Fix clippy warnings: remove unused imports/variables/functions, derive Default, fix comparisons

debian/.debhelper/generated/linux-patch-api/dh_installchangelogs.dch.trimmed

@@ -0,0 +1,11 @@
+linux-patch-api (1.0.0-1) stable; urgency=medium
+
+  * Initial production release
+  * Secure mTLS-authenticated REST API for remote package management
+  * 15 API endpoints for package install/remove, patch application, system management
+  * Asynchronous job processing with WebSocket status streaming
+  * IP whitelist enforcement and comprehensive audit logging
+  * Systemd integration with security hardening
+  * Supports Debian 11/12, Ubuntu 20.04/22.04/24.04
+
+ -- Echo <echo@moon-dragon.us>  Thu, 09 Apr 2026 18:57:12 -0500

debian/.debhelper/generated/linux-patch-api/installed-by-dh_install

@@ -0,0 +1,4 @@
+debian/tmp/usr/bin/linux-patch-api
+debian/tmp/lib/systemd/system/linux-patch-api.service
+debian/tmp/etc/linux_patch_api/config.yaml
+debian/tmp/etc/linux_patch_api/whitelist.yaml

debian/.debhelper/generated/linux-patch-api/postinst.service

@@ -0,0 +1,30 @@
+# Automatically added by dh_installsystemd/13.31
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+	# The following line should be removed in trixie or trixie+1
+	deb-systemd-helper unmask 'linux-patch-api.service' >/dev/null || true
+
+	# was-enabled defaults to true, so new installations run enable.
+	if deb-systemd-helper --quiet was-enabled 'linux-patch-api.service'; then
+		# Enables the unit on first installation, creates new
+		# symlinks on upgrades if the unit file has changed.
+		deb-systemd-helper enable 'linux-patch-api.service' >/dev/null || true
+	else
+		# Update the statefile to add new symlinks (if any), which need to be
+		# cleaned up on purge. Also remove old symlinks.
+		deb-systemd-helper update-state 'linux-patch-api.service' >/dev/null || true
+	fi
+fi
+# End automatically added section
+# Automatically added by dh_installsystemd/13.31
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+	if [ -d /run/systemd/system ]; then
+		systemctl --system daemon-reload >/dev/null || true
+		if [ -n "$2" ]; then
+			_dh_action=restart
+		else
+			_dh_action=start
+		fi
+		deb-systemd-invoke $_dh_action 'linux-patch-api.service' >/dev/null || true
+	fi
+fi
+# End automatically added section

debian/.debhelper/generated/linux-patch-api/prerm.service

@@ -0,0 +1,5 @@
+# Automatically added by dh_installsystemd/13.31
+if [ -z "$DPKG_ROOT" ] && [ "$1" = remove ] && [ -d /run/systemd/system ] ; then
+	deb-systemd-invoke stop 'linux-patch-api.service' >/dev/null || true
+fi
+# End automatically added section

debian/debhelper-build-stamp

@@ -0,0 +1 @@
+linux-patch-api

debian/files

@@ -0,0 +1,2 @@
+linux-patch-api_1.0.0-1_amd64.buildinfo admin optional
+linux-patch-api_1.0.0-1_amd64.deb admin optional

debian/linux-patch-api.debhelper.log

@@ -0,0 +1 @@
+dh_auto_install

debian/linux-patch-api.postrm.debhelper

@@ -0,0 +1,12 @@
+# Automatically added by dh_installsystemd/13.31
+if [ "$1" = remove ] && [ -d /run/systemd/system ] ; then
+	systemctl --system daemon-reload >/dev/null || true
+fi
+# End automatically added section
+# Automatically added by dh_installsystemd/13.31
+if [ "$1" = "purge" ]; then
+	if [ -x "/usr/bin/deb-systemd-helper" ]; then
+		deb-systemd-helper purge 'linux-patch-api.service' >/dev/null || true
+	fi
+fi
+# End automatically added section

debian/linux-patch-api.substvars

@@ -0,0 +1,3 @@
+shlibs:Depends=libc6 (>= 2.39), libgcc-s1 (>= 4.2)
+misc:Depends=
+misc:Pre-Depends=

debian/linux-patch-api/DEBIAN/conffiles

@@ -0,0 +1,4 @@
+/etc/linux_patch_api/config.yaml
+/etc/linux_patch_api/whitelist.yaml
+/etc/linux_patch_api/config.yaml
+/etc/linux_patch_api/whitelist.yaml

debian/linux-patch-api/DEBIAN/control

@@ -0,0 +1,23 @@
+Package: linux-patch-api
+Version: 1.0.0-1
+Architecture: amd64
+Maintainer: Echo <echo@moon-dragon.us>
+Installed-Size: 8897
+Depends: systemd, libsystemd0, libc6 (>= 2.39), libgcc-s1 (>= 4.2)
+Section: admin
+Priority: optional
+Homepage: https://gitea.moon-dragon.us/echo/linux_patch_api
+Description: Secure remote package management API for Linux systems
+ Linux Patch API provides a secure, mTLS-authenticated REST API for
+ remote package management operations including:
+  - Package installation and removal
+  - Security patch application
+  - System health monitoring
+  - Job queue management with WebSocket status streaming
+ .
+ Features:
+  - Mutual TLS (mTLS) authentication
+  - IP whitelist enforcement
+  - Asynchronous job processing
+  - Comprehensive audit logging
+  - Systemd integration with security hardening

debian/linux-patch-api/DEBIAN/md5sums

@@ -0,0 +1,5 @@
+23b89eecc51f46c6813658dd615d13a9  lib/systemd/system/linux-patch-api.service
+d64a80e2a796561c39c6941c6b9e268c  usr/bin/linux-patch-api
+154c7ae7e01ae22cdc8ceea1fd0956e2  usr/share/doc/linux-patch-api/changelog.Debian.gz
+978478c6c7f1e9dcb38eb1f2454535c0  usr/share/doc/linux-patch-api/changelog.gz
+c2fab316c94aa61adb70d79365cfe08f  usr/share/doc/linux-patch-api/copyright

debian/linux-patch-api/DEBIAN/postinst

@@ -0,0 +1,49 @@
+#!/bin/bash
+# postinst script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Configure with debhelper
+if [ "$1" = "configure" ]; then
+    echo "Configuring linux-patch-api..."
+    
+    # Copy example configs if they don't exist
+    if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
+        echo "Creating default config.yaml..."
+        cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
+        chmod 640 /etc/linux_patch_api/config.yaml
+        chown linux-patch-api:linux-patch-api /etc/linux_patch_api/config.yaml
+    fi
+    
+    if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
+        echo "Creating default whitelist.yaml..."
+        cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
+        chmod 640 /etc/linux_patch_api/whitelist.yaml
+        chown linux-patch-api:linux-patch-api /etc/linux_patch_api/whitelist.yaml
+    fi
+    
+    # Reload systemd daemon to pick up new service file
+    systemctl daemon-reload
+    
+    # Enable the service (but don't start automatically - admin should configure first)
+    systemctl enable linux-patch-api.service
+    
+    echo ""
+    echo "linux-patch-api installed successfully!"
+    echo ""
+    echo "Next steps:"
+    echo "  1. Configure /etc/linux_patch_api/config.yaml with your settings"
+    echo "  2. Place TLS certificates in /etc/linux_patch_api/certs/"
+    echo "  3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
+    echo "  4. Start the service: systemctl start linux-patch-api"
+    echo "  5. Check status: systemctl status linux-patch-api"
+    echo ""
+fi
+
+# Handle upgrade
+if [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-remove" ] || [ "$1" = "abort-deconfigure" ]; then
+    echo "Installation aborted - service remains in previous state"
+fi
+
+exit 0

debian/linux-patch-api/DEBIAN/postrm

@@ -0,0 +1,64 @@
+#!/bin/bash
+# postrm script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Handle purge - remove all configuration and data
+if [ "$1" = "purge" ]; then
+    echo "Purging linux-patch-api configuration and data..."
+    
+    # Stop service if still running
+    if systemctl is-active --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl stop linux-patch-api.service
+    fi
+    
+    # Disable service
+    if systemctl is-enabled --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl disable linux-patch-api.service
+    fi
+    
+    # Reload systemd to remove service file
+    systemctl daemon-reload
+    
+    # Remove configuration directory (preserved by conffiles during normal remove)
+    if [ -d "/etc/linux_patch_api" ]; then
+        echo "Removing /etc/linux_patch_api..."
+        rm -rf /etc/linux_patch_api
+    fi
+    
+    # Remove data directory
+    if [ -d "/var/lib/linux_patch_api" ]; then
+        echo "Removing /var/lib/linux_patch_api..."
+        rm -rf /var/lib/linux_patch_api
+    fi
+    
+    # Remove log directory
+    if [ -d "/var/log/linux_patch_api" ]; then
+        echo "Removing /var/log/linux_patch_api..."
+        rm -rf /var/log/linux_patch_api
+    fi
+    
+    # Remove system user
+    if getent passwd linux-patch-api > /dev/null 2>&1; then
+        echo "Removing user linux-patch-api..."
+        userdel linux-patch-api 2>/dev/null || true
+    fi
+    
+    # Remove system group
+    if getent group linux-patch-api > /dev/null 2>&1; then
+        echo "Removing group linux-patch-api..."
+        groupdel linux-patch-api 2>/dev/null || true
+    fi
+    
+    echo "linux-patch-api purged successfully"
+fi
+
+# Handle upgrade/remove - just ensure service is disabled
+if [ "$1" = "remove" ] || [ "$1" = "upgrade" ]; then
+    # Service should already be stopped by prerm
+    # Just reload systemd to remove the service file
+    systemctl daemon-reload 2>/dev/null || true
+fi
+
+exit 0

debian/linux-patch-api/DEBIAN/preinst

@@ -0,0 +1,46 @@
+#!/bin/bash
+# preinst script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Check if this is an upgrade
+if [ -d "/etc/linux_patch_api" ]; then
+    echo "Detected existing installation - performing upgrade"
+fi
+
+# Create system user if it doesn't exist
+if ! getent group linux-patch-api > /dev/null 2>&1; then
+    echo "Creating group linux-patch-api..."
+    groupadd --system linux-patch-api
+fi
+
+if ! getent passwd linux-patch-api > /dev/null 2>&1; then
+    echo "Creating user linux-patch-api..."
+    useradd --system \
+        --gid linux-patch-api \
+        --home-dir /var/lib/linux_patch_api \
+        --no-create-home \
+        --shell /usr/sbin/nologin \
+        --comment "Linux Patch API Service" \
+        linux-patch-api
+fi
+
+# Create required directories
+mkdir -p /etc/linux_patch_api/certs
+mkdir -p /var/lib/linux_patch_api
+mkdir -p /var/log/linux_patch_api
+
+# Set proper ownership
+chown -R linux-patch-api:linux-patch-api /var/lib/linux_patch_api
+chown -R linux-patch-api:linux-patch-api /var/log/linux_patch_api
+
+# Set secure permissions
+chmod 750 /etc/linux_patch_api
+chmod 750 /etc/linux_patch_api/certs
+chmod 755 /var/lib/linux_patch_api
+chmod 755 /var/log/linux_patch_api
+
+echo "Pre-installation checks completed successfully"
+
+exit 0

debian/linux-patch-api/DEBIAN/prerm

@@ -0,0 +1,33 @@
+#!/bin/bash
+# prerm script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Stop the service before removal/upgrade
+if [ "$1" = "remove" ] || [ "$1" = "upgrade" ]; then
+    echo "Stopping linux-patch-api service..."
+    
+    if systemctl is-active --quiet linux-patch-api.service; then
+        systemctl stop linux-patch-api.service
+        echo "Service stopped successfully"
+    else
+        echo "Service was not running"
+    fi
+    
+    # Disable the service
+    if systemctl is-enabled --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl disable linux-patch-api.service
+        echo "Service disabled"
+    fi
+fi
+
+# Handle failed upgrade
+if [ "$1" = "failed-upgrade" ]; then
+    echo "Upgrade failed - attempting to restore previous state"
+    # Previous version should handle restoration
+fi
+
+echo "Pre-removal script completed"
+
+exit 0

debian/linux-patch-api/etc/linux_patch_api/config.yaml

@@ -0,0 +1,46 @@
+# Linux Patch API Configuration
+# Example configuration file - copy to /etc/linux_patch_api/config.yaml
+
+# Server Configuration
+server:
+  port: 12443
+  bind: "0.0.0.0"
+  timeout_seconds: 30
+
+# TLS/mTLS Configuration
+tls:
+  enabled: true
+  port: 12443
+  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
+  server_cert: "/etc/linux_patch_api/certs/server.pem"
+  server_key: "/etc/linux_patch_api/certs/server.key"
+  min_tls_version: "1.3"
+
+# Job Configuration
+jobs:
+  max_concurrent: 5
+  timeout_minutes: 30
+  storage_path: "/var/lib/linux_patch_api/jobs"
+
+# Logging Configuration
+logging:
+  level: "info"
+  journal_enabled: true
+  syslog_enabled: false
+  # syslog_server: "udp://localhost:514"
+  file_path: "/var/log/linux_patch_api/audit.log"
+  retention_days: 30
+
+# IP Whitelist Configuration
+whitelist:
+  path: "/etc/linux_patch_api/whitelist.yaml"
+  # Entries can be:
+  # - Individual IPs: "192.168.1.100"
+  # - CIDR subnets: "192.168.1.0/24"
+  # - Hostnames: "admin-server.internal"
+
+# Package Manager Backend
+package_manager:
+  # Primary backend (auto-detected if not specified)
+  # Options: apt, dnf, yum, apk, pacman
+  backend: "auto"

debian/linux-patch-api/etc/linux_patch_api/whitelist.yaml

@@ -0,0 +1,14 @@
+# Linux Patch API - IP Whitelist Configuration
+# Copy to /etc/linux_patch_api/whitelist.yaml
+# Block all by default - only listed IPs can access the API
+
+# Supported entry types:
+# - Individual IPs: "192.168.1.100"
+# - CIDR subnets: "192.168.1.0/24"
+# - Hostnames: "admin-server.internal" (resolved at startup)
+
+# Example entries:
+entries:
+  - "192.168.1.0/24"      # Management network
+  - "10.0.0.50"          # Specific admin workstation
+  # - "admin-server.internal"  # Hostname example (uncomment to use)

debian/linux-patch-api/lib/systemd/system/linux-patch-api.service

@@ -0,0 +1,57 @@
+[Unit]
+Description=Linux Patch API - Secure Remote Package Management
+Documentation=man:linux-patch-api(8)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
+Restart=on-failure
+RestartSec=5s
+TimeoutStopSec=30s
+
+# Process management
+RuntimeDirectory=linux-patch-api
+RuntimeDirectoryMode=0755
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/linux_patch_api /var/log/linux_patch_api
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=false
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+# System call filtering (whitelist approach)
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+# Environment
+Environment="RUST_BACKTRACE=1"
+Environment="RUST_LOG=info"
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=linux-patch-api
+SyslogFacility=daemon
+SyslogLevel=info
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+[Install]
+WantedBy=multi-user.target

debian/linux-patch-api/usr/share/doc/linux-patch-api/copyright

@@ -0,0 +1,31 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: linux-patch-api
+Upstream-Contact: Echo <echo@moon-dragon.us>
+Source: https://gitea.moon-dragon.us/echo/linux_patch_api
+
+Files: *
+Copyright: 2024-2026 Echo <echo@moon-dragon.us>
+License: MIT
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ THE SOFTWARE.
+
+Files: debian/*
+Copyright: 2024-2026 Echo <echo@moon-dragon.us>
+License: MIT

debian/tmp/etc/linux_patch_api/config.yaml

@@ -0,0 +1,46 @@
+# Linux Patch API Configuration
+# Example configuration file - copy to /etc/linux_patch_api/config.yaml
+
+# Server Configuration
+server:
+  port: 12443
+  bind: "0.0.0.0"
+  timeout_seconds: 30
+
+# TLS/mTLS Configuration
+tls:
+  enabled: true
+  port: 12443
+  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
+  server_cert: "/etc/linux_patch_api/certs/server.pem"
+  server_key: "/etc/linux_patch_api/certs/server.key"
+  min_tls_version: "1.3"
+
+# Job Configuration
+jobs:
+  max_concurrent: 5
+  timeout_minutes: 30
+  storage_path: "/var/lib/linux_patch_api/jobs"
+
+# Logging Configuration
+logging:
+  level: "info"
+  journal_enabled: true
+  syslog_enabled: false
+  # syslog_server: "udp://localhost:514"
+  file_path: "/var/log/linux_patch_api/audit.log"
+  retention_days: 30
+
+# IP Whitelist Configuration
+whitelist:
+  path: "/etc/linux_patch_api/whitelist.yaml"
+  # Entries can be:
+  # - Individual IPs: "192.168.1.100"
+  # - CIDR subnets: "192.168.1.0/24"
+  # - Hostnames: "admin-server.internal"
+
+# Package Manager Backend
+package_manager:
+  # Primary backend (auto-detected if not specified)
+  # Options: apt, dnf, yum, apk, pacman
+  backend: "auto"

debian/tmp/etc/linux_patch_api/whitelist.yaml

@@ -0,0 +1,14 @@
+# Linux Patch API - IP Whitelist Configuration
+# Copy to /etc/linux_patch_api/whitelist.yaml
+# Block all by default - only listed IPs can access the API
+
+# Supported entry types:
+# - Individual IPs: "192.168.1.100"
+# - CIDR subnets: "192.168.1.0/24"
+# - Hostnames: "admin-server.internal" (resolved at startup)
+
+# Example entries:
+entries:
+  - "192.168.1.0/24"      # Management network
+  - "10.0.0.50"          # Specific admin workstation
+  # - "admin-server.internal"  # Hostname example (uncomment to use)

debian/tmp/lib/systemd/system/linux-patch-api.service

@@ -0,0 +1,57 @@
+[Unit]
+Description=Linux Patch API - Secure Remote Package Management
+Documentation=man:linux-patch-api(8)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
+Restart=on-failure
+RestartSec=5s
+TimeoutStopSec=30s
+
+# Process management
+RuntimeDirectory=linux-patch-api
+RuntimeDirectoryMode=0755
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/linux_patch_api /var/log/linux_patch_api
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=false
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+# System call filtering (whitelist approach)
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+# Environment
+Environment="RUST_BACKTRACE=1"
+Environment="RUST_LOG=info"
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=linux-patch-api
+SyslogFacility=daemon
+SyslogLevel=info
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+[Install]
+WantedBy=multi-user.target