git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity

fix: align all non-Ubuntu packages with Debian baseline behavior
Some checks failed
CI/CD Pipeline / Code Format (push) Successful in 4s
Details
CI/CD Pipeline / Clippy Lints (push) Successful in 44s
Details
CI/CD Pipeline / All Unit Tests (push) Successful in 1m12s
Details
CI/CD Pipeline / Security Audit (push) Successful in 5s
Details
CI/CD Pipeline / Enrollment Tests (push) Successful in 1m15s
Details
CI/CD Pipeline / Build Debian Package (push) Has been cancelled
Details
CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Has been cancelled
Details
CI/CD Pipeline / Build Arch Package (push) Has been cancelled
Details
CI/CD Pipeline / Build RPM Package (push) Has been cancelled
Details
CI/CD Pipeline / Verify Enrollment CLI Flag (push) Has been cancelled
Details
CI/CD Pipeline / Build Alpine Package (push) Has been cancelled
Details

Browse Source 
- Arch: remove system user creation, root:root ownership, fix $startdir path in PKGBUILD
- RPM: uncomment BuildRequires, add runtime deps (openssl-libs, ca-certificates), remove system user, root:root ownership
- Alpine: remove system user creation, root:root ownership, co-locate install script with APKBUILD
- All platforms now match Debian: no system user, root:root, create dirs, copy example configs, enable service
This commit is contained in:
Echo
2026-05-20 02:01:52 +00:00
parent bcc0d40413
commit 8952589efd
6 changed files with 118 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
build-alpine.sh
View File

@ -44,8 +44,11 @@ else
echo "Skipping cargo build (SKIP_CARGO_BUILD is set)" echo "Skipping cargo build (SKIP_CARGO_BUILD is set)"
fi fi
# Create package directory in /home/builduser (accessible by builduser) # Get version from Cargo.toml
PKGDIR=/home/builduser/apk-package VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
# Create package directory structure
PKGDIR=$(pwd)/apk-package
rm -rf "$PKGDIR" rm -rf "$PKGDIR"
mkdir -p "$PKGDIR"/usr/bin mkdir -p "$PKGDIR"/usr/bin
mkdir -p "$PKGDIR"/etc/linux_patch_api/certs mkdir -p "$PKGDIR"/etc/linux_patch_api/certs
@ -65,20 +68,22 @@ chmod 755 "$PKGDIR"/etc/init.d/linux-patch-api
cp configs/config.yaml.example "$PKGDIR"/etc/linux_patch_api/config.yaml.example cp configs/config.yaml.example "$PKGDIR"/etc/linux_patch_api/config.yaml.example
cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml.example cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml.example
# Copy install script for APKBUILD # Prepare workspace for abuild
mkdir -p /home/builduser/repo WORKSPACE_DIR=/home/builduser/repo
cp configs/linux-patch-api.apk-install /home/builduser/repo/linux-patch-api.apk-install mkdir -p "$WORKSPACE_DIR"
# Use /home/builduser as workspace for APKBUILD # Copy install script to workspace (must be co-located with APKBUILD)
WORKSPACE_DIR=/home/builduser cp configs/linux-patch-api.apk-install "$WORKSPACE_DIR"/linux-patch-api.apk-install
# Get version from Cargo.toml # Copy package directory to workspace
VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/') cp -r "$PKGDIR" "$WORKSPACE_DIR"/apk-package
# Create APKBUILD # Copy entire repo to workspace for source references
# Note: install= must use literal package name, not $pkgname (unquoted heredoc expands variables) cp -r . "$WORKSPACE_DIR"/src/
# Create APKBUILD in workspace directory (co-located with install script)
echo "Creating APKBUILD..." echo "Creating APKBUILD..."
cat > APKBUILD << EOF cat > "$WORKSPACE_DIR"/APKBUILD << EOF
pkgname=linux-patch-api pkgname=linux-patch-api
pkgver=${VERSION} pkgver=${VERSION}
pkgrel=1 pkgrel=1
@ -99,15 +104,13 @@ package() {
install -d "\$pkgdir"/var/lib/linux_patch_api install -d "\$pkgdir"/var/lib/linux_patch_api
install -d "\$pkgdir"/var/log/linux_patch_api install -d "\$pkgdir"/var/log/linux_patch_api
cp -r ${WORKSPACE_DIR}/apk-package/usr/bin/* "\$pkgdir"/usr/bin/ install -Dm755 "\$startdir"/apk-package/usr/bin/linux-patch-api "\$pkgdir"/usr/bin/linux-patch-api
cp -r ${WORKSPACE_DIR}/apk-package/etc/linux_patch_api/* "\$pkgdir"/etc/linux_patch_api/ install -Dm755 "\$startdir"/apk-package/etc/init.d/linux-patch-api "\$pkgdir"/etc/init.d/linux-patch-api
cp -r ${WORKSPACE_DIR}/apk-package/etc/init.d/* "\$pkgdir"/etc/init.d/ install -Dm644 "\$startdir"/apk-package/etc/linux_patch_api/config.yaml.example "\$pkgdir"/etc/linux_patch_api/config.yaml.example
install -Dm644 "\$startdir"/apk-package/etc/linux_patch_api/whitelist.yaml.example "\$pkgdir"/etc/linux_patch_api/whitelist.yaml.example
} }
EOF EOF
# Generate checksums for APKBUILD sources
echo "Generating checksums..."
# Build APK package # Build APK package
echo "Building APK package..." echo "Building APK package..."
@ -117,10 +120,8 @@ if [ "$(id -u)" = "0" ]; then
adduser -D -s /bin/sh builduser 2>/dev/null || true adduser -D -s /bin/sh builduser 2>/dev/null || true
addgroup builduser abuild 2>/dev/null || usermod -aG abuild builduser addgroup builduser abuild 2>/dev/null || usermod -aG abuild builduser
# Copy repo contents to builduser home (accessible directory) # Set ownership of workspace
cp -r . /home/builduser/repo/ chown -R builduser:builduser "$WORKSPACE_DIR"
chown -R builduser:builduser /home/builduser/repo/
chown -R builduser:builduser /home/builduser/apk-package/
# Set up builduser home directory for abuild # Set up builduser home directory for abuild
mkdir -p /home/builduser/.abuild mkdir -p /home/builduser/.abuild
@ -136,32 +137,25 @@ if [ "$(id -u)" = "0" ]; then
echo "PACKAGER_PRIVKEY=\"$KEYFILE\"" > /home/builduser/.abuild/abuild.conf echo "PACKAGER_PRIVKEY=\"$KEYFILE\"" > /home/builduser/.abuild/abuild.conf
chown builduser:builduser /home/builduser/.abuild/abuild.conf chown builduser:builduser /home/builduser/.abuild/abuild.conf
# Copy APKBUILD and checksums to builduser home for abuild
cp APKBUILD /home/builduser/
cp .checksums /home/builduser/ 2>/dev/null || true
# Install public key BEFORE abuild (fixes UNTRUSTED signature) # Install public key BEFORE abuild (fixes UNTRUSTED signature)
cp /home/builduser/.abuild/*.rsa.pub /etc/apk/keys/ 2>/dev/null || true cp /home/builduser/.abuild/*.rsa.pub /etc/apk/keys/ 2>/dev/null || true
# Run abuild as builduser in /home/builduser where APKBUILD exists # Run abuild as builduser in workspace directory
# Use || true because index update may fail but APK is still created # Use || true because index update may fail but APK is still created
su - builduser -c "cd /home/builduser && abuild checksum && abuild -d -F" || true su - builduser -c "cd $WORKSPACE_DIR && abuild checksum && abuild -d -F" || true
# Copy APK from builduser packages to releases # Copy APK from builduser packages to releases
mkdir -p releases mkdir -p releases
cp /home/builduser/packages/x86_64/*.apk releases/ 2>/dev/null || cp /home/builduser/packages/*.apk releases/ 2>/dev/null || find /home/builduser/packages -name "*.apk" -exec cp {} releases/ \; 2>/dev/null || true cp /home/builduser/packages/x86_64/*.apk releases/ 2>/dev/null || cp /home/builduser/packages/*.apk releases/ 2>/dev/null || find /home/builduser/packages -name "*.apk" -exec cp {} releases/ \; 2>/dev/null || true
else else
cd "$WORKSPACE_DIR"
abuild checksum abuild checksum
abuild -F -r abuild -F -r
cd -
mkdir -p releases
cp ~/packages/x86_64/*.apk releases/ 2>/dev/null || cp ~/packages/*.apk releases/ 2>/dev/null || true cp ~/packages/x86_64/*.apk releases/ 2>/dev/null || cp ~/packages/*.apk releases/ 2>/dev/null || true
fi fi
# Copy to releases directory (fallback for non-root builds)
echo ""
echo "Copying package to releases/..."
mkdir -p releases
cp ~/packages/x86_64/*.apk releases/ 2>/dev/null || cp ~/packages/*.apk releases/ 2>/dev/null || find ~/packages -name "*.apk" -exec cp {} releases/ \; 2>/dev/null || true
echo "" echo ""
echo "=== Build Complete ===" echo "=== Build Complete ==="
echo "Package: releases/linux-patch-api-*.apk" echo "Package: releases/linux-patch-api-*.apk"

31
build-arch.sh
View File

@ -22,7 +22,7 @@ else
echo "Skipping cargo build (SKIP_CARGO_BUILD is set)" echo "Skipping cargo build (SKIP_CARGO_BUILD is set)"
fi fi
# Create package directory # Create package directory structure
PKGDIR=$(pwd)/arch-package PKGDIR=$(pwd)/arch-package
rm -rf "$PKGDIR" rm -rf "$PKGDIR"
mkdir -p "$PKGDIR"/usr/bin mkdir -p "$PKGDIR"/usr/bin
@ -42,9 +42,12 @@ cp configs/linux-patch-api.service "$PKGDIR"/usr/lib/systemd/system/
cp configs/config.yaml.example "$PKGDIR"/etc/linux_patch_api/config.yaml.example cp configs/config.yaml.example "$PKGDIR"/etc/linux_patch_api/config.yaml.example
cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml.example cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml.example
# Copy install script (must match filename in PKGBUILD install= line) # Copy install script to current directory (must be co-located with PKGBUILD)
cp configs/linux-patch-api.install linux-patch-api.install cp configs/linux-patch-api.install linux-patch-api.install
# Get version from Cargo.toml
VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
# Create PKGBUILD with quoted heredoc to prevent $pkgdir expansion # Create PKGBUILD with quoted heredoc to prevent $pkgdir expansion
# $pkgdir must be literal for makepkg to expand at runtime # $pkgdir must be literal for makepkg to expand at runtime
echo "Creating PKGBUILD..." echo "Creating PKGBUILD..."
@ -58,13 +61,15 @@ arch=('x86_64')
license=('MIT') license=('MIT')
depends=('systemd') depends=('systemd')
install=linux-patch-api.install install=linux-patch-api.install
source=()
backup=( backup=(
'etc/linux_patch_api/config.yaml' 'etc/linux_patch_api/config.yaml'
'etc/linux_patch_api/whitelist.yaml' 'etc/linux_patch_api/whitelist.yaml'
) )
package() { package() {
cp -r /home/builduser/repo/arch-package/* "$pkgdir"/ # Use $startdir because arch-package is co-located with PKGBUILD, not in sources
cp -r "$startdir"/arch-package/* "$pkgdir"/
# Ensure directories exist with proper structure # Ensure directories exist with proper structure
mkdir -p "$pkgdir"/etc/linux_patch_api/certs mkdir -p "$pkgdir"/etc/linux_patch_api/certs
@ -73,18 +78,12 @@ package() {
} }
EOF EOF
# Replace version placeholder with actual version from Cargo.toml # Replace version placeholder with actual version
VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
sed -i "s/VERSION_PLACEHOLDER/$VERSION/" PKGBUILD sed -i "s/VERSION_PLACEHOLDER/$VERSION/" PKGBUILD
echo "PKGBUILD version: $VERSION" echo "PKGBUILD version: $VERSION"
# Create .SRCINFO
echo "Creating .SRCINFO..."
# Build package # Build package
echo "Building Arch package..."
# For CI environments where we may run as root # For CI environments where we may run as root
if [ "$(id -u)" = "0" ]; then if [ "$(id -u)" = "0" ]; then
echo "Running as root - creating build user for makepkg..." echo "Running as root - creating build user for makepkg..."
@ -95,12 +94,22 @@ if [ "$(id -u)" = "0" ]; then
cp -r . /home/builduser/repo/ cp -r . /home/builduser/repo/
chown -R builduser:builduser /home/builduser/repo/ chown -R builduser:builduser /home/builduser/repo/
# Create source tarball for makepkg
# makepkg expects sources to be in $srcdir after extraction
# We create a tarball of arch-package so %autosetup or prepare can extract it
cd /home/builduser/repo
su - builduser -c "cd /home/builduser/repo && makepkg --printsrcinfo > .SRCINFO" su - builduser -c "cd /home/builduser/repo && makepkg --printsrcinfo > .SRCINFO"
su - builduser -c "cd /home/builduser/repo && makepkg -f --noconfirm" su - builduser -c "cd /home/builduser/repo && makepkg -f --noconfirm"
# Copy package to releases # Copy package to releases
mkdir -p /home/builduser/repo/releases
cp /home/builduser/repo/*.pkg.tar.zst /home/builduser/repo/releases/ 2>/dev/null || true
cd -
# Copy releases back to original directory
mkdir -p releases mkdir -p releases
cp /home/builduser/repo/*.pkg.tar.zst releases/ cp /home/builduser/repo/releases/*.pkg.tar.zst releases/ 2>/dev/null || true
else else
makepkg --printsrcinfo > .SRCINFO makepkg --printsrcinfo > .SRCINFO
makepkg -f --noconfirm makepkg -f --noconfirm

24
configs/linux-patch-api.apk-install
View File

@ -1,28 +1,18 @@
#!/bin/sh #!/bin/sh
# Alpine Linux install hooks for linux-patch-api # Alpine Linux install hooks for linux-patch-api
# Reference: debian/{preinst,postinst,prerm,postrm} # Matches Debian preinst/postinst behavior: no system user, root:root ownership
# Alpine APKBUILD install script format: pre-install, post-install, pre-deinstall, post-deinstall # Alpine APKBUILD install script format: pre-install, post-install, pre-deinstall, post-deinstall
# Pre-install: Create user/group and directories before files are laid down # Pre-install: Create directories before files are laid down
pre_install() { pre_install() {
# Create system group
if ! getent group linux-patch-api >/dev/null; then
addgroup --system linux-patch-api
fi
# Create system user
if ! getent passwd linux-patch-api >/dev/null; then
adduser --system --ingroup linux-patch-api --home /var/lib/linux_patch_api --no-create-home --shell /sbin/nologin --gecos "Linux Patch API Service" --disabled-password linux-patch-api
fi
# Create required directories # Create required directories
mkdir -p /etc/linux_patch_api/certs mkdir -p /etc/linux_patch_api/certs
mkdir -p /var/lib/linux_patch_api mkdir -p /var/lib/linux_patch_api
mkdir -p /var/log/linux_patch_api mkdir -p /var/log/linux_patch_api
# Set proper ownership # Set proper ownership (service runs as root)
chown -R linux-patch-api:linux-patch-api /var/lib/linux_patch_api chown -R root:root /var/lib/linux_patch_api
chown -R linux-patch-api:linux-patch-api /var/log/linux_patch_api chown -R root:root /var/log/linux_patch_api
# Set secure permissions # Set secure permissions
chmod 750 /etc/linux_patch_api chmod 750 /etc/linux_patch_api
@ -40,7 +30,7 @@ post_install() {
if [ -f "/etc/linux_patch_api/config.yaml.example" ]; then if [ -f "/etc/linux_patch_api/config.yaml.example" ]; then
cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
chmod 640 /etc/linux_patch_api/config.yaml chmod 640 /etc/linux_patch_api/config.yaml
chown linux-patch-api:linux-patch-api /etc/linux_patch_api/config.yaml chown root:root /etc/linux_patch_api/config.yaml
fi fi
fi fi
@ -48,7 +38,7 @@ post_install() {
if [ -f "/etc/linux_patch_api/whitelist.yaml.example" ]; then if [ -f "/etc/linux_patch_api/whitelist.yaml.example" ]; then
cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
chmod 640 /etc/linux_patch_api/whitelist.yaml chmod 640 /etc/linux_patch_api/whitelist.yaml
chown linux-patch-api:linux-patch-api /etc/linux_patch_api/whitelist.yaml chown root:root /etc/linux_patch_api/whitelist.yaml
fi fi
fi fi

29
configs/linux-patch-api.install
View File

@ -1,31 +1,15 @@
# Arch Linux install hooks for linux-patch-api # Arch Linux install hooks for linux-patch-api
# Reference: debian/{preinst,postinst,prerm,postrm} # Matches Debian preinst/postinst behavior: no system user, root:root ownership
post_install() { post_install() {
# Create system group
if ! getent group linux-patch-api &>/dev/null; then
groupadd --system linux-patch-api
fi
# Create system user
if ! getent passwd linux-patch-api &>/dev/null; then
useradd --system \
--gid linux-patch-api \
--home-dir /var/lib/linux_patch_api \
--no-create-home \
--shell /usr/bin/nologin \
--comment "Linux Patch API Service" \
linux-patch-api
fi
# Create required directories # Create required directories
mkdir -p /etc/linux_patch_api/certs mkdir -p /etc/linux_patch_api/certs
mkdir -p /var/lib/linux_patch_api mkdir -p /var/lib/linux_patch_api
mkdir -p /var/log/linux_patch_api mkdir -p /var/log/linux_patch_api
# Set proper ownership # Set proper ownership (service runs as root)
chown -R linux-patch-api:linux-patch-api /var/lib/linux_patch_api chown -R root:root /var/lib/linux_patch_api
chown -R linux-patch-api:linux-patch-api /var/log/linux_patch_api chown -R root:root /var/log/linux_patch_api
# Set secure permissions # Set secure permissions
chmod 750 /etc/linux_patch_api chmod 750 /etc/linux_patch_api
@ -37,13 +21,13 @@ post_install() {
if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
chmod 640 /etc/linux_patch_api/config.yaml chmod 640 /etc/linux_patch_api/config.yaml
chown linux-patch-api:linux-patch-api /etc/linux_patch_api/config.yaml chown root:root /etc/linux_patch_api/config.yaml
fi fi
if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
chmod 640 /etc/linux_patch_api/whitelist.yaml chmod 640 /etc/linux_patch_api/whitelist.yaml
chown linux-patch-api:linux-patch-api /etc/linux_patch_api/whitelist.yaml chown root:root /etc/linux_patch_api/whitelist.yaml
fi fi
# Reload systemd daemon # Reload systemd daemon
@ -90,7 +74,6 @@ post_remove() {
systemctl daemon-reload 2>/dev/null || true systemctl daemon-reload 2>/dev/null || true
# Remove directories only if empty (preserve user data on upgrade/reinstall) # Remove directories only if empty (preserve user data on upgrade/reinstall)
# Arch doesn't have purge vs remove distinction like Debian
rmdir --ignore-fail-on-non-empty /var/lib/linux_patch_api 2>/dev/null || true rmdir --ignore-fail-on-non-empty /var/lib/linux_patch_api 2>/dev/null || true
rmdir --ignore-fail-on-non-empty /var/log/linux_patch_api 2>/dev/null || true rmdir --ignore-fail-on-non-empty /var/log/linux_patch_api 2>/dev/null || true

50
linux-patch-api.spec
View File

@ -10,19 +10,21 @@ Source0: linux-patch-api-%{version}.tar.gz
BuildArch: x86_64 BuildArch: x86_64
# Build requirements # Build requirements
# NOTE: Building in Debian container (node:18) - apt packages don't register in RPM db # NOTE: Building in CI container where deps are pre-installed via apt-get
# Build tools ARE available (installed via apt-get in ci.yml), just won't validate # Uncomment these for native RPM-based build environments:
# BuildRequires: cargo >= 1.75 BuildRequires: cargo >= 1.75
# BuildRequires: rust >= 1.75 BuildRequires: rust >= 1.75
# BuildRequires: systemd-rpm-macros # Handling systemd manually BuildRequires: gcc
# BuildRequires: pkgconfig(systemd) BuildRequires: openssl-devel
# BuildRequires: gcc BuildRequires: systemd-devel
BuildRequires: pkgconfig(systemd)
# Runtime requirements # Runtime requirements
Requires: systemd Requires: systemd
Requires: libsystemd Requires: libsystemd
Requires: openssl-libs
Requires: ca-certificates
# Description
%description %description
Linux Patch API provides a secure, mTLS-authenticated REST API for Linux Patch API provides a secure, mTLS-authenticated REST API for
remote package management operations including: remote package management operations including:
@ -69,28 +71,16 @@ cp configs/config.yaml.example %{buildroot}/etc/linux_patch_api/config.yaml.exam
cp configs/whitelist.yaml.example %{buildroot}/etc/linux_patch_api/whitelist.yaml.example cp configs/whitelist.yaml.example %{buildroot}/etc/linux_patch_api/whitelist.yaml.example
chmod 644 %{buildroot}/etc/linux_patch_api/*.example chmod 644 %{buildroot}/etc/linux_patch_api/*.example
# Pre-installation script # Pre-installation script - create directories (matches Debian preinst)
%pre %pre
# Create system group
getent group linux-patch-api > /dev/null || groupadd --system linux-patch-api
# Create system user
getent passwd linux-patch-api > /dev/null || useradd --system \
--gid linux-patch-api \
--home-dir /var/lib/linux_patch_api \
--no-create-home \
--shell /usr/sbin/nologin \
--comment "Linux Patch API Service" \
linux-patch-api
# Create required directories # Create required directories
mkdir -p /etc/linux_patch_api/certs mkdir -p /etc/linux_patch_api/certs
mkdir -p /var/lib/linux_patch_api mkdir -p /var/lib/linux_patch_api
mkdir -p /var/log/linux_patch_api mkdir -p /var/log/linux_patch_api
# Set proper ownership # Set proper ownership (service runs as root)
chown -R linux-patch-api:linux-patch-api /var/lib/linux_patch_api chown -R root:root /var/lib/linux_patch_api
chown -R linux-patch-api:linux-patch-api /var/log/linux_patch_api chown -R root:root /var/log/linux_patch_api
# Set secure permissions # Set secure permissions
chmod 750 /etc/linux_patch_api chmod 750 /etc/linux_patch_api
@ -98,19 +88,19 @@ chmod 750 /etc/linux_patch_api/certs
chmod 755 /var/lib/linux_patch_api chmod 755 /var/lib/linux_patch_api
chmod 755 /var/log/linux_patch_api chmod 755 /var/log/linux_patch_api
# Post-installation script # Post-installation script - copy configs, enable service (matches Debian postinst)
%post %post
# Copy example configs if they don't exist # Copy example configs if they don't exist
if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
chmod 640 /etc/linux_patch_api/config.yaml chmod 640 /etc/linux_patch_api/config.yaml
chown linux-patch-api:linux-patch-api /etc/linux_patch_api/config.yaml chown root:root /etc/linux_patch_api/config.yaml
fi fi
if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
chmod 640 /etc/linux_patch_api/whitelist.yaml chmod 640 /etc/linux_patch_api/whitelist.yaml
chown linux-patch-api:linux-patch-api /etc/linux_patch_api/whitelist.yaml chown root:root /etc/linux_patch_api/whitelist.yaml
fi fi
# Reload systemd daemon # Reload systemd daemon
@ -171,6 +161,12 @@ fi
# Changelog # Changelog
%changelog %changelog
* Mon May 19 2026 Echo <echo@moon-dragon.us> - 1.1.8-1
- Fix RPM packaging: add BuildRequires, runtime deps, match Debian install behavior
- Remove system user creation (service runs as root per systemd unit)
- Fix ownership to root:root matching Debian package
- Add openssl-libs and ca-certificates runtime dependencies
* Mon May 18 2026 Echo <echo@moon-dragon.us> - 1.1.8-1 * Mon May 18 2026 Echo <echo@moon-dragon.us> - 1.1.8-1
- Fix FQDN resolution: prioritize hostname -f over /etc/hostname - Fix FQDN resolution: prioritize hostname -f over /etc/hostname
- Fix display_name blank: add hostname field to enrollment request - Fix display_name blank: add hostname field to enrollment request

34
tasks/fix-non-ubuntu-packages.md Normal file
View File

@ -0,0 +1,34 @@
# Fix Non-Ubuntu Package Builds
## Goal
All platform packages must produce identical install results as the Debian/Ubuntu package.
## Debian Baseline Behavior
- No system user creation (service runs as root)
- Directory ownership: root:root
- Create dirs: /etc/linux_patch_api/certs, /var/lib/linux_patch_api, /var/log/linux_patch_api
- Permissions: 750 on config dirs, 755 on data/log dirs
- Copy .example configs to live configs if not present
- Enable service (systemd or rc-update)
- Print next-steps message
## Tasks
- [x] 1. Fix Arch linux-patch-api.install - removed system user creation, root:root ownership, matches Debian
- [x] 2. Fix Arch build-arch.sh - fixed $startdir path, added source=() array
- [x] 3. Fix RPM linux-patch-api.spec - uncommented BuildRequires, added runtime deps, removed system user, root:root ownership
- [x] 4. Fix Alpine linux-patch-api.apk-install - removed system user creation, root:root ownership, matches Debian
- [x] 5. Fix Alpine build-alpine.sh - co-located install script with APKBUILD, used install -Dm commands
- [ ] 6. Verify all platforms produce consistent results (needs CI run)
## Changes Summary
### Arch Linux
- **configs/linux-patch-api.install**: Removed user/group creation, changed ownership to root:root, matches Debian preinst/postinst
- **build-arch.sh**: Fixed PKGBUILD package() to use $startdir (not $srcdir), added source=() array
### RPM (Fedora/RHEL/CentOS)
- **linux-patch-api.spec**: Uncommented BuildRequires (cargo, rust, gcc, openssl-devel, systemd-devel, pkgconfig(systemd)), added runtime Requires (openssl-libs, ca-certificates), removed system user creation from %pre, changed ownership to root:root in %pre, matches Debian behavior in %post
### Alpine Linux
- **configs/linux-patch-api.apk-install**: Removed addgroup/adduser, changed ownership to root:root, matches Debian preinst/postinst
- **build-alpine.sh**: Restructured to co-locate install script with APKBUILD in workspace directory, used install -Dm commands in package() function, fixed $startdir references