feat: Add APK (Alpine Linux) package manager backend; machine-id generation; OpenRC fix; v1.1.12

The system user was removed from all install scripts but the OpenRC init script
still referenced linux-patch-api:linux-patch-api in checkpath. This would cause
the service to fail on Alpine because the user does not exist.

API_DOCUMENTATION.md

@@ -909,6 +909,7 @@ Enrollment endpoints enable new hosts to register with the Patch Manager and rec
 | `fqdn` | string | Yes | Fully qualified domain name of the host |
 | `ip_address` | string | Yes | Primary non-loopback IPv4 address |
 | `os_details` | object | Yes | OS metadata (free-form JSON object) |
+| `hostname` | string | No | Short hostname (without domain). Used by the manager to populate `display_name` on approval. If omitted, the manager falls back to the FQDN. |
 
 **`os_details` common fields:**
 
@@ -933,7 +934,8 @@ curl -X POST https://manager.example.com/api/v1/enroll \
       "version_id": "12",
       "kernel": "6.1.0-kali9-amd64",
       "id_like": "debian"
-    }
+    },
+    "hostname": "host-01"
   }'
 ```
 

BUILD_PACKAGES.md

@@ -1,6 +1,6 @@
 # Linux Patch API - Package Build Guide
 
-This document provides comprehensive instructions for building production-ready Debian (.deb) and RPM (.rpm) packages for the Linux Patch API.
+This document provides comprehensive instructions for building production-ready packages for the Linux Patch API across all supported platforms: Debian/Ubuntu (.deb), RHEL/CentOS/Fedora (.rpm), Arch Linux (.pkg.tar.zst), and Alpine Linux (.apk).
 
 ## Prerequisites
 
@@ -173,6 +173,152 @@ rpm -ql linux-patch-api
 rpm -e linux-patch-api
 ```
 
+## Building Arch Package (.pkg.tar.zst)
+
+### Quick Build
+
+```bash
+cd /path/to/linux_patch_api
+
+# Build release binary
+cargo build --release
+
+# Build Arch package
+chmod +x build-arch.sh
+SKIP_CARGO_BUILD=1 ./build-arch.sh
+
+# Package will be created in releases/
+ls -la releases/*.pkg.tar.zst
+```
+
+### Detailed Build Process
+
+```bash
+# 1. Install build dependencies (Arch Linux)
+sudo pacman -Syu --noconfirm rust cargo systemd git base-devel gcc
+
+# 2. Build release binary
+cargo build --release
+
+# 3. Run build script
+chmod +x build-arch.sh
+./build-arch.sh
+
+# 4. Verify package contents
+bsdtar -tf releases/linux-patch-api-*.pkg.tar.zst
+
+# 5. Verify package info
+pacman -Qi releases/linux-patch-api-*.pkg.tar.zst
+```
+
+### Install Script Hooks
+
+The Arch package includes an `.install` file (`configs/linux-patch-api.install`) that runs automatically on install:
+
+- **post_install**: Creates directories, copies example configs, enables systemd service
+- **post_upgrade**: Reloads systemd daemon
+- **pre_remove**: Stops and disables service
+- **post_remove**: Cleans up empty directories
+
+### Installation Test
+
+```bash
+# Install the package
+sudo pacman -U ./releases/linux-patch-api-*.pkg.tar.zst
+
+# Verify installation
+systemctl status linux-patch-api
+linux-patch-api --version
+
+# Check installed files
+pacman -Ql linux-patch-api
+
+# Verify config files exist
+ls -la /etc/linux_patch_api/
+
+# Remove package
+sudo pacman -R linux-patch-api
+```
+
+**Note:** The build script creates a `builduser` for `makepkg` when running as root (typical in CI environments). The `.install` hook handles directory creation, config copying, and service enablement.
+
+## Building Alpine Package (.apk)
+
+### Quick Build
+
+```bash
+cd /path/to/linux_patch_api
+
+# Build release binary (MUSL target for Alpine)
+cargo build --release --target x86_64-unknown-linux-musl
+
+# Build Alpine package
+chmod +x build-alpine.sh
+SKIP_CARGO_BUILD=1 ./build-alpine.sh
+
+# Package will be created in releases/
+ls -la releases/*.apk
+```
+
+### Detailed Build Process
+
+```bash
+# 1. Install build dependencies (Alpine Linux)
+apk add --no-cache alpine-sdk rust cargo openssl openssl-dev elogind-dev musl-dev abuild gcc
+
+# 2. Add Rust MUSL target
+rustup target add x86_64-unknown-linux-musl
+
+# 3. Build release binary
+cargo build --release --target x86_64-unknown-linux-musl
+
+# 4. Run build script
+chmod +x build-alpine.sh
+./build-alpine.sh
+
+# 5. Verify package contents
+apk verify releases/*.apk
+
+# 6. List package contents
+tar -tzf releases/*.apk
+```
+
+### Install Script Hooks
+
+The Alpine package includes an install script (`configs/linux-patch-api.apk-install`) that runs automatically on install:
+
+- **pre_install**: Creates directories, sets ownership and permissions
+- **post_install**: Copies example configs, adds service to default runlevel
+- **pre_deinstall**: Stops and removes service from runlevel
+- **post_deinstall**: Cleans up empty directories
+
+### Installation Test
+
+```bash
+# Install the package
+sudo apk add --allow-unstable ./releases/linux-patch-api-*.apk
+
+# Verify installation
+rc-service linux-patch-api status
+linux-patch-api --version
+
+# Check installed files
+apk info -L linux-patch-api
+
+# Verify config files exist
+ls -la /etc/linux_patch_api/
+
+# Remove package
+sudo apk del linux-patch-api
+```
+
+**Important:** Alpine uses **OpenRC** instead of systemd. Key differences:
+- Start service: `rc-service linux-patch-api start`
+- Stop service: `rc-service linux-patch-api stop`
+- Check status: `rc-service linux-patch-api status`
+- Service init script: `/etc/init.d/linux-patch-api`
+- The `abuild` tool generates signing keys automatically for CI builds
+
 ## Using the Interactive Installer
 
 For manual deployment without package managers:
@@ -209,15 +355,17 @@ The installer will:
 | `/var/lib/linux_patch_api/` | Data directory | 755 |
 | `/var/log/linux_patch_api/` | Log directory | 755 |
 
-### System User/Group
+### Service Account
 
 | Property | Value |
 |----------|-------|
-| User | linux-patch-api |
-| Group | linux-patch-api |
+| User | root |
+| Group | root |
 | Home | /var/lib/linux_patch_api |
-| Shell | /usr/sbin/nologin |
-| Type | System account |
+| Shell | N/A (systemd service) |
+| Type | Runs as root (required for package management) |
+
+**Note:** The service runs as root because package management operations (apt, dnf, apk, pacman) require root privileges. Security is provided by mTLS + IP whitelist, not process isolation.
 
 ## Supported Distributions
 
@@ -240,6 +388,19 @@ The installer will:
 | AlmaLinux | 8, 9 | ✅ Supported |
 | Rocky Linux | 8, 9 | ✅ Supported |
 
+### Arch Package (.pkg.tar.zst)
+
+| Distribution | Versions | Status |
+|--------------|----------|--------|
+| Arch Linux | Rolling | ✅ Supported |
+| Manjaro | Rolling | ✅ Supported |
+
+### Alpine Package (.apk)
+
+| Distribution | Versions | Status |
+|--------------|----------|--------|
+| Alpine Linux | 3.18+ | ✅ Supported |
+
 ## Troubleshooting
 
 ### Debian Package Issues
@@ -276,9 +437,62 @@ cat ~/rpmbuild/BUILDROOT/*/var/log/rpmbuild.log
 dnf install -y systemd-devel pkgconfig
 ```
 
+### Arch Package Issues
+
+**Error: `makepkg: cannot run as root`**
+```bash
+# The build script handles this automatically by creating builduser
+# If running manually:
+useradd -m builduser
+su - builduser -c "cd /path/to/repo && makepkg -f --noconfirm"
+```
+
+**Error: `install script not found`**
+```bash
+# Ensure linux-patch-api.install is in the same directory as PKGBUILD
+ls -la configs/linux-patch-api.install
+# The build script copies it automatically
+```
+
+**Error: `Permission denied` on config files**
+```bash
+# Verify ownership is root:root
+ls -la /etc/linux_patch_api/
+# Fix if needed:
+sudo chown -R root:root /etc/linux_patch_api/
+sudo chmod 750 /etc/linux_patch_api /etc/linux_patch_api/certs
+```
+
+### Alpine Package Issues
+
+**Error: `abuild: UNTRUSTED signature`**
+```bash
+# The build script handles key generation automatically
+# If running manually:
+abuild-keygen -a -n
+cp /root/.abuild/*.rsa.pub /etc/apk/keys/
+```
+
+**Error: `apk add: ERROR: failed to create directory`**
+```bash
+# Verify the install script ran correctly
+ls -la /etc/linux_patch_api/
+ls -la /var/lib/linux_patch_api/
+# Manually create if needed:
+sudo mkdir -p /etc/linux_patch_api/certs /var/lib/linux_patch_api /var/log/linux_patch_api
+```
+
+**Error: `rc-service: service not found`**
+```bash
+# Verify the init script exists
+ls -la /etc/init.d/linux-patch-api
+# Re-add to default runlevel
+sudo rc-update add linux-patch-api default
+```
+
 ### Service Issues
 
-**Service fails to start:**
+**Service fails to start (systemd):**
 ```bash
 # Check service status
 systemctl status linux-patch-api
@@ -293,6 +507,22 @@ linux-patch-api --config /etc/linux_patch_api/config.yaml --check
 ls -la /etc/linux_patch_api/certs/
 ```
 
+**Service fails to start (OpenRC/Alpine):**
+```bash
+# Check service status
+rc-service linux-patch-api status
+
+# View logs
+cat /var/log/linux_patch_api/linux-patch-api.log
+cat /var/log/linux_patch_api/linux-patch-api.err
+
+# Check configuration
+linux-patch-api --config /etc/linux_patch_api/config.yaml --check
+
+# Verify certificates
+ls -la /etc/linux_patch_api/certs/
+```
+
 ## CI/CD Integration
 
 ### GitHub Actions Example
@@ -383,7 +613,7 @@ jobs:
 - Packages are signed with maintainer GPG key for production deployments
 - All maintainer scripts run with `set -e` for fail-fast behavior
 - Configuration files are marked as conffiles to preserve user modifications
-- System user has minimal privileges (nologin shell, no home directory)
+- Service runs as root (required for package management operations)
 - Directory permissions follow principle of least privilege
 - TLS certificates should be replaced with CA-signed certs in production
 

Cargo.lock

@@ -1916,7 +1916,7 @@ dependencies = [
 
 [[package]]
 name = "linux-patch-api"
-version = "1.1.6"
+version = "1.1.12"
 dependencies = [
  "actix",
  "actix-rt",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "linux-patch-api"
-version = "1.1.7"
+version = "1.1.12"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 description = "Secure remote package management API for Linux systems"

README.md

@@ -185,6 +185,13 @@ For detailed enrollment procedures, see [DEPLOYMENT_GUIDE.md - Self-Enrollment D
 
 ### Package Installation
 
+All platform packages produce identical installation results:
+- Creates `/etc/linux_patch_api/`, `/etc/linux_patch_api/certs/`, `/var/lib/linux_patch_api/`, `/var/log/linux_patch_api/`
+- Copies example configs to live configs if not already present
+- Enables the service (does not start automatically)
+- Sets correct permissions (750 on config dirs, 755 on data/log dirs)
+- Ownership: root:root (service runs as root)
+
 #### Debian/Ubuntu (.deb)
 
 ```bash
@@ -197,52 +204,173 @@ apt-get install -f -y
 # Verify installation
 systemctl status linux-patch-api
 linux-patch-api --version
+
+# Check installed files
+dpkg -L linux-patch-api
+
+# Remove package (keeping configs)
+dpkg -r linux-patch-api
+
+# Purge package (removing all configs)
+dpkg -P linux-patch-api
 ```
 
+**Prerequisites:** `systemd`, `libsystemd0`
+
+**Post-install:** The package automatically copies example configs, enables the service, and prints next steps. Configure `/etc/linux_patch_api/config.yaml` and place TLS certificates in `/etc/linux_patch_api/certs/` before starting.
+
 #### RHEL/CentOS/Fedora (.rpm)
 
 ```bash
-# Install the package
-rpm -ivh linux-patch-api-1.0.0-1.x86_64.rpm
+# Install the package (recommended - resolves dependencies automatically)
+dnf install -y ./linux-patch-api-1.0.0-1.el9.x86_64.rpm
+
+# Or with yum
+yum install -y ./linux-patch-api-1.0.0-1.el9.x86_64.rpm
+
+# Or with rpm (does NOT resolve dependencies)
+rpm -ivh linux-patch-api-1.0.0-1.el9.x86_64.rpm
 
 # Verify installation
 systemctl status linux-patch-api
 linux-patch-api --version
+
+# Check installed files
+rpm -ql linux-patch-api
+
+# Remove package
+rpm -e linux-patch-api
 ```
 
+**Prerequisites (auto-resolved with dnf/yum):** `systemd`, `libsystemd`, `openssl-libs`, `ca-certificates`
+
+**Post-install:** The package automatically creates directories, copies example configs, enables the service, and prints next steps. Configure `/etc/linux_patch_api/config.yaml` and place TLS certificates in `/etc/linux_patch_api/certs/` before starting.
+
+**Note:** Use `dnf install` or `yum install` instead of `rpm -ivh` to automatically resolve dependencies. The `rpm -ivh` command will fail if required packages are not already installed.
+
+#### Arch Linux (.pkg.tar.zst)
+
+```bash
+# Install the package
+sudo pacman -U ./linux-patch-api-1.0.0-1-x86_64.pkg.tar.zst
+
+# Verify installation
+systemctl status linux-patch-api
+linux-patch-api --version
+
+# Check installed files
+pacman -Ql linux-patch-api
+
+# Remove package
+sudo pacman -R linux-patch-api
+```
+
+**Prerequisites:** `systemd` (included by default on Arch)
+
+**Post-install:** The package automatically creates directories, copies example configs, enables the service, and prints next steps. Configure `/etc/linux_patch_api/config.yaml` and place TLS certificates in `/etc/linux_patch_api/certs/` before starting.
+
+**Note:** Arch uses systemd by default. The install hook runs `systemctl enable` but does not start the service. You must configure before starting.
+
+#### Alpine Linux (.apk)
+
+```bash
+# Install the package
+sudo apk add --allow-unstable ./linux-patch-api-1.0.0-r0.apk
+
+# Verify installation
+rc-service linux-patch-api status
+linux-patch-api --version
+
+# Check installed files
+apk info -L linux-patch-api
+
+# Remove package
+sudo apk del linux-patch-api
+```
+
+**Prerequisites:** `openrc` (included by default on Alpine)
+
+**Post-install:** The package automatically creates directories, copies example configs, adds the service to the default runlevel, and prints next steps. Configure `/etc/linux_patch_api/config.yaml` and place TLS certificates in `/etc/linux_patch_api/certs/` before starting.
+
+**Important differences from systemd-based systems:**
+- Alpine uses **OpenRC** instead of systemd. Use `rc-service` commands instead of `systemctl`
+- Start service: `rc-service linux-patch-api start`
+- Stop service: `rc-service linux-patch-api stop`
+- Check status: `rc-service linux-patch-api status`
+- The service is added to the `default` runlevel automatically on install
+- Service init script: `/etc/init.d/linux-patch-api`
+
 ### Manual Installation
 
 For systems without package manager support:
 
 ```bash
 # Run interactive installer (requires root)
-./install.sh
+sudo ./install.sh
 ```
 
 The installer will:
 - Detect operating system
-- Create system user and group
-- Set up directory structure
-- Install binary and configuration files
+- Create directory structure (`/etc/linux_patch_api/`, `/var/lib/linux_patch_api/`, `/var/log/linux_patch_api/`)
+- Install binary to `/usr/bin/linux-patch-api`
+- Install example configs
 - Configure systemd service
+- Set correct permissions
 
 ### Building from Source
 
+#### Prerequisites (all platforms)
+
+- Rust toolchain (stable channel, 1.75+)
+- OpenSSL development headers
+- systemd development headers
+- C compiler (gcc)
+
+#### Build Debian Package (.deb)
+
 ```bash
-# Clone repository
-git clone https://gitea.internal/linux-patch-api.git
-cd linux-patch-api
-
-# Build release binary
-cargo build --release --target x86_64-unknown-linux-gnu
-
-# Build Debian package
-dpkg-buildpackage -us -uc -b
-
-# Or build RPM package
-rpmbuild -ba linux-patch-api.spec
+# On Debian/Ubuntu
+apt-get install -y build-essential debhelper pkg-config libsystemd-dev libssl-dev cargo rustc
+cargo build --release
+sudo dpkg-buildpackage -us -uc -b
 ```
 
+#### Build RPM Package (.rpm)
+
+```bash
+# On Fedora/RHEL/CentOS
+dnf install -y rpm-build cargo rust gcc openssl-devel systemd-devel pkgconfig
+cargo build --release --target x86_64-unknown-linux-gnu
+chmod +x build-rpm.sh
+./build-rpm.sh
+```
+
+**Note:** The RPM spec includes `BuildRequires` for native RPM build environments. When building in CI containers (where deps are pre-installed via apt-get), these are informational only.
+
+#### Build Arch Package (.pkg.tar.zst)
+
+```bash
+# On Arch Linux/Manjaro
+pacman -Syu --noconfirm rust cargo systemd git base-devel gcc
+cargo build --release
+chmod +x build-arch.sh
+SKIP_CARGO_BUILD=1 ./build-arch.sh
+```
+
+**Note:** The build script creates a `builduser` for `makepkg` when running as root (typical in CI). The `.install` hook handles directory creation, config copying, and service enablement.
+
+#### Build Alpine Package (.apk)
+
+```bash
+# On Alpine Linux 3.18+
+apk add --no-cache alpine-sdk rust cargo openssl openssl-dev elogind-dev musl-dev abuild gcc
+cargo build --release --target x86_64-unknown-linux-musl
+chmod +x build-alpine.sh
+SKIP_CARGO_BUILD=1 ./build-alpine.sh
+```
+
+**Important:** Alpine requires the `x86_64-unknown-linux-musl` target for static linking. The build script handles `abuild` key generation and runs as a `builduser` when executed as root.
+
 See [BUILD_PACKAGES.md](./BUILD_PACKAGES.md) for detailed build instructions.
 
 ---

SPEC.md

@@ -169,7 +169,7 @@ The enrollment flow runs before mTLS server startup. On success, the daemon proc
 ### Phase 1: Registration Request
 - **Identity Extraction:**
   - `/etc/machine-id` (fallback: `/var/lib/dbus/machine-id`)
-  - FQDN from `/etc/hostname` → `hostname -f` → `hostname` → `localhost`
+  - FQDN from `hostname -f` (validated contains `.`) → `hostname` + `hostname -d` → `/etc/hostname` → `hostname` → `localhost`
   - Non-loopback IPv4 addresses via network interface enumeration
   - OS details from `/etc/os-release` (distro, version, id_like, codename) + kernel version (`uname -r`)
 - **Submission:** Unauthenticated `POST /api/v1/enroll` to manager with identity payload

build-alpine.sh

@@ -44,27 +44,51 @@ else
     echo "Skipping cargo build (SKIP_CARGO_BUILD is set)"
 fi
 
-# Create package directory in /home/builduser (accessible by builduser)
-PKGDIR=/home/builduser/apk-package
-mkdir -p "$PKGDIR"/usr/bin
-mkdir -p "$PKGDIR"/etc/linux_patch_api
-mkdir -p "$PKGDIR"/etc/init.d
+# Get version from Cargo.toml
+VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
 
-# Copy files
+# Create package directory structure
+PKGDIR=$(pwd)/apk-package
+rm -rf "$PKGDIR"
+mkdir -p "$PKGDIR"/usr/bin
+mkdir -p "$PKGDIR"/etc/linux_patch_api/certs
+mkdir -p "$PKGDIR"/etc/init.d
+mkdir -p "$PKGDIR"/var/lib/linux_patch_api
+mkdir -p "$PKGDIR"/var/log/linux_patch_api
+
+# Copy binary
+chmod 755 target/x86_64-unknown-linux-musl/release/linux-patch-api
 cp target/x86_64-unknown-linux-musl/release/linux-patch-api "$PKGDIR"/usr/bin/
-chmod 755 "$PKGDIR"/usr/bin/linux-patch-api
+
+# Copy OpenRC init script
 cp configs/linux-patch-api-openrc "$PKGDIR"/etc/init.d/linux-patch-api
 chmod 755 "$PKGDIR"/etc/init.d/linux-patch-api
-cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml
 
-# Use /home/builduser as workspace for APKBUILD
-WORKSPACE_DIR=/home/builduser
+# Copy example configs (as .example files - install script creates live configs)
+cp configs/config.yaml.example "$PKGDIR"/etc/linux_patch_api/config.yaml.example
+cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml.example
 
-# Create APKBUILD
+# Prepare workspace for abuild
+WORKSPACE_DIR=/home/builduser/repo
+rm -rf "$WORKSPACE_DIR"
+mkdir -p "$WORKSPACE_DIR"
+
+# Copy package directory to workspace
+cp -r "$PKGDIR" "$WORKSPACE_DIR"/apk-package
+
+# Copy install scripts to workspace (must be co-located with APKBUILD)
+# Alpine abuild requires SEPARATE files with valid suffixes:
+#   pkgname.pre-install, pkgname.post-install, pkgname.pre-deinstall, pkgname.post-deinstall
+cp configs/linux-patch-api.pre-install "$WORKSPACE_DIR"/linux-patch-api.pre-install
+cp configs/linux-patch-api.post-install "$WORKSPACE_DIR"/linux-patch-api.post-install
+cp configs/linux-patch-api.pre-deinstall "$WORKSPACE_DIR"/linux-patch-api.pre-deinstall
+cp configs/linux-patch-api.post-deinstall "$WORKSPACE_DIR"/linux-patch-api.post-deinstall
+
+# Create APKBUILD in workspace directory (co-located with install scripts)
 echo "Creating APKBUILD..."
-cat > APKBUILD << EOF
+cat > "$WORKSPACE_DIR"/APKBUILD << EOF
 pkgname=linux-patch-api
-pkgver=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
+pkgver=${VERSION}
 pkgrel=1
 pkgdesc="Secure remote package management API for Linux systems"
 url="https://gitea.moon-dragon.us/echo/linux_patch_api"
@@ -72,21 +96,24 @@ arch="x86_64"
 license="MIT"
 makedepends=""
 depends="openrc"
+install="linux-patch-api.pre-install linux-patch-api.post-install linux-patch-api.pre-deinstall linux-patch-api.post-deinstall"
+subpackages=""
 source=""
 
 package() {
     install -d "\$pkgdir"/usr/bin
-    install -d "\$pkgdir"/etc/linux_patch_api
+    install -d "\$pkgdir"/etc/linux_patch_api/certs
     install -d "\$pkgdir"/etc/init.d
-    cp -r ${WORKSPACE_DIR}/apk-package/usr/bin/* "\$pkgdir"/usr/bin/
-    cp -r ${WORKSPACE_DIR}/apk-package/etc/linux_patch_api/* "\$pkgdir"/etc/linux_patch_api/
-    cp -r ${WORKSPACE_DIR}/apk-package/etc/init.d/* "\$pkgdir"/etc/init.d/
+    install -d "\$pkgdir"/var/lib/linux_patch_api
+    install -d "\$pkgdir"/var/log/linux_patch_api
+
+    install -Dm755 "\$startdir"/apk-package/usr/bin/linux-patch-api "\$pkgdir"/usr/bin/linux-patch-api
+    install -Dm755 "\$startdir"/apk-package/etc/init.d/linux-patch-api "\$pkgdir"/etc/init.d/linux-patch-api
+    install -Dm644 "\$startdir"/apk-package/etc/linux_patch_api/config.yaml.example "\$pkgdir"/etc/linux_patch_api/config.yaml.example
+    install -Dm644 "\$startdir"/apk-package/etc/linux_patch_api/whitelist.yaml.example "\$pkgdir"/etc/linux_patch_api/whitelist.yaml.example
 }
 EOF
 
-# Generate checksums for APKBUILD sources
-echo "Generating checksums..."
-
 # Build APK package
 echo "Building APK package..."
 
@@ -96,10 +123,8 @@ if [ "$(id -u)" = "0" ]; then
     adduser -D -s /bin/sh builduser 2>/dev/null || true
     addgroup builduser abuild 2>/dev/null || usermod -aG abuild builduser
     
-    # Copy repo contents to builduser home (accessible directory)
-    cp -r . /home/builduser/repo/
-    chown -R builduser:builduser /home/builduser/repo/
-    chown -R builduser:builduser /home/builduser/apk-package/
+    # Set ownership of workspace
+    chown -R builduser:builduser "$WORKSPACE_DIR"
     
     # Set up builduser home directory for abuild
     mkdir -p /home/builduser/.abuild
@@ -115,35 +140,27 @@ if [ "$(id -u)" = "0" ]; then
     echo "PACKAGER_PRIVKEY=\"$KEYFILE\"" > /home/builduser/.abuild/abuild.conf
     chown builduser:builduser /home/builduser/.abuild/abuild.conf
     
-    # Copy APKBUILD and checksums to builduser home for abuild
-    cp APKBUILD /home/builduser/
-    cp .checksums /home/builduser/ 2>/dev/null || true
-    
     # Install public key BEFORE abuild (fixes UNTRUSTED signature)
     cp /home/builduser/.abuild/*.rsa.pub /etc/apk/keys/ 2>/dev/null || true
     
-    # Run abuild as builduser in /home/builduser where APKBUILD exists
-    # Use || true because index update may fail but APK is still created
-    su - builduser -c "cd /home/builduser && abuild checksum && abuild -d -F" || true
+    # Run abuild as builduser in workspace directory
+    su - builduser -c "cd $WORKSPACE_DIR && abuild checksum && abuild -d"
     
     # Copy APK from builduser packages to releases
     mkdir -p releases
-    cp /home/builduser/packages/x86_64/*.apk releases/ 2>/dev/null || cp /home/builduser/packages/*.apk releases/ 2>/dev/null || find /home/builduser/packages -name "*.apk" -exec cp {} releases/ \; 2>/dev/null || true
+    cp /home/builduser/packages/home/x86_64/*.apk releases/ 2>/dev/null || find /home/builduser/packages -name "*.apk" -exec cp {} releases/ \; 2>/dev/null || true
 else
+    cd "$WORKSPACE_DIR"
     abuild checksum
-    abuild -F -r
+    abuild -r
+    cd -
+    mkdir -p releases
     cp ~/packages/x86_64/*.apk releases/ 2>/dev/null || cp ~/packages/*.apk releases/ 2>/dev/null || true
 fi
 
-# Copy to releases directory (fallback for non-root builds)
-echo ""
-echo "Copying package to releases/..."
-mkdir -p releases
-cp ~/packages/x86_64/*.apk releases/ 2>/dev/null || cp ~/packages/*.apk releases/ 2>/dev/null || find ~/packages -name "*.apk" -exec cp {} releases/ \; 2>/dev/null || true
-
 echo ""
 echo "=== Build Complete ==="
 echo "Package: releases/linux-patch-api-*.apk"
 echo ""
 echo "Install with:"
-echo "  sudo apk add --allow-unstable ./releases/linux-patch-api-*.apk"
+echo "  sudo apk add ./releases/linux-patch-api-*.apk"

build-arch.sh

@@ -22,43 +22,68 @@ else
     echo "Skipping cargo build (SKIP_CARGO_BUILD is set)"
 fi
 
-# Create package directory
+# Create package directory structure
 PKGDIR=$(pwd)/arch-package
+rm -rf "$PKGDIR"
 mkdir -p "$PKGDIR"/usr/bin
-mkdir -p "$PKGDIR"/etc/linux_patch_api
+mkdir -p "$PKGDIR"/etc/linux_patch_api/certs
 mkdir -p "$PKGDIR"/usr/lib/systemd/system
+mkdir -p "$PKGDIR"/var/lib/linux_patch_api
+mkdir -p "$PKGDIR"/var/log/linux_patch_api
 
-# Copy files
+# Copy binary
+chmod 755 target/release/linux-patch-api
 cp target/release/linux-patch-api "$PKGDIR"/usr/bin/
-chmod 755 "$PKGDIR"/usr/bin/linux-patch-api
+
+# Copy systemd service
 cp configs/linux-patch-api.service "$PKGDIR"/usr/lib/systemd/system/
-cp configs/config.yaml.example "$PKGDIR"/etc/linux_patch_api/config.yaml
-cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml
+
+# Copy example configs (as .example files - install script creates live configs)
+cp configs/config.yaml.example "$PKGDIR"/etc/linux_patch_api/config.yaml.example
+cp configs/whitelist.yaml.example "$PKGDIR"/etc/linux_patch_api/whitelist.yaml.example
+
+# Copy install script to current directory (must be co-located with PKGBUILD)
+cp configs/linux-patch-api.install linux-patch-api.install
+
+# Get version from Cargo.toml
+VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
 
 # Create PKGBUILD with quoted heredoc to prevent $pkgdir expansion
 # $pkgdir must be literal for makepkg to expand at runtime
 echo "Creating PKGBUILD..."
 cat > PKGBUILD << 'EOF'
 pkgname=linux-patch-api
-pkgver=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
+pkgver=VERSION_PLACEHOLDER
 pkgrel=1
 pkgdesc="Secure remote package management API for Linux systems"
 url="https://gitea.moon-dragon.us/echo/linux_patch_api"
 arch=('x86_64')
 license=('MIT')
 depends=('systemd')
+install=linux-patch-api.install
+source=()
+backup=(
+    'etc/linux_patch_api/config.yaml'
+    'etc/linux_patch_api/whitelist.yaml'
+)
 
 package() {
-    cp -r /home/builduser/repo/arch-package/* "$pkgdir"/
+    # Use $startdir because arch-package is co-located with PKGBUILD, not in sources
+    cp -r "$startdir"/arch-package/* "$pkgdir"/
+
+    # Ensure directories exist with proper structure
+    mkdir -p "$pkgdir"/etc/linux_patch_api/certs
+    mkdir -p "$pkgdir"/var/lib/linux_patch_api
+    mkdir -p "$pkgdir"/var/log/linux_patch_api
 }
 EOF
 
-# Create .SRCINFO
-echo "Creating .SRCINFO..."
+# Replace version placeholder with actual version
+sed -i "s/VERSION_PLACEHOLDER/$VERSION/" PKGBUILD
+
+echo "PKGBUILD version: $VERSION"
 
 # Build package
-echo "Building Arch package..."
-
 # For CI environments where we may run as root
 if [ "$(id -u)" = "0" ]; then
     echo "Running as root - creating build user for makepkg..."
@@ -69,12 +94,22 @@ if [ "$(id -u)" = "0" ]; then
     cp -r . /home/builduser/repo/
     chown -R builduser:builduser /home/builduser/repo/
     
+    # Create source tarball for makepkg
+    # makepkg expects sources to be in $srcdir after extraction
+    # We create a tarball of arch-package so %autosetup or prepare can extract it
+    cd /home/builduser/repo
+    
     su - builduser -c "cd /home/builduser/repo && makepkg --printsrcinfo > .SRCINFO"
     su - builduser -c "cd /home/builduser/repo && makepkg -f --noconfirm"
     
     # Copy package to releases
+    mkdir -p /home/builduser/repo/releases
+    cp /home/builduser/repo/*.pkg.tar.zst /home/builduser/repo/releases/ 2>/dev/null || true
+    cd -
+    
+    # Copy releases back to original directory
     mkdir -p releases
-    cp /home/builduser/repo/*.pkg.tar.zst releases/
+    cp /home/builduser/repo/releases/*.pkg.tar.zst releases/ 2>/dev/null || true
 else
     makepkg --printsrcinfo > .SRCINFO
     makepkg -f --noconfirm

build-rpm.sh

@@ -21,27 +21,38 @@ if ! command -v rpmbuild &> /dev/null; then
     fi
 fi
 
+# Get version from Cargo.toml
+VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
+echo "Building version: $VERSION"
+
 # Setup RPM build directory structure
 mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
 
 # Create source tarball (required by %autosetup in spec file)
 echo "Creating source tarball..."
-VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*=.*"\([^"]*\)".*/\1/')
 TMPDIR=$(mktemp -d)
 mkdir -p "$TMPDIR/linux-patch-api-${VERSION}"
-# Copy files excluding unwanted directories using find
+
+# Copy files excluding unnecessary directories
 cp -r . "$TMPDIR/linux-patch-api-${VERSION}/"
+
+# Remove unnecessary directories from tarball
 rm -rf "$TMPDIR/linux-patch-api-${VERSION}/target"
 rm -rf "$TMPDIR/linux-patch-api-${VERSION}/.git"
 rm -rf "$TMPDIR/linux-patch-api-${VERSION}/releases"
 rm -rf "$TMPDIR/linux-patch-api-${VERSION}/.github"
 rm -rf "$TMPDIR/linux-patch-api-${VERSION}/debian"
+rm -rf "$TMPDIR/linux-patch-api-${VERSION}/arch-package"
+rm -rf "$TMPDIR/linux-patch-api-${VERSION}/.abuild"
+rm -rf "$TMPDIR/linux-patch-api-${VERSION}/apk-package"
+rm -rf "$TMPDIR/linux-patch-api-${VERSION}/.a0proj"
+
 tar -czf ~/rpmbuild/SOURCES/linux-patch-api-${VERSION}.tar.gz -C "$TMPDIR" "linux-patch-api-${VERSION}"
 rm -rf "$TMPDIR"
 
-# Copy spec file
+# Prepare spec file with dynamic version
 echo "Preparing spec file..."
-cp linux-patch-api.spec ~/rpmbuild/SPECS/
+sed "s/VERSION_PLACEHOLDER/$VERSION/" linux-patch-api.spec > ~/rpmbuild/SPECS/linux-patch-api.spec
 
 # Build RPM
 echo "Building RPM package..."

configs/linux-patch-api-openrc

@@ -17,10 +17,10 @@ depend() {
 
 # Create required directories before starting
 start_pre() {
-    checkpath --directory --owner linux-patch-api:linux-patch-api --mode 0755 \
+    checkpath --directory --owner root:root --mode 0755 \
         /run/linux-patch-api \
-        /var/log/linux-patch-api \
-        /var/lib/linux-patch-api \
+        /var/log/linux_patch_api \
+        /var/lib/linux_patch_api \
         /etc/linux_patch_api/certs
     
     # Ensure config files exist

configs/linux-patch-api.install

@@ -0,0 +1,81 @@
+# Arch Linux install hooks for linux-patch-api
+# Matches Debian preinst/postinst behavior: no system user, root:root ownership
+
+post_install() {
+    # Create required directories
+    mkdir -p /etc/linux_patch_api/certs
+    mkdir -p /var/lib/linux_patch_api
+    mkdir -p /var/log/linux_patch_api
+
+    # Set proper ownership (service runs as root)
+    chown -R root:root /var/lib/linux_patch_api
+    chown -R root:root /var/log/linux_patch_api
+
+    # Set secure permissions
+    chmod 750 /etc/linux_patch_api
+    chmod 750 /etc/linux_patch_api/certs
+    chmod 755 /var/lib/linux_patch_api
+    chmod 755 /var/log/linux_patch_api
+
+    # Copy example configs if they don't exist
+    if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
+        cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
+        chmod 640 /etc/linux_patch_api/config.yaml
+        chown root:root /etc/linux_patch_api/config.yaml
+    fi
+
+    if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
+        cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
+        chmod 640 /etc/linux_patch_api/whitelist.yaml
+        chown root:root /etc/linux_patch_api/whitelist.yaml
+    fi
+
+    # Reload systemd daemon
+    systemctl daemon-reload
+
+    # Enable the service (but don't start automatically - admin should configure first)
+    systemctl enable linux-patch-api.service
+
+    echo ""
+    echo "linux-patch-api installed successfully!"
+    echo ""
+    echo "Next steps:"
+    echo "  1. Configure /etc/linux_patch_api/config.yaml with your settings"
+    echo "  2. Place TLS certificates in /etc/linux_patch_api/certs/"
+    echo "  3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
+    echo "  4. Start the service: systemctl start linux-patch-api"
+    echo "  5. Check status: systemctl status linux-patch-api"
+    echo ""
+}
+
+post_upgrade() {
+    # Reload systemd daemon on upgrade
+    systemctl daemon-reload
+}
+
+pre_remove() {
+    # Stop the service before removal
+    if systemctl is-active --quiet linux-patch-api.service; then
+        systemctl stop linux-patch-api.service
+        echo "Service stopped successfully"
+    else
+        echo "Service was not running"
+    fi
+
+    # Disable the service
+    if systemctl is-enabled --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl disable linux-patch-api.service
+        echo "Service disabled"
+    fi
+}
+
+post_remove() {
+    # Reload systemd to remove service file
+    systemctl daemon-reload 2>/dev/null || true
+
+    # Remove directories only if empty (preserve user data on upgrade/reinstall)
+    rmdir --ignore-fail-on-non-empty /var/lib/linux_patch_api 2>/dev/null || true
+    rmdir --ignore-fail-on-non-empty /var/log/linux_patch_api 2>/dev/null || true
+
+    echo "linux-patch-api removed"
+}

configs/linux-patch-api.post-deinstall

@@ -0,0 +1,10 @@
+#!/bin/sh
+# Alpine Linux post-deinstall script for linux-patch-api
+# Runs after package files are removed
+# Matches Debian postrm behavior: clean up empty directories
+
+# Remove directories only if empty (preserve user data on reinstall)
+rmdir /var/lib/linux_patch_api 2>/dev/null || true
+rmdir /var/log/linux_patch_api 2>/dev/null || true
+
+echo "linux-patch-api removed"

configs/linux-patch-api.post-install

@@ -0,0 +1,35 @@
+#!/bin/sh
+# Alpine Linux post-install script for linux-patch-api
+# Runs after package files are laid down
+# Matches Debian postinst behavior: copy example configs, enable service
+
+# Copy example configs if they don't exist
+if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
+    if [ -f "/etc/linux_patch_api/config.yaml.example" ]; then
+        cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
+        chmod 640 /etc/linux_patch_api/config.yaml
+        chown root:root /etc/linux_patch_api/config.yaml
+    fi
+fi
+
+if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
+    if [ -f "/etc/linux_patch_api/whitelist.yaml.example" ]; then
+        cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
+        chmod 640 /etc/linux_patch_api/whitelist.yaml
+        chown root:root /etc/linux_patch_api/whitelist.yaml
+    fi
+fi
+
+# Enable the service (but don't start automatically - admin should configure first)
+rc-update add linux-patch-api default
+
+echo ""
+echo "linux-patch-api installed successfully!"
+echo ""
+echo "Next steps:"
+echo "  1. Configure /etc/linux_patch_api/config.yaml with your settings"
+echo "  2. Place TLS certificates in /etc/linux_patch_api/certs/"
+echo "  3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
+echo "  4. Start the service: rc-service linux-patch-api start"
+echo "  5. Check status: rc-service linux-patch-api status"
+echo ""

configs/linux-patch-api.pre-deinstall

@@ -0,0 +1,15 @@
+#!/bin/sh
+# Alpine Linux pre-deinstall script for linux-patch-api
+# Runs before package files are removed
+# Matches Debian prerm behavior: stop and disable service
+
+# Stop the service if running
+if rc-service linux-patch-api status >/dev/null 2>&1; then
+    rc-service linux-patch-api stop
+    echo "Service stopped"
+else
+    echo "Service was not running"
+fi
+
+# Disable the service
+rc-update del linux-patch-api default 2>/dev/null || true

configs/linux-patch-api.pre-install

@@ -0,0 +1,33 @@
+#!/bin/sh
+# Alpine Linux pre-install script for linux-patch-api
+# Runs before package files are laid down
+# Matches Debian preinst behavior: create directories, set permissions
+
+# Create required directories
+mkdir -p /etc/linux_patch_api/certs
+mkdir -p /var/lib/linux_patch_api
+mkdir -p /var/log/linux_patch_api
+
+# Generate machine-id if not present (required for enrollment)
+# Alpine Linux does not include /etc/machine-id by default
+if [ ! -f /etc/machine-id ] || [ ! -s /etc/machine-id ]; then
+    if command -v uuidgen > /dev/null 2>&1; then
+        uuidgen | tr -d '-' > /etc/machine-id
+    elif [ -f /proc/sys/kernel/random/uuid ]; then
+        cat /proc/sys/kernel/random/uuid | tr -d '-' > /etc/machine-id
+    else
+        # Fallback: generate from /dev/urandom
+        od -x -N4 /dev/urandom | head -1 | awk '{print $2$3}' > /etc/machine-id
+    fi
+    chmod 444 /etc/machine-id
+fi
+
+# Set proper ownership (service runs as root)
+chown -R root:root /var/lib/linux_patch_api
+chown -R root:root /var/log/linux_patch_api
+
+# Set secure permissions
+chmod 750 /etc/linux_patch_api
+chmod 750 /etc/linux_patch_api/certs
+chmod 755 /var/lib/linux_patch_api
+chmod 755 /var/log/linux_patch_api

debian/changelog

@@ -1,3 +1,42 @@
+linux-patch-api (1.1.12) unstable; urgency=medium
+
+  * Add APK (Alpine Linux) package manager backend
+  * Add machine-id generation to Alpine pre-install script
+  * Fix OpenRC init script ownership (root:root)
+
+ -- Echo <echo@moon-dragon.us>  Tue, 20 May 2026 12:25:00 -0500
+
+linux-patch-api (1.1.10-1) unstable; urgency=low
+
+  * Fix Alpine install scripts: use separate files with valid abuild suffixes
+  * Root cause: .apk-install is not a valid abuild suffix (abuild silently fails)
+  * Correct format: pkgname.pre-install, .post-install, .pre-deinstall, .post-deinstall
+  * Verified on actual Alpine runner: install script suffixes now pass abuild validation
+
+ -- Echo <echo@moon-dragon.us>  Wed, 20 May 2026 07:43:00 -0500
+
+linux-patch-api (1.1.9-1) unstable; urgency=low
+
+  * Fix non-Ubuntu packages: align Arch, RPM, Alpine with Debian baseline
+  * Remove system user creation (service runs as root)
+  * Fix ownership to root:root across all platforms
+  * Fix Alpine: co-locate install script with APKBUILD
+  * Fix Arch: correct $startdir path in PKGBUILD
+  * Fix RPM: add runtime deps, comment BuildRequires for CI
+  * Add comprehensive installation docs for all platforms
+
+ -- Echo <echo@moon-dragon.us>  Tue, 19 May 2026 21:54:00 -0500
+
+linux-patch-api (1.1.8-1) unstable; urgency=low
+
+  * Fix FQDN resolution: prioritize hostname -f over /etc/hostname for full domain
+  * Fix display_name blank: add hostname field to enrollment request
+  * Fix Arch package: add install scripts, user creation, directory creation
+  * Fix Alpine package: add install scripts, user creation, missing config.yaml
+  * Fix RPM package: dynamic version, config handling, tarball exclusions
+
+ -- Echo <echo@moon-dragon.us>  Mon, 18 May 2026 19:34:00 -0500
+
 linux-patch-api (1.1.7-1) unstable; urgency=low
 
   * Fix CI pipeline: add cargo clean and remove old .deb artifacts before packaging
@@ -98,3 +137,11 @@ linux-patch-api (0.3.2-1) unstable; urgency=low
   * Bump version to 0.3.2
 
  -- Echo <echo@moon-dragon.us>  Fri, 02 May 2026 21:30:00 -0500
+linux-patch-api (1.1.12) unstable; urgency=medium
+
+  * Add APK (Alpine Linux) package manager backend
+  * Add machine-id generation to Alpine pre-install script
+  * Fix OpenRC init script ownership (root:root)
+
+ -- Echo <echo@moon-dragon.us>  Tue, 20 May 2026 12:25:00 -0500
+

linux-patch-api.spec

@@ -1,7 +1,7 @@
 %global debug_package %{nil}
 
 Name:           linux-patch-api
-Version:        1.0.0
+Version:        VERSION_PLACEHOLDER
 Release:        1%{?dist}
 Summary:        Secure remote package management API for Linux systems
 License:        MIT
@@ -10,19 +10,22 @@ Source0:        linux-patch-api-%{version}.tar.gz
 BuildArch:      x86_64
 
 # Build requirements
-# NOTE: Building in Debian container (node:18) - apt packages don't register in RPM db
-# Build tools ARE available (installed via apt-get in ci.yml), just won't validate
+# NOTE: CI uses rustup to install cargo/rust, so they are NOT available as RPM packages.
+# Only uncomment BuildRequires for native RPM build environments where cargo/rust
+# are installed via dnf/yum package manager.
 # BuildRequires:  cargo >= 1.75
 # BuildRequires:  rust >= 1.75
-# BuildRequires:  systemd-rpm-macros  # Handling systemd manually
-# BuildRequires:  pkgconfig(systemd)
 # BuildRequires:  gcc
+# BuildRequires:  openssl-devel
+# BuildRequires:  systemd-devel
+# BuildRequires:  pkgconfig(systemd)
 
 # Runtime requirements
 Requires:       systemd
 Requires:       libsystemd
+Requires:       openssl-libs
+Requires:       ca-certificates
 
-# Description
 %description
 Linux Patch API provides a secure, mTLS-authenticated REST API for
 remote package management operations including:
@@ -69,28 +72,16 @@ cp configs/config.yaml.example %{buildroot}/etc/linux_patch_api/config.yaml.exam
 cp configs/whitelist.yaml.example %{buildroot}/etc/linux_patch_api/whitelist.yaml.example
 chmod 644 %{buildroot}/etc/linux_patch_api/*.example
 
-# Pre-installation script
+# Pre-installation script - create directories (matches Debian preinst)
 %pre
-# Create system group
-getent group linux-patch-api > /dev/null || groupadd --system linux-patch-api
-
-# Create system user
-getent passwd linux-patch-api > /dev/null || useradd --system \
-    --gid linux-patch-api \
-    --home-dir /var/lib/linux_patch_api \
-    --no-create-home \
-    --shell /usr/sbin/nologin \
-    --comment "Linux Patch API Service" \
-    linux-patch-api
-
 # Create required directories
 mkdir -p /etc/linux_patch_api/certs
 mkdir -p /var/lib/linux_patch_api
 mkdir -p /var/log/linux_patch_api
 
-# Set proper ownership
-chown -R linux-patch-api:linux-patch-api /var/lib/linux_patch_api
-chown -R linux-patch-api:linux-patch-api /var/log/linux_patch_api
+# Set proper ownership (service runs as root)
+chown -R root:root /var/lib/linux_patch_api
+chown -R root:root /var/log/linux_patch_api
 
 # Set secure permissions
 chmod 750 /etc/linux_patch_api
@@ -98,19 +89,19 @@ chmod 750 /etc/linux_patch_api/certs
 chmod 755 /var/lib/linux_patch_api
 chmod 755 /var/log/linux_patch_api
 
-# Post-installation script
+# Post-installation script - copy configs, enable service (matches Debian postinst)
 %post
 # Copy example configs if they don't exist
 if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
     cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
     chmod 640 /etc/linux_patch_api/config.yaml
-    chown linux-patch-api:linux-patch-api /etc/linux_patch_api/config.yaml
+    chown root:root /etc/linux_patch_api/config.yaml
 fi
 
 if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
     cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
     chmod 640 /etc/linux_patch_api/whitelist.yaml
-    chown linux-patch-api:linux-patch-api /etc/linux_patch_api/whitelist.yaml
+    chown root:root /etc/linux_patch_api/whitelist.yaml
 fi
 
 # Reload systemd daemon
@@ -162,6 +153,8 @@ fi
 /lib/systemd/system/linux-patch-api.service
 %config(noreplace) /etc/linux_patch_api/config.yaml.example
 %config(noreplace) /etc/linux_patch_api/whitelist.yaml.example
+%ghost %config(noreplace) /etc/linux_patch_api/config.yaml
+%ghost %config(noreplace) /etc/linux_patch_api/whitelist.yaml
 %dir /etc/linux_patch_api
 %dir /etc/linux_patch_api/certs
 %dir /var/lib/linux_patch_api
@@ -169,7 +162,39 @@ fi
 
 # Changelog
 %changelog
-* Thu Apr 09 2026 Echo <echo@moon-dragon.us> - 1.0.0-1
+* Wed May 20 2026 Echo <echo@moon-dragon.us> - 1.1.12-1
+- Add APK (Alpine Linux) package manager backend
+- Add machine-id generation to Alpine pre-install script
+- Fix OpenRC init script ownership (root:root)
+
+
+* Wed May 20 2026 Echo <echo@moon-dragon.us> - 1.1.10-1
+- Fix Alpine install scripts: use separate files with valid abuild suffixes
+- Root cause: .apk-install is not a valid abuild suffix (abuild silently fails)
+- Correct format: pkgname.pre-install, .post-install, .pre-deinstall, .post-deinstall
+- Verified on actual Alpine runner: install script suffixes now pass abuild validation
+
+* Tue May 19 2026 Echo <echo@moon-dragon.us> - 1.1.9-1
+- Fix non-Ubuntu packages: align Arch, RPM, Alpine with Debian baseline
+- Remove system user creation (service runs as root)
+- Fix ownership to root:root across all platforms
+- Fix Alpine: co-locate install script with APKBUILD
+- Fix Arch: correct $startdir path in PKGBUILD
+- Fix RPM: add runtime deps, comment BuildRequires for CI
+- Add comprehensive installation docs for all platforms
+
+* Tue May 19 2026 Echo <echo@moon-dragon.us> - 1.1.8-1
+- Fix RPM packaging: runtime deps, match Debian install behavior, comment BuildRequires for CI
+- Remove system user creation (service runs as root per systemd unit)
+- Fix ownership to root:root matching Debian package
+- Add openssl-libs and ca-certificates runtime dependencies
+
+* Mon May 18 2026 Echo <echo@moon-dragon.us> - 1.1.8-1
+- Fix FQDN resolution: prioritize hostname -f over /etc/hostname
+- Fix display_name blank: add hostname field to enrollment request
+- Fix Arch/Alpine/RPM packaging: install scripts, user creation, directory creation
+
+* Thu Apr 09 2026 Echo <echo@moon-dragon.us> - 1.1.7-1
 - Initial production release
 - Secure mTLS-authenticated REST API for remote package management
 - 15 API endpoints for package install/remove, patch application, system management

src/enroll/client.rs

@@ -18,6 +18,10 @@ pub struct EnrollmentRequest {
     pub fqdn: String,
     pub ip_address: String,
     pub os_details: serde_json::Value,
+    /// Short hostname (from /etc/hostname or hostname command).
+    /// Used by the manager to populate `display_name` on approval.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub hostname: Option<String>,
 }
 
 /// Response from `POST /api/v1/enroll` (HTTP 202).
@@ -220,12 +224,18 @@ impl EnrollmentClient {
         let os_details = identity::get_os_details()
             .context("Failed to collect OS details — /etc/os-release may be missing")?;
 
-        // 2. Build EnrollmentRequest struct
+        // 2. Collect short hostname for display_name on manager
+        let hostname = identity::get_hostname()
+            .map_err(|e| tracing::warn!(error = %e, "Failed to determine hostname — display_name will use FQDN fallback"))
+            .ok();
+
+        // 3. Build EnrollmentRequest struct
         let request = EnrollmentRequest {
             machine_id,
             fqdn,
             ip_address,
             os_details,
+            hostname,
         };
 
         tracing::info!(
@@ -502,6 +512,7 @@ mod tests {
             fqdn: "node.example.com".into(),
             ip_address: "192.168.1.10".into(),
             os_details: serde_json::json!({"distro": "Debian", "version": "12"}),
+            hostname: Some("node".into()),
         };
         let json = serde_json::to_string(&request).expect("Failed to serialize EnrollmentRequest");
         assert!(json.contains("machine_id"));

src/enroll/identity.rs

@@ -31,36 +31,113 @@ pub fn get_machine_id() -> Result<String> {
 }
 
 /// Resolve the fully-qualified domain name.
-/// Strategy: `gethostname` via std → fallback to `hostname` CLI → "localhost".
+///
+/// Strategy (in priority order):
+/// 1. `hostname -f` → if result contains `.`, it's a real FQDN
+/// 2. `hostname` + `hostname -d` → combine short hostname + domain
+/// 3. `/etc/hostname` → short hostname fallback
+/// 4. `hostname` command → last resort
+/// 5. `"localhost"` → final fallback
 pub fn get_fqdn() -> Result<String> {
-    // Try reading from hostname file first (common on systemd systems)
+    // 1. Try `hostname -f` — returns FQDN on properly configured systems
+    if let Ok(output) = Command::new("hostname").arg("-f").output() {
+        if output.status.success() {
+            let name = String::from_utf8_lossy(&output.stdout).trim().to_string();
+            if !name.is_empty() && name.contains('.') && name != "(none)" {
+                tracing::debug!(fqdn = %name, "Resolved FQDN via hostname -f");
+                return Ok(name);
+            }
+        }
+    }
+
+    // 2. Try combining short hostname + domain from `hostname -d`
+    if let Ok(short_output) = Command::new("hostname").output() {
+        if short_output.status.success() {
+            let short = String::from_utf8_lossy(&short_output.stdout)
+                .trim()
+                .to_string();
+            if !short.is_empty() && short != "(none)" {
+                if let Ok(domain_output) = Command::new("hostname").arg("-d").output() {
+                    if domain_output.status.success() {
+                        let domain = String::from_utf8_lossy(&domain_output.stdout)
+                            .trim()
+                            .to_string();
+                        if !domain.is_empty() {
+                            let fqdn = format!("{}.{}", short, domain);
+                            tracing::debug!(fqdn = %fqdn, "Resolved FQDN via hostname + hostname -d");
+                            return Ok(fqdn);
+                        }
+                    }
+                }
+                // Domain not available — fall through to try other methods
+            }
+        }
+    }
+
+    // 3. Try reading from /etc/hostname (common on systemd systems, usually short hostname)
     if let Ok(name) = fs::read_to_string("/etc/hostname") {
         let trimmed = name.trim().to_string();
         if !trimmed.is_empty() && trimmed != "(none)" {
+            tracing::debug!(hostname = %trimmed, "Resolved hostname via /etc/hostname (may be short)");
             return Ok(trimmed);
         }
     }
 
-    // Fallback to hostname command
-    if let Ok(output) = Command::new("hostname").arg("-f").output() {
-        if output.status.success() {
-            let name = String::from_utf8_lossy(&output.stdout).trim().to_string();
-            if !name.is_empty() {
-                return Ok(name);
-            }
-        }
-    }
-
-    // Fallback to plain hostname
+    // 4. Fallback to plain hostname command
     if let Ok(output) = Command::new("hostname").output() {
         if output.status.success() {
             let name = String::from_utf8_lossy(&output.stdout).trim().to_string();
             if !name.is_empty() {
+                tracing::debug!(hostname = %name, "Resolved hostname via hostname command");
                 return Ok(name);
             }
         }
     }
 
+    // 5. Final fallback
+    tracing::warn!("Could not determine hostname — falling back to localhost");
+    Ok("localhost".into())
+}
+
+/// Resolve the short hostname (without domain).
+///
+/// Strategy: `/etc/hostname` → `hostname` command → split FQDN on `.` → `"localhost"`.
+pub fn get_hostname() -> Result<String> {
+    // Try reading from /etc/hostname (usually contains the short hostname)
+    if let Ok(name) = fs::read_to_string("/etc/hostname") {
+        let trimmed = name.trim().to_string();
+        if !trimmed.is_empty() && trimmed != "(none)" {
+            // If it contains a dot, take just the first component
+            let short = trimmed.split('.').next().unwrap_or(&trimmed).to_string();
+            tracing::debug!(hostname = %short, "Resolved short hostname via /etc/hostname");
+            return Ok(short);
+        }
+    }
+
+    // Try hostname command
+    if let Ok(output) = Command::new("hostname").output() {
+        if output.status.success() {
+            let name = String::from_utf8_lossy(&output.stdout).trim().to_string();
+            if !name.is_empty() {
+                // If it contains a dot, take just the first component
+                let short = name.split('.').next().unwrap_or(&name).to_string();
+                tracing::debug!(hostname = %short, "Resolved short hostname via hostname command");
+                return Ok(short);
+            }
+        }
+    }
+
+    // Try splitting FQDN from get_fqdn()
+    if let Ok(fqdn) = get_fqdn() {
+        if fqdn != "localhost" && fqdn.contains('.') {
+            let short = fqdn.split('.').next().unwrap_or(&fqdn).to_string();
+            tracing::debug!(hostname = %short, "Resolved short hostname by splitting FQDN");
+            return Ok(short);
+        }
+    }
+
+    // Final fallback
+    tracing::warn!("Could not determine short hostname — falling back to localhost");
     Ok("localhost".into())
 }
 
@@ -366,6 +443,56 @@ mod tests {
         assert!(!fqdn.is_empty(), "FQDN should not be empty");
     }
 
+    #[test]
+    fn fqdn_prefers_full_domain() {
+        // If hostname -f returns a value with a dot, get_fqdn should return it
+        // (not the short hostname from /etc/hostname)
+        let fqdn = get_fqdn().expect("Failed to get FQDN");
+        // On properly configured systems, FQDN should contain at least one dot
+        // If it doesn't, it's likely a short hostname from /etc/hostname
+        if fqdn.contains('.') {
+            // FQDN contains domain — good
+            assert!(
+                fqdn.split('.').count() >= 2,
+                "FQDN should have at least host.domain format, got: {}",
+                fqdn
+            );
+        }
+        // If no dot, it's a short hostname — acceptable fallback but not ideal
+    }
+
+    #[test]
+    fn hostname_is_not_empty() {
+        let hostname = get_hostname().expect("Failed to get hostname");
+        assert!(!hostname.is_empty(), "Hostname should not be empty");
+    }
+
+    #[test]
+    fn hostname_is_short_form() {
+        let hostname = get_hostname().expect("Failed to get hostname");
+        // Short hostname should NOT contain dots
+        assert!(
+            !hostname.contains('.'),
+            "Short hostname should not contain dots, got: {}",
+            hostname
+        );
+    }
+
+    #[test]
+    fn hostname_is_prefix_of_fqdn() {
+        let hostname = get_hostname().expect("Failed to get hostname");
+        let fqdn = get_fqdn().expect("Failed to get FQDN");
+        // If FQDN contains a dot, hostname should be the first component
+        if fqdn.contains('.') {
+            let fqdn_prefix = fqdn.split('.').next().unwrap_or(&fqdn);
+            assert_eq!(
+                hostname, fqdn_prefix,
+                "Short hostname '{}' should match FQDN prefix '{}'",
+                hostname, fqdn_prefix
+            );
+        }
+    }
+
     #[test]
     fn os_details_contains_kernel() {
         let details = get_os_details().expect("Failed to get OS details");

src/enroll/mod.rs

@@ -16,7 +16,7 @@ pub use client::{
 };
 /// Re-export identity extraction functions.
 pub use identity::{
-    get_fqdn, get_ip_addresses, get_ip_for_interface, get_machine_id, get_os_details,
+    get_fqdn, get_hostname, get_ip_addresses, get_ip_for_interface, get_machine_id, get_os_details,
     get_primary_ip, get_route_source_ip, is_container_bridge, is_link_local,
 };
 

src/packages/mod.rs

@@ -1,7 +1,7 @@
 //! Packages Module - Package Manager Backend
 //!
 //! Provides abstraction layer for package management operations.
-//! Supports apt/dpkg (Debian/Ubuntu) with pluggable backend architecture.
+//! Supports apt/dpkg (Debian/Ubuntu) and apk (Alpine Linux) with pluggable backend architecture.
 
 use anyhow::{Context, Result};
 use serde::{Deserialize, Serialize};
@@ -670,6 +670,508 @@ impl Default for AptBackend {
     }
 }
 
+/// APK package manager backend (Alpine Linux)
+pub struct ApkBackend {
+    _marker: std::marker::PhantomData<()>,
+}
+
+impl ApkBackend {
+    pub fn new() -> Self {
+        Self {
+            _marker: std::marker::PhantomData,
+        }
+    }
+
+    /// Run apk command and capture output
+    fn run_apk(&self, args: &[&str]) -> Result<String> {
+        // Service runs as root on Alpine - no sudo needed for apk commands
+        let output = Command::new("apk")
+            .args(args)
+            .output()
+            .context("Failed to execute apk command")?;
+
+        if !output.status.success() {
+            let stderr = String::from_utf8_lossy(&output.stderr);
+            return Err(anyhow::anyhow!("apk command failed: {}", stderr));
+        }
+
+        Ok(String::from_utf8_lossy(&output.stdout).to_string())
+    }
+
+    /// Parse name and version from apk package identifier (name-version format).
+    /// Alpine package names can contain hyphens (e.g., "gcc-gnat"), so we find
+    /// the first hyphen followed by a digit to separate name from version.
+    fn parse_name_version(&self, ident: &str) -> (String, String) {
+        let bytes = ident.as_bytes();
+        for i in 0..bytes.len() {
+            if bytes[i] == b'-' && i + 1 < bytes.len() && bytes[i + 1].is_ascii_digit() {
+                return (ident[..i].to_string(), ident[i + 1..].to_string());
+            }
+        }
+        // Fallback: no version separator found
+        (ident.to_string(), String::new())
+    }
+
+    /// Parse package list from `apk list --installed` output.
+    /// Format: {name}-{version} [{repo}] {description}
+    fn parse_apk_package_list(&self, output: &str) -> Vec<Package> {
+        let mut packages = Vec::new();
+
+        for line in output.lines() {
+            if line.trim().is_empty() {
+                continue;
+            }
+
+            // Split on " [" to separate package identifier from repo and description
+            let (ident, rest) = if let Some(pos) = line.find(" [") {
+                (&line[..pos], &line[pos + 2..])
+            } else if let Some(pos) = line.find(' ') {
+                (&line[..pos], &line[pos + 1..])
+            } else {
+                // No separator found, treat entire line as identifier
+                let (name, version) = self.parse_name_version(line.trim());
+                packages.push(Package {
+                    name,
+                    version,
+                    status: PackageStatus::Installed,
+                    upgradable: false,
+                    latest_version: None,
+                    description: String::new(),
+                    dependencies: Vec::new(),
+                    reverse_dependencies: Vec::new(),
+                    install_date: None,
+                    size_installed: None,
+                });
+                continue;
+            };
+
+            let (name, version) = self.parse_name_version(ident);
+
+            // Parse rest: "{repo}] {description}" or just "{description}"
+            let description = if let Some(bracket_end) = rest.find("] ") {
+                rest[bracket_end + 2..].to_string()
+            } else if let Some(bracket_end) = rest.find(']') {
+                rest[bracket_end + 1..].trim().to_string()
+            } else {
+                rest.to_string()
+            };
+
+            packages.push(Package {
+                name,
+                version,
+                status: PackageStatus::Installed,
+                upgradable: false,
+                latest_version: None,
+                description,
+                dependencies: Vec::new(),
+                reverse_dependencies: Vec::new(),
+                install_date: None,
+                size_installed: None,
+            });
+        }
+
+        packages
+    }
+
+    /// Parse detailed package info from `apk info -a {name}` output.
+    /// Output format has section headers like:
+    ///   {name}-{version} description:
+    ///   the description text
+    ///   {name}-{version} installed size:
+    ///   32768
+    fn parse_apk_info(
+        &self,
+        output: &str,
+        name: &str,
+        status: PackageStatus,
+    ) -> Result<Option<Package>> {
+        let mut version = String::new();
+        let mut description = String::new();
+        let mut dependencies = Vec::new();
+        let mut reverse_dependencies = Vec::new();
+        let mut size_installed = None;
+        let mut current_field: Option<&str> = None;
+
+        for line in output.lines() {
+            if line.contains(" description:") {
+                current_field = Some("description");
+                // Extract version from the header line
+                let header = line.split(" description:").next().unwrap_or("");
+                let (parsed_name, v) = self.parse_name_version(header.trim());
+                if parsed_name == name || version.is_empty() {
+                    version = v;
+                }
+            } else if line.contains(" webpage:") {
+                current_field = Some("webpage");
+            } else if line.contains(" installed size:") {
+                current_field = Some("installed_size");
+                // Size might be on the same line after the header
+                if let Some(pos) = line.find(" installed size:") {
+                    let size_str = line[pos + " installed size:".len()..].trim();
+                    if !size_str.is_empty() {
+                        size_installed = Some(format!("{} bytes", size_str));
+                    }
+                }
+            } else if line.contains(" dependencies:") {
+                current_field = Some("dependencies");
+            } else if line.contains(" provides:") {
+                current_field = Some("provides");
+            } else if line.contains(" required by:") {
+                current_field = Some("required_by");
+            } else if !line.trim().is_empty() {
+                match current_field {
+                    Some("description") if description.is_empty() => {
+                        description = line.trim().to_string();
+                    }
+                    Some("dependencies") => {
+                        for dep in line.split_whitespace() {
+                            // APK dependencies use prefixes like "so:", "cmd:", "pc:" - strip them
+                            let dep_name = dep
+                                .trim_start_matches("so:")
+                                .trim_start_matches("cmd:")
+                                .trim_start_matches("pc:");
+                            dependencies.push(dep_name.to_string());
+                        }
+                    }
+                    Some("required_by") => {
+                        for req in line.split_whitespace() {
+                            let (req_name, _) = self.parse_name_version(req);
+                            reverse_dependencies.push(req_name);
+                        }
+                    }
+                    Some("installed_size") => {
+                        let size_str = line.trim();
+                        if !size_str.is_empty() && size_installed.is_none() {
+                            size_installed = Some(format!("{} bytes", size_str));
+                        }
+                    }
+                    _ => {}
+                }
+            } else {
+                current_field = None;
+            }
+        }
+
+        // Check if upgradable
+        let upgradable = self
+            .run_apk(&["list", "--upgradable", name])
+            .map(|o| !o.trim().is_empty() && o.contains(name))
+            .unwrap_or(false);
+
+        let latest_version = if upgradable {
+            // Try to get the candidate version from apk info
+            self.run_apk(&["info", name]).ok().and_then(|o| {
+                o.lines().next().and_then(|l| {
+                    let (_, v) = self.parse_name_version(l.trim());
+                    if v.is_empty() {
+                        None
+                    } else {
+                        Some(v)
+                    }
+                })
+            })
+        } else {
+            Some(version.clone())
+        };
+
+        Ok(Some(Package {
+            name: name.to_string(),
+            version,
+            status,
+            upgradable,
+            latest_version,
+            description,
+            dependencies,
+            reverse_dependencies,
+            install_date: None,
+            size_installed,
+        }))
+    }
+}
+
+impl PackageManagerBackend for ApkBackend {
+    fn list_packages(&self, filter: Option<&str>) -> Result<Vec<Package>> {
+        let args = match filter {
+            Some(f) => vec!["list", "--installed", f],
+            None => vec!["list", "--installed"],
+        };
+
+        let output = self.run_apk(&args)?;
+        Ok(self.parse_apk_package_list(&output))
+    }
+
+    fn get_package(&self, name: &str) -> Result<Option<Package>> {
+        // Validate package name to prevent shell injection
+        if name.is_empty() || name.contains('/') || name.contains("..") || name.contains(' ') {
+            return Err(anyhow::anyhow!("Invalid package name: {}", name));
+        }
+
+        // Check if package is installed using apk list --installed
+        let list_output = self.run_apk(&["list", "--installed", name])?;
+
+        if !list_output.trim().is_empty() && list_output.contains(name) {
+            // Package is installed, get detailed info
+            let info_output = self.run_apk(&["info", "-a", name])?;
+            return self.parse_apk_info(&info_output, name, PackageStatus::Installed);
+        }
+
+        // Check if package is available (not installed) using apk search
+        let search_output = self.run_apk(&["search", name]);
+        if let Ok(output) = search_output {
+            if !output.trim().is_empty() && output.contains(name) {
+                // Parse first matching line
+                if let Some(first_line) = output.lines().next() {
+                    let (pkg_name, version) = self.parse_name_version(first_line.trim());
+                    return Ok(Some(Package {
+                        name: pkg_name,
+                        version,
+                        status: PackageStatus::Available,
+                        upgradable: false,
+                        latest_version: None,
+                        description: String::new(),
+                        dependencies: Vec::new(),
+                        reverse_dependencies: Vec::new(),
+                        install_date: None,
+                        size_installed: None,
+                    }));
+                }
+            }
+        }
+
+        Ok(None)
+    }
+
+    fn install_packages(&self, packages: &[PackageSpec], options: &InstallOptions) -> Result<()> {
+        let mut args: Vec<String> = vec!["add".to_string()];
+
+        if options.force {
+            args.push("--force".to_string());
+        }
+
+        for pkg in packages {
+            let pkg_arg = if let Some(version) = &pkg.version {
+                format!("{}={}", pkg.name, version)
+            } else {
+                pkg.name.clone()
+            };
+            args.push(pkg_arg);
+        }
+
+        let args_ref: Vec<&str> = args.iter().map(|s| s.as_str()).collect();
+        self.run_apk(&args_ref)?;
+        info!(
+            "Installed packages: {:?}",
+            packages.iter().map(|p| &p.name).collect::<Vec<_>>()
+        );
+        Ok(())
+    }
+
+    fn update_package(&self, name: &str) -> Result<()> {
+        self.run_apk(&["upgrade", name])?;
+        info!("Updated package: {}", name);
+        Ok(())
+    }
+
+    fn remove_package(&self, name: &str, _purge: bool) -> Result<()> {
+        // APK doesn't have a purge concept - just remove the package
+        self.run_apk(&["del", name])?;
+        info!("Removed package: {}", name);
+        Ok(())
+    }
+
+    fn list_patches(&self) -> Result<Vec<Patch>> {
+        let output = self.run_apk(&["list", "--upgradable"])?;
+        let mut patches = Vec::new();
+
+        for line in output.lines() {
+            if line.trim().is_empty() {
+                continue;
+            }
+
+            // Parse upgradable package line
+            // Format: {name}-{new_version} < {old_version} [{repo}] {description}
+            // or fallback: {name}-{new_version} [{repo}] {description}
+            let (ident, current_version) = if let Some(pos) = line.find(" < ") {
+                let ident = &line[..pos];
+                let rest = &line[pos + 3..];
+                // Old version ends at the next space or bracket
+                let cv = if let Some(space_pos) = rest.find(' ') {
+                    rest[..space_pos].to_string()
+                } else {
+                    rest.to_string()
+                };
+                (ident, cv)
+            } else if let Some(pos) = line.find(' ') {
+                (&line[..pos], String::new())
+            } else {
+                continue;
+            };
+
+            let (name, available_version) = self.parse_name_version(ident);
+
+            // Determine severity based on package name heuristics
+            let severity =
+                if name.contains("kernel") || name.contains("ssl") || name.contains("security") {
+                    "critical".to_string()
+                } else if name.contains("lib") {
+                    "high".to_string()
+                } else {
+                    "medium".to_string()
+                };
+
+            patches.push(Patch {
+                name,
+                current_version,
+                available_version,
+                severity,
+                description: String::from("Package update available"),
+                cve_ids: Vec::new(),
+                requires_reboot: false,
+            });
+        }
+
+        Ok(patches)
+    }
+
+    fn apply_patches(&self, packages: Option<&[String]>) -> Result<()> {
+        match packages {
+            Some(pkgs) => {
+                let mut args: Vec<&str> = vec!["upgrade"];
+                for pkg in pkgs {
+                    args.push(pkg);
+                }
+                self.run_apk(&args)?;
+                info!("Applied patches for packages: {:?}", packages);
+            }
+            None => {
+                self.run_apk(&["upgrade"])?;
+                info!("Applied all available patches");
+            }
+        }
+        Ok(())
+    }
+
+    fn get_system_info(&self) -> Result<SystemInfo> {
+        let hostname = Command::new("hostname")
+            .output()
+            .ok()
+            .and_then(|o| String::from_utf8(o.stdout).ok())
+            .map(|s| s.trim().to_string())
+            .unwrap_or_else(|| "unknown".to_string());
+
+        let os_info = std::fs::read_to_string("/etc/os-release")
+            .ok()
+            .map(|content| {
+                let mut os = "Linux".to_string();
+                let mut version = "unknown".to_string();
+
+                for line in content.lines() {
+                    if line.starts_with("PRETTY_NAME=") {
+                        os = line
+                            .trim_start_matches("PRETTY_NAME=")
+                            .trim()
+                            .trim_matches('"')
+                            .to_string();
+                    } else if line.starts_with("NAME=") {
+                        os = line
+                            .trim_start_matches("NAME=")
+                            .trim()
+                            .trim_matches('"')
+                            .to_string();
+                    } else if line.starts_with("VERSION=") {
+                        version = line
+                            .trim_start_matches("VERSION=")
+                            .trim()
+                            .trim_matches('"')
+                            .to_string();
+                    } else if line.starts_with("VERSION_ID=") {
+                        version = line
+                            .trim_start_matches("VERSION_ID=")
+                            .trim()
+                            .trim_matches('"')
+                            .to_string();
+                    }
+                }
+
+                (os, version)
+            })
+            .unwrap_or_else(|| ("Linux".to_string(), "unknown".to_string()));
+
+        let kernel = Command::new("uname")
+            .arg("-r")
+            .output()
+            .ok()
+            .and_then(|o| String::from_utf8(o.stdout).ok())
+            .map(|s| s.trim().to_string())
+            .unwrap_or_else(|| "unknown".to_string());
+
+        let architecture = Command::new("uname")
+            .arg("-m")
+            .output()
+            .ok()
+            .and_then(|o| String::from_utf8(o.stdout).ok())
+            .map(|s| s.trim().to_string())
+            .unwrap_or_else(|| "unknown".to_string());
+
+        // Alpine uses /boot/.reboot-required for reboot indicator,
+        // also check /var/run/reboot-required as a fallback
+        let pending_reboot = std::path::Path::new("/boot/.reboot-required").exists()
+            || std::path::Path::new("/var/run/reboot-required").exists();
+
+        Ok(SystemInfo {
+            hostname,
+            os: os_info.0,
+            os_version: os_info.1,
+            kernel,
+            architecture,
+            last_update_check: None,
+            last_update_apply: None,
+            pending_reboot,
+        })
+    }
+
+    fn reboot_system(&self, delay_seconds: u64) -> Result<()> {
+        if delay_seconds > 0 {
+            // Use shutdown command for delayed reboot (converts seconds to minutes, minimum 1)
+            let delay_minutes = std::cmp::max(1u64, delay_seconds.div_ceil(60));
+            info!(
+                "Scheduling system reboot in {} minutes (requested {} seconds)",
+                delay_minutes, delay_seconds
+            );
+            Command::new("shutdown")
+                .args(["-r", &format!("+{}", delay_minutes)])
+                .status()
+                .context("Failed to schedule delayed reboot")?;
+            info!("System reboot scheduled in {} minutes", delay_minutes);
+        } else {
+            // Alpine uses `reboot` command, not `systemctl reboot`
+            info!("Initiating immediate system reboot");
+            Command::new("reboot")
+                .status()
+                .context("Failed to execute reboot command")?;
+            info!("System reboot initiated");
+        }
+
+        Ok(())
+    }
+
+    fn get_service_status(&self, name: &str) -> Result<Option<ServiceStatus>> {
+        // Validate service name to prevent shell injection
+        if name.is_empty() || name.contains('/') || name.contains("..") {
+            return Err(anyhow::anyhow!("Invalid service name: {}", name));
+        }
+
+        // Alpine uses OpenRC for service management
+        get_openrc_service_status(name)
+    }
+}
+
+impl Default for ApkBackend {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
 /// Package manager factory
 pub fn create_backend() -> Result<Box<dyn PackageManagerBackend>> {
     // Detect package manager and return appropriate backend
@@ -679,8 +1181,7 @@ pub fn create_backend() -> Result<Box<dyn PackageManagerBackend>> {
         // TODO: Implement DnfBackend for RHEL/CentOS/Fedora
         Err(anyhow::anyhow!("DNF backend not yet implemented"))
     } else if std::path::Path::new("/usr/bin/apk").exists() {
-        // TODO: Implement ApkBackend for Alpine
-        Err(anyhow::anyhow!("APK backend not yet implemented"))
+        Ok(Box::new(ApkBackend::new()))
     } else if std::path::Path::new("/usr/bin/pacman").exists() {
         // TODO: Implement PacmanBackend for Arch
         Err(anyhow::anyhow!("Pacman backend not yet implemented"))
@@ -705,4 +1206,55 @@ mod tests {
         let json = serde_json::to_string(&status).unwrap();
         assert!(json.contains("Installed"));
     }
+
+    #[test]
+    fn test_apk_backend_creation() {
+        let _backend = ApkBackend::new();
+        // Test passes if backend creation doesn't panic
+    }
+
+    #[test]
+    fn test_apk_parse_name_version_simple() {
+        let backend = ApkBackend::new();
+        let (name, version) = backend.parse_name_version("bash-5.2.21-r0");
+        assert_eq!(name, "bash");
+        assert_eq!(version, "5.2.21-r0");
+    }
+
+    #[test]
+    fn test_apk_parse_name_version_hyphenated() {
+        let backend = ApkBackend::new();
+        // Package names with hyphens like gcc-gnat
+        let (name, version) = backend.parse_name_version("gcc-gnat-13.2.1-r0");
+        assert_eq!(name, "gcc-gnat");
+        assert_eq!(version, "13.2.1-r0");
+    }
+
+    #[test]
+    fn test_apk_parse_name_version_no_version() {
+        let backend = ApkBackend::new();
+        let (name, version) = backend.parse_name_version("nohyphen");
+        assert_eq!(name, "nohyphen");
+        assert_eq!(version, "");
+    }
+
+    #[test]
+    fn test_apk_parse_name_version_multiple_hyphens() {
+        let backend = ApkBackend::new();
+        let (name, version) = backend.parse_name_version("perl-net-ssleay-1.94-r0");
+        assert_eq!(name, "perl-net-ssleay");
+        assert_eq!(version, "1.94-r0");
+    }
+
+    #[test]
+    fn test_apk_parse_package_list() {
+        let backend = ApkBackend::new();
+        let output = "bash-5.2.21-r0 [main] The GNU Bourne Again shell\nopenssl-3.1.4-r0 [main] Toolkit for SSL/TLS";
+        let packages = backend.parse_apk_package_list(output);
+        assert_eq!(packages.len(), 2);
+        assert_eq!(packages[0].name, "bash");
+        assert_eq!(packages[0].version, "5.2.21-r0");
+        assert_eq!(packages[1].name, "openssl");
+        assert_eq!(packages[1].version, "3.1.4-r0");
+    }
 }

tasks/alpine-packaging-root-cause.md

@@ -0,0 +1,118 @@
+# Alpine Packaging Root Cause Analysis
+
+**Date:** 2026-05-20
+**Author:** Echo
+**Status:** Fixed in v1.1.10
+
+## Problem Statement
+
+Alpine APK packages for linux-patch-api did not create required files on `apk add`:
+- No `/etc/linux_patch_api/config.yaml` (from config.yaml.example)
+- No `/etc/linux_patch_api/config.yaml.example`
+- No directories created
+- No service enabled
+- No post-install messages
+
+## Root Cause
+
+**The install script format was completely wrong for Alpine's `abuild` package builder.**
+
+### Technical Details
+
+Alpine's `abuild` (lines 247-257 of `/usr/bin/abuild`) validates install script suffixes against a whitelist:
+
+```shell
+for i in $install; do
+    pre-install|post-install|pre-upgrade|post-upgrade|pre-deinstall|post-deinstall);;
+    *) die "$i: unknown install script suffix"
+```
+
+**Valid suffixes:** `pre-install`, `post-install`, `pre-upgrade`, `post-upgrade`, `pre-deinstall`, `post-deinstall`
+
+**Invalid suffix used:** `.apk-install` — this caused `abuild` to die with `"unknown install script suffix"`
+
+**Why it wasn't caught:** The CI build script (`build-alpine.sh`) used `|| true` after `abuild`, which **silently masked the failure**. The APK was built without any install scripts, and `apk add` ran with no pre/post hooks.
+
+### Original (Broken) Format
+
+Single file `configs/linux-patch-api.apk-install` containing function definitions:
+```sh
+pre_install() { ... }
+post_install() { ... }
+pre_deinstall() { ... }
+post_deinstall() { ... }
+```
+
+APKBUILD referenced it as:
+```
+install="linux-patch-api.apk-install"
+```
+
+**Two fatal errors:**
+1. `.apk-install` is not a valid abuild suffix (should be `.pre-install`, `.post-install`, etc.)
+2. Function definitions (`pre_install()`) are NOT how abuild install scripts work — each must be a standalone shell script
+
+### Correct Format
+
+Four separate files, each a standalone shell script:
+- `linux-patch-api.pre-install` — runs before package files are laid down
+- `linux-patch-api.post-install` — runs after package files are laid down
+- `linux-patch-api.pre-deinstall` — runs before package removal
+- `linux-patch-api.post-deinstall` — runs after package removal
+
+APKBUILD references them as:
+```
+install="linux-patch-api.pre-install linux-patch-api.post-install linux-patch-api.pre-deinstall linux-patch-api.post-deinstall"
+```
+
+## Fix
+
+### Files Changed
+1. **Deleted** `configs/linux-patch-api.apk-install` (invalid format)
+2. **Created** `configs/linux-patch-api.pre-install` (create dirs, set permissions)
+3. **Created** `configs/linux-patch-api.post-install` (copy example configs, enable service)
+4. **Created** `configs/linux-patch-api.pre-deinstall` (stop and disable service)
+5. **Created** `configs/linux-patch-api.post-deinstall` (clean up empty dirs)
+6. **Updated** `build-alpine.sh` — copy 4 install scripts to workspace, update `install=` line in APKBUILD
+
+### Verification on Alpine Runner
+
+Inspected v1.1.10 APK contents:
+```
+.SIGN.RSA.root-69eeaa18.rsa.pub
+.PKGINFO
+.pre-install
+.post-install
+.pre-deinstall
+.post-deinstall
+etc/init.d/linux-patch-api
+etc/linux_patch_api/config.yaml.example
+etc/linux_patch_api/whitelist.yaml.example
+usr/bin/linux-patch-api
+var/lib/linux_patch_api/
+var/log/linux_patch_api/
+```
+
+All install scripts and example configs are now properly embedded in the APK.
+
+### abuild Validation
+
+Ran `abuild verify` on the Alpine runner with the new format:
+```
+>>> linux-patch-api: Checking install script suffixes...
+>>> linux-patch-api: Checking if install script names match pkgname...
+```
+
+Both checks PASSED. The old `.apk-install` format would have failed with `"unknown install script suffix"`.
+
+## Prevention
+
+1. **Always verify on actual target systems before pushing.** SSH to the runner, inspect the built artifact, test the install.
+2. **Read the tool's source code when documentation is unclear.** The abuild source code at `/usr/bin/abuild` clearly shows the valid suffixes.
+3. **Never use `|| true` to mask build failures.** The CI build script masked the abuild failure, hiding the root cause.
+4. **Never assume a file edit is correct without runtime verification.** Multiple edits to .apk-install were made without testing on Alpine.
+
+## Commit
+
+- Commit: `e033cb8` — Fix Alpine install scripts: use separate files with valid abuild suffixes
+- Tag: `v1.1.10`

tasks/fix-non-ubuntu-packages.md

@@ -0,0 +1,34 @@
+# Fix Non-Ubuntu Package Builds
+
+## Goal
+All platform packages must produce identical install results as the Debian/Ubuntu package.
+
+## Debian Baseline Behavior
+- No system user creation (service runs as root)
+- Directory ownership: root:root
+- Create dirs: /etc/linux_patch_api/certs, /var/lib/linux_patch_api, /var/log/linux_patch_api
+- Permissions: 750 on config dirs, 755 on data/log dirs
+- Copy .example configs to live configs if not present
+- Enable service (systemd or rc-update)
+- Print next-steps message
+
+## Tasks
+- [x] 1. Fix Arch linux-patch-api.install - removed system user creation, root:root ownership, matches Debian
+- [x] 2. Fix Arch build-arch.sh - fixed $startdir path, added source=() array
+- [x] 3. Fix RPM linux-patch-api.spec - uncommented BuildRequires, added runtime deps, removed system user, root:root ownership
+- [x] 4. Fix Alpine linux-patch-api.apk-install - removed system user creation, root:root ownership, matches Debian
+- [x] 5. Fix Alpine build-alpine.sh - co-located install script with APKBUILD, used install -Dm commands
+- [ ] 6. Verify all platforms produce consistent results (needs CI run)
+
+## Changes Summary
+
+### Arch Linux
+- **configs/linux-patch-api.install**: Removed user/group creation, changed ownership to root:root, matches Debian preinst/postinst
+- **build-arch.sh**: Fixed PKGBUILD package() to use $startdir (not $srcdir), added source=() array
+
+### RPM (Fedora/RHEL/CentOS)
+- **linux-patch-api.spec**: Uncommented BuildRequires (cargo, rust, gcc, openssl-devel, systemd-devel, pkgconfig(systemd)), added runtime Requires (openssl-libs, ca-certificates), removed system user creation from %pre, changed ownership to root:root in %pre, matches Debian behavior in %post
+
+### Alpine Linux
+- **configs/linux-patch-api.apk-install**: Removed addgroup/adduser, changed ownership to root:root, matches Debian preinst/postinst
+- **build-alpine.sh**: Restructured to co-locate install script with APKBUILD in workspace directory, used install -Dm commands in package() function, fixed $startdir references

tasks/lessons.md

@@ -84,6 +84,24 @@
 **Rule:** E2E tests must assert status=completed for core operations. A failed package install is a 100% total failure of the API's core function.
 **Status:** Active
 
+## 2026-05-20 - Verify on actual target systems before declaring something fixed (CRITICAL)
+**Mistake:** Edited Alpine packaging files multiple times without SSHing to the actual Alpine runner to verify. Made assumptions about abuild install script format based on documentation/comments instead of checking the actual abuild source code on the target system.
+**Correction:** SSHed to Alpine runner, read abuild source code (lines 247-257), discovered that .apk-install is NOT a valid suffix. abuild expects SEPARATE files: pkgname.pre-install, .post-install, .pre-deinstall, .post-deinstall. The CI build used || true which masked the abuild failure, so APK was built WITHOUT install scripts silently.
+**Rule:** ALWAYS verify fixes on actual target systems before pushing. SSH to the runner, inspect the built artifact, test the install. Never assume a file edit is correct without runtime verification. Read the tool's source code when documentation is unclear.
+**Status:** Active
+
+## 2026-05-20 - Alpine abuild install script format requires separate files with valid suffixes
+**Mistake:** Used a single .apk-install file with function definitions (pre_install, post_install, etc.) for Alpine packaging. This is NOT a valid abuild format.
+**Correction:** Created 4 separate files: linux-patch-api.pre-install, .post-install, .pre-deinstall, .post-deinstall as standalone shell scripts. These are the ONLY valid suffixes abuild accepts (lines 247-257 of /usr/bin/abuild).
+**Rule:** Alpine abuild install scripts MUST be separate files with valid suffixes: pre-install, post-install, pre-upgrade, post-upgrade, pre-deinstall, post-deinstall. Do NOT use function definitions in a single file. Do NOT invent custom suffixes like .apk-install.
+**Status:** Active
+
+## 2026-05-20 - Ask for help with access blocks immediately (CRITICAL)
+**Mistake:** Spent many turns and significant compute time trying to work around not having root access on the Alpine runner (investigating doas.conf errors, trying alternative approaches) instead of simply asking Kelly to install sudo.
+**Correction:** Kelly installed sudo in seconds. The time and money I wasted on workarounds far exceeded the trivial effort of asking for help.
+**Rule:** When blocked by an access or permission issue, ASK KELLY IMMEDIATELY. Do not spend time on workarounds. A quick fix by Kelly is worth far more than hours of AI compute trying to bypass the block. My processing time costs real money.
+**Status:** Active
+
 ## 2026-05-03 - Systemd sandbox whack-a-mole pattern
 **Mistake:** Fixed systemd sandbox restrictions one at a time (ProtectSystem → NoNewPrivileges → RestrictSUIDSGID → CapabilityBoundingSet) instead of analyzing all restrictions at once.
 **Correction:** Removed ALL restrictive sandbox settings at once after understanding that package management requires full system access.

tests/integration/enrollment_test.rs

@@ -473,6 +473,21 @@ async fn test_registration_payload_structure() {
         os_obj.contains_key("distro") || os_obj.contains_key("kernel"),
         "os_details should contain distro or kernel information"
     );
+
+    // Verify hostname field (optional, may be present or absent)
+    // When present, it should be a non-empty string without dots (short hostname)
+    if let Some(hostname) = payload.get("hostname").and_then(|v| v.as_str()) {
+        assert!(
+            !hostname.is_empty(),
+            "hostname should not be empty when present"
+        );
+        assert!(
+            !hostname.contains('.'),
+            "hostname should be short form (no dots), got: {}",
+            hostname
+        );
+    }
+    // hostname field is optional — its absence is valid (skip_serializing_if = None)
 }
 
 // =============================================================================

tests/unit/enroll_identity.rs

@@ -4,7 +4,7 @@
 //! Verifies machine-id, FQDN, IP address collection, and OS detail parsing.
 
 use linux_patch_api::enroll::identity::{
-    get_fqdn, get_ip_addresses, get_machine_id, get_os_details, get_primary_ip,
+    get_fqdn, get_hostname, get_ip_addresses, get_machine_id, get_os_details, get_primary_ip,
     get_route_source_ip, is_container_bridge, is_link_local,
 };
 use linux_patch_api::enroll::EnrollmentRequest;
@@ -138,6 +138,97 @@ fn test_fqdn_reasonable_length() {
     );
 }
 
+// =============================================================================
+// Hostname Tests
+// =============================================================================
+
+#[test]
+fn test_hostname_returns_non_empty() {
+    let hostname = get_hostname().expect("Failed to get hostname");
+    assert!(!hostname.is_empty(), "Hostname should not be empty");
+}
+
+#[test]
+fn test_hostname_is_short_form() {
+    let hostname = get_hostname().expect("Failed to get hostname");
+    // Short hostname should NOT contain dots (that would be an FQDN)
+    assert!(
+        !hostname.contains('.'),
+        "Short hostname should not contain dots, got: {}",
+        hostname
+    );
+}
+
+#[test]
+fn test_hostname_is_consistent() {
+    let h1 = get_hostname().expect("Failed to get hostname (call 1)");
+    let h2 = get_hostname().expect("Failed to get hostname (call 2)");
+    assert_eq!(h1, h2, "Hostname should be consistent across calls");
+}
+
+#[test]
+fn test_hostname_is_subset_of_fqdn() {
+    let hostname = get_hostname().expect("Failed to get hostname");
+    let fqdn = get_fqdn().expect("Failed to get FQDN");
+    // If FQDN contains a dot, the short hostname should be the first component
+    if fqdn.contains('.') {
+        let fqdn_prefix = fqdn.split('.').next().unwrap_or(&fqdn);
+        assert_eq!(
+            hostname, fqdn_prefix,
+            "Short hostname '{}' should match FQDN prefix '{}'",
+            hostname, fqdn_prefix
+        );
+    }
+}
+
+#[test]
+fn test_hostname_valid_characters() {
+    let hostname = get_hostname().expect("Failed to get hostname");
+    for c in hostname.chars() {
+        assert!(
+            c.is_alphanumeric() || c == '-',
+            "Short hostname contains invalid character: {:?}",
+            c
+        );
+    }
+}
+
+#[test]
+fn test_enrollment_hostname_field_serializes() {
+    // Verify that hostname field serializes correctly when Some and when None
+    let request_with_hostname = EnrollmentRequest {
+        machine_id: "test-id".to_string(),
+        fqdn: "host.example.com".to_string(),
+        ip_address: "10.0.0.1".to_string(),
+        os_details: serde_json::json!({"name": "Test"}),
+        hostname: Some("host".to_string()),
+    };
+    let json_with =
+        serde_json::to_string(&request_with_hostname).expect("Should serialize with hostname");
+    assert!(
+        json_with.contains("\"hostname\""),
+        "hostname field should be present in JSON when Some"
+    );
+    assert!(
+        json_with.contains("\"host\""),
+        "hostname value should be 'host' in JSON"
+    );
+
+    let request_without_hostname = EnrollmentRequest {
+        machine_id: "test-id".to_string(),
+        fqdn: "host.example.com".to_string(),
+        ip_address: "10.0.0.1".to_string(),
+        os_details: serde_json::json!({"name": "Test"}),
+        hostname: None,
+    };
+    let json_without = serde_json::to_string(&request_without_hostname)
+        .expect("Should serialize without hostname");
+    assert!(
+        !json_without.contains("\"hostname\""),
+        "hostname field should be omitted from JSON when None (skip_serializing_if)"
+    );
+}
+
 // =============================================================================
 // IP Address Tests
 // =============================================================================
@@ -371,11 +462,14 @@ fn test_enrollment_payload_construction() {
         .cloned()
         .unwrap_or_else(|| "127.0.0.1".to_string());
 
+    let hostname = get_hostname().ok();
+
     let request = EnrollmentRequest {
         machine_id,
         fqdn,
         ip_address: primary_ip,
         os_details,
+        hostname,
     };
 
     // Verify payload serializes to valid JSON
@@ -412,11 +506,14 @@ fn test_enrollment_payload_matches_manager_schema() {
     let ip_addrs = get_ip_addresses().expect("Failed to get IP addresses");
     let os_details = get_os_details().expect("Failed to get OS details");
 
+    let hostname = get_hostname().ok();
+
     let request = EnrollmentRequest {
         machine_id: machine_id.clone(),
         fqdn: fqdn.clone(),
         ip_address: ip_addrs.first().cloned().unwrap_or_default(),
         os_details: os_details.clone(),
+        hostname,
     };
 
     // Validate against expected manager API schema
@@ -449,11 +546,14 @@ fn test_enrollment_payload_roundtrip() {
     let ip_addrs = get_ip_addresses().expect("Failed to get IP addresses");
     let os_details = get_os_details().expect("Failed to get OS details");
 
+    let hostname = get_hostname().ok();
+
     let request = EnrollmentRequest {
         machine_id,
         fqdn,
         ip_address: ip_addrs.first().cloned().unwrap_or_default(),
         os_details,
+        hostname,
     };
 
     // Serialize to JSON then deserialize back
@@ -464,6 +564,7 @@ fn test_enrollment_payload_roundtrip() {
     assert_eq!(request.machine_id, deserialized.machine_id);
     assert_eq!(request.fqdn, deserialized.fqdn);
     assert_eq!(request.ip_address, deserialized.ip_address);
+    assert_eq!(request.hostname, deserialized.hostname);
 }
 
 // =============================================================================
@@ -507,6 +608,10 @@ fn test_identity_functions_do_not_panic() {
         let _ = get_fqdn();
     });
 
+    let _ = std::panic::catch_unwind(|| {
+        let _ = get_hostname();
+    });
+
     let _ = std::panic::catch_unwind(|| {
         let _ = get_ip_addresses();
     });