feat: Add .deb packaging for Ubuntu 24.04 release

- debian/control: Package metadata with dependencies
- debian/postinst: Service user, dirs, JWT key gen, config, cron setup
- debian/prerm: Graceful service stop before upgrade
- debian/postrm: Purge cleanup (user, data, config, cron)
- debian/changelog: 1.0.0-1 initial release
- debian/install: File manifest
- scripts/build-package.sh: Full build pipeline (cargo release, frontend, dpkg-deb)
- .gitignore: Exclude *.deb and package-build/

debian/changelog

@@ -0,0 +1,8 @@
+linux-patch-manager (1.0.0-1) noble; urgency=medium
+
+  * Initial release of Linux Patch Manager
+  * Full M1-M12 feature set implemented
+  * MFA, RBAC, mTLS, CA, reporting, audit integrity
+  * HIPAA/PCI-DSS compliance mapping documented
+
+ -- Echo <echo@moon-dragon.us>  Thu, 24 Apr 2026 00:00:00 +0000

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,26 @@
+Package: linux-patch-manager
+Version: 1.0.0-1
+Architecture: amd64
+Maintainer: Moon Dragon <echo@moon-dragon.us>
+Installed-Size: 45000
+Depends: postgresql-16, libssl3, libc6 (>= 2.39)
+Recommends: postgresql-client-16
+Suggests: gpg
+Section: admin
+Priority: optional
+Description: Enterprise Linux Patch Management System
+ Linux Patch Manager is a secure, web-based management interface for
+ controlling patching and updates on Linux servers and workstations.
+ .
+ Features include:
+  - Multi-factor authentication (TOTP + WebAuthn)
+  - Role-based access control (Admin/Operator)
+  - Mutual TLS agent communication
+  - Internal Certificate Authority
+  - Automated patch deployment with rollback
+  - Maintenance window scheduling
+  - Real-time WebSocket job monitoring
+  - CSV/PDF compliance reporting
+  - Audit logging with hash-chain integrity
+  - Email notifications
+  - Azure SSO (OAuth2/OIDC with PKCE)

debian/install

@@ -0,0 +1,9 @@
+usr/local/bin/pm-web
+usr/local/bin/pm-worker
+usr/local/bin/backup.sh
+usr/share/patch-manager/frontend/*
+usr/share/patch-manager/config.example.toml
+usr/share/patch-manager/migrations/*
+lib/systemd/system/patch-manager-web.service
+lib/systemd/system/patch-manager-worker.service
+lib/systemd/system/patch-manager.target

debian/postinst

@@ -0,0 +1,80 @@
+#!/bin/bash
+set -e
+
+# =============================================================================
+# Linux Patch Manager — Post-install script
+# =============================================================================
+
+case "$1" in
+    configure)
+        # Create service user if not exists
+        if ! id patch-manager &>/dev/null; then
+            useradd --system --no-create-home --shell /usr/sbin/nologin \
+                --comment "Linux Patch Manager service account" patch-manager
+        fi
+
+        # Create required directories
+        mkdir -p /etc/patch-manager/ca /etc/patch-manager/certs \
+                 /etc/patch-manager/jwt /etc/patch-manager/tls \
+                 /var/log/patch-manager /opt/patch-manager \
+                 /var/backups/patch-manager
+
+        chown -R patch-manager:patch-manager \
+            /etc/patch-manager /var/log/patch-manager \
+            /opt/patch-manager /usr/share/patch-manager/frontend
+
+        chmod 750 /etc/patch-manager/ca /etc/patch-manager/jwt
+        chmod 700 /var/backups/patch-manager
+
+        # Generate JWT signing key if not present
+        if [[ ! -f /etc/patch-manager/jwt/signing.pem ]]; then
+            openssl genpkey -algorithm ed25519 -out /etc/patch-manager/jwt/signing.pem 2>/dev/null
+            openssl pkey -in /etc/patch-manager/jwt/signing.pem -pubout -out /etc/patch-manager/jwt/verify.pem 2>/dev/null
+            chown patch-manager:patch-manager /etc/patch-manager/jwt/signing.pem /etc/patch-manager/jwt/verify.pem
+            chmod 600 /etc/patch-manager/jwt/signing.pem
+            chmod 644 /etc/patch-manager/jwt/verify.pem
+        fi
+
+        # Write default config if not present
+        if [[ ! -f /etc/patch-manager/config.toml ]]; then
+            cp /usr/share/patch-manager/config.example.toml /etc/patch-manager/config.toml
+            chown patch-manager:patch-manager /etc/patch-manager/config.toml
+            chmod 640 /etc/patch-manager/config.toml
+        fi
+
+        # Install backup cron if not present
+        if ! crontab -l 2>/dev/null | grep -qF "backup.sh"; then
+            (crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/backup.sh >> /var/log/patch-manager/backup.log 2>&1") | crontab -
+        fi
+
+        # Reload systemd
+        systemctl daemon-reload
+
+        echo ""
+        echo "Linux Patch Manager installed successfully!"
+        echo "==========================================="
+        echo ""
+        echo "Next steps:"
+        echo "  1. Install and configure PostgreSQL:"
+        echo "       apt install postgresql-16"
+        echo "  2. Create the database:"
+        echo "       sudo -u postgres createdb -O patch_manager patch_manager"
+        echo "  3. Edit /etc/patch-manager/config.toml with your database URL"
+        echo "  4. Enable and start services:"
+        echo "       systemctl enable --now patch-manager.target"
+        echo "  5. Access the web UI at https://localhost"
+        echo "     Default admin credentials are set via the seed migration."
+        echo ""
+        echo "IMPORTANT: Change the default admin password immediately after first login!"
+        echo ""
+        ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+        ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        ;;
+esac
+
+exit 0

debian/postrm

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -e
+
+case "$1" in
+    purge)
+        # Remove service user (only if purge)
+        if id patch-manager &>/dev/null; then
+            userdel patch-manager 2>/dev/null || true
+        fi
+
+        # Remove runtime data
+        rm -rf /var/log/patch-manager
+        rm -rf /opt/patch-manager
+        rm -rf /var/backups/patch-manager
+
+        # Remove configuration and keys (purge only)
+        rm -rf /etc/patch-manager
+
+        # Remove backup cron
+        crontab -l 2>/dev/null | grep -vF "backup.sh" | crontab - 2>/dev/null || true
+
+        # Reload systemd
+        systemctl daemon-reload
+        ;;
+
+    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+        # On remove (not purge), keep config and keys
+        systemctl daemon-reload 2>/dev/null || true
+        ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        ;;
+esac
+
+exit 0

debian/prerm

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+case "$1" in
+    remove|upgrade|deconfigure)
+        # Stop services gracefully
+        if systemctl is-active --quiet patch-manager.target 2>/dev/null; then
+            systemctl stop patch-manager.target 2>/dev/null || true
+        fi
+        ;;
+
+    failed-upgrade)
+        ;;
+
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        ;;
+esac
+
+exit 0