fix(packaging): make .deb install and upgrade actually work end-to-end

- Generate internal CA + CA-signed web TLS cert in postinst (port 443 was falling back to plain HTTP because no cert files existed) - Repair stale sqlx migration checksums for upgrades from <= 1.1.7 - Restore health check as advisory only (never fails the install) - Use runuser instead of sudo (sudo is not guaranteed on minimal images) - Replace predictable /tmp password file with mktemp under /run - Frontend assets root-owned read-only (security) - Drop Pre-Depends: postgresql-16 (misuse); drop argon2 dep (unused) - Add openssl, curl, cron, util-linux as proper dependencies
2026-06-10 09:16:51 -05:00
7 changed files with 4 additions and 56 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -12,7 +12,7 @@ members = [
 ]

 [workspace.package]
-version = "1.1.14"
+version = "1.1.13"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 license = "MIT"
--- a/debian/changelog
+++ b/debian/changelog
@ -1,9 +1,3 @@
-linux-patch-manager (1.1.14-1) unstable; urgency=low
-
-  * Release v1.1.14
-
- -- git-echo <git-echo@moon-dragon.us>  Wed, 10 Jun 2026 10:02:44 -0500
-
 linux-patch-manager (1.1.13-1) unstable; urgency=low

  * Release v1.1.13
--- a/debian/control
+++ b/debian/control
@ -1,5 +1,5 @@
 Package: linux-patch-manager
-Version: 1.1.14-1
+Version: 1.1.13-1
 Architecture: amd64
 Maintainer: Moon Dragon <echo@moon-dragon.us>
 Installed-Size: 45000
--- a/debian/postinst
+++ b/debian/postinst
@ -277,8 +277,6 @@ generate_tls_certs() {
    if [[ ! -f "${ca_cert}" ]]; then
        info "Generating internal Certificate Authority (ECDSA P-256, 10-year validity)..."
        openssl ecparam -genkey -name prime256v1 -noout -out "${ca_key}"
-        # Convert SEC1 → PKCS#8 (the Rust pm-ca crate only parses PKCS#8).
-        openssl pkcs8 -topk8 -nocrypt -in "${ca_key}" -out "${ca_key}.tmp" && mv "${ca_key}.tmp" "${ca_key}"
        openssl req -new -x509 -key "${ca_key}" -out "${ca_cert}" \
            -days 3650 \
            -subj "/CN=Patch Manager Root CA/O=Patch Manager" \
--- a/frontend/package.json
+++ b/frontend/package.json
@ -1,7 +1,7 @@
 {
  "name": "patch-manager-ui",
  "private": true,
-  "version": "1.1.14",
+  "version": "1.1.13",
  "type": "module",
  "scripts": {
    "dev": "vite",
--- a/scripts/build-package.sh
+++ b/scripts/build-package.sh
@ -22,7 +22,7 @@ warn()  { echo -e "${YELLOW}[WARN]${NC}  $*"; }
 error() { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }

 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-VERSION="1.1.14"
+VERSION="1.1.13"
 RELEASE="1"
 PKG_NAME="linux-patch-manager"
 DEB_NAME="${PKG_NAME}_${VERSION}-${RELEASE}_amd64.deb"
--- a/tasks/roadmap.md
+++ b/tasks/roadmap.md
@ -1,44 +0,0 @@
-# Linux Patch Manager — Roadmap
-
-Future work items for the Linux Patch Manager project. Items here are candidates
-for future PRs — promote them to GitHub/Gitea issues when ready to work them.
-
---
-
-## How to use this file
-
- **Add items** under the appropriate section (or create a new section).
- **Reference issues/PRs** when known: `(#NN)` at the end of the line.
- **Promote to issues** when ready to start work — link the issue back to this file.
- **Mark completed items** with `~~strikethrough~~` and the PR/issue that closed them.
- **Don't delete completed items** — keep the audit trail.
-
---
-
-## Packaging & Install
-
-_(empty — add items here)_
-
-## CI/CD
-
-_(empty — add items here)_
-
-## Security
-
-_(empty — add items here)_
-
-## Infrastructure
-
-_(empty — add items here)_
-
-## Documentation
-
-_(empty — add items here)_
-
-## Refactoring
-
-_(empty — add items here)_
-
---
-
-_Last updated: 2026-06-10 — created `tasks/roadmap.md`_