diff --git a/.github/workflows/debian_package_kanidm.yml b/.github/workflows/debian_package_kanidm.yml
deleted file mode 100644
index 30b02900f..000000000
--- a/.github/workflows/debian_package_kanidm.yml
+++ /dev/null
@@ -1,85 +0,0 @@ ---- -name: "Build Deb Packages" - -"on": - push: - pull_request: - -env: - SCCACHE_GHA_ENABLED: "true" - RUSTC_WRAPPER: "sccache" - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true -jobs: - build-deb-package: - name: Build deb packages - strategy: - matrix: - image: - - name: ubuntu - version: 22.04 - - name: debian - version: 12 - fail-fast: false - runs-on: ubuntu-latest - container: - image: "${{ matrix.image.name }}:${{ matrix.image.version }}" - env: - DEBIAN_FRONTEND: noninteractive - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: install curl - run: | - apt-get update && apt-get install -y curl - - name: Setup sccache - uses: mozilla-actions/sccache-action@v0.0.5 - with: - version: "v0.4.2" - - name: Install Rust - uses: dtolnay/rust-toolchain@stable - - name: Install dependencies - run: | - scripts/install_ubuntu_dependencies.sh - - name: Install wasm-pack - run: cargo install wasm-pack - - name: Build packages (kanidm-unixd) - run: make -f platform/debian/Makefile debs/kanidm-unixd - - name: Build packages (kanidm) - run: make -f platform/debian/Makefile debs/kanidm - - - name: Upload debs - uses: actions/upload-artifact@v4 - with: - name: "${{ matrix.image.name }}${{ matrix.image.version }}" - path: | - target/*.deb - upload-to-releases: - permissions: - # https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs - contents: write # allows the action to create a release - - name: Upload to releases - needs: build-deb-package - runs-on: ubuntu-latest - steps: - - name: Download previously built debs - uses: actions/download-artifact@v4 - with: - path: debs - merge-multiple: true - - name: List packages - run: | - find $(pwd) -name '*.deb' - # TODO: This action is old and falling apart and will soon stop working. 
- # Context: https://github.com/marvinpinto/action-automatic-releases/pull/2 - - uses: "marvinpinto/action-automatic-releases@latest" - with: - repo_token: "${{ secrets.GITHUB_TOKEN }}" - automatic_release_tag: "debs" - prerelease: true - title: ".deb Packages" - files: "debs/*.deb" - if: ${{ github.ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' }} diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 000000000..137eadc65 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "platform/debian/kanidm_ppa_automation"] + path = platform/debian/kanidm_ppa_automation + url = https://github.com/kanidm/kanidm_ppa_automation diff --git a/book/src/integrations/pam_and_nsswitch.md b/book/src/integrations/pam_and_nsswitch.md index aa7621210..930feb66f 100644 --- a/book/src/integrations/pam_and_nsswitch.md +++ b/book/src/integrations/pam_and_nsswitch.md @@ -140,6 +140,4 @@ Documentation examples for the following Linux distributions are available: - [SUSE / OpenSUSE](pam_and_nsswitch/suse.md) - [Fedora](pam_and_nsswitch/fedora.md) -- Debian / Ubuntu - when one generates packages - [from the repository tools](https://github.com/kanidm/kanidm/tree/master/platform/debian), - configuration is modified on install. +- Debian / Ubuntu - Installed with the packages from [kanidm/kanidm_ppa](https://kanidm.github.io/kanidm_ppa/). diff --git a/book/src/packaging/debian_ubuntu_packaging.md b/book/src/packaging/debian_ubuntu_packaging.md index fdeb53f6c..b5ef68203 100644 --- a/book/src/packaging/debian_ubuntu_packaging.md +++ b/book/src/packaging/debian_ubuntu_packaging.md 
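Review bot: Nothing in the new `.gitmodules` entry tells a reviewer that `platform/debian/kanidm_ppa_automation` carries the scripts executed during package builds, so a later pointer bump can pass as a harmless one-line SHA change. The gitlink commit is the only thing pinning that tooling, and a comment above the stanza would make that visible, e.g. `# Packaging build scripts: review submodule pointer bumps as code changes`. Separately, the submodule is not initialised on a fresh clone, so the book's `git submodule update platform/debian/kanidm_ppa_automation` step in this commit likely needs `--init` to fetch anything.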
@@ -2,40 +2,86 @@ ## Building packages -This happens in Docker currently, and here's some instructions for doing it for Ubuntu: +- Debian packaging is complex enough that it lives in a separate repository: +[kanidm/kanidm_ppa_automation](https://github.com/kanidm/kanidm_ppa_automation). +- While official packages are available at https://kanidm.github.io/kanidm_ppa/ these instructions will guide you +through replicating the same process locally, using [cross](https://github.com/cross-rs/cross) & Docker to isolate the build process +from your normal computer and allow building packages for multiple architectures. +- While the examples below will use `aarch64-unknown-linux-gnu` aka `arm64`, +the same process works for `x86_64-unknown-linux-gnu` aka `amd64` as well. -1. Start in the root directory of the repository. -2. Run `./platform/debian/ubuntu_docker_builder.sh` This'll start a container, mounting the - repository in `~/kanidm/` and installing dependencies via - `./scripts/install_ubuntu_dependencies.sh`. -3. Building packages uses make, get a list by running `make -f ./platform/debian/Makefile help` -4. So if you wanted to build the package for the Kanidm CLI, run - `make -f ./platform/debian/Makefile debs/kanidm`. -5. The package will be copied into the `target` directory of the repository on the docker host - not - just in the container. +1. Start in the root directory of the main [kanidm/kanidm](https://github.com/kanidm/kanidm) repository. +1. Install cross: + ```shell + cargo install cross + ``` +1. Pull in the separate deb packaging submodule: + ```shell + git submodule update platform/debian/kanidm_ppa_automation + ``` +1. Launch your desired crossbuild target. Do note the script assumes you use rustup! 
+ ```shell + # See valid targets: + platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh + # Launch a target: + platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh debian-12-aarch64-unknown-linux-gnu + # You can also specify multiple targets within the same distribution: + platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh debian-12-{aarch64,x86_64}-unknown-linux-gnu + ``` +1. Go get a drink of your choice while the build completes. +1. Create a sacrificial deb builder container to avoid changing your own system: + ```shell + docker run --rm -it -e CI=true \ + --mount "type=bind,src=$PWD,target=/src" \ + --workdir /src \ + rust:bookworm + ``` +1. In the container install dependencies with: + ```shell + # The parameter given is which additional target debian architecture to enable (amd64, arm64, etc.) + # If your native platform is amd64, running with arm64 is enough to cover both archs. + platform/debian/kanidm_ppa_automation/scripts/install_ci_build_dependencies.sh arm64 + ``` +1. In the container launch the deb build: + ```shell + platform/debian/kanidm_ppa_automation/scripts/build_debs.sh aarch64-unknown-linux-gnu + # Again, multiple targets also work: + platform/debian/kanidm_ppa_automation/scripts/build_debs.sh {aarch64,x86_64}-unknown-linux-gnu + ``` +1. You can now exit the container, the package paths displayed at the end under `target` will + persist. -## Adding a package +## Adding or amending a deb package +The rough overview of steps is: +1. Add cargo-deb specific metadata to the rust package and any static assets. Submit your changes as + a PR. +2. Add build instructions to the separate packaging repo. Submit your changes as a PR. +3. Go back to the main repo to update the packaging submodule reference to aid running manual dev + builds of the new package. 
-There's a set of default configuration files in `packaging/`; if you want to add a package -definition, add a folder with the package name and then files in there will be copied over the top -of the ones from `packaging/` on build. +In theory steps 1 & 3 could be done in one PR, but this way is simpler. -You'll need two custom files at minimum: +### Configuration in the main repo +- The repo is: [kanidm/kanidm](https://github.com/kanidm/kanidm) +- Packages are primarily based on their package specific `Cargo.toml` definition read by `cargo-deb`. For +an example, see `unix_integration/resolver/Cargo.toml` +- A package specific `debian` folder is used for static assets. See: `unix_integration/resolver/debian` for an example. +- The debian folder may house needed `postinst`, `prerm` etc hook definitions. They must include the `#DEBHELPER#` comment after any custom actions. +- The package debian folder is also used for any systemd unit files. The file naming pattern is very specific, refer to `cargo-deb` documentation for details. -- `control` - a file containing information about the package. -- `rules` - a makefile doing all the build steps. - -There's a lot of other files that can go into a .deb, some handy ones are: - -| Filename | What it does | -| -------- | ------------------------------------------------------------------------ | -| preinst | Runs before installation occurs | -| postrm | Runs after removal happens | -| prerm | Runs before removal happens - handy to shut down services. | -| postinst | Runs after installation occurs - we're using that to show notes to users | - -## Some Debian packaging links - -- [DH reference](https://www.debian.org/doc/manuals/maint-guide/dreq.en.html) - Explains what needs - to be done for packaging (mostly). 
-- [Reference for what goes in control files](https://www.debian.org/doc/debian-policy/ch-controlfields) +### Configuration in the kanidm_ppa_automation repo +- The repo is: [kanidm/kanidm_ppa_automation](https://github.com/kanidm/kanidm_ppa_automation) +- Changes are needed if a new binary and/or package is added, or if build time dependencies change. +- Amend `scripts/crossbuild.sh` build rules to include new binaries or packages with shared +libraries. Search for the lines starting with `cross build`. +- Add any new build time system dependencies to `scripts/install_ci_build_dependencies.sh`, be aware + of any difference in package names between Debian & Ubuntu. +- Add any new packages to `scripts/build_debs.sh`, search for the line starting with `for package in`. +- Finally, once your changes have been approved go back to the main `kanidm/kanidm` repo and update the submodule reference and PR the reference update. This is not needed for official builds but helps anyone doing dev builds themselves: + ```shell + cd platform/debian/kanidm_ppa_automation + git pull + cd - + git add platform/debian/kanidm_ppa_automation + git commit -m "Update kanidm_ppa_automation reference to latest" + ``` diff --git a/book/src/packaging/ppa_packages.md b/book/src/packaging/ppa_packages.md index 02e72eaf4..16a7d37cf 100644 --- a/book/src/packaging/ppa_packages.md +++ b/book/src/packaging/ppa_packages.md 
@@ -1,11 +1,12 @@ # PPA Packages -This pulls the packages from the Kanidm -[debs releases](https://github.com/kanidm/kanidm/releases/tag/debs) and makes a package archive for -“nightly” packages. Packages are distributed for the latest LTS versions, Ubuntu 22.04 & Debian 12. +- This builds packages from the [main Kanidm repository](https://github.com/kanidm/kanidm) and makes a package archive for “nightly” packages. +Stable packages are intended to be introduced soon which will require repeating updated instructions +here. +- Packages are distributed for the latest LTS versions, Ubuntu 22.04 & Debian 12. -Please note that while the commands below should also work on other Ubuntu-based distributions, we -cannot ensure their compatibility with PPA. Pop OS, for example, would require an altered setup in +- Please note that while the commands below should also work on other Ubuntu-based distributions, we +cannot ensure their compatibility. Pop OS, for example, would require an altered setup in line with their [instructions](https://support.system76.com/articles/ppa-third-party/). ## Adding it to your system @@ -46,8 +47,8 @@ sudo apt update ## Listing Packages -Use `apt-cache` to list the packages available: +Use `apt search` to list the packages available: ```bash -apt-cache search kanidm +apt search kanidm ``` diff --git a/examples/kanidm-safe-default b/examples/kanidm-safe-default new file mode 100644 index 000000000..9a06b5c14 --- /dev/null +++ b/examples/kanidm-safe-default @@ -0,0 +1,7 @@ +## Kanidm minimal Service Configuration - /etc/kanidm/config +# For a full example and documentation, see /usr/share/kanidm/kanidm +# or `example/kanidm` in the source repository. + +# Replace this with your kanidmd URI and uncomment the line +#uri = "https://idm.example.com" +verify_ca = true diff --git a/examples/unixd-safe-default b/examples/unixd-safe-default new file mode 100644 index 000000000..b231f4cd1 --- /dev/null +++ b/examples/unixd-safe-default 
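Review bot: The header comment in `examples/kanidm-safe-default` sends readers to `example/kanidm` in the source repository, but the directory is `examples/`, so it should read `examples/kanidm`. The same slip appears in `examples/unixd-safe-default` as `example/unixd`. Since this file is meant to be the installed /etc/kanidm/config, the explicit `verify_ca = true` also deserves a short why-comment so it is not switched off casually, e.g. `# Keep TLS CA verification enabled; disable only for local testing`.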
@@ -0,0 +1,17 @@ +## Kanidm Unixd minimal Service Configuration - /etc/kanidm/unixd +# For a full example and documentation, see /usr/share/kanidm-unixd/unixd +# or `example/unixd` in the source repository. + +version = '2' + +# default_shell = "/bin/sh" + +# home_attr = "uuid" +# home_alias = "spn" +# use_etc_skel = false + + +# Defines a set of POSIX groups where membership of any of these groups +# will be allowed to login via PAM. +# Replace your group below and uncomment this line: +#pam_allowed_login_groups = ["your_posix_login_group"] diff --git a/platform/crossbuild/README.md b/platform/crossbuild/README.md deleted file mode 100644 index 4be5da457..000000000 --- a/platform/crossbuild/README.md +++ /dev/null @@ -1,39 +0,0 @@ -# Cross-building things using cargo cross - -Here be dragons. - -1. Get a drink. You'l need it. -2. Install [cargo-cross](https://github.com/cross-rs/cross) -3. Drink the drink. - -## Building Ubuntu 20.04 things - -Make sure you're including `--release` because reasons. - -```shell -CROSS_CONFIG=platform/crossbuild/ubuntu-20.04/Cross.toml \ - cross build --target aarch64-unknown-linux-gnu \ - --bin kanidm_unixd \ - --bin kanidm_unixd_tasks \ - --bin kanidm_ssh_authorizedkeys \ - --bin kanidm-unix \ - --release -``` - -Things will end up in `./target/aarch64-unknown-linux-gnu/release/` - -## Building Ubuntu 22.04 things - -Make sure you're including `--release` because reasons. - -```shell -CROSS_CONFIG=platform/crossbuild/ubuntu-22.04/Cross.toml \ - cross build --target aarch64-unknown-linux-gnu \ - --bin kanidm_unixd \ - --bin kanidm_unixd_tasks \ - --bin kanidm_ssh_authorizedkeys \ - --bin kanidm-unix \ - --release -``` - -Things will end up in `./target/aarch64-unknown-linux-gnu/release/` diff --git a/platform/crossbuild/build.sh b/platform/crossbuild/build.sh deleted file mode 100755 index 38f686fb8..000000000 --- a/platform/crossbuild/build.sh +++ /dev/null 
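Review bot: `pam_allowed_login_groups` ships commented out in `examples/unixd-safe-default`, and the comment above it does not say what happens to PAM logins while it stays unset. An admin installing the package needs to know whether the default is deny-all or allow-all. If unset means no Kanidm account may log in, which is what a safe default would presumably do, say so with a line such as `# Until this is set, no Kanidm accounts are allowed to log in via PAM.` Confirm the actual behaviour against unixd before adding that line.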
@@ -1,49 +0,0 @@ -#!/bin/bash - -set -e - -if [ -z "$1" ]; then - echo "Usage: $0 target_os" - if [ -d ./platform ]; then - echo "Options:" - find platform/crossbuild -type d -maxdepth 1 -mindepth 1 | awk -F'/' '{print $NF}' | sort - fi - exit 1 -fi - -if [ ! -d "platform/crossbuild/$1" ]; then - echo "Could not find platform/crossbuild/$1" - exit 1 -fi - -TARGET_DIR="./target/$1" - -echo "Recreating then building to ${TARGET_DIR}" -rm -rf "${TARGET_DIR}" -mkdir -p "${TARGET_DIR}" - -CROSS_CONFIG="platform/crossbuild/${1}/Cross.toml" \ - cross build --target aarch64-unknown-linux-gnu \ - --bin kanidm_unixd \ - --bin kanidm_unixd_tasks \ - --bin kanidm_ssh_authorizedkeys \ - --bin kanidm-unix \ - --release -CROSS_CONFIG="platform/crossbuild/${1}/Cross.toml" \ - cross build --target aarch64-unknown-linux-gnu \ - -p pam_kanidm \ - -p nss_kanidm \ - --release - -find "./target/aarch64-unknown-linux-gnu/release/" -maxdepth 1 \ - -type f -not -name '*.d' \ - -name 'kanidm*' \ - -exec mv "{}" "${TARGET_DIR}/" \; - -find "./target/aarch64-unknown-linux-gnu/release/" -maxdepth 1 \ - -name '*kanidm*.so' \ - -exec mv "{}" "${TARGET_DIR}/" \; -# find "${TARGET_DIR}" -name '*.d' -delete - -echo "Contents of ${TARGET_DIR}" -find "${TARGET_DIR}" -type f diff --git a/platform/crossbuild/ubuntu-20.04/Cross.toml b/platform/crossbuild/ubuntu-20.04/Cross.toml deleted file mode 100644 index b0e37ef65..000000000 --- a/platform/crossbuild/ubuntu-20.04/Cross.toml +++ /dev/null 
@@ -1,18 +0,0 @@ -[build.env] - - -[target.aarch64-unknown-linux-gnu] -dockerfile = "platform/crossbuild/ubuntu-20.04/Dockerfile" -pre-build = [ - "TZ=UTC ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone", - - "apt-get update && apt-get install --assume-yes libssl-dev build-essential", - - # "sed 's/^deb http/deb [arch=amd64] http/' -i '/etc/apt/sources.list'", - # "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy main restricted universe multiverse' >> /etc/apt/sources.list", - # "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy-updates main restricted universe multiverse' >> /etc/apt/sources.list", - # "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy-backports main restricted universe multiverse' >> /etc/apt/sources.list",do - - "dpkg --add-architecture $CROSS_DEB_ARCH", - "apt-get update && apt-get install --assume-yes libssl-dev:$CROSS_DEB_ARCH libpam0g-dev:$CROSS_DEB_ARCH libudev-dev:$CROSS_DEB_ARCH pkg-config:$CROSS_DEB_ARCH", -] diff --git a/platform/crossbuild/ubuntu-20.04/Dockerfile b/platform/crossbuild/ubuntu-20.04/Dockerfile deleted file mode 100644 index f70d7910d..000000000 --- a/platform/crossbuild/ubuntu-20.04/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM ubuntu:20.04 -ARG DEBIAN_FRONTEND=noninteractive - -RUN apt-get update && apt-get install --assume-yes --no-install-recommends \ - g++-aarch64-linux-gnu \ - libc6-dev-arm64-cross - -ENV CROSS_TOOLCHAIN_PREFIX=aarch64-linux-gnu- -ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER="$CROSS_TOOLCHAIN_PREFIX"gcc \ - AR_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"ar \ - CC_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"gcc \ - CXX_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"g++ \ - RUST_TEST_THREADS=1 \ - PKG_CONFIG_PATH="/usr/lib/aarch64-linux-gnu/pkgconfig/:${PKG_CONFIG_PATH}" \ No newline at end of file 
diff --git a/platform/crossbuild/ubuntu-22.04/Cross.toml b/platform/crossbuild/ubuntu-22.04/Cross.toml deleted file mode 100644 index 8fa52cbab..000000000 --- a/platform/crossbuild/ubuntu-22.04/Cross.toml +++ /dev/null @@ -1,17 +0,0 @@ -[build.env] - -[target.aarch64-unknown-linux-gnu] -dockerfile = "platform/crossbuild/ubuntu-22.04/Dockerfile" -pre-build = [ - "TZ=UTC ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone", - - "apt-get update && apt-get install --assume-yes rsync libssl-dev build-essential", - - "sed 's/^deb http/deb [arch=amd64] http/' -i '/etc/apt/sources.list'", - "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy main restricted universe multiverse' >> /etc/apt/sources.list", - "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy-updates main restricted universe multiverse' >> /etc/apt/sources.list", - "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy-backports main restricted universe multiverse' >> /etc/apt/sources.list", - - "dpkg --add-architecture $CROSS_DEB_ARCH", - "apt-get update && apt-get install --assume-yes libssl-dev:$CROSS_DEB_ARCH libpam0g-dev:$CROSS_DEB_ARCH libudev-dev:$CROSS_DEB_ARCH pkg-config:$CROSS_DEB_ARCH", -] diff --git a/platform/crossbuild/ubuntu-22.04/Dockerfile b/platform/crossbuild/ubuntu-22.04/Dockerfile deleted file mode 100644 index a8079f894..000000000 --- a/platform/crossbuild/ubuntu-22.04/Dockerfile +++ /dev/null 
@@ -1,14 +0,0 @@ -FROM ubuntu:22.04 -ARG DEBIAN_FRONTEND=noninteractive - -RUN apt-get update && apt-get install --assume-yes --no-install-recommends \ - g++-aarch64-linux-gnu \ - libc6-dev-arm64-cross - -ENV CROSS_TOOLCHAIN_PREFIX=aarch64-linux-gnu- -ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER="$CROSS_TOOLCHAIN_PREFIX"gcc \ - AR_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"ar \ - CC_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"gcc \ - CXX_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"g++ \ - RUST_TEST_THREADS=1 \ - PKG_CONFIG_PATH="/usr/lib/aarch64-linux-gnu/pkgconfig/:${PKG_CONFIG_PATH}" \ No newline at end of file diff --git a/platform/debian/Makefile b/platform/debian/Makefile deleted file mode 100644 index f124b5964..000000000 --- a/platform/debian/Makefile +++ /dev/null @@ -1,27 +0,0 @@ -ARCH ?= $(shell dpkg --print-architecture) - - -.DEFAULT: help - -.PHONY: help -help: - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/\\$$//' | sed -e 's/##/\n\t/' - -.PHONY: debs/kanidm -debs/kanidm: ## Build the Kanidm CLI package - make sure you set the environment variable KANIDM_BUILD_PROFILE -debs/kanidm: - ARCH=$(ARCH) bash ./platform/debian/build_kanidm.sh kanidm - -.PHONY: debs/kanidmd -debs/kanidmd: ## Build the Kanidmd package - make sure you set the environment variable KANIDM_BUILD_PROFILE -debs/kanidmd: - ARCH=$(ARCH) bash ./platform/debian/build_kanidm.sh kanidmd - -.PHONY: debs/kanidm-unixd -debs/kanidm-unixd: ## Build the Kanidm UNIX tools package (PAM/NSS, unixd and related tools) - make sure you set the environment variable KANIDM_BUILD_PROFILE -debs/kanidm-unixd: - ARCH=$(ARCH) bash ./platform/debian/build_kanidm.sh kanidm-unixd - -.PHONY: debs/all -debs/all: ## Build all the .deb packages - make sure you set the environment variable KANIDM_BUILD_PROFILE -debs/all: debs/kanidmd debs/kanidm debs/kanidm-unixd 
diff --git a/platform/debian/README.md b/platform/debian/README.md new file mode 100644 index 000000000..d4c2678cc --- /dev/null +++ b/platform/debian/README.md @@ -0,0 +1,2 @@ +Debian packaging has moved to its own repo, see https://github.com/kanidm/kanidm_ppa_automation. +The separate repo is however included here as a git submodule to facilitate ad-hoc dev builds. See the relevant [Kanidm Book chapter](https://kanidm.github.io/kanidm/stable/packaging/debian_ubuntu_packaging.html) for more detailed instructions. diff --git a/platform/debian/build_kanidm.sh b/platform/debian/build_kanidm.sh deleted file mode 100755 index 8e0ae9d4c..000000000 --- a/platform/debian/build_kanidm.sh +++ /dev/null 
@@ -1,149 +0,0 @@ -#!/usr/bin/bash - -# you can skip the dependency install by setting the env var SKIP_DEPS=1 - -set -e - -if [ -z "${ARCH}" ]; then - ARCH="$(dpkg --print-architecture)" -fi - -if [[ "${ARCH}" != "$(dpkg --print-architecture)" ]]; then - echo "${ARCH} != $(dpkg --print-architecture), cross-compiling!" - export PKG_CONFIG_ALLOW_CROSS=1 -else - echo "Building for ${ARCH}" -fi - - -if [ -z "$1" ]; then - PACKAGE="kanidm" -else - PACKAGE="$1" -fi - -if [ ! -d "./platform/debian/${PACKAGE}" ]; then - echo "Can't find packaging files for ${PACKAGE}" - exit 1 -fi - -echo "Building ${PACKAGE}" - - -SOURCE_DIR="$(cargo metadata --format-version 1 | jq -r .workspace_root)" - -echo "Source dir ${SOURCE_DIR}" - -if [ ! -d "${SOURCE_DIR}" ]; then - echo "Can't find source dir ${SOURCE_DIR}!" - exit 1 -fi - -BUILD_DIR="$(mktemp -d)" - -if [ -z "${SKIP_DEPS}" ]; then - PACKAGING=1 ./scripts/install_ubuntu_dependencies.sh -else - echo "SKIP_DEPS configured, skipping install of rust and packages" -fi - -if [ -f "${HOME}/.cargo/env" ]; then - # shellcheck disable=SC1091 - source "${HOME}/.cargo/env" -else - echo "Couldn't find cargo env in ${HOME}/.cargo/env that seems weird?" -fi - -# if we can't find cargo then need to update the path -if [ "$(which cargo | wc -l)" -eq 0 ]; then - if echo "$PATH" | grep -q '.cargo/bin'; then - echo "Updating path to include local cargo dir" - export PATH="$HOME/.cargo/bin:$PATH" - if [ "$(which cargo | wc -l)" -eq 0 ]; then - echo "Still couldn't find cargo, bailing!" - exit 1 - fi - fi -fi - -# this assumes the versions are in lock-step, which is fine at the moment. -# Debian is picky about dashes in version strings, so a bit of conversion -# is needed for the first one to prevent interference. 
-KANIDM_VERSION="$(grep -ioE 'version.*' Cargo.toml | head -n1 | awk '{print $NF}' | tr -d '"' | sed -e 's/-/~/')" - -# if we're in a github action, then it's easy to get the commit -if [ -n "${GITHUB_SHA}" ]; then - GIT_HEAD="${GITHUB_SHA}" -else - GIT_HEAD="$(git rev-parse HEAD)" -fi - -# we only want the short commit -GIT_COMMIT="${GIT_HEAD:0:7}" -DATESTR="$(date +%Y%m%d%H%M)" - - -# Due to previous version schemes we need to increment epoch above the default 0, -# to supercede old versions before the change. -EPOCH=1 - -# GitHub Actions forces NTFS compatibility which disallows colons in filenames -# ergo, we do not include the epoch in the filename. -FILENAME="${KANIDM_VERSION}~${DATESTR}+${GIT_COMMIT}" -PACKAGE_VERSION="${EPOCH}:${FILENAME}" - -echo "Deb package Version: ${PACKAGE_VERSION}" - -echo "Updating package dir" -rm -rf "${BUILD_DIR:?}/*" - -echo "Copying source files from ${SOURCE_DIR} to ${BUILD_DIR}" -rsync -a \ - --exclude target \ - "${SOURCE_DIR}/" \ - "${BUILD_DIR}/" - -echo "Copying the debian-specific build files" -cd "${BUILD_DIR}" -pwd -ls -la -rm -rf debian && mkdir -p debian -cp -R platform/debian/packaging/* debian/ - -if [ -d "platform/debian/${PACKAGE}/" ]; then - echo "Copying debian-specific files for ${PACKAGE}" - # shellcheck disable=SC2086 - cp platform/debian/${PACKAGE}/* debian/ -else - echo "No package-specific files were found" -fi - -echo "Setting permissions on debian scripts" -find "./debian/" -name 'pre*' -ls -exec chmod 755 "{}" \; -find "./debian/" -name 'rules' -ls -exec chmod 755 "{}" \; - - -echo "Updating changelog" - -sed -E \ - "s/#DATE#/$(date -R)/" \ - platform/debian/packaging/templates/changelog | \ - sed -E "s/#VERSION#/${PACKAGE_VERSION}/" | \ - sed -E "s/#GIT_COMMIT#/${GIT_COMMIT}/" | \ - sed -E "s/#PACKAGE#/${PACKAGE}/" > debian/changelog - -echo "Running clean" -# debian/rules clean - -echo "Running build" -debian/rules build - -echo "Packaging ${PACKAGE}" -fakeroot debian/rules binary - -echo "Moving 
debs to target/" -mkdir -p "${SOURCE_DIR}/target/" -find ../ -maxdepth 1 -name '*.deb' -exec mv "{}" "${SOURCE_DIR}/target/" \; - -echo "Done, packages:" -find "${SOURCE_DIR}/target/" -maxdepth 1 -name '*.deb' diff --git a/platform/debian/interactive_entrypoint.sh b/platform/debian/interactive_entrypoint.sh deleted file mode 100755 index 595b9f643..000000000 --- a/platform/debian/interactive_entrypoint.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -if [ -z "${TZ}" ]; then - export TZ="UTC" -fi - -ln -snf "/usr/share/zoneinfo/$TZ" "/etc/localtime" && echo "$TZ" > /etc/timezone - -# Install dependencies, for example make! -scripts/install_ubuntu_dependencies.sh - -# Make git happy -git config --global --add safe.directory /root/kanidm - -echo "To launch a deb build, try:" -echo "make -f ./platform/debian/Makefile debs/kanidm" - -# Launch shell -exec /bin/bash "$@" diff --git a/platform/debian/kanidm-unixd/control b/platform/debian/kanidm-unixd/control deleted file mode 100644 index 0f5683375..000000000 --- a/platform/debian/kanidm-unixd/control +++ /dev/null @@ -1,14 +0,0 @@ -Source: kanidm-unixd -Section: admin -Priority: optional -Maintainer: James Hodgkinson -Build-Depends: debhelper (>=10), libpam0g-dev, libudev-dev, libssl-dev, pkg-config, cargo, make -Standards-Version: 4.6.0 -Homepage: https://kanidm.com -Vcs-Git: https://github.com/kanidm/kanidm/ -Rules-Requires-Root: no - -Package: kanidm-unixd -Architecture: any -Depends: tpm-udev -Description: Kanidm Unix Tools diff --git a/platform/debian/kanidm-unixd/rules b/platform/debian/kanidm-unixd/rules deleted file mode 100755 index ea9177b91..000000000 --- a/platform/debian/kanidm-unixd/rules +++ /dev/null 
@@ -1,105 +0,0 @@ -#!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) -include /usr/share/dpkg/architecture.mk -# be REALLY noisy -export DH_VERBOSE=1 -export DH_OPTIONS=-v - -export DEB_BUILD_OPTIONS=noautodbgsym -PACKAGE=kanidm-unixd -PKGDIR=debian/${PACKAGE} -BINDIR=${PKGDIR}/usr/sbin/ -LIBDIR=${PKGDIR}/lib/${DEB_HOST_MULTIARCH} -SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE} -PAMDIR=${PKGDIR}/usr/share/pam-configs/ -DISTRIBUTOR_ID=$(shell lsb_release -is) -DISTRIBUTOR_RELEASE=$(shell lsb_release -rs) -DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE) - -# GitHub enforces NTFS compatible filenames for artifacts so we need to drop the EPOCH field -DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version | sed -E 's/^[0-9]+://') - -%: - dh $@ --with systemd - -override_dh_auto_clean: - -override_dh_autoreconf: - -override_dh_auto_build: - # this runs "make -- release/${PACKAGE} release/kanidm-ssh" - KANIDM_BUILD_PROFILE=release_linux dh_auto_build -- release/${PACKAGE} release/kanidm-ssh - -override_dh_auto_test: -override_dh_shlibdeps: -override_dh_strip: - -# Do the systemd things -override_dh_installinit: - install -g root -o root \ - platform/debian/systemd/${PACKAGE}.service \ - debian/ - dh_systemd_enable -p${PACKAGE} --name=${PACKAGE} ${PACKAGE}.service - dh_installinit -p${PACKAGE} --no-start --noscripts - dh_systemd_start -p${PACKAGE} --no-restart-on-upgrade - - install -g root -o root \ - platform/debian/systemd/${PACKAGE}-tasks.service \ - debian/ - dh_systemd_enable -p${PACKAGE} --name=${PACKAGE}-tasks ${PACKAGE}-tasks.service - dh_installinit -p${PACKAGE} --name=${PACKAGE}-tasks --no-start --noscripts - dh_systemd_start -p${PACKAGE} --name=${PACKAGE}-tasks --no-restart-on-upgrade - -override_dh_systemd_start: - echo "Not running dh_systemd_start" - -override_dh_auto_install: - mkdir -p ${BINDIR} - mkdir -p ${PAMDIR} - mkdir -p ${LIBDIR}/security - install \ - -g root -o root \ - target/release/kanidm_ssh_authorizedkeys \ - ${BINDIR} - 
install \ - -g root -o root \ - target/release/kanidm_ssh_authorizedkeys_direct \ - ${BINDIR} - install \ - -g root -o root \ - target/release/kanidm_unixd \ - ${BINDIR} - install \ - -g root -o root \ - target/release/kanidm-unix \ - ${BINDIR} - install \ - -g root -o root \ - target/release/kanidm_unixd_tasks \ - ${BINDIR} - install \ - -g root -o root \ - target/release/libpam_kanidm.so \ - ${LIBDIR}/security/pam_kanidm.so - install \ - -g root -o root \ - target/release/libnss_kanidm.so \ - ${LIBDIR}/libnss_kanidm.so.2 - install \ - -g root -o root -m 644 \ - debian/kanidm.pam \ - ${PAMDIR}/kanidm - -override_dh_installexamples: - mkdir -p ${SHARED_DIR} - install -D \ - -g root -o root \ - examples/kanidm \ - ${SHARED_DIR}/ - install -D \ - -g root -o root \ - examples/unixd \ - ${SHARED_DIR}/ - -override_dh_builddeb: - dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb diff --git a/platform/debian/kanidm/control b/platform/debian/kanidm/control deleted file mode 100644 index f1e404466..000000000 --- a/platform/debian/kanidm/control +++ /dev/null @@ -1,14 +0,0 @@ -Source: kanidm -Section: admin -Priority: optional -Maintainer: James Hodgkinson -Build-Depends: debhelper (>=10), libpam0g-dev, libudev-dev, libssl-dev, pkg-config, cargo, make -Standards-Version: 4.6.0 -Homepage: https://kanidm.com -Vcs-Git: https://github.com/kanidm/kanidm/ -Rules-Requires-Root: no - -Package: kanidm -Architecture: any -Depends: -Description: Kanidm CLI Tooling diff --git a/platform/debian/kanidm/rules b/platform/debian/kanidm/rules deleted file mode 100755 index 50e4bca2f..000000000 --- a/platform/debian/kanidm/rules +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) - -include /usr/share/dpkg/architecture.mk -# be REALLY noisy -export DH_VERBOSE=1 -export DH_OPTIONS=-v - -export DEB_BUILD_OPTIONS=noautodbgsym -PACKAGE=kanidm -PKGDIR=debian/${PACKAGE} -BINDIR=${PKGDIR}/usr/bin/ -SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE} -DISTRIBUTOR_ID=$(shell lsb_release -is) -DISTRIBUTOR_RELEASE=$(shell lsb_release -rs) -DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE) - -#GitHub enforces NTFS compatible filenames for artifacts so we need to drop the EPOCH field -DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version | sed -E 's/^[0-9]+://') - -%: - dh $@ - -override_dh_auto_clean: - -override_dh_auto_configure: - -override_dh_auto_build: - KANIDM_BUILD_PROFILE=release_linux dh_auto_build -- release/${PACKAGE} - -override_dh_auto_test: -override_dh_shlibdeps: -override_dh_strip: - -override_dh_auto_install: - mkdir -p ${BINDIR} - install -D \ - -g root \ - -o root \ - --mode 755 \ - target/release/kanidm \ - ${BINDIR} - -override_dh_installexamples: - mkdir -p ${SHARED_DIR} - install -D \ - -g root \ - -o root \ - --mode 644 \ - examples/config \ - ${SHARED_DIR}/kanidm - -override_dh_builddeb: - dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb diff --git a/platform/debian/kanidm_ppa_automation b/platform/debian/kanidm_ppa_automation new file mode 160000 index 000000000..942c7b69c --- /dev/null +++ b/platform/debian/kanidm_ppa_automation @@ -0,0 +1 @@ +Subproject commit 942c7b69ca807cc38186b63ab02a391bac9eac7e diff --git a/platform/debian/kanidmd/control b/platform/debian/kanidmd/control deleted file mode 100644 index e8c004abc..000000000 --- a/platform/debian/kanidmd/control +++ /dev/null 
@@ -1,14 +0,0 @@ -Source: kanidmd -Section: admin -Priority: optional -Maintainer: James Hodgkinson -Build-Depends: debhelper (>=10), libpam0g-dev, libudev-dev, libssl-dev, pkg-config, cargo, make -Standards-Version: 4.6.0 -Homepage: https://kanidm.com -Vcs-Git: https://github.com/kanidm/kanidm/ -Rules-Requires-Root: no - -Package: kanidmd -Architecture: any -Depends: -Description: Kanidm Daemon diff --git a/platform/debian/kanidmd/postinst b/platform/debian/kanidmd/postinst deleted file mode 100644 index 7874e6c4d..000000000 --- a/platform/debian/kanidmd/postinst +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh -# postinst script for kanidmd -# -# see: dh_installdeb(1) - -set -e - - -case "$1" in - configure) - if [ ! -f /etc/kanidm/config ]; then - echo "=============================" - echo "Thanks for installing Kanidm!" - echo "=============================" - echo "Please ensure you create a configuration file at /etc/kanidm/server.toml" - echo "An example is in /usr/share/kanidmd/" - fi - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/platform/debian/kanidmd/rules b/platform/debian/kanidmd/rules deleted file mode 100755 index e5dbf938a..000000000 --- a/platform/debian/kanidmd/rules +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) - -include /usr/share/dpkg/architecture.mk -# be REALLY noisy -export DH_VERBOSE=1 -export DH_OPTIONS=-v - -export DEB_BUILD_OPTIONS=noautodbgsym - -export DEB_BUILD_OPTIONS=noautodbgsym -PACKAGE=kanidmd -PKGDIR=debian/${PACKAGE} -BINDIR=${PKGDIR}/usr/sbin/ -SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE} -DISTRIBUTOR_ID=$(shell lsb_release -is) -DISTRIBUTOR_RELEASE=$(shell lsb_release -rs) -DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE) - -#GitHub enforces NTFS compatible filenames for artifacts so we need to drop the EPOCH field -DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version | sed -E 's/^[0-9]+://') - -%: - dh $@ --with systemd - -override_dh_auto_clean: -# cargo clean - -override_dh_autoreconf: - -override_dh_auto_build: - KANIDM_BUILD_PROFILE=release_linux dh_auto_build -- release/${PACKAGE} - -override_dh_auto_test: -override_dh_shlibdeps: -override_dh_strip: - - -# Do the systemd things -override_dh_installinit: - install -g root -o root \ - platform/debian/systemd/${PACKAGE}.service \ - debian/ - dh_systemd_enable -p${PACKAGE} --name=${PACKAGE} ${PACKAGE}.service - dh_installinit -p${PACKAGE} --no-start --noscripts - dh_systemd_start -p${PACKAGE} --no-restart-on-upgrade - -override_dh_systemd_start: - echo "Not running dh_systemd_start" - -override_dh_auto_install: - mkdir -p ${BINDIR} - install \ - -g root -o root \ - target/release/kanidmd \ - ${BINDIR} - mkdir -p ${PKGDIR}/usr/share/kanidm/ui/ - cp -R server/web_ui/pkg ${PKGDIR}/usr/share/kanidm/ui/ - -override_dh_installexamples: - mkdir -p ${SHARED_DIR} - install -D \ - -g root -o root \ - examples/kanidm \ - ${SHARED_DIR}/ - install -D \ - -g root -o root \ - --mode=644 \ - examples/server.toml \ - ${SHARED_DIR}/ - -override_dh_builddeb: - dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb 
diff --git a/platform/debian/packaging/compat b/platform/debian/packaging/compat deleted file mode 100644 index 9a037142a..000000000 --- a/platform/debian/packaging/compat +++ /dev/null @@ -1 +0,0 @@ -10 \ No newline at end of file diff --git a/platform/debian/packaging/copyright b/platform/debian/packaging/copyright deleted file mode 100644 index 2eecd9ef9..000000000 --- a/platform/debian/packaging/copyright +++ /dev/null @@ -1,8 +0,0 @@ -Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Upstream-Name: kanidm -Upstream-Contact: James Hodgkinson -Source: https://github.com/kanidm/kanidm - -Files: * -Copyright: 2018- William Brown -License: Mozilla Public License Version 2.0 diff --git a/platform/debian/packaging/postrm.ex b/platform/debian/packaging/postrm.ex deleted file mode 100644 index c80e5a6bb..000000000 --- a/platform/debian/packaging/postrm.ex +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh -# postrm script for kanidm -# rename this to remove the .ex to make it usable. -# -# see: dh_installdeb(1) - -set -e - -case "$1" in - purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/platform/debian/packaging/preinst b/platform/debian/packaging/preinst deleted file mode 100755 index 83366ff27..000000000 --- a/platform/debian/packaging/preinst +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh -# preinst script for kanidm-1.1.0-alpha.8-202207110454 -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `install' -# * `install' -# * `upgrade' -# * `abort-upgrade' -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - - -case "$1" in - install|upgrade) - mkdir -p /etc/kanidm/ - ;; - - abort-upgrade) - ;; - - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/platform/debian/packaging/prerm.ex b/platform/debian/packaging/prerm.ex deleted file mode 100755 index e859e23b5..000000000 --- a/platform/debian/packaging/prerm.ex +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh -# prerm script for kanidm -# rename this to remove the .ex to make it usable. -# -# see: dh_installdeb(1) - -set -e - - -case "$1" in - remove|upgrade|deconfigure) - ;; - - failed-upgrade) - ;; - - *) - echo "prerm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/platform/debian/packaging/source/format b/platform/debian/packaging/source/format deleted file mode 100644 index 163aaf8d8..000000000 --- a/platform/debian/packaging/source/format +++ /dev/null @@ -1 +0,0 @@ -3.0 (quilt) diff --git a/platform/debian/packaging/templates/changelog b/platform/debian/packaging/templates/changelog deleted file mode 100644 index 825555f32..000000000 --- a/platform/debian/packaging/templates/changelog +++ /dev/null @@ -1,5 +0,0 @@ -#PACKAGE# (#VERSION#) UNRELEASED; urgency=medium - - * Updated to git commit #GIT_COMMIT# - - -- James #DATE# diff --git a/platform/debian/packaging/watch.ex b/platform/debian/packaging/watch.ex deleted file mode 100644 index 10814f858..000000000 
--- a/platform/debian/packaging/watch.ex +++ /dev/null @@ -1,38 +0,0 @@ -# Example watch control file for uscan -# Rename this file to "watch" and then you can run the "uscan" command -# to check for upstream updates and more. -# See uscan(1) for format - -# Compulsory line, this is a version 4 file -version=4 - -# PGP signature mangle, so foo.tar.gz has foo.tar.gz.sig -#opts="pgpsigurlmangle=s%$%.sig%" - -# HTTP site (basic) -#http://example.com/downloads.html \ -# files/kanidm-1.1.0-alpha.8-202207110454-([\d\.]+)\.tar\.gz debian uupdate - -# Uncomment to examine an FTP server -#ftp://ftp.example.com/pub/kanidm-1.1.0-alpha.8-202207110454-(.*)\.tar\.gz debian uupdate - -# SourceForge hosted projects -# http://sf.net/kanidm-1.1.0-alpha.8-202207110454/ kanidm-1.1.0-alpha.8-202207110454-(.*)\.tar\.gz debian uupdate - -# GitHub hosted projects -#opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%-$1.tar.gz%" \ -# https://github.com//kanidm-1.1.0-alpha.8-202207110454/tags \ -# (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate - -# PyPI -# https://pypi.debian.net/kanidm-1.1.0-alpha.8-202207110454/kanidm-1.1.0-alpha.8-202207110454-(.+)\.(?:zip|tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz))) - -# Direct Git -# opts="mode=git" http://git.example.com/kanidm-1.1.0-alpha.8-202207110454.git \ -# refs/tags/v([\d\.]+) debian uupdate - - - - -# Uncomment to find new files on GooglePages -# http://example.googlepages.com/foo.html kanidm-1.1.0-alpha.8-202207110454-(.*)\.tar\.gz diff --git a/platform/debian/simple_pkg.sh b/platform/debian/simple_pkg.sh deleted file mode 100755 index cc7430e35..000000000 --- a/platform/debian/simple_pkg.sh +++ /dev/null 
@@ -1,79 +0,0 @@ -#!/usr/bin/env bash - -set -xe - -## NOTE this is based on the Arch Linux PKGBUILD. It combines kanidm_tools, unixd and ssh -# as well as the systemd services. This is a simple alternative for building a tarball for -# use on debian based systems (tested on ubuntu 22.04). - -pushd "$( dirname -- "$0"; )/../../" - -pkgdir=$(realpath kanidm_simple_pkg) -rm -rf "$pkgdir" -mkdir -p "$pkgdir" - -# build the project -make release/kanidm release/kanidm-unixd release/kanidm-ssh - -# enable the following block to include deployment specific configuration files -if [ "${INCLUDE_CONFIG}" -eq 1 ]; then - mkdir -p deployment-config - - # Customize the following heredocs according to the deployment - cat << EOF > deployment-config/config -uri = "https://idm.example.com" -verify_ca = true -verify_hostnames = true -EOF - - cat << EOF > deployment-config/unixd -pam_allowed_login_groups = [""] -EOF - - install -Dm644 deployment-config/config "${pkgdir}/etc/kanidm/config" - install -Dm644 deployment-config/unixd "${pkgdir}/etc/kanidm/unixd" - -fi - -# This is for allowing login via PAM. 
It needs to be enabled using `pam-auth-update` -install -Dm644 platform/debian/kanidm-unixd/kanidm-unixd.pam "${pkgdir}/usr/share/pam-configs/kanidm-unixd" - -# Install kanidm cli -install -Dm755 target/release/kanidm "${pkgdir}/usr/local/sbin/kanidm" -install -Dm644 target/release/build/completions/_kanidm "${pkgdir}/usr/share/zsh/site-functions/_kanidm" -install -Dm644 target/release/build/completions/kanidm.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm.sh" - -# Install systemd service files -install -Dm644 examples/systemd/kanidm-unixd.service "${pkgdir}/usr/lib/systemd/system/kanidm-unixd.service" -install -Dm644 examples/systemd/kanidm-unixd-tasks.service "${pkgdir}/usr/lib/systemd/system/kanidm-unixd-tasks.service" - -# NB., the debian style lib dir and security dir -install -Dm755 target/release/libnss_kanidm.so "${pkgdir}/usr/lib/x86_64-linux-gnu/libnss_kanidm.so.2" -install -Dm755 target/release/libpam_kanidm.so "${pkgdir}/usr/lib/x86_64-linux-gnu/security/pam_kanidm.so" - -# install kanidm unix utilities -install -Dm755 target/release/kanidm_ssh_authorizedkeys "${pkgdir}/usr/local/sbin/kanidm_ssh_authorizedkeys" -install -Dm755 target/release/kanidm_ssh_authorizedkeys_direct "${pkgdir}/usr/local/sbin/kanidm_ssh_authorizedkeys_direct" -install -Dm755 target/release/kanidm_unixd "${pkgdir}/usr/local/sbin/kanidm_unixd" -install -Dm755 target/release/kanidm-unix "${pkgdir}/usr/local/sbin/kanidm-unix" -install -Dm755 target/release/kanidm_unixd_tasks "${pkgdir}/usr/local/sbin/kanidm_unixd_tasks" - -# Install Bash and ZSH completions -install -Dm644 target/release/build/completions/_kanidm_ssh_authorizedkeys_direct "${pkgdir}/usr/share/zsh/site-functions/_kanidm_ssh_authorizedkeys_direct" -install -Dm644 target/release/build/completions/_kanidm_cache_clear "${pkgdir}/usr/share/zsh/site-functions/_kanidm_cache_clear" -install -Dm644 target/release/build/completions/_kanidm_cache_invalidate 
"${pkgdir}/usr/share/zsh/site-functions/_kanidm_cache_invalidate" -install -Dm644 target/release/build/completions/_kanidm_ssh_authorizedkeys "${pkgdir}/usr/share/zsh/site-functions/_kanidm_ssh_authorizedkeys" - -install -Dm644 target/release/build/completions/kanidm_ssh_authorizedkeys_direct.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm_ssh_authorizedkeys_direct.sh" -install -Dm644 target/release/build/completions/kanidm_cache_clear.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm_cache_clear.sh" -install -Dm644 target/release/build/completions/kanidm_cache_invalidate.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm_cache_invalidate.sh" -install -Dm644 target/release/build/completions/kanidm_ssh_authorizedkeys.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm_ssh_authorizedkeys.sh" - -tar cvzf "kanidm-client-tools.tar.gz" -C "$pkgdir" . - -# extract the package in root, enable and run the systemd services and then setup nsswitch according to the docs -# and run pam-auth-update. You may also want to setup the ssh config. It's wise to leave a root console open until -# you've confirmed pam-auth-update worked so you don't lock yourself out. - -popd - diff --git a/platform/debian/ubuntu_docker_builder.sh b/platform/debian/ubuntu_docker_builder.sh deleted file mode 100755 index 5a9876285..000000000 --- a/platform/debian/ubuntu_docker_builder.sh +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/usr/bin/env bash - -# Starts a ubuntu docker container with the source code mounted - -if [ -z "${KANIDM_CONTAINER}" ]; then - KANIDM_CONTAINER="ubuntu:latest" -fi - -if [ "$(basename "$(pwd)")" != "kanidm" ]; then - echo "Please run this from the root dir of the repo" - exit 1 -fi - -echo "Starting base ubuntu container" -echo "Repository is in ~/kanidm/" - -# shellcheck disable=SC2068 -# shellcheck disable=SC2086 -docker run --rm -it $KANIDM_BUILDER_OPTIONS \ - -e "INSTALL_RUST=1" \ - -e "PACKAGING=1" \ - -e "TZ=UTC" \ - -v "$(pwd):/root/kanidm/" \ - --workdir "/root/kanidm/" \ - --entrypoint "/root/kanidm/platform/debian/interactive_entrypoint.sh" \ - "${KANIDM_CONTAINER}" $@ diff --git a/scripts/install_ubuntu_dependencies.sh b/scripts/install_ubuntu_dependencies.sh index 5cb8f72c3..385f70b8e 100755 --- a/scripts/install_ubuntu_dependencies.sh +++ b/scripts/install_ubuntu_dependencies.sh @@ -27,11 +27,22 @@ if [ -z "${PACKAGING}" ]; then fi if [ "${PACKAGING}" -eq 1 ]; then + # Install packages needed for cargo-deb to build healthy debs for any supported target + # This works in Debian, but not in Ubuntu because they do multiarch weird. + # It would be too invasive to config a daily driver Ubuntu install for multiarch, + # so instead we don't, and just warn. + source /etc/os-release + if [[ "$ID" == "ubuntu" ]]; then + 2>&1 echo "You're running Ubuntu, so we're skipping enabling multiarch for you because it would be too invasive. You won't be able to build valid debs for other than your native architecture." ${SUDOCMD} apt-get install -y \ - devscripts \ - fakeroot \ - dh-make \ - debmake + libpam0g \ + libssl3 + elif [[ "$ID" == "debian" ]]; then + ${SUDOCMD} dpkg --add-architecture arm64 && ${SUDOCMD} apt-get update + ${SUDOCMD} apt-get install -y \ + libpam0g:{amd64,arm64} \ + libssl3:{amd64,arm64} + fi export INSTALL_RUST=1 fi 
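Review bot: The Ubuntu warning in the `PACKAGING` branch is written as `2>&1 echo "..."`, which points stderr at stdout and so leaves the message on stdout; a warning belongs on stderr, `>&2 echo "You're running Ubuntu, ..."`. The same branch uses `[[ ... ]]`, `source` and the brace expansion `libpam0g:{amd64,arm64}`, all of which need bash, and the script's interpreter line is outside this hunk, so confirm it is bash rather than sh. `source /etc/os-release` also pulls every variable from that file (for example `NAME` and `VERSION`) into the script's scope; reading only the one value, `ID="$(. /etc/os-release && echo "$ID")"`, avoids clobbering anything the script sets itself.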
@@ -68,6 +79,14 @@ if [ $ERROR -eq 0 ] && [ -z "$(which wasm-bindgen)" ]; then echo "You don't have wasm-bindgen installed! Installing it now..." cargo install -f wasm-bindgen-cli fi +if [ $ERROR -eq 0 ] && [ -z "$(which cross)" ]; then + echo "You don't have cross installed! Installing it now..." + cargo install -f cross +fi +if [ $ERROR -eq 0 ] && [ -z "$(which cargo-deb)" ]; then + echo "You don't have cargo-deb installed! Installing it now..." + cargo install -f cargo-deb +fi if [ $ERROR -eq 1 ]; then diff --git a/platform/debian/systemd/kanidmd.service b/server/daemon/debian/daemon.kanidmd.service similarity index 100% rename from platform/debian/systemd/kanidmd.service rename to server/daemon/debian/daemon.kanidmd.service diff --git a/tools/cli/Cargo.toml b/tools/cli/Cargo.toml index 2fa125ebd..84038d69d 100644 --- a/tools/cli/Cargo.toml +++ b/tools/cli/Cargo.toml @@ -76,3 +76,18 @@ features = ["win10"] [target."cfg(not(any(target_os = \"windows\")))".dependencies.webauthn-authenticator-rs] workspace = true features = ["u2fhid"] + +## Debian packaging +[package.metadata.deb] +name = "kanidm" +maintainer = "James Hodgkinson " +# Can't use $auto depends because the name of libssl3 varies by distro and version +depends = ["libc6", "libudev1", "libssl3 | libssl3t64"] +section = "admin" +priority = "optional" +changelog = "../../target/debian/changelog" # Generated by packaging scripts +assets = [ + [ "target/release/kanidm", "usr/bin/", "755" ], + [ "../../examples/config", "usr/share/kanidm/", "444" ], +] +maintainer-scripts = "debian/" diff --git a/platform/debian/kanidm/postinst b/tools/cli/debian/postinst similarity index 100% rename from platform/debian/kanidm/postinst rename to tools/cli/debian/postinst diff --git a/unix_integration/nss_kanidm/Cargo.toml b/unix_integration/nss_kanidm/Cargo.toml index a452b3236..0f145d3fb 100644 --- a/unix_integration/nss_kanidm/Cargo.toml +++ b/unix_integration/nss_kanidm/Cargo.toml 
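Review bot: `cargo install -f cross` and `cargo install -f cargo-deb` take whatever version is newest on crates.io when the script runs and resolve their dependencies afresh, so the tools that build the release `.deb` files are neither reproducible nor reviewable. Pin both and honour their lockfiles, for example `cargo install --locked --version <PINNED_VERSION> cargo-deb` (placeholder version), and the same for `cross`. `-f` is also unnecessary here, since each branch only runs when `which` did not find the tool. The `wasm-bindgen-cli` line in the context above follows the same pattern and could be tightened at the same time.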
@@ -1,5 +1,6 @@ [package] name = "nss_kanidm" +description = "Kanidm NSS module" version = { workspace = true } authors = { workspace = true } @@ -23,3 +24,25 @@ libc = { workspace = true } paste = { workspace = true } lazy_static = { workspace = true } +## Debian packaging +# The base metadata does **not** work to build a functioning package! +# A target specific variant must be used to get the right multiarch path. +[package.metadata.deb] +name = "libnss-kanidm" +maintainer = "James Hodgkinson " +depends = "" +section = "network" +priority = "optional" +assets = [ + # Empty on purpose +] + +[package.metadata.deb.variants.aarch64-unknown-linux-gnu] +merge-assets.append = [ + [ "target/release/libnss_kanidm.so", "usr/lib/aarch64-linux-gnu/libnss_kanidm.so.2", "644"], +] + +[package.metadata.deb.variants.x86_64-unknown-linux-gnu] +merge-assets.append = [ + [ "target/release/libnss_kanidm.so", "usr/lib/x86_64-linux-gnu/libnss_kanidm.so.2", "644"], +] diff --git a/unix_integration/pam_kanidm/Cargo.toml b/unix_integration/pam_kanidm/Cargo.toml index bd0b6d6a2..9d32d528d 100644 --- a/unix_integration/pam_kanidm/Cargo.toml +++ b/unix_integration/pam_kanidm/Cargo.toml @@ -1,5 +1,6 @@ [package] name = "pam_kanidm" +description = "Kanidm PAM module" links = "pam" version = { workspace = true } 
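Review bot: `depends = ""` in the new `[package.metadata.deb]` table of `nss_kanidm/Cargo.toml` declares no runtime dependencies for `libnss-kanidm`, while the parallel table added to `unix_integration/pam_kanidm/Cargo.toml` lists `libc6`. If the NSS shared object links libc dynamically, which is likely but not shown in this diff, the package should say so: `depends = ["libc6"]`. The warning comment above the table would also help more if it stated the consequence, for example `# The base table installs no files; build with the variant that matches the target triple.`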
@@ -23,3 +24,28 @@ tracing = { workspace = true } [build-dependencies] pkg-config = { workspace = true } + +## Debian packaging +# The base metadata does **not** work to build a functioning package! +# A target specific variant must be used to get the right multiarch path. +[package.metadata.deb] +name = "libpam-kanidm" +maintainer = "James Hodgkinson " +depends = ["libc6", "libpam0g"] +section = "network" +priority = "optional" +assets = [ + # Empty on purpose +] + +[package.metadata.deb.variants.aarch64-unknown-linux-gnu] +merge-assets.append = [ + [ "target/release/libpam_kanidm.so", "usr/lib/aarch64-linux-gnu/security/pam_kanidm.so", "644"], + [ "debian/kanidm.pam", "usr/share/pam-configs/kanidm", "644"], +] + +[package.metadata.deb.variants.x86_64-unknown-linux-gnu] +merge-assets.append = [ + [ "target/release/libpam_kanidm.so", "usr/lib/x86_64-linux-gnu/security/pam_kanidm.so", "644"], + [ "debian/kanidm.pam", "usr/share/pam-configs/kanidm", "644"], +] diff --git a/platform/debian/kanidm-unixd/kanidm.pam b/unix_integration/pam_kanidm/debian/kanidm.pam similarity index 100% rename from platform/debian/kanidm-unixd/kanidm.pam rename to unix_integration/pam_kanidm/debian/kanidm.pam diff --git a/unix_integration/resolver/Cargo.toml b/unix_integration/resolver/Cargo.toml index 3c02db2d5..f235e13a1 100644 --- a/unix_integration/resolver/Cargo.toml +++ b/unix_integration/resolver/Cargo.toml 
@@ -108,3 +108,35 @@ kanidmd_testkit = { workspace = true } clap = { workspace = true, features = ["derive"] } clap_complete = { workspace = true } kanidm_build_profiles = { workspace = true } + +## Debian packaging +# We only package unixd itself here as shared libraries must be packaged separarately due to multiarch rules. +[package.metadata.deb] +name = "kanidm-unixd" +maintainer = "James Hodgkinson " +# Can't use $auto depends because the name of libssl3 varies by distro and version +depends = [ + "libc6", + "tpm-udev", + "libssl3 | libssl3t64", + "libpam-kanidm", + "libnss-kanidm" +] +section = "network" +priority = "optional" +changelog = "../../target/debian/changelog" # Generated by platform/debian/build_debs.sh +assets = [ + [ "target/release/kanidm_ssh_authorizedkeys", "usr/sbin/", "755" ], + [ "target/release/kanidm_unixd_tasks", "usr/sbin/", "755" ], + [ "target/release/kanidm_unixd", "usr/sbin/", "755" ], + [ "target/release/kanidm-unix", "usr/sbin/", "755" ], + [ "../../examples/unixd-safe-default", "etc/kanidm/unixd", "644" ], + [ "../../examples/kanidm-safe-default", "etc/kanidm/config", "644" ], + [ "../../examples/kanidm", "usr/share/kanidm-unixd/", "444" ], + [ "../../examples/unixd", "usr/share/kanidm-unixd/", "444" ], +] +maintainer-scripts = "debian/" +systemd-units = [ + { unit-name = "kanidm-unixd", enable = true}, + { unit-name = "kanidm-unixd-tasks", enable = true}, +] diff --git a/platform/debian/systemd/kanidm-unixd-tasks.service b/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd-tasks.service similarity index 100% rename from platform/debian/systemd/kanidm-unixd-tasks.service rename to unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd-tasks.service 
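Review bot: The assets installed to `etc/kanidm/unixd` and `etc/kanidm/config` are files the administrator is expected to edit (the postinst in this commit says so), so they need conffile handling or a package upgrade will replace local settings with the shipped defaults. Check that the cargo-deb version in use registers `etc/` assets as conffiles by itself; if it does not, add `conf-files = ["/etc/kanidm/unixd", "/etc/kanidm/config"]`. Both entries in `systemd-units` set `enable = true`, so the services are enabled at install time against `unixd-safe-default`, whose content is not part of this hunk; confirm that file cannot admit logins before the administrator has configured it. Small typo in the added comment: `separarately`.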
diff --git a/platform/debian/systemd/kanidm-unixd.service b/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service similarity index 100% rename from platform/debian/systemd/kanidm-unixd.service rename to unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service diff --git a/platform/debian/kanidm-unixd/postinst b/unix_integration/resolver/debian/postinst similarity index 50% rename from platform/debian/kanidm-unixd/postinst rename to unix_integration/resolver/debian/postinst index ddd9c2d2a..cc7c10be6 100644 --- a/platform/debian/kanidm-unixd/postinst +++ b/unix_integration/resolver/debian/postinst @@ -9,14 +9,12 @@ set -e case "$1" in configure) pam-auth-update --package - if [ ! -f /etc/kanidm/config ]; then - echo "=============================" - echo "Thanks for installing Kanidm!" - echo "=============================" - echo "Please ensure you create configuration files at /etc/kanidm/unixd and /etc/kanidm/config" - echo "Examples are in /usr/share/kanidm-unixd/" - echo "To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html" - fi + echo "=============================" + echo "Thanks for installing Kanidm!" + echo "=============================" + echo "Please ensure you modify the configuration files at /etc/kanidm/unixd and /etc/kanidm/config" + echo "Full examples are in /usr/share/kanidm-unixd/" + echo "To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html" ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/platform/debian/kanidm-unixd/prerm b/unix_integration/resolver/debian/prerm similarity index 85% rename from platform/debian/kanidm-unixd/prerm rename to unix_integration/resolver/debian/prerm index 40f7ccf10..e6eed62c1 100644 --- a/platform/debian/kanidm-unixd/prerm +++ b/unix_integration/resolver/debian/prerm 
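Review bot: With the `if [ ! -f /etc/kanidm/config ]` guard removed, the banner in the `configure)` branch of the postinst is printed on every upgrade as well as on first install. dpkg passes the previously configured version as `$2`, which is empty on a fresh install, so wrapping the `echo` lines in `if [ -z "$2" ]; then ... fi` keeps the message to first installs. The `case` statement begins and ends outside this hunk.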
@@ -1,3 +1,5 @@
 if [ "$1" = remove ]; then
 pam-auth-update --package --remove kanidm
 fi
+
+#DEBHELPER#
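Review bot: The prerm script has no interpreter line and no `set -e`; the hunk starts at line 1 and covers the whole file, so neither is hidden above it. Now that `#DEBHELPER#` is replaced with generated shell at build time, a failing `pam-auth-update` call would be ignored as long as the commands after it succeed. Add `#!/bin/sh` and `set -e` as the first two lines, in line with the `set -e` the postinst in the same directory uses.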