cherry-pick: Improve deb packaging, add aarch64 (#3083)

This allows building the stable 1.3.3 on the new packaging infra

* feat: Rebuild the deb packaging flow
fix: Add more sudo, GHA likes sudo
fix: Give build_debs.sh only the triplet argument
fix: Work around more GHA weirdness in apt sources
Drop crossbuild as it was only used by debian packaging
docs: Update book and other docs for packaging flow
feat: package kanidm_tools aka kanidm cli
docs: Update packaging docs for latest process and clarity
fix: use full triple in sdynlib variants
fix: Correct kanidm.pam asset placement
fix: Give pam & nss modules a description so the debs get it
fix: Work around wonky libssl3 naming in Ubuntu 24.04
fix: Place kanidm bin correctly :3
feat: Pin all blame on @yaleman :3
WIP: Swap out the submodule reference. Still not the final one though.
refactor: Switch kanidm-pam & kanidm-nss to mandatory deps
While in theory unixd will start and run without them, it also won't do
anything useful.
fix: explicit depends for nss & pam libs without versions
We build the debs on the ubuntu24.04 GHA runner so automatic pins
versions that are too new for 22.04. Ideally we'd run cargo-deb also on
the target images but that'll have to be a future improvement.
* refactor: Switch nss_kanidm & pam_kanidm package naming closer to debian guidance
* feat: Attempt enabling unixd by default with secure defaults
* fix: Relax config permissions so the kanidm user can read
Also, update postinst config instructions

.github/workflows/debian_package_kanidm.yml

@@ -1,85 +0,0 @@
----
-name: "Build Deb Packages"
-
-"on":
-  push:
-  pull_request:
-
-env:
-  SCCACHE_GHA_ENABLED: "true"
-  RUSTC_WRAPPER: "sccache"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-jobs:
-  build-deb-package:
-    name: Build deb packages
-    strategy:
-      matrix:
-        image:
-          - name: ubuntu
-            version: 22.04
-          - name: debian
-            version: 12
-      fail-fast: false
-    runs-on: ubuntu-latest
-    container:
-      image: "${{ matrix.image.name }}:${{ matrix.image.version }}"
-      env:
-        DEBIAN_FRONTEND: noninteractive
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: install curl
-        run: |
-          apt-get update && apt-get install -y curl
-      - name: Setup sccache
-        uses: mozilla-actions/sccache-action@v0.0.5
-        with:
-          version: "v0.4.2"
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
-      - name: Install dependencies
-        run: |
-          scripts/install_ubuntu_dependencies.sh
-      - name: Install wasm-pack
-        run: cargo install wasm-pack
-      - name: Build packages (kanidm-unixd)
-        run: make -f platform/debian/Makefile debs/kanidm-unixd
-      - name: Build packages (kanidm)
-        run: make -f platform/debian/Makefile debs/kanidm
-
-      - name: Upload debs
-        uses: actions/upload-artifact@v4
-        with:
-          name: "${{ matrix.image.name }}${{ matrix.image.version }}"
-          path: |
-            target/*.deb
-  upload-to-releases:
-    permissions:
-      # https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
-      contents: write  # allows the action to create a release
-
-    name: Upload to releases
-    needs: build-deb-package
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download previously built debs
-        uses: actions/download-artifact@v4
-        with:
-          path: debs
-          merge-multiple: true
-      - name: List packages
-        run: |
-          find $(pwd) -name '*.deb'
-      # TODO: This action is old and falling apart and will soon stop working.
-      # Context: https://github.com/marvinpinto/action-automatic-releases/pull/2
-      - uses: "marvinpinto/action-automatic-releases@latest"
-        with:
-          repo_token: "${{ secrets.GITHUB_TOKEN }}"
-          automatic_release_tag: "debs"
-          prerelease: true
-          title: ".deb Packages"
-          files: "debs/*.deb"
-        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' }}

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "platform/debian/kanidm_ppa_automation"]
+	path = platform/debian/kanidm_ppa_automation
+	url = https://github.com/kanidm/kanidm_ppa_automation

book/src/integrations/pam_and_nsswitch.md

@@ -140,6 +140,4 @@ Documentation examples for the following Linux distributions are available:
 
 - [SUSE / OpenSUSE](pam_and_nsswitch/suse.md)
 - [Fedora](pam_and_nsswitch/fedora.md)
-- Debian / Ubuntu - when one generates packages
-  [from the repository tools](https://github.com/kanidm/kanidm/tree/master/platform/debian),
-  configuration is modified on install.
+- Debian / Ubuntu - Installed with the packages from [kanidm/kanidm_ppa](https://kanidm.github.io/kanidm_ppa/).

book/src/packaging/debian_ubuntu_packaging.md

@@ -2,40 +2,86 @@
 
 ## Building packages
 
-This happens in Docker currently, and here's some instructions for doing it for Ubuntu:
+- Debian packaging is complex enough that it lives in a separate repository:
+[kanidm/kanidm_ppa_automation](https://github.com/kanidm/kanidm_ppa_automation).
+- While official packages are available at https://kanidm.github.io/kanidm_ppa/ these instructions will guide you
+through replicating the same process locally, using [cross](https://github.com/cross-rs/cross) & Docker to isolate the build process
+from your normal computer and allow building packages for multiple architectures.
+- While the examples below will use `aarch64-unknown-linux-gnu` aka `arm64`,
+the same process works for `x86_64-unknown-linux-gnu` aka `amd64` as well.
 
-1. Start in the root directory of the repository.
-2. Run `./platform/debian/ubuntu_docker_builder.sh` This'll start a container, mounting the
-   repository in `~/kanidm/` and installing dependencies via
-   `./scripts/install_ubuntu_dependencies.sh`.
-3. Building packages uses make, get a list by running `make -f ./platform/debian/Makefile help`
-4. So if you wanted to build the package for the Kanidm CLI, run
-   `make -f ./platform/debian/Makefile debs/kanidm`.
-5. The package will be copied into the `target` directory of the repository on the docker host - not
-   just in the container.
+1. Start in the root directory of the main [kanidm/kanidm](https://github.com/kanidm/kanidm) repository.
+1. Install cross:
+   ```shell
+   cargo install cross
+   ```
+1. Pull in the separate deb packaging submodule:
+   ```shell
+   git submodule update platform/debian/kanidm_ppa_automation
+   ```
+1. Launch your desired crossbuild target. Do note the script assumes you use rustup!
+   ```shell
+   # See valid targets:
+   platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh
+   # Launch a target:
+   platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh debian-12-aarch64-unknown-linux-gnu
+   # You can also specify multiple targets within the same distribution:
+   platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh debian-12-{aarch64,x86_64}-unknown-linux-gnu
+   ```
+1. Go get a drink of your choice while the build completes.
+1. Create a sacrificial deb builder container to avoid changing your own system:
+   ```shell
+   docker run --rm -it -e CI=true \
+       --mount "type=bind,src=$PWD,target=/src" \
+       --workdir /src \
+       rust:bookworm
+   ```
+1. In the container install dependencies with:
+   ```shell
+   # The parameter given is which additional target debian architecture to enable (amd64, arm64, etc.)
+   # If your native platform is amd64, running with arm64 is enough to cover both archs.
+   platform/debian/kanidm_ppa_automation/scripts/install_ci_build_dependencies.sh arm64
+   ```
+1. In the container launch the deb build:
+   ```shell
+   platform/debian/kanidm_ppa_automation/scripts/build_debs.sh aarch64-unknown-linux-gnu
+   # Again, multiple targets also work:
+   platform/debian/kanidm_ppa_automation/scripts/build_debs.sh {aarch64,x86_64}-unknown-linux-gnu
+   ```
+1. You can now exit the container, the package paths displayed at the end under `target` will
+   persist.
 
-## Adding a package
+## Adding or amending a deb package
+The rough overview of steps is:
+1. Add cargo-deb specific metadata to the rust package and any static assets. Submit your changes as
+   a PR.
+2. Add build instructions to the separate packaging repo. Submit your changes as a PR.
+3. Go back to the main repo to update the packaging submodule reference to aid running manual dev
+   builds of the new package.
 
-There's a set of default configuration files in `packaging/`; if you want to add a package
-definition, add a folder with the package name and then files in there will be copied over the top
-of the ones from `packaging/` on build.
+In theory steps 1 & 3 could be done in one PR, but this way is simpler.
 
-You'll need two custom files at minimum:
+### Configuration in the main repo
+- The repo is: [kanidm/kanidm](https://github.com/kanidm/kanidm)
+- Packages are primarily based on their package specific `Cargo.toml` definition read by `cargo-deb`. For
+an example, see `unix_integration/resolver/Cargo.toml`
+- A package specific `debian` folder is used for static assets. See: `unix_integration/resolver/debian` for an example.
+- The debian folder may house needed `postinst`, `prerm` etc hook definitions. They must include the `#DEBHELPER#` comment after any custom actions.
+- The package debian folder is also used for any systemd unit files. The file naming pattern is very specific, refer to `cargo-deb` documentation for details.
 
-- `control` - a file containing information about the package.
-- `rules` - a makefile doing all the build steps.
-
-There's a lot of other files that can go into a .deb, some handy ones are:
-
-| Filename | What it does                                                             |
-| -------- | ------------------------------------------------------------------------ |
-| preinst  | Runs before installation occurs                                          |
-| postrm   | Runs after removal happens                                               |
-| prerm    | Runs before removal happens - handy to shut down services.               |
-| postinst | Runs after installation occurs - we're using that to show notes to users |
-
-## Some Debian packaging links
-
-- [DH reference](https://www.debian.org/doc/manuals/maint-guide/dreq.en.html) - Explains what needs
-  to be done for packaging (mostly).
-- [Reference for what goes in control files](https://www.debian.org/doc/debian-policy/ch-controlfields)
+### Configuration in the kanidm_ppa_automation repo
+- The repo is: [kanidm/kanidm_ppa_automation](https://github.com/kanidm/kanidm_ppa_automation)
+- Changes are needed if a new binary and/or package is added, or if build time dependencies change.
+- Amend `scripts/crossbuild.sh` build rules to include new binaries or packages with shared
+libraries. Search for the lines starting with `cross build`.
+- Add any new build time system dependencies to `scripts/install_ci_build_dependencies.sh`, be aware
+  of any difference in package names between Debian & Ubuntu.
+- Add any new packages to `scripts/build_debs.sh`, search for the line starting with `for package in`.
+- Finally, once your changes have been approved go back to the main `kanidm/kanidm` repo and update the submodule reference and PR the reference update. This is not needed for official builds but helps anyone doing dev builds themselves:
+  ```shell
+  cd platform/debian/kanidm_ppa_automation
+  git pull
+  cd -
+  git add platform/debian/kanidm_ppa_automation
+  git commit -m "Update kanidm_ppa_automation reference to latest"
+  ```

book/src/packaging/ppa_packages.md

@@ -1,11 +1,12 @@
 # PPA Packages
 
-This pulls the packages from the Kanidm
-[debs releases](https://github.com/kanidm/kanidm/releases/tag/debs) and makes a package archive for
-“nightly” packages. Packages are distributed for the latest LTS versions, Ubuntu 22.04 & Debian 12.
+- This builds packages from the [main Kanidm repository](https://github.com/kanidm/kanidm) and makes a package archive for “nightly” packages.
+Stable packages are intended to be introduced soon which will require repeating updated instructions
+here.
+- Packages are distributed for the latest LTS versions, Ubuntu 22.04 & Debian 12.
 
-Please note that while the commands below should also work on other Ubuntu-based distributions, we
-cannot ensure their compatibility with PPA. Pop OS, for example, would require an altered setup in
+- Please note that while the commands below should also work on other Ubuntu-based distributions, we
+cannot ensure their compatibility. Pop OS, for example, would require an altered setup in
 line with their [instructions](https://support.system76.com/articles/ppa-third-party/).
 
 ## Adding it to your system
@@ -46,8 +47,8 @@ sudo apt update
 
 ## Listing Packages
 
-Use `apt-cache` to list the packages available:
+Use `apt search` to list the packages available:
 
 ```bash
-apt-cache search kanidm
+apt search kanidm
 ```

examples/kanidm-safe-default

@@ -0,0 +1,7 @@
+## Kanidm minimal Service Configuration - /etc/kanidm/config
+# For a full example and documentation, see /usr/share/kanidm/kanidm
+# or `example/kanidm` in the source repository.
+
+# Replace this with your kanidmd URI and uncomment the line
+#uri = "https://idm.example.com"
+verify_ca = true

examples/unixd-safe-default

@@ -0,0 +1,17 @@
+## Kanidm Unixd minimal Service Configuration - /etc/kanidm/unixd
+# For a full example and documentation, see /usr/share/kanidm-unixd/unixd
+# or `example/unixd` in the source repository.
+
+version = '2'
+
+# default_shell = "/bin/sh"
+
+# home_attr = "uuid"
+# home_alias = "spn"
+# use_etc_skel = false
+
+
+# Defines a set of POSIX groups where membership of any of these groups
+# will be allowed to login via PAM.
+# Replace your group below and uncomment this line:
+#pam_allowed_login_groups = ["your_posix_login_group"]

platform/crossbuild/README.md

@@ -1,39 +0,0 @@
-# Cross-building things using cargo cross
-
-Here be dragons.
-
-1. Get a drink. You'l need it.
-2. Install [cargo-cross](https://github.com/cross-rs/cross)
-3. Drink the drink.
-
-## Building Ubuntu 20.04 things
-
-Make sure you're including `--release` because reasons.
-
-```shell
-CROSS_CONFIG=platform/crossbuild/ubuntu-20.04/Cross.toml \
-    cross build --target aarch64-unknown-linux-gnu \
-        --bin kanidm_unixd \
-        --bin kanidm_unixd_tasks \
-        --bin kanidm_ssh_authorizedkeys \
-        --bin kanidm-unix \
-        --release
-```
-
-Things will end up in `./target/aarch64-unknown-linux-gnu/release/`
-
-## Building Ubuntu 22.04 things
-
-Make sure you're including `--release` because reasons.
-
-```shell
-CROSS_CONFIG=platform/crossbuild/ubuntu-22.04/Cross.toml \
-    cross build --target aarch64-unknown-linux-gnu \
-        --bin kanidm_unixd \
-        --bin kanidm_unixd_tasks \
-        --bin kanidm_ssh_authorizedkeys \
-        --bin kanidm-unix \
-        --release
-```
-
-Things will end up in `./target/aarch64-unknown-linux-gnu/release/`

platform/crossbuild/build.sh

@@ -1,49 +0,0 @@
-#!/bin/bash
-
-set -e
-
-if [ -z "$1" ]; then
-    echo "Usage: $0 target_os"
-    if [ -d ./platform ]; then
-        echo "Options:"
-        find platform/crossbuild -type d -maxdepth 1 -mindepth 1 | awk -F'/' '{print $NF}' | sort
-    fi
-    exit 1
-fi
-
-if [ ! -d "platform/crossbuild/$1" ]; then
-    echo "Could not find platform/crossbuild/$1"
-    exit 1
-fi
-
-TARGET_DIR="./target/$1"
-
-echo "Recreating then building to ${TARGET_DIR}"
-rm -rf "${TARGET_DIR}"
-mkdir -p "${TARGET_DIR}"
-
-CROSS_CONFIG="platform/crossbuild/${1}/Cross.toml" \
-    cross build --target aarch64-unknown-linux-gnu \
-        --bin kanidm_unixd \
-        --bin kanidm_unixd_tasks \
-        --bin kanidm_ssh_authorizedkeys \
-        --bin kanidm-unix \
-        --release
-CROSS_CONFIG="platform/crossbuild/${1}/Cross.toml" \
-    cross build --target aarch64-unknown-linux-gnu \
-        -p pam_kanidm \
-        -p nss_kanidm \
-        --release
-
-find "./target/aarch64-unknown-linux-gnu/release/" -maxdepth 1 \
-    -type f -not -name '*.d' \
-    -name 'kanidm*' \
-    -exec mv "{}" "${TARGET_DIR}/" \;
-
-find "./target/aarch64-unknown-linux-gnu/release/" -maxdepth 1 \
-    -name '*kanidm*.so' \
-    -exec mv "{}" "${TARGET_DIR}/" \;
-# find "${TARGET_DIR}" -name '*.d' -delete
-
-echo "Contents of ${TARGET_DIR}"
-find "${TARGET_DIR}" -type f

platform/crossbuild/ubuntu-20.04/Cross.toml

@@ -1,18 +0,0 @@
-[build.env]
-
-
-[target.aarch64-unknown-linux-gnu]
-dockerfile = "platform/crossbuild/ubuntu-20.04/Dockerfile"
-pre-build = [
-    "TZ=UTC ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone",
-
-    "apt-get update && apt-get install --assume-yes libssl-dev build-essential",
-
-    # "sed 's/^deb http/deb [arch=amd64] http/' -i '/etc/apt/sources.list'",
-    # "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy main restricted universe multiverse' >> /etc/apt/sources.list",
-    # "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy-updates main restricted universe multiverse' >> /etc/apt/sources.list",
-    # "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy-backports main restricted universe multiverse' >> /etc/apt/sources.list",do
-
-    "dpkg --add-architecture $CROSS_DEB_ARCH",
-    "apt-get update && apt-get install --assume-yes libssl-dev:$CROSS_DEB_ARCH  libpam0g-dev:$CROSS_DEB_ARCH libudev-dev:$CROSS_DEB_ARCH pkg-config:$CROSS_DEB_ARCH",
-]

platform/crossbuild/ubuntu-20.04/Dockerfile

@@ -1,14 +0,0 @@
-FROM ubuntu:20.04
-ARG DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && apt-get install --assume-yes --no-install-recommends \
-    g++-aarch64-linux-gnu \
-    libc6-dev-arm64-cross
-
-ENV CROSS_TOOLCHAIN_PREFIX=aarch64-linux-gnu-
-ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER="$CROSS_TOOLCHAIN_PREFIX"gcc \
-    AR_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"ar \
-    CC_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"gcc \
-    CXX_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"g++ \
-    RUST_TEST_THREADS=1 \
-    PKG_CONFIG_PATH="/usr/lib/aarch64-linux-gnu/pkgconfig/:${PKG_CONFIG_PATH}"

platform/crossbuild/ubuntu-22.04/Cross.toml

@@ -1,17 +0,0 @@
-[build.env]
-
-[target.aarch64-unknown-linux-gnu]
-dockerfile = "platform/crossbuild/ubuntu-22.04/Dockerfile"
-pre-build = [
-    "TZ=UTC ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone",
-
-    "apt-get update && apt-get install --assume-yes rsync libssl-dev build-essential",
-
-    "sed 's/^deb http/deb [arch=amd64] http/' -i '/etc/apt/sources.list'",
-    "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy main restricted universe multiverse' >> /etc/apt/sources.list",
-    "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy-updates main restricted universe multiverse' >> /etc/apt/sources.list",
-    "echo 'deb [arch=arm64] http://au.archive.ubuntu.com/pub/ubuntu/ports jammy-backports main restricted universe multiverse' >> /etc/apt/sources.list",
-
-    "dpkg --add-architecture $CROSS_DEB_ARCH",
-    "apt-get update && apt-get install --assume-yes libssl-dev:$CROSS_DEB_ARCH  libpam0g-dev:$CROSS_DEB_ARCH libudev-dev:$CROSS_DEB_ARCH pkg-config:$CROSS_DEB_ARCH",
-]

platform/crossbuild/ubuntu-22.04/Dockerfile

@@ -1,14 +0,0 @@
-FROM ubuntu:22.04
-ARG DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && apt-get install --assume-yes --no-install-recommends \
-    g++-aarch64-linux-gnu \
-    libc6-dev-arm64-cross
-
-ENV CROSS_TOOLCHAIN_PREFIX=aarch64-linux-gnu-
-ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER="$CROSS_TOOLCHAIN_PREFIX"gcc \
-    AR_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"ar \
-    CC_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"gcc \
-    CXX_aarch64_unknown_linux_gnu="$CROSS_TOOLCHAIN_PREFIX"g++ \
-    RUST_TEST_THREADS=1 \
-    PKG_CONFIG_PATH="/usr/lib/aarch64-linux-gnu/pkgconfig/:${PKG_CONFIG_PATH}"

platform/debian/Makefile

@@ -1,27 +0,0 @@
-ARCH ?= $(shell dpkg --print-architecture)
-
-
-.DEFAULT: help
-
-.PHONY: help
-help:
-	@fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/\\$$//' | sed -e 's/##/\n\t/'
-
-.PHONY: debs/kanidm
-debs/kanidm: ## Build the Kanidm CLI package - make sure you set the environment variable KANIDM_BUILD_PROFILE
-debs/kanidm:
-	ARCH=$(ARCH) bash ./platform/debian/build_kanidm.sh kanidm
-
-.PHONY: debs/kanidmd
-debs/kanidmd: ## Build the Kanidmd package - make sure you set the environment variable KANIDM_BUILD_PROFILE
-debs/kanidmd:
-	ARCH=$(ARCH) bash ./platform/debian/build_kanidm.sh kanidmd
-
-.PHONY: debs/kanidm-unixd
-debs/kanidm-unixd: ## Build the Kanidm UNIX tools package (PAM/NSS, unixd and related tools) - make sure you set the environment variable KANIDM_BUILD_PROFILE
-debs/kanidm-unixd:
-	ARCH=$(ARCH) bash ./platform/debian/build_kanidm.sh kanidm-unixd
-
-.PHONY: debs/all
-debs/all: ## Build all the .deb packages - make sure you set the environment variable KANIDM_BUILD_PROFILE
-debs/all: debs/kanidmd debs/kanidm debs/kanidm-unixd

platform/debian/README.md

@@ -0,0 +1,2 @@
+Debian packaging has moved to its own repo, see https://github.com/kanidm/kanidm_ppa_automation.
+The separate repo is however included here as a git submodule to facilitate ad-hoc dev builds. See the relevant [Kanidm Book chapter](https://kanidm.github.io/kanidm/stable/packaging/debian_ubuntu_packaging.html) for more detailed instructions.

platform/debian/build_kanidm.sh

@@ -1,149 +0,0 @@
-#!/usr/bin/bash
-
-# you can skip the dependency install by setting the env var SKIP_DEPS=1
-
-set -e
-
-if [ -z "${ARCH}" ]; then
-    ARCH="$(dpkg --print-architecture)"
-fi
-
-if [[ "${ARCH}" != "$(dpkg --print-architecture)" ]]; then
-    echo "${ARCH} != $(dpkg --print-architecture), cross-compiling!"
-    export PKG_CONFIG_ALLOW_CROSS=1
-else
-    echo "Building for ${ARCH}"
-fi
-
-
-if [ -z "$1" ]; then
-    PACKAGE="kanidm"
-else
-    PACKAGE="$1"
-fi
-
-if [ ! -d "./platform/debian/${PACKAGE}" ]; then
-    echo "Can't find packaging files for ${PACKAGE}"
-    exit 1
-fi
-
-echo "Building ${PACKAGE}"
-
-
-SOURCE_DIR="$(cargo metadata --format-version 1 | jq -r .workspace_root)"
-
-echo "Source dir ${SOURCE_DIR}"
-
-if [ ! -d "${SOURCE_DIR}" ]; then
-    echo "Can't find source dir ${SOURCE_DIR}!"
-    exit 1
-fi
-
-BUILD_DIR="$(mktemp -d)"
-
-if [ -z "${SKIP_DEPS}" ]; then
-    PACKAGING=1 ./scripts/install_ubuntu_dependencies.sh
-else
-    echo "SKIP_DEPS configured, skipping install of rust and packages"
-fi
-
-if [ -f "${HOME}/.cargo/env" ]; then
-    # shellcheck disable=SC1091
-    source "${HOME}/.cargo/env"
-else
-    echo "Couldn't find cargo env in ${HOME}/.cargo/env that seems weird?"
-fi
-
-# if we can't find cargo then need to update the path
-if [ "$(which cargo | wc -l)" -eq 0 ]; then
-    if echo "$PATH" | grep -q '.cargo/bin'; then
-        echo "Updating path to include local cargo dir"
-        export PATH="$HOME/.cargo/bin:$PATH"
-        if [ "$(which cargo | wc -l)" -eq 0 ]; then
-            echo "Still couldn't find cargo, bailing!"
-            exit 1
-        fi
-    fi
-fi
-
-# this assumes the versions are in lock-step, which is fine at the moment.
-# Debian is picky about dashes in version strings, so a bit of conversion
-# is needed for the first one to prevent interference.
-KANIDM_VERSION="$(grep -ioE 'version.*' Cargo.toml | head -n1 | awk '{print $NF}' | tr -d '"' | sed -e 's/-/~/')"
-
-# if we're in a github action, then it's easy to get the commit
-if [ -n "${GITHUB_SHA}" ]; then
-    GIT_HEAD="${GITHUB_SHA}"
-else
-    GIT_HEAD="$(git rev-parse HEAD)"
-fi
-
-# we only want the short commit
-GIT_COMMIT="${GIT_HEAD:0:7}"
-DATESTR="$(date +%Y%m%d%H%M)"
-
-
-# Due to previous version schemes we need to increment epoch above the default 0,
-# to supercede old versions before the change.
-EPOCH=1
-
-# GitHub Actions forces NTFS compatibility which disallows colons in filenames
-# ergo, we do not include the epoch in the filename.
-FILENAME="${KANIDM_VERSION}~${DATESTR}+${GIT_COMMIT}"
-PACKAGE_VERSION="${EPOCH}:${FILENAME}"
-
-echo "Deb package Version: ${PACKAGE_VERSION}"
-
-echo "Updating package dir"
-rm -rf "${BUILD_DIR:?}/*"
-
-echo "Copying source files from ${SOURCE_DIR} to ${BUILD_DIR}"
-rsync -a \
-    --exclude target \
-    "${SOURCE_DIR}/" \
-    "${BUILD_DIR}/"
-
-echo "Copying the debian-specific build files"
-cd "${BUILD_DIR}"
-pwd
-ls -la
-rm -rf debian && mkdir -p debian
-cp -R platform/debian/packaging/* debian/
-
-if [ -d "platform/debian/${PACKAGE}/" ]; then
-    echo "Copying debian-specific files for ${PACKAGE}"
-    # shellcheck disable=SC2086
-    cp platform/debian/${PACKAGE}/* debian/
-else
-    echo "No package-specific files were found"
-fi
-
-echo "Setting permissions on debian scripts"
-find "./debian/" -name 'pre*' -ls -exec chmod 755 "{}" \;
-find "./debian/" -name 'rules' -ls -exec chmod 755 "{}" \;
-
-
-echo "Updating changelog"
-
-sed -E \
-    "s/#DATE#/$(date -R)/" \
-    platform/debian/packaging/templates/changelog  | \
-    sed -E "s/#VERSION#/${PACKAGE_VERSION}/" | \
-    sed -E "s/#GIT_COMMIT#/${GIT_COMMIT}/" | \
-    sed -E "s/#PACKAGE#/${PACKAGE}/" > debian/changelog
-
-echo "Running clean"
-# debian/rules clean
-
-echo "Running build"
-debian/rules build
-
-echo "Packaging ${PACKAGE}"
-fakeroot debian/rules binary
-
-echo "Moving debs to target/"
-mkdir -p "${SOURCE_DIR}/target/"
-find ../ -maxdepth 1 -name '*.deb' -exec mv "{}" "${SOURCE_DIR}/target/" \;
-
-echo "Done, packages:"
-find "${SOURCE_DIR}/target/" -maxdepth 1 -name '*.deb'

platform/debian/interactive_entrypoint.sh

@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [ -z "${TZ}" ]; then
-    export TZ="UTC"
-fi
-
-ln -snf "/usr/share/zoneinfo/$TZ" "/etc/localtime" && echo "$TZ" > /etc/timezone
-
-# Install dependencies, for example make!
-scripts/install_ubuntu_dependencies.sh
-
-# Make git happy
-git config --global --add safe.directory /root/kanidm
-
-echo "To launch a deb build, try:"
-echo "make -f ./platform/debian/Makefile debs/kanidm"
-
-# Launch shell
-exec /bin/bash "$@"

platform/debian/kanidm-unixd/control

@@ -1,14 +0,0 @@
-Source: kanidm-unixd
-Section: admin
-Priority: optional
-Maintainer: James Hodgkinson <james@terminaloutcomes.com>
-Build-Depends: debhelper (>=10), libpam0g-dev, libudev-dev, libssl-dev, pkg-config, cargo, make
-Standards-Version: 4.6.0
-Homepage: https://kanidm.com
-Vcs-Git: https://github.com/kanidm/kanidm/
-Rules-Requires-Root: no
-
-Package: kanidm-unixd
-Architecture: any
-Depends: tpm-udev
-Description: Kanidm Unix Tools

platform/debian/kanidm-unixd/rules

@@ -1,105 +0,0 @@
-#!/usr/bin/make -f
-# See debhelper(7) (uncomment to enable)
-include /usr/share/dpkg/architecture.mk
-# be REALLY noisy
-export DH_VERBOSE=1
-export DH_OPTIONS=-v
-
-export DEB_BUILD_OPTIONS=noautodbgsym
-PACKAGE=kanidm-unixd
-PKGDIR=debian/${PACKAGE}
-BINDIR=${PKGDIR}/usr/sbin/
-LIBDIR=${PKGDIR}/lib/${DEB_HOST_MULTIARCH}
-SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE}
-PAMDIR=${PKGDIR}/usr/share/pam-configs/
-DISTRIBUTOR_ID=$(shell lsb_release -is)
-DISTRIBUTOR_RELEASE=$(shell lsb_release -rs)
-DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE)
-
-# GitHub enforces NTFS compatible filenames for artifacts so we need to drop the EPOCH field
-DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version | sed -E 's/^[0-9]+://')
-
-%:
-	dh $@ --with systemd
-
-override_dh_auto_clean:
-
-override_dh_autoreconf:
-
-override_dh_auto_build:
-	# this runs "make -- release/${PACKAGE} release/kanidm-ssh"
-	KANIDM_BUILD_PROFILE=release_linux dh_auto_build -- release/${PACKAGE} release/kanidm-ssh
-
-override_dh_auto_test:
-override_dh_shlibdeps:
-override_dh_strip:
-
-# Do the systemd things
-override_dh_installinit:
-	install -g root -o root \
-		platform/debian/systemd/${PACKAGE}.service \
-		debian/
-	dh_systemd_enable -p${PACKAGE} --name=${PACKAGE} ${PACKAGE}.service
-	dh_installinit -p${PACKAGE} --no-start --noscripts
-	dh_systemd_start -p${PACKAGE} --no-restart-on-upgrade
-
-	install -g root -o root \
-		platform/debian/systemd/${PACKAGE}-tasks.service \
-		debian/
-	dh_systemd_enable -p${PACKAGE} --name=${PACKAGE}-tasks ${PACKAGE}-tasks.service
-	dh_installinit -p${PACKAGE} --name=${PACKAGE}-tasks --no-start --noscripts
-	dh_systemd_start -p${PACKAGE} --name=${PACKAGE}-tasks --no-restart-on-upgrade
-
-override_dh_systemd_start:
-	echo "Not running dh_systemd_start"
-
-override_dh_auto_install:
-	mkdir -p ${BINDIR}
-	mkdir -p ${PAMDIR}
-	mkdir -p ${LIBDIR}/security
-	install \
-		-g root -o root \
-		target/release/kanidm_ssh_authorizedkeys \
-		${BINDIR}
-	install \
-		-g root -o root \
-		target/release/kanidm_ssh_authorizedkeys_direct \
-		${BINDIR}
-	install \
-		-g root -o root \
-		target/release/kanidm_unixd \
-		${BINDIR}
-	install \
-		-g root -o root \
-		target/release/kanidm-unix \
-		${BINDIR}
-	install \
-		-g root -o root \
-		target/release/kanidm_unixd_tasks \
-		${BINDIR}
-	install \
-		-g root -o root \
-		target/release/libpam_kanidm.so \
-		${LIBDIR}/security/pam_kanidm.so
-	install \
-		-g root -o root \
-		target/release/libnss_kanidm.so \
-		${LIBDIR}/libnss_kanidm.so.2
-	install \
-		-g root -o root -m 644 \
-		debian/kanidm.pam \
-		${PAMDIR}/kanidm
-
-override_dh_installexamples:
-	mkdir -p ${SHARED_DIR}
-	install -D \
-		-g root -o root \
-		examples/kanidm \
-		${SHARED_DIR}/
-	install -D \
-		-g root -o root \
-		examples/unixd \
-		${SHARED_DIR}/
-
-override_dh_builddeb:
-	dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb

platform/debian/kanidm/control

@@ -1,14 +0,0 @@
-Source: kanidm
-Section: admin
-Priority: optional
-Maintainer: James Hodgkinson <james@terminaloutcomes.com>
-Build-Depends: debhelper (>=10), libpam0g-dev, libudev-dev, libssl-dev, pkg-config, cargo, make
-Standards-Version: 4.6.0
-Homepage: https://kanidm.com
-Vcs-Git: https://github.com/kanidm/kanidm/
-Rules-Requires-Root: no
-
-Package: kanidm
-Architecture: any
-Depends:
-Description: Kanidm CLI Tooling

platform/debian/kanidm/rules

@@ -1,54 +0,0 @@
-#!/usr/bin/make -f
-# See debhelper(7) (uncomment to enable)
-
-include /usr/share/dpkg/architecture.mk
-# be REALLY noisy
-export DH_VERBOSE=1
-export DH_OPTIONS=-v
-
-export DEB_BUILD_OPTIONS=noautodbgsym
-PACKAGE=kanidm
-PKGDIR=debian/${PACKAGE}
-BINDIR=${PKGDIR}/usr/bin/
-SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE}
-DISTRIBUTOR_ID=$(shell lsb_release -is)
-DISTRIBUTOR_RELEASE=$(shell lsb_release -rs)
-DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE)
-
-#GitHub enforces NTFS compatible filenames for artifacts so we need to drop the EPOCH field
-DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version | sed -E 's/^[0-9]+://')
-
-%:
-	dh $@
-
-override_dh_auto_clean:
-
-override_dh_auto_configure:
-
-override_dh_auto_build:
-	KANIDM_BUILD_PROFILE=release_linux dh_auto_build -- release/${PACKAGE}
-
-override_dh_auto_test:
-override_dh_shlibdeps:
-override_dh_strip:
-
-override_dh_auto_install:
-	mkdir -p ${BINDIR}
-	install -D \
-		-g root \
-		-o root \
-		--mode 755 \
-		target/release/kanidm \
-		${BINDIR}
-
-override_dh_installexamples:
-	mkdir -p ${SHARED_DIR}
-	install -D \
-	    -g root \
-		-o root \
-		--mode 644 \
-		examples/config \
-		${SHARED_DIR}/kanidm
-
-override_dh_builddeb:
-	dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb

platform/debian/kanidm_ppa_automation

@@ -0,0 +1 @@
+Subproject commit 942c7b69ca807cc38186b63ab02a391bac9eac7e

platform/debian/kanidmd/control

@@ -1,14 +0,0 @@
-Source: kanidmd
-Section: admin
-Priority: optional
-Maintainer: James Hodgkinson <james@terminaloutcomes.com>
-Build-Depends: debhelper (>=10), libpam0g-dev, libudev-dev, libssl-dev, pkg-config, cargo, make
-Standards-Version: 4.6.0
-Homepage: https://kanidm.com
-Vcs-Git: https://github.com/kanidm/kanidm/
-Rules-Requires-Root: no
-
-Package: kanidmd
-Architecture: any
-Depends:
-Description: Kanidm Daemon

platform/debian/kanidmd/postinst

@@ -1,34 +0,0 @@
-#!/bin/sh
-# postinst script for kanidmd
-#
-# see: dh_installdeb(1)
-
-set -e
-
-
-case "$1" in
-    configure)
-        if [ ! -f /etc/kanidm/config ]; then
-            echo "============================="
-            echo "Thanks for installing Kanidm!"
-            echo "============================="
-            echo "Please ensure you create a configuration file at /etc/kanidm/server.toml"
-            echo "An example is in /usr/share/kanidmd/"
-        fi
-    ;;
-
-    abort-upgrade|abort-remove|abort-deconfigure)
-    ;;
-
-    *)
-        echo "postinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0

platform/debian/kanidmd/rules

@@ -1,73 +0,0 @@
-#!/usr/bin/make -f
-# See debhelper(7) (uncomment to enable)
-
-include /usr/share/dpkg/architecture.mk
-# be REALLY noisy
-export DH_VERBOSE=1
-export DH_OPTIONS=-v
-
-export DEB_BUILD_OPTIONS=noautodbgsym
-
-export DEB_BUILD_OPTIONS=noautodbgsym
-PACKAGE=kanidmd
-PKGDIR=debian/${PACKAGE}
-BINDIR=${PKGDIR}/usr/sbin/
-SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE}
-DISTRIBUTOR_ID=$(shell lsb_release -is)
-DISTRIBUTOR_RELEASE=$(shell lsb_release -rs)
-DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE)
-
-#GitHub enforces NTFS compatible filenames for artifacts so we need to drop the EPOCH field
-DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version | sed -E 's/^[0-9]+://')
-
-%:
-	dh $@ --with systemd
-
-override_dh_auto_clean:
-# cargo clean
-
-override_dh_autoreconf:
-
-override_dh_auto_build:
-	KANIDM_BUILD_PROFILE=release_linux dh_auto_build -- release/${PACKAGE}
-
-override_dh_auto_test:
-override_dh_shlibdeps:
-override_dh_strip:
-
-
-# Do the systemd things
-override_dh_installinit:
-	install -g root -o root \
-		platform/debian/systemd/${PACKAGE}.service \
-		debian/
-	dh_systemd_enable -p${PACKAGE} --name=${PACKAGE} ${PACKAGE}.service
-	dh_installinit -p${PACKAGE} --no-start --noscripts
-	dh_systemd_start -p${PACKAGE} --no-restart-on-upgrade
-
-override_dh_systemd_start:
-	echo "Not running dh_systemd_start"
-
-override_dh_auto_install:
-	mkdir -p ${BINDIR}
-	install \
-		-g root -o root \
-		target/release/kanidmd \
-		${BINDIR}
-	mkdir -p ${PKGDIR}/usr/share/kanidm/ui/
-	cp -R server/web_ui/pkg ${PKGDIR}/usr/share/kanidm/ui/
-
-override_dh_installexamples:
-	mkdir -p ${SHARED_DIR}
-	install -D \
-		-g root -o root \
-		examples/kanidm \
-		${SHARED_DIR}/
-	install -D \
-		-g root -o root \
-		--mode=644 \
-		examples/server.toml \
-		${SHARED_DIR}/
-
-override_dh_builddeb:
-	dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb

platform/debian/packaging/compat

@@ -1 +0,0 @@
-10

platform/debian/packaging/copyright

@@ -1,8 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: kanidm
-Upstream-Contact: James Hodgkinson <james@terminaloutcomes.com>
-Source: https://github.com/kanidm/kanidm
-
-Files: *
-Copyright: 2018- William Brown <william@blackhats.net.au>
-License: Mozilla Public License Version 2.0

platform/debian/packaging/postrm.ex

@@ -1,24 +0,0 @@
-#!/bin/sh
-# postrm script for kanidm
-# rename this to remove the .ex to make it usable.
-#
-# see: dh_installdeb(1)
-
-set -e
-
-case "$1" in
-    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
-    ;;
-
-    *)
-        echo "postrm called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0

platform/debian/packaging/preinst

@@ -1,36 +0,0 @@
-#!/bin/sh
-# preinst script for kanidm-1.1.0-alpha.8-202207110454
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <new-preinst> `install'
-#        * <new-preinst> `install' <old-version>
-#        * <new-preinst> `upgrade' <old-version>
-#        * <old-preinst> `abort-upgrade' <new-version>
-# for details, see https://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-
-case "$1" in
-    install|upgrade)
-        mkdir -p /etc/kanidm/
-    ;;
-
-    abort-upgrade)
-    ;;
-
-    *)
-        echo "preinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0

platform/debian/packaging/prerm.ex

@@ -1,28 +0,0 @@
-#!/bin/sh
-# prerm script for kanidm
-# rename this to remove the .ex to make it usable.
-#
-# see: dh_installdeb(1)
-
-set -e
-
-
-case "$1" in
-    remove|upgrade|deconfigure)
-    ;;
-
-    failed-upgrade)
-    ;;
-
-    *)
-        echo "prerm called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0

platform/debian/packaging/source/format

@@ -1 +0,0 @@
-3.0 (quilt)

platform/debian/packaging/templates/changelog

@@ -1,5 +0,0 @@
-#PACKAGE# (#VERSION#) UNRELEASED; urgency=medium
-
-  * Updated to git commit #GIT_COMMIT#
-
- -- James <james@terminaloutcomes.com>  #DATE#

platform/debian/packaging/watch.ex

@@ -1,38 +0,0 @@
-# Example watch control file for uscan
-# Rename this file to "watch" and then you can run the "uscan" command
-# to check for upstream updates and more.
-# See uscan(1) for format
-
-# Compulsory line, this is a version 4 file
-version=4
-
-# PGP signature mangle, so foo.tar.gz has foo.tar.gz.sig
-#opts="pgpsigurlmangle=s%$%.sig%"
-
-# HTTP site (basic)
-#http://example.com/downloads.html \
-#  files/kanidm-1.1.0-alpha.8-202207110454-([\d\.]+)\.tar\.gz debian uupdate
-
-# Uncomment to examine an FTP server
-#ftp://ftp.example.com/pub/kanidm-1.1.0-alpha.8-202207110454-(.*)\.tar\.gz debian uupdate
-
-# SourceForge hosted projects
-# http://sf.net/kanidm-1.1.0-alpha.8-202207110454/ kanidm-1.1.0-alpha.8-202207110454-(.*)\.tar\.gz debian uupdate
-
-# GitHub hosted projects
-#opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%<project>-$1.tar.gz%" \
-#   https://github.com/<user>/kanidm-1.1.0-alpha.8-202207110454/tags \
-#   (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
-
-# PyPI
-# https://pypi.debian.net/kanidm-1.1.0-alpha.8-202207110454/kanidm-1.1.0-alpha.8-202207110454-(.+)\.(?:zip|tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))
-
-# Direct Git
-# opts="mode=git" http://git.example.com/kanidm-1.1.0-alpha.8-202207110454.git \
-#   refs/tags/v([\d\.]+) debian uupdate
-
-
-
-
-# Uncomment to find new files on GooglePages
-# http://example.googlepages.com/foo.html kanidm-1.1.0-alpha.8-202207110454-(.*)\.tar\.gz

platform/debian/simple_pkg.sh

@@ -1,79 +0,0 @@
-#!/usr/bin/env bash
-
-set -xe
-
-## NOTE this is based on the Arch Linux PKGBUILD. It combines kanidm_tools, unixd and ssh
-# as well as the systemd services. This is a simple alternative for building a tarball for
-# use on debian based systems (tested on ubuntu 22.04).
-
-pushd "$( dirname -- "$0"; )/../../"
-
-pkgdir=$(realpath kanidm_simple_pkg)
-rm -rf "$pkgdir"
-mkdir -p "$pkgdir"
-
-# build the project
-make release/kanidm release/kanidm-unixd release/kanidm-ssh
-
-# enable the following block to include deployment specific configuration files
-if [ "${INCLUDE_CONFIG}" -eq 1 ]; then
-  mkdir -p deployment-config
-
-  # Customize the following heredocs according to the deployment
-  cat << EOF > deployment-config/config
-uri = "https://idm.example.com"
-verify_ca = true
-verify_hostnames = true
-EOF
-
-  cat << EOF > deployment-config/unixd
-pam_allowed_login_groups = [""]
-EOF
-
-  install -Dm644 deployment-config/config "${pkgdir}/etc/kanidm/config"
-  install -Dm644 deployment-config/unixd "${pkgdir}/etc/kanidm/unixd"
-
-fi
-
-# This is for allowing login via PAM. It needs to be enabled using `pam-auth-update`
-install -Dm644  platform/debian/kanidm-unixd/kanidm-unixd.pam "${pkgdir}/usr/share/pam-configs/kanidm-unixd"
-
-# Install kanidm cli
-install -Dm755 target/release/kanidm "${pkgdir}/usr/local/sbin/kanidm"
-install -Dm644 target/release/build/completions/_kanidm "${pkgdir}/usr/share/zsh/site-functions/_kanidm"
-install -Dm644 target/release/build/completions/kanidm.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm.sh"
-
-# Install systemd service files
-install -Dm644 examples/systemd/kanidm-unixd.service "${pkgdir}/usr/lib/systemd/system/kanidm-unixd.service"
-install -Dm644 examples/systemd/kanidm-unixd-tasks.service "${pkgdir}/usr/lib/systemd/system/kanidm-unixd-tasks.service"
-
-# NB., the debian style lib dir and security dir
-install -Dm755 target/release/libnss_kanidm.so "${pkgdir}/usr/lib/x86_64-linux-gnu/libnss_kanidm.so.2"
-install -Dm755 target/release/libpam_kanidm.so "${pkgdir}/usr/lib/x86_64-linux-gnu/security/pam_kanidm.so"
-
-# install kanidm unix utilities
-install -Dm755 target/release/kanidm_ssh_authorizedkeys "${pkgdir}/usr/local/sbin/kanidm_ssh_authorizedkeys"
-install -Dm755 target/release/kanidm_ssh_authorizedkeys_direct "${pkgdir}/usr/local/sbin/kanidm_ssh_authorizedkeys_direct"
-install -Dm755 target/release/kanidm_unixd "${pkgdir}/usr/local/sbin/kanidm_unixd"
-install -Dm755 target/release/kanidm-unix "${pkgdir}/usr/local/sbin/kanidm-unix"
-install -Dm755 target/release/kanidm_unixd_tasks "${pkgdir}/usr/local/sbin/kanidm_unixd_tasks"
-
-# Install Bash and ZSH  completions
-install -Dm644 target/release/build/completions/_kanidm_ssh_authorizedkeys_direct "${pkgdir}/usr/share/zsh/site-functions/_kanidm_ssh_authorizedkeys_direct"
-install -Dm644 target/release/build/completions/_kanidm_cache_clear "${pkgdir}/usr/share/zsh/site-functions/_kanidm_cache_clear"
-install -Dm644 target/release/build/completions/_kanidm_cache_invalidate "${pkgdir}/usr/share/zsh/site-functions/_kanidm_cache_invalidate"
-install -Dm644 target/release/build/completions/_kanidm_ssh_authorizedkeys "${pkgdir}/usr/share/zsh/site-functions/_kanidm_ssh_authorizedkeys"
-
-install -Dm644 target/release/build/completions/kanidm_ssh_authorizedkeys_direct.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm_ssh_authorizedkeys_direct.sh"
-install -Dm644 target/release/build/completions/kanidm_cache_clear.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm_cache_clear.sh"
-install -Dm644 target/release/build/completions/kanidm_cache_invalidate.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm_cache_invalidate.sh"
-install -Dm644 target/release/build/completions/kanidm_ssh_authorizedkeys.bash "${pkgdir}/usr/share/bash-completion/completions/kanidm_ssh_authorizedkeys.sh"
-
-tar cvzf "kanidm-client-tools.tar.gz"  -C "$pkgdir" .
-
-# extract the package in root, enable and run the systemd services and then setup nsswitch according to the docs
-# and run pam-auth-update. You may also want to setup the ssh config. It's wise to leave a root console open until
-# you've confirmed pam-auth-update worked so you don't lock yourself out.
-
-popd
-

platform/debian/ubuntu_docker_builder.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-
-# Starts a ubuntu docker container with the source code mounted
-
-if [ -z "${KANIDM_CONTAINER}" ]; then
-    KANIDM_CONTAINER="ubuntu:latest"
-fi
-
-if [ "$(basename "$(pwd)")" != "kanidm" ]; then
-    echo "Please run this from the root dir of the repo"
-    exit 1
-fi
-
-echo "Starting base ubuntu container"
-echo "Repository is in ~/kanidm/"
-
-# shellcheck disable=SC2068
-# shellcheck disable=SC2086
-docker run --rm -it $KANIDM_BUILDER_OPTIONS \
-    -e "INSTALL_RUST=1" \
-    -e "PACKAGING=1" \
-    -e "TZ=UTC" \
-    -v "$(pwd):/root/kanidm/" \
-    --workdir "/root/kanidm/" \
-    --entrypoint "/root/kanidm/platform/debian/interactive_entrypoint.sh" \
-    "${KANIDM_CONTAINER}" $@

scripts/install_ubuntu_dependencies.sh

@@ -27,11 +27,22 @@ if [ -z "${PACKAGING}" ]; then
 fi
 
 if [ "${PACKAGING}" -eq 1 ]; then
+    # Install packages needed for cargo-deb to build healthy debs for any supported target
+    # This works in Debian, but not in Ubuntu because they do multiarch weird.
+    # It would be too invasive to config a daily driver Ubuntu install for multiarch,
+    # so instead we don't, and just warn.
+    source /etc/os-release
+    if [[ "$ID" == "ubuntu" ]]; then
+      2>&1 echo "You're running Ubuntu, so we're skipping enabling multiarch for you because it would be too invasive. You won't be able to build valid debs for other than your native architecture."
     ${SUDOCMD} apt-get install -y \
-        devscripts \
-        fakeroot \
-        dh-make \
-        debmake
+    	libpam0g \
+    	libssl3
+    elif [[ "$ID" == "debian" ]]; then
+    ${SUDOCMD} dpkg --add-architecture arm64 && ${SUDOCMD} apt-get update
+    ${SUDOCMD} apt-get install -y \
+    	libpam0g:{amd64,arm64} \
+    	libssl3:{amd64,arm64}
+    fi
     export INSTALL_RUST=1
 fi
 
@@ -68,6 +79,14 @@ if [ $ERROR -eq 0 ] && [ -z "$(which wasm-bindgen)" ]; then
     echo "You don't have wasm-bindgen installed! Installing it now..."
     cargo install -f wasm-bindgen-cli
 fi
+if [ $ERROR -eq 0 ] && [ -z "$(which cross)" ]; then
+    echo "You don't have cross installed! Installing it now..."
+    cargo install -f cross
+fi
+if [ $ERROR -eq 0 ] && [ -z "$(which cargo-deb)" ]; then
+    echo "You don't have cargo-deb installed! Installing it now..."
+    cargo install -f cargo-deb
+fi
 
 
 if [ $ERROR -eq 1 ]; then

tools/cli/Cargo.toml

@@ -76,3 +76,18 @@ features = ["win10"]
 [target."cfg(not(any(target_os = \"windows\")))".dependencies.webauthn-authenticator-rs]
 workspace = true
 features = ["u2fhid"]
+
+## Debian packaging
+[package.metadata.deb]
+name = "kanidm"
+maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
+# Can't use $auto depends because the name of libssl3 varies by distro and version
+depends = ["libc6", "libudev1", "libssl3 | libssl3t64"]
+section = "admin"
+priority = "optional"
+changelog = "../../target/debian/changelog"  # Generated by packaging scripts
+assets = [
+    [ "target/release/kanidm", "usr/bin/", "755" ],
+    [ "../../examples/config", "usr/share/kanidm/", "444" ],
+]
+maintainer-scripts = "debian/"

unix_integration/nss_kanidm/Cargo.toml

@@ -1,5 +1,6 @@
 [package]
 name = "nss_kanidm"
+description = "Kanidm NSS module"
 
 version = { workspace = true }
 authors = { workspace = true }
@@ -23,3 +24,25 @@ libc = { workspace = true }
 paste = { workspace = true }
 lazy_static = { workspace = true }
 
+## Debian packaging
+# The base metadata does **not** work to build a functioning package!
+# A target specific variant must be used to get the right multiarch path.
+[package.metadata.deb]
+name = "libnss-kanidm"
+maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
+depends = ""
+section = "network"
+priority = "optional"
+assets = [
+	# Empty on purpose
+]
+
+[package.metadata.deb.variants.aarch64-unknown-linux-gnu]
+merge-assets.append = [
+    [ "target/release/libnss_kanidm.so", "usr/lib/aarch64-linux-gnu/libnss_kanidm.so.2", "644"],
+]
+
+[package.metadata.deb.variants.x86_64-unknown-linux-gnu]
+merge-assets.append = [
+    [ "target/release/libnss_kanidm.so", "usr/lib/x86_64-linux-gnu/libnss_kanidm.so.2", "644"],
+]

unix_integration/pam_kanidm/Cargo.toml

@@ -1,5 +1,6 @@
 [package]
 name = "pam_kanidm"
+description = "Kanidm PAM module"
 links = "pam"
 
 version = { workspace = true }
@@ -23,3 +24,28 @@ tracing = { workspace = true }
 
 [build-dependencies]
 pkg-config = { workspace = true }
+
+## Debian packaging
+# The base metadata does **not** work to build a functioning package!
+# A target specific variant must be used to get the right multiarch path.
+[package.metadata.deb]
+name = "libpam-kanidm"
+maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
+depends = ["libc6", "libpam0g"]
+section = "network"
+priority = "optional"
+assets = [
+	# Empty on purpose
+]
+
+[package.metadata.deb.variants.aarch64-unknown-linux-gnu]
+merge-assets.append = [
+    [ "target/release/libpam_kanidm.so", "usr/lib/aarch64-linux-gnu/security/pam_kanidm.so", "644"],
+    [ "debian/kanidm.pam", "usr/share/pam-configs/kanidm", "644"],
+]
+
+[package.metadata.deb.variants.x86_64-unknown-linux-gnu]
+merge-assets.append = [
+    [ "target/release/libpam_kanidm.so", "usr/lib/x86_64-linux-gnu/security/pam_kanidm.so", "644"],
+    [ "debian/kanidm.pam", "usr/share/pam-configs/kanidm", "644"],
+]

unix_integration/resolver/Cargo.toml

@@ -108,3 +108,35 @@ kanidmd_testkit = { workspace = true }
 clap = { workspace = true, features = ["derive"] }
 clap_complete = { workspace = true }
 kanidm_build_profiles = { workspace = true }
+
+## Debian packaging
+# We only package unixd itself here as shared libraries must be packaged separarately due to multiarch rules.
+[package.metadata.deb]
+name = "kanidm-unixd"
+maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
+# Can't use $auto depends because the name of libssl3 varies by distro and version
+depends = [
+	"libc6",
+	"tpm-udev",
+	"libssl3 | libssl3t64",
+	"libpam-kanidm",
+	"libnss-kanidm"
+]
+section = "network"
+priority = "optional"
+changelog = "../../target/debian/changelog"  # Generated by platform/debian/build_debs.sh
+assets = [
+    [ "target/release/kanidm_ssh_authorizedkeys", "usr/sbin/", "755" ],
+    [ "target/release/kanidm_unixd_tasks", "usr/sbin/", "755" ],
+    [ "target/release/kanidm_unixd", "usr/sbin/", "755" ],
+    [ "target/release/kanidm-unix", "usr/sbin/", "755" ],
+    [ "../../examples/unixd-safe-default", "etc/kanidm/unixd", "644" ],
+    [ "../../examples/kanidm-safe-default", "etc/kanidm/config", "644" ],
+    [ "../../examples/kanidm", "usr/share/kanidm-unixd/", "444" ],
+    [ "../../examples/unixd", "usr/share/kanidm-unixd/", "444" ],
+]
+maintainer-scripts = "debian/"
+systemd-units = [
+	{ unit-name = "kanidm-unixd", enable = true}, 
+	{ unit-name = "kanidm-unixd-tasks", enable = true},
+]

unix_integration/resolver/debian/postinst

@@ -9,14 +9,12 @@ set -e
 case "$1" in
     configure)
         pam-auth-update --package
-        if [ ! -f /etc/kanidm/config ]; then
         echo "============================="
         echo "Thanks for installing Kanidm!"
         echo "============================="
-            echo "Please ensure you create configuration files at /etc/kanidm/unixd and /etc/kanidm/config"
-            echo "Examples are in /usr/share/kanidm-unixd/"
+        echo "Please ensure you modify the configuration files at /etc/kanidm/unixd and /etc/kanidm/config"
+        echo "Full examples are in /usr/share/kanidm-unixd/"
         echo "To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html"
-        fi
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

unix_integration/resolver/debian/prerm

@@ -1,3 +1,5 @@
 if [ "$1" = remove ]; then
     pam-auth-update --package --remove kanidm
 fi
+
+#DEBHELPER#