packaging: Add deb for kanidmd

2025-05-19 23:43:56 +02:00 · 2025-03-09 14:31:30 +02:00 · 2025-03-09 14:31:30 +02:00 · a91359f488
parent 5f7ed8dfba
commit a91359f488
5 changed files with 120 additions and 2 deletions
--- a/server/daemon/Cargo.toml
+++ b/server/daemon/Cargo.toml
@ -57,6 +57,31 @@ clap = { workspace = true, features = ["derive"] }
 clap_complete = { workspace = true }
 kanidm_build_profiles = { workspace = true }

+## Debian packaging
+[package.metadata.deb]
+name = "kanidmd"
+maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
+# Can't use $auto depends because the name of libssl3 varies by distro and version
+depends = [
+	"libc6",
+	"tpm-udev",
+	"libssl3 | libssl3t64",
+]
+section = "network"
+priority = "optional"
+changelog = "../../target/debian/changelog"  # Generated by platform/debian/build_debs.sh
+assets = [
+    [ "target/release/kanidmd", "usr/bin/", "755" ],
+  	[ "debian/group.conf", "usr/lib/sysusers.d/kandimd.conf", "644" ],
+    [ "debian/server.toml", "etc/kanidmd/server.toml", "640" ],
+    [ "../../examples/server.toml", "usr/share/kanidmd/", "444" ],
+    [ "../core/static/**/*", "usr/share/kanidmd/static", "444" ],
+]
+maintainer-scripts = "debian/"
+systemd-units = [
+	{ unit-name = "kanidmd", enable = false},  # Cannot start without manual config
+]
+

 [package.metadata.cargo-machete]
 ignored = ["clap_complete", "kanidm_build_profiles"]
--- a/server/daemon/debian/group.conf
+++ b/server/daemon/debian/group.conf
@ -0,0 +1,2 @@
+# This is a sysusers.d format config, please refer to man sysusers.d(5)
+g kanidmd -
--- a/server/daemon/debian/daemon.kanidmd.service
+++ b/server/daemon/debian/daemon.kanidmd.service
@ -10,13 +10,15 @@ Before=radiusd.service
 [Service]
 Type=notify
 DynamicUser=yes
-StateDirectory=kanidm
+User=kanidmd_dyn
+Group=kanidmd
+StateDirectory=kanidmd
 StateDirectoryMode=0750
 CacheDirectory=kanidmd
 CacheDirectoryMode=0750
 RuntimeDirectory=kanidmd
 RuntimeDirectoryMode=0755
-ExecStart=/usr/sbin/kanidmd server -c /etc/kanidm/server.toml
+ExecStart=/usr/bin/kanidmd server

 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
--- a/server/daemon/debian/postinst
+++ b/server/daemon/debian/postinst
@ -0,0 +1,38 @@
+#!/bin/sh
+# postinst script for kanidmd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+
+case "$1" in
+    configure)
+        echo "Creating the kanidmd group for config & cert ownership..."
+        systemd-sysusers
+        echo "Fixing ownership of server configuration ..."
+        chown :kanidmd /etc/kanidmd/server.toml*
+
+        echo "============================="
+        echo "Thanks for installing Kanidm!"
+        echo "============================="
+        echo "Please ensure you modify the configuration file at /etc/kanidmd/server.toml"
+        echo "Only then: systemctl enable kanidmd.service"
+        echo "Full examples are in /usr/share/kanidmd/"
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- a/server/daemon/debian/server.toml
+++ b/server/daemon/debian/server.toml
@ -0,0 +1,51 @@
+# Kanidm server minimal configuration - /etc/kanidm/server.toml
+# For a full example and documentation, see /usr/share/kanidmd/server.toml
+# or `example/server.toml` in the source repository
+
+# NOTE: You must configure at least domain & origin below to allow the server to start!
+
+#   The webserver bind address. Requires TLS certificates.
+#   If the port is set to 443 you may require the
+#   NET_BIND_SERVICE capability.
+#   Defaults to "127.0.0.1:8443"
+bindaddress = "127.0.0.1:8443"
+
+#   The path to the kanidm database.
+#   The provided example uses systemd dynamic user pathing for security
+db_path = "/var/lib/private/kanidmd/kanidm.db"
+
+#   TLS chain and key in pem format. Both must be present.
+#   If the server receives a SIGHUP, these files will be
+#   re-read and reloaded if their content is valid.
+#   These should be owned by root:kanidmd to give the service access.
+tls_chain = "/etc/kanidmd/chain.pem"
+tls_key = "/etc/kanidmd/key.pem"
+
+log_level = "info"
+
+#   The DNS domain name of the server. This is used in a
+#   number of security-critical contexts
+#   such as webauthn, so it *must* match your DNS
+#
+#   ⚠️  WARNING ⚠️
+#
+#   Changing this value after first use WILL break many types of
+#   registered credentials for accounts including but not limited
+#   to: webauthn, oauth tokens, and more.
+#   If you change this value you *must* run
+#   `kanidmd domain rename` immediately after.
+# NOTE: You must set this value!
+#domain = "idm.example.com"
+#
+#   The origin for webauthn. This is the url to the server,
+#   with the port included if it is non-standard (any port
+#   except 443). This must match or be a descendent of the
+#   domain name you configure above. If these two items are
+#   not consistent, the server WILL refuse to start!
+#   origin = "https://idm.example.com"
+# NOTE: You must set this value!
+#origin = "https://idm.example.com:8443"
+
+[online_backup]
+path = "/var/lib/private/kanidmd/backups/"
+schedule = "00 22 * * *"