Merge pull request #170 from himmelblau-idm/karlholmberg/debian_packa…
…ging

Added Debian packaging workflow and files
dmulder authored Sep 9, 2024
2 parents 06f046b + 18beb9c commit 13bcc90
Showing 18 changed files with 1,340 additions and 0 deletions.
558 changes: 558 additions & 0 deletions .github/workflows/build_debian_source_package.yml

Large diffs are not rendered by default.

472 changes: 472 additions & 0 deletions .github/workflows/build_debian_source_package_strict.yml

Large diffs are not rendered by default.

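--- a/debian/copyright
+++ b/debian/copyright
@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: himmelblau
+Source: https://github.com/openSUSE/himmelblau
+
+Files: *
+Copyright: 2024 David Mulder <[email protected]>
+License: GPL-3+
+Comment:
+Interoperability suite for Microsoft Azure AD and Intune.
+Himmelblau is an interoperability suite for Microsoft Azure AD and
+Intune, which allows users to sign into a Linux machine using Azure
+Active Directory credentials. It relies on the Microsoft
+Authentication Library to communicate with the Microsoft service.
+
+License: GPL-3+
+This package is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+On Debian systems, the complete text of the GNU General Public License
+can be found in `/usr/share/common-licenses/GPL-3`.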
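--- a/debian/himmelblau.install
+++ b/debian/himmelblau.install
@@ -0,0 +1,6 @@
+src/config/himmelblau.conf etc/himmelblau
+target/release/aad-tool usr/bin
+platform/debian/himmelblaud.service usr/lib/systemd/system
+platform/debian/himmelblaud-tasks.service usr/lib/systemd/system
+target/release/himmelblaud usr/sbin
+target/release/himmelblaud_tasks usr/sbin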
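--- a/debian/himmelblau.manpages
+++ b/debian/himmelblau.manpages
@@ -0,0 +1,3 @@
+man/man1/aad-tool.1
+man/man8/himmelblaud.8
+man/man8/himmelblaud_tasks.8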
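--- a/debian/himmelblau.postinst
+++ b/debian/himmelblau.postinst
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+configure)
+deb-systemd-helper enable himmelblaud.service >/dev/null || true
+deb-systemd-helper enable himmelblaud-tasks.service >/dev/null || true
+deb-systemd-invoke start himmelblaud.service >/dev/null || true
+deb-systemd-invoke start himmelblaud-tasks.service >/dev/null || true
+;;
+upgrade|failed-upgrade|abort-install|abort-upgrade)
+deb-systemd-invoke restart himmelblaud.service >/dev/null || true
+deb-systemd-invoke restart himmelblaud-tasks.service >/dev/null || true
+;;
+esac
+
+exit 0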
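Review bot: The hand-written deb-systemd-helper/deb-systemd-invoke block duplicates what `#DEBHELPER#` expands to: dh_installsystemd generates enable/start/restart snippets for the two units that himmelblau.install places under usr/lib/systemd/system (on any recent debhelper compat level), so each unit is likely enabled and started twice on `configure`, and himmelblau.prerm repeats the same pattern with its `stop` calls. The `>/dev/null || true` suffix on every call also discards all failures, so a unit that cannot start leaves the package configured with nothing in the install log. Either drop the case block and let the generated snippets manage the unit lifecycle, or keep the custom handling and run `dh_installsystemd --no-enable --no-start` from an `override_dh_installsystemd` target in debian/rules so that only one party manages the units. Restarting the services on `abort-install` is also questionable, since the package was never configured at that point.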
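--- a/debian/himmelblau.prerm
+++ b/debian/himmelblau.prerm
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+remove|upgrade|deconfigure)
+deb-systemd-invoke stop himmelblaud.service >/dev/null || true
+deb-systemd-invoke stop himmelblaud-tasks.service >/dev/null || true
+;;
+esac
+
+exit 0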
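--- a/debian/nss-himmelblau.install
+++ b/debian/nss-himmelblau.install
@@ -0,0 +1 @@
+target/release/libnss_himmelblau.so.2 lib/x86_64-linux-gnu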
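Review bot: The destination `lib/x86_64-linux-gnu` hard-codes one multiarch triplet, so the NSS module lands in the wrong directory on any other architecture even though the cargo build itself is architecture-neutral; debian/pam-himmelblau.install has the same hard-coded `lib/x86_64-linux-gnu/security`. If I recall correctly, debhelper substitutes `${DEB_HOST_MULTIARCH}` in install files from compat 13 on, so `target/release/libnss_himmelblau.so.2 lib/${DEB_HOST_MULTIARCH}` (and `lib/${DEB_HOST_MULTIARCH}/security` for the PAM module) keeps both packages correct per architecture; on older compat levels dh-exec provides the same substitution. The `.so.2` file only exists because of the `cp`/`patchelf` steps in override_dh_auto_build in debian/rules, so a one-line comment here pointing at that coupling would help the next maintainer.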
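--- a/debian/pam-himmelblau.install
+++ b/debian/pam-himmelblau.install
@@ -0,0 +1 @@
+target/release/pam_himmelblau.so lib/x86_64-linux-gnu/security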
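--- a/debian/rules
+++ b/debian/rules
@@ -0,0 +1,37 @@
+#!/usr/bin/make -f
+
+# Check if local Rust environment is available
+ifneq (,$(wildcard $(HOME)/.cargo/env))
+RUST_ENV = . $(HOME)/.cargo/env && rustup default stable &&
+else
+RUST_ENV =
+endif
+
+export CARGO_HOME=$(CURDIR)
+export CARGO_TARGET_DIR=$(CURDIR)/target
+
+%:
+dh $@
+
+override_dh_auto_clean:
+$(RUST_ENV) export CARGO_HOME=$(CARGO_HOME) && export CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) && cargo clean --offline
+
+override_dh_auto_build:
+# Ensure the necessary development package is installed
+# Extract the vendor dependencies
+tar -xf vendor.tar.xz
+# Build the project with the appropriate flags
+$(RUST_ENV) export CARGO_HOME=$(CARGO_HOME) && export CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) && \
+cargo build --release --frozen
+# Strip unnecessary symbols from the binaries
+strip --strip-unneeded target/release/himmelblaud
+strip --strip-unneeded target/release/himmelblaud_tasks
+# Copy and set the soname for shared libraries
+cp target/release/libnss_himmelblau.so target/release/libnss_himmelblau.so.2
+cp target/release/libpam_himmelblau.so target/release/pam_himmelblau.so
+patchelf --set-soname libnss_himmelblau.so.2 target/release/libnss_himmelblau.so.2
+strip --strip-unneeded target/release/libnss_himmelblau.so.2
+strip --strip-unneeded target/release/libpam_himmelblau.so
+
+override_dh_auto_test:
+# Skip tests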
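Review bot: `rustup default stable` inside `RUST_ENV` changes the builder's global rustup default toolchain as a side effect of building the package, and because the `ifneq` condition depends on `$(HOME)/.cargo/env` the toolchain used differs between a developer machine and a clean build chroot, which hurts reproducibility. If a rustup-managed toolchain is really wanted, `rustup run stable cargo build …` (or `cargo +stable build …`) selects it without mutating global state; otherwise drop `RUST_ENV` and rely on the rustc/cargo named in Build-Depends. The inline `export CARGO_HOME=$(CARGO_HOME) && export CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) &&` in both overrides repeats the file-level `export` of the same two variables and can go. The manual `strip --strip-unneeded` lines pre-empt dh_strip, so no -dbgsym package can be produced and `DEB_BUILD_OPTIONS=nostrip` is ignored; leaving stripping to dh_strip is the usual approach. The comment `# Ensure the necessary development package is installed` has no command under it and should be completed or removed.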
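--- a/debian/source/format
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)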
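--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+vendor.tar.xz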
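--- a/debian/source/options
+++ b/debian/source/options
@@ -0,0 +1 @@
+compression = "xz"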
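--- a/man/man1/aad-tool.1
+++ b/man/man1/aad-tool.1
@@ -0,0 +1,54 @@
+.TH AAD-TOOL "1" "September 2024" "Himmelblau 0.5.0" "User Commands"
+.SH NAME
+aad-tool \- Azure Entra ID (AAD) management utility for Himmelblau
+.SH SYNOPSIS
+.B aad-tool
+\fI<COMMAND>\fR [OPTIONS]
+.SH DESCRIPTION
+The `aad-tool` utility is part of the Himmelblau project, designed to manage and interact with Azure Entra ID through various commands. It allows you to test authentication, manage caches, and check the status of services related to the `himmelblaud` resolver.
+
+.SS Commands:
+.TP
+.B auth-test
+Test user authentication via the `himmelblaud` resolver using the PAM channel. This does not validate your PAM configuration but ensures that `himmelblaud` is correctly processing and verifying user authentications.
+
+.TP
+.B cache-clear
+Clear all entries in the `himmelblaud` resolver cache. This operation removes cached user and group data. Use `cache-invalidate` for safer cache management without erasing data.
+
+.TP
+.B cache-invalidate
+Invalidate the `himmelblaud` resolver cache without erasing entries. This forces the `himmelblaud` daemon to refresh all cached user and group data. If offline, the cache remains available and will refresh automatically when back online.
+
+.TP
+.B status
+Check if the `himmelblaud` daemon is online and properly connected to the Himmelblau service.
+
+.TP
+.B version
+Display the version of the `aad-tool`.
+
+.TP
+.B help
+Show help information for the specified subcommand(s).
+.SH OPTIONS
+.TP
+\fB-h\fR, \fB--help\fR
+Display help information.
+.SH EXAMPLES
+.TP
+.B aad-tool auth-test
+Test user authentication through the `himmelblaud` PAM resolver.
+
+.TP
+.B aad-tool cache-clear
+Clear all user and group data from the resolver cache.
+
+.TP
+.B aad-tool status
+Check the connection status of the `himmelblaud` daemon.
+.SH "SEE ALSO"
+.B himmelblau
+Documentation is available through the Texinfo manual. Use the following command to access the full manual:
+
+.BR info himmelblau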
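--- a/man/man8/himmelblaud.8
+++ b/man/man8/himmelblaud.8
@@ -0,0 +1,54 @@
+.TH HIMMELBLAUD "1" "September 2024" "Himmelblau 0.5.0" "System Services"
+.SH NAME
+himmelblaud \- Himmelblau Authentication Daemon for Azure Entra ID
+.SH SYNOPSIS
+.B himmelblaud
+[\fIOPTIONS\fR]
+.SH DESCRIPTION
+The `himmelblaud` daemon is responsible for authenticating users against Azure Entra ID and managing group and user information. It operates as a background service, handling authentication requests and maintaining a cache of user and group data.
+
+.SH OPTIONS
+.TP
+\fB\-r\fR, \fB\-\-skip\-root\-check\fR
+Bypass the check that prevents running the daemon as the root user. This option is risky and should never be used in production environments due to potential security vulnerabilities. It can also be set through the environment variable \fBHIMMELBLAU_SKIP_ROOT_CHECK\fR.
+
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Enable verbose debug output. This option will show detailed diagnostic information useful for troubleshooting and debugging. Can also be set via the environment variable \fBHIMMELBLAU_DEBUG\fR.
+
+.TP
+\fB\-t\fR, \fB\-\-configtest\fR
+Display the daemon’s current configuration and exit. This is useful for verifying that the configuration file is correctly formatted and contains valid options.
+
+.TP
+\fB\-c\fR, \fB\-\-config\fR <config>
+Specify the path to the configuration file for the daemon. The default configuration file is located at \fI/etc/himmelblau/himmelblaud.conf\fR. This option can also be set via the environment variable \fBHIMMELBLAU_CONFIG\fR.
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Show the help message with information about available options.
+
+.TP
+\fB\-V\fR, \fB\-\-version\fR
+Print the version of the `himmelblaud` daemon and exit.
+
+.SH USAGE EXAMPLES
+.TP
+.B Start the daemon:
+# systemctl start himmelblaud
+
+.TP
+.B Run with a specific config file:
+# himmelblaud --config /custom/path/himmelblaud.conf
+
+.TP
+.B Test the configuration:
+# himmelblaud --configtest
+
+.TP
+.B Enable debug mode:
+# himmelblaud --debug
+.SH "SEE ALSO"
+Documentation for the `himmelblaud` daemon is available in the Texinfo manual. Use the following command to access the full manual:
+
+.BR info himmelblaud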
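--- a/man/man8/himmelblaud_tasks.8
+++ b/man/man8/himmelblaud_tasks.8
@@ -0,0 +1,29 @@
+.TH HIMMELBLAUD_TASKS "1" "September 2024" "Himmelblau 0.5.0" "System Services"
+.SH NAME
+himmelblaud_tasks \- Home directory creation daemon for Himmelblau
+.SH SYNOPSIS
+.B himmelblaud_tasks
+.SH DESCRIPTION
+The `himmelblaud_tasks` daemon is responsible for automatically creating home directories for users upon successful authentication via Azure Entra ID. This service is required to run as the root user, as it needs elevated permissions to create directories in system locations.
+
+The daemon operates as a background service and does not accept any command-line arguments. It is automatically invoked by the system when required.
+
+.SH USAGE
+The `himmelblaud_tasks` daemon must be run as the root user. If the daemon is started without root privileges, it will fail with an error. No user interaction is needed beyond ensuring the daemon is active and running correctly.
+
+.SH EXAMPLES
+.TP
+.B Start the daemon:
+# systemctl start himmelblaud_tasks
+
+.TP
+.B Verify the status of the daemon:
+# systemctl status himmelblaud_tasks
+
+.SH NOTES
+This daemon is integral to Himmelblau for handling user home directory creation. It ensures that users can properly log in with a valid directory structure in place after authentication.
+
+.SH "SEE ALSO"
+Further documentation for `himmelblaud_tasks` is available in the Texinfo manual. Use the following command to access the complete manual:
+
+.BR info himmelblaud_tasks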
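--- a/platform/debian/himmelblaud-tasks.service
+++ b/platform/debian/himmelblaud-tasks.service
@@ -0,0 +1,32 @@
+# You should not need to edit this file. Instead, use a drop-in file:
+# systemctl edit himmelblaud-tasks.service
+
+[Unit]
+Description=Himmelblau Local Tasks
+After=chronyd.service ntpd.service network-online.target himmelblaud.service
+
+[Service]
+User=root
+Type=simple
+ExecStart=/usr/sbin/himmelblaud_tasks
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
+# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
+ProtectSystem=strict
+ReadWritePaths=/home /var/run/himmelblaud
+RestrictAddressFamilies=AF_UNIX
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateNetwork=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
+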
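Review bot: The unit runs as root with CAP_DAC_OVERRIDE, CAP_CHOWN and CAP_FOWNER in its bounding set but leaves the seccomp filter commented out (`# SystemCallFilter=…`), which is the sandboxing control that would most limit what this process can do with those capabilities should it be compromised; `SystemCallFilter=@system-service` together with `SystemCallArchitectures=native` is the usual starting point, and the same commented-out line appears in himmelblaud.service. For a root service whose only writable locations are /home and the runtime directory, `RestrictNamespaces=true` and `LockPersonality=true` are cheap additions alongside the existing Protect*/Private* settings. `After=himmelblaud.service` only orders the two units and does not pull the daemon in; if the tasks daemon depends on something himmelblaud creates under its runtime directory (which the `ReadWritePaths=/var/run/himmelblaud` entry suggests), `Wants=himmelblaud.service` is worth adding, and `/run/himmelblaud` is the canonical spelling of that path.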
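--- a/platform/debian/himmelblaud.service
+++ b/platform/debian/himmelblaud.service
@@ -0,0 +1,37 @@
+# You should not need to edit this file. Instead, use a drop-in file:
+# systemctl edit himmelblaud.service
+
+[Unit]
+Description=Himmelblau Authentication Daemon
+After=chronyd.service ntpd.service network-online.target
+
+[Service]
+DynamicUser=yes
+UMask=0027
+CacheDirectory=himmelblaud # /var/cache/himmelblaud
+RuntimeDirectory=himmelblaud # /run/himmelblaud
+StateDirectory=himmelblaud # /var/lib/himmelblaud
+
+Type=simple
+ExecStart=/usr/sbin/himmelblaud
+
+# Implied by dynamic user.
+# ProtectHome=
+# ProtectSystem=strict
+# ReadWritePaths=/var/run/kanidm-unixd /var/cache/kanidm-unixd
+
+# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
+NoNewPrivileges=true
+PrivateTmp=true
+# We have to disable this to allow tpmrm0 access for tpm binding.
+PrivateDevices=false
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target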
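Review bot: The trailing comments on `CacheDirectory=himmelblaud # /var/cache/himmelblaud`, `RuntimeDirectory=himmelblaud # /run/himmelblaud` and `StateDirectory=himmelblaud # /var/lib/himmelblaud` are not comments to systemd, which only recognises `#` at the start of a line, so each directive receives the extra tokens `#` and an absolute path as further directory names; these settings take paths relative to their base directory, so depending on the systemd version the assignment is either partially applied or ignored with a warning. Move each note onto its own line above the directive and confirm with `systemd-analyze verify` on the installed unit. `PrivateDevices=false` opens all of /dev to reach the TPM resource manager; `DevicePolicy=closed` plus `DeviceAllow=/dev/tpmrm0 rw` would keep the rest of /dev off-limits while still allowing that one device. The seccomp filter is left commented out here as in himmelblaud-tasks.service; `SystemCallFilter=@system-service` with `SystemCallArchitectures=native` is the usual starting point for a network-facing daemon.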
