Merge pull request #170 from himmelblau-idm/karlholmberg/debian_packaging
Added Debian packaging workflow and files
Showing 18 changed files with 1,340 additions and 0 deletions.
.github/workflows/build_debian_source_package_strict.yml: 472 additions & 0 deletions (large diff not rendered)
@@ -0,0 +1,21 @@ | ||
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ | ||
Upstream-Name: himmelblau | ||
Source: https://github.com/openSUSE/himmelblau | ||
|
||
Files: * | ||
Copyright: 2024 David Mulder <[email protected]> | ||
License: GPL-3+ | ||
Comment: | ||
Interoperability suite for Microsoft Azure AD and Intune. | ||
Himmelblau is an interoperability suite for Microsoft Azure AD and | ||
Intune, which allows users to sign into a Linux machine using Azure | ||
Active Directory credentials. It relies on the Microsoft | ||
Authentication Library to communicate with the Microsoft service. | ||
|
||
License: GPL-3+ | ||
This package is free software; you can redistribute it and/or modify | ||
it under the terms of the GNU General Public License as published by | ||
the Free Software Foundation; either version 3 of the License, or | ||
(at your option) any later version. | ||
On Debian systems, the complete text of the GNU General Public License | ||
can be found in `/usr/share/common-licenses/GPL-3`. |
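Review bot: The `Comment:` field repeats itself: the standalone first line "Interoperability suite for Microsoft Azure AD and Intune." is restated word for word by the paragraph that follows it; keep one of the two. In the `License: GPL-3+` stanza, only the "redistribute and/or modify" paragraph is present; the customary DEP-5 text for GPL-3+ also carries the no-warranty paragraph before the pointer to `/usr/share/common-licenses/GPL-3`, so consider adding it for a complete stanza.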
@@ -0,0 +1,6 @@ | ||
src/config/himmelblau.conf etc/himmelblau | ||
target/release/aad-tool usr/bin | ||
platform/debian/himmelblaud.service usr/lib/systemd/system | ||
platform/debian/himmelblaud-tasks.service usr/lib/systemd/system | ||
target/release/himmelblaud usr/sbin | ||
target/release/himmelblaud_tasks usr/sbin |
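Review bot: The first line installs the config file as `etc/himmelblau/himmelblau.conf`, but the himmelblaud(8) page added in this same change documents the default config path as `/etc/himmelblau/himmelblaud.conf`; pick one file name and use it in both places, otherwise the daemon as documented will not find the shipped file. Note also that everything installed under `etc/` is registered as a conffile by dh_installdeb, which is the right behaviour for this file but means local edits are preserved and prompted about on upgrade.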
@@ -0,0 +1,3 @@ | ||
man/man1/aad-tool.1 | ||
man/man8/himmelblaud.8 | ||
man/man8/himmelblaud_tasks.8 |
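Review bot: `man/man8/himmelblaud.8` and `man/man8/himmelblaud_tasks.8` are installed as section 8 pages, but both of those files in this change declare section "1" in their `.TH` line (`.TH HIMMELBLAUD "1" ...`, `.TH HIMMELBLAUD_TASKS "1" ...`); change the `.TH` section to "8" so the page header matches where the page is installed and `man 8 himmelblaud` is self-consistent.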
@@ -0,0 +1,19 @@ | ||
#!/bin/sh | ||
set -e | ||
|
||
#DEBHELPER# | ||
|
||
case "$1" in | ||
configure) | ||
deb-systemd-helper enable himmelblaud.service >/dev/null || true | ||
deb-systemd-helper enable himmelblaud-tasks.service >/dev/null || true | ||
deb-systemd-invoke start himmelblaud.service >/dev/null || true | ||
deb-systemd-invoke start himmelblaud-tasks.service >/dev/null || true | ||
;; | ||
upgrade|failed-upgrade|abort-install|abort-upgrade) | ||
deb-systemd-invoke restart himmelblaud.service >/dev/null || true | ||
deb-systemd-invoke restart himmelblaud-tasks.service >/dev/null || true | ||
;; | ||
esac | ||
|
||
exit 0 |
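Review bot: The `upgrade|failed-upgrade|abort-install|abort-upgrade` branch is almost entirely dead code in a postinst: dpkg invokes postinst with `configure` (on fresh install and on upgrade alike), `abort-upgrade`, `abort-remove` or `abort-deconfigure`; `upgrade`, `failed-upgrade` and `abort-install` are prerm/postrm arguments and never reach this script, so the restart only ever fires on an aborted upgrade. Beyond that, `#DEBHELPER#` already expands to the dh_installsystemd snippet that enables and starts (or restarts) `himmelblaud.service` and `himmelblaud-tasks.service` when the unit files are installed, so the manual `deb-systemd-helper enable` and `deb-systemd-invoke start` lines duplicate it. Drop them, or, if a custom sequence is really required, do not wrap every call in `|| true`: a failed enable of the login daemon should not be masked by a successful package install.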
@@ -0,0 +1,13 @@ | ||
#!/bin/sh | ||
set -e | ||
|
||
#DEBHELPER# | ||
|
||
case "$1" in | ||
remove|upgrade|deconfigure) | ||
deb-systemd-invoke stop himmelblaud.service >/dev/null || true | ||
deb-systemd-invoke stop himmelblaud-tasks.service >/dev/null || true | ||
;; | ||
esac | ||
|
||
exit 0 |
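Review bot: The `remove|upgrade|deconfigure` stop duplicates the prerm snippet that `#DEBHELPER#` (dh_installsystemd) already generates for installed units, and the `|| true` after each `deb-systemd-invoke stop` means a daemon that fails to stop is silently left running while its binary is replaced underneath it. If the intent is to stop both daemons on upgrade, the generated snippet does that by default; if the intent is instead to keep authentication available during the upgrade window, the right place for that decision is `debian/rules` (`dh_installsystemd --no-stop-on-upgrade`), not a hand-written prerm.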
@@ -0,0 +1 @@ | ||
target/release/libnss_himmelblau.so.2 lib/x86_64-linux-gnu |
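Review bot: `lib/x86_64-linux-gnu` is hardcoded, so this `.install` file only works for amd64 and breaks the package on every other architecture. Use the `${DEB_HOST_MULTIARCH}` substitution instead: either make the file executable with a `#!/usr/bin/dh-exec` shebang (and add `dh-exec` to Build-Depends), or install the module from a `debian/rules` override using `$(DEB_HOST_MULTIARCH)` from `/usr/share/dpkg/architecture.mk`, so `libnss_himmelblau.so.2` lands in the correct triplet directory.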
@@ -0,0 +1 @@ | ||
target/release/pam_himmelblau.so lib/x86_64-linux-gnu/security |
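Review bot: Same hardcoded `lib/x86_64-linux-gnu` as in the NSS `.install` file; the PAM module should also go through `${DEB_HOST_MULTIARCH}` (dh-exec or a rules override) so `pam_himmelblau.so` is installed under the right `<triplet>/security` directory on non-amd64 builds. Note that the file installed here is `target/release/pam_himmelblau.so`, which `debian/rules` creates by copying `libpam_himmelblau.so` and then strips only the original, so the copy that actually ships is the unstripped one.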
@@ -0,0 +1,37 @@ | ||
#!/usr/bin/make -f | ||
|
||
# Check if local Rust environment is available | ||
ifneq (,$(wildcard $(HOME)/.cargo/env)) | ||
RUST_ENV = . $(HOME)/.cargo/env && rustup default stable && | ||
else | ||
RUST_ENV = | ||
endif | ||
|
||
export CARGO_HOME=$(CURDIR) | ||
export CARGO_TARGET_DIR=$(CURDIR)/target | ||
|
||
%: | ||
dh $@ | ||
|
||
override_dh_auto_clean: | ||
$(RUST_ENV) export CARGO_HOME=$(CARGO_HOME) && export CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) && cargo clean --offline | ||
|
||
override_dh_auto_build: | ||
# Ensure the necessary development package is installed | ||
# Extract the vendor dependencies | ||
tar -xf vendor.tar.xz | ||
# Build the project with the appropriate flags | ||
$(RUST_ENV) export CARGO_HOME=$(CARGO_HOME) && export CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) && \ | ||
cargo build --release --frozen | ||
# Strip unnecessary symbols from the binaries | ||
strip --strip-unneeded target/release/himmelblaud | ||
strip --strip-unneeded target/release/himmelblaud_tasks | ||
# Copy and set the soname for shared libraries | ||
cp target/release/libnss_himmelblau.so target/release/libnss_himmelblau.so.2 | ||
cp target/release/libpam_himmelblau.so target/release/pam_himmelblau.so | ||
patchelf --set-soname libnss_himmelblau.so.2 target/release/libnss_himmelblau.so.2 | ||
strip --strip-unneeded target/release/libnss_himmelblau.so.2 | ||
strip --strip-unneeded target/release/libpam_himmelblau.so | ||
|
||
override_dh_auto_test: | ||
# Skip tests |
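Review bot: `strip --strip-unneeded target/release/libpam_himmelblau.so` strips the original, but the file the PAM `.install` picks up is the copy `target/release/pam_himmelblau.so` made two lines earlier, so the shipped PAM module is never stripped; either strip before copying or, better, remove all four manual `strip` calls and let `dh_strip` handle it, which also yields the `-dbgsym` package that manual stripping currently throws away. Two further points: the `RUST_ENV` block sources `$(HOME)/.cargo/env` and runs `rustup default stable`, so the build depends on whatever toolchain happens to be in the builder's home directory and mutates that builder's default toolchain as a side effect; a strict source package build should rely on `Build-Depends: cargo, rustc` alone. And `override_dh_auto_clean` runs `cargo clean --offline` but never removes the tree that `tar -xf vendor.tar.xz` extracts in `override_dh_auto_build`, so a second build from the same tree sees the extracted vendor directory as leftover changes; add the matching `rm -rf` to the clean override. (The comment "Ensure the necessary development package is installed" has no command under it and should be removed or completed.)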
@@ -0,0 +1 @@ | ||
3.0 (quilt) |
@@ -0,0 +1 @@ | ||
vendor.tar.xz |
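Review bot: If this is `debian/source/include-binaries` (the file name is not shown on this page), allowing `vendor.tar.xz` means the whole Rust dependency set enters the source package as an opaque blob that neither `debdiff` nor a code review can inspect. Document in `debian/README.source` how the tarball is produced (for example `cargo vendor` against the `Cargo.lock` of this release) so a reviewer can regenerate it and compare, and make sure the clean target removes everything that `debian/rules` extracts from it.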
@@ -0,0 +1 @@ | ||
compression = "xz" |
@@ -0,0 +1,54 @@ | ||
.TH AAD-TOOL "1" "September 2024" "Himmelblau 0.5.0" "User Commands" | ||
.SH NAME | ||
aad-tool \- Azure Entra ID (AAD) management utility for Himmelblau | ||
.SH SYNOPSIS | ||
.B aad-tool | ||
\fI<COMMAND>\fR [OPTIONS] | ||
.SH DESCRIPTION | ||
The `aad-tool` utility is part of the Himmelblau project, designed to manage and interact with Azure Entra ID through various commands. It allows you to test authentication, manage caches, and check the status of services related to the `himmelblaud` resolver. | ||
|
||
.SS Commands: | ||
.TP | ||
.B auth-test | ||
Test user authentication via the `himmelblaud` resolver using the PAM channel. This does not validate your PAM configuration but ensures that `himmelblaud` is correctly processing and verifying user authentications. | ||
|
||
.TP | ||
.B cache-clear | ||
Clear all entries in the `himmelblaud` resolver cache. This operation removes cached user and group data. Use `cache-invalidate` for safer cache management without erasing data. | ||
|
||
.TP | ||
.B cache-invalidate | ||
Invalidate the `himmelblaud` resolver cache without erasing entries. This forces the `himmelblaud` daemon to refresh all cached user and group data. If offline, the cache remains available and will refresh automatically when back online. | ||
|
||
.TP | ||
.B status | ||
Check if the `himmelblaud` daemon is online and properly connected to the Himmelblau service. | ||
|
||
.TP | ||
.B version | ||
Display the version of the `aad-tool`. | ||
|
||
.TP | ||
.B help | ||
Show help information for the specified subcommand(s). | ||
.SH OPTIONS | ||
.TP | ||
\fB-h\fR, \fB--help\fR | ||
Display help information. | ||
.SH EXAMPLES | ||
.TP | ||
.B aad-tool auth-test | ||
Test user authentication through the `himmelblaud` PAM resolver. | ||
|
||
.TP | ||
.B aad-tool cache-clear | ||
Clear all user and group data from the resolver cache. | ||
|
||
.TP | ||
.B aad-tool status | ||
Check the connection status of the `himmelblaud` daemon. | ||
.SH "SEE ALSO" | ||
.B himmelblau | ||
Documentation is available through the Texinfo manual. Use the following command to access the full manual: | ||
|
||
.BR info himmelblau |
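Review bot: The SEE ALSO section points to `info himmelblau`, but none of the files shown in this change installs a Texinfo manual, so the pointer should be dropped or replaced with cross-references to the pages this package does ship (`himmelblaud(8)`, `himmelblaud_tasks(8)`). Minor roff style: backticks such as `` `aad-tool` `` and `` `himmelblaud` `` are rendered literally by man; use `\fB...\fR` for command and daemon names, as the OPTIONS section already does for `\fB-h\fR`.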
@@ -0,0 +1,54 @@ | ||
.TH HIMMELBLAUD "1" "September 2024" "Himmelblau 0.5.0" "System Services" | ||
.SH NAME | ||
himmelblaud \- Himmelblau Authentication Daemon for Azure Entra ID | ||
.SH SYNOPSIS | ||
.B himmelblaud | ||
[\fIOPTIONS\fR] | ||
.SH DESCRIPTION | ||
The `himmelblaud` daemon is responsible for authenticating users against Azure Entra ID and managing group and user information. It operates as a background service, handling authentication requests and maintaining a cache of user and group data. | ||
|
||
.SH OPTIONS | ||
.TP | ||
\fB\-r\fR, \fB\-\-skip\-root\-check\fR | ||
Bypass the check that prevents running the daemon as the root user. This option is risky and should never be used in production environments due to potential security vulnerabilities. It can also be set through the environment variable \fBHIMMELBLAU_SKIP_ROOT_CHECK\fR. | ||
|
||
.TP | ||
\fB\-d\fR, \fB\-\-debug\fR | ||
Enable verbose debug output. This option will show detailed diagnostic information useful for troubleshooting and debugging. Can also be set via the environment variable \fBHIMMELBLAU_DEBUG\fR. | ||
|
||
.TP | ||
\fB\-t\fR, \fB\-\-configtest\fR | ||
Display the daemon’s current configuration and exit. This is useful for verifying that the configuration file is correctly formatted and contains valid options. | ||
|
||
.TP | ||
\fB\-c\fR, \fB\-\-config\fR <config> | ||
Specify the path to the configuration file for the daemon. The default configuration file is located at \fI/etc/himmelblau/himmelblaud.conf\fR. This option can also be set via the environment variable \fBHIMMELBLAU_CONFIG\fR. | ||
|
||
.TP | ||
\fB\-h\fR, \fB\-\-help\fR | ||
Show the help message with information about available options. | ||
|
||
.TP | ||
\fB\-V\fR, \fB\-\-version\fR | ||
Print the version of the `himmelblaud` daemon and exit. | ||
|
||
.SH USAGE EXAMPLES | ||
.TP | ||
.B Start the daemon: | ||
# systemctl start himmelblaud | ||
|
||
.TP | ||
.B Run with a specific config file: | ||
# himmelblaud --config /custom/path/himmelblaud.conf | ||
|
||
.TP | ||
.B Test the configuration: | ||
# himmelblaud --configtest | ||
|
||
.TP | ||
.B Enable debug mode: | ||
# himmelblaud --debug | ||
.SH "SEE ALSO" | ||
Documentation for the `himmelblaud` daemon is available in the Texinfo manual. Use the following command to access the full manual: | ||
|
||
.BR info himmelblaud |
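Review bot: Three points where this page disagrees with the rest of the change: `.TH HIMMELBLAUD "1"` declares section 1 while the `.manpages` file installs it as `man8/himmelblaud.8`; the `--config` text names `/etc/himmelblau/himmelblaud.conf` as the default while the `.install` file ships `etc/himmelblau/himmelblau.conf`; and the USAGE EXAMPLES use a root `#` prompt to run the daemon directly (`# himmelblaud --debug`, `# himmelblaud --configtest`), which is exactly what the documented root check refuses unless `--skip-root-check` is given, the option this same page says should never be used in production. Point the examples at `systemctl` (the unit runs the daemon under `DynamicUser=yes`) or at an unprivileged user, and align the section number and the config file name with the packaging files.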
@@ -0,0 +1,29 @@ | ||
.TH HIMMELBLAUD_TASKS "1" "September 2024" "Himmelblau 0.5.0" "System Services" | ||
.SH NAME | ||
himmelblaud_tasks \- Home directory creation daemon for Himmelblau | ||
.SH SYNOPSIS | ||
.B himmelblaud_tasks | ||
.SH DESCRIPTION | ||
The `himmelblaud_tasks` daemon is responsible for automatically creating home directories for users upon successful authentication via Azure Entra ID. This service is required to run as the root user, as it needs elevated permissions to create directories in system locations. | ||
|
||
The daemon operates as a background service and does not accept any command-line arguments. It is automatically invoked by the system when required. | ||
|
||
.SH USAGE | ||
The `himmelblaud_tasks` daemon must be run as the root user. If the daemon is started without root privileges, it will fail with an error. No user interaction is needed beyond ensuring the daemon is active and running correctly. | ||
|
||
.SH EXAMPLES | ||
.TP | ||
.B Start the daemon: | ||
# systemctl start himmelblaud_tasks | ||
|
||
.TP | ||
.B Verify the status of the daemon: | ||
# systemctl status himmelblaud_tasks | ||
|
||
.SH NOTES | ||
This daemon is integral to Himmelblau for handling user home directory creation. It ensures that users can properly log in with a valid directory structure in place after authentication. | ||
|
||
.SH "SEE ALSO" | ||
Further documentation for `himmelblaud_tasks` is available in the Texinfo manual. Use the following command to access the complete manual: | ||
|
||
.BR info himmelblaud_tasks |
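Review bot: The EXAMPLES run `systemctl start himmelblaud_tasks` and `systemctl status himmelblaud_tasks`, but the unit installed by this change is `himmelblaud-tasks.service` (hyphen, per the `.install` file and the postinst), so both commands fail because no such unit exists; use `himmelblaud-tasks`. As with the other pages, `.TH HIMMELBLAUD_TASKS "1"` disagrees with the `man8/` install path, and `info himmelblaud_tasks` refers to a Texinfo manual that nothing shown in this change installs.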
@@ -0,0 +1,32 @@ | ||
# You should not need to edit this file. Instead, use a drop-in file: | ||
# systemctl edit himmelblaud-tasks.service | ||
|
||
[Unit] | ||
Description=Himmelblau Local Tasks | ||
After=chronyd.service ntpd.service network-online.target himmelblaud.service | ||
|
||
[Service] | ||
User=root | ||
Type=simple | ||
ExecStart=/usr/sbin/himmelblaud_tasks | ||
|
||
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH | ||
# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync | ||
ProtectSystem=strict | ||
ReadWritePaths=/home /var/run/himmelblaud | ||
RestrictAddressFamilies=AF_UNIX | ||
NoNewPrivileges=true | ||
PrivateTmp=true | ||
PrivateDevices=true | ||
PrivateNetwork=true | ||
ProtectHostname=true | ||
ProtectClock=true | ||
ProtectKernelTunables=true | ||
ProtectKernelModules=true | ||
ProtectKernelLogs=true | ||
ProtectControlGroups=true | ||
MemoryDenyWriteExecute=true | ||
|
||
[Install] | ||
WantedBy=multi-user.target | ||
|
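Review bot: This is the unit that runs as root (`User=root`) with write access to `/home`, so it deserves the tighter sandbox of the two, yet `SystemCallFilter` is left commented out with no explanation and several low-cost hardening directives are absent: `SystemCallArchitectures=native`, `RestrictNamespaces=true`, `RestrictRealtime=true`, `RestrictSUIDSGID=true` and `LockPersonality=true` are all compatible with creating home directories. Two smaller items: `ReadWritePaths=/var/run/himmelblaud` should read `/run/himmelblaud` to match the `RuntimeDirectory=himmelblaud` of the main daemon's unit, and `After=himmelblaud.service` without a matching `Wants=himmelblaud.service` only orders the two units, it does not pull the main daemon in, so the tasks daemon can be started with nothing to talk to.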
@@ -0,0 +1,37 @@ | ||
# You should not need to edit this file. Instead, use a drop-in file: | ||
# systemctl edit himmelblaud.service | ||
|
||
[Unit] | ||
Description=Himmelblau Authentication Daemon | ||
After=chronyd.service ntpd.service network-online.target | ||
|
||
[Service] | ||
DynamicUser=yes | ||
UMask=0027 | ||
CacheDirectory=himmelblaud # /var/cache/himmelblaud | ||
RuntimeDirectory=himmelblaud # /run/himmelblaud | ||
StateDirectory=himmelblaud # /var/lib/himmelblaud | ||
|
||
Type=simple | ||
ExecStart=/usr/sbin/himmelblaud | ||
|
||
# Implied by dynamic user. | ||
# ProtectHome= | ||
# ProtectSystem=strict | ||
# ReadWritePaths=/var/run/kanidm-unixd /var/cache/kanidm-unixd | ||
|
||
# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync | ||
NoNewPrivileges=true | ||
PrivateTmp=true | ||
# We have to disable this to allow tpmrm0 access for tpm binding. | ||
PrivateDevices=false | ||
ProtectHostname=true | ||
ProtectClock=true | ||
ProtectKernelTunables=true | ||
ProtectKernelModules=true | ||
ProtectKernelLogs=true | ||
ProtectControlGroups=true | ||
MemoryDenyWriteExecute=true | ||
|
||
[Install] | ||
WantedBy=multi-user.target |
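Review bot: The trailing comments on `CacheDirectory=`, `RuntimeDirectory=` and `StateDirectory=` are a bug rather than a style issue: systemd's unit syntax only treats lines that begin with `#` or `;` as comments, so `CacheDirectory=himmelblaud # /var/cache/himmelblaud` is parsed as a space-separated value containing `#` and `/var/cache/himmelblaud`, not as `himmelblaud` with a remark, and the directory setup does not come out as the comment implies; move each comment onto its own line. `PrivateDevices=false` gives up the whole private device namespace just to reach the TPM; keeping it off but adding `DevicePolicy=closed` with `DeviceAllow=/dev/tpmrm0 rw` (plus `SupplementaryGroups=tss` if the resource-manager node is group-owned by tss on the target distribution) limits the daemon to that one device. Finally, the commented `ReadWritePaths=/var/run/kanidm-unixd /var/cache/kanidm-unixd` is a leftover from kanidm and should be removed or rewritten for himmelblaud's own paths.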