From 50b95996c600361895c93ecad402ede305eae927 Mon Sep 17 00:00:00 2001 From: Karl Holmberg Date: Fri, 31 May 2024 16:08:50 +0200 Subject: [PATCH] Added Debian packaging workflow and files --- .../workflows/build_debian_source_package.yml | 558 ++++++++++++++++++ .../build_debian_source_package_strict.yml | 472 +++++++++++++++ debian/copyright | 21 + debian/himmelblau.install | 6 + debian/himmelblau.manpages | 3 + debian/himmelblau.postinst | 19 + debian/himmelblau.prerm | 13 + debian/nss-himmelblau.install | 1 + debian/pam-himmelblau.install | 1 + debian/rules | 37 ++ debian/source/format | 1 + debian/source/include-binaries | 1 + debian/source/options | 1 + man/man1/aad-tool.1 | 54 ++ man/man8/himmelblaud.8 | 54 ++ man/man8/himmelblaud_tasks.8 | 29 + platform/debian/himmelblaud-tasks.service | 32 + platform/debian/himmelblaud.service | 37 ++ 18 files changed, 1340 insertions(+) create mode 100644 .github/workflows/build_debian_source_package.yml create mode 100644 .github/workflows/build_debian_source_package_strict.yml create mode 100644 debian/copyright create mode 100644 debian/himmelblau.install create mode 100644 debian/himmelblau.manpages create mode 100644 debian/himmelblau.postinst create mode 100644 debian/himmelblau.prerm create mode 100644 debian/nss-himmelblau.install create mode 100644 debian/pam-himmelblau.install create mode 100644 debian/rules create mode 100644 debian/source/format create mode 100644 debian/source/include-binaries create mode 100644 debian/source/options create mode 100644 man/man1/aad-tool.1 create mode 100644 man/man8/himmelblaud.8 create mode 100644 man/man8/himmelblaud_tasks.8 create mode 100644 platform/debian/himmelblaud-tasks.service create mode 100644 platform/debian/himmelblaud.service diff --git a/.github/workflows/build_debian_source_package.yml b/.github/workflows/build_debian_source_package.yml new file mode 100644 index 0000000..a3ea059 --- /dev/null +++ b/.github/workflows/build_debian_source_package.yml 
@@ -0,0 +1,558 @@ +name: Build Himmelblau Debian source package + +on: + push: + branches: + - stable-0.4.x + +env: + SCCACHE_GHA_ENABLED: "true" + RUSTC_WRAPPER: "sccache" + +jobs: + build-source-package: + runs-on: ubuntu-latest + + steps: + - name: "[general] - Checkout repository" + uses: actions/checkout@v4 + with: + repository: himmelblau-idm/himmelblau + ref: debian_packaging + fetch-depth: 0 # Fetch all history including tags + + - name: Setup sccache + uses: mozilla/sccache-action@v0.0.4 + with: + version: "v0.4.2" + + - name: "[general] - Install build dependencies" + run: | + sudo apt update + sudo apt install -y \ + libpam0g-dev \ + libudev-dev \ + libssl-dev \ + tpm-udev \ + libtss2-dev \ + libcap-dev \ + libtalloc-dev \ + libtevent-dev \ + libldb-dev \ + libdhash-dev \ + libkrb5-dev \ + libpcre2-dev \ + autoconf \ + gettext \ + build-essential \ + cargo \ + git \ + quilt \ + make \ + gcc \ + libsqlite3-dev \ + lintian \ + patchelf \ + pkgconf \ + debhelper-compat \ + devscripts \ + libclang-14-dev + + - name: "[general] - Fetch submodules" + run: | + git submodule init && git submodule update + + - name: "[general] - Set debian revision" + id: set_revision + run: | + REVISION=1 + echo "REVISION=$REVISION" >> $GITHUB_ENV + + - name: "[general] - Fetch version from Git tags" + id: get_version + run: | + #VERSION=$(git describe --tags --abbrev=0) + VERSION=0.4.1 + FULL_VERSION="${VERSION}-${{ env.REVISION }}" + echo "VERSION=$VERSION" >> $GITHUB_ENV + echo "FULL_VERSION=$FULL_VERSION" >> $GITHUB_ENV + + - name: "[general] - Fetch previous version from Git tags" + id: get_prev_version + run: | + PREVIOUS_VERSION=$(git describe --tags --abbrev=0 "${{ env.VERSION }}"^) + echo "PREVIOUS_VERSION=$PREVIOUS_VERSION" >> $GITHUB_ENV + + - name: "[general] - Fetch timestamp from latest commit" + id: get_timestamp + run: | + LATEST_COMMIT_TIMESTAMP=$(git log -1 --format=%ct) + echo "LATEST_COMMIT_TIMESTAMP=$LATEST_COMMIT_TIMESTAMP" >> $GITHUB_ENV + + - name: 
'[general] - Generate changelog' + run: | + mkdir -p ../tmp/debian + # Configuration + MAIN_PACKAGE_NAME="himmelblau" + DISTRIBUTION="noble" + URGENCY="low" + MAINTAINER_NAME="David Mulder" + MAINTAINER_EMAIL="dmulder@suse.com" + + echo "Previous version: ${{ env.PREVIOUS_VERSION }}" + echo "Full version: ${{ env.FULL_VERSION }}" + echo "Version: ${{ env.VERSION }}" + + # Output Debian changelog headers + echo "$MAIN_PACKAGE_NAME (${{ env.FULL_VERSION }}) $DISTRIBUTION; urgency=$URGENCY" > ../tmp/debian/changelog + git log --pretty=format:" * %s" "${{ env.PREVIOUS_VERSION }}".."${{ env.VERSION }}" | fold -s -w 72 | awk 'BEGIN {ORS=""; first=1} /^ \*/ {if (!first) print "\n"; first=0; print; next} {print "\n "$0} END {print "\n"}' >> ../tmp/debian/changelog + echo " -- $MAINTAINER_NAME <$MAINTAINER_EMAIL> $(date -R)" >> ../tmp/debian/changelog + echo Generated file content: + cat ../tmp/debian/changelog + + - name: "[general] - Rename source directory" + run: | + cd .. + mv himmelblau himmelblau-${{ env.VERSION }} + ln -s himmelblau-${{ env.VERSION }} himmelblau # Create symlink to maintain CWD consistency + cd himmelblau-${{ env.VERSION }} + + - name: '[general] - Remove .git directory' + run: | + rm -rf .git + + - name: '[general] - Remove .github directory' + run: | + rm -rf .github + + - name: '[general] - Save original source' + run: | + cd .. 
+ tar --mtime=@${{ env.LATEST_COMMIT_TIMESTAMP }} -cJf himmelblau_${{ env.VERSION }}.orig.tar.xz himmelblau-${{ env.VERSION }} + + - name: '[general] - Set up Quilt' + run: | + mkdir -p debian/patches + cat < ~/.quiltrc + d=.pc + if [ -e debian/source/format ] && grep -q "3.0 (quilt)" debian/source/format; then + quilt_patchdir="debian/patches" + quilt_patches="debian/patches" + fi + EOL + + - name: '[patch] - Delete js files from kanidm' + run: | + cd ../himmelblau-${{ env.VERSION }} + + export QUILT_PATCHES=debian/patches + export QUILT_PATCHDIR=debian/patches + + quilt new delete-js-files.patch + quilt add src/kanidm/book/mermaid.min.js + quilt add src/kanidm/server/web_ui/pkg/external/bootstrap.bundle.min.js + quilt add src/kanidm/server/web_ui/pkg/external/confetti.js + quilt add src/kanidm/server/web_ui/pkg/external/viz.js + quilt add src/kanidm/server/web_ui/shared/static/external/bootstrap.bundle.min.js + quilt add src/kanidm/server/web_ui/shared/static/external/confetti.js + quilt add src/kanidm/server/web_ui/shared/static/external/viz.js + rm -f src/kanidm/book/mermaid.min.js + rm -f src/kanidm/server/web_ui/pkg/external/bootstrap.bundle.min.js + rm -f src/kanidm/server/web_ui/pkg/external/confetti.js + rm -f src/kanidm/server/web_ui/pkg/external/viz.js + rm -f src/kanidm/server/web_ui/shared/static/external/bootstrap.bundle.min.js + rm -f src/kanidm/server/web_ui/shared/static/external/confetti.js + rm -f src/kanidm/server/web_ui/shared/static/external/viz.js + quilt refresh + # Avoid adding the patch to the series file multiple times + if ! 
grep -q "delete-js-files.patch" debian/patches/series; then + echo "delete-js-files.patch" >> debian/patches/series + fi + + - name: '[patch] - vendor crates' + run: | + export QUILT_PATCHES=debian/patches + export QUILT_PATCHDIR=debian/patches + mkdir .cargo + quilt new vendor-crates.patch + quilt add Cargo.lock + quilt add .cargo/config.toml + + cargo generate-lockfile + cargo install cargo-vendor + cargo vendor > .cargo/config.toml + cargo clean --offline + cat .cargo/config.toml + tar --mtime=@${{ env.LATEST_COMMIT_TIMESTAMP }} -cJf vendor.tar.xz vendor + rm -rf vendor + + quilt refresh + # Avoid adding the patch to the series file multiple times + if ! grep -q "vendor-crates.patch" debian/patches/series; then + echo "vendor-crates.patch" >> debian/patches/series + fi + + - name: '[general] - Move changelogs' + run: | + mv ../tmp/debian/changelog debian/ + rm -R -f ../tmp + + - name: '[general] - Create control file' + run: | + # Hardcoded values for the main package + MAIN_PACKAGE_NAME="himmelblau" + MAIN_PACKAGE_ARCHITECTURE="amd64" + MAIN_PACKAGE_MAINTAINER="David Mulder " + MAIN_PACKAGE_DESCRIPTION="Interoperability suite for Microsoft Azure AD and Intune" + MAIN_PACKAGE_DESCRIPTION_LONG=$(cat <<-EOF + Himmelblau is an interoperability suite for Microsoft Azure Entra ID and + Intune, which allows users to sign into a Linux machine using Azure + Entra ID credentials. 
+ EOF + ) + MAIN_PACKAGE_DEPENDS="libsqlite3-dev, libssl-dev, libpam0g-dev" + MAIN_PACKAGE_RECOMMENDS="pam-himmelblau (>= ${{ env.FULL_VERSION }}), nss-himmelblau (>= ${{ env.FULL_VERSION }})" + + # Hardcoded values for the PAM package + PAM_PACKAGE_NAME="pam-himmelblau" + PAM_PACKAGE_ARCHITECTURE="amd64" + PAM_PACKAGE_MAINTAINER="David Mulder " + PAM_PACKAGE_DESCRIPTION="PAM module for Himmelblau" + PAM_PACKAGE_DEPENDS="libpam0g, himmelblau (>= ${{ env.FULL_VERSION }})" + + # Hardcoded values for the NSS package + NSS_PACKAGE_NAME="nss-himmelblau" + NSS_PACKAGE_ARCHITECTURE="amd64" + NSS_PACKAGE_MAINTAINER="David Mulder " + NSS_PACKAGE_DESCRIPTION="NSS module for Himmelblau" + NSS_PACKAGE_DEPENDS="himmelblau (>= ${{ env.FULL_VERSION }})" + + # Output the control file contents + cat << EOF > debian/control + Source: $MAIN_PACKAGE_NAME + Section: misc + Priority: optional + Maintainer: $MAIN_PACKAGE_MAINTAINER + Build-Depends: debhelper-compat (= 13), quilt, rustc, cargo, patchelf, libssl-dev, pkg-config, devscripts, libpcre2-dev, libcap-dev, libtalloc-dev, libtevent-dev, libldb-dev, libkrb5-dev, libpcre2-dev, libpam0g-dev, libudev-dev, libtss2-dev, libdhash-dev, libclang-14-dev, autoconf, gettext, libsqlite3-dev, pkgconf + Standards-Version: 3.9.6 + Homepage: https://github.com/himmelblau-idm/himmelblau + Vcs-Git: https://github.com/himmelblau-idm/himmelblau.git + Vcs-Browser: https://github.com/himmelblau-idm/himmelblau + + Package: $MAIN_PACKAGE_NAME + Architecture: $MAIN_PACKAGE_ARCHITECTURE + Depends: \${shlibs:Depends}, \${misc:Depends}, $MAIN_PACKAGE_DEPENDS + Recommends: $MAIN_PACKAGE_RECOMMENDS + Description: $MAIN_PACKAGE_DESCRIPTION + $MAIN_PACKAGE_DESCRIPTION_LONG + + Package: $PAM_PACKAGE_NAME + Architecture: $PAM_PACKAGE_ARCHITECTURE + Depends: \${shlibs:Depends}, \${misc:Depends}, $PAM_PACKAGE_DEPENDS + Description: $PAM_PACKAGE_DESCRIPTION + $MAIN_PACKAGE_DESCRIPTION_LONG + + Package: $NSS_PACKAGE_NAME + Architecture: $NSS_PACKAGE_ARCHITECTURE + 
Depends: \${shlibs:Depends}, \${misc:Depends}, $NSS_PACKAGE_DEPENDS + Description: $NSS_PACKAGE_DESCRIPTION + $MAIN_PACKAGE_DESCRIPTION_LONG + EOF + echo Generated file content: + cat debian/control + + - name: '[patch] - Prepare config file' + run: | + export QUILT_PATCHES=debian/patches + export QUILT_PATCHDIR=debian/patches + + quilt new add-config.patch + quilt add src/config/himmelblau.conf + cp src/config/himmelblau.conf.example src/config/himmelblau.conf + quilt refresh + echo Generated file content: + cat src/config/himmelblau.conf + # Avoid adding the patch to the series file multiple times + if ! grep -q "add-config.patch" debian/patches/series; then + echo "add-config.patch" >> debian/patches/series + fi + + - name: '[general] - Build debian source package' + run: | + cd ../himmelblau-${{ env.VERSION }} + rustup default stable + . $HOME/.cargo/env + export PATH="$HOME/.cargo/bin:$PATH" + export QUILT_PATCHES=debian/patches + export QUILT_PATCHDIR=debian/patches + rustc --version + cargo --version + ls -laR debian/patches + echo "Series content:" + cat debian/patches/series + echo "Undoing all patches" + quilt pop -a || true + echo "Series content:" + cat debian/patches/series + echo "Building" + dpkg-buildpackage -S -us -uc + + - name: '[general] - Move source package into new directory' + run: | + mkdir package-source + mv ../himmelblau_${{ env.FULL_VERSION }}.dsc package-source/ + mv ../himmelblau_${{ env.FULL_VERSION }}.debian.tar.xz package-source/ + mv ../himmelblau_${{ env.VERSION }}.orig.tar.xz package-source/ + mv ../himmelblau_${{ env.FULL_VERSION }}_source.buildinfo package-source/ + mv ../himmelblau_${{ env.FULL_VERSION }}_source.changes package-source/ + + - name: '[debug] - List source package files' + run: | + ls -la package-source + + - name: '[general] - Check source package' + run: | + set -e + echo "Lintian:" + lintian --fail-on error package-source/himmelblau_${{ env.FULL_VERSION }}.dsc + continue-on-error: false + + - name: '[general] 
- Upload Debian source package artifacts' + uses: actions/upload-artifact@v4 + with: + name: source-package-artifact + path: package-source/ + + build-binary-packages: + runs-on: ubuntu-latest + environment: debian_packaging_environment + needs: build-source-package + steps: + + - name: Setup sccache + uses: mozilla/sccache-action@v0.0.4 + with: + version: "v0.4.2" + + - name: "[general] - Install build dependencies" + run: | + sudo apt update + sudo apt install -y \ + libpam0g-dev \ + libudev-dev \ + libssl-dev \ + tpm-udev \ + libtss2-dev \ + libcap-dev \ + libtalloc-dev \ + libtevent-dev \ + libldb-dev \ + libdhash-dev \ + libkrb5-dev \ + libpcre2-dev \ + libclang-14-dev \ + autoconf \ + gettext \ + build-essential \ + cargo \ + git \ + quilt \ + make \ + gcc \ + libsqlite3-dev \ + lintian \ + patchelf \ + pkgconf \ + debhelper-compat \ + devscripts + + - name: '[general] - Download Debian source package artifacts' + uses: actions/download-artifact@v4 + with: + name: source-package-artifact + path: package-source/ + + - name: '[general] - Unpack source package' + run: | + cd package-source + DSC_FILE=$(ls *.dsc | head -n 1) + # Extract the source package + dpkg-source -x "$DSC_FILE" + + - name: "[general] - Fetch version from unpacked source package" + id: get_version + run: | + cd package-source + # Find the unpacked source directory + SRC_DIR=$(ls -d */ | grep -v debian | head -n 1) + cd "$SRC_DIR" + # Extract the version + FULL_VERSION=$(dpkg-parsechangelog --show-field Version) + echo "FULL_VERSION=$FULL_VERSION" >> $GITHUB_ENV + VERSION=${FULL_VERSION%%-*} + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: '[general] - Build binary packages' + run: | + rustup default stable + . 
$HOME/.cargo/env + export PATH="$HOME/.cargo/bin:$PATH" + rustc --version + cargo --version + cd package-source + # Find the unpacked source directory + SRC_DIR=$(ls -d */ | grep -v debian | head -n 1) + cd "$SRC_DIR" + dpkg-buildpackage -us -uc + + - name: '[debug] - List built binary packages' + run: | + ls -la package-source + + - name: '[general] - Move packages into new directory' + run: | + mkdir debian-packages + mv package-source/himmelblau_${{ env.FULL_VERSION }}_amd64.deb debian-packages/ + mv package-source/pam-himmelblau_${{ env.FULL_VERSION }}_amd64.deb debian-packages/ + mv package-source/nss-himmelblau_${{ env.FULL_VERSION }}_amd64.deb debian-packages/ + + - name: '[himmelblau] - Check Debian package' + run: | + PACKAGE_NAME="debian-packages/himmelblau_${{ env.FULL_VERSION }}_amd64.deb" + echo "Listing package contents for: $PACKAGE_NAME" + dpkg -c $PACKAGE_NAME + echo "-----------------------------" + echo "Package Information:" + dpkg-deb --info $PACKAGE_NAME + echo "-----------------------------" + echo "Lintian:" + set -e + lintian --fail-on error $PACKAGE_NAME + continue-on-error: false + + - name: '[pam-himmelblau] - Check Debian package' + run: | + PACKAGE_NAME="debian-packages/pam-himmelblau_${{ env.FULL_VERSION }}_amd64.deb" + echo "Listing package contents for: $PACKAGE_NAME" + dpkg -c $PACKAGE_NAME + echo "-----------------------------" + echo "Package Information:" + dpkg-deb --info $PACKAGE_NAME + echo "-----------------------------" + echo "Lintian:" + set -e + lintian --fail-on error $PACKAGE_NAME + continue-on-error: false + + - name: '[nss-himmelblau] - Check Debian package' + run: | + PACKAGE_NAME="debian-packages/nss-himmelblau_${{ env.FULL_VERSION }}_amd64.deb" + echo "Listing package contents for: $PACKAGE_NAME" + dpkg -c $PACKAGE_NAME + echo "-----------------------------" + echo "Package Information:" + dpkg-deb --info $PACKAGE_NAME + echo "-----------------------------" + echo "Lintian:" + set -e + lintian --fail-on error 
$PACKAGE_NAME + continue-on-error: false + + - name: '[general] - Upload Debian package artifacts' + uses: actions/upload-artifact@v4 + with: + name: packages-artifact + path: debian-packages/ + + upload-source-package-to-ppa: + runs-on: ubuntu-latest + environment: debian_packaging_environment + needs: build-binary-packages + steps: + - name: '[general] - Install dependencies' + run: sudo apt-get update && sudo apt-get install -y dpkg-sig dput-ng debhelper devscripts build-essential + + - name: '[general] - Download Debian source package artifacts' + uses: actions/download-artifact@v4 + with: + name: source-package-artifact + path: package-source/ + + - name: '[general] - Set up GPG' + run: | + mkdir -p ~/.gnupg + chmod 700 ~/.gnupg + echo "use-agent" > ~/.gnupg/gpg.conf + + # Import the GPG key + echo "$GPG_KEY" | gpg --batch --import + + # Create a trust file + echo -e "5\ny\n" | gpg --batch --yes --pinentry-mode loopback --command-fd 0 --edit-key $GPG_EMAIL trust + env: + GPG_KEY: ${{ secrets.GPG_KEY }} + GPG_EMAIL: ${{ secrets.GPG_EMAIL }} + + - name: '[general] - Sign the package' + run: | + set -e + export GPG_TTY=$(tty) + + # Extract the GPG Key Fingerprint + GPG_KEY_FINGERPRINT=$(gpg --list-secret-keys --with-colons --fingerprint | awk -F: '/^fpr/{print $10; exit}') + echo "GPG Key Fingerprint: $GPG_KEY_FINGERPRINT" + + # Change directory to package-source + cd package-source + + # Manually clearsign the .dsc file using gpg + DSC_FILE=$(ls *.dsc | head -n 1) + if [ -f "$DSC_FILE" ]; then + echo "Signing .dsc file: $DSC_FILE" + gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --default-key ${GPG_KEY_FINGERPRINT} --clearsign --output "${DSC_FILE}.asc" "$DSC_FILE" + if [ $? -ne 0 ]; then + echo "Error: Failed to clearsign the .dsc file." + exit 1 + fi + mv "${DSC_FILE}.asc" "$DSC_FILE" + else + echo "Error: No .dsc file found." 
+ exit 1 + fi + echo "signed dsc file content:" + cat "$DSC_FILE" + # Sign the .changes file using dpkg-sig + CHANGES_FILE=$(ls *_source.changes | head -n 1) + + # Recalculate checksums + debsign -k${GPG_KEY_FINGERPRINT} "$CHANGES_FILE" + + if [ -f "$CHANGES_FILE" ]; then + echo "Signing .changes file: $CHANGES_FILE" + dpkg-sig --sign builder -k ${GPG_KEY_FINGERPRINT} "$CHANGES_FILE" + else + echo "Error: No .changes file found." + exit 1 + fi + env: + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + + - name: '[general] - Upload to PPA' + run: | + cd package-source + dput ppa:${LAUNCHPAD_USERNAME}/${LAUNCHPAD_PPA} ./*_source.changes + if [ $? -ne 0 ]; then + echo "Error: dput failed." + exit 1 + else + echo "Upload completed successfully." + fi + env: + LAUNCHPAD_USERNAME: ${{ secrets.LAUNCHPAD_USERNAME }} + LAUNCHPAD_PPA: ${{ secrets.LAUNCHPAD_PPA }} + + - name: '[general] - Upload Signed Debian source package artifacts' + uses: actions/upload-artifact@v4 + with: + name: signed-source-package-artifact + path: package-source/ diff --git a/.github/workflows/build_debian_source_package_strict.yml b/.github/workflows/build_debian_source_package_strict.yml new file mode 100644 index 0000000..d1ff9e7 --- /dev/null +++ b/.github/workflows/build_debian_source_package_strict.yml 
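Review bot: In the '[general] - Sign the package' step the key passphrase is passed as `--passphrase "$GPG_PASSPHRASE"` on the gpg command line, where it is visible in the runner's process table for the duration of the call; feed it on stdin instead, e.g. `printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --default-key "$GPG_KEY_FINGERPRINT" --clearsign --output "${DSC_FILE}.asc" "$DSC_FILE"`. The `if [ $? -ne 0 ]` checks after that gpg call and after `dput` are unreachable, because GitHub runs `run:` steps with `bash -e` by default (and the signing step also sets `set -e`), so the step has already exited before they are evaluated. The signing sequence also appears to overlap itself: `debsign -k… "$CHANGES_FILE"` already signs both the .changes and the .dsc, and `dpkg-sig` is a signer for .deb archives, so applying it to the .changes file looks like either a no-op or a failure — confirm and keep one path. Third-party actions (`actions/checkout@v4`, `mozilla/sccache-action@v0.0.4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`) are pinned to mutable tags rather than commit SHAs, and the checkout builds the fixed `ref: debian_packaging` instead of the pushed commit, so a push to `stable-0.4.x` does not build what was pushed; the same applies to the strict workflow in the next hunk.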
@@ -0,0 +1,472 @@ +name: Build Himmelblau Debian source package strict + +on: + push: + branches: + - stable-0.4.x + - debian_packaging + +env: + SCCACHE_GHA_ENABLED: "true" + RUSTC_WRAPPER: "sccache" + +jobs: + build-source-package: + runs-on: ubuntu-latest + + steps: + - name: "[general] - Checkout repository" + uses: actions/checkout@v4 + with: + repository: himmelblau-idm/himmelblau + ref: debian_packaging + fetch-depth: 0 # Fetch all history including tags + + - name: Setup sccache + uses: mozilla/sccache-action@v0.0.4 + with: + version: "v0.4.2" + + - name: "[general] - Install build dependencies" + run: | + sudo apt update + sudo apt install -y \ + libpam0g-dev \ + libudev-dev \ + libssl-dev \ + tpm-udev \ + libtss2-dev \ + libcap-dev \ + libtalloc-dev \ + libtevent-dev \ + libldb-dev \ + libdhash-dev \ + libkrb5-dev \ + libpcre2-dev \ + autoconf \ + gettext \ + build-essential \ + cargo \ + git \ + quilt \ + make \ + gcc \ + libsqlite3-dev \ + lintian \ + patchelf \ + pkgconf \ + debhelper-compat \ + devscripts \ + libclang-14-dev + + - name: "[general] - Fetch submodules" + run: | + git submodule init && git submodule update + + - name: "[general] - Set debian revision" + id: set_revision + run: | + REVISION=1 + echo "REVISION=$REVISION" >> $GITHUB_ENV + + - name: "[general] - Fetch version from Git tags" + id: get_version + run: | + #VERSION=$(git describe --tags --abbrev=0) + VERSION=0.4.1 + FULL_VERSION="${VERSION}-${{ env.REVISION }}" + echo "VERSION=$VERSION" >> $GITHUB_ENV + echo "FULL_VERSION=$FULL_VERSION" >> $GITHUB_ENV + + - name: "[general] - Fetch previous version from Git tags" + id: get_prev_version + run: | + PREVIOUS_VERSION=$(git describe --tags --abbrev=0 "${{ env.VERSION }}"^) + echo "PREVIOUS_VERSION=$PREVIOUS_VERSION" >> $GITHUB_ENV + + - name: "[general] - Fetch timestamp from latest commit" + id: get_timestamp + run: | + LATEST_COMMIT_TIMESTAMP=$(git log -1 --format=%ct) + echo "LATEST_COMMIT_TIMESTAMP=$LATEST_COMMIT_TIMESTAMP" >> 
$GITHUB_ENV + + - name: '[general] - Generate changelog' + run: | + mkdir -p ../tmp/debian + # Configuration + MAIN_PACKAGE_NAME="himmelblau" + DISTRIBUTION="noble" + URGENCY="low" + MAINTAINER_NAME="David Mulder" + MAINTAINER_EMAIL="dmulder@suse.com" + + echo "Previous version: ${{ env.PREVIOUS_VERSION }}" + echo "Full version: ${{ env.FULL_VERSION }}" + echo "Version: ${{ env.VERSION }}" + + # Output Debian changelog headers + echo "$MAIN_PACKAGE_NAME (${{ env.FULL_VERSION }}) $DISTRIBUTION; urgency=$URGENCY" > ../tmp/debian/changelog + git log --pretty=format:" * %s" "${{ env.PREVIOUS_VERSION }}".."${{ env.VERSION }}" | fold -s -w 72 | awk 'BEGIN {ORS=""; first=1} /^ \*/ {if (!first) print "\n"; first=0; print; next} {print "\n "$0} END {print "\n"}' >> ../tmp/debian/changelog + echo " -- $MAINTAINER_NAME <$MAINTAINER_EMAIL> $(date -R)" >> ../tmp/debian/changelog + echo Generated file content: + cat ../tmp/debian/changelog + + - name: "[general] - Rename source directory" + run: | + cd .. + mv himmelblau himmelblau-${{ env.VERSION }} + ln -s himmelblau-${{ env.VERSION }} himmelblau # Create symlink to maintain CWD consistency + cd himmelblau-${{ env.VERSION }} + + - name: '[general] - Remove .git directory' + run: | + rm -rf .git + + - name: '[general] - Remove .github directory' + run: | + rm -rf .github + + - name: '[general] - Save original source' + run: | + cd .. 
+ tar --mtime=@${{ env.LATEST_COMMIT_TIMESTAMP }} -cJf himmelblau_${{ env.VERSION }}.orig.tar.xz himmelblau-${{ env.VERSION }} + + - name: '[general] - Set up Quilt' + run: | + mkdir -p debian/patches + cat < ~/.quiltrc + d=.pc + if [ -e debian/source/format ] && grep -q "3.0 (quilt)" debian/source/format; then + quilt_patchdir="debian/patches" + quilt_patches="debian/patches" + fi + EOL + + - name: '[patch] - Delete js files from kanidm' + run: | + cd ../himmelblau-${{ env.VERSION }} + + export QUILT_PATCHES=debian/patches + export QUILT_PATCHDIR=debian/patches + + quilt new delete-js-files.patch + quilt add src/kanidm/book/mermaid.min.js + quilt add src/kanidm/server/web_ui/pkg/external/bootstrap.bundle.min.js + quilt add src/kanidm/server/web_ui/pkg/external/confetti.js + quilt add src/kanidm/server/web_ui/pkg/external/viz.js + quilt add src/kanidm/server/web_ui/shared/static/external/bootstrap.bundle.min.js + quilt add src/kanidm/server/web_ui/shared/static/external/confetti.js + quilt add src/kanidm/server/web_ui/shared/static/external/viz.js + rm -f src/kanidm/book/mermaid.min.js + rm -f src/kanidm/server/web_ui/pkg/external/bootstrap.bundle.min.js + rm -f src/kanidm/server/web_ui/pkg/external/confetti.js + rm -f src/kanidm/server/web_ui/pkg/external/viz.js + rm -f src/kanidm/server/web_ui/shared/static/external/bootstrap.bundle.min.js + rm -f src/kanidm/server/web_ui/shared/static/external/confetti.js + rm -f src/kanidm/server/web_ui/shared/static/external/viz.js + quilt refresh + # Avoid adding the patch to the series file multiple times + if ! 
grep -q "delete-js-files.patch" debian/patches/series; then + echo "delete-js-files.patch" >> debian/patches/series + fi + + - name: '[patch] - vendor crates' + run: | + export QUILT_PATCHES=debian/patches + export QUILT_PATCHDIR=debian/patches + mkdir .cargo + quilt new vendor-crates.patch + quilt add Cargo.lock + quilt add .cargo/config.toml + + cargo generate-lockfile + cargo install cargo-vendor + cargo vendor > .cargo/config.toml + cargo clean --offline + cat .cargo/config.toml + tar --mtime=@${{ env.LATEST_COMMIT_TIMESTAMP }} -cJf vendor.tar.xz vendor + rm -rf vendor + + quilt refresh + # Avoid adding the patch to the series file multiple times + if ! grep -q "vendor-crates.patch" debian/patches/series; then + echo "vendor-crates.patch" >> debian/patches/series + fi + + - name: '[general] - Move changelogs' + run: | + mv ../tmp/debian/changelog debian/ + rm -R -f ../tmp + + - name: '[general] - Create control file' + run: | + # Hardcoded values for the main package + MAIN_PACKAGE_NAME="himmelblau" + MAIN_PACKAGE_ARCHITECTURE="amd64" + MAIN_PACKAGE_MAINTAINER="David Mulder " + MAIN_PACKAGE_DESCRIPTION="Interoperability suite for Microsoft Azure AD and Intune" + MAIN_PACKAGE_DESCRIPTION_LONG=$(cat <<-EOF + Himmelblau is an interoperability suite for Microsoft Azure Entra ID and + Intune, which allows users to sign into a Linux machine using Azure + Entra ID credentials. 
+ EOF + ) + MAIN_PACKAGE_DEPENDS="libsqlite3-dev, libssl-dev, libpam0g-dev" + MAIN_PACKAGE_RECOMMENDS="pam-himmelblau (>= ${{ env.FULL_VERSION }}), nss-himmelblau (>= ${{ env.FULL_VERSION }})" + + # Hardcoded values for the PAM package + PAM_PACKAGE_NAME="pam-himmelblau" + PAM_PACKAGE_ARCHITECTURE="amd64" + PAM_PACKAGE_MAINTAINER="David Mulder " + PAM_PACKAGE_DESCRIPTION="PAM module for Himmelblau" + PAM_PACKAGE_DEPENDS="libpam0g, himmelblau (>= ${{ env.FULL_VERSION }})" + + # Hardcoded values for the NSS package + NSS_PACKAGE_NAME="nss-himmelblau" + NSS_PACKAGE_ARCHITECTURE="amd64" + NSS_PACKAGE_MAINTAINER="David Mulder " + NSS_PACKAGE_DESCRIPTION="NSS module for Himmelblau" + NSS_PACKAGE_DEPENDS="himmelblau (>= ${{ env.FULL_VERSION }})" + + # Output the control file contents + cat << EOF > debian/control + Source: $MAIN_PACKAGE_NAME + Section: misc + Priority: optional + Maintainer: $MAIN_PACKAGE_MAINTAINER + Build-Depends: debhelper-compat (= 13), quilt, rustc, cargo, patchelf, libssl-dev, pkg-config, devscripts, libpcre2-dev, libcap-dev, libtalloc-dev, libtevent-dev, libldb-dev, libkrb5-dev, libpcre2-dev, libpam0g-dev, libudev-dev, libtss2-dev, libdhash-dev, libclang-14-dev, autoconf, gettext, libsqlite3-dev, pkgconf + Standards-Version: 3.9.6 + Homepage: https://github.com/himmelblau-idm/himmelblau + Vcs-Git: https://github.com/himmelblau-idm/himmelblau.git + Vcs-Browser: https://github.com/himmelblau-idm/himmelblau + + Package: $MAIN_PACKAGE_NAME + Architecture: $MAIN_PACKAGE_ARCHITECTURE + Depends: \${shlibs:Depends}, \${misc:Depends}, $MAIN_PACKAGE_DEPENDS + Recommends: $MAIN_PACKAGE_RECOMMENDS + Description: $MAIN_PACKAGE_DESCRIPTION + $MAIN_PACKAGE_DESCRIPTION_LONG + + Package: $PAM_PACKAGE_NAME + Architecture: $PAM_PACKAGE_ARCHITECTURE + Depends: \${shlibs:Depends}, \${misc:Depends}, $PAM_PACKAGE_DEPENDS + Description: $PAM_PACKAGE_DESCRIPTION + $MAIN_PACKAGE_DESCRIPTION_LONG + + Package: $NSS_PACKAGE_NAME + Architecture: $NSS_PACKAGE_ARCHITECTURE + 
Depends: \${shlibs:Depends}, \${misc:Depends}, $NSS_PACKAGE_DEPENDS + Description: $NSS_PACKAGE_DESCRIPTION + $MAIN_PACKAGE_DESCRIPTION_LONG + EOF + echo Generated file content: + cat debian/control + + - name: '[patch] - Prepare config file' + run: | + export QUILT_PATCHES=debian/patches + export QUILT_PATCHDIR=debian/patches + + quilt new add-config.patch + quilt add src/config/himmelblau.conf + cp src/config/himmelblau.conf.example src/config/himmelblau.conf + quilt refresh + echo Generated file content: + cat src/config/himmelblau.conf + # Avoid adding the patch to the series file multiple times + if ! grep -q "add-config.patch" debian/patches/series; then + echo "add-config.patch" >> debian/patches/series + fi + + - name: '[general] - Build debian source package' + run: | + cd ../himmelblau-${{ env.VERSION }} + rustup default stable + . $HOME/.cargo/env + export PATH="$HOME/.cargo/bin:$PATH" + export QUILT_PATCHES=debian/patches + export QUILT_PATCHDIR=debian/patches + rustc --version + cargo --version + ls -laR debian/patches + echo "Series content:" + cat debian/patches/series + echo "Undoing all patches" + quilt pop -a || true + echo "Series content:" + cat debian/patches/series + echo "Building" + dpkg-buildpackage -S -us -uc + + - name: '[general] - Move source package into new directory' + run: | + mkdir package-source + mv ../himmelblau_${{ env.FULL_VERSION }}.dsc package-source/ + mv ../himmelblau_${{ env.FULL_VERSION }}.debian.tar.xz package-source/ + mv ../himmelblau_${{ env.VERSION }}.orig.tar.xz package-source/ + mv ../himmelblau_${{ env.FULL_VERSION }}_source.buildinfo package-source/ + mv ../himmelblau_${{ env.FULL_VERSION }}_source.changes package-source/ + + - name: '[debug] - List source package files' + run: | + ls -la package-source + + - name: '[general] - Check source package' + run: | + set -e + echo "Lintian:" + lintian --fail-on error package-source/himmelblau_${{ env.FULL_VERSION }}.dsc + continue-on-error: false + + - name: '[general] 
- Upload Debian source package artifacts'
+ uses: actions/upload-artifact@v4
+ with:
+ name: source-package-artifact
+ path: package-source/
+
+ build-binary-packages:
+ runs-on: ubuntu-latest
+ environment: debian_packaging_environment
+ needs: build-source-package
+ steps:
+
+ - name: Setup sccache
+ uses: mozilla/sccache-action@v0.0.4
+ with:
+ version: "v0.4.2"
+
+ - name: "[general] - Install pbuilder and dependencies"
+ run: |
+ sudo apt update
+ sudo apt install -y \
+ sbuild \
+ schroot \
+ debootstrap \
+ devscripts \
+ debhelper \
+ wget \
+ git \
+ fakeroot
+
+ - name: '[general] - Download Debian source package artifacts'
+ uses: actions/download-artifact@v4
+ with:
+ name: source-package-artifact
+ path: package-source/
+
+ - name: '[general] - Unpack source package'
+ run: |
+ cd package-source
+ DSC_FILE=$(ls *.dsc | head -n 1)
+ # Extract the source package
+ dpkg-source -x "$DSC_FILE"
+
+ - name: "[general] - Fetch version from unpacked source package"
+ id: get_version
+ run: |
+ cd package-source
+ # Find the unpacked source directory
+ SRC_DIR=$(ls -d */ | grep -v debian | head -n 1)
+ cd "$SRC_DIR"
+ # Extract the version
+ FULL_VERSION=$(dpkg-parsechangelog --show-field Version)
+ echo "FULL_VERSION=$FULL_VERSION" >> $GITHUB_ENV
+ VERSION=${FULL_VERSION%%-*}
+ echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+ - name: '[general] - Configure and build with sbuild'
+ run: |
+ # Set up a minimal chroot environment
+ sudo sbuild-createchroot --include=eatmydata,ccache,gnupg focal /srv/chroot/focal http://archive.ubuntu.com/ubuntu/
+
+ # Ensure necessary filesystems are mounted
+ sudo mount --bind /dev /srv/chroot/focal/dev
+ sudo mount --bind /dev/pts /srv/chroot/focal/dev/pts
+ sudo mount --bind /proc /srv/chroot/focal/proc
+ sudo mount --bind /sys /srv/chroot/focal/sys
+
+ # Add the GitHub runner user to the sbuild group
+ sudo sbuild-adduser $USER
+
+ # Ensure the tmp directory is available and writable
+ sudo mkdir -p /srv/chroot/focal/tmp
+ sudo chmod 1777 /srv/chroot/focal/tmp
+
+ # Ensure the log directory is available and writable
+ sudo mkdir -p /srv/chroot/focal/var/log/sbuild
+ sudo chmod 1777 /srv/chroot/focal/var/log/sbuild
+
+ # Copy the source package into the build environment
+ sudo mkdir -p /srv/chroot/focal/build/package-source
+ sudo cp -r package-source/* /srv/chroot/focal/build/package-source/
+
+ # Build the package using sbuild
+ sudo sbuild -A -d focal /srv/chroot/focal/build/package-source/*.dsc
+
+ # Move the built packages back to the original folder
+ sudo cp /var/lib/sbuild/build/*.deb /home/runner/work/himmelblau/himmelblau/package-source/
+
+ # Unmount filesystems after the build
+ sudo umount /srv/chroot/focal/dev/pts
+ sudo umount /srv/chroot/focal/dev
+ sudo umount /srv/chroot/focal/proc
+ sudo umount /srv/chroot/focal/sys
+
+ - name: '[debug] - List built binary packages'
+ run: |
+ ls -la package-source
+
+ - name: '[general] - Move packages into new directory'
+ run: |
+ mkdir debian-packages
+ mv package-source/himmelblau_${{ env.FULL_VERSION }}_amd64.deb debian-packages/
+ mv package-source/pam-himmelblau_${{ env.FULL_VERSION }}_amd64.deb debian-packages/
+ mv package-source/nss-himmelblau_${{ env.FULL_VERSION }}_amd64.deb debian-packages/
+
+ - name: '[himmelblau] - Check Debian package'
+ run: |
+ PACKAGE_NAME="debian-packages/himmelblau_${{ env.FULL_VERSION }}_amd64.deb"
+ echo "Listing package contents for: $PACKAGE_NAME"
+ dpkg -c $PACKAGE_NAME
+ echo "-----------------------------"
+ echo "Package Information:"
+ dpkg-deb --info $PACKAGE_NAME
+ echo "-----------------------------"
+ echo "Lintian:"
+ set -e
+ lintian --fail-on error $PACKAGE_NAME
+ continue-on-error: false
+
+ - name: '[pam-himmelblau] - Check Debian package'
+ run: |
+ PACKAGE_NAME="debian-packages/pam-himmelblau_${{ env.FULL_VERSION }}_amd64.deb"
+ echo "Listing package contents for: $PACKAGE_NAME"
+ dpkg -c $PACKAGE_NAME
+ echo "-----------------------------"
+ echo "Package Information:"
+ dpkg-deb --info $PACKAGE_NAME
+ echo "-----------------------------"
+ echo "Lintian:"
+ set -e
+ lintian --fail-on error $PACKAGE_NAME
+ continue-on-error: false
+
+ - name: '[nss-himmelblau] - Check Debian package'
+ run: |
+ PACKAGE_NAME="debian-packages/nss-himmelblau_${{ env.FULL_VERSION }}_amd64.deb"
+ echo "Listing package contents for: $PACKAGE_NAME"
+ dpkg -c $PACKAGE_NAME
+ echo "-----------------------------"
+ echo "Package Information:"
+ dpkg-deb --info $PACKAGE_NAME
+ echo "-----------------------------"
+ echo "Lintian:"
+ set -e
+ lintian --fail-on error $PACKAGE_NAME
+ continue-on-error: false
+
+ - name: '[general] - Upload Debian package artifacts'
+ uses: actions/upload-artifact@v4
+ with:
+ name: packages-artifact
+ path: debian-packages/
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..1024966
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: himmelblau
+Source: https://github.com/openSUSE/himmelblau
+
+Files: *
+Copyright: 2024 David Mulder
+License: GPL-3+
+Comment:
+ Interoperability suite for Microsoft Azure AD and Intune.
+ Himmelblau is an interoperability suite for Microsoft Azure AD and
+ Intune, which allows users to sign into a Linux machine using Azure
+ Active Directory credentials. It relies on the Microsoft
+ Authentication Library to communicate with the Microsoft service.
+
+License: GPL-3+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ On Debian systems, the complete text of the GNU General Public License
+ can be found in `/usr/share/common-licenses/GPL-3`.
\ No newline at end of file
diff --git a/debian/himmelblau.install b/debian/himmelblau.install
new file mode 100644
index 0000000..e0d3bd9
--- /dev/null
+++ b/debian/himmelblau.install
@@ -0,0 +1,6 @@
+src/config/himmelblau.conf etc/himmelblau
+target/release/aad-tool usr/bin
+platform/debian/himmelblaud.service usr/lib/systemd/system
+platform/debian/himmelblaud-tasks.service usr/lib/systemd/system
+target/release/himmelblaud usr/sbin
+target/release/himmelblaud_tasks usr/sbin
\ No newline at end of file
diff --git a/debian/himmelblau.manpages b/debian/himmelblau.manpages
new file mode 100644
index 0000000..e289ba5
--- /dev/null
+++ b/debian/himmelblau.manpages
@@ -0,0 +1,3 @@
+man/man1/aad-tool.1
+man/man8/himmelblaud.8
+man/man8/himmelblaud_tasks.8
\ No newline at end of file
diff --git a/debian/himmelblau.postinst b/debian/himmelblau.postinst
new file mode 100644
index 0000000..e11eead
--- /dev/null
+++ b/debian/himmelblau.postinst
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+ configure)
+ deb-systemd-helper enable himmelblaud.service >/dev/null || true
+ deb-systemd-helper enable himmelblaud-tasks.service >/dev/null || true
+ deb-systemd-invoke start himmelblaud.service >/dev/null || true
+ deb-systemd-invoke start himmelblaud-tasks.service >/dev/null || true
+ ;;
+ upgrade|failed-upgrade|abort-install|abort-upgrade)
+ deb-systemd-invoke restart himmelblaud.service >/dev/null || true
+ deb-systemd-invoke restart himmelblaud-tasks.service >/dev/null || true
+ ;;
+esac
+
+exit 0
diff --git a/debian/himmelblau.prerm b/debian/himmelblau.prerm
new file mode 100644
index 0000000..34c506d
--- /dev/null
+++ b/debian/himmelblau.prerm
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+ remove|upgrade|deconfigure)
+ deb-systemd-invoke stop himmelblaud.service >/dev/null || true
+ deb-systemd-invoke stop himmelblaud-tasks.service >/dev/null || true
+ ;;
+esac
+
+exit 0
diff --git a/debian/nss-himmelblau.install b/debian/nss-himmelblau.install
new file mode 100644
index 0000000..adc74f8
--- /dev/null
+++ b/debian/nss-himmelblau.install
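Review bot: The configuration file is installed as `etc/himmelblau/himmelblau.conf` on the first line of himmelblau.install, while the himmelblaud.8 man page added by this same commit documents the default configuration path as `/etc/himmelblau/himmelblaud.conf`; one of the two names is wrong, and if the daemon opens the documented path a fresh install would presumably start without its shipped defaults. Either rename the installed file or correct the man page, and check the name against the path the daemon actually reads. Files placed under etc/ by an .install file are registered as dpkg conffiles automatically, so the shipped configuration will be preserved across upgrades, which is the right behaviour for an authentication daemon's settings.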
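Review bot: The second branch `upgrade|failed-upgrade|abort-install|abort-upgrade)` in himmelblau.postinst is mostly unreachable: dpkg invokes postinst with `configure`, `abort-upgrade`, `abort-remove` or `abort-deconfigure`, so on a normal upgrade only the `configure` branch runs, and `upgrade`, `failed-upgrade` and `abort-install` are prerm/preinst arguments that postinst never sees. The `#DEBHELPER#` token above it is also where dh_installsystemd injects its own enable/start/restart snippets for the units installed to usr/lib/systemd/system (assuming the `dh $@` sequence in debian/rules picks those units up), so the hand-written calls in both postinst and prerm duplicate the generated ones. Suggest dropping the manual `case` blocks and letting the generated snippets manage the service lifecycle; if the explicit calls are kept, reduce the second branch to `abort-upgrade)` so the script reflects what actually runs.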
@@ -0,0 +1 @@
+target/release/libnss_himmelblau.so.2 lib/x86_64-linux-gnu
\ No newline at end of file
diff --git a/debian/pam-himmelblau.install b/debian/pam-himmelblau.install
new file mode 100644
index 0000000..703bc67
--- /dev/null
+++ b/debian/pam-himmelblau.install
@@ -0,0 +1 @@
+target/release/pam_himmelblau.so lib/x86_64-linux-gnu/security
\ No newline at end of file
diff --git a/debian/rules b/debian/rules
new file mode 100644
index 0000000..8149cbd
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,37 @@
+#!/usr/bin/make -f
+
+# Check if local Rust environment is available
+ifneq (,$(wildcard $(HOME)/.cargo/env))
+RUST_ENV = . $(HOME)/.cargo/env && rustup default stable &&
+else
+RUST_ENV =
+endif
+
+export CARGO_HOME=$(CURDIR)
+export CARGO_TARGET_DIR=$(CURDIR)/target
+
+%:
+ dh $@
+
+override_dh_auto_clean:
+ $(RUST_ENV) export CARGO_HOME=$(CARGO_HOME) && export CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) && cargo clean --offline
+
+override_dh_auto_build:
+ # Ensure the necessary development package is installed
+ # Extract the vendor dependencies
+ tar -xf vendor.tar.xz
+ # Build the project with the appropriate flags
+ $(RUST_ENV) export CARGO_HOME=$(CARGO_HOME) && export CARGO_TARGET_DIR=$(CARGO_TARGET_DIR) && \
+ cargo build --release --frozen
+ # Strip unnecessary symbols from the binaries
+ strip --strip-unneeded target/release/himmelblaud
+ strip --strip-unneeded target/release/himmelblaud_tasks
+ # Copy and set the soname for shared libraries
+ cp target/release/libnss_himmelblau.so target/release/libnss_himmelblau.so.2
+ cp target/release/libpam_himmelblau.so target/release/pam_himmelblau.so
+ patchelf --set-soname libnss_himmelblau.so.2 target/release/libnss_himmelblau.so.2
+ strip --strip-unneeded target/release/libnss_himmelblau.so.2
+ strip --strip-unneeded target/release/libpam_himmelblau.so
+
+override_dh_auto_test:
+ # Skip tests
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..46ebe02
--- /dev/null
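Review bot: `RUST_ENV = . $(HOME)/.cargo/env && rustup default stable &&` in debian/rules changes the building user's global default toolchain as a side effect of a package build and ties the result to whatever `stable` resolves to on the build day; `rustup run stable cargo build ...` or a pinned toolchain file gives the same effect without mutating the builder's environment. The manual `strip --strip-unneeded` calls are redundant with dh_strip, which the `dh $@` sequence already runs on the installed files, and they throw away the debug information dh_strip would otherwise split into a dbgsym package; note also that `libpam_himmelblau.so` is stripped only after it was copied to `pam_himmelblau.so`, so the copy that pam-himmelblau.install actually ships is the one this recipe never touches. `override_dh_auto_test:` disables the test suite with only `# Skip tests` as explanation; if the tests cannot run inside the build chroot, a comment naming the reason would help the next maintainer, otherwise `cargo test --release --frozen` belongs there.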
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
\ No newline at end of file
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..0322eb1
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+vendor.tar.xz
\ No newline at end of file
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000..0227b0a
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1 @@
+compression = "xz"
\ No newline at end of file
diff --git a/man/man1/aad-tool.1 b/man/man1/aad-tool.1
new file mode 100644
index 0000000..2b689ff
--- /dev/null
+++ b/man/man1/aad-tool.1
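Review bot: Listing `vendor.tar.xz` in include-binaries ships the whole crate dependency tree as an opaque archive inside the source package, so a reviewer of the .dsc cannot see which crate versions are built or compare them with Cargo.lock without unpacking it first. Record how the tarball is produced (presumably `cargo vendor` run against the locked Cargo.lock at the tagged commit) in debian/README.source or a dedicated rules target, so it can be regenerated and diffed before each upload; `cargo build --frozen` in debian/rules should at least refuse to build if the vendored sources and the lockfile disagree.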
@@ -0,0 +1,54 @@
+.TH AAD-TOOL "1" "September 2024" "Himmelblau 0.5.0" "User Commands"
+.SH NAME
+aad-tool \- Azure Entra ID (AAD) management utility for Himmelblau
+.SH SYNOPSIS
+.B aad-tool
+\fI\fR [OPTIONS]
+.SH DESCRIPTION
+The `aad-tool` utility is part of the Himmelblau project, designed to manage and interact with Azure Entra ID through various commands. It allows you to test authentication, manage caches, and check the status of services related to the `himmelblaud` resolver.
+
+.SS Commands:
+.TP
+.B auth-test
+Test user authentication via the `himmelblaud` resolver using the PAM channel. This does not validate your PAM configuration but ensures that `himmelblaud` is correctly processing and verifying user authentications.
+
+.TP
+.B cache-clear
+Clear all entries in the `himmelblaud` resolver cache. This operation removes cached user and group data. Use `cache-invalidate` for safer cache management without erasing data.
+
+.TP
+.B cache-invalidate
+Invalidate the `himmelblaud` resolver cache without erasing entries. This forces the `himmelblaud` daemon to refresh all cached user and group data. If offline, the cache remains available and will refresh automatically when back online.
+
+.TP
+.B status
+Check if the `himmelblaud` daemon is online and properly connected to the Himmelblau service.
+
+.TP
+.B version
+Display the version of the `aad-tool`.
+
+.TP
+.B help
+Show help information for the specified subcommand(s).
+.SH OPTIONS
+.TP
+\fB-h\fR, \fB--help\fR
+Display help information.
+.SH EXAMPLES
+.TP
+.B aad-tool auth-test
+Test user authentication through the `himmelblaud` PAM resolver.
+
+.TP
+.B aad-tool cache-clear
+Clear all user and group data from the resolver cache.
+
+.TP
+.B aad-tool status
+Check the connection status of the `himmelblaud` daemon.
+.SH "SEE ALSO"
+.B himmelblau
+Documentation is available through the Texinfo manual. Use the following command to access the full manual:
+
+.BR info himmelblau
diff --git a/man/man8/himmelblaud.8 b/man/man8/himmelblaud.8
new file mode 100644
index 0000000..c2b4729
--- /dev/null
+++ b/man/man8/himmelblaud.8
@@ -0,0 +1,54 @@
+.TH HIMMELBLAUD "1" "September 2024" "Himmelblau 0.5.0" "System Services"
+.SH NAME
+himmelblaud \- Himmelblau Authentication Daemon for Azure Entra ID
+.SH SYNOPSIS
+.B himmelblaud
+[\fIOPTIONS\fR]
+.SH DESCRIPTION
+The `himmelblaud` daemon is responsible for authenticating users against Azure Entra ID and managing group and user information. It operates as a background service, handling authentication requests and maintaining a cache of user and group data.
+
+.SH OPTIONS
+.TP
+\fB\-r\fR, \fB\-\-skip\-root\-check\fR
+Bypass the check that prevents running the daemon as the root user. This option is risky and should never be used in production environments due to potential security vulnerabilities. It can also be set through the environment variable \fBHIMMELBLAU_SKIP_ROOT_CHECK\fR.
+
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Enable verbose debug output. This option will show detailed diagnostic information useful for troubleshooting and debugging. Can also be set via the environment variable \fBHIMMELBLAU_DEBUG\fR.
+
+.TP
+\fB\-t\fR, \fB\-\-configtest\fR
+Display the daemon’s current configuration and exit. This is useful for verifying that the configuration file is correctly formatted and contains valid options.
+
+.TP
+\fB\-c\fR, \fB\-\-config\fR
+Specify the path to the configuration file for the daemon. The default configuration file is located at \fI/etc/himmelblau/himmelblaud.conf\fR. This option can also be set via the environment variable \fBHIMMELBLAU_CONFIG\fR.
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Show the help message with information about available options.
+
+.TP
+\fB\-V\fR, \fB\-\-version\fR
+Print the version of the `himmelblaud` daemon and exit.
+
+.SH USAGE EXAMPLES
+.TP
+.B Start the daemon:
+# systemctl start himmelblaud
+
+.TP
+.B Run with a specific config file:
+# himmelblaud --config /custom/path/himmelblaud.conf
+
+.TP
+.B Test the configuration:
+# himmelblaud --configtest
+
+.TP
+.B Enable debug mode:
+# himmelblaud --debug
+.SH "SEE ALSO"
+Documentation for the `himmelblaud` daemon is available in the Texinfo manual. Use the following command to access the full manual:
+
+.BR info himmelblaud
diff --git a/man/man8/himmelblaud_tasks.8 b/man/man8/himmelblaud_tasks.8
new file mode 100644
index 0000000..e150439
--- /dev/null
+++ b/man/man8/himmelblaud_tasks.8
@@ -0,0 +1,29 @@
+.TH HIMMELBLAUD_TASKS "1" "September 2024" "Himmelblau 0.5.0" "System Services"
+.SH NAME
+himmelblaud_tasks \- Home directory creation daemon for Himmelblau
+.SH SYNOPSIS
+.B himmelblaud_tasks
+.SH DESCRIPTION
+The `himmelblaud_tasks` daemon is responsible for automatically creating home directories for users upon successful authentication via Azure Entra ID. This service is required to run as the root user, as it needs elevated permissions to create directories in system locations.
+
+The daemon operates as a background service and does not accept any command-line arguments. It is automatically invoked by the system when required.
+
+.SH USAGE
+The `himmelblaud_tasks` daemon must be run as the root user. If the daemon is started without root privileges, it will fail with an error. No user interaction is needed beyond ensuring the daemon is active and running correctly.
+
+.SH EXAMPLES
+.TP
+.B Start the daemon:
+# systemctl start himmelblaud_tasks
+
+.TP
+.B Verify the status of the daemon:
+# systemctl status himmelblaud_tasks
+
+.SH NOTES
+This daemon is integral to Himmelblau for handling user home directory creation. It ensures that users can properly log in with a valid directory structure in place after authentication.
+
+.SH "SEE ALSO"
+Further documentation for `himmelblaud_tasks` is available in the Texinfo manual. Use the following command to access the complete manual:
+
+.BR info himmelblaud_tasks
diff --git a/platform/debian/himmelblaud-tasks.service b/platform/debian/himmelblaud-tasks.service
new file mode 100644
index 0000000..e20fa9d
--- /dev/null
+++ b/platform/debian/himmelblaud-tasks.service
@@ -0,0 +1,32 @@
+# You should not need to edit this file. Instead, use a drop-in file:
+# systemctl edit himmelblaud-tasks.service
+
+[Unit]
+Description=Himmelblau Local Tasks
+After=chronyd.service ntpd.service network-online.target himmelblaud.service
+
+[Service]
+User=root
+Type=simple
+ExecStart=/usr/sbin/himmelblaud_tasks
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
+# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
+ProtectSystem=strict
+ReadWritePaths=/home /var/run/himmelblaud
+RestrictAddressFamilies=AF_UNIX
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateNetwork=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/platform/debian/himmelblaud.service b/platform/debian/himmelblaud.service
new file mode 100644
index 0000000..04a30e5
--- /dev/null
+++ b/platform/debian/himmelblaud.service
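Review bot: This unit runs as root with `CAP_DAC_OVERRIDE`, `CAP_DAC_READ_SEARCH`, `CAP_CHOWN` and `CAP_FOWNER` retained and write access to all of `/home`, yet the `SystemCallFilter=` line is commented out, so none of the remaining hardening lines constrain which system calls the process may make. For a daemon that only creates home directories, `SystemCallFilter=@system-service` together with `SystemCallArchitectures=native`, `RestrictNamespaces=true`, `RestrictSUIDSGID=true`, `RestrictRealtime=true` and `LockPersonality=true` would considerably reduce what a compromised process can reach (RestrictSUIDSGID in particular matters for a root process that creates files under user-writable paths); if the listed groups were disabled because something broke, a comment naming the failing call would help the next maintainer. `After=himmelblaud.service` only orders startup; if this service cannot do useful work without the resolver, `Wants=` or `Requires=` is needed as well. The himmelblaud_tasks.8 man page in this commit uses `systemctl start himmelblaud_tasks`, while the unit is named `himmelblaud-tasks.service`, so the documented command will not resolve.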
@@ -0,0 +1,37 @@
+# You should not need to edit this file. Instead, use a drop-in file:
+# systemctl edit himmelblaud.service
+
+[Unit]
+Description=Himmelblau Authentication Daemon
+After=chronyd.service ntpd.service network-online.target
+
+[Service]
+DynamicUser=yes
+UMask=0027
+CacheDirectory=himmelblaud # /var/cache/himmelblaud
+RuntimeDirectory=himmelblaud # /run/himmelblaud
+StateDirectory=himmelblaud # /var/lib/himmelblaud
+
+Type=simple
+ExecStart=/usr/sbin/himmelblaud
+
+# Implied by dynamic user.
+# ProtectHome=
+# ProtectSystem=strict
+# ReadWritePaths=/var/run/kanidm-unixd /var/cache/kanidm-unixd
+
+# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
+NoNewPrivileges=true
+PrivateTmp=true
+# We have to disable this to allow tpmrm0 access for tpm binding.
+PrivateDevices=false
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
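Review bot: `CacheDirectory=himmelblaud # /var/cache/himmelblaud` and the two lines after it carry trailing comments, but systemd unit files only treat lines that begin with `#` or `;` as comments, so the `#` and the absolute path are read as extra whitespace-separated entries of the directory list (these directives take relative names only, so the absolute entry will presumably be rejected when the unit loads); move each comment onto its own line above the setting, leaving `CacheDirectory=himmelblaud`, `RuntimeDirectory=himmelblaud` and `StateDirectory=himmelblaud`. `PrivateDevices=false` exposes the whole of `/dev` to the service just to reach the TPM; `DevicePolicy=closed` with `DeviceAllow=/dev/tpmrm0 rw` grants access to that one node instead. With `DynamicUser=yes` the daemon runs as a transient user, so if `/dev/tpmrm0` is group-owned by `tss` as the tpm-udev rules arrange, `SupplementaryGroups=tss` is presumably needed too — worth confirming on a host with a TPM. The commented `ReadWritePaths=/var/run/kanidm-unixd /var/cache/kanidm-unixd` is a leftover from the kanidm unit this was derived from and can be dropped.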