From d6224f24542f33382c1334f11176a23136a8befe Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Tue, 28 Mar 2023 18:43:33 +0200 Subject: [PATCH] Initial work on nfpm Signed-off-by: Kristoffer Dalby --- .github/workflows/release-docker.yml | 138 +++++++++++++++++++++++ .github/workflows/release.yml | 131 +-------------------- .nfpm.yaml | 37 ++++++ docs/packaging/README.md | 5 + docs/packaging/headscale.systemd.service | 52 +++++++++ docs/packaging/postinstall.sh | 85 ++++++++++++++ docs/packaging/postremove.sh | 15 +++ flake.nix | 1 + 8 files changed, 334 insertions(+), 130 deletions(-) create mode 100644 .github/workflows/release-docker.yml create mode 100644 .nfpm.yaml create mode 100644 docs/packaging/README.md create mode 100644 docs/packaging/headscale.systemd.service create mode 100644 docs/packaging/postinstall.sh create mode 100644 docs/packaging/postremove.sh diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml new file mode 100644 index 00000000..d82f3268 --- /dev/null +++ b/.github/workflows/release-docker.yml @@ -0,0 +1,138 @@ +--- +name: Release Docker + +on: + push: + tags: + - "*" # triggers only if push new tag version + workflow_dispatch: + +jobs: + docker-release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + - name: Set up QEMU for multiple platforms + uses: docker/setup-qemu-action@master + with: + platforms: arm64,amd64 + - name: Cache Docker layers + uses: actions/cache@v2 + with: + path: /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx- + - name: Docker meta + id: meta + uses: docker/metadata-action@v3 + with: + # list of Docker images to use as base name for tags + images: | + ${{ secrets.DOCKERHUB_USERNAME }}/headscale + ghcr.io/${{ github.repository_owner }}/headscale + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + type=raw,value=develop + - name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Login to GHCR + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push + id: docker_build + uses: docker/build-push-action@v2 + with: + push: true + context: . + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache-new + build-args: | + VERSION=${{ steps.meta.outputs.version }} + - name: Prepare cache for next build + run: | + rm -rf /tmp/.buildx-cache + mv /tmp/.buildx-cache-new /tmp/.buildx-cache + + docker-debug-release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + - name: Set up QEMU for multiple platforms + uses: docker/setup-qemu-action@master + with: + platforms: arm64,amd64 + - name: Cache Docker layers + uses: actions/cache@v2 + with: + path: /tmp/.buildx-cache-debug + key: ${{ runner.os }}-buildx-debug-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx-debug- + - name: Docker meta + id: meta-debug + uses: docker/metadata-action@v3 + with: + # list of Docker images to use as base name for tags + images: | + ${{ secrets.DOCKERHUB_USERNAME }}/headscale + ghcr.io/${{ github.repository_owner }}/headscale + flavor: | + suffix=-debug,onlatest=true + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + type=raw,value=develop + - name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Login to GHCR + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push + id: docker_build + uses: docker/build-push-action@v2 + with: + push: true + context: . + file: Dockerfile.debug + tags: ${{ steps.meta-debug.outputs.tags }} + labels: ${{ steps.meta-debug.outputs.labels }} + platforms: linux/amd64,linux/arm64 + cache-from: type=local,src=/tmp/.buildx-cache-debug + cache-to: type=local,dest=/tmp/.buildx-cache-debug-new + build-args: | + VERSION=${{ steps.meta-debug.outputs.version }} + - name: Prepare cache for next build + run: | + rm -rf /tmp/.buildx-cache-debug + mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d135241d..4c51ea96 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,135 +19,6 @@ jobs: - uses: cachix/install-nix-action@v16 - name: Run goreleaser - run: nix develop --command -- goreleaser release --rm-dist + run: nix develop --command -- goreleaser release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - docker-release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Set up QEMU for multiple platforms - uses: docker/setup-qemu-action@master - with: - platforms: arm64,amd64 - - name: Cache Docker layers - uses: actions/cache@v2 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - name: Docker meta - id: meta - uses: docker/metadata-action@v3 - with: - # list of Docker images to use as base name for tags - images: | - ${{ secrets.DOCKERHUB_USERNAME }}/headscale - ghcr.io/${{ github.repository_owner }}/headscale - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha - type=raw,value=develop - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GHCR - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push - id: docker_build - uses: docker/build-push-action@v2 - with: - push: true - context: . - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64,linux/arm64 - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache-new - build-args: | - VERSION=${{ steps.meta.outputs.version }} - - name: Prepare cache for next build - run: | - rm -rf /tmp/.buildx-cache - mv /tmp/.buildx-cache-new /tmp/.buildx-cache - - docker-debug-release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Set up QEMU for multiple platforms - uses: docker/setup-qemu-action@master - with: - platforms: arm64,amd64 - - name: Cache Docker layers - uses: actions/cache@v2 - with: - path: /tmp/.buildx-cache-debug - key: ${{ runner.os }}-buildx-debug-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx-debug- - - name: Docker meta - id: meta-debug - uses: docker/metadata-action@v3 - with: - # list of Docker images to use as base name for tags - images: | - ${{ secrets.DOCKERHUB_USERNAME }}/headscale - ghcr.io/${{ github.repository_owner }}/headscale - flavor: | - suffix=-debug,onlatest=true - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha - type=raw,value=develop - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GHCR - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push - id: docker_build - uses: docker/build-push-action@v2 - with: - push: true - context: . - file: Dockerfile.debug - tags: ${{ steps.meta-debug.outputs.tags }} - labels: ${{ steps.meta-debug.outputs.labels }} - platforms: linux/amd64,linux/arm64 - cache-from: type=local,src=/tmp/.buildx-cache-debug - cache-to: type=local,dest=/tmp/.buildx-cache-debug-new - build-args: | - VERSION=${{ steps.meta-debug.outputs.version }} - - name: Prepare cache for next build - run: | - rm -rf /tmp/.buildx-cache-debug - mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug diff --git a/.nfpm.yaml b/.nfpm.yaml new file mode 100644 index 00000000..6a92502b --- /dev/null +++ b/.nfpm.yaml @@ -0,0 +1,37 @@ +# this is the base "template" for the package +name: headscale +description: headscale coordination server for Tailscale +arch: ${ARCH} +version: ${VERSION} +priority: optional +vendor: Juan Font +maintainer: Kristoffer Dalby +homepage: https://github.com/juanfont/headscale +license: BSD +contents: + - src: ./build/headscale + dst: /usr/bin/headscale + - src: ./config-example.yaml + dst: /etc/headscale/config.yaml + type: config|noreplace + file_info: + mode: 0640 + - src: ./docs/packaging/headscale.systemd.service + dst: /etc/systemd/system/headscale.service + - dst: /var/lib/headscale + type: dir + - dst: /var/run/headscale + type: dir +# deb: +# signature: +# method: dpkg-sig +# key_file: ".key.asc" +# rpm: +# signature: +# key_file: ".key.asc" +# apk: +# signature: +# key_file: ".key.rsa" +scripts: + postinstall: ./docs/packaging/postinstall.sh + postremove: ./docs/packaging/postremove.sh diff --git a/docs/packaging/README.md b/docs/packaging/README.md new file mode 100644 index 00000000..c3a80893 --- /dev/null +++ b/docs/packaging/README.md @@ -0,0 +1,5 @@ +# Packaging + +We use [nFPM](https://nfpm.goreleaser.com/) for making `.deb`, `.rpm` and `.apk`. + +This folder contains files we need to package with these releases. diff --git a/docs/packaging/headscale.systemd.service b/docs/packaging/headscale.systemd.service new file mode 100644 index 00000000..954ab37f --- /dev/null +++ b/docs/packaging/headscale.systemd.service @@ -0,0 +1,52 @@ +[Unit] +After=syslog.target +After=network.target +Description=headscale coordination server for Tailscale +X-Restart-Triggers=/etc/headscale/config.yaml + +[Service] +Type=simple +User=headscale +Group=headscale +ExecStart=/usr/bin/headscale serve +Restart=always +RestartSec=5 + +WorkingDirectory=/var/lib/headscale +ReadWritePaths=/var/lib/headscale /var/run + +AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN +CapabilityBoundingSet=CAP_CHOWN +LockPersonality=true +NoNewPrivileges=true +PrivateDevices=true +PrivateMounts=true +PrivateTmp=true +ProcSubset=pid +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectHome=yes +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectProc=invisible +ProtectSystem=strict +RemoveIPC=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +RuntimeDirectory=headscale +RuntimeDirectoryMode=0750 +StateDirectory=headscale +StateDirectoryMode=0750 +SystemCallArchitectures=native +SystemCallFilter=@chown +SystemCallFilter=@system-service +SystemCallFilter=~@privileged +UMask=0077 + +[Install] +WantedBy=multi-user.target diff --git a/docs/packaging/postinstall.sh b/docs/packaging/postinstall.sh new file mode 100644 index 00000000..225de614 --- /dev/null +++ b/docs/packaging/postinstall.sh @@ -0,0 +1,85 @@ +#!/bin/sh +# Determine OS platform +# shellcheck source=/dev/null +. /etc/os-release + +HEADSCALE_EXE="/usr/bin/headscale" +BSD_HIER="" +HEADSCALE_RUN_DIR="/var/run/headscale" +HEADSCALE_USER="headscale" +HEADSCALE_GROUP="headscale" + +ensure_sudo() { + if [ "$(id -u)" = "0" ]; then + echo "Sudo permissions detected" + else + echo "No sudo permission detected, please run as sudo" + exit 1 + fi +} + +ensure_headscale_path() { + if [ ! -f "$HEADSCALE_EXE" ]; then + echo "headscale not in default path, exiting..." + exit 1 + fi + + printf "Found headscale %s\n" "$HEADSCALE_EXE" +} + +create_headscale_user() { + printf "PostInstall: Adding headscale user %s\n" "$HEADSCALE_USER" + useradd -s /bin/sh -c "headscale default user" headscale +} + +create_headscale_group() { + if command -V systemctl >/dev/null 2>&1; then + printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP" + groupadd "$HEADSCALE_GROUP" + + printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP" + usermod -a -G "$HEADSCALE_GROUP" "$HEADSCALE_USER" + fi + + if [ "$ID" = "alpine" ]; then + printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP" + addgroup "$HEADSCALE_GROUP" + + printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP" + addgroup "$HEADSCALE_USER" "$HEADSCALE_GROUP" + fi +} + +create_run_dir() { + printf "PostInstall: Creating headscale run directory \n" + mkdir -p "$HEADSCALE_RUN_DIR" + + printf "PostInstall: Modifying group ownership of headscale run directory \n" + chown "$HEADSCALE_USER":"$HEADSCALE_GROUP" "$HEADSCALE_RUN_DIR" +} + +summary() { + echo "----------------------------------------------------------------------" + echo " headscale package has been successfully installed." + echo "" + echo " Please follow the next steps to start the software:" + echo "" + echo " sudo systemctl start headscale" + echo "" + echo " Configuration settings can be adjusted here:" + echo " ${BSD_HIER}/etc/headscale/config.yaml" + echo "" + echo "----------------------------------------------------------------------" +} + +# +# Main body of the script +# +{ + ensure_sudo + ensure_headscale_path + create_headscale_user + create_headscale_group + create_run_dir + summary +} diff --git a/docs/packaging/postremove.sh b/docs/packaging/postremove.sh new file mode 100644 index 00000000..ed480bbf --- /dev/null +++ b/docs/packaging/postremove.sh @@ -0,0 +1,15 @@ +#!/bin/sh +# Determine OS platform +# shellcheck source=/dev/null +. /etc/os-release + +if command -V systemctl >/dev/null 2>&1; then + echo "Stop and disable headscale service" + systemctl stop headscale >/dev/null 2>&1 || true + systemctl disable headscale >/dev/null 2>&1 || true + echo "Running daemon-reload" + systemctl daemon-reload || true +fi + +echo "Removing run directory" +rm -rf "/var/run/headscale.sock" diff --git a/flake.nix b/flake.nix index 9282c8bc..1918b3de 100644 --- a/flake.nix +++ b/flake.nix @@ -97,6 +97,7 @@ golines nodePackages.prettier goreleaser + nfpm gotestsum # Protobuf dependencies