From 38d3c29d57cc5ba7c38809828d0f3ed4d71804e0 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 13 Sep 2025 21:13:25 -0500
Subject: [PATCH] rpm: Drop systemd sub-package

The _sshca-cli-systemd_ package was intended for machines to automatically get signed SSH host certificates on first boot. Having the systemd unit files in an RPM package allowed them to be installed by Anaconda, without needing custom post-install scripts or Ansible. Unfortunately, various issues prevented this from actually working as intended most of the time, and with the new webhook-based automatic provisioning process, it's not really necessary. I'm thus removing the sub-package that contained the unit files and moving them to the Ansible configuration policy.
---
 ssh-host-cert-sign@.service | 34 ----------------------------------
 ssh-host-certs-renew.target | 7 -------
 ssh-host-certs-renew.timer | 12 ------------
 ssh-host-certs.target | 10 ----------
 sshca-cli.spec | 35 +----------------------------------
 5 files changed, 1 insertion(+), 97 deletions(-)
 delete mode 100644 ssh-host-cert-sign@.service
 delete mode 100644 ssh-host-certs-renew.target
 delete mode 100644 ssh-host-certs-renew.timer
 delete mode 100644 ssh-host-certs.target

diff --git a/ssh-host-cert-sign@.service b/ssh-host-cert-sign@.service
deleted file mode 100644
index 0efde1e..0000000
--- a/ssh-host-cert-sign@.service
+++ /dev/null
@@ -1,34 +0,0 @@
-[Unit]
-Description=Request %I SSH Host Certificate
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
-ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
-
-CapabilityBoundingSet=CAP_CHOWN
-DeviceAllow=
-DevicePolicy=closed
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
-PrivateUsers=yes
-PrivateTmp=yes
-ProcSubset=pid
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/etc/ssh
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
diff --git a/ssh-host-certs-renew.target b/ssh-host-certs-renew.target
deleted file mode 100644
index 9e54f1b..0000000
--- a/ssh-host-certs-renew.target
+++ /dev/null
@@ -1,7 +0,0 @@
-# vim: set ft=systemd :
-[Unit]
-Description=Request SSH Host Certificates
-StopWhenUnneeded=yes
-Wants=ssh-host-cert-sign@ed25519.service
-Wants=ssh-host-cert-sign@rsa.service
-Wants=ssh-host-cert-sign@ecdsa.service
diff --git a/ssh-host-certs-renew.timer b/ssh-host-certs-renew.timer
deleted file mode 100644
index 3f6f728..0000000
--- a/ssh-host-certs-renew.timer
+++ /dev/null
@@ -1,12 +0,0 @@
-# vim: set ft=systemd :
-[Unit]
-Description=Periodically renew SSH host certificates
-
-[Timer]
-Unit=%N.target
-OnCalendar=Tue *-*-* 00:00:00
-RandomizedDelaySec=48h
-Persistent=yes
-
-[Install]
-WantedBy=timers.target
diff --git a/ssh-host-certs.target b/ssh-host-certs.target
deleted file mode 100644
index 6277e22..0000000
--- a/ssh-host-certs.target
+++ /dev/null
@@ -1,10 +0,0 @@
-# vim: set ft=systemd :
-[Unit]
-Description=Request SSH Host Certificates
-ConditionFirstBoot=yes
-Wants=ssh-host-cert-sign@ed25519.service
-Wants=ssh-host-cert-sign@rsa.service
-Wants=ssh-host-cert-sign@ecdsa.service
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sshca-cli.spec b/sshca-cli.spec
index afe946a..6992133 100644
--- a/sshca-cli.spec
+++ b/sshca-cli.spec
@@ -8,7 +8,7 @@ Name: sshca-cli
 Version: 0.1.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: CLI client for SSHCA
 SourceLicense: MIT OR Apache-2.0
@@ -18,30 +18,17 @@ License: MIT OR Apache-2.0
 URL: https://git.pyrocufflink.net/dustin/sshca
 Source: sshca-cli-%{version}.tar.xz
 Source: sshca-cli-%{version}-vendor.tar.xz
-Source: ssh-host-cert-sign@.service
-Source: ssh-host-certs.target
-Source: ssh-host-certs-renew.target
-Source: ssh-host-certs-renew.timer
 ExclusiveArch: %{rust_arches}
 BuildRequires: cargo-rpm-macros >= 25
 BuildRequires: openssl-devel
-BuildRequires: systemd-rpm-macros
 %global _description %{expand: CLI client for SSHCA.}
 %description %{_description}
-%package systemd
-Summary: systemd units for managing SSH host certificates with SSHCA
-Requires: %{name} = %{version}
-
-%description systemd
-A collection of systemd service, timer, and target units that automatically
-request and renew SSH host certificates from an SSHCA server.
-
 %prep
 %autosetup -n %{crate}-%{version} -p1 -a1
 %cargo_prep -v vendor
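Review bot: Dropping `%package systemd` adds no `Obsoletes:` to the main package, so a host that already has sshca-cli-systemd-0.1.1-1 installed keeps it after the upgrade (its removed `Requires: %{name} = %{version}` is still satisfied by 0.1.1-2), together with the unit files and any timer enabled from them. Adding `Obsoletes: %{name}-systemd < 0.1.1-2` alongside the remaining `BuildRequires:` lines would make the upgrade remove the sub-package, which should also run its old `%preun`/`%postun` scriptlets that disable those units. Separately, `Release:` is bumped to `2%{?dist}` in the first hunk without a `%changelog` entry, and the last hunk's trailing context shows the newest entry is still 0.1.0-1, so an entry such as `* Sat Sep 13 2025 Dustin C. Hatch - 0.1.1-2` / `- Drop systemd sub-package` should accompany the bump.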
@@ -56,28 +43,11 @@ request and renew SSH host certificates from an SSHCA server.
 %install
 %cargo_install
-mkdir -p $RPM_BUILD_ROOT%{_unitdir}
-install -m u=rw,go=r \
- %{SOURCE2} \
- %{SOURCE3} \
- %{SOURCE4} \
- %{SOURCE5} \
- $RPM_BUILD_ROOT%{_unitdir}
-
 %if %{with check}
 %check
 %cargo_test
 %endif
-%post systemd
-%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
-
-%preun systemd
-%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
-
-%postun systemd
-%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
-
 %files
 %license LICENSE-Apache-2.0.txt
 %license LICENSE-MIT.txt
@@ -85,9 +55,6 @@ install -m u=rw,go=r \
 %license cargo-vendor.txt
 %{_bindir}/sshca-cli
-%files systemd
-%{_unitdir}/*
-
 %changelog
 * Sun Nov 05 2023 Dustin C. Hatch - 0.1.0-1
 - Initial package