rpm: Drop systemd sub-package
The _sshca-cli-systemd_ package was intended for machines to automatically get signed SSH host certificates on first boot. Having the systemd unit files in an RPM package allowed them to be installed by Anaconda, without needing custom post-install scripts or Ansible. Unfortunately, various issues prevented this from actually working as intended most of the time, and with the new webhook-based automatic provisioning process, it's not really necessary. I'm thus removing the sub-package that contained the unit files and moving them to the Ansible configuration policy.
parent
1c36e749c0
commit
38d3c29d57
|
@ -1,34 +0,0 @@
|
|||
[Unit]
|
||||
Description=Request %I SSH Host Certificate
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
|
||||
ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
|
||||
|
||||
CapabilityBoundingSet=CAP_CHOWN
|
||||
DeviceAllow=
|
||||
DevicePolicy=closed
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
PrivateUsers=yes
|
||||
PrivateTmp=yes
|
||||
ProcSubset=pid
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc/ssh
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
|
@ -1,7 +0,0 @@
|
|||
# vim: set ft=systemd :
|
||||
[Unit]
|
||||
Description=Request SSH Host Certificates
|
||||
StopWhenUnneeded=yes
|
||||
Wants=ssh-host-cert-sign@ed25519.service
|
||||
Wants=ssh-host-cert-sign@rsa.service
|
||||
Wants=ssh-host-cert-sign@ecdsa.service
|
|
@ -1,12 +0,0 @@
|
|||
# vim: set ft=systemd :
|
||||
[Unit]
|
||||
Description=Periodically renew SSH host certificates
|
||||
|
||||
[Timer]
|
||||
Unit=%N.target
|
||||
OnCalendar=Tue *-*-* 00:00:00
|
||||
RandomizedDelaySec=48h
|
||||
Persistent=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
|
@ -1,10 +0,0 @@
|
|||
# vim: set ft=systemd :
|
||||
[Unit]
|
||||
Description=Request SSH Host Certificates
|
||||
ConditionFirstBoot=yes
|
||||
Wants=ssh-host-cert-sign@ed25519.service
|
||||
Wants=ssh-host-cert-sign@rsa.service
|
||||
Wants=ssh-host-cert-sign@ecdsa.service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
Name: sshca-cli
|
||||
Version: 0.1.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: CLI client for SSHCA
|
||||
|
||||
SourceLicense: MIT OR Apache-2.0
|
||||
|
@ -18,30 +18,17 @@ License: MIT OR Apache-2.0
|
|||
URL: https://git.pyrocufflink.net/dustin/sshca
|
||||
Source: sshca-cli-%{version}.tar.xz
|
||||
Source: sshca-cli-%{version}-vendor.tar.xz
|
||||
Source: ssh-host-cert-sign@.service
|
||||
Source: ssh-host-certs.target
|
||||
Source: ssh-host-certs-renew.target
|
||||
Source: ssh-host-certs-renew.timer
|
||||
|
||||
ExclusiveArch: %{rust_arches}
|
||||
|
||||
BuildRequires: cargo-rpm-macros >= 25
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: systemd-rpm-macros
|
||||
|
||||
%global _description %{expand:
|
||||
CLI client for SSHCA.}
|
||||
|
||||
%description %{_description}
|
||||
|
||||
%package systemd
|
||||
Summary: systemd units for managing SSH host certificates with SSHCA
|
||||
Requires: %{name} = %{version}
|
||||
|
||||
%description systemd
|
||||
A collection of systemd service, timer, and target units that automatically
|
||||
request and renew SSH host certificates from an SSHCA server.
|
||||
|
||||
%prep
|
||||
%autosetup -n %{crate}-%{version} -p1 -a1
|
||||
%cargo_prep -v vendor
|
||||
|
@ -56,28 +43,11 @@ request and renew SSH host certificates from an SSHCA server.
|
|||
%install
|
||||
%cargo_install
|
||||
|
||||
mkdir -p $RPM_BUILD_ROOT%{_unitdir}
|
||||
install -m u=rw,go=r \
|
||||
%{SOURCE2} \
|
||||
%{SOURCE3} \
|
||||
%{SOURCE4} \
|
||||
%{SOURCE5} \
|
||||
$RPM_BUILD_ROOT%{_unitdir}
|
||||
|
||||
%if %{with check}
|
||||
%check
|
||||
%cargo_test
|
||||
%endif
|
||||
|
||||
%post systemd
|
||||
%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
|
||||
|
||||
%preun systemd
|
||||
%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
|
||||
|
||||
%postun systemd
|
||||
%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
|
||||
|
||||
%files
|
||||
%license LICENSE-Apache-2.0.txt
|
||||
%license LICENSE-MIT.txt
|
||||
|
@ -85,9 +55,6 @@ install -m u=rw,go=r \
|
|||
%license cargo-vendor.txt
|
||||
%{_bindir}/sshca-cli
|
||||
|
||||
%files systemd
|
||||
%{_unitdir}/*
|
||||
|
||||
%changelog
|
||||
* Sun Nov 05 2023 Dustin C. Hatch <dustin@hatch.name> - 0.1.0-1
|
||||
- Initial package
|
||||
|
|
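Review bot: The preamble hunk (`@ -18,30 +18,17`) drops `%package systemd` without adding an `Obsoletes:` tag to the main package, so hosts that already have sshca-cli-systemd installed will keep the old sub-package, its unit files and its enabled renewal timer after upgrading. Because the removed sub-package carried `Requires: %{name} = %{version}`, the leftover package would presumably also block the next version bump of sshca-cli. I would add `Obsoletes: %{name}-systemd < 0.1.1-2` next to the other preamble tags. That removal runs the old `%preun` scriptlet, which disables the timer, so the Ansible-managed units need to be deployed first to keep host certificates renewing, and they should carry over the sandboxing directives of the removed ssh-host-cert-sign@.service (`ProtectSystem=strict`, `ReadWritePaths=/etc/ssh`, `NoNewPrivileges=yes` and the rest). Separately, the `Release:` line appears to move from 1 to 2 with no matching `%changelog` entry; the only entry visible is for 0.1.0-1.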