🔖 release v0.6.1 - deb/rpm binary packages

.earthignore

@@ -0,0 +1,2 @@
+target/
+.config.toml

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "aeneid"
-version = "0.6.0"
+version = "0.6.1"
 authors = ["Nikhil Jha <mail@nikhiljha.com>"]
 edition = "2018"
 description = "use GitHub as a free, zero-ops Identity Provider"
@@ -11,7 +11,30 @@ license = "GPL-3.0-only"
 keywords = ["github", "openssh"]
 categories = ["authentication"]
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[package.metadata.deb]
+maintainer = "Nikhil Jha <mail@nikhiljha.com>"
+copyright = "2021, Nikhil Jha <mail@nikhiljha.com>"
+extended-description = """\
+Use GitHub as a free, zero-ops Identity Provider \
+by using github authorized_keys for your sshd."""
+maintainer-scripts = "pkg/deb/"
+conf-files = ["etc/aeneid/config.toml"]
+assets = [
+    ["target/release/aeneid", "usr/bin/", "755"],
+    ["README.md", "usr/share/doc/aeneid/README", "644"],
+    ["src/config.toml", "etc/aeneid/config.toml", "700"],
+]
+
+[package.metadata.rpm]
+package = "aeneid"
+config = "pkg/rpm"
+files = {"../../src/config.toml" = {path = "/etc/aeneid/config.toml"}}
+
+[package.metadata.rpm.cargo]
+buildflags = ["--release"]
+
+[package.metadata.rpm.targets]
+aeneid = { path = "/usr/bin/aeneid" }
 
 [dependencies]
 reqwest = { version = "0.11.4", features = ["blocking", "json", "rustls-tls"], default-features = false }
@@ -20,3 +43,4 @@ regex = "1.4.5"
 toml = "0.5.8"
 serde_derive = "1.0.127"
 serde = "1.0.127"
+

Earthfile

@@ -0,0 +1,26 @@
+FROM rust:1.54-slim
+WORKDIR .
+
+debian:
+    RUN apt-get update
+    RUN apt-get install -y gnulib
+    RUN cargo install cargo-deb
+    COPY Cargo.toml ./
+    COPY Cargo.lock ./
+    COPY src src
+    COPY pkg pkg
+    COPY README.md README.md
+    RUN cargo deb
+    SAVE ARTIFACT /target/debian /debian AS LOCAL target/debian
+
+rpm:
+    RUN apt-get update
+    RUN apt-get install -y rpm
+    RUN cargo install --git https://github.com/iqlusioninc/cargo-rpm
+    COPY Cargo.toml ./
+    COPY Cargo.lock ./
+    COPY src src
+    COPY pkg pkg
+    COPY README.md README.md
+    RUN cargo rpm build
+    SAVE ARTIFACT /target/release/rpmbuild /rpm AS LOCAL target/release/rpmbuild

README.md

@@ -15,13 +15,19 @@ GitHub's "teams" feature is basically a free, zero-ops [IdP](https://en.wikipedi
 
 Install aeneid with your usual package manager. If that's not possible, you can use cargo.
 
-**cargo** (not recommended, see FAQ): `cargo install aeneid && cp $(whereis aeneid | cut -f 2 -d " ") /usr/local/bin && cargo uninstall aeneid && sudo /usr/local/bin/aeneid --init init`
+**deb** (Debian, Ubuntu, etc): [download from GitHub releases](https://github.com/nikhiljha/aeneid/releases) then `dpkg -i /path/to/aeneid.deb`
+
+**rpm** (Fedora, RHEL, etc): [download from GitHub releases](https://github.com/nikhiljha/aeneid/releases) then `rpm -i /path/to/aeneid.rpm`
+
+**nix** (NixOS, etc): coming soon (TM)...
+
+**cargo** (not recommended, see FAQ): `cargo install aeneid && cp $(whereis aeneid | cut -f 2 -d " ") /usr/local/bin && cargo uninstall aeneid && sudo /usr/local/bin/aeneid --init`
 
 ## Configuration
 
 **Automatic Configuration**
 
-If you used one of the commands in the installation section, everything should be automatically configured. Just add credentials to `/etc/aeneid/config.toml`.
+If you used one of the commands in the installation section, everything should be automatically configured. Just add credentials (and/or overrides) to `/etc/aeneid/config.toml`, and then run `sudo aeneid --init` to automatically configure your sshd. If you'd rather manually configure your sshd, see the paragraph about sshd in the manual configuration section.
 
 **Manual Configuration**
 
@@ -33,11 +39,12 @@ You'll also need to set `AuthorizedKeysCommand /path/to/bin/aeneid` and `Authori
 
 ## Usage
 
-If your GitHub username starts with a number, prefix your username with an `_` to login. Otherwise, your username is your GitHub username. See the `unix_to_github` function in `main.rs` for more information.
+If you specified a unix username in `overrides`, use that username. If you're using GitHub teams, and your username starts with a number, prefix your username with an `_` to login. Otherwise, your username is your GitHub username. See the `unix_to_github` function in `main.rs` for more information.
 
-Automatically creating users is currently unsupported, you'll need to create the corresponding user manually before logging in (`adduser username`).
+Automatically creating users is currently unsupported, you'll need to create the corresponding user manually before first login (`adduser username`).
 
 ```bash
+$ # make sure ssh is setup with your GitHub keys, then...
 $ ssh username@example.com # that's it
 ```
 

pkg/.noinit

@@ -0,0 +1 @@
+# the presence of this file will break aeneid --init

pkg/deb/postinst

@@ -0,0 +1,34 @@
+# adapted from PostgreSQL postgresql-common.postinst
+if [ "$1" = configure ]; then
+    # Make sure the administrative user exists
+    if ! getent passwd aeneid > /dev/null; then
+        adduser --system $quiet --home /etc/aeneid --no-create-home \
+            --shell /bin/bash --group --gecos "aeneid user" aeneid
+    fi
+    # if the user was created manually, make sure the group is there as well
+    if ! getent group aeneid > /dev/null; then
+        addgroup --system $quiet aeneid
+    fi
+    # make sure aeneid is in the aeneid group
+    if ! id -Gn aeneid | grep -qw aeneid; then
+        adduser $quiet aeneid aeneid
+    fi
+
+    # check validity of aeneid user and group
+    if [ "`id -u aeneid`" -eq 0 ]; then
+        echo "The aeneid system user must not have uid 0 (root).
+Please fix this and reinstall this package." >&2
+        exit 1
+    fi
+    if [ "`id -g aeneid`" -eq 0 ]; then
+        echo "The aeneid system user must not have root as primary group.
+Please fix this and reinstall this package." >&2
+        exit 1
+    fi
+
+    # ensure config directory ownership
+    mkdir -p /etc/aeneid
+    su -s /bin/sh aeneid -c "test -O /etc/aeneid &&
+            test -G /etc/aeneid" || \
+        chown -R aeneid:aeneid /etc/aeneid
+fi

pkg/rpm/aeneid.spec

@@ -0,0 +1,42 @@
+%define __spec_install_post %{nil}
+%define __os_install_post %{_dbpath}/brp-compress
+%define debug_package %{nil}
+
+Name: aeneid
+Summary: use GitHub as a free, zero-ops Identity Provider
+Version: @@VERSION@@
+Release: @@RELEASE@@%{?dist}
+License: GPLv3
+Group: Applications/System
+Source0: %{name}-%{version}.tar.gz
+URL: https://nikhiljha.com/projects/
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+%description
+%{summary}
+
+%prep
+%setup -q
+
+%install
+rm -rf %{buildroot}
+mkdir -p %{buildroot}
+cp -a * %{buildroot}
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+%{_bindir}/*
+%config(noreplace) %{_sysconfdir}/aeneid/config.toml
+
+%post
+# create aeneid user
+groupadd -r aeneid >/dev/null 2>&1 || :
+useradd -M -n -g aeneid -r -d /etc/aeneid -s /bin/bash \
+    -c "aeneid user" aeneid >/dev/null 2>&1 || :
+# create directories so aeneid can store caches and read config files
+install -d -o aeneid -g aeneid /etc/aeneid
+chown -R aeneid:aeneid /etc/aeneid

src/config.rs

@@ -73,7 +73,7 @@ pub(crate) fn init() {
     if !cmd_configured.is_match(&*contents) && !user_configured.is_match(&*contents) {
         file.write(
             format!(
-                "AuthorizedKeysCommand {}\nAuthorizedKeysCommandUser aeneid",
+                "\nAuthorizedKeysCommand {}\nAuthorizedKeysCommandUser aeneid\n",
                 std::env::current_exe()
                     .expect("get executable")
                     .to_str()

src/main.rs

@@ -12,8 +12,12 @@ fn main() {
         .version(env!("CARGO_PKG_VERSION"))
         .author("Nikhil Jha <mail@nikhiljha.com>")
         .about("authenticate SSH users with their GitHub authorized_keys")
-        .arg("-i, --init 'initialize aeneid'")
-        .arg("<username> 'a unix username'")
+        .arg("-i, --init 'Initializes aeneid'")
+        .arg(clap::Arg::new("username")
+            .conflicts_with("init")
+            .required(true)
+            .about("a unix username")
+        )
         .get_matches();
 
     if args.is_present("init") {