merge stable/2.x -> dev

.github/workflows/ci.yml

@@ -20,6 +20,7 @@ on:
 
 permissions:
   contents: read
+  packages: read
 
 jobs:
   lint:
@@ -231,9 +232,6 @@ jobs:
             --partition hash:${{ matrix.partition }}/8
 
   test-ldap:
-    # binami ldap image is no longer served by ecr
-    # disable this job for now to avoid CI fails
-    if: false
     needs: build
 
     runs-on:
@@ -255,6 +253,13 @@ jobs:
       - name: Download cargo-nextest binary
         run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf -
 
+      - name: Log in to ghcr.io
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Start Postgres and OpenLDAP
         run: docker compose -p defguard-ldap -f docker-compose.ldap-test.yaml up -d --wait db openldap
 

.github/workflows/release.yml

@@ -79,6 +79,9 @@ jobs:
       - X64
     env:
       SQLX_OFFLINE: "1"
+      # Force the installed stable toolchain. RUSTUP_TOOLCHAIN takes precedence
+      # over any stale rustup directory override left on the self-hosted runner.
+      RUSTUP_TOOLCHAIN: "stable"
       # sccache
       SCCACHE_GHA_ENABLED: "true"
       RUSTC_WRAPPER: "sccache"
@@ -221,14 +224,15 @@ jobs:
           fpm_args:
             "defguard-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard
             freebsd/defguard=/usr/local/etc/rc.d/defguard
-            .env.example=/etc/defguard/core.conf"
+            .env.example=/etc/defguard/core.conf.sample"
           fpm_opts:
             "--architecture amd64
             --output-type freebsd
             --version ${{ env.VERSION }}
             --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg
             --freebsd-osversion '*'
-            --depends openssl"
+            --depends openssl
+            --after-install freebsd/post-install.sh"
 
       - name: Upload Linux x86_64 archive
         uses: shogo82148/actions-upload-release-asset@394b3c11c3cfc038b5396ad265c074065cf875c3 # v1.10.2

.github/workflows/test-apt-repo.yml

@@ -2,10 +2,11 @@ name: Test APT repository
 
 "on":
   schedule:
-    - cron: "0 6 * * *"
+    - cron: "0 */6 * * *"
   workflow_dispatch:
-  release:
-    types: [published]
+  workflow_run:
+    workflows: ["Update repositories with packages"]
+    types: [completed]
 
 jobs:
   test-apt-install:
@@ -20,7 +21,7 @@ jobs:
       fail-fast: false
       matrix:
         package: [defguard, defguard-proxy, defguard-gateway]
-        component: [release, pre-release]
+        component: [release, pre-release, release-2.0, pre-release-2.0]
         include:
           - package: defguard
             github_repo: DefGuard/defguard
@@ -47,35 +48,65 @@ jobs:
       - name: Update APT cache
         run: apt-get update -y
 
+      - name: Check package availability in component
+        run: |
+          CANDIDATE=$(apt-cache policy ${{ matrix.package }} | awk '/Candidate:/ {print $2}')
+          if [ -z "$CANDIDATE" ] || [ "$CANDIDATE" = "(none)" ]; then
+            echo "::notice::${{ matrix.package }} not available in component ${{ matrix.component }}, skipping"
+            echo "SKIP=true" >> $GITHUB_ENV
+          else
+            echo "Candidate version: $CANDIDATE"
+            echo "SKIP=false" >> $GITHUB_ENV
+          fi
+
       - name: Get expected version from GitHub
+        if: env.SKIP != 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          if [ "${{ matrix.component }}" = "release" ]; then
-            VERSION=$(curl -sf \
-              -H "Authorization: Bearer $GH_TOKEN" \
-              https://api.github.com/repos/${{ matrix.github_repo }}/releases/latest \
-              | jq -r '.tag_name')
-          else
-            VERSION=$(curl -sf \
-              -H "Authorization: Bearer $GH_TOKEN" \
-              https://api.github.com/repos/${{ matrix.github_repo }}/releases \
-              | jq -r '[.[] | select(.prerelease == true)][0].tag_name')
+          case "${{ matrix.component }}" in
+            release-2.0)     PRERELEASE=false; MAJOR=v2. ;;
+            pre-release-2.0) PRERELEASE=true;  MAJOR=v2. ;;
+            release)         PRERELEASE=false; MAJOR=v1. ;;
+            pre-release)     PRERELEASE=true;  MAJOR=v1. ;;
+          esac
+          VERSION=$(curl -sf \
+            -H "Authorization: Bearer $GH_TOKEN" \
+            https://api.github.com/repos/${{ matrix.github_repo }}/releases \
+            | jq -r --argjson pre "$PRERELEASE" --arg major "$MAJOR" \
+              '[.[] | select(.prerelease == $pre and (.tag_name | startswith($major)))][0].tag_name // empty')
+          if [ -z "$VERSION" ]; then
+            echo "::notice::no $MAJOR release (prerelease=$PRERELEASE) of ${{ matrix.package }} on GitHub, skipping"
+            echo "SKIP=true" >> $GITHUB_ENV
+            exit 0
           fi
           VERSION="${VERSION#v}"
+
+          # legacy pre-release still holds 2.0 betas published before the
+          # component split; accept them instead of expecting the latest v1.x
+          CANDIDATE=$(apt-cache policy ${{ matrix.package }} | awk '/Candidate:/ {print $2}')
+          if [ "${{ matrix.component }}" = "pre-release" ] && [ "${CANDIDATE%%.*}" != "1" ]; then
+            echo "::notice::candidate $CANDIDATE is from before the component split, skipping version comparison"
+            VERSION=""
+          fi
+
           echo "Expected version: $VERSION"
           echo "EXPECTED_VERSION=$VERSION" >> $GITHUB_ENV
 
       - name: Install ${{ matrix.package }}
+        if: env.SKIP != 'true'
         run: apt-get install -y ${{ matrix.package }}
 
       - name: Verify ${{ matrix.package }} version
+        if: env.SKIP != 'true'
         run: |
           INSTALLED=$(dpkg -s ${{ matrix.package }} | grep '^Version:' | awk '{print $2}')
           echo "Installed version: $INSTALLED"
-          echo "Expected version:  $EXPECTED_VERSION"
-          if [ "$INSTALLED" != "$EXPECTED_VERSION" ]; then
-            echo "Version mismatch!"
-            exit 1
+          if [ -n "$EXPECTED_VERSION" ]; then
+            echo "Expected version:  $EXPECTED_VERSION"
+            if [ "$INSTALLED" != "$EXPECTED_VERSION" ]; then
+              echo "Version mismatch!"
+              exit 1
+            fi
           fi
           ${{ matrix.package }} -V

.github/workflows/update-repositories.yml

@@ -96,3 +96,54 @@ jobs:
           done
           (aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
           aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
+
+  verify-apt-repo:
+    needs:
+      - apt-sign
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+    steps:
+      - name: Verify published repository signatures and metadata
+        run: |
+          set -euo pipefail
+          sudo apt update -y
+          sudo apt install -y curl gpg
+
+          WORKDIR=$(mktemp -d)
+          trap 'rm -rf "$WORKDIR"' EXIT
+          cd "$WORKDIR"
+
+          curl -fsSL https://apt.defguard.net/defguard.asc | gpg --dearmor -o keyring.gpg
+
+          for DIST in trixie bookworm; do
+            echo "=== Verifying $DIST ==="
+            curl -fsSL "https://apt.defguard.net/dists/${DIST}/Release" -o Release
+            curl -fsSL "https://apt.defguard.net/dists/${DIST}/Release.gpg" -o Release.gpg
+            curl -fsSL "https://apt.defguard.net/dists/${DIST}/InRelease" -o InRelease
+
+            gpgv --keyring "$WORKDIR/keyring.gpg" Release.gpg Release
+            gpgv --keyring "$WORKDIR/keyring.gpg" InRelease
+
+            for COMPONENT in $(awk '/^Components:/ {for (i=2; i<=NF; i++) print $i}' Release); do
+              PACKAGES_PATH="${COMPONENT}/binary-amd64/Packages"
+              EXPECTED_SHA=$(awk -v p="$PACKAGES_PATH" '/^SHA256:/{s=1; next} /^[A-Za-z]/{s=0} s && $3 == p {print $1; exit}' Release)
+              # InRelease must describe the same metadata as the detached-signed
+              # Release, otherwise apt clients see a signature/content mismatch
+              INRELEASE_SHA=$(awk -v p="$PACKAGES_PATH" '/^SHA256:/{s=1; next} /^[A-Za-z-]/{s=0} s && $3 == p {print $1; exit}' InRelease)
+              if [ -z "$EXPECTED_SHA" ] || [ "$EXPECTED_SHA" != "$INRELEASE_SHA" ]; then
+                echo "SHA256 entry for $PACKAGES_PATH missing or differs between Release and InRelease in $DIST"
+                exit 1
+              fi
+              curl -fsSL "https://apt.defguard.net/dists/${DIST}/${PACKAGES_PATH}" -o Packages
+              ACTUAL_SHA=$(sha256sum Packages | awk '{print $1}')
+              if [ "$ACTUAL_SHA" != "$EXPECTED_SHA" ]; then
+                echo "Checksum mismatch for $DIST/$PACKAGES_PATH"
+                echo "expected: $EXPECTED_SHA"
+                echo "actual:   $ACTUAL_SHA"
+                exit 1
+              fi
+              echo "$DIST/$PACKAGES_PATH OK"
+            done
+          done