Build packages with custom user

moubctez · moubctez · commit e8a6bccdee62 · 2026-04-22T09:05:19.000+02:00
diff --git a/.github/workflows/lint-web.yml b/.github/workflows/lint-web.yml
@@ -28,20 +28,30 @@ jobs:
         uses: actions/checkout@v6
         with:
           submodules: recursive
-      - uses: actions/setup-node@v6
+
+      - name: Install NodeJS
+        uses: actions/setup-node@v6
         with:
           node-version: 25
-      - name: install deps
-        working-directory: ./web
-        run: |
-          npm i -g pnpm
-          pnpm i --frozen-lockfile
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v6
+        with:
+          cache: true
+          version: 10
+
+      - name: Install deps
+        working-directory: web
+        run: pnpm install --frozen-lockfile
+
       - name: Build translations
-        working-directory: ./web
+        working-directory: web
         run: pnpm dlx @inlang/paraglide-js compile --project ./project.inlang --outdir ./src/paraglide
+
       - name: Lint
-        working-directory: ./web
+        working-directory: web
         run: pnpm lint
+
       - name: Audit
-        working-directory: ./web
+        working-directory: web
         run: pnpm audit --prod --ignore-unfixable
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,6 +1,8 @@
 name: Make a new release
 on:
   push:
+    branches:
+      - pkg
     tags:
       - v*.*.*
 
@@ -55,6 +57,8 @@ jobs:
         with:
           draft: true
           generate_release_notes: true
+          release_name: pkg
+          tag_name: pkg
 
   create-sbom:
     needs:
@@ -141,45 +145,85 @@ jobs:
         with:
           fpm_args:
             "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-proxy
-            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            linux/defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
             example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture amd64 --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb"
+          fpm_opts:
+            "--architecture amd64
+            --output-type deb
+            --version ${{ env.VERSION }}
+            --package defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb
+            --before-install linux/preinst
+            --after-install linux/postinst
+            --before-remove linux/prerm
+            --after-remove linux/postrm"
 
       - name: Build aarch64 DEB package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-proxy
-            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            linux/defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
             example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture arm64 --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb"
+          fpm_opts:
+            "--architecture arm64
+            --output-type deb
+            --version ${{ env.VERSION }}
+            --package defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb
+            --before-install linux/preinst
+            --after-install linux/postinst
+            --before-remove linux/prerm
+            --after-remove linux/postrm"
 
       - name: Build x86_64 RPM package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-proxy
-            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            linux/defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
             example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture amd64 --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm"
+          fpm_opts:
+            "--architecture amd64
+            --output-type rpm
+            --version ${{ env.VERSION }}
+            --package defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm
+            --before-install linux/preinst
+            --after-install linux/postinst
+            --before-remove linux/prerm
+            --after-remove linux/postrm"
 
       - name: Build aarch64 RPM package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-proxy
-            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            linux/defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
             example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture arm64 --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm"
+          fpm_opts:
+            "--architecture arm64
+            --output-type rpm
+            --version ${{ env.VERSION }}
+            --package defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm
+            --before-install linux/preinst
+            --after-install linux/postinst
+            --before-remove linux/prerm
+            --after-remove linux/postrm"
 
       - name: Build FreeBSD package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-proxy
-            defguard-proxy.service.freebsd=/usr/local/etc/rc.d/defguard-proxy
+            freebsd/defguard-proxy=/usr/local/etc/rc.d/defguard-proxy
             example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture amd64 --output-type freebsd --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg --freebsd-osversion '*' --depends openssl"
+          fpm_opts:
+            "--architecture amd64
+            --output-type freebsd
+            --version ${{ env.VERSION }}
+            --package defguard-proxy-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg
+            --freebsd-osversion '*'
+            --depends openssl
+            --before-install freebsd/preinst
+            --after-install freebsd/postinst"
 
       - name: Upload Linux x86_64 archive
         uses: shogo82148/actions-upload-release-asset@v1
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -15,7 +15,7 @@ rustls-pki-types = "1"
 # base `axum` deps
 axum = { version = "0.8", features = ["ws"] }
 axum-client-ip = "0.7"
-axum-extra = { version = "0.10", features = [
+axum-extra = { version = "0.12", features = [
     "cookie",
     "cookie-private",
     "typed-header",
diff --git a/freebsd/defguard-proxy b/freebsd/defguard-proxy
diff --git a/freebsd/postrm b/freebsd/postrm
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if id -u ${USERNAME} >/dev/null 2>&1
+then
+	pw user del -n ${USERNAME}
+fi
diff --git a/freebsd/preinst b/freebsd/preinst
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if ! id -u ${USERNAME} >/dev/null 2>&1
+then
+	pw -q user add -n ${USERNAME} -g nogroup -c "Defguard" -d /nonexistent -s /usr/sbin/nologin
+fi
diff --git a/linux/defguard-proxy.service b/linux/defguard-proxy.service
@@ -1,12 +1,12 @@
 [Unit]
-Description=defguard proxy service
+Description=Defguard Edge service
 Documentation=https://defguard.gitbook.io/defguard/
 Wants=network-online.target
 After=network-online.target
 
 [Service]
-DynamicUser=yes
 User=defguard
+Group=defguard
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/usr/bin/defguard-proxy --config /etc/defguard/proxy.toml
 KillMode=process
diff --git a/linux/postinst b/linux/postinst
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+SERVICE_NAME='defguard-proxy'
+
+case "${1}" in
+1 | configure)
+	if [ -x /usr/bin/systemctl ]; then
+		/usr/bin/systemctl daemon-reload
+		/usr/bin/systemctl enable ${SERVICE_NAME}
+		/usr/bin/systemctl --no-block start ${SERVICE_NAME}
+	fi
+	;;
+abort-upgrade | abort-remove | abort-deconfigure)
+	if [ -x /usr/bin/systemctl ]; then
+		/usr/bin/systemctl daemon-reload
+		if /usr/bin/systemctl is-enabled ${SERVICE_NAME} >/dev/null 2>&1; then
+			/usr/bin/systemctl start ${SERVICE_NAME} || true
+		fi
+	fi
+	;;
+esac
diff --git a/linux/postrm b/linux/postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+case $1 in
+0)
+	if [ "${1}" = 'purge' ]; then
+		userdel ${USERNAME} >/dev/null || true
+	fi
+	;;
+1)
+	if [ -x /usr/bin/systemctl ]; then
+		/usr/bin/systemctl daemon-reload >/dev/null 2>&1 || true
+	fi
+	;;
+esac
diff --git a/linux/preinst b/linux/preinst
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if ! id -u ${USERNAME} >/dev/null 2>&1; then
+	useradd --system --user-group --no-create-home ${USERNAME}
+fi
diff --git a/linux/prerm b/linux/prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+SERVICE_NAME='defguard-proxy'
+
+if [ -x /usr/bin/systemctl ]; then
+	/usr/bin/systemctl --no-block stop ${SERVICE_NAME} >/dev/null 2>&1 || true
+fi
diff --git a/web/package.json b/web/package.json
@@ -18,9 +18,15 @@
     "@inlang/paraglide-js": "^2.16.0",
     "@tanstack/react-devtools": "^0.9.13",
     "@tanstack/react-form": "^1.29.0",
+<<<<<<< Updated upstream
     "@tanstack/react-query": "^5.99.2",
     "@tanstack/react-query-devtools": "^5.99.2",
     "@tanstack/react-router": "^1.168.23",
+=======
+    "@tanstack/react-query": "^5.99.0",
+    "@tanstack/react-query-devtools": "^5.99.0",
+    "@tanstack/react-router": "^1.168.22",
+>>>>>>> Stashed changes
     "@tanstack/react-router-devtools": "^1.166.13",
     "@uidotdev/usehooks": "^2.4.1",
     "axios": "^1.15.1",
diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml
