From de07dde3e45fbcb3aab337689bd66031d55fa8db Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:00:58 +0000
Subject: [PATCH 01/11] gitattributes: rm upstream lfs stuff

---
 .gitattributes | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/.gitattributes b/.gitattributes
index d4431eb..6009a9d 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -2,25 +2,3 @@
 vendor/* linguist-vendored
 website/* linguist-documentation
 /packagespec.mk linguist-generated
-*.ber filter=lfs diff=lfs merge=lfs -text
-*.DS_Store filter=lfs diff=lfs merge=lfs -text
-*.eot filter=lfs diff=lfs merge=lfs -text
-*.gif filter=lfs diff=lfs merge=lfs -text
-*.ico filter=lfs diff=lfs merge=lfs -text
-*.jks filter=lfs diff=lfs merge=lfs -text
-*.jpg filter=lfs diff=lfs merge=lfs -text
-*.lzma filter=lfs diff=lfs merge=lfs -text
-*.p12 filter=lfs diff=lfs merge=lfs -text
-*.pdf filter=lfs diff=lfs merge=lfs -text
-*.png filter=lfs diff=lfs merge=lfs -text
-*.snap filter=lfs diff=lfs merge=lfs -text
-*.ttf filter=lfs diff=lfs merge=lfs -text
-*.woff filter=lfs diff=lfs merge=lfs -text
-*.woff2 filter=lfs diff=lfs merge=lfs -text
-*.xz filter=lfs diff=lfs merge=lfs -text
-*.zip filter=lfs diff=lfs merge=lfs -text
-bin/codechecker filter=lfs diff=lfs merge=lfs -text
-Godeps/_workspace/src/github.com/gocql/gocql/testdata/pki/.keystore filter=lfs diff=lfs merge=lfs -text
-Godeps/_workspace/src/github.com/gocql/gocql/testdata/pki/.truststore filter=lfs diff=lfs merge=lfs -text
-plugins/database/cassandra/test-fixtures/with_tls/stores/keystore filter=lfs diff=lfs merge=lfs -text
-plugins/database/cassandra/test-fixtures/with_tls/stores/truststore filter=lfs diff=lfs merge=lfs -text

From 6dcdd730a388d0f57cced180a311fef719990fa7 Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:12:22 +0000
Subject: [PATCH 02/11] debian: add gbp.conf

---
 debian/gbp.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 debian/gbp.conf
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..83dc0c6
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,8 @@
+[DEFAULT]
+debian-branch = debian/stable
+dist = DEP14
+
+[builder.debspawn]
+image = stable
+lintian = true
+results-dir = ~/open-vault.results

From 7c87289cab38379eb543f11a07328b8e1d542dc6 Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:08:37 +0000
Subject: [PATCH 03/11] debian: changelog (1.14.8-1)

---
 debian/changelog | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 debian/changelog

diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..6b46ebd
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+open-vault (1.14.8-1) stable; urgency=low
+
+ * New upstream version
+
+ -- Paul Stemmet Thu, 18 Apr 2024 13:13:56 +0000

From b39b364ac45145fa77a2631fdac163bf72645495 Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:11:15 +0000
Subject: [PATCH 04/11] debian: add control.Source, license

---
 debian/control | 18 +++
 debian/copyright | 367 +++++++++++++++++++++++++++++++++++++++++++
 debian/source/format | 1 +
 3 files changed, 386 insertions(+)
 create mode 100644 debian/control
 create mode 100644 debian/copyright
 create mode 100644 debian/source/format

diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..ffda10d
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,18 @@
+Source: open-vault
+Maintainer: Paul Stemmet
+Section: net
+Priority: optional
+Build-Depends: debhelper-compat (= 13),
+ dh-golang,
+ golang-any (>= 1.18.0),
+ npm,
+ yarnpkg,
+ acl,
+ git,
+ ca-certificates
+Standards-Version: 4.6.1.0
+XS-Go-Import-Path: github.com/hashicorp/vault
+Homepage: https://developer.hashicorp.com/vault/docs/v1.14.x
+Vcs-Browser: https://git.st8l.com/luxolus/open-vault
+Vcs-Git: https://git.st8l.com/luxolus/open-vault.git
+Rules-Requires-Root: no
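Review bot: The Build-Depends on `git` and `ca-certificates`, together with the `yarnpkg install` and `go mod download` steps in debian/rules, mean this source package is built with network access and the resulting binaries are only as trustworthy as proxy.golang.org and the npm registry were on the day of the build; that is worth stating above Build-Depends so nobody assumes a sealed build, e.g. `# NOTE: not an offline build — ui/ and Go module dependencies are fetched at configure time; see debian/rules`. If a sealed build is ever wanted, the Go module cache and ui/node_modules would have to be vendored into the source package instead. The `golang-any (>= 1.18.0)` floor should also be checked against the `go` directive in upstream's go.mod for 1.14.8, since a too-old toolchain only fails late, at `go build`.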
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..b3701ba
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,367 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: open-vault +Upstream-Contact: https://git.st8l.com/luxolus/open-vault/issues +Source: https://git.st8l.com/luxolus/open-vault + +Files: * +Copyright: 2013 HashiCorp, Inc. +License: MPL2 + +Files: debian/* +Copyright: Paul Stemmet +License: MPL2 + +License: MPL2 + Mozilla Public License, version 2.0 + . + 1. Definitions + . + 1.1. “Contributor” + . + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + . + 1.2. “Contributor Version” + . + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + . + 1.3. “Contribution” + . + means Covered Software of a particular Contributor. + . + 1.4. “Covered Software” + . + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + . + 1.5. “Incompatible With Secondary Licenses” + means + . + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + . + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + . + 1.6. “Executable Form” + . + means any form of the work other than Source Code Form. + . + 1.7. “Larger Work” + . + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + . + 1.8. “License” + . + means this document. + . + 1.9. “Licensable” + . + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + . + 1.10. “Modifications” + . 
+ means any of the following: + . + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + . + b. any new file in Source Code Form that contains any Covered Software. + . + 1.11. “Patent Claims” of a Contributor + . + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + . + 1.12. “Secondary License” + . + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + . + 1.13. “Source Code Form” + . + means the form of the work preferred for making modifications. + . + 1.14. “You” (or “Your”) + . + means an individual or a legal entity exercising rights under this + License. For legal entities, “You” includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control” means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + . + . + 2. License Grants and Conditions + . + 2.1. Grants + . + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + . + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + . 
+ b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + . + 2.2. Effective Date + . + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + . + 2.3. Limitations on Grant Scope + . + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + . + a. for any code that a Contributor has removed from Covered Software; or + . + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + . + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + . + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + . + 2.4. Subsequent Licenses + . + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + . + 2.5. Representation + . + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + . + 2.6. Fair Use + . 
+ This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + . + 2.7. Conditions + . + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + . + . + 3. Responsibilities + . + 3.1. Distribution of Source Form + . + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + . + 3.2. Distribution of Executable Form + . + If You distribute Covered Software in Executable Form then: + . + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + . + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + . + 3.3. Distribution of a Larger Work + . + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. 
If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + . + 3.4. Notices + . + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + . + 3.5. Application of Additional Terms + . + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + . + 4. Inability to Comply Due to Statute or Regulation + . + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. 
Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + . + 5. Termination + . + 5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + . + 5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + . + 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + . + 6. Disclaimer of Warranty + . 
+ Covered Software is provided under this License on an “as is” basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + . + 7. Limitation of Liability + . + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + . + 8. Litigation + . + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. 
Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + . + 9. Miscellaneous + . + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + . + . + 10. Versions of the License + . + 10.1. New Versions + . + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + . + 10.2. Effect of New Versions + . + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + . + 10.3. Modified Versions + . + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + . + 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + . + Exhibit A - Source Code Form License Notice + . + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. 
If a copy of the MPL was not
+ distributed with this file, You can
+ obtain one at
+ http://mozilla.org/MPL/2.0/.
+ .
+ If it is not possible or desirable to put the notice in a particular file, then
+ You may include the notice in a location (such as a LICENSE file in a relevant
+ directory) where a recipient would be likely to look for such a notice.
+ .
+ You may add additional accurate notices of copyright ownership.
+ .
+ Exhibit B - “Incompatible With Secondary Licenses” Notice
+ .
+ This Source Code Form is “Incompatible
+ With Secondary Licenses”, as defined by
+ the Mozilla Public License, v. 2.0.
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)

From 2ffa95fb7e95db2d9434d747c82a89bf9c577c30 Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:15:58 +0000
Subject: [PATCH 05/11] debian: add control.Package open-vault

---
 debian/control | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/debian/control b/debian/control
index ffda10d..022fc21 100644
--- a/debian/control
+++ b/debian/control
@@ -16,3 +16,16 @@ Homepage: https://developer.hashicorp.com/vault/docs/v1.14.x
 Vcs-Browser: https://git.st8l.com/luxolus/open-vault
 Vcs-Git: https://git.st8l.com/luxolus/open-vault.git
 Rules-Requires-Root: no
+
+Package: open-vault
+Provides: vault
+Conflicts: vault
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Built-Using: ${misc:Built-Using}
+Description: A tool for securely accessing secrets
+ Vault is an API first solution to securely store and tightly control
+ access to tokens, passwords, certificates, and encryption keys for
+ protecting secrets and other sensitive data using a UI, CLI, or HTTP API
+ .
+ This is a MPL2 licensed fork of Vault.

From 1c47ea6618eab6189e2f98790c2a162a8bf44c3d Mon Sep 17 00:00:00 2001
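Review bot: `Depends: ${shlibs:Depends}, ${misc:Depends}` in the open-vault stanza omits `libcap2-bin`, which provides the `setcap` that debian/open-vault.postinst runs under `set -e`; on a minimal system without it the package fails to configure rather than degrading gracefully. Add it to the binary package: `Depends: ${shlibs:Depends}, ${misc:Depends}, libcap2-bin`. Since the package ships `/usr/bin/vault`, `/etc/vault.d` and a `vault.service` alias, `Conflicts: vault` is right; if a real `vault` package exists in the target distribution you may also want `Replaces: vault` so dpkg can swap one for the other in a single transaction.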
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:04:49 +0000
Subject: [PATCH 06/11] debian: add open-vault config files

All the ancillary configuration files around maintainer scripts, systemd, sysusers, and user overrides
---
 debian/open-vault.default | 14 ++++++++++++++
 debian/open-vault.dirs | 1 +
 debian/open-vault.links | 1 +
 debian/open-vault.postinst | 9 +++++++++
 debian/open-vault.postrm | 7 +++++++
 debian/open-vault.preinst | 7 +++++++
 debian/open-vault.prerm | 7 +++++++
 debian/open-vault.service | 39 ++++++++++++++++++++++++++++++++++++++
 debian/open-vault.sysusers | 1 +
 9 files changed, 86 insertions(+)
 create mode 100644 debian/open-vault.default
 create mode 100644 debian/open-vault.dirs
 create mode 100644 debian/open-vault.links
 create mode 100644 debian/open-vault.postinst
 create mode 100644 debian/open-vault.postrm
 create mode 100644 debian/open-vault.preinst
 create mode 100644 debian/open-vault.prerm
 create mode 100644 debian/open-vault.service
 create mode 100644 debian/open-vault.sysusers

diff --git a/debian/open-vault.default b/debian/open-vault.default
new file mode 100644
index 0000000..069e420
--- /dev/null
+++ b/debian/open-vault.default
@@ -0,0 +1,14 @@
+# Any additional options to pass to 'vault server'
+#
+# For more, see: `vault server --help`
+VAULT_FLAGS=
+
+# Consider setting these, if you're in a containerized
+# environment.
+#
+# Go does not handle cgroup based limits well, for either
+# CPU or MEM.
+#
+# For more, see: https://pkg.go.dev/runtime
+#GOMAXPROCS=
+#GOMEMLIMIT=
diff --git a/debian/open-vault.dirs b/debian/open-vault.dirs
new file mode 100644
index 0000000..a141160
--- /dev/null
+++ b/debian/open-vault.dirs
@@ -0,0 +1 @@
+etc/vault.d
diff --git a/debian/open-vault.links b/debian/open-vault.links
new file mode 100644
index 0000000..8a5e9ae
--- /dev/null
+++ b/debian/open-vault.links
@@ -0,0 +1 @@
+lib/systemd/system/vault.service lib/systemd/system/open-vault.service
diff --git a/debian/open-vault.postinst b/debian/open-vault.postinst
new file mode 100644
index 0000000..2ba896e
--- /dev/null
+++ b/debian/open-vault.postinst
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+#DEBHELPER#
+
+setcap cap_ipc_lock=+ep /usr/bin/vault
+
+exit 0
diff --git a/debian/open-vault.postrm b/debian/open-vault.postrm
new file mode 100644
index 0000000..38bb1a8
--- /dev/null
+++ b/debian/open-vault.postrm
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/open-vault.preinst b/debian/open-vault.preinst
new file mode 100644
index 0000000..38bb1a8
--- /dev/null
+++ b/debian/open-vault.preinst
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/open-vault.prerm b/debian/open-vault.prerm
new file mode 100644
index 0000000..38bb1a8
--- /dev/null
+++ b/debian/open-vault.prerm
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/open-vault.service b/debian/open-vault.service
new file mode 100644
index 0000000..577f0a7
--- /dev/null
+++ b/debian/open-vault.service
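Review bot: `setcap cap_ipc_lock=+ep /usr/bin/vault` in postinst does nothing for the packaged service, because the unit in this same commit sets `NoNewPrivileges=yes`, under which execve does not honour file capabilities; the daemon's CAP_IPC_LOCK comes from the unit's `AmbientCapabilities=` instead. The file capability only matters when an operator runs `vault server` by hand, so say that next to the line: `# File cap is for manual 'vault server' runs only; the unit grants CAP_IPC_LOCK via AmbientCapabilities= and NoNewPrivileges= ignores file caps`. It also makes `setcap` (libcap2-bin) a hard runtime dependency that debian/control does not declare, and under `set -e` a missing binary aborts package configuration. None of the four maintainer scripts use a bash feature, so `#!/bin/sh` would avoid depending on bash.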
@@ -0,0 +1,39 @@
+[Unit]
+Description=A tool for managing secrets
+Documentation=https://developer.hashicorp.com/vault/docs/v1.14.x
+StartLimitIntervalSec=60
+StartLimitBurst=10
+After=network.target network-online.target
+
+[Service]
+Type=notify
+User=vault
+Group=vault
+EnvironmentFile=/etc/default/vault
+ExecStart=/bin/vault server ${VAULT_FLAGS} -config=/etc/vault.d/
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+
+# Service files / dirs
+RuntimeDirectory=vault
+StateDirectory=vault
+ConfigurationDirectory=vault.d
+
+# Service limits, hardening
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/open-vault.sysusers b/debian/open-vault.sysusers
new file mode 100644
index 0000000..a6c8b65
--- /dev/null
+++ b/debian/open-vault.sysusers
@@ -0,0 +1 @@
+u vault 972 - /var/lib/vault

From 565491f8b3480cd48c550d2319e48f6526765cc2 Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:18:59 +0000
Subject: [PATCH 07/11] debian: add rules for open-vault

Largely inherited from the open-consul build, however Vault's build requires separate steps for the UI component, and a more complex ldflags.
---
 debian/rules | 86 +++++++++++++++++++++++++++++++++++++++++
 debian/vault-ldflags.sh | 17 ++++++++
 2 files changed, 103 insertions(+)
 create mode 100755 debian/rules
 create mode 100755 debian/vault-ldflags.sh

diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..82606f5
--- /dev/null
+++ b/debian/rules
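Review bot: `ExecStart=/bin/vault server …` and `ExecReload=/bin/kill …` address the binary under /bin, while debian/rules installs it as `/usr/bin/vault` and postinst sets the capability on that path; this only works on a merged-/usr system and should match the install path, `ExecStart=/usr/bin/vault server ${VAULT_FLAGS} -config=/etc/vault.d/` and `ExecReload=/usr/bin/kill --signal HUP $MAINPID`. With `RuntimeDirectory=` and `StateDirectory=` already providing the writable locations, `ProtectSystem=strict` and `ProtectHome=yes` would be a tighter fit than `full`/`read-only`; if a storage path outside /var/lib/vault is expected, name it in `ReadWritePaths=` rather than leaving the whole filesystem writable. Note also that `dh_installsystemd` enables and starts this unit at package install while the package ships an empty `/etc/vault.d` and no configuration, so the first start will most likely fail and `Restart=on-failure` will cycle it until `StartLimitBurst` trips; either pass `--no-start` in the rules override or ship a minimal, commented example config.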
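Review bot: `u vault 972 - /var/lib/vault` pins a static UID/GID of 972 for the service account, which is not coordinated with the distribution's own system-account allocation, so a collision with an account already present on the host is possible and will surface only at install time. Unless something needs a stable ID (for example ownership of /var/lib/vault on a volume shared across hosts), let sysusers allocate one: `u vault - - /var/lib/vault`. If the fixed ID is deliberate, a comment above the line saying why (and that it must not be changed across upgrades because it owns the on-disk state) would save the next maintainer from "fixing" it.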
@@ -0,0 +1,86 @@
+#!/usr/bin/make -f
+
+# Defines:
+# DEB_SOURCE
+# DEB_VERSION
+# DEB_VERSION_EPOCH_UPSTREAM
+# DEB_VERSION_UPSTREAM_REVISION
+# DEB_VERSION_UPSTREAM
+# DEB_DISTRIBUTION
+# SOURCE_DATE_EPOCH
+include /usr/share/dpkg/pkg-info.mk
+
+#export DH_VERBOSE := 1
+
+PKGNAME := open-vault
+PKGALIAS := vault
+PKGDIR := debian/$(PKGNAME)
+SRCDIR := debian
+BUILDDIR := dist
+BUILDDATE := $(shell date -u '+%Y-%m-%dT%H:%M:%SZ' -d @$(SOURCE_DATE_EPOCH))
+
+export DH_OPTIONS
+export DEB_BUILD_OPTIONS ?= terse
+export DEB_BUILD_MAINT_OPTIONS := hardening=+all
+export YARNCACHE := /tmp/yarncache
+export GO111MODULE := on
+export GOFLAGS := -buildmode=pie -trimpath -mod=readonly -modcacherw
+export GOCACHE := /tmp/gocache
+export GOPATH := /tmp/gopath
+export GOPROXY := https://proxy.golang.org,direct
+export CGO_LDFLAGS = $(LDFLAGS)
+export CGO_CFLAGS = $(CFLAGS)
+export CGO_CPPFLAGS = $(CPPFLAGS)
+export CGO_CXXFLAGS = $(CXXFLAGS)
+# dh_golang doesn't do this for you
+ifeq ($(DEB_HOST_ARCH), i386)
+ export GOARCH := 386
+else ifeq ($(DEB_HOST_ARCH), amd64)
+ export GOARCH := amd64
+else ifeq ($(DEB_HOST_ARCH), armhf)
+ export GOARCH := arm
+else ifeq ($(DEB_HOST_ARCH), arm64)
+ export GOARCH := arm64
+endif
+
+%:
+ dh $@ --builddirectory=$(BUILDDIR) --buildsystem=golang --with=golang
+
+override_dh_clean:
+ rm -f debian/debhelper.log
+ dh_clean
+
+override_dh_auto_configure:
+ mkdir -p $(BUILDDIR) $(GOCACHE) $(GOPATH) $(YARNCACHE) /tmp/builder
+ setfacl -m "default:group::rwx" $(GOCACHE) $(GOPATH) $(YARNCACHE) /tmp/builder
+ mv $(SRCDIR)/$(PKGNAME).service $(SRCDIR)/$(PKGNAME).$(PKGALIAS).service
+ mv $(SRCDIR)/$(PKGNAME).default $(SRCDIR)/$(PKGNAME).$(PKGALIAS).default
+ mv $(SRCDIR)/$(PKGNAME).sysusers $(SRCDIR)/$(PKGNAME).$(PKGALIAS).sysusers
+ yarnpkg config set cacheFolder $(YARNCACHE)
+ ( cd "ui" && yarnpkg install )
+ go mod download
+ $(SRCDIR)/vault-ldflags.sh \
+ "v$(DEB_VERSION_UPSTREAM)" "$(DEB_VERSION)" "$(BUILDDATE)" \
+ > $(BUILDDIR)/.ldflags
+
+override_dh_auto_build:
+ ( cd "ui" ; npm rebuild node-sass ; yarnpkg run build )
+ go build -tags ui -ldflags "$$(< $(BUILDDIR)/.ldflags)" -o $(BUILDDIR) .
+
+override_dh_auto_install:
+ dh_installsysusers --name=$(PKGALIAS)
+
+ install -D -m755 $(BUILDDIR)/vault $(PKGDIR)/usr/bin/$(PKGALIAS)
+
+override_dh_auto_test:
+ # Check vault runs and is the correct version
+ $(BUILDDIR)/vault --version | head -1 | grep -qF -- "v$(DEB_VERSION_UPSTREAM)"
+
+override_dh_installsystemd:
+ dh_installsystemd --name=$(PKGALIAS)
+
+override_dh_installinit:
+ dh_installinit --name=$(PKGALIAS)
+
+override_dh_golang:
+ @echo "Skipping! dh_golang does not support external GOPATH build depends..."
diff --git a/debian/vault-ldflags.sh b/debian/vault-ldflags.sh
new file mode 100755
index 0000000..f4903c8
--- /dev/null
+++ b/debian/vault-ldflags.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Small shim to properly generate the ldflags
+# Vault expects for its buildconf
+
+xpath=github.com/hashicorp/vault/sdk/version
+version=$1 commit=$2 builddate=$3
+
+printf -- '%s ' \
+ "-linkmode=external" \
+ "-compressdwarf=false" \
+ $(
+ printf -- "-X ${xpath}.%s " \
+ "Version=${version}" \
+ "GitCommit=${commit}" \
+ "BuildDate=${builddate}"
+ )

From 1f3df3a64ad632da02b2369f36e60925422a4eda Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:16:46 +0000
Subject: [PATCH 08/11] debian: add control.Package open-vault-agent

---
 debian/control | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/debian/control b/debian/control
index 022fc21..9a3cd8b 100644
--- a/debian/control
+++ b/debian/control
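Review bot: `override_dh_auto_configure` puts the Go, yarn and builder caches at fixed, predictable paths in /tmp (`/tmp/gocache`, `/tmp/gopath`, `/tmp/yarncache`, `/tmp/builder`), and `mkdir -p` silently adopts them if they already exist, so on a shared or reused build host any other local user can pre-create those directories with a poisoned module/yarn cache or a symlink that ends up in the built binary — and `setfacl -m "default:group::rwx"` then widens them further. Keep the caches inside the build tree where dh_clean can remove them (e.g. `export GOCACHE := $(CURDIR)/debian/.cache/go` and likewise for GOPATH/YARNCACHE), or create them with `mktemp -d` per build. For reproducibility, `( cd "ui" && yarnpkg install )` should be `yarnpkg install --frozen-lockfile` so a build aborts instead of silently resolving different packages than ui/yarn.lock, and `go mod download` should be followed by `go mod verify`. Exporting `DEB_BUILD_MAINT_OPTIONS := hardening=+all` inside rules most likely does not change the `$(LDFLAGS)`/`$(CFLAGS)` make inherited from dpkg-buildpackage's environment, so the `CGO_*FLAGS` used by the direct `go build` call are presumably unhardened; `include /usr/share/dpkg/buildflags.mk` after that export makes it take effect. The three `mv` calls are not undone by `override_dh_clean`, so a second build from the same tree fails on the missing source files.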
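Review bot: The `$( printf … )` expansion is intentionally unquoted so the shell splits the three `-X` assignments into separate words, but that also subjects them to pathname expansion and breaks if any value contains whitespace; the inputs are a Debian version string and an ISO-8601 timestamp, so it is safe today, and the script should say so: `# unquoted on purpose: word-splitting turns the -X pairs into separate ldflags; values must not contain spaces or glob characters`. `commit=$2` is fed `$(DEB_VERSION)` from debian/rules, so the binary's `GitCommit` reports a Debian package version rather than a git hash — either rename the variable or note it, `# GitCommit carries the Debian package version, not an upstream commit`. Adding `set -eu` at the top would turn a missing argument into a hard error instead of silently emitting an empty `Version=`.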
@@ -29,3 +29,18 @@ Description: A tool for securely accessing secrets
 protecting secrets and other sensitive data using a UI, CLI, or HTTP API
 .
 This is a MPL2 licensed fork of Vault.
+
+Package: open-vault-agent
+Provides: vault-agent
+Conflicts: vault-agent
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, vault
+Built-Using: ${misc:Built-Using}
+Description: Systemd service and configuration for Vault agents
+ Vault agent(s) remove the initial hurdle to adopt Vault by
+ providing a more scalable and simpler way for applications
+ to integrate with Vault.
+ .
+ Providing the ability to render templates containing the
+ secrets required by your application, without requiring
+ changes to your application.

From 35743e405a1cbc1ffa1e5add1cc32a933343031d Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:13:28 +0000
Subject: [PATCH 09/11] debian: add open-vault-agent config files

---
 debian/open-vault-agent.dirs | 1 +
 debian/open-vault-agent.links | 1 +
 debian/open-vault-agent@.service | 26 ++++++++++++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 debian/open-vault-agent.dirs
 create mode 100644 debian/open-vault-agent.links
 create mode 100644 debian/open-vault-agent@.service

diff --git a/debian/open-vault-agent.dirs b/debian/open-vault-agent.dirs
new file mode 100644
index 0000000..3e2801e
--- /dev/null
+++ b/debian/open-vault-agent.dirs
@@ -0,0 +1 @@
+etc/vault-agent.d
diff --git a/debian/open-vault-agent.links b/debian/open-vault-agent.links
new file mode 100644
index 0000000..dcbc820
--- /dev/null
+++ b/debian/open-vault-agent.links
@@ -0,0 +1 @@
+lib/systemd/system/vault-agent@.service lib/systemd/system/open-vault-agent@.service
diff --git a/debian/open-vault-agent@.service b/debian/open-vault-agent@.service
new file mode 100644
index 0000000..9601900
--- /dev/null
+++ b/debian/open-vault-agent@.service
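Review bot: `Depends: ${shlibs:Depends}, ${misc:Depends}, vault` resolves through the virtual name, which any real `vault` package in the target distribution satisfies just as well as this source's `open-vault`, so the agent unit's `vault agent` may end up running a build this package was never tested with. Depend on the real package from this source, `Depends: ${shlibs:Depends}, ${misc:Depends}, open-vault (= ${binary:Version})`, or at minimum `open-vault | vault` with the real package listed first as Policy asks for virtual dependencies. `Architecture: any` also looks wrong for a package that ships only a unit file and a directory; if nothing architecture-specific is installed it should be `Architecture: all` and drop `${shlibs:Depends}`.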
@@ -0,0 +1,26 @@
+[Unit]
+Description=Vault agent (config:%i)
+Documentation=https://developer.hashicorp.com/vault/docs/agent
+After=network.target network-online.target
+
+ConditionPathIsDirectory=/etc/vault-agent.d/%i
+ConditionFileNotEmpty=/etc/vault-agent.d/%i/agent.hcl
+StartLimitIntervalSec=300
+StartLimitBurst=20
+
+[Service]
+User=vault
+Group=vault
+ExecStart=/bin/vault agent -config=/etc/vault-agent.d/%i/agent.hcl
+KillSignal=SIGINT
+
+Environment=GOMAXPROCS=2
+EnvironmentFile=-/etc/default/vault-agent
+EnvironmentFile=-/etc/vault-agent.d/%i/agent.env
+WorkingDirectory=/etc/vault-agent.d/%i
+TimeoutStopSec=30s
+Restart=on-failure
+RestartSec=15
+
+[Install]
+WantedBy=multi-user.target

From 47303383c4cc45a099c3706bd60c81951ab42917 Mon Sep 17 00:00:00 2001
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:21:13 +0000
Subject: [PATCH 10/11] debian: add rules for open-vault-agent

---
 debian/rules | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/rules b/debian/rules
index 82606f5..bc6a989 100755
--- a/debian/rules
+++ b/debian/rules
@@ -56,6 +56,7 @@ override_dh_auto_configure:
 mv $(SRCDIR)/$(PKGNAME).service $(SRCDIR)/$(PKGNAME).$(PKGALIAS).service
 mv $(SRCDIR)/$(PKGNAME).default $(SRCDIR)/$(PKGNAME).$(PKGALIAS).default
 mv $(SRCDIR)/$(PKGNAME).sysusers $(SRCDIR)/$(PKGNAME).$(PKGALIAS).sysusers
+ mv $(SRCDIR)/$(PKGNAME)-agent@.service $(SRCDIR)/$(PKGNAME)-agent.$(PKGALIAS)-agent@.service
 yarnpkg config set cacheFolder $(YARNCACHE)
 ( cd "ui" && yarnpkg install )
 go mod download
@@ -78,6 +79,7 @@ override_dh_auto_test:
 
 override_dh_installsystemd:
 dh_installsystemd --name=$(PKGALIAS)
+ dh_installsystemd --name=$(PKGALIAS)-agent@
 
 override_dh_installinit:
 dh_installinit --name=$(PKGALIAS)

From 914743bcddda94679e47075d22dd86e578386ea8 Mon Sep 17 00:00:00 2001
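Review bot: The agent template runs as the same `vault` account as the server but carries none of the server unit's hardening — no `NoNewPrivileges=`, `ProtectSystem=`, `ProtectHome=`, `PrivateTmp=`, `PrivateDevices=` or `CapabilityBoundingSet=` — while an agent's `template` stanzas write wherever `agent.hcl` points. Nothing in the packaging stops open-vault and open-vault-agent being co-installed, and on such a host a compromised agent, or a hostile `/etc/vault-agent.d/%i/agent.hcl`, can read the server's `/var/lib/vault` state (created by `StateDirectory=vault` for the same user) and signal the server process. Give the agent its own account (an extra sysusers line such as `u vault-agent - - /var/lib/vault-agent`, shipped by the agent package) and add the hardening block below, listing only the directories templates render into in `ReadWritePaths=`. `ExecStart=/bin/vault` has the same /bin-vs-/usr/bin mismatch with the install path in debian/rules as the server unit.

```systemd
[Service]
User=vault-agent
Group=vault-agent
ExecStart=/usr/bin/vault agent -config=/etc/vault-agent.d/%i/agent.hcl
# … unchanged: KillSignal, Environment*, WorkingDirectory, timeouts, Restart …

# Hardening, mirroring open-vault.service; the agent needs no capabilities.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=
RuntimeDirectory=vault-agent/%i
# ReadWritePaths= must list the directories this instance's templates render into
```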
From: Paul Stemmet
Date: Sat, 20 Apr 2024 13:14:23 +0000
Subject: [PATCH 11/11] debian: add source, package lintian-overrides

---
 debian/open-vault-agent.lintian-overrides | 7 +++++++
 debian/open-vault.lintian-overrides | 14 ++++++++++++++
 debian/source/lintian-overrides | 16 ++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 debian/open-vault-agent.lintian-overrides
 create mode 100644 debian/open-vault.lintian-overrides
 create mode 100644 debian/source/lintian-overrides

diff --git a/debian/open-vault-agent.lintian-overrides b/debian/open-vault-agent.lintian-overrides
new file mode 100644
index 0000000..9d3d1c4
--- /dev/null
+++ b/debian/open-vault-agent.lintian-overrides
@@ -0,0 +1,7 @@
+# vim: set ft=conf:
+
+# The 2000s called, they want their init system back.
+package-supports-alternative-init-but-no-init.d-script *
+
+initial-upload-closes-no-bugs *
+description-synopsis-starts-with-article *
diff --git a/debian/open-vault.lintian-overrides b/debian/open-vault.lintian-overrides
new file mode 100644
index 0000000..ed552b8
--- /dev/null
+++ b/debian/open-vault.lintian-overrides
@@ -0,0 +1,14 @@
+# vim: set ft=conf:
+
+# The upstream is a go binary that doesn't require stripping,
+# doesn't create manpages, and I don't care about
+# 'spelling errors' in the .data section of a binary.
+unstripped-binary-or-object [usr/bin/vault]
+no-manual-page [usr/bin/vault]
+spelling-error-in-binary * [usr/bin/vault]
+
+# The 2000s called, they want their init system back.
+package-supports-alternative-init-but-no-init.d-script *
+
+initial-upload-closes-no-bugs *
+description-synopsis-starts-with-article *
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..e25184f
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,16 @@
+# vim: set ft=conf:
+
+# The upstream generates and commits these like this.
+#
+# If this package was to ever be considered for inclusion in
+# mainline debian we'd need to fix these, but because I have
+# no desire to do that and it would be a massive PITA, ignore
+# these missing sources.
+source-is-missing *ui/tests*
+source-contains-prebuilt-javascript-object *ui/tests*
+
+# We set debhelper compat >= 13, therefore are unaffected
+override_dh_auto_test-does-not-check-DEB_BUILD_OPTIONS
+
+# Not relevant...
+package-does-not-install-examples [website/content/docs/platform/k8s/helm/examples/]