📦👷 — Build better deb package in release.sh + test building in CI

.gitignore

@@ -9,3 +9,5 @@
 *.deb
 *.minisig
 *.qcow2
+debian-packaging/*
+*.swp

.gitlab-ci.yml

@@ -1,38 +1,15 @@
 ---
-image: debian:bookworm
+image: golang:1.20-bookworm
 stages:
-  - deb
+  - build
 
 variables:
-  DEBIAN_FRONTEND: noninteractive  
+  DEBIAN_FRONTEND: noninteractive
-  DEBFULLNAME: Ppom
-  DEBEMAIL: reaction@ppom.me
 
-make_deb:
+test_building:
-  stage: deb
+  stage: build
   before_script:
-    - echo "deb http://deb.debian.org/debian bookworm-backports main" > /etc/apt/sources.list.d/backports.list
     - apt-get -qq -y update
     - apt-get -qq -y install build-essential devscripts debhelper quilt wget
-    - apt-get -qq -y install golang-go -t bookworm-backports
   script:
-    - mkdir debian-packaging public
+    - make reaction ip46tables nft46
-    - cd debian-packaging
-    - wget "https://framagit.org/ppom/reaction/-/archive/${CI_COMMIT_TAG}/reaction-${CI_COMMIT_TAG}.tar.gz" -O "reaction_${CI_COMMIT_TAG:1}.orig.tar.gz"
-    - tar xf "reaction_${CI_COMMIT_TAG:1}.orig.tar.gz"
-    - cp -r ../debian "reaction-${CI_COMMIT_TAG}"
-    - cd "reaction-${CI_COMMIT_TAG}"
-    - if [[ -e debian/changelog ]]; then
-          dch --package reaction --newversion "${CI_COMMIT_TAG:1}-1" "New upstream release.";
-      else
-          dch --create --package reaction --newversion "${CI_COMMIT_TAG:1}-1" "Initial release.";
-      fi
-    - dch --release --distribution stable --urgency low ""
-    - debuild -us -uc
-    - cp debian/changelog "../reaction_${CI_COMMIT_TAG:1}-1_amd64.deb" ../../public
-  artifacts:
-    expire_in: 1 week
-    paths:
-      - public
-  only:
-    - tags

DEBIAN/control

@@ -1,19 +0,0 @@
-Package: reaction
-Version: LAST_TAG
-Architecture: amd64
-Maintainer: ppom <>
-Section: utils
-Package-Type: deb
-Priority: Optional
-Homepage: https://framagit.org/ppom/reaction
-Description: A daemon that scans program outputs for repeated patterns, and takes action
- A common use of reaction is to scan ssh and web server logs,
- and ban hosts that cause multiple authentication errors.
- reaction doesn't have all the features of the honorable fail2ban,
- but it's ~10x faster and easier to configure.
-Tag: admin::automation, admin::logging, admin::monitoring,
- interface::commandline, interface::daemon,
- network::firewall, protocol::ip, role::program,
- security::authentication, security::firewall, security::ids,
- security::log-analyzer, use::login, use::monitor,
- works-with-format::plaintext, works-with::logfile, works-with::text

DEBIAN/postinst

@@ -1,50 +0,0 @@
-#! /bin/sh
-# postinst script for reaction
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <postinst> `configure' <most-recently-configured-version>
-#        * <old-postinst> `abort-upgrade' <new version>
-#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
-#          <new-version>
-#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
-#          <failed-install-package> <version> `removing'
-#          <conflicting-package> <version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-#
-
-case "$1" in
-    configure|abort-upgrade|abort-remove|abort-deconfigure)
-
-    ;;
-
-    *)
-        echo "postinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# The following line should be removed in trixie or trixie+1
-deb-systemd-helper unmask 'reaction.service' >/dev/null || true
-
-# was-enabled defaults to true, so new installations run enable.
-if deb-systemd-helper --quiet was-enabled 'reaction.service'; then
-  # Enables the unit on first installation, creates new
-  # symlinks on upgrades if the unit file has changed.
-  deb-systemd-helper enable 'reaction.service' >/dev/null || true
-else
-  # Update the statefile to add new symlinks (if any), which need to be
-  # cleaned up on purge. Also remove old symlinks.
-  deb-systemd-helper update-state 'reaction.service' >/dev/null || true
-fi
-
-if [ -d /run/systemd/system ]; then
-  systemctl --system daemon-reload >/dev/null || true
-fi
-
-
-exit 0

DEBIAN/postrm

@@ -1,40 +0,0 @@
-#! /bin/sh
-# postrm script for reaction
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <postrm> `remove'
-#        * <postrm> `purge'
-#        * <old-postrm> `upgrade' <new-version>
-#        * <new-postrm> `failed-upgrade' <old-version>
-#        * <new-postrm> `abort-install'
-#        * <new-postrm> `abort-install' <old-version>
-#        * <new-postrm> `abort-upgrade' <old-version>
-#        * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
-# for details, see /usr/doc/packaging-manual/
-
-
-case "$1" in
-		purge|disappear)
-			# Remove configuration
-			rm -f /etc/reaction.yml
-			# Remove database
-			rm -f /var/lib/reaction/*
-		;;
-		remove|upgrade|failed-upgrade|abort-install|abort-upgrade)
-			# nothing
-		;;
-esac
-
-if [ "$1" = remove ] && [ -d /run/systemd/system ] ; then
-	systemctl --system daemon-reload >/dev/null || true
-fi
-
-if [ "$1" = "purge" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper purge 'reaction.service' >/dev/null || true
-	fi
-fi

DEBIAN/prerm

@@ -1,6 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = remove ] && [ -d /run/systemd/system ] ; then
-	deb-systemd-invoke stop 'reaction.service' >/dev/null || true
-fi

Makefile

@@ -6,7 +6,7 @@ SYSTEMDDIR ?= /etc/systemd
 all: reaction ip46tables nft46
 
 clean:
-	rm -f reaction ip46tables nft46 reaction.deb deb reaction.minisig ip46tables.minisig reaction.deb.minisig nft46.minisig
+	rm -f reaction ip46tables nft46 reaction*.deb debian-packaging reaction.minisig ip46tables.minisig nft46.minisig reaction*.deb.minisig
 
 ip46tables: helpers_c/ip46tables.c
 	$(CC) -s -static helpers_c/ip46tables.c -o ip46tables
@@ -17,19 +17,28 @@ nft46: helpers_c/nft46.c
 reaction: app/* reaction.go go.mod go.sum
 	CGO_ENABLED=0 go build -buildvcs=false -ldflags "-s -X main.version=`git tag --sort=v:refname | tail -n1` -X main.commit=`git rev-parse --short HEAD`"
 
-reaction.deb: reaction ip46tables nft46
+reaction_%-1_amd64.deb:
-	chmod +x reaction ip46tables nft46
+	apt-get -qq -y update
-	mkdir -p deb/reaction/usr/bin/ deb/reaction/usr/sbin/ deb/reaction/lib/systemd/system/
+	apt-get -qq -y install build-essential devscripts debhelper quilt wget
-	cp reaction ip46tables nft46 deb/reaction/usr/bin/
+	if [ -e debian-packaging ]; then rm -rf debian-packaging; fi
-	cp config/reaction.debian.service deb/reaction/lib/systemd/system/reaction.service
+	mkdir debian-packaging
-	cp -r DEBIAN/ deb/reaction/DEBIAN
+	wget "https://framagit.org/ppom/reaction/-/archive/v${*}/reaction-v${*}.tar.gz" -O "debian-packaging/reaction_${*}.orig.tar.gz"
-	sed -e "s/LAST_TAG/`git tag --sort=v:refname | tail -n1`/" -e "s/Version: v/Version: /" -i deb/reaction/DEBIAN/*
+	cd debian-packaging && tar xf "reaction_${*}.orig.tar.gz"
-	cd deb && dpkg-deb --root-owner-group --build reaction
+	cp -r debian "debian-packaging/reaction-v${*}"
-	mv deb/reaction.deb reaction.deb
+	if [ -e "debian/changelog" ]; then \
-	rm -rf deb/
+        cd "debian-packaging/reaction-v${*}" && \
+        DEBFULLNAME=Ppom DEBEMAIL=reaction@ppom.me dch --package reaction --newversion "${*}-1" "New upstream release."; \
+    else \
+        cd "debian-packaging/reaction-v${*}" && \
+        DEBFULLNAME=Ppom DEBEMAIL=reaction@ppom.me dch --create --package reaction --newversion "${*}-1" "Initial release."; \
+    fi
+	cd "debian-packaging/reaction-v${*}" && DEBFULLNAME=Ppom DEBEMAIL=reaction@ppom.me dch --release --distribution stable --urgency low ""
+	cd "debian-packaging/reaction-v${*}" && debuild --prepend-path=/go/bin:/usr/local/go/bin -us -uc
+	cp "debian-packaging/reaction-v${*}/debian/changelog" debian/
+	cp "debian-packaging/reaction_${*}-1_amd64.deb" .
 
-signatures: reaction.deb reaction ip46tables nft46
+signatures_%: reaction_%-1_amd64.deb reaction ip46tables nft46
-	minisign -Sm ip46tables nft46 reaction reaction.deb
+	minisign -Sm nft46 ip46tables reaction reaction_${*}-1_amd64.deb
 
 install: all
 	install -m755 reaction $(DESTDIR)$(BINDIR)

debian/control

@@ -1,12 +1,14 @@
 Source: reaction
 Maintainer: Luc Didry <luc.reaction@didry.org>
-Section: misc
+Section: utils
 Priority: optional
 Standards-Version: 4.6.2
-Build-Depends: debhelper-compat (= 13), golang-go (>= 2:1.21~)
+Build-Depends: debhelper-compat (= 13)
+Homepage: https://framagit.org/ppom/reaction
 
 Package: reaction
 Architecture: any
+Package-Type: deb
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: daemon that scans program outputs for patterns, and takes action
  A common use of reaction is to scan ssh and web server logs,

debian/rules

@@ -4,4 +4,5 @@
 
 override_dh_auto_install:
 	install -m755 reaction $$(pwd)/debian/reaction/usr/bin
+	install -m755 nft46 $$(pwd)/debian/reaction/usr/sbin
 	install -m755 ip46tables $$(pwd)/debian/reaction/usr/sbin

release.sh

@@ -4,13 +4,13 @@ set -exu
 
 git push --tags
 
-docker run -it --rm -e HOME=/tmp/ -v "$(pwd)":/tmp/code -w /tmp/code -u "$(id -u)" golang:1.20 make reaction.deb
-
-make signatures
-
 TAG="$(git tag --sort=v:refname | tail -n1)"
 
-rsync -avz -e 'ssh -J pica01' ./ip46tables ./nft46 ./reaction ./reaction.deb ./nft46.minisig ./ip46tables.minisig ./reaction.minisig ./reaction.deb.minisig akesi:/var/www/static/reaction/releases/"$TAG"
+docker run -it --rm -e HOME=/tmp/ -v "$(pwd)":/tmp/code -w /tmp/code debian:bookworm sh -c "make reaction_${TAG:1}-1_amd64.deb reaction ip46tables nft46"
+
+make "signatures_${TAG:1}"
+
+rsync -avz -e 'ssh -J pica01' ./ip46tables ./nft46 ./reaction ./reaction_${TAG:1}-1_amd64.deb ./nft46.minisig ./ip46tables.minisig ./reaction.minisig ./reaction_${TAG:1}-1_amd64.deb.minisig akesi:/var/www/static/reaction/releases/"$TAG"
 
 TOKEN="$(rbw get framagit.org token)"