From f9a23dec99df6184805a82e1228e7b9df985a957 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Fri, 27 Oct 2023 17:44:28 +0100 Subject: [PATCH] Update Debian package --- contrib/.DS_Store | Bin 0 -> 6148 bytes contrib/deb/generate.sh | 64 ++++++++++++------ .../systemd/yggdrasil-default-config.service | 12 ++-- contrib/systemd/yggdrasil.service | 12 ++-- 4 files changed, 56 insertions(+), 32 deletions(-) create mode 100644 contrib/.DS_Store diff --git a/contrib/.DS_Store b/contrib/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..6116147462bb7351bfd2bb86ff6280de2c119bb6 GIT binary patch literal 6148 zcmeHKO^?$s5FNMOHf2HT0nlEMB5`e@%g4fsOX)5Lt`xxmP)V9ns!ii6Nw=V?QqS-o z_zQ>|e+2#uCwODKRg$t-c7;5Z{T%zv#Ce(6H4%yKEZ8S%5RrqzSh>vB!lRE-Zv9q<7B2-JP4V+6 zrU^-k_4mHve=YDYBkBy%KLRCvpcd{Ep`>{~aiic@rhtaz7g(PQtSVTN26O^$VJ6~N zfm@?@nDdaMVm?7Wa%ogxSFn~z8j&pUew@Yg=gHI$l@8ziX*f>OcKfF&l`A{dnp1Oj zoj1Mra^6e5be43z_!VD0mooI%ZO?x(9?tuXt4A_Qy>T>*mBTm~g7W(1I11#vD`!!V zDBqqQaOzII-`HC$4h|2R?&1Aq(_QS}ZQp6S5AHo&F6+*z{;^NPfcHVFIhQ zvMUDH!0K+E`?MEFp^R7;=I`Kbdr(?Zl2@dBgwbqw}BJ*fF@$ zsFn^?>IeX=pj#Q*{HK9^T!S5hD~%X|3GE8huEHEKgmy>2Yj_=lD~;NnggJZ&b7x^r zC_>#G@m)nH(a~sYtAJG?uRvK}HhBMka`yQ@?_{s60#){dN|%| uU6i*dY|L9}R4%B@cB~q_74M-a! /tmp/$PKGNAME/debian/changelog << EOF Please see https://github.com/yggdrasil-network/yggdrasil-go/ 
@@ -68,35 +71,52 @@ EOF cat > /tmp/$PKGNAME/debian/install << EOF usr/bin/yggdrasil usr/bin usr/bin/yggdrasilctl usr/bin -etc/systemd/system/*.service etc/systemd/system +usr/lib/systemd/system/*.service usr/lib/systemd/system EOF cat > /tmp/$PKGNAME/debian/postinst << EOF #!/bin/sh +systemctl daemon-reload + if ! getent group yggdrasil 2>&1 > /dev/null; then - groupadd --system --force yggdrasil || echo "Failed to create group 'yggdrasil' - please create it manually and reinstall" + groupadd --system --force yggdrasil fi -if [ -f /etc/yggdrasil.conf ]; +if [ ! -d /etc/yggdrasil ]; +then + mkdir -p /etc/yggdrasil + chown root:yggdrasil /etc/yggdrasil + chmod 750 /etc/yggdrasil +fi + +if [ ! -f /etc/yggdrasil/yggdrasil.conf ]; +then + test -f /etc/yggdrasil.conf && mv /etc/yggdrasil.conf /etc/yggdrasil/yggdrasil.conf +fi + +if [ -f /etc/yggdrasil/yggdrasil.conf ]; then mkdir -p /var/backups echo "Backing up configuration file to /var/backups/yggdrasil.conf.`date +%Y%m%d`" - cp /etc/yggdrasil.conf /var/backups/yggdrasil.conf.`date +%Y%m%d` - echo "Normalising and updating /etc/yggdrasil.conf" - /usr/bin/yggdrasil -useconf -normaliseconf < /var/backups/yggdrasil.conf.`date +%Y%m%d` > /etc/yggdrasil.conf - chgrp yggdrasil /etc/yggdrasil.conf + cp /etc/yggdrasil/yggdrasil.conf /var/backups/yggdrasil.conf.`date +%Y%m%d` - if command -v systemctl >/dev/null; then - systemctl daemon-reload >/dev/null || true - systemctl enable yggdrasil || true - systemctl start yggdrasil || true - fi + echo "Normalising and updating /etc/yggdrasil/yggdrasil.conf" + /usr/bin/yggdrasil -useconf -normaliseconf < /var/backups/yggdrasil.conf.`date +%Y%m%d` > /etc/yggdrasil/yggdrasil.conf + + chown root:yggdrasil /etc/yggdrasil/yggdrasil.conf + chmod 640 /etc/yggdrasil/yggdrasil.conf else - echo "Generating initial configuration file /etc/yggdrasil.conf" - echo "Please familiarise yourself with this file before starting Yggdrasil" - sh -c 'umask 0027 && /usr/bin/yggdrasil -genconf > 
/etc/yggdrasil.conf' - chgrp yggdrasil /etc/yggdrasil.conf + echo "Generating initial configuration file /etc/yggdrasil/yggdrasil.conf" + /usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf + + chown root:yggdrasil /etc/yggdrasil/yggdrasil.conf + chmod 640 /etc/yggdrasil/yggdrasil.conf fi + +systemctl enable yggdrasil +systemctl restart yggdrasil + +exit 0 EOF cat > /tmp/$PKGNAME/debian/prerm << EOF #!/bin/sh @@ -110,13 +130,13 @@ EOF cp yggdrasil /tmp/$PKGNAME/usr/bin/ cp yggdrasilctl /tmp/$PKGNAME/usr/bin/ -cp contrib/systemd/*.service /tmp/$PKGNAME/etc/systemd/system/ +cp contrib/systemd/*.service /tmp/$PKGNAME/usr/lib/systemd/system/ -tar -czvf /tmp/$PKGNAME/data.tar.gz -C /tmp/$PKGNAME/ \ +tar --no-xattrs -czvf /tmp/$PKGNAME/data.tar.gz -C /tmp/$PKGNAME/ \ usr/bin/yggdrasil usr/bin/yggdrasilctl \ - etc/systemd/system/yggdrasil.service \ - etc/systemd/system/yggdrasil-default-config.service -tar -czvf /tmp/$PKGNAME/control.tar.gz -C /tmp/$PKGNAME/debian . + usr/lib/systemd/system/yggdrasil.service \ + usr/lib/systemd/system/yggdrasil-default-config.service +tar --no-xattrs -czvf /tmp/$PKGNAME/control.tar.gz -C /tmp/$PKGNAME/debian . echo 2.0 > /tmp/$PKGNAME/debian-binary ar -r $PKGFILE \ diff --git a/contrib/systemd/yggdrasil-default-config.service b/contrib/systemd/yggdrasil-default-config.service index e9fe45be..dc3fdc5a 100644 --- a/contrib/systemd/yggdrasil-default-config.service +++ b/contrib/systemd/yggdrasil-default-config.service 
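Review bot: In the generated postinst, the first-install branch now runs `/usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf` under the installer's default umask and only tightens the file with `chmod 640` afterwards; the removed line wrapped this in `umask 0027`. The generated config holds the node's private key, and `/etc/yggdrasil` is only forced to 750 when the script itself creates it, so a pre-existing directory with looser permissions leaves the file readable for a short window. Keeping the umask closes that: `(umask 0027 && /usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf)`. Separately, the heredoc delimiter is unquoted, so the backticked `date +%Y%m%d` in the backup lines appears to be expanded when generate.sh builds the package rather than at install time; escaping the backticks would defer it to the target machine.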
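Review bot: Both `tar --no-xattrs -czvf` calls archive the staging tree without forcing ownership. Unless generate.sh runs as root or under fakeroot (not visible in this hunk), the packaged `usr/bin/yggdrasil`, `usr/bin/yggdrasilctl` and unit files are recorded with the build user's uid/gid, and dpkg would be expected to install them with that owner. With GNU tar, adding `--owner=0 --group=0 --numeric-owner` to both commands pins them to root. The staging directory is still the predictable, unquoted `/tmp/$PKGNAME`; a directory from `mktemp -d` would stop another local user on a shared build host from pre-creating it.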
@@ -1,13 +1,13 @@ [Unit] -Description=yggdrasil default config generator -ConditionPathExists=|!/etc/yggdrasil.conf -ConditionFileNotEmpty=|!/etc/yggdrasil.conf +Description=Yggdrasil default config generator +ConditionPathExists=|!/etc/yggdrasil/yggdrasil.conf +ConditionFileNotEmpty=|!/etc/yggdrasil/yggdrasil.conf Wants=local-fs.target After=local-fs.target [Service] Type=oneshot Group=yggdrasil -StandardOutput=file:/etc/yggdrasil.conf -ExecStart=/usr/bin/yggdrasil -genconf -ExecStartPost=/usr/bin/chmod 0640 /etc/yggdrasil.conf +ExecStartPre=/usr/bin/mkdir -p /etc/yggdrasil +ExecStart=/usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf +ExecStartPost=/usr/bin/chmod -R 0640 /etc/yggdrasil diff --git a/contrib/systemd/yggdrasil.service b/contrib/systemd/yggdrasil.service index cdada6c0..0b8f8ca8 100644 --- a/contrib/systemd/yggdrasil.service +++ b/contrib/systemd/yggdrasil.service @@ -1,5 +1,5 @@ [Unit] -Description=yggdrasil +Description=Yggdrasil Network Wants=network-online.target Wants=yggdrasil-default-config.service After=network-online.target @@ -8,14 +8,18 @@ After=yggdrasil-default-config.service [Service] Group=yggdrasil ProtectHome=true -ProtectSystem=true +ProtectSystem=strict +NoNewPrivileges=true +RuntimeDirectory=yggdrasil +ReadWritePaths=/var/run/yggdrasil/ /run/yggdrasil/ SyslogIdentifier=yggdrasil CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE ExecStartPre=+-/sbin/modprobe tun -ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf +ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf.backup ExecReload=/bin/kill -HUP $MAINPID Restart=always TimeoutStopSec=5 [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file
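Review bot: `ExecStart=/usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf` will not write the file, because systemd does not run `ExecStart=` through a shell; `>` and the path reach yggdrasil as plain arguments, which the removed `StandardOutput=file:` line avoided. `ExecStartPost=/usr/bin/chmod -R 0640 /etc/yggdrasil` also strips the search bit from the directory itself, which conflicts with the 750 that postinst sets. That would likely stop the main service from opening its config, since its capability bounding set has no DAC override. I would use `ExecStart=/bin/sh -c 'umask 0027 && /usr/bin/yggdrasil -genconf > /etc/yggdrasil/yggdrasil.conf'` and `ExecStartPost=/usr/bin/chmod 0750 /etc/yggdrasil`, so the key-bearing file is never created with a wider mode.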
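Review bot: `ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf.backup` in yggdrasil.service points at a path that nothing in this commit creates, while postinst and yggdrasil-default-config.service now use `/etc/yggdrasil/yggdrasil.conf`; it looks like a leftover test value, and with `Restart=always` the unit would restart in a loop on a fresh install. It should read `ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil/yggdrasil.conf`. `ReadWritePaths=/var/run/yggdrasil/ /run/yggdrasil/` looks redundant with `RuntimeDirectory=yggdrasil`, which already provides a writable directory under `ProtectSystem=strict`. No `User=` is set in the [Service] section shown, so the process still starts as root and `AmbientCapabilities=` adds little until an unprivileged user is configured.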