Better packages

.fpm

@@ -1,6 +1,6 @@
 -s dir
 --name defguard-gateway
---description "Defguard VPN gateway service"
+--description "Defguard Gateway service"
 --url "https://defguard.net/"
 --maintainer "Defguard"
---config-files /etc/defguard/gateway.toml.sample
+--config-files /etc/defguard/gateway.toml

.github/workflows/release.yml

@@ -122,57 +122,101 @@ jobs:
         with:
           fpm_args:
             "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-gateway
-            defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service
-            example-config.toml=/etc/defguard/gateway.toml.sample"
-          fpm_opts: "--architecture amd64 --output-type deb --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb --after-install after-install.sh"
+            linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service
+            example-config.toml=/etc/defguard/gateway.toml"
+          fpm_opts:
+            "--architecture amd64
+            --output-type deb
+            --version ${{ env.VERSION }}
+            --package defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb
+            --before-install linux/preinst
+            --after-install linux/postinst
+            --before-remove linux/prerm
+            --after-remove linux/postrm"
 
       - name: Build aarch64 DEB package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-gateway
-            defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service
-            example-config.toml=/etc/defguard/gateway.toml.sample"
-          fpm_opts: "--architecture arm64 --output-type deb --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb --after-install after-install.sh"
+            linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service
+            example-config.toml=/etc/defguard/gateway.toml"
+          fpm_opts:
+            "--architecture arm64
+            --output-type deb
+            --version ${{ env.VERSION }}
+            --package defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb
+            --before-install linux/preinst
+            --after-install linux/postinst
+            --before-remove linux/prerm
+            --after-remove linux/postrm"
 
       - name: Build x86_64 RPM package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-gateway
-            defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service
-            example-config.toml=/etc/defguard/gateway.toml.sample"
-          fpm_opts: "--architecture amd64 --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm --after-install after-install.sh"
+            linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service
+            example-config.toml=/etc/defguard/gateway.toml"
+          fpm_opts:
+            "--architecture amd64
+            --output-type rpm
+            --version ${{ env.VERSION }}
+            --package defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm
+            --before-install linux/preinst
+            --after-install linux/postinst
+            --before-remove linux/prerm
+            --after-remove linux/postrm"
 
       - name: Build aarch64 RPM package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-gateway
-            defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service
-            example-config.toml=/etc/defguard/gateway.toml.sample"
-          fpm_opts: "--architecture arm64 --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm --after-install after-install.sh"
+            linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service
+            example-config.toml=/etc/defguard/gateway.toml"
+          fpm_opts:
+            "--architecture arm64
+            --output-type rpm
+            --version ${{ env.VERSION }}
+            --package defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm
+            --before-install linux/preinst
+            --after-install linux/postinst
+            --before-remove linux/prerm
+            --after-remove linux/postrm"
 
       - name: Build FreeBSD package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway
-            defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard-gateway
-            example-config.toml=/etc/defguard/gateway.toml.sample"
-          fpm_opts: "--architecture amd64 --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg --freebsd-osversion '*' --depends openssl"
+            freebsd/defguard-gateway=/usr/local/etc/rc.d/defguard-gateway
+            example-config.toml=/etc/defguard/gateway.toml"
+          fpm_opts:
+            "--architecture amd64
+            --output-type freebsd
+            --version ${{ env.VERSION }}
+            --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg
+            --freebsd-osversion '*'
+            --depends openssl"
 
       - name: Build OPNsense package
         uses: defGuard/fpm-action@main
         with:
           fpm_args:
             "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway
-            defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard-gateway
-            example-config.toml=/etc/defguard/gateway.toml.sample
+            freebsd/defguard-gateway=/usr/local/etc/rc.d/defguard-gateway
+            example-config.toml=/etc/defguard/gateway.toml
             defguard-rc.conf=/etc/rc.conf.d/defguard_gateway
             opnsense/src/etc/=/usr/local/etc/
             opnsense/src/opnsense/=/usr/local/opnsense/"
-          fpm_opts: "--architecture amd64 --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*' --depends openssl"
+          fpm_opts:
+            "--architecture amd64
+            --output-type freebsd
+            --version ${{ env.VERSION }}
+            --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-opnsense.pkg
+            --freebsd-osversion '*'
+            --depends openssl"
 
       - name: Upload Linux x86_64 archive
         uses: shogo82148/actions-upload-release-asset@v1

example-config.toml

@@ -1,9 +1,9 @@
-# This is an example config file for defguard VPN gateway
-# To use it fill in actual values for your deployment below
+# This is an example config file for Defguard Gateway.
+# To use it fill in actual values for your deployment below.
 
 # Required: use userspace WireGuard implementation (e.g. wireguard-go)
 userspace = false
-# Required: how often should interface stat updates be sent to defguard server (in seconds)
+# Required: how often should interface stat updates be sent to Defguard Core (in seconds)
 stats_period = 60
 # Required: name of WireGuard interface
 ifname = "wg0"
@@ -26,14 +26,13 @@ syslog_socket = "/var/run/log"
 # Example: Add a default route after WireGuard interface is up:
 #post_up = "/path/to/ip route add default via 192.168.1.1 dev wg0"
 
-
 # Optional: Command which will be run before bringing interface down
 # Example: Remove WireGuard-related firewall rules before interface is taken down:
 #pre_down = "/path/to/iptables -D INPUT -i wg0 -j ACCEPT"
 
 # Optional: Command which will be run after bringing interface down
 # Example: Remove the default route after WireGuard interface is down:
-#post_down = "/pat/to/ip route del default via 192.168.1.1 dev wg0"
+#post_down = "/path/to/ip route del default via 192.168.1.1 dev wg0"
 
 # A HTTP port that will expose the REST HTTP gateway health status
 # STATUS CODES:

defguard-gateway.service.freebsd → freebsd/defguard-gateway

@@ -8,13 +8,12 @@
 
 name="defguard_gateway"
 rcvar=defguard_gateway_enable
-command="/usr/local/sbin/defguard-gateway"
+command="/usr/local/bin/defguard-gateway"
 config="/etc/defguard/gateway.toml"
 start_cmd="${name}_start"
 
-defguard_gateway_start()
-{
-  ${command} --config ${config} &
+defguard_gateway_start() {
+	${command} --config ${config} &
 }
 
 load_rc_config $name

linux/defguard-gateway.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Defguard Gateway service
+Documentation=https://docs.defguard.net/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=defguard
+Group=defguard
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/defguard-gateway --config /etc/defguard/gateway.toml
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=65536
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+TasksMax=infinity
+OOMScoreAdjust=-1000
+
+[Install]
+WantedBy=multi-user.target

linux/postinst

@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+SERVICE_NAME='defguard-gateway'
+
+case "${1}" in
+1 | configure)
+	if [ -x /usr/bin/systemctl ]; then
+		/usr/bin/systemctl daemon-reload
+		/usr/bin/systemctl enable ${SERVICE_NAME}
+		/usr/bin/systemctl --no-block start ${SERVICE_NAME}
+	fi
+	;;
+abort-upgrade | abort-remove | abort-deconfigure)
+	if [ -x /usr/bin/systemctl ]; then
+		/usr/bin/systemctl daemon-reload
+		if /usr/bin/systemctl is-enabled --quiet ${SERVICE_NAME}; then
+			/usr/bin/systemctl --no-block restart ${SERVICE_NAME}
+		fi
+	fi
+	;;
+esac

linux/postrm

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if [ -x /usr/bin/systemctl ]; then
+	/usr/bin/systemctl --quiet daemon-reload || true
+fi
+
+if id -u ${USERNAME} >/dev/null 2>&1; then
+	echo "If no longer needed, remove ${USERNAME} manually: userdel ${USERNAME}"
+fi

linux/preinst

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if ! id -u ${USERNAME} >/dev/null 2>&1; then
+	useradd --system --user-group --no-create-home ${USERNAME}
+fi
+
+mkdir -p /etc/defguard
+chown -R ${USERNAME}:${USERNAME} /etc/defguard
+chmod 750 /etc/defguard

linux/prerm

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+SERVICE_NAME='defguard-gateway'
+
+if [ -x /usr/bin/systemctl ]; then
+	/usr/bin/systemctl --no-block --quiet stop ${SERVICE_NAME} || true
+fi