diff --git a/kairos/PKGBUILD b/kairos/PKGBUILD
new file mode 100644
index 0000000..d198137
--- /dev/null
+++ b/kairos/PKGBUILD
@@ -0,0 +1,34 @@
+# Maintainer: Manuel Vögele
+pkgname=kairos-git
+pkgver=r1.b944db1
+pkgrel=1
+
+arch=('any')
+makedepends=(
+ 'git'
+ 'cargo'
+)
+source=(
+ 'git+ssh://gitea@git.ccn.li/manuel/kairos.git'
+ 'kairos.service'
+ 'sysusers.d'
+)
+sha256sums=('SKIP'
+ '8b9f5051c907039e9705e317aea37dec78d35263a43aa4991f07d9889ba44e73'
+ '14bb91d122edffa798fd3d8bb0628d267ce06f37c35b78195a71d4a0fbf61348')
+
+pkgver() {
+ cd "${srcdir}/kairos"
+ printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+
+build() {
+ cd "${srcdir}/kairos"
+ cargo build --release
+}
+
+package() {
+ install -Dm755 "${srcdir}/kairos/target/release/kairos" "${pkgdir}/usr/bin/kairos"
+ install -Dm644 "${srcdir}/kairos.service" "${pkgdir}/usr/lib/systemd/system/kairos.service"
+ install -Dm644 "${srcdir}/sysusers.d" "${pkgdir}/usr/lib/sysusers.d/kairos.conf"
+}
diff --git a/kairos/kairos.service b/kairos/kairos.service
new file mode 100644
index 0000000..d652b3d
--- /dev/null
+++ b/kairos/kairos.service
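Review bot: In kairos/PKGBUILD, `build()` runs `cargo build --release` without `--locked`, so cargo may re-resolve dependencies and build crate versions other than the ones recorded in the repository's Cargo.lock (assuming one is committed). Because the git source is unpinned and carries a `'SKIP'` checksum, the lockfile is the only thing that could fix what ends up in the installed binary. Use `cargo build --release --locked`, ideally preceded by a `prepare()` that runs `cargo fetch --locked`, so that `build()` can use `--frozen` and needs no network access. Separately, `arch=('any')` declares a compiled binary architecture-independent; it should list the architectures actually built, e.g. `arch=('x86_64')`.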
@@ -0,0 +1,42 @@
+[Unit]
+After=network-online.target
+
+[Service]
+User=kairos
+Environment=RUST_LOG=info
+Environment=KAIROS_CONFIG_FILE=/etc/kairos.toml
+ExecStart=/usr/bin/kairos
+
+Restart=on-failure
+RestartSec=5s
+
+ReadOnlyPaths=/etc/kairos.toml
+ReadWritePaths=/var/lib/kairos/
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateMounts=yes
+DevicePolicy=closed
+ProtectSystem=strict
+ProtectHome=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+ProtectKernelLogs=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+RemoveIPC=yes
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/kairos/sysusers.d b/kairos/sysusers.d
new file mode 100644
index 0000000..2f17e49
--- /dev/null
+++ b/kairos/sysusers.d
@@ -0,0 +1 @@
+u kairos - "Unprivileged user for running kairos"
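Review bot: In kairos/kairos.service, `ReadWritePaths=/var/lib/kairos/` names a directory that nothing in this commit creates (the PKGBUILD installs only the binary, the unit and the sysusers file), and systemd fails the unit at namespace setup when a listed path is missing. Replace it with `StateDirectory=kairos`, which makes systemd create /var/lib/kairos owned by `User=kairos` and keeps it writable under `ProtectSystem=strict`. The same failure applies to `ReadOnlyPaths=/etc/kairos.toml` while the config file does not exist; `ReadOnlyPaths=-/etc/kairos.toml` tolerates that, and the line is redundant in any case because `ProtectSystem=strict` already mounts /etc read-only. `After=network-online.target` only orders the unit, so add `Wants=network-online.target` to have the target actually pulled in.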