kairos: Add package

kairos/PKGBUILD

@@ -0,0 +1,34 @@
+# Maintainer: Manuel Vögele <aur@manuel-voegele.de>
+pkgname=kairos-git
+pkgver=r1.b944db1
+pkgrel=1
+
+arch=('any')
+makedepends=(
+	'git'
+	'cargo'
+)
+source=(
+	'git+ssh://gitea@git.ccn.li/manuel/kairos.git'
+	'kairos.service'
+	'sysusers.d'
+)
+sha256sums=('SKIP'
+            '8b9f5051c907039e9705e317aea37dec78d35263a43aa4991f07d9889ba44e73'
+            '14bb91d122edffa798fd3d8bb0628d267ce06f37c35b78195a71d4a0fbf61348')
+
+pkgver() {
+	cd "${srcdir}/kairos"
+	printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+
+build() {
+	cd "${srcdir}/kairos"
+	cargo build --release
+}
+
+package() {
+	install -Dm755 "${srcdir}/kairos/target/release/kairos" "${pkgdir}/usr/bin/kairos"
+	install -Dm644 "${srcdir}/kairos.service" "${pkgdir}/usr/lib/systemd/system/kairos.service"
+	install -Dm644 "${srcdir}/sysusers.d" "${pkgdir}/usr/lib/sysusers.d/kairos.conf"
+}

kairos/kairos.service

@@ -0,0 +1,42 @@
+[Unit]
+After=network-online.target
+
+[Service]
+User=kairos
+Environment=RUST_LOG=info
+Environment=KAIROS_CONFIG_FILE=/etc/kairos.toml
+ExecStart=/usr/bin/kairos
+
+Restart=on-failure
+RestartSec=5s
+
+ReadOnlyPaths=/etc/kairos.toml
+ReadWritePaths=/var/lib/kairos/
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateMounts=yes
+DevicePolicy=closed
+ProtectSystem=strict
+ProtectHome=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+ProtectKernelLogs=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+RemoveIPC=yes
+
+
+[Install]
+WantedBy=multi-user.target

kairos/sysusers.d

@@ -0,0 +1 @@
+u kairos - "Unprivileged user for running kairos"