authorGeorge Rawlinson2021-12-30 01:14:29 +0000
committerGeorge Rawlinson2021-12-30 01:14:29 +0000
commit33bafab52ac07d60ea4df8d8c010bf628299bc97 (patch)
tree08c33088a5b025c57d56fd5dba915c267f468cb2
parent64a48799fcce9dc1d4b20966ea8025ea5d7a4853 (diff)
downloadaur-33bafab52ac07d60ea4df8d8c010bf628299bc97.tar.gz
upgpkg: immudb 1.2.1-3
* Add systemd service template to automatically point at correct documentation URL. * Add systemd service hardening parameters. * Remove unnecessary path from tmpfiles configuration.
-rw-r--r--.SRCINFO10
-rw-r--r--PKGBUILD23
-rw-r--r--systemd.service31
-rw-r--r--tmpfiles.conf1
4 files changed, 48 insertions, 17 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 5ce25ac3192a..d16355df5688 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = immudb
pkgdesc = Immutable database built on a zero-trust model
pkgver = 1.2.1
- pkgrel = 2
+ pkgrel = 3
url = https://codenotary.com/technologies/immudb/
arch = x86_64
license = Apache
@@ -19,15 +19,15 @@ pkgbase = immudb
source = config.toml
sha512sums = SKIP
sha512sums = 7c9a218aeaa91edd7a5283f8c09838f3eeca49b9fe358365c29245b3b0ce447748c9aad96dc695cad943e7171e3435a8f869dac050273993dc06bd584eb3b945
- sha512sums = 914ff4dc617b0e64bf8c98f87a56522d741305c251d798ea9dbaa5a081dbcebe8e1b97584ee60915ef29657c6a5fcf28d61456a16167ae5bb652e699b4a77c8f
+ sha512sums = c95d9df140d239946e29551c63383b83e2e052f91924162876e61f8fd51560556bbe118ff1c264bfe2f7e972e231b79546b78d93e0f7a039b507fc85a13a5035
sha512sums = 6368c07fbf02025c207ab7909e4483d274d369e48b69a8062e86b9db9758f21da74131e1dd74a44bf6c778e0a2880ed25039c5c01b1cc52bbe6a6065edca245a
- sha512sums = 8679bde00795504a344663f0bcbd32c452604727ab53131b97c2c8bdf03638e115b02cc944402f32dbc6432d050aa764f6efab1ae85b97e4ef8c6770e76b06f8
+ sha512sums = 54b4f53c902f4c77000973879881092e62e673bac7149cd77e33172eae1a46b3cf69c07001cc41858d962929213fe48f3185009f664a155e72a830591de3d69f
sha512sums = 5a8156ca7a5fa84975acf23fa222715b9c61d17325c56b00983b79922d1a63124a36e41880797bfb774903b0b3c8877e087b3231564f9bd79ad43ab5fd26187d
b2sums = SKIP
b2sums = 7a0b07c3992f8f45d08e39ec733c857773c5c99db3d8efa1731e291bea0810954e0750d4ceef5c7126039f22c594967fbea40d2363a90a415e42f12a4ebf733c
- b2sums = e1cc430a9d31094f4c3049a70d2861875e2a5917e8b446d7622253b07f4b34dece991f9bd03ddbaa45ba31a75183f8cb3067b75d2f8a59cbadfadd2233c41c30
+ b2sums = 6a7931e877cefe21b98fe1e0a8bc1a77bbe7bd386347e3a416a189e4a3831d19aaa7ea97cb34f37e0c442eb18758f9427694113d4b10a713e308485ec7cd0de0
b2sums = 01777a70ae86d89eafbadae4487bcac03357d1ea9bc76d8de0b5560d43c82d351fe22bdf34a74b7d014abc94057ed38f3dd9e21961645562172e225705ed90f9
- b2sums = f0bb661fbeae5b58b56b5ba2c4c99f2517521ff7ee90b0b6108fe588940d4a0434ad1ad1552ad16442b1e4c8ba3d33b5d1c5c133d273140afd9c19849f53f2fa
+ b2sums = 29b41df6c374dc6beebd9622760b94b0ce95c1261f0121ce13eee614aa0a53eaa8c8029a087d339f2bdf6a4a6d955a0df9c50bdc0900bca29256e5f0b2bb71e5
b2sums = fe3cbf75d72500c0809f3a47c959429e008d648d4298ad53e870be194a4ebe9173805b4c634bc1e5e53a00a350f794afbd0b8ae869d05cff487a9a627891431d
pkgname = immudb
diff --git a/PKGBUILD b/PKGBUILD
index d8e0cf85648c..05badc3f3556 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,7 +2,7 @@
pkgname=immudb
pkgver=1.2.1
-pkgrel=2
+pkgrel=3
pkgdesc="Immutable database built on a zero-trust model"
arch=('x86_64')
url="https://codenotary.com/technologies/immudb/"
@@ -24,15 +24,15 @@ source=(
noextract=("$pkgname-webconsole-$_wcver.tar.gz")
sha512sums=('SKIP'
'7c9a218aeaa91edd7a5283f8c09838f3eeca49b9fe358365c29245b3b0ce447748c9aad96dc695cad943e7171e3435a8f869dac050273993dc06bd584eb3b945'
- '914ff4dc617b0e64bf8c98f87a56522d741305c251d798ea9dbaa5a081dbcebe8e1b97584ee60915ef29657c6a5fcf28d61456a16167ae5bb652e699b4a77c8f'
+ 'c95d9df140d239946e29551c63383b83e2e052f91924162876e61f8fd51560556bbe118ff1c264bfe2f7e972e231b79546b78d93e0f7a039b507fc85a13a5035'
'6368c07fbf02025c207ab7909e4483d274d369e48b69a8062e86b9db9758f21da74131e1dd74a44bf6c778e0a2880ed25039c5c01b1cc52bbe6a6065edca245a'
- '8679bde00795504a344663f0bcbd32c452604727ab53131b97c2c8bdf03638e115b02cc944402f32dbc6432d050aa764f6efab1ae85b97e4ef8c6770e76b06f8'
+ '54b4f53c902f4c77000973879881092e62e673bac7149cd77e33172eae1a46b3cf69c07001cc41858d962929213fe48f3185009f664a155e72a830591de3d69f'
'5a8156ca7a5fa84975acf23fa222715b9c61d17325c56b00983b79922d1a63124a36e41880797bfb774903b0b3c8877e087b3231564f9bd79ad43ab5fd26187d')
b2sums=('SKIP'
'7a0b07c3992f8f45d08e39ec733c857773c5c99db3d8efa1731e291bea0810954e0750d4ceef5c7126039f22c594967fbea40d2363a90a415e42f12a4ebf733c'
- 'e1cc430a9d31094f4c3049a70d2861875e2a5917e8b446d7622253b07f4b34dece991f9bd03ddbaa45ba31a75183f8cb3067b75d2f8a59cbadfadd2233c41c30'
+ '6a7931e877cefe21b98fe1e0a8bc1a77bbe7bd386347e3a416a189e4a3831d19aaa7ea97cb34f37e0c442eb18758f9427694113d4b10a713e308485ec7cd0de0'
'01777a70ae86d89eafbadae4487bcac03357d1ea9bc76d8de0b5560d43c82d351fe22bdf34a74b7d014abc94057ed38f3dd9e21961645562172e225705ed90f9'
- 'f0bb661fbeae5b58b56b5ba2c4c99f2517521ff7ee90b0b6108fe588940d4a0434ad1ad1552ad16442b1e4c8ba3d33b5d1c5c133d273140afd9c19849f53f2fa'
+ '29b41df6c374dc6beebd9622760b94b0ce95c1261f0121ce13eee614aa0a53eaa8c8029a087d339f2bdf6a4a6d955a0df9c50bdc0900bca29256e5f0b2bb71e5'
'fe3cbf75d72500c0809f3a47c959429e008d648d4298ad53e870be194a4ebe9173805b4c634bc1e5e53a00a350f794afbd0b8ae869d05cff487a9a627891431d')
pkgver() {
@@ -52,6 +52,9 @@ prepare() {
# create directory for build output
mkdir -p output/{bash,fish,zsh}
+ # create systemd service with correct link to documentation
+ sed "s/@@PKGVER@@/$pkgver/" ../systemd.service > output/systemd.service
+
# download dependencies
go mod download
}
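Review bot: The `sed` added to prepare() expands `$pkgver` before makepkg has run the `pkgver()` function this PKGBUILD defines (its opening line is visible in the preceding hunk's context), because makepkg calls pkgver() after prepare(). If pkgver() ever returns something other than the hard-coded value, the generated unit keeps the stale version in its Documentation URL. Doing the substitution in build() or package() avoids that, and reading the template through `$srcdir` removes the dependence on the current directory: `sed "s/@@PKGVER@@/$pkgver/" "$srcdir/systemd.service" > output/systemd.service`. prepare() starts outside this hunk, so the working directory at this point is not visible here.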
@@ -67,7 +70,7 @@ build() {
# generate web console
go generate -tags webconsole ./webconsole
- # build binary
+ # build binaries
go build -v \
-trimpath \
-buildmode=pie \
@@ -76,13 +79,13 @@ build() {
-ldflags "-linkmode external -extldflags ${LDFLAGS} \
-X github.com/codenotary/immudb/cmd/version.Version=${pkgver} \
-X github.com/codenotary/immudb/cmd/version.Commit=${_commit} \
- -X github.com/codenotary/immudb/cmd/version.BuiltBy=someone@builder \
+ -X github.com/codenotary/immudb/cmd/version.BuiltBy=makepkg \
-X github.com/codenotary/immudb/cmd/version.BuiltAt=$(date -d@"$SOURCE_DATE_EPOCH" +%Y%m%d-%H:%M:%S)" \
-o output \
-tags webconsole \
./cmd/{immudb,immuclient,immuadmin}
- # create completion
+ # create shell completion scripts
for client in immudb immuclient immuadmin; do
for shell in bash fish zsh; do
"./output/$client" completion "$shell" > "output/$shell/$client"
@@ -109,11 +112,11 @@ package() {
install -vDm644 "output/zsh/$completion" "$pkgdir/usr/share/zsh/site-functions/_$completion"
done
- # man page
+ # man pages
install -vDm644 tools/packaging/deb/man/immu{client,db}.1 -t "$pkgdir/usr/share/man/man1"
# systemd integration
- install -vDm644 ../systemd.service "$pkgdir/usr/lib/systemd/system/$pkgname.service"
+ install -vDm644 output/systemd.service "$pkgdir/usr/lib/systemd/system/$pkgname.service"
install -vDm644 ../sysusers.conf "$pkgdir/usr/lib/sysusers.d/$pkgname.conf"
install -vDm644 ../tmpfiles.conf "$pkgdir/usr/lib/tmpfiles.d/$pkgname.conf"
diff --git a/systemd.service b/systemd.service
index 163fda2b202e..8759ed190e43 100644
--- a/systemd.service
+++ b/systemd.service
@@ -1,7 +1,7 @@
[Unit]
Description=immudb database daemon
Documentation=https://github.com/codenotary/immudb
-Documentation=https://docs.immudb.io/master/
+Documentation=https://docs.immudb.io/@@PKGVER@@/
Wants=network-online.target
After=network-online.target
@@ -15,7 +15,36 @@ WorkingDirectory=/var/lib/immudb
Restart=on-failure
RestartSec=5
TimeoutStopSec=20
+
+# Hardening
+ReadWritePaths=/var/log/immudb
+ReadWritePaths=/var/lib/immudb
UMask=0027
+NoNewPrivileges=true
+LimitNOFILE=1048576
+ProtectSystem=strict
+ProtectHome=true
+PrivateUsers=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+CapabilityBoundingSet=
+AmbientCapabilities=
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
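Review bot: The two `SystemCallFilter=` lines keep systemd's default action for a filtered call, which is to terminate the process with SIGSYS rather than return an error. If the daemon or its Go runtime ever issues a call from `@privileged` or `@resources`, it would be killed and, with `Restart=on-failure`, presumably restarted in a loop. Adding `SystemCallErrorNumber=EPERM` after the filter lines makes such a call fail with an error the program can handle and log. Separately, `ProtectSystem=strict` combined with `ReadWritePaths=` makes startup depend on both directories already existing, so either prefix the paths with `-` or add a short comment that tmpfiles.conf creates them. The resulting sandbox can be checked with `systemd-analyze security immudb.service`.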
diff --git a/tmpfiles.conf b/tmpfiles.conf
index 8ec76a18abff..9e086c3e5dd6 100644
--- a/tmpfiles.conf
+++ b/tmpfiles.conf
@@ -1,4 +1,3 @@
d /var/lib/immudb 0750 immu immu
-d /var/lib/immudb/data 0750 immu immu
d /var/log/immudb 0750 immu immu
f /var/log/immudb/immudb.log 0640 immu immu