Create Debian package for beszel-agent (#497)

* Add Debian package to build Signed-off-by: Daniel Lo Nigro <git@d.sb> * Fix Lintian issues Signed-off-by: Daniel Lo Nigro <git@d.sb> * - Add prerm script to stop and disable service - Add security/sandboxing options to systemd unit Signed-off-by: Daniel Lo Nigro <git@d.sb> --------- Signed-off-by: Daniel Lo Nigro <git@d.sb>
2025-10-19 01:39:34 +08:00 · 2025-02-03 16:08:01 -08:00
parent 5a8e8c1512
commit e689f547ef
9 changed files with 172 additions and 0 deletions
--- a/beszel/.goreleaser.yml
+++ b/beszel/.goreleaser.yml
@@ -68,6 +68,48 @@ archives:
      {{- .Os }}_
      {{- .Arch }}

+nfpms:
+  - id: beszel-agent
+    package_name: beszel-agent
+    description: |-
+      Agent for Beszel
+      Beszel is a lightweight server monitoring platform that includes Docker
+      statistics, historical data, and alert functions. It has a friendly web
+      interface, simple configuration, and is ready to use out of the box.
+      It supports automatic backup, multi-user, OAuth authentication, and
+      API access.
+    maintainer: henrygd <hank@henrygd.me>
+    section: net
+    builds:
+      - beszel-agent
+    formats:
+      - deb
+    dependencies:
+      - libc6
+    contents:
+      - src: ../supplemental/debian/beszel-agent.service
+        dst: lib/systemd/system/beszel-agent.service
+        packager: deb
+      - src: ../supplemental/debian/copyright
+        dst: usr/share/doc/beszel-agent/copyright
+        packager: deb
+      - src: ../supplemental/debian/lintian-overrides
+        dst: usr/share/lintian/overrides/beszel-agent
+        packager: deb
+    scripts:
+      postinstall: ../supplemental/debian/postinstall.sh
+      preremove: ../supplemental/debian/prerm.sh
+      postremove: ../supplemental/debian/postrm.sh
+    deb:
+      predepends:
+        - adduser
+        - debconf
+      scripts:
+        templates: ../supplemental/debian/templates
+        # Currently broken due to a bug in goreleaser
+        # https://github.com/goreleaser/goreleaser/issues/5487
+        #config: ../supplemental/debian/config.sh
+
 release:
  draft: true

--- a/supplemental/debian/beszel-agent.service
+++ b/supplemental/debian/beszel-agent.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Beszel Agent Service
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Environment="PORT=45876"
+# Port number can be overridden in beszel-agent.conf if needed
+EnvironmentFile=/etc/beszel-agent.conf
+ExecStart=/usr/bin/beszel-agent
+User=beszel
+Restart=on-failure
+StateDirectory=beszel-agent
+
+# Security/sandboxing settings
+KeyringMode=private
+LockPersonality=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernel=yes
+ProtectKernelLogs=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
--- a/supplemental/debian/config.sh
+++ b/supplemental/debian/config.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+db_input high beszel-agent/key || true
+db_go
--- a/supplemental/debian/copyright
+++ b/supplemental/debian/copyright
@@ -0,0 +1,8 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Beszel
+Upstream-Contact: henrygd <hank@henrygd.me>
+Source: https://beszel.dev/
+
+Files: *
+Copyright: 2024 henrygd
+License: MIT
--- a/supplemental/debian/lintian-overrides
+++ b/supplemental/debian/lintian-overrides
@@ -0,0 +1,11 @@
+# No changelog in the repo at the moment. This would be good to fix
+beszel-agent: no-changelog
+# Current unable to fix these due to Goreleaser bug
+# https://github.com/goreleaser/goreleaser/issues/5487
+beszel-agent: no-debconf-config
+beszel-agent: postinst-uses-db-input
+# Needs to be fixed in Beszel build
+beszel-agent: hardening-no-pie
+beszel-agent: hardening-no-relro
+# Maybe one day
+beszel-agent: no-manual-page
--- a/supplemental/debian/postinstall.sh
+++ b/supplemental/debian/postinstall.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+set -e
+
+[ "$1" = "configure" ] || exit 0
+
+CONFIG_FILE=/etc/beszel-agent.conf
+SERVICE=beszel-agent
+SERVICE_USER=beszel
+
+. /usr/share/debconf/confmodule
+
+# This would normally be in the config control file, however this is currently
+# broken in goreleaser. Temporarily do it here.
+# https://github.com/goreleaser/goreleaser/issues/5487
+db_version 2.0
+db_input high beszel-agent/key || true
+db_go
+
+# Create group and user
+if ! getent group "$SERVICE_USER" >/dev/null; then
+	echo "Creating $SERVICE_USER group"
+	addgroup --quiet --system "$SERVICE_USER"
+fi
+
+if ! getent passwd "$SERVICE_USER" >/dev/null; then
+	echo "Creating $SERVICE_USER user"
+	adduser --quiet --system "$SERVICE_USER" \
+		--ingroup "$SERVICE_USER" \
+		--no-create-home \
+		--home /nonexistent \
+		--gecos "System user for $SERVICE"
+fi
+
+# Create config file if it doesn't already exist
+if [ ! -f "$CONFIG_FILE" ]; then
+	touch "$CONFIG_FILE"
+	chmod 0600 "$CONFIG_FILE"
+	chown "$SERVICE_USER":"$SERVICE_USER" "$CONFIG_FILE"
+fi;
+
+# Only add key to config if it's not already present
+if ! grep -q "^KEY=" "$CONFIG_FILE"; then
+	db_get beszel-agent/key
+	echo "KEY=$RET" > "$CONFIG_FILE"
+fi;
+
+deb-systemd-helper enable "$SERVICE".service
+systemctl daemon-reload
+deb-systemd-invoke start "$SERVICE".service || echo "could not start $SERVICE.service!"
--- a/supplemental/debian/postrm.sh
+++ b/supplemental/debian/postrm.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "purge" ]; then
+	. /usr/share/debconf/confmodule
+	db_purge
+	rm /etc/beszel-agent.conf
+fi
--- a/supplemental/debian/prerm.sh
+++ b/supplemental/debian/prerm.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+SERVICE=beszel-agent
+
+deb-systemd-invoke stop "$SERVICE".service
+if [ "$1" = "remove" ]; then
+	deb-systemd-helper purge "$SERVICE".service
+fi
--- a/supplemental/debian/templates
+++ b/supplemental/debian/templates
@@ -0,0 +1,5 @@
+Template: beszel-agent/key
+Type: string
+Description: SSH public key provided by beszel hub:
+ If you leave this blank, you will need to configure it in 
+ /etc/beszel-agent.conf before starting Beszel.