authorDawid Rycerz <dawid@rycerz.xyz>2026-01-22 22:07:32 +0100
committerDawid Rycerz <dawid@rycerz.xyz>2026-02-10 18:44:26 +0100
commit064a1d01c5c14f5ecc032fa9b8346a4a88b893f6 (patch)
treea2023f9ccd297ed8a41a3a0cc5699c2add09244d /debian
witryna 0.1.0 — initial releasev0.1.0
Minimalist Git-based static site deployment orchestrator. Webhook-triggered builds in Podman/Docker containers with atomic symlink publishing, SIGHUP hot-reload, and zero-downtime deploys. See README.md for usage, CHANGELOG.md for details.
Diffstat (limited to 'debian')
-rw-r--r--debian/postinst54
-rw-r--r--debian/postrm19
-rw-r--r--debian/witryna.service62
3 files changed, 135 insertions, 0 deletions
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..f47ea01
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,54 @@
+#!/bin/bash
+set -e
+case "$1" in
+ configure)
+ # Create system user/group
+ if ! getent passwd witryna >/dev/null; then
+ adduser --system --group --no-create-home --home /var/lib/witryna witryna
+ fi
+ # Create data + log directories
+ install -d -o witryna -g witryna -m 0755 /var/lib/witryna
+ install -d -o witryna -g witryna -m 0755 /var/lib/witryna/clones
+ install -d -o witryna -g witryna -m 0755 /var/lib/witryna/builds
+ install -d -o witryna -g witryna -m 0755 /var/lib/witryna/cache
+ install -d -o witryna -g witryna -m 0755 /var/log/witryna
+ # Config file is installed by dpkg from the asset.
+ # Fix ownership so the witryna service can read it (Group=witryna in unit).
+ chown root:witryna /etc/witryna/witryna.toml
+ chmod 640 /etc/witryna/witryna.toml
+ # Auto-detect and configure container runtime
+ if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
+ # Docker: add to docker group + install override
+ if getent group docker >/dev/null; then
+ usermod -aG docker witryna || true
+ fi
+ mkdir -p /etc/systemd/system/witryna.service.d
+ cp /usr/share/doc/witryna/examples/systemd/docker.conf \
+ /etc/systemd/system/witryna.service.d/10-runtime.conf
+ chmod 644 /etc/systemd/system/witryna.service.d/10-runtime.conf
+ systemctl daemon-reload >/dev/null 2>&1 || true
+ echo "witryna: Docker detected and configured."
+ elif command -v podman >/dev/null 2>&1 && podman info >/dev/null 2>&1; then
+ # Podman: subuids + lingering + override
+ if ! grep -q "^witryna:" /etc/subuid 2>/dev/null; then
+ usermod --add-subuids 100000-165535 witryna || true
+ fi
+ if ! grep -q "^witryna:" /etc/subgid 2>/dev/null; then
+ usermod --add-subgids 100000-165535 witryna || true
+ fi
+ loginctl enable-linger witryna >/dev/null 2>&1 || true
+ mkdir -p /etc/systemd/system/witryna.service.d
+ cp /usr/share/doc/witryna/examples/systemd/podman.conf \
+ /etc/systemd/system/witryna.service.d/10-runtime.conf
+ chmod 644 /etc/systemd/system/witryna.service.d/10-runtime.conf
+ systemctl daemon-reload >/dev/null 2>&1 || true
+ echo "witryna: Podman detected and configured."
+ else
+ echo "witryna: WARNING — no container runtime (docker/podman) detected."
+ echo " Install one, then reinstall this package or copy an override from"
+ echo " /usr/share/doc/witryna/examples/systemd/ manually."
+ fi
+ ;;
+esac
+#DEBHELPER#
+exit 0
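Review bot: The Docker branch adds the service account to the `docker` group (`usermod -aG docker witryna`), which Docker's own documentation describes as root-equivalent on the host, and neither the comment nor the "Docker detected and configured." message says so; the comment above it should read `# Docker: docker group membership is root-equivalent on the host — the sandboxing in witryna.service cannot contain it`, and the same caveat belongs beside the commented `SupplementaryGroups=docker` lines in debian/witryna.service (third hunk). Separately, the `chown root:witryna` and `chmod 640` of `/etc/witryna/witryna.toml` run unconditionally under `set -e`; if the administrator has deleted that conffile, which dpkg does not recreate on upgrade, configure aborts and the package is left half-configured, so wrap both in `if [ -e /etc/witryna/witryna.toml ]; then … fi`. Detection also silently prefers Docker when both runtimes are installed, which is worth stating in the printed message.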
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..5a7f86a
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+case "$1" in
+ purge)
+ if getent passwd witryna >/dev/null; then
+ deluser --quiet --system witryna >/dev/null || true
+ fi
+ if getent group witryna >/dev/null; then
+ delgroup --quiet --system witryna >/dev/null || true
+ fi
+ rm -rf /etc/witryna
+ rm -rf /etc/systemd/system/witryna.service.d
+ systemctl daemon-reload >/dev/null 2>&1 || true
+ loginctl disable-linger witryna >/dev/null 2>&1 || true
+ # /var/lib/witryna and /var/log/witryna left for manual cleanup
+ ;;
+esac
+#DEBHELPER#
+exit 0
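Review bot: `loginctl disable-linger witryna` runs after `deluser` has already removed the account, so the user name presumably can no longer be resolved and the call fails silently under `|| true`, leaving the linger flag under /var/lib/systemd/linger behind; move the `loginctl` line above the `deluser` block. `rm -rf /etc/systemd/system/witryna.service.d` also discards any administrator drop-ins in that directory, not only the `10-runtime.conf` that postinst wrote; `rm -f /etc/systemd/system/witryna.service.d/10-runtime.conf` followed by `rmdir --ignore-fail-on-non-empty /etc/systemd/system/witryna.service.d` keeps purge to package-owned files. Whether `deluser` also drops the subuid/subgid ranges postinst added is version-dependent and worth confirming, since stale ranges persist in /etc/subuid otherwise.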
diff --git a/debian/witryna.service b/debian/witryna.service
new file mode 100644
index 0000000..d3e0713
--- /dev/null
+++ b/debian/witryna.service
@@ -0,0 +1,62 @@
+[Unit]
+Description=Witryna - Git-based static site deployment orchestrator
+Documentation=man:witryna(1) man:witryna.toml(5)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=witryna
+Group=witryna
+
+# Start the deployment server
+ExecStart=/usr/bin/witryna serve --config /etc/witryna/witryna.toml
+ExecReload=/bin/kill -HUP $MAINPID
+
+# Environment
+Environment="RUST_LOG=info"
+
+# Restart policy
+Restart=on-failure
+RestartSec=5
+StartLimitBurst=3
+StartLimitIntervalSec=60
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+
+# Note: ProtectHome=yes is NOT set because it hides /run/user/<uid>,
+# which is required for rootless Podman. The witryna user's home is
+# /var/lib/witryna (covered by ReadWritePaths), not /home.
+
+# Allow read/write to witryna directories
+ReadWritePaths=/var/lib/witryna
+ReadWritePaths=/var/log/witryna
+
+# Allow access to container runtime directories
+# For Podman (rootless): needs /run/user/<uid> for XDG_RUNTIME_DIR
+ReadWritePaths=/run/user
+# For Docker:
+# SupplementaryGroups=docker
+# ReadWritePaths=/var/run/docker.sock
+
+# Capabilities (minimal for container runtime access)
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+[Install]
+WantedBy=multi-user.target
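Review bot: `NoNewPrivileges=yes` and `RestrictNamespaces=yes` in the hardening section conflict with the rootless Podman path the comments describe: rootless Podman creates user/mount/network namespaces and, for the multi-ID subuid/subgid mappings postinst configures, execs the setuid `newuidmap`/`newgidmap` helpers, and these two settings block both — unless the `podman.conf` drop-in (not in this commit's diff) resets them, in which case the note above `ReadWritePaths=/run/user` should say so. If a relaxation is intended, an explicit allow-list such as `RestrictNamespaces=user mnt net pid ipc uts` is narrower than dropping the setting. Separately, `StartLimitBurst=` and `StartLimitIntervalSec=` are `[Unit]` settings since systemd 230 and are honoured in `[Service]` only for backwards compatibility; move them under `[Unit]`.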