package changes
@@ -15,11 +15,13 @@ jobs:
|
||||
include:
|
||||
- target: trixie
|
||||
image: debian:13
|
||||
distro_dir: Trixie
|
||||
nexus_repo_secret: NEXUS_REPO_TRIXIE
|
||||
nexus_user_secret: NEXUS_USER_TRIXIE
|
||||
nexus_pass_secret: NEXUS_PASS_TRIXIE
|
||||
- target: raccoon
|
||||
image: ubuntu:26.04
|
||||
distro_dir: Raccoon
|
||||
nexus_repo_secret: NEXUS_REPO_RACCOON
|
||||
nexus_user_secret: NEXUS_USER_RACCOON
|
||||
nexus_pass_secret: NEXUS_PASS_RACCOON
|
||||
@@ -41,82 +43,90 @@ jobs:
|
||||
id: pkg
|
||||
env:
|
||||
TARGET: ${{ matrix.target }}
|
||||
DISTRO_DIR: ${{ matrix.distro_dir }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
REPO_ROOT="$PWD" # captured before any cd in the build script
|
||||
touch /.dockerenv
|
||||
bash build/${TARGET}.sh new
|
||||
bash build/${TARGET}.sh build
|
||||
bash build/${TARGET}.sh postfix
|
||||
|
||||
PKG_NAME="twiy"
|
||||
NGINX_VER="$(nginx -v 2>&1 | awk -F/ '{print $2}')"
|
||||
VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}"
|
||||
ARCH="amd64"
|
||||
PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
|
||||
DEB_DIR="${PKG_DIR}/DEBIAN"
|
||||
|
||||
mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
|
||||
"${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
|
||||
"${PKG_DIR}/usr/lib" \
|
||||
"${PKG_DIR}/hostdata/default/public_html" \
|
||||
"${PKG_DIR}/usr/nginx_lua"
|
||||
assemble_deb() {
|
||||
local pkg_name="$1" unit_src="$2" conflicts="$3"
|
||||
local pkg_dir="/opt/${pkg_name}_${VERSION}_${ARCH}"
|
||||
local deb_dir="${pkg_dir}/DEBIAN"
|
||||
|
||||
cp /usr/sbin/nginx "${PKG_DIR}/usr/sbin/"
|
||||
cp -R /nginx/* "${PKG_DIR}/nginx/" || true
|
||||
cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
|
||||
cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
|
||||
cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
|
||||
mkdir -p "${pkg_dir}/usr/sbin" "${pkg_dir}/nginx" \
|
||||
"${pkg_dir}/etc/systemd/system" "${pkg_dir}/var/log/nginx" \
|
||||
"${pkg_dir}/usr/lib" \
|
||||
"${pkg_dir}/hostdata/default/public_html" \
|
||||
"${pkg_dir}/usr/nginx_lua"
|
||||
|
||||
for d in /usr/local/aws-lc /usr/local/LuaJIT /usr/local/modsecurity /usr/local/zlib-ng; do
|
||||
[ -d "$d" ] && cp -R "$d" "${PKG_DIR}/usr/local/" || true
|
||||
done
|
||||
mkdir -p "${PKG_DIR}/usr/local/lib"
|
||||
cp -R /usr/local/lib/. "${PKG_DIR}/usr/local/lib/" 2>/dev/null || true
|
||||
cp /usr/sbin/nginx "${pkg_dir}/usr/sbin/"
|
||||
cp -R /nginx/* "${pkg_dir}/nginx/" || true
|
||||
cp "${unit_src}" "${pkg_dir}/etc/systemd/system/nginx.service"
|
||||
cp -R /hostdata/default "${pkg_dir}/hostdata/" || true
|
||||
cp -R /usr/nginx_lua "${pkg_dir}/usr/" || true
|
||||
|
||||
for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
|
||||
case "$lib" in
|
||||
/usr/local/*) continue ;;
|
||||
esac
|
||||
cp "$lib" "${PKG_DIR}/usr/lib/" || true
|
||||
done
|
||||
for d in /usr/local/aws-lc /usr/local/LuaJIT /usr/local/modsecurity /usr/local/zlib-ng; do
|
||||
[ -d "$d" ] && cp -R "$d" "${pkg_dir}/usr/local/" || true
|
||||
done
|
||||
mkdir -p "${pkg_dir}/usr/local/lib"
|
||||
cp -R /usr/local/lib/. "${pkg_dir}/usr/local/lib/" 2>/dev/null || true
|
||||
|
||||
mkdir -p "${DEB_DIR}"
|
||||
cat > "${DEB_DIR}/control" <<EOF
|
||||
Package: ${PKG_NAME}
|
||||
Version: ${VERSION}
|
||||
Section: base
|
||||
Priority: optional
|
||||
Architecture: ${ARCH}
|
||||
Depends: libjemalloc2, libsystemd0
|
||||
Maintainer: Julio <me@julio.al>
|
||||
Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI for ${TARGET}.
|
||||
EOF
|
||||
for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
|
||||
case "$lib" in /usr/local/*) continue ;; esac
|
||||
cp "$lib" "${pkg_dir}/usr/lib/" || true
|
||||
done
|
||||
|
||||
cat > "${DEB_DIR}/postinst" <<'EOFPOSTINST'
|
||||
#!/bin/bash
|
||||
useradd -r -s /bin/false nginx 2>/dev/null || true
|
||||
install -d -o nginx -g nginx -m 0755 /var/log/nginx
|
||||
# /run/nginx/temp/* is recreated on every systemd start (ExecStartPre)
|
||||
# since /run is tmpfs and cleared on reboot.
|
||||
chown -R nginx:nginx /var/log/nginx /nginx 2>/dev/null || true
|
||||
systemctl daemon-reload 2>/dev/null || true
|
||||
systemctl enable nginx.service 2>/dev/null || true
|
||||
systemctl restart nginx.service 2>/dev/null || true
|
||||
exit 0
|
||||
EOFPOSTINST
|
||||
chmod 755 "${DEB_DIR}/postinst"
|
||||
mkdir -p "${deb_dir}"
|
||||
cat > "${deb_dir}/control" <<EOF
|
||||
Package: ${pkg_name}
|
||||
Version: ${VERSION}
|
||||
Section: base
|
||||
Priority: optional
|
||||
Architecture: ${ARCH}
|
||||
Depends: libjemalloc2, libsystemd0
|
||||
Conflicts: ${conflicts}
|
||||
Replaces: ${conflicts}
|
||||
Maintainer: Julio <me@julio.al>
|
||||
Description: Nginx L7 DDoS Protection (${pkg_name}), built by RAWeb CI for ${TARGET}.
|
||||
EOF
|
||||
|
||||
dpkg-deb --build "${PKG_DIR}"
|
||||
DEB_FILE="${PKG_DIR}.deb"
|
||||
cat > "${deb_dir}/postinst" <<'EOFPOSTINST'
|
||||
#!/bin/bash
|
||||
useradd -r -s /bin/false nginx 2>/dev/null || true
|
||||
install -d -o nginx -g nginx -m 0755 /var/log/nginx
|
||||
chown -R nginx:nginx /var/log/nginx /nginx 2>/dev/null || true
|
||||
systemctl daemon-reload 2>/dev/null || true
|
||||
systemctl enable nginx.service 2>/dev/null || true
|
||||
systemctl restart nginx.service 2>/dev/null || true
|
||||
exit 0
|
||||
EOFPOSTINST
|
||||
chmod 755 "${deb_dir}/postinst"
|
||||
|
||||
dpkg-deb --build "${pkg_dir}"
|
||||
}
|
||||
|
||||
assemble_deb "twiy" "${REPO_ROOT}/static/${DISTRO_DIR}/nginx.service" "twiy-raweb"
|
||||
assemble_deb "twiy-raweb" "${REPO_ROOT}/static/${DISTRO_DIR}/nginx-raweb.service" "twiy"
|
||||
|
||||
DEB_TWIY="/opt/twiy_${VERSION}_${ARCH}.deb"
|
||||
DEB_RAWEB="/opt/twiy-raweb_${VERSION}_${ARCH}.deb"
|
||||
|
||||
{
|
||||
echo "deb_file=${DEB_FILE}"
|
||||
echo "version=${VERSION}"
|
||||
echo "pkg_name=${PKG_NAME}"
|
||||
echo "deb_twiy=${DEB_TWIY}"
|
||||
echo "deb_raweb=${DEB_RAWEB}"
|
||||
echo "version=${VERSION}"
|
||||
} >> "$GITHUB_OUTPUT"
|
||||
|
||||
ls -la "${DEB_FILE}"
|
||||
sha256sum "${DEB_FILE}"
|
||||
ls -la /opt/twiy*.deb
|
||||
sha256sum /opt/twiy*.deb
|
||||
|
||||
- name: Publish
|
||||
env:
|
||||
@@ -124,8 +134,8 @@ jobs:
|
||||
NEXUS_PASS: ${{ secrets[matrix.nexus_pass_secret] }}
|
||||
NEXUS_URL: ${{ secrets.NEXUS_URL }}
|
||||
NEXUS_REPO: ${{ secrets[matrix.nexus_repo_secret] }}
|
||||
DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
|
||||
PKG_NAME: ${{ steps.pkg.outputs.pkg_name }}
|
||||
DEB_TWIY: ${{ steps.pkg.outputs.deb_twiy }}
|
||||
DEB_RAWEB: ${{ steps.pkg.outputs.deb_raweb }}
|
||||
TARGET: ${{ matrix.target }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
@@ -137,8 +147,8 @@ jobs:
|
||||
|| mktemp -d -t twiy-XXXXXXXX)"
|
||||
chmod 700 "$SECDIR"
|
||||
cleanup() {
|
||||
find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
|
||||
rm -rf "$SECDIR"
|
||||
find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
|
||||
rm -rf "$SECDIR"
|
||||
}
|
||||
trap cleanup EXIT INT TERM HUP
|
||||
|
||||
@@ -147,24 +157,33 @@ jobs:
|
||||
"$NEXUS_HOST" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
|
||||
unset NEXUS_USER NEXUS_PASS
|
||||
|
||||
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
|
||||
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
|
||||
| PKG_NAME="$PKG_NAME" python3 -c '
|
||||
publish_one() {
|
||||
local deb="$1" pkg_name="$2"
|
||||
|
||||
local old_id
|
||||
old_id="$(curl -fsS --netrc-file "$SECDIR/netrc" \
|
||||
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
|
||||
| PKG_NAME="$pkg_name" python3 -c '
|
||||
import sys, json, os
|
||||
for c in json.load(sys.stdin).get("items", []):
|
||||
if c.get("name") == os.environ["PKG_NAME"]:
|
||||
print(c["id"]); break
|
||||
' || true)"
|
||||
if [ -n "$OLD_ID" ]; then
|
||||
curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
|
||||
"$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
|
||||
fi
|
||||
if [ -n "$old_id" ]; then
|
||||
curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
|
||||
"$NEXUS_URL/service/rest/v1/components/$old_id" -o /dev/null
|
||||
fi
|
||||
|
||||
HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
|
||||
-o "$SECDIR/upload.body" -w '%{http_code}' \
|
||||
-X POST -F "apt.asset=@$DEB_FILE" \
|
||||
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
|
||||
case "$HTTP" in
|
||||
201|204) echo "[$TARGET] uploaded $(basename "$DEB_FILE")" ;;
|
||||
*) echo "[$TARGET] upload failed (HTTP $HTTP)"; cat "$SECDIR/upload.body"; exit 1 ;;
|
||||
esac
|
||||
local http
|
||||
http="$(curl -sS --netrc-file "$SECDIR/netrc" \
|
||||
-o "$SECDIR/upload.body" -w '%{http_code}' \
|
||||
-X POST -F "apt.asset=@$deb" \
|
||||
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
|
||||
case "$http" in
|
||||
201|204) echo "[$TARGET] uploaded $(basename "$deb")" ;;
|
||||
*) echo "[$TARGET] upload failed for $pkg_name (HTTP $http)"; cat "$SECDIR/upload.body"; exit 1 ;;
|
||||
esac
|
||||
}
|
||||
|
||||
publish_one "$DEB_TWIY" "twiy"
|
||||
publish_one "$DEB_RAWEB" "twiy-raweb"
|
||||
|
||||
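Review bot: In `assemble_deb`, the `for d in /usr/local/aws-lc …` loop copies into `${pkg_dir}/usr/local/` before that directory exists: the first `mkdir -p` does not list it, and `mkdir -p "${pkg_dir}/usr/local/lib"` only runs after the loop. Depending on how cp treats the missing destination, the first bundled tree either fails to copy or lands as `usr/local` itself instead of `usr/local/<name>`, and `|| true` keeps the job green either way, so both .deb files can be published with the aws-lc/modsecurity trees missing or misplaced. Move `mkdir -p "${pkg_dir}/usr/local/lib"` above the loop and write the loop body as `if [ -d "$d" ]; then cp -R "$d" "${pkg_dir}/usr/local/"; fi`, so that a failed copy stops the build under `set -e`. The same ordering appears in the pre-refactor lines, so this is inherited by the new function rather than introduced by it.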