crowdsecurity · mmetc · Apr 12, 2023 · Mar 27, 2023 · Apr 3, 2023 · Apr 11, 2023
diff --git a/.github/release.py b/.github/release.py
@@ -32,24 +32,18 @@ def _goarm(goarch):
     yield '7'
 
 
-def _static():
-    yield True
-    yield False
-
-
 def _build_tarball(os):
     if os == 'linux':
         yield True
-    yield False
+    else:
+        yield False
 
 
 def filename_for_entry(prog_name, entry):
     arch = entry['goarch']
     if entry['goarch'] == 'arm':
         arch += 'v' + entry['goarm']
     ret = f'{prog_name}-{entry["goos"]}-{arch}'
-    if entry['static']:
-        ret += '-static'
     if entry['build_tarball']:
         ret += '.tgz'
     return ret
@@ -59,15 +53,13 @@ def matrix(prog_name):
     for goos in _goos():
         for goarch in _goarch(goos):
             for goarm in _goarm(goarch):
-                for static in _static():
-                    for build_tarball in _build_tarball(goos):
-                        yield {
-                            'goos': goos,
-                            'goarch': goarch,
-                            'goarm': goarm,
-                            'static': static,
-                            'build_tarball': build_tarball,
-                        }
+                for build_tarball in _build_tarball(goos):
+                    yield {
+                        'goos': goos,
+                        'goarch': goarch,
+                        'goarm': goarm,
+                        'build_tarball': build_tarball,
+                    }
 
 
 def print_matrix(prog_name):
@@ -83,15 +75,13 @@ def print_matrix(prog_name):
     'goos': 'linux',
     'goarch': 'amd64',
     'goarm': '',
-    'static': False,
     'build_tarball': True,
 }
 
 default_binary = {
     'goos': 'linux',
     'goarch': 'amd64',
     'goarm': '',
-    'static': False,
     'build_tarball': False,
 }
 
@@ -108,9 +98,6 @@ def run_build(prog_name):
         if entry['goarm']:
             env['GOARM'] = entry['goarm']
 
-        if entry['static']:
-            env['BUILD_STATIC'] = 'yes'
-
         if entry['build_tarball']:
             target = 'tarball'
         else:

diff --git a/.github/workflows/build-binary-package.yml b/.github/workflows/build-binary-package.yml
@@ -18,16 +18,16 @@ jobs:
 
     steps:
 
-    - name: Set up Go 1.20.1
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.20.1
-
     - name: Check out repository
       uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: 1.20.3
+
     - name: Build all versions
       run: |
         make platform-all

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -6,8 +6,17 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+      # write permission is required for autolabeler
+      # otherwise, read permission is required at least
+      pull-requests: read
     runs-on: ubuntu-latest
     name: Update the release draft
     steps:

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -13,34 +13,22 @@ jobs:
   build:
     strategy:
       matrix:
-        go-version: ["1.20.1"]
+        go-version: ["1.20.3"]
 
     name: "Build + tests"
     runs-on: ubuntu-latest
 
     steps:
 
-    - name: Set up Go ${{ matrix.go-version }}
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ matrix.go-version }}
-
     - name: Check out code into the Go module directory
       uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
-    - name: Cache Go modules
-      uses: actions/cache@v3
+    - name: Set up Go ${{ matrix.go-version }}
+      uses: actions/setup-go@v4
       with:
-        path: |
-          ~/go/pkg/mod
-          ~/.cache/go-build
-          ~/Library/Caches/go-build
-          %LocalAppData%\go-build
-        key: ${{ runner.os }}-${{ matrix.go-version }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-${{ matrix.go-version }}-go-
+        go-version: ${{ matrix.go-version }}
 
     - name: Build
       run: |

diff --git a/.gitignore b/.gitignore
@@ -1,13 +1,3 @@
-# vscode
-.vscode
-
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
 # Test binary, built with `go test -c`
 *.test
 
@@ -23,7 +13,14 @@ __pycache__/
 *$py.class
 venv/
 
-# built binaries
+# built by make
 /crowdsec-custom-bouncer
 /crowdsec-custom-bouncer-*
 /crowdsec-custom-bouncer.tgz
+
+# built by dpkg-buildpackage
+/debian/crowdsec-custom-bouncer
+/debian/files
+/debian/*.substvars
+/debian/*.debhelper
+/debian/*-stamp
diff --git a/Makefile b/Makefile
@@ -3,33 +3,35 @@ GOBUILD=$(GOCMD) build
 GOTEST=$(GOCMD) test
 
 BINARY_NAME=crowdsec-custom-bouncer
-REPO_NAME=cs-custom-bouncer
+GO_MODULE_NAME=github.com/crowdsecurity/cs-custom-bouncer
 TARBALL_NAME=$(BINARY_NAME).tgz
 
-# Current versioning information from env
+# Versioning information can be overridden in the environment
 BUILD_VERSION?=$(shell git describe --tags)
 BUILD_TIMESTAMP?=$(shell date +%F"_"%T)
 BUILD_TAG?=$(shell git rev-parse HEAD)
 
 LD_OPTS_VARS=\
--X 'github.com/crowdsecurity/$(REPO_NAME)/pkg/version.Version=$(BUILD_VERSION)' \
--X 'github.com/crowdsecurity/$(REPO_NAME)/pkg/version.BuildDate=$(BUILD_TIMESTAMP)' \
--X 'github.com/crowdsecurity/$(REPO_NAME)/pkg/version.Tag=$(BUILD_TAG)'
+-X '$(GO_MODULE_NAME)/pkg/version.Version=$(BUILD_VERSION)' \
+-X '$(GO_MODULE_NAME)/pkg/version.BuildDate=$(BUILD_TIMESTAMP)' \
+-X '$(GO_MODULE_NAME)/pkg/version.Tag=$(BUILD_TAG)'
 
-ifdef BUILD_STATIC
-	export LD_OPTS=-ldflags "-a -s -w -extldflags '-static' $(LD_OPTS_VARS)" -tags netgo
-else
-	export LD_OPTS=-ldflags "-a -s -w $(LD_OPTS_VARS)"
-endif
-
-LD_OPTS += -trimpath
+export LD_OPTS=-ldflags "-a -s -w -extldflags '-static' $(LD_OPTS_VARS)" \
+	-trimpath -tags netgo
 
 .PHONY: all
 all: build test
 
+clean-debian:
+	@$(RM) -r debian/$(BINARY_NAME)
+	@$(RM) -r debian/files
+	@$(RM) -r debian/*.substvars
+	@$(RM) -r debian/*.debhelper
+	@$(RM) -r debian/*-stamp
+
 # Remove everything including all platform binaries and tarballs
 .PHONY: clean
-clean: clean-release-dir
+clean: clean-release-dir clean-debian
 	@$(RM) $(BINARY_NAME)
 	@$(RM) $(TARBALL_NAME)
 	@$(RM) -r $(BINARY_NAME)-*	# platform binary name and leftover release dir

diff --git a/config/crowdsec-custom-bouncer.service b/config/crowdsec-custom-bouncer.service
@@ -2,13 +2,13 @@
 Description=The custom bouncer for CrowdSec
 After=syslog.target network.target remote-fs.target nss-lookup.target crowdsec.service
 
-
 [Service]
 Type=notify
 ExecStart=${BIN} -c ${CFG}/crowdsec-custom-bouncer.yaml
+ExecStartPre=${BIN} -c ${CFG}/crowdsec-custom-bouncer.yaml -t
 ExecStartPost=/bin/sleep 0.1
+Restart=always
+RestartSec=10
 
 [Install]
 WantedBy=multi-user.target
-
-
diff --git a/debian/changelog b/debian/changelog
@@ -1,5 +1,5 @@
 crowdsec-custom-bouncer (1.0.0) UNRELEASED; urgency=medium
 
   * Initial debian packaging
-  
--- Shivam Sandbhor <shivam@crowdsec.net>  Mon Jun 28 10:52:32 2021 +0530
+
+ -- Shivam Sandbhor <shivam@crowdsec.net>  Mon, 28 Jun 2021 10:52:32 +0530
diff --git a/debian/control b/debian/control
@@ -1,11 +1,11 @@
 Source: crowdsec-custom-bouncer
 Maintainer: Crowdsec Team <debian@crowdsec.net>
-Build-Depends: debhelper, bash
+Build-Depends: debhelper
+Section: admin
+Priority: optional
 
 Package: crowdsec-custom-bouncer
 Provides: crowdsec-custom-bouncer
+Depends: gettext-base
 Description: Custom bouncer for Crowdsec
 Architecture: any
-
-
-
diff --git a/debian/postinst b/debian/postinst
@@ -1,38 +1,28 @@
+#!/bin/sh
 
 systemctl daemon-reload
 
+BOUNCER="crowdsec-custom-bouncer"
+BOUNCER_PREFIX="CustomBouncer"
 
-START=0
+#shellcheck source=./scripts/_bouncer.sh
+. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh"
+START=1
 
-if [ "$1" = "configure" ] && [ "$2" = "" ]; then
-
-    type cscli
-
-    if [ "$?" -eq "0" ] ; then
-        START=1
-        echo "cscli/crowdsec is present, generating API key"
-        unique=`date +%s`
-        API_KEY=`cscli -oraw bouncers add CustomBouncer-${unique}`
-        if [ $? -eq 1 ] ; then
-            echo "failed to create API token, service won't be started."
+if [ "$1" = "configure" ]; then
+    if need_api_key; then
+        if ! set_api_key; then
             START=0
-            API_KEY="<API_KEY>"
-        else
-            echo "API Key : ${API_KEY}"
         fi
-
-        TMP=`mktemp -p /tmp/`
-        cp /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml ${TMP}
-        API_KEY=${API_KEY} envsubst < ${TMP} > /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
-        rm ${TMP}
     fi
-else
-    START=1
 fi
 
+systemctl --quiet is-enabled "$SERVICE" || systemctl unmask "$SERVICE" && systemctl enable "$SERVICE"
+
+set_local_lapi_url 'CROWDSEC_LAPI_URL'
 
-if [ ${START} -eq 0 ] ; then
-    echo "no api key was generated"
+if [ "$START" -eq 0 ]; then
+    echo "no api key was generated, you can generate one on your LAPI server by running 'cscli bouncers add <bouncer_name>' and add it to '$CONFIG'" >&2
 fi
 
-echo "please enter the binary path in '/etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml' and start the bouncer via 'sudo systemctl start crowdsec-custom-bouncer' "
+echo "please enter the binary path in '$CONFIG' and start the bouncer via 'sudo systemctl start $SERVICE'"
diff --git a/debian/prerm b/debian/prerm
@@ -1,2 +1,15 @@
-systemctl stop crowdsec-custom-bouncer || echo "cannot stop service"
-systemctl disable crowdsec-custom-bouncer || echo "cannot disable service"
+#!/bin/sh
+
+set -eu
+
+BOUNCER="crowdsec-custom-bouncer"
+
+#shellcheck source=./scripts/_bouncer.sh
+. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh"
+
+systemctl stop "$SERVICE" || echo "cannot stop service"
+systemctl disable "$SERVICE" || echo "cannot disable service"
+
+if [ "$1" = "purge" ]; then
+    delete_bouncer
+fi
diff --git a/debian/rules b/debian/rules
@@ -1,9 +1,7 @@
 #!/usr/bin/make -f
 
-export DEB_VERSION=$(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ')
+export DEB_VERSION=$(shell dpkg-parsechangelog | grep -E '^Version:' | cut -f 2 -d ' ')
 export BUILD_VERSION=v${DEB_VERSION}-debian-pragmatic
-export GO111MODULE=on
-
 
 %:
 	dh $@
@@ -15,9 +13,19 @@ override_dh_auto_test:
 override_dh_auto_build:
 override_dh_auto_install:
 	make
-	mkdir -p debian/crowdsec-custom-bouncer/usr/bin
-	cp crowdsec-custom-bouncer  debian/crowdsec-custom-bouncer/usr/bin
-	mkdir -p debian/crowdsec-custom-bouncer/etc/systemd/system/
-	mkdir -p debian/crowdsec-custom-bouncer/etc/crowdsec/bouncers/
-	BIN=/usr/bin/crowdsec-custom-bouncer CFG=/etc/crowdsec/bouncers envsubst < config/crowdsec-custom-bouncer.service >  debian/crowdsec-custom-bouncer/etc/systemd/system/crowdsec-custom-bouncer.service
-	cp config/crowdsec-custom-bouncer.yaml debian/crowdsec-custom-bouncer/etc/crowdsec/bouncers/
+
+	BOUNCER=crowdsec-custom-bouncer; \
+	PKG="$$BOUNCER"; \
+	mkdir -p "debian/$$PKG/var/lib/crowdsec/$$BOUNCER/cache/"; \
+	install -D "$$BOUNCER" -t "debian/$$PKG/usr/bin/"; \
+	install -D "scripts/_bouncer.sh" -t "debian/$$PKG/usr/lib/$$PKG/"; \
+	install -D "config/$$BOUNCER.yaml" "debian/$$PKG/etc/crowdsec/bouncers/$$BOUNCER.yaml"; \
+	BIN="/usr/bin/$$BOUNCER" CFG="/etc/crowdsec/bouncers" envsubst '$$BIN $$CFG' < "config/$$BOUNCER.service" | install -D /dev/stdin "debian/$$PKG/etc/systemd/system/$$BOUNCER.service"
+
+execute_after_dh_fixperms:
+	BOUNCER=crowdsec-custom-bouncer; \
+	PKG="$$BOUNCER"; \
+	chmod 0755 "debian/$$PKG/usr/bin/$$BOUNCER"; \
+	chmod 0600 "debian/$$PKG/usr/lib/$$PKG/_bouncer.sh"; \
+	chmod 0600 "debian/$$PKG/etc/crowdsec/bouncers/$$BOUNCER.yaml"; \
+	chmod 0644 "debian/$$PKG/etc/systemd/system/$$BOUNCER.service"