[arch-commits] Commit in caddy/trunk/next (PKGBUILD caddy-api.service caddy.service)
Levente Polyak
anthraxx at archlinux.org
Sat May 16 00:15:25 UTC 2020
Date: Saturday, May 16, 2020 @ 00:15:22
Author: anthraxx
Revision: 628137
next: reduce diff to v1, add go hardening
Modified:
caddy/trunk/next/PKGBUILD
caddy/trunk/next/caddy-api.service
caddy/trunk/next/caddy.service
-------------------+
PKGBUILD | 42 +++++++++++++++++++++++++++---------------
caddy-api.service | 18 ++++++++++--------
caddy.service | 18 ++++++++++--------
3 files changed, 47 insertions(+), 31 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-05-15 23:49:26 UTC (rev 628136)
+++ PKGBUILD 2020-05-16 00:15:22 UTC (rev 628137)
@@ -1,22 +1,29 @@
-# Maintainer : Christian Rebischke <chris.rebischke at archlinux.org>
+# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Maintainer: Christian Rebischke <chris.rebischke at archlinux.org>
+# Contributor: Wei Congrui < crvv.mail at gmail dot com >
+# Contributor: Carl George < arch at cgtx dot us >
+# Contributor: Eric Engeström <eric at engestrom dot ch>
+# Contributor: Andreas Linz <klingt.net at gmail dot com>
+# Contributor: Akshay S Dinesh <asdofindia at gmail dot com>
pkgname=caddy
pkgver=2.0.0
+_gitcommit=e051e119d1dff75972ed9b07cf97bbb989ba8daa
pkgrel=1
-pkgdesc="Powerful, enterprise-ready, open source web server with automatic HTTPS written in Go"
+pkgdesc='Fast web server with automatic HTTPS'
+url='https://caddyserver.com'
arch=('x86_64')
-url="https://github.com/caddyserver/caddy"
license=('Apache')
depends=('glibc')
-makedepends=('go-pie' 'git')
+makedepends=('go' 'git')
backup=('etc/caddy/caddy.conf')
-source=("git+https://github.com/caddyserver/caddy#tag=v${pkgver}?signed"
- 'index.html'
- 'caddy.service'
- 'caddy-api.service'
- 'caddy.tmpfiles'
- 'caddy.sysusers'
- 'caddy.conf')
+source=("git+https://github.com/caddyserver/caddy#commit=${_gitcommit}?signed"
+ index.html
+ caddy.service
+ caddy-api.service
+ caddy.tmpfiles
+ caddy.sysusers
+ caddy.conf)
sha512sums=('SKIP'
'2abccd41f770daebf61285dc017249f20c707877ea3c870f4a2375bbbd2bf481a8652d1fd3c7afd7d6b5c54838e9d8474a33e2c9790ef67dcf9d79c4e52953b4'
'41e88f85972c5680c919b556f3f163e7908f5a6226b9c38bde0d7cfb32c62e2975fadaaa07534109c29dcdeceb5b696169dccaf8a1c132d578a327c6cf97b76d'
@@ -25,7 +32,7 @@
'c893d88fec89e37da6596030c8dce7103e7e575371e8542a24d2a0741e877358d85219f2d8ade9d6aa0f515efe1156a4badd9fef5f65f553a5b0c72330c4728f'
'399c177475e299bf5736dba1a9d045477072594390b73c7dd2e13e12785abe029d48e480aee98216f7a8735addd353ce4a07b56ed14364f641b138e4fca0ebcd')
validpgpkeys=(
- '29D0817A67156E4F25DC24782A349DD577D586A5' # Matthew Holt <mholt at users.noreply.github.com>
+ 29D0817A67156E4F25DC24782A349DD577D586A5 # Matthew Holt <mholt at users.noreply.github.com>
)
pkgver() {
@@ -40,7 +47,12 @@
build() {
cd "${pkgname}/cmd/caddy/"
- go build -trimpath -ldflags "-extldflags ${LDFLAGS}" -o caddy
+ export CGO_LDFLAGS="${LDFLAGS}"
+ export CGO_CPPFLAGS="${CPPFLAGS}"
+ export CGO_CFLAGS="${CFLAGS}"
+ export CGO_CXXFLAGS="${CXXFLAGS}"
+ export GOFLAGS="-buildmode=pie -trimpath"
+ go build .
}
check() {
@@ -50,12 +62,12 @@
package() {
cd "${pkgname}"
- install -Dm755 "cmd/caddy/${pkgname}" "${pkgdir}/usr/bin/${pkgname}"
+ install -Dm 755 cmd/caddy/caddy -t "${pkgdir}/usr/bin"
install -Dm 644 "${srcdir}/caddy.service" -t "${pkgdir}/usr/lib/systemd/system"
install -Dm 644 "${srcdir}/caddy-api.service" -t "${pkgdir}/usr/lib/systemd/system"
install -Dm 644 "${srcdir}/caddy.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/caddy.conf"
install -Dm 644 "${srcdir}/caddy.sysusers" "${pkgdir}/usr/lib/sysusers.d/caddy.conf"
install -Dm 644 "${srcdir}/caddy.conf" "${pkgdir}/etc/caddy/caddy.conf"
+ install -d "${pkgdir}/etc/caddy/conf.d"
install -Dm 644 "${srcdir}/index.html" "${pkgdir}/usr/share/caddy/index.html"
- install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
}
Modified: caddy-api.service
===================================================================
--- caddy-api.service 2020-05-15 23:49:26 UTC (rev 628136)
+++ caddy-api.service 2020-05-16 00:15:22 UTC (rev 628137)
@@ -18,6 +18,8 @@
[Service]
User=caddy
Group=caddy
+Environment=XDG_DATA_HOME=/var/lib
+Environment=XDG_CONFIG_HOME=/var/lib
ExecStart=/usr/bin/caddy run --environ --resume
# Do not allow the process to be restarted in a tight loop. If the
@@ -32,19 +34,19 @@
LimitNOFILE=1048576
LimitNPROC=512
-
+# Hardening options
PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
ProtectSystem=strict
-ProtectKernelModules=true
+ReadWritePaths=/var/lib/caddy /var/log/caddy
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
-LockPersonality=true
ProtectKernelTunables=true
-ProtectHome=true
-ReadWritePaths=/var/lib/caddy /var/log/caddy
-PrivateDevices=true
+ProtectKernelModules=true
ProtectControlGroups=true
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+LockPersonality=true
[Install]
WantedBy=multi-user.target
Modified: caddy.service
===================================================================
--- caddy.service 2020-05-15 23:49:26 UTC (rev 628136)
+++ caddy.service 2020-05-16 00:15:22 UTC (rev 628137)
@@ -24,6 +24,8 @@
[Service]
User=caddy
Group=caddy
+Environment=XDG_DATA_HOME=/var/lib
+Environment=XDG_CONFIG_HOME=/etc
ExecStart=/usr/bin/caddy run --adapter caddyfile --environ --config /etc/caddy/caddy.conf
ExecReload=/usr/bin/caddy reload --adapter caddyfile --config /etc/caddy/caddy.conf
@@ -39,19 +41,19 @@
LimitNOFILE=1048576
LimitNPROC=512
-
+# Hardening options
PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
ProtectSystem=strict
-ProtectKernelModules=true
+ReadWritePaths=/var/lib/caddy /var/log/caddy
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
-LockPersonality=true
ProtectKernelTunables=true
-ProtectHome=true
-ReadWritePaths=/var/lib/caddy /var/log/caddy
-PrivateDevices=true
+ProtectKernelModules=true
ProtectControlGroups=true
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+LockPersonality=true
[Install]
WantedBy=multi-user.target
More information about the arch-commits
mailing list