next: reduce diff to v1, add go hardening

2020-05-16 00:15:22 +00:00 · 2020-05-16 00:15:22 +00:00 · 4d4473add2
commit 4d4473add2
parent a4ae059ffc
3 changed files with 49 additions and 33 deletions
--- a/next/PKGBUILD
+++ b/next/PKGBUILD
@ -1,22 +1,29 @@
 # Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
 # Maintainer: Christian Rebischke <chris.rebischke@archlinux.org>
 # Contributor: Wei Congrui < crvv.mail at gmail dot com >
 # Contributor: Carl George < arch at cgtx dot us >
 # Contributor: Eric Engeström <eric at engestrom dot ch>
 # Contributor: Andreas Linz <klingt.net at gmail dot com>
 # Contributor: Akshay S Dinesh <asdofindia at gmail dot com>
 pkgname=caddy
 pkgver=2.0.0
 _gitcommit=e051e119d1dff75972ed9b07cf97bbb989ba8daa
 pkgrel=1
-pkgdesc="Powerful, enterprise-ready, open source web server with automatic HTTPS written in Go"
+pkgdesc='Fast web server with automatic HTTPS'
 url='https://caddyserver.com'
 arch=('x86_64')
 url="https://github.com/caddyserver/caddy"
 license=('Apache')
 depends=('glibc')
-makedepends=('go-pie' 'git')
+makedepends=('go' 'git')
 backup=('etc/caddy/caddy.conf')
-source=("git+https://github.com/caddyserver/caddy#tag=v${pkgver}?signed"
+source=("git+https://github.com/caddyserver/caddy#commit=${_gitcommit}?signed"
-        'index.html'
+        index.html
-        'caddy.service'
+        caddy.service
-        'caddy-api.service'
+        caddy-api.service
-        'caddy.tmpfiles'
+        caddy.tmpfiles
-        'caddy.sysusers'
+        caddy.sysusers
-        'caddy.conf')
+        caddy.conf)
 sha512sums=('SKIP'
            '2abccd41f770daebf61285dc017249f20c707877ea3c870f4a2375bbbd2bf481a8652d1fd3c7afd7d6b5c54838e9d8474a33e2c9790ef67dcf9d79c4e52953b4'
            '41e88f85972c5680c919b556f3f163e7908f5a6226b9c38bde0d7cfb32c62e2975fadaaa07534109c29dcdeceb5b696169dccaf8a1c132d578a327c6cf97b76d'
@ -25,7 +32,7 @@ sha512sums=('SKIP'
            'c893d88fec89e37da6596030c8dce7103e7e575371e8542a24d2a0741e877358d85219f2d8ade9d6aa0f515efe1156a4badd9fef5f65f553a5b0c72330c4728f'
            '399c177475e299bf5736dba1a9d045477072594390b73c7dd2e13e12785abe029d48e480aee98216f7a8735addd353ce4a07b56ed14364f641b138e4fca0ebcd')
 validpgpkeys=(
-  '29D0817A67156E4F25DC24782A349DD577D586A5' # Matthew Holt <mholt@users.noreply.github.com>
+  29D0817A67156E4F25DC24782A349DD577D586A5 # Matthew Holt <mholt@users.noreply.github.com>
 )
 pkgver() {
@ -40,7 +47,12 @@ prepare() {
 build() {
  cd "${pkgname}/cmd/caddy/"
-  go build -trimpath -ldflags "-extldflags ${LDFLAGS}" -o caddy
+  export CGO_LDFLAGS="${LDFLAGS}"
  export CGO_CPPFLAGS="${CPPFLAGS}"
  export CGO_CFLAGS="${CFLAGS}"
  export CGO_CXXFLAGS="${CXXFLAGS}"
  export GOFLAGS="-buildmode=pie -trimpath"
  go build .
 }
 check() {
@ -50,12 +62,12 @@ check() {
 package() {
  cd "${pkgname}"
-  install -Dm755 "cmd/caddy/${pkgname}" "${pkgdir}/usr/bin/${pkgname}"
+  install -Dm 755 cmd/caddy/caddy -t "${pkgdir}/usr/bin"
  install -Dm 644 "${srcdir}/caddy.service" -t "${pkgdir}/usr/lib/systemd/system"
  install -Dm 644 "${srcdir}/caddy-api.service" -t "${pkgdir}/usr/lib/systemd/system"
  install -Dm 644 "${srcdir}/caddy.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/caddy.conf"
  install -Dm 644 "${srcdir}/caddy.sysusers" "${pkgdir}/usr/lib/sysusers.d/caddy.conf"
  install -Dm 644 "${srcdir}/caddy.conf" "${pkgdir}/etc/caddy/caddy.conf"
  install -d "${pkgdir}/etc/caddy/conf.d"
  install -Dm 644 "${srcdir}/index.html" "${pkgdir}/usr/share/caddy/index.html"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }
--- a/next/caddy-api.service
+++ b/next/caddy-api.service
@ -18,6 +18,8 @@ StartLimitBurst=10
 [Service]
 User=caddy
 Group=caddy
 Environment=XDG_DATA_HOME=/var/lib
 Environment=XDG_CONFIG_HOME=/var/lib
 ExecStart=/usr/bin/caddy run --environ --resume
 # Do not allow the process to be restarted in a tight loop. If the
@ -32,19 +34,19 @@ TimeoutStopSec=5s
 LimitNOFILE=1048576
 LimitNPROC=512
-
+# Hardening options
 PrivateTmp=true
 ProtectSystem=strict
 ProtectKernelModules=true
 NoNewPrivileges=true
 LockPersonality=true
 ProtectKernelTunables=true
 ProtectHome=true
 ReadWritePaths=/var/lib/caddy /var/log/caddy
 PrivateDevices=true
-ProtectControlGroups=true
+ProtectHome=true
 ProtectSystem=strict
 ReadWritePaths=/var/lib/caddy /var/log/caddy
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
 LockPersonality=true
 [Install]
 WantedBy=multi-user.target
--- a/next/caddy.service
+++ b/next/caddy.service
@ -24,6 +24,8 @@ StartLimitBurst=10
 [Service]
 User=caddy
 Group=caddy
 Environment=XDG_DATA_HOME=/var/lib
 Environment=XDG_CONFIG_HOME=/etc
 ExecStart=/usr/bin/caddy run --adapter caddyfile --environ --config /etc/caddy/caddy.conf
 ExecReload=/usr/bin/caddy reload --adapter caddyfile --config /etc/caddy/caddy.conf
@ -39,19 +41,19 @@ TimeoutStopSec=5s
 LimitNOFILE=1048576
 LimitNPROC=512
-
+# Hardening options
 PrivateTmp=true
 ProtectSystem=strict
 ProtectKernelModules=true
 NoNewPrivileges=true
 LockPersonality=true
 ProtectKernelTunables=true
 ProtectHome=true
 ReadWritePaths=/var/lib/caddy /var/log/caddy
 PrivateDevices=true
-ProtectControlGroups=true
+ProtectHome=true
 ProtectSystem=strict
 ReadWritePaths=/var/lib/caddy /var/log/caddy
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
 LockPersonality=true
 [Install]
 WantedBy=multi-user.target