rpm: Drop systemd sub-package

The _sshca-cli-systemd_ package was intended for machines to automatically get signed SSH host certificates on first boot. Having the systemd unit files in an RPM package allowed them to be installed by Anaconda, without needing custom post-install scripts or Ansible. Unfortunately, various issues prevented this from actually working as intended most of the time, and with the new webhook-based automatic provisioning process, it's not really necessary. I'm thus removing the sub-package that contained the unit files and moving them to the Ansible configuration policy.
ci: Stop building container images
2025-09-13 21:13:25 -05:00 · 2025-09-13 21:11:38 -05:00 · 2025-09-13 21:11:34 -05:00
7 changed files with 3 additions and 162 deletions
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@ -82,70 +82,5 @@ pipeline {
            }
        }

-        stage('Build Container') {
-            matrix {
-                axes {
-                    axis {
-                        name 'ARCH'
-                        values 'amd64', 'arm64'
-                    }
-                }
-                stages {
-                    stage('Container') {
-                        agent {
-                            kubernetes {
-                                yamlFile 'ci/podTemplate-container.yaml'
-                                yamlMergeStrategy merge()
-                                defaultContainer 'buildah'
-                                nodeSelector "kubernetes.io/arch=${ARCH}"
-                            }
-                        }
-
-                        stages {
-                            stage('Build') {
-                                steps {
-                                    sh '. ci/build-container.sh'
-                                    stash name: env.ARCH, includes: "*.oci.tar"
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-        }
-
-        stage('Publish Container') {
-            agent {
-                kubernetes {
-                    yamlFile 'ci/podTemplate-container.yaml'
-                    yamlMergeStrategy merge()
-                    defaultContainer 'buildah'
-                }
-            }
-
-            environment {
-                REGISTRY_AUTH_FILE = "${env.WORKSPACE_TMP}/auth.json"
-            }
-
-            steps {
-                unstash 'amd64'
-                unstash 'arm64'
-                withCredentials([usernamePassword(
-                    credentialsId: 'jenkins-packages',
-                    usernameVariable: 'BUILDAH_USERNAME',
-                    passwordVariable: 'BUILDAH_PASSWORD',
-                )]) {
-                    sh """
-                        buildah login \
-                        --username \${BUILDAH_USERNAME} \
-                        --password \${BUILDAH_PASSWORD} \
-                        git.pyrocufflink.net
-                    """
-                }
-                sh '. ci/publish-container.sh'
-            }
-        }
-
-
    }
 }
--- a/ci/podTemplate.yaml
+++ b/ci/podTemplate.yaml
@ -13,6 +13,8 @@ spec:
      name: ssh-known-hosts
      subPath: ssh_known_hosts
  hostUsers: false
+  nodeSelector:
+    du5t1n.me/jenkins:
  volumes:
  - name: ssh-known-hosts
    configMap:
--- a/ssh-host-cert-sign@.service
+++ b/ssh-host-cert-sign@.service
@ -1,34 +0,0 @@
-[Unit]
-Description=Request %I SSH Host Certificate
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
-ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
-
-CapabilityBoundingSet=CAP_CHOWN
-DeviceAllow=
-DevicePolicy=closed
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
-PrivateUsers=yes
-PrivateTmp=yes
-ProcSubset=pid
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/etc/ssh
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
--- a/ssh-host-certs-renew.target
+++ b/ssh-host-certs-renew.target
@ -1,7 +0,0 @@
-# vim: set ft=systemd :
-[Unit]
-Description=Request SSH Host Certificates
-StopWhenUnneeded=yes
-Wants=ssh-host-cert-sign@ed25519.service
-Wants=ssh-host-cert-sign@rsa.service
-Wants=ssh-host-cert-sign@ecdsa.service
--- a/ssh-host-certs-renew.timer
+++ b/ssh-host-certs-renew.timer
@ -1,12 +0,0 @@
-# vim: set ft=systemd :
-[Unit]
-Description=Periodically renew SSH host certificates
-
-[Timer]
-Unit=%N.target
-OnCalendar=Tue *-*-* 00:00:00
-RandomizedDelaySec=48h
-Persistent=yes
-
-[Install]
-WantedBy=timers.target
--- a/ssh-host-certs.target
+++ b/ssh-host-certs.target
@ -1,10 +0,0 @@
-# vim: set ft=systemd :
-[Unit]
-Description=Request SSH Host Certificates
-ConditionFirstBoot=yes
-Wants=ssh-host-cert-sign@ed25519.service
-Wants=ssh-host-cert-sign@rsa.service
-Wants=ssh-host-cert-sign@ecdsa.service
-
-[Install]
-WantedBy=multi-user.target
--- a/sshca-cli.spec
+++ b/sshca-cli.spec
@ -8,7 +8,7 @@

 Name:           sshca-cli
 Version:        0.1.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        CLI client for SSHCA

 SourceLicense:  MIT OR Apache-2.0
@ -18,30 +18,17 @@ License:        MIT OR Apache-2.0
 URL:            https://git.pyrocufflink.net/dustin/sshca
 Source:         sshca-cli-%{version}.tar.xz
 Source:         sshca-cli-%{version}-vendor.tar.xz
-Source:         ssh-host-cert-sign@.service
-Source:         ssh-host-certs.target
-Source:         ssh-host-certs-renew.target
-Source:         ssh-host-certs-renew.timer

 ExclusiveArch:  %{rust_arches}

 BuildRequires:  cargo-rpm-macros >= 25
 BuildRequires:  openssl-devel
-BuildRequires:  systemd-rpm-macros

 %global _description %{expand:
 CLI client for SSHCA.}

 %description %{_description}

-%package systemd
-Summary:        systemd units for managing SSH host certificates with SSHCA
-Requires:       %{name} = %{version}
-
-%description systemd
-A collection of systemd service, timer, and target units that automatically
-request and renew SSH host certificates from an SSHCA server.
-
 %prep
 %autosetup -n %{crate}-%{version} -p1 -a1
 %cargo_prep -v vendor
@ -56,28 +43,11 @@ request and renew SSH host certificates from an SSHCA server.
 %install
 %cargo_install

-mkdir -p $RPM_BUILD_ROOT%{_unitdir}
-install -m u=rw,go=r \
-	%{SOURCE2} \
-	%{SOURCE3} \
-	%{SOURCE4} \
-	%{SOURCE5} \
-	$RPM_BUILD_ROOT%{_unitdir}
-
 %if %{with check}
 %check
 %cargo_test
 %endif

-%post systemd
-%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
-
-%preun systemd
-%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
-
-%postun systemd
-%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
-
 %files
 %license LICENSE-Apache-2.0.txt
 %license LICENSE-MIT.txt
@ -85,9 +55,6 @@ install -m u=rw,go=r \
 %license cargo-vendor.txt
 %{_bindir}/sshca-cli

-%files systemd
-%{_unitdir}/*
-
 %changelog
 * Sun Nov 05 2023 Dustin C. Hatch <dustin@hatch.name> - 0.1.0-1
 - Initial package