Fix #65593

add traefik service
add traefik sysusers file
noextract tarball, because we need a clean build environment.
Otherwise the go tests will fail, due to service and sysusers files in the repo.

PKGBUILD

@@ -2,28 +2,45 @@
 
 pkgname=traefik
 pkgver=2.1.4
-pkgrel=2
+pkgrel=3
 pkgdesc="Modern reverse proxy written in Go"
 arch=('x86_64')
 url="https://containo.us/traefik/"
 license=('MIT')
 makedepends=('go-pie' 'git' 'go-bindata')
 depends=('glibc')
-source=("${pkgname}-${pkgver}.tar.gz::https://github.com/containous/traefik/releases/download/v${pkgver}/traefik-v${pkgver}.src.tar.gz")
-sha512sums=('c45d8b90bc1fc437f38102c03f7d5383b94e5ee362d2c2c837085d80a5007d0432989abc5698267260fb9ba8b22561c68012b47ad0367bc221d501b776ed8992')
+backup=('etc/traefik/traefik.toml'
+        'etc/traefik/traefik.yaml'
+        'etc/traefik/traefik.yml')
+source=("${pkgname}-${pkgver}.tar.gz::https://github.com/containous/traefik/releases/download/v${pkgver}/traefik-v${pkgver}.src.tar.gz"
+        'traefik.service'
+        'traefik.sysusers')
+noextract=("${pkgname}-${pkgver}.tar.gz")
+sha512sums=('c45d8b90bc1fc437f38102c03f7d5383b94e5ee362d2c2c837085d80a5007d0432989abc5698267260fb9ba8b22561c68012b47ad0367bc221d501b776ed8992'
+            '474dc8274d160bf46a46edf8855378331521b108a767345fb8cb201f23576ceadbee81560d15cf98cac3a978eb24b49f951524da828ffda720797f7ab38bd49c'
+            '5fecfed5df77bf28c2c976ebaebedb030904d41509e740821140a4889bda20327f416e78f8d19b0ee78c8bc422d1907ce05ef3562e4d3e36ddfbdbea5e860b2a')
+
+prepare() {
+  mkdir "${srcdir}/${pkgname}-${pkgver}"
+  tar xfvz "${srcdir}/${pkgname}-${pkgver}.tar.gz" -C "${srcdir}/${pkgname}-${pkgver}"
+}
 
 build() {
+  cd "${srcdir}/${pkgname}-${pkgver}"
   go generate
   cd cmd/traefik
   go build -trimpath -ldflags "-extldflags ${LDFLAGS}"
 }
 
 check() {
+  cd "${srcdir}/${pkgname}-${pkgver}"
   go test ./...
 }
 
 package() {
+  cd "${srcdir}/${pkgname}-${pkgver}"
   install -Dm755 cmd/traefik/"${pkgname}" "${pkgdir}/usr/bin/${pkgname}"
   install -Dm644 LICENSE.md "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
-  install -Dm644 contrib/systemd/traefik.service "${pkgdir}/usr/lib/systemd/system/traefik.service"
+  install -Dm644 "${srcdir}/traefik.service" "${pkgdir}/usr/lib/systemd/system/traefik.service"
+  install -Dm644 "${srcdir}/traefik.sysusers" "${pkgdir}/usr/lib/sysusers.d/traefik.conf"
 }

traefik.service

@@ -0,0 +1,41 @@
+[Unit]
+Description=Traefik
+Documentation=https://docs.traefik.io
+After=network-online.target
+AssertFileIsExecutable=/usr/bin/traefik
+AssertPathExists=/etc/traefik/traefik.toml
+
+[Service]
+# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
+User=traefik
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# configure service behavior
+Type=notify
+ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml
+Restart=always
+WatchdogSec=1s
+
+# lock down system access
+# prohibit any operating system and configuration modification
+ProtectSystem=strict
+# create separate, new (and empty) /tmp and /var/tmp filesystems
+PrivateTmp=true
+# make /home directories inaccessible
+ProtectHome=true
+# turns off access to physical devices (/dev/...)
+PrivateDevices=true
+# make kernel settings (procfs and sysfs) read-only
+ProtectKernelTunables=true
+# make cgroups /sys/fs/cgroup read-only
+ProtectControlGroups=true
+
+# allow writing of acme.json
+ReadWritePaths=/etc/traefik/acme.json
+# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
+
+# limit number of processes in this unit
+#LimitNPROC=1
+
+[Install]
+WantedBy=multi-user.target

traefik.sysusers

@@ -0,0 +1 @@
+u traefik - "traefik daemon" -