diff --git a/PKGBUILD b/PKGBUILD
index ba8afca..82c8ca9 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,28 +2,45 @@
 pkgname=traefik
 pkgver=2.1.4
-pkgrel=2
+pkgrel=3
 pkgdesc="Modern reverse proxy written in Go"
 arch=('x86_64')
 url="https://containo.us/traefik/"
 license=('MIT')
 makedepends=('go-pie' 'git' 'go-bindata')
 depends=('glibc')
-source=("${pkgname}-${pkgver}.tar.gz::https://github.com/containous/traefik/releases/download/v${pkgver}/traefik-v${pkgver}.src.tar.gz")
-sha512sums=('c45d8b90bc1fc437f38102c03f7d5383b94e5ee362d2c2c837085d80a5007d0432989abc5698267260fb9ba8b22561c68012b47ad0367bc221d501b776ed8992')
+backup=('etc/traefik/traefik.toml'
+ 'etc/traefik/traefik.yaml'
+ 'etc/traefik/traefik.yml')
+source=("${pkgname}-${pkgver}.tar.gz::https://github.com/containous/traefik/releases/download/v${pkgver}/traefik-v${pkgver}.src.tar.gz"
+ 'traefik.service'
+ 'traefik.sysusers')
+noextract=("${pkgname}-${pkgver}.tar.gz")
+sha512sums=('c45d8b90bc1fc437f38102c03f7d5383b94e5ee362d2c2c837085d80a5007d0432989abc5698267260fb9ba8b22561c68012b47ad0367bc221d501b776ed8992'
+ '474dc8274d160bf46a46edf8855378331521b108a767345fb8cb201f23576ceadbee81560d15cf98cac3a978eb24b49f951524da828ffda720797f7ab38bd49c'
+ '5fecfed5df77bf28c2c976ebaebedb030904d41509e740821140a4889bda20327f416e78f8d19b0ee78c8bc422d1907ce05ef3562e4d3e36ddfbdbea5e860b2a')
+
+prepare() {
+ mkdir "${srcdir}/${pkgname}-${pkgver}"
+ tar xfvz "${srcdir}/${pkgname}-${pkgver}.tar.gz" -C "${srcdir}/${pkgname}-${pkgver}"
+}
 build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
 go generate
 cd cmd/traefik
 go build -trimpath -ldflags "-extldflags ${LDFLAGS}"
 }
 check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
 go test ./...
 }
 package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
 install -Dm755 cmd/traefik/"${pkgname}" "${pkgdir}/usr/bin/${pkgname}"
 install -Dm644 LICENSE.md "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
- install -Dm644 contrib/systemd/traefik.service "${pkgdir}/usr/lib/systemd/system/traefik.service"
+ install -Dm644 "${srcdir}/traefik.service" "${pkgdir}/usr/lib/systemd/system/traefik.service"
+ install -Dm644 "${srcdir}/traefik.sysusers" "${pkgdir}/usr/lib/sysusers.d/traefik.conf"
 }
diff --git a/traefik.service b/traefik.service
new file mode 100644
index 0000000..72dafa6
--- /dev/null
+++ b/traefik.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Traefik
+Documentation=https://docs.traefik.io
+After=network-online.target
+AssertFileIsExecutable=/usr/bin/traefik
+AssertPathExists=/etc/traefik/traefik.toml
+
+[Service]
+# Run traefik as its own user (create new user with: useradd -r -s /bin/false -U -M traefik)
+User=traefik
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# configure service behavior
+Type=notify
+ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml
+Restart=always
+WatchdogSec=1s
+
+# lock down system access
+# prohibit any operating system and configuration modification
+ProtectSystem=strict
+# create separate, new (and empty) /tmp and /var/tmp filesystems
+PrivateTmp=true
+# make /home directories inaccessible
+ProtectHome=true
+# turns off access to physical devices (/dev/...)
+PrivateDevices=true
+# make kernel settings (procfs and sysfs) read-only
+ProtectKernelTunables=true
+# make cgroups /sys/fs/cgroup read-only
+ProtectControlGroups=true
+
+# allow writing of acme.json
+ReadWritePaths=/etc/traefik/acme.json
+# depending on log and entrypoint configuration, you may need to allow writing to other paths, too
+
+# limit number of processes in this unit
+#LimitNPROC=1
+
+[Install]
+WantedBy=multi-user.target
diff --git a/traefik.sysusers b/traefik.sysusers
new file mode 100644
index 0000000..d5044b5
--- /dev/null
+++ b/traefik.sysusers
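Review bot: The new `backup=` array lists `etc/traefik/traefik.toml`, `traefik.yaml` and `traefik.yml`, but package() as shown installs only the binary, the licence, the unit and the sysusers file, so none of those paths is shipped and the entries appear to protect nothing. Combined with `AssertPathExists=/etc/traefik/traefik.toml` in the new unit, a fresh install will not start until the admin creates the directory and config by hand, with whatever owner and mode they happen to choose. Consider creating the directory in package(), e.g. `install -dm755 "${pkgdir}/etc/traefik"`, and either shipping a minimal config or documenting the expected ownership for the `traefik` user. Separately, prepare() uses a plain `mkdir`, which fails when the build is re-run in an existing srcdir; `mkdir -p "${srcdir}/${pkgname}-${pkgver}"` avoids that.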
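Review bot: The sandboxing block in `[Service]` grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` but never bounds the capability set or blocks privilege gains through setuid or file-capability binaries in child processes. For an internet-facing proxy I would add `NoNewPrivileges=true` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` next to it. `ReadWritePaths=/etc/traefik/acme.json` names a file that nothing in the visible diff creates; systemd fails the mount-namespace setup when a listed path is missing unless it is prefixed with `-`, and because that file holds ACME account and certificate private keys it should be provisioned owned by `traefik` with mode 0600 (a tmpfiles.d entry would do). The comment above `User=traefik` still tells the admin to run `useradd`, which the new `traefik.sysusers` file makes unnecessary.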
@@ -0,0 +1 @@
+u traefik - "traefik daemon" -