Date: Saturday, May 16, 2020 @ 00:15:22 Author: anthraxx Revision: 628137
next: reduce diff to v1, add go hardening
Modified: caddy/trunk/next/PKGBUILD
caddy/trunk/next/caddy-api.service
caddy/trunk/next/caddy.service
-------------------+
PKGBUILD | 42 +++++++++++++++++++++++++++---------------
caddy-api.service | 18 ++++++++++--------
caddy.service | 18 ++++++++++--------
3 files changed, 47 insertions(+), 31 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-05-15 23:49:26 UTC (rev 628136)
+++ PKGBUILD 2020-05-16 00:15:22 UTC (rev 628137)
@@ -1,22 +1,29 @@
-# Maintainer : Christian Rebischke <chris.rebisc...@archlinux.org>
+# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Maintainer: Christian Rebischke <chris.rebisc...@archlinux.org>
+# Contributor: Wei Congrui < crvv.mail at gmail dot com >
+# Contributor: Carl George < arch at cgtx dot us >
+# Contributor: Eric Engeström <eric at engestrom dot ch>
+# Contributor: Andreas Linz <klingt.net at gmail dot com>
+# Contributor: Akshay S Dinesh <asdofindia at gmail dot com>
 pkgname=caddy
 pkgver=2.0.0
+_gitcommit=e051e119d1dff75972ed9b07cf97bbb989ba8daa
 pkgrel=1
-pkgdesc="Powerful, enterprise-ready, open source web server with automatic HTTPS written in Go"
+pkgdesc='Fast web server with automatic HTTPS'
+url='https://caddyserver.com'
 arch=('x86_64')
-url="https://github.com/caddyserver/caddy"
 license=('Apache')
 depends=('glibc')
-makedepends=('go-pie' 'git')
+makedepends=('go' 'git')
 backup=('etc/caddy/caddy.conf')
-source=("git+https://github.com/caddyserver/caddy#tag=v${pkgver}?signed"
- 'index.html'
- 'caddy.service'
- 'caddy-api.service'
- 'caddy.tmpfiles'
- 'caddy.sysusers'
- 'caddy.conf')
+source=("git+https://github.com/caddyserver/caddy#commit=${_gitcommit}?signed"
+ index.html
+ caddy.service
+ caddy-api.service
+ caddy.tmpfiles
+ caddy.sysusers
+ caddy.conf)
 sha512sums=('SKIP'
 '2abccd41f770daebf61285dc017249f20c707877ea3c870f4a2375bbbd2bf481a8652d1fd3c7afd7d6b5c54838e9d8474a33e2c9790ef67dcf9d79c4e52953b4'
 '41e88f85972c5680c919b556f3f163e7908f5a6226b9c38bde0d7cfb32c62e2975fadaaa07534109c29dcdeceb5b696169dccaf8a1c132d578a327c6cf97b76d'
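Review bot: The new `_gitcommit=e051e119…` line carries no note of which upstream release it pins, so the next person bumping the package cannot tell at a glance whether the hash still matches the v2.0.0 tag it replaces without cloning the repo; record it inline, e.g. `_gitcommit=e051e119d1dff75972ed9b07cf97bbb989ba8daa # v2.0.0`. Moving from `#tag=v${pkgver}` to `#commit=` is the stronger supply-chain pin, since a tag can be re-pointed and a hash cannot. One caveat worth a comment as well: as far as I recall, makepkg's `?signed` on a commit fragment runs `git verify-commit` on that commit rather than `git verify-tag`, so this now depends on upstream having signed the commit itself (not just the release tag) — if only the tag is signed, source verification will fail on a clean build.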
@@ -25,7 +32,7 @@
 'c893d88fec89e37da6596030c8dce7103e7e575371e8542a24d2a0741e877358d85219f2d8ade9d6aa0f515efe1156a4badd9fef5f65f553a5b0c72330c4728f'
 '399c177475e299bf5736dba1a9d045477072594390b73c7dd2e13e12785abe029d48e480aee98216f7a8735addd353ce4a07b56ed14364f641b138e4fca0ebcd')
 validpgpkeys=(
- '29D0817A67156E4F25DC24782A349DD577D586A5' # Matthew Holt <mh...@users.noreply.github.com>
+ 29D0817A67156E4F25DC24782A349DD577D586A5 # Matthew Holt <mh...@users.noreply.github.com>
 )
 pkgver() {
@@ -40,7 +47,12 @@
 build() {
 cd "${pkgname}/cmd/caddy/"
- go build -trimpath -ldflags "-extldflags ${LDFLAGS}" -o caddy
+ export CGO_LDFLAGS="${LDFLAGS}"
+ export CGO_CPPFLAGS="${CPPFLAGS}"
+ export CGO_CFLAGS="${CFLAGS}"
+ export CGO_CXXFLAGS="${CXXFLAGS}"
+ export GOFLAGS="-buildmode=pie -trimpath"
+ go build .
 }
 check() {
@@ -50,12 +62,12 @@
 package() {
 cd "${pkgname}"
- install -Dm755 "cmd/caddy/${pkgname}" "${pkgdir}/usr/bin/${pkgname}"
+ install -Dm 755 cmd/caddy/caddy -t "${pkgdir}/usr/bin"
 install -Dm 644 "${srcdir}/caddy.service" -t "${pkgdir}/usr/lib/systemd/system"
 install -Dm 644 "${srcdir}/caddy-api.service" -t "${pkgdir}/usr/lib/systemd/system"
 install -Dm 644 "${srcdir}/caddy.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/caddy.conf"
 install -Dm 644 "${srcdir}/caddy.sysusers" "${pkgdir}/usr/lib/sysusers.d/caddy.conf"
 install -Dm 644 "${srcdir}/caddy.conf" "${pkgdir}/etc/caddy/caddy.conf"
+ install -d "${pkgdir}/etc/caddy/conf.d"
 install -Dm 644 "${srcdir}/index.html" "${pkgdir}/usr/share/caddy/index.html"
- install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }
Modified: caddy-api.service
===================================================================
--- caddy-api.service 2020-05-15 23:49:26 UTC (rev 628136)
+++ caddy-api.service 2020-05-16 00:15:22 UTC (rev 628137)
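Review bot: `export GOFLAGS="-buildmode=pie -trimpath"` in build() leaves `go build .` free to rewrite go.mod/go.sum and resolve modules not pinned in go.sum, because on the Go toolchain current in May 2020 `-mod=readonly` is not yet the default; for a build that fails loudly instead of silently changing the dependency pins, use `export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"` (`-modcacherw` additionally keeps the module cache deletable by makepkg). The `CGO_LDFLAGS="${LDFLAGS}"` export replaces the removed `-extldflags ${LDFLAGS}`, but both only reach the binary when Go hands linking to the system linker; if the intent of "go hardening" is to guarantee the distro's RELRO/`-z now` flags end up applied, add `-ldflags=-linkmode=external` to GOFLAGS rather than relying on `-buildmode=pie` happening to pick external linking on this Go version. The removed `-o caddy` is harmless since the package directory name yields the same `cmd/caddy/caddy` that package() installs.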
@@ -18,6 +18,8 @@
 [Service]
 User=caddy
 Group=caddy
+Environment=XDG_DATA_HOME=/var/lib
+Environment=XDG_CONFIG_HOME=/var/lib
 ExecStart=/usr/bin/caddy run --environ --resume
 # Do not allow the process to be restarted in a tight loop. If the
@@ -32,19 +34,19 @@
 LimitNOFILE=1048576
 LimitNPROC=512
-
+# Hardening options
 PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
 ProtectSystem=strict
-ProtectKernelModules=true
+ReadWritePaths=/var/lib/caddy /var/log/caddy
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
-LockPersonality=true
 ProtectKernelTunables=true
-ProtectHome=true
-ReadWritePaths=/var/lib/caddy /var/log/caddy
-PrivateDevices=true
+ProtectKernelModules=true
 ProtectControlGroups=true
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+LockPersonality=true
 [Install]
 WantedBy=multi-user.target
Modified: caddy.service
===================================================================
--- caddy.service 2020-05-15 23:49:26 UTC (rev 628136)
+++ caddy.service 2020-05-16 00:15:22 UTC (rev 628137)
@@ -24,6 +24,8 @@
 [Service]
 User=caddy
 Group=caddy
+Environment=XDG_DATA_HOME=/var/lib
+Environment=XDG_CONFIG_HOME=/etc
 ExecStart=/usr/bin/caddy run --adapter caddyfile --environ --config /etc/caddy/caddy.conf
 ExecReload=/usr/bin/caddy reload --adapter caddyfile --config /etc/caddy/caddy.conf
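Review bot: The two new `Environment=XDG_*` lines in caddy-api.service say nothing about why both point at `/var/lib` rather than `/var/lib/caddy`, and that derivation is the whole reason the unit works: if I recall Caddy's directory logic correctly it appends its own `caddy` component, so the autosaved config that `--resume` reloads and the certificate store both land in `/var/lib/caddy`, which is exactly the path the unit's ReadWritePaths (in the later hunk) opens up under ProtectSystem=strict. A comment above them would keep the next editor from "fixing" the path, e.g. `# Caddy appends "caddy/" itself: config autosave (read by --resume) and data both end up in /var/lib/caddy, the only tree ReadWritePaths= makes writable`. Please verify the appended-component behaviour against the caddy version being packaged before committing to that wording.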
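Review bot: `ReadWritePaths=/var/lib/caddy /var/log/caddy` in caddy-api.service lists /var/log/caddy without the `-` prefix, and in my experience systemd then refuses to set up the mount namespace — so the unit fails to start — whenever that directory does not exist; nothing in this diff shows it being created (caddy.tmpfiles is installed by the PKGBUILD but its contents are not in the change). Either confirm the tmpfiles entry creates /var/log/caddy on every boot, or make the log path optional so an absent directory cannot take the service down: `ReadWritePaths=/var/lib/caddy -/var/log/caddy`. The remainder of the block is a reorder of directives the unit already carried, which is fine as written.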
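Review bot: `Environment=XDG_CONFIG_HOME=/etc` in caddy.service points Caddy's config directory at /etc, and — if Caddy 2.0 autosaves the active config to `$XDG_CONFIG_HOME/caddy/autosave.json` the way caddy-api.service's `--resume` relies on — every `caddy run`/`caddy reload` will attempt to write /etc/caddy/autosave.json, which the unit's ProtectSystem=strict (in the following hunk) makes read-only and ReadWritePaths does not cover; expect an "unable to autosave config" error in the journal on each start and reload rather than a crash, but it is noise that hides real errors. Unless there is a reason to diverge from caddy-api.service, set `Environment=XDG_CONFIG_HOME=/var/lib` here too so the autosave lands in the already-writable /var/lib/caddy and /etc/caddy stays read-only to the service user. The hardening block that makes this bite is outside this hunk; a one-line comment next to the variable explaining the choice would help either way.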
@@ -39,19 +41,19 @@
 LimitNOFILE=1048576
 LimitNPROC=512
-
+# Hardening options
 PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
 ProtectSystem=strict
-ProtectKernelModules=true
+ReadWritePaths=/var/lib/caddy /var/log/caddy
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
-LockPersonality=true
 ProtectKernelTunables=true
-ProtectHome=true
-ReadWritePaths=/var/lib/caddy /var/log/caddy
-PrivateDevices=true
+ProtectKernelModules=true
 ProtectControlGroups=true
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+LockPersonality=true
 [Install]
 WantedBy=multi-user.target
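Review bot: The `# Hardening options` block in caddy.service (identical to the one in caddy-api.service) stops at filesystem and capability confinement; for a network daemon running as an unprivileged user with only CAP_NET_BIND_SERVICE, the cheap next layer — socket-family, namespace, realtime and syscall restrictions — is missing, and each of these is a one-liner that a Go HTTP server is normally compatible with. The additions below are what I would try; AF_NETLINK is included because Go's net package may enumerate interfaces over netlink, and `@system-service` is the broad allowlist rather than a hand-rolled one, so please confirm with `systemd-analyze security caddy.service` plus a real start and reload before shipping. Since both units carry the same block, whatever lands here should be mirrored in caddy-api.service so the two sandboxes do not drift.
```ini
# … unchanged: existing hardening directives through LockPersonality=true …
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
ProtectHostname=true
ProtectClock=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
```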