Refactor Debian/Ubuntu package

Move files for packaging outside the docs directory into its own packaging directory. Replace the existing postinstall and postremove scripts with Debian maintainerscripts to behave more like a typical Debian package: * Start and enable the headscale systemd service by default * Does not print informational messages * No longer stop and disable the service on updates This package also performs migrations for all changes done in previous package versions on upgrade: * Set login shell to /usr/sbin/nologin * Set home directory to /var/lib/headscale * Migrate to system UID/GID The package is lintian-clean with a few exceptions that are documented as excludes and it passes puipars (both tested on Debian 12). The following scenarious were tested on Ubuntu 22.04, Ubuntu 24.04, Debian 11, Debian 12: * Install * Install same version again * Install -> Remove -> Install * Install -> Purge -> Install * Purge * Update from 0.22.0 * Update from 0.26.0 See: #2278 See: #2133 Fixes: #2311
2025-10-28 10:51:44 +01:00 · 2025-05-16 17:59:57 +02:00 · 2025-05-16 17:59:57 +02:00 · 4a941a2cb4
commit 4a941a2cb4
parent d2879b2b36
11 changed files with 189 additions and 119 deletions
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -64,8 +64,15 @@ nfpms:
    vendor: headscale
    maintainer: Kristoffer Dalby <kristoffer@dalby.cc>
    homepage: https://github.com/juanfont/headscale
-    license: BSD
+    description: |-
+      Open source implementation of the Tailscale control server.
+      Headscale aims to implement a self-hosted, open source alternative to the
+      Tailscale control server. Headscale's goal is to provide self-hosters and
+      hobbyists with an open-source server they can use for their projects and
+      labs. It implements a narrow scope, a single Tailscale network (tailnet),
+      suitable for a personal use, or a small open-source organisation.
    bindir: /usr/bin
+    section: net
    formats:
      - deb
    contents:
@ -74,15 +81,21 @@ nfpms:
        type: config|noreplace
        file_info:
          mode: 0644
-      - src: ./docs/packaging/headscale.systemd.service
+      - src: ./packaging/systemd/headscale.service
        dst: /usr/lib/systemd/system/headscale.service
      - dst: /var/lib/headscale
        type: dir
-      - dst: /var/run/headscale
-        type: dir
+      - src: LICENSE
+        dst: /usr/share/doc/headscale/copyright
    scripts:
-      postinstall: ./docs/packaging/postinstall.sh
-      postremove: ./docs/packaging/postremove.sh
+      postinstall: ./packaging/deb/postinst
+      postremove: ./packaging/deb/postrm
+      preremove: ./packaging/deb/prerm
+    deb:
+      lintian_overrides:
+        - no-changelog  # Our CHANGELOG.md uses a different formatting
+        - no-manual-page
+        - statically-linked-binary

 kos:
  - id: ghcr
--- a/docs/packaging/README.md
+++ b/docs/packaging/README.md
@ -1,5 +0,0 @@
-# Packaging
-
-We use [nFPM](https://nfpm.goreleaser.com/) for making `.deb`, `.rpm` and `.apk`.
-
-This folder contains files we need to package with these releases.
--- a/docs/packaging/postinstall.sh
+++ b/docs/packaging/postinstall.sh
@ -1,88 +0,0 @@
-#!/bin/sh
-# Determine OS platform
-# shellcheck source=/dev/null
-. /etc/os-release
-
-HEADSCALE_EXE="/usr/bin/headscale"
-BSD_HIER=""
-HEADSCALE_RUN_DIR="/var/run/headscale"
-HEADSCALE_HOME_DIR="/var/lib/headscale"
-HEADSCALE_USER="headscale"
-HEADSCALE_GROUP="headscale"
-HEADSCALE_SHELL="/usr/sbin/nologin"
-
-ensure_sudo() {
-	if [ "$(id -u)" = "0" ]; then
-		echo "Sudo permissions detected"
-	else
-		echo "No sudo permission detected, please run as sudo"
-		exit 1
-	fi
-}
-
-ensure_headscale_path() {
-	if [ ! -f "$HEADSCALE_EXE" ]; then
-		echo "headscale not in default path, exiting..."
-		exit 1
-	fi
-
-	printf "Found headscale %s\n" "$HEADSCALE_EXE"
-}
-
-create_headscale_user() {
-	printf "PostInstall: Adding headscale user %s\n" "$HEADSCALE_USER"
-	useradd -r -s "$HEADSCALE_SHELL" -d "$HEADSCALE_HOME_DIR" -c "headscale default user" "$HEADSCALE_USER"
-}
-
-create_headscale_group() {
-	if command -V systemctl >/dev/null 2>&1; then
-		printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP"
-		groupadd -r "$HEADSCALE_GROUP"
-
-		printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP"
-		usermod -a -G "$HEADSCALE_GROUP" "$HEADSCALE_USER"
-	fi
-
-	if [ "$ID" = "alpine" ]; then
-		printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP"
-		addgroup -S "$HEADSCALE_GROUP"
-
-		printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP"
-		addgroup "$HEADSCALE_USER" "$HEADSCALE_GROUP"
-	fi
-}
-
-create_run_dir() {
-	printf "PostInstall: Creating headscale run directory \n"
-	mkdir -p "$HEADSCALE_RUN_DIR"
-
-	printf "PostInstall: Modifying group ownership of headscale run directory \n"
-	chown "$HEADSCALE_USER":"$HEADSCALE_GROUP" "$HEADSCALE_RUN_DIR"
-}
-
-summary() {
-	echo "----------------------------------------------------------------------"
-	echo " headscale package has been successfully installed."
-	echo ""
-	echo " Please follow the next steps to start the software:"
-	echo ""
-	echo "    sudo systemctl enable headscale"
-	echo "    sudo systemctl start headscale"
-	echo ""
-	echo " Configuration settings can be adjusted here:"
-	echo "    ${BSD_HIER}/etc/headscale/config.yaml"
-	echo ""
-	echo "----------------------------------------------------------------------"
-}
-
-#
-# Main body of the script
-#
-{
-	ensure_sudo
-	ensure_headscale_path
-	create_headscale_user
-	create_headscale_group
-	create_run_dir
-	summary
-}
--- a/docs/packaging/postremove.sh
+++ b/docs/packaging/postremove.sh
@ -1,15 +0,0 @@
-#!/bin/sh
-# Determine OS platform
-# shellcheck source=/dev/null
-. /etc/os-release
-
-if command -V systemctl >/dev/null 2>&1; then
-	echo "Stop and disable headscale service"
-	systemctl stop headscale >/dev/null 2>&1 || true
-	systemctl disable headscale >/dev/null 2>&1 || true
-	echo "Running daemon-reload"
-	systemctl daemon-reload || true
-fi
-
-echo "Removing run directory"
-rm -rf "/var/run/headscale.sock"
--- a/docs/setup/install/official.md
+++ b/docs/setup/install/official.md
@ -87,8 +87,8 @@ managed by systemd.
    sudo nano /etc/headscale/config.yaml
    ```

-1.  Copy [headscale's systemd service file](../../packaging/headscale.systemd.service) to
-    `/etc/systemd/system/headscale.service` and adjust it to suit your local setup. The following parameters likely need
+1.  Copy [headscale's systemd service file](https://github.com/juanfont/headscale/blob/main/packaging/systemd/headscale.service)
+    to `/etc/systemd/system/headscale.service` and adjust it to suit your local setup. The following parameters likely need
    to be modified: `ExecStart`, `WorkingDirectory`, `ReadWritePaths`.

 1.  In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with a path that is writable by the
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -58,9 +58,6 @@ theme:

 # Excludes
 exclude_docs: |
-  /packaging/README.md
-  /packaging/postinstall.sh
-  /packaging/postremove.sh
  /requirements.txt

 # Plugins
--- a/packaging/README.md
+++ b/packaging/README.md
@ -0,0 +1,5 @@
+# Packaging
+
+We use [nFPM](https://nfpm.goreleaser.com/) for making `.deb` packages.
+
+This folder contains files we need to package with these releases.
--- a/packaging/deb/postinst
+++ b/packaging/deb/postinst
@ -0,0 +1,87 @@
+#!/bin/sh
+# postinst script for headscale.
+
+set -e
+
+# Summary of how this script can be called:
+#        * <postinst> 'configure' <most-recently-configured-version>
+#        * <old-postinst> 'abort-upgrade' <new version>
+#        * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
+#          <new-version>
+#        * <postinst> 'abort-remove'
+#        * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
+#          <failed-install-package> <version> 'removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package.
+
+HEADSCALE_USER="headscale"
+HEADSCALE_GROUP="headscale"
+HEADSCALE_HOME_DIR="/var/lib/headscale"
+HEADSCALE_SHELL="/usr/sbin/nologin"
+HEADSCALE_SERVICE="headscale.service"
+
+case "$1" in
+    configure)
+      groupadd --force --system "$HEADSCALE_GROUP"
+      if ! id -u "$HEADSCALE_USER" >/dev/null 2>&1; then
+        useradd --system --shell "$HEADSCALE_SHELL" \
+          --gid "$HEADSCALE_GROUP" --home-dir "$HEADSCALE_HOME_DIR" \
+          --comment "headscale default user" "$HEADSCALE_USER"
+      fi
+
+      if dpkg --compare-versions "$2" lt-nl "0.27"; then
+        # < 0.24.0-beta.1 used /home/headscale as home and /bin/sh as shell.
+        # The directory /home/headscale was not created by the package or
+        # useradd but the service always used /var/lib/headscale which was
+        # always shipped by the package as empty directory. Previous versions
+        # of the package did not update the user account properties.
+        usermod --home "$HEADSCALE_HOME_DIR" --shell "$HEADSCALE_SHELL" \
+          "$HEADSCALE_USER" >/dev/null
+      fi
+
+      if dpkg --compare-versions "$2" lt-nl "0.27" \
+        && [ $(id --user "$HEADSCALE_USER") -ge 1000 ] \
+        && [ $(id --group "$HEADSCALE_GROUP") -ge 1000 ]; then
+        # < 0.26.0-beta.1 created a regular user/group to run headscale.
+        # Previous versions of the package did not migrate to system uid/gid.
+        # Assume that the *default* uid/gid range is in use and only run this
+        # migration when the current uid/gid is allocated in the user range.
+        # Create a temporary system user/group to guarantee the allocation of a
+        # uid/gid in the system range. Assign this new uid/gid to the existing
+        # user and group and remove the temporary user/group afterwards.
+        tmp_name="headscaletmp"
+        useradd --system --no-log-init --no-create-home --shell "$HEADSCALE_SHELL" "$tmp_name"
+        tmp_uid="$(id --user "$tmp_name")"
+        tmp_gid="$(id --group "$tmp_name")"
+        usermod --non-unique --uid "$tmp_uid" --gid "$tmp_gid" "$HEADSCALE_USER"
+        groupmod --non-unique --gid "$tmp_gid" "$HEADSCALE_USER"
+        userdel --force "$tmp_name"
+      fi
+
+      # Enable service and keep track of its state
+      if deb-systemd-helper --quiet was-enabled "$HEADSCALE_SERVICE"; then
+        deb-systemd-helper enable "$HEADSCALE_SERVICE" >/dev/null || true
+      else
+        deb-systemd-helper update-state "$HEADSCALE_SERVICE" >/dev/null || true
+      fi
+
+      # Bounce service
+      if [ -d /run/systemd/system ]; then
+        systemctl --system daemon-reload >/dev/null || true
+        if [ -n "$2" ]; then
+          deb-systemd-invoke restart "$HEADSCALE_SERVICE" >/dev/null || true
+        else
+          deb-systemd-invoke start "$HEADSCALE_SERVICE" >/dev/null || true
+        fi
+      fi
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument '$1'" >&2
+        exit 1
+    ;;
+esac
--- a/packaging/deb/postrm
+++ b/packaging/deb/postrm
@ -0,0 +1,42 @@
+#!/bin/sh
+# postrm script for headscale.
+
+set -e
+
+# Summary of how this script can be called:
+#        * <postrm> 'remove'
+#        * <postrm> 'purge'
+#        * <old-postrm> 'upgrade' <new-version>
+#        * <new-postrm> 'failed-upgrade' <old-version>
+#        * <new-postrm> 'abort-install'
+#        * <new-postrm> 'abort-install' <old-version>
+#        * <new-postrm> 'abort-upgrade' <old-version>
+#        * <disappearer's-postrm> 'disappear' <overwriter>
+#          <overwriter-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package.
+
+
+case "$1" in
+    remove)
+      if [ -d /run/systemd/system ]; then
+        systemctl --system daemon-reload >/dev/null || true
+      fi
+    ;;
+
+    purge)
+      userdel headscale
+      rm -rf /var/lib/headscale
+      if [ -x "/usr/bin/deb-systemd-helper" ]; then
+        deb-systemd-helper purge headscale.service >/dev/null || true
+      fi
+    ;;
+
+    upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument '$1'" >&2
+        exit 1
+    ;;
+esac
--- a/packaging/deb/prerm
+++ b/packaging/deb/prerm
@ -0,0 +1,34 @@
+#!/bin/sh
+# prerm script for headscale.
+
+set -e
+
+# Summary of how this script can be called:
+#        * <prerm> 'remove'
+#        * <old-prerm> 'upgrade' <new-version>
+#        * <new-prerm> 'failed-upgrade' <old-version>
+#        * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> 'deconfigure' 'in-favour'
+#          <package-being-installed> <version> 'removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package.
+
+
+case "$1" in
+    remove)
+      if [ -d /run/systemd/system ]; then
+          deb-systemd-invoke stop headscale.service >/dev/null || true
+      fi
+    ;;
+    upgrade|deconfigure)
+    ;;
+
+    failed-upgrade)
+    ;;
+
+    *)
+        echo "prerm called with unknown argument '$1'" >&2
+        exit 1
+    ;;
+esac
--- a/docs/packaging/headscale.systemd.service
+++ b/docs/packaging/headscale.systemd.service