# Spec for the ahdapa OAuth2/OIDC identity provider workspace. # # DO NOT edit ahdapa.spec directly — it is generated from this file by # 'make srpm'. Edit ahdapa.spec.in and run 'make srpm' to regenerate. # # Source tarball ('make tarball'): # git archive --format=tar.gz --prefix=ahdapa-{version}/ HEAD \ # -o ahdapa-{version}.tar.gz # # Vendor tarball ('make vendor'): # Uses cargo-vendor-filterer to exclude platform-specific crates (Windows, # macOS, WASM, Redox) and strip test/bench directories from vendored sources: # cargo vendor-filterer --versioned-dirs vendor/ # cp -a vendor/synta-{ver}/asn1 vendor/asn1 # for synta-codegen build.rs # tar czf ahdapa-{version}-vendor.tar.gz -C . vendor/ Cargo.lock # # The vendor tarball is self-sufficient — it contains all crate sources so a # single SRPM builds across Fedora versions. system-crates.txt (Source12) # lists crates that CAN be overlaid by system packages at %%build time; # those overlay crates are then stripped from bundled(crate()) Provides. # # Crates available as system packages (installed via BuildRequires): # native-ossl, rustls-native-ossl — packaged in COPR abbra/synta # synta* 0.2.x — packaged in COPR abbra/synta # 300+ other crates — standard Fedora rust-*-devel packages # # Crates that must NOT be overlaid even when Fedora provides them: # sqlx* 0.8.x — Fedora patches deps (whoami ^2) incompatible with # upstream Cargo.lock (whoami ^1); must stay vendored # criterion 0.5 — benchmarking framework (ahdapa-bench dev-dep); compiled # into the criterion harness executables when --with tools; # excluded from __cargo_common_opts via -Z avoid-dev-deps # for the main %%cargo_build pass. criterion and its unique # deps (criterion-plot, anes, cast, oorandom, tinytemplate, # plotters/plotters-backend/plotters-svg, rayon/rayon-core, # crossbeam-deque/crossbeam-epoch, is-terminal, same-file, # walkdir, futures umbrella, itertools 0.10.x) are filtered # from cargo-vendor.txt so bundled(crate()) Provides reflect # the main ahdapa binary only; ahdapa-tools bundles them. # # PREREQUISITE: install synta* into the mock chroot before rebuilding: # mock --install rust-synta-devel rust-synta-certificate-devel # Snapshot release identifiers — substituted by 'make srpm' via sed. # Do not edit these lines manually; the sed pattern matches the whole line. %global snapdate 202607091640 %global snapcommit 7bb6351a %bcond check 1 # SELinux policy module — labels /usr/bin/ahdapa, /run/ahdapa/, /var/lib/ahdapa, # and /etc/ahdapa with custom types. Covers: httpd_t (mod_proxy) Unix socket # forwarding; gssproxy GSSAPI integration including keytab in /etc/httpd/conf/ # (httpd_config_t); FreeIPA co-deployment (/var/lib/ipa/ search); Kerberos # KEYRING ccache; proc_t anonymous inode association; systemd runtime symlinks. # Disable with: rpmbuild --without selinux %bcond selinux 1 # Optional database backends (in addition to the always-on SQLite default). # Disable with: rpmbuild --without backend_postgres or --without backend_mariadb %bcond backend_postgres 1 %bcond backend_mariadb 1 # Optional management web UI built from webui/ using npm. # Requires Source6 (ahdapa-%%{version}-webui-dist.tar.gz, see 'make webui-dist'). # When disabled, webui assets are not installed but the ahdapa binary still works. # Disable with: rpmbuild --without webui %bcond webui 1 # Optional load-testing / benchmark tools (ahdapa-bench CLI + criterion harness # executables + bench.sh orchestration script). # Disable with: rpmbuild --without tools %bcond tools 1 # Optional system userdb lookup via io.systemd.UserDatabase varlink interface. # Requires systemd 246+. Disable with: rpmbuild --without varlink %bcond varlink 1 # Optional PAM password authentication backend (pam_sss, pam_winbind, etc.). # Requires pam-devel at build time and /etc/pam.d/ahdapa at runtime. # Disable with: rpmbuild --without pam %bcond pam 1 # SPIFFE Workload Proxy daemon — forwards SPIFFE Workload API requests from # IPA-enrolled non-Ahdapa hosts to an Ahdapa node via Kerberos credentials. # Disable with: rpmbuild --without spiffe_proxy %bcond spiffe_proxy 1 # Force --locked for all cargo invocations. Without it, cargo resolves the # dependency graph from scratch in the offline build environment and fails to # locate the vendored crates. --locked tells cargo to use Cargo.lock as-is. %global __cargo_common_opts %{?_smp_mflags} -Z avoid-dev-deps --locked # Feature list passed to cargo: sqlite is always on; postgres/mariadb are opt-in. %global _ahdapa_features backend-sqlite %if %{with backend_postgres} %global _ahdapa_features %{_ahdapa_features},backend-postgres %endif %if %{with backend_mariadb} %global _ahdapa_features %{_ahdapa_features},backend-mariadb %endif %if %{with varlink} %global _ahdapa_features %{_ahdapa_features},varlink %endif %if %{with pam} %global _ahdapa_features %{_ahdapa_features},pam %endif Name: ahdapa Version: 0.1.0 Release: 1.%{snapdate}.git%{snapcommit}%{?dist} Summary: OAuth2/OIDC identity provider with FreeIPA integration License: GPL-3.0-or-later URL: https://codeberg.org/freeipa/ahdapa # git archive --format=tar.gz --prefix=ahdapa-{version}/ HEAD \ # -o ahdapa-{version}.tar.gz Source0: ahdapa-%{version}.tar.gz # Vendor tarball — generated by cargo-vendor-filterer (see generation # instructions at the top of this spec). Platform-specific crates (Windows, # macOS, WASM, Redox) are excluded at vendor time. The tarball is # self-sufficient: it contains ALL remaining crate sources so a single SRPM # builds across Fedora versions. Source12 lists crates that CAN be replaced # by system packages; the replacement happens in %%build as an optimisation. Source1: ahdapa-%{version}-vendor.tar.gz # Systemd service unit (from contrib/systemd/ in the source tree; copied into # _sourcedir by the 'make srpm' target). Source2: ahdapa.service # Systemd socket unit — enables socket activation (optional; see docs). Source7: ahdapa.socket # Example configuration file; installed as %%{_sysconfdir}/ahdapa/ahdapa.toml.example Source3: ahdapa.toml.example # sysusers.d — system user/group definition Source4: ahdapa-sysusers.conf # tmpfiles.d — /var/lib/ahdapa state directory creation Source5: ahdapa-tmpfiles.conf # Pre-built management web UI static assets (Vite/npm output from webui/dist/). # Generated with: cd webui && npm install && npm run build && \ # tar czf ahdapa-{version}-webui-dist.tar.gz dist/ # See 'make webui-dist' in contrib/packages/. Source6: ahdapa-%{version}-webui-dist.tar.gz # PAM service file — installed as /etc/pam.d/ahdapa when --with pam. Source8: ahdapa-pam.conf # SPIFFE Workload Proxy systemd service unit (from contrib/systemd/). Source9: ahdapa-spiffe-proxy.service # sysusers.d — system user for the SPIFFE Workload Proxy (spiffe-proxy). Source10: ahdapa-spiffe-proxy-sysusers.conf # Example configuration; installed as %%{_sysconfdir}/ahdapa/spiffe-proxy.toml.example. Source11: spiffe-proxy.toml.example # Manifest of crates replaceable by Fedora system packages. At %%build time # the spec overlays system crates onto vendor/ when available at the exact # version, falling back to the vendor copy otherwise. Source12: system-crates.txt ExclusiveArch: %{rust_arches} BuildRequires: cargo-rpm-macros >= 26 # System OpenSSL — native-ossl-sys links against it via bindgen-generated FFI. # Rebuild this package whenever openssl-devel is updated in Fedora. BuildRequires: pkgconfig(openssl) BuildRequires: openssl-devel # SQLite — required by the always-on backend-sqlite feature (libsqlite3-sys). BuildRequires: pkgconfig(sqlite3) BuildRequires: sqlite-devel # LDAP / SASL / GSSAPI — required by the ahdapa-ldap and ahdapa-gssapi FFI crates. BuildRequires: openldap-devel BuildRequires: cyrus-sasl-devel BuildRequires: krb5-devel # Optional backend: PostgreSQL (libpq) %if %{with backend_postgres} BuildRequires: pkgconfig(libpq) BuildRequires: libpq-devel %endif # Optional backend: MariaDB / MySQL (Connector/C) %if %{with backend_mariadb} BuildRequires: pkgconfig(libmariadb) BuildRequires: mariadb-connector-c-devel %endif # Optional varlink userdb feature: kirmes is pure Rust, no system library needed. # Optional PAM authentication backend: links against libpam. %if %{with pam} BuildRequires: pam-devel %endif # The native-ossl-sys build script generates FFI bindings via bindgen, which # requires libclang. Rebuild this package whenever openssl-devel changes. BuildRequires: clang-devel # protobuf-compiler (protoc) — required by the ahdapa-spiffe build script # (tonic-prost-build) to compile the SPIFFE Workload API .proto file into Rust. BuildRequires: protobuf-compiler # synta* crates are packaged separately (COPR); install them into the mock # chroot before rebuilding this SRPM: # mock --install rust-synta-devel rust-synta-certificate-devel BuildRequires: rust-synta-devel BuildRequires: rust-synta-certificate-devel # Systemd scriptlet support BuildRequires: systemd-rpm-macros # Management web UI static assets are pre-built (see 'make webui-dist') and # bundled in Source6; no Node.js or npm is needed inside the mock chroot. # Man page compiler (docs/man/*.scd → gzipped groff). BuildRequires: scdoc # SELinux policy module build tooling %if %{with selinux} BuildRequires: selinux-policy-devel BuildRequires: policycoreutils %endif %{?systemd_requires} %if %{with selinux} Requires(post): policycoreutils Requires(postun): policycoreutils %endif %description Ahdapa is a stateless OAuth2 / OpenID Connect identity provider with native FreeIPA / Kerberos integration. It implements the core OAuth2 and OIDC specifications (RFC 6749, RFC 7636, RFC 7662, RFC 8707, RFC 9126, RFC 8628, OIDC Core 1.0) plus WebAuthn passkey authentication, post-quantum signing via ML-DSA (FIPS 204), and OIDC Federation 1.0. State (signing keys, client registrations, cluster membership) is replicated across nodes using a CRDT gossip protocol without a shared database. A SQLite, PostgreSQL, or MariaDB backend can be used for persistence and session storage. %files %license LICENSE %license LICENSE.dependencies %license cargo-vendor.txt %{_bindir}/ahdapa %{_bindir}/ahdapactl %{_mandir}/man8/ahdapa.8.gz %{_mandir}/man5/ahdapa.toml.5.gz %{_mandir}/man1/ahdapactl.1.gz %{_unitdir}/ahdapa.service %{_unitdir}/ahdapa.socket %{_sysusersdir}/ahdapa.conf %{_tmpfilesdir}/ahdapa.conf %dir %{_sysconfdir}/ahdapa %config(noreplace) %{_sysconfdir}/ahdapa/ahdapa.toml.example %ghost %dir %attr(0750,ahdapa,ahdapa) %{_sharedstatedir}/ahdapa %doc docs/src %doc contrib/demo/ahdapa.sample.toml %doc contrib/demo/lib.sh %doc contrib/demo/run.sh %doc contrib/demo/test-users.toml.in %doc contrib/demo/ahdapactl %doc contrib/demo/ccache %doc contrib/demo/cluster %doc contrib/demo/federation %doc contrib/demo/github %doc contrib/demo/ipa %doc contrib/demo/obo %doc contrib/demo/passkey %doc contrib/demo/spiffe %doc contrib/demo/static-clients %if %{with pam} %config(noreplace) %{_sysconfdir}/pam.d/ahdapa %endif %if %{with webui} %{_datadir}/ahdapa/webui/ %endif %if %{with selinux} %{_datadir}/selinux/packages/%{name}.pp %endif # ── Subpackage: tools (benchmark / load testing) ────────────────────────────── %if %{with tools} %package -n ahdapa-tools Summary: Load-testing and benchmark tools for ahdapa License: GPL-3.0-or-later Requires: ahdapa = %{version}-%{release} # bench.sh uses curl for health-check polling and openssl for TLS PKI generation. Requires: curl Requires: openssl # bench.sh uses python3 for JSON parsing and graph generation (matplotlib optional). Requires: python3 %description -n ahdapa-tools ahdapa-tools provides the ahdapa-bench binary and the bench.sh orchestration script for load-testing and benchmarking a running ahdapa cluster. ahdapa-bench probe — health-check all configured nodes ahdapa-bench converge — measure gossip convergence time across all nodes bench.sh spins up a local N-node cluster (or targets a remote one), runs gossip convergence measurements, and invokes criterion benchmark harness executables for endpoint latency measurements. Set AHDAPA_DEV_MODE=1 to switch to dev mode, which uses cargo to build from source and run benchmarks via "cargo bench". %files -n ahdapa-tools %license LICENSE %{_bindir}/ahdapa-bench %dir %{_libexecdir}/ahdapa-bench %{_libexecdir}/ahdapa-bench/client_credentials %{_libexecdir}/ahdapa-bench/auth_code %{_libexecdir}/ahdapa-bench/introspect %{_libexecdir}/ahdapa-bench/device_flow %dir %{_datadir}/ahdapa/bench %{_datadir}/ahdapa/bench/bench.sh %endif # ── Subpackage: SPIFFE Workload Proxy ───────────────────────────────────────── %if %{with spiffe_proxy} %package -n ahdapa-spiffe-proxy Summary: SPIFFE Workload Proxy for IPA-enrolled hosts License: GPL-3.0-or-later %{?systemd_requires} %description -n ahdapa-spiffe-proxy ahdapa-spiffe-proxy is a standalone daemon that IPA-enrolled hosts can run to expose a local SPIFFE Workload API gRPC endpoint (Unix socket). Instead of issuing SVIDs from a local CA, it forwards requests to an Ahdapa node and authenticates using the host's existing Kerberos credentials (keytab or ccache from IPA enrollment). Workloads on the host connect to the local Unix socket as if it were a native SPIFFE Workload API endpoint. The proxy handles JWT-SVID issuance, X.509-SVID issuance (generating ephemeral keypairs locally so the private key never leaves the host), and SPIFFE bundle distribution. %files -n ahdapa-spiffe-proxy %license LICENSE %{_bindir}/ahdapa-spiffe-proxy %{_unitdir}/ahdapa-spiffe-proxy.service %{_sysusersdir}/ahdapa-spiffe-proxy.conf %dir %{_sysconfdir}/ahdapa %config(noreplace) %{_sysconfdir}/ahdapa/spiffe-proxy.toml.example %endif # ── Prep ─────────────────────────────────────────────────────────────────────── %prep # Unpack the source tarball; -a1 unpacks Source1 (vendor/) inside the build dir. %autosetup -n %{name}-%{version} -p1 -a1 # Set up the cargo build environment using the full vendor tree. # %%cargo_prep -v vendor configures .cargo/config.toml to redirect all # crates-io lookups to vendor/. %cargo_prep -v vendor # Strip executable bits from all vendored source files. # unicode-normalization ships scripts/unicode.py with +x and #!/usr/bin/env python # (no version). find-debuginfo copies it to /usr/src/debug/; brp-mangle-shebangs # then expands the shebang to /usr/bin/python, detects it as ambiguous python # (line 160: fail=1), and aborts the build. Stripping +x prevents this. find vendor/ -type f -exec chmod -x {} \; # ── Generate BuildRequires ───────────────────────────────────────────────────── %generate_buildrequires # The vendor tarball (Source1) is self-sufficient: it contains ALL crate # dependencies so the build works on any Fedora version. Source12 # (system-crates.txt) lists crates that CAN be replaced by system packages # when available — the replacement happens in %%build as an optimisation. # # Emit unversioned crate() BuildRequires so rust-*-devel packages are installed. # The %%build overlay loop checks for the exact version match — if the system # provides a different version, the vendor copy is used as fallback. # Unversioned deps avoid cross-Fedora version mismatches (e.g. Rawhide has # bitflags 2.13 but F44 has 2.9; both satisfy "crate(bitflags)"). while read -r _name _ver _cksum; do echo "crate($_name)" done < %{SOURCE12} # # %%cargo_generate_buildrequires is intentionally omitted: it would emit # crate() BuildRequires for every dependency including dev-deps like # criterion 0.5 that are not packaged in Fedora. Non-crate build # requirements are declared statically in the BuildRequires: lines above. # ── Build ────────────────────────────────────────────────────────────────────── %build # The vendor tarball is self-sufficient — no crate overlay needed. System crate # packages are installed (via unversioned crate() deps) only so we can detect # which crates are available as system packages and strip them from the bundled # Provides list (cargo-vendor.txt) below. # # We intentionally do NOT copy system crate sources into vendor/: # Fedora patches Cargo.toml in system crates (relaxing/bumping dep version # constraints), which makes the dependency metadata differ from upstream. # Cargo --locked rejects the mismatch. The vendor copy has identical source # code and correct Cargo.toml metadata matching Cargo.lock. # # Strip executable bits on vendored crates (same reason as in %%prep: # brp-mangle-shebangs chokes on ambiguous python shebangs in vendor scripts). find vendor/ -type f -perm /111 -exec chmod -x {} \; # Build the ahdapa binary. # Pass the feature list explicitly; --no-default-features keeps the set minimal # (only what %%{_ahdapa_features} requests, always at least backend-sqlite). %cargo_build -- --workspace --no-default-features --features %{_ahdapa_features} # Build criterion harness executables for the tools subpackage. # These are [[bench]] targets in ahdapa-bench; they have criterion linked in # and are run directly (without cargo) in installed mode by bench.sh. # Must use a direct cargo invocation without -Z avoid-dev-deps so that criterion # (a dev-dependency) is available for compilation. %if %{with tools} cargo build --release --locked --benches -p ahdapa-bench %endif # Generate the bundled-dependency license summary required by Fedora policy. %{cargo_license_summary} %{cargo_license} > LICENSE.dependencies %{cargo_vendor_manifest} # Platform-specific crates (Windows, macOS, WASM, Redox) are excluded at vendor # time by cargo-vendor-filterer. Criterion and its transitive dependencies are # still vendored (needed by the ahdapa-tools bench harness) but must not appear # in the main package's bundled(crate()) Provides. sed -i -E \ -e '/^criterion/d' \ -e '/^(anes|cast|oorandom|tinytemplate) /d' \ -e '/^plotters/d' \ -e '/^rayon/d' \ -e '/^(crossbeam-deque|crossbeam-epoch) /d' \ -e '/^futures /d' \ -e '/^(is-terminal|same-file|walkdir) /d' \ -e '/^itertools 0\.10\./d' \ cargo-vendor.txt # Strip crates available as system packages — they are not bundled. while read -r _name _ver _cksum; do _sysdir="/usr/share/cargo/registry/${_name}-${_ver}" if [ -d "$_sysdir" ]; then sed -i "/^${_name} ${_ver}/d" cargo-vendor.txt fi done < %{SOURCE12} # Compile man pages from scdoc sources. scdoc < docs/man/ahdapa.8.scd | gzip -9 > ahdapa.8.gz scdoc < docs/man/ahdapa.toml.5.scd | gzip -9 > ahdapa.toml.5.gz scdoc < docs/man/ahdapactl.1.scd | gzip -9 > ahdapactl.1.gz # Compile the SELinux policy module (.te + .fc + .if → ahdapa.pp). %if %{with selinux} make -C contrib/selinux -f /usr/share/selinux/devel/Makefile ahdapa.pp %endif # Unpack the pre-built management web UI static assets (Source6). %if %{with webui} tar -xzf %{SOURCE6} -C webui/ %endif # ── Install ──────────────────────────────────────────────────────────────────── %install # Copy the built binary from target/rpm/ into the buildroot. # Per Fedora Rust packaging guidelines for workspace projects, %%cargo_install # SHOULD NOT be used; copy executables explicitly from target/rpm/. install -Dpm 0755 target/rpm/ahdapa %{buildroot}%{_bindir}/ahdapa # Man pages (compiled from scdoc sources in %%build) install -Dpm 0644 ahdapa.8.gz %{buildroot}%{_mandir}/man8/ahdapa.8.gz install -Dpm 0644 ahdapa.toml.5.gz %{buildroot}%{_mandir}/man5/ahdapa.toml.5.gz install -Dpm 0644 ahdapactl.1.gz %{buildroot}%{_mandir}/man1/ahdapactl.1.gz # Copy the built binary from target/rpm/ into the buildroot. install -Dpm 0755 target/rpm/ahdapactl %{buildroot}%{_bindir}/ahdapactl # Systemd service and socket units install -Dpm 0644 %{SOURCE2} %{buildroot}%{_unitdir}/ahdapa.service install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ahdapa.socket # sysusers.d — system user/group definition install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/ahdapa.conf # tmpfiles.d — /var/lib state directory creation install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/ahdapa.conf # Example configuration file install -Dpm 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/ahdapa/ahdapa.toml.example # SELinux policy module %if %{with selinux} install -Dpm 0644 contrib/selinux/ahdapa.pp \ %{buildroot}%{_datadir}/selinux/packages/%{name}.pp %endif # Tools subpackage: ahdapa-bench CLI binary, criterion harness executables, bench.sh %if %{with tools} install -Dpm 0755 target/rpm/ahdapa-bench \ %{buildroot}%{_bindir}/ahdapa-bench install -dm 0755 %{buildroot}%{_libexecdir}/ahdapa-bench # Bench targets with harness=false are built to target/release/deps/{name}-{hash}. # Find each one by name prefix (hash suffix is not known at install time). for bench_name in client_credentials auth_code introspect device_flow; do bench_exe=$(find target/release/deps -maxdepth 1 -name "${bench_name}-*" \ -type f -perm /111 | head -1) test -n "$bench_exe" || { echo "ERROR: bench $bench_name not found in target/release/deps/"; exit 1; } install -pm 0755 "$bench_exe" \ %{buildroot}%{_libexecdir}/ahdapa-bench/${bench_name} done install -Dpm 0755 contrib/bench/bench.sh \ %{buildroot}%{_datadir}/ahdapa/bench/bench.sh %endif # PAM service file — /etc/pam.d/ahdapa %if %{with pam} install -Dpm 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/ahdapa %endif # SPIFFE Workload Proxy %if %{with spiffe_proxy} install -Dpm 0755 target/rpm/ahdapa-spiffe-proxy \ %{buildroot}%{_bindir}/ahdapa-spiffe-proxy install -Dpm 0644 %{SOURCE9} %{buildroot}%{_unitdir}/ahdapa-spiffe-proxy.service install -Dpm 0644 %{SOURCE10} %{buildroot}%{_sysusersdir}/ahdapa-spiffe-proxy.conf install -Dpm 0644 %{SOURCE11} \ %{buildroot}%{_sysconfdir}/ahdapa/spiffe-proxy.toml.example %endif # Management web UI static assets → %%{_datadir}/ahdapa/webui/ %if %{with webui} install -dm 0755 %{buildroot}%{_datadir}/ahdapa/webui cp -a webui/dist/. %{buildroot}%{_datadir}/ahdapa/webui/ %endif # ── Check ────────────────────────────────────────────────────────────────────── %if %{with check} %check # Documentation tests require external infrastructure (LDAP server, Kerberos # KDC) not available inside the mock build environment. %cargo_test -- --workspace --lib --bins --no-default-features --features %{_ahdapa_features} %endif # ── Systemd scriptlets ───────────────────────────────────────────────────────── %pre %sysusers_create_compat %{SOURCE4} %post %systemd_post ahdapa.service ahdapa.socket %tmpfiles_create %{_tmpfilesdir}/ahdapa.conf %if %{with selinux} semodule -i %{_datadir}/selinux/packages/%{name}.pp 2>/dev/null || : restorecon -R %{_bindir}/ahdapa %{_sysconfdir}/ahdapa \ %{_sharedstatedir}/ahdapa /run/ahdapa 2>/dev/null || : %endif %preun %systemd_preun ahdapa.service ahdapa.socket %postun %systemd_postun_with_restart ahdapa.service ahdapa.socket %if %{with selinux} if [ $1 -eq 0 ]; then semodule -r ahdapa 2>/dev/null || : fi %endif # ── SPIFFE Workload Proxy scriptlets ────────────────────────────────────────── %if %{with spiffe_proxy} %pre -n ahdapa-spiffe-proxy %sysusers_create_compat %{SOURCE10} %post -n ahdapa-spiffe-proxy %systemd_post ahdapa-spiffe-proxy.service %preun -n ahdapa-spiffe-proxy %systemd_preun ahdapa-spiffe-proxy.service %postun -n ahdapa-spiffe-proxy %systemd_postun_with_restart ahdapa-spiffe-proxy.service %endif %changelog %autochangelog