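# Spec for the akamu ACME server workspace.
#
# DO NOT edit akamu.spec directly — it is generated from this file by
# 'make srpm'. Edit akamu.spec.in and run 'make srpm' to regenerate.
#
# Source tarball ('make tarball'):
#   git archive --format=tar.gz --prefix=akamu-{version}/ HEAD \
#       -o akamu-{version}.tar.gz
#
# Vendor tarball ('make vendor'):
#   Resolves all optional backend features first so that postgres/mariadb
#   driver crates are included, then vendors with --versioned-dirs:
#   cargo check --features backend-sqlite,backend-postgres,backend-mariadb
#   cargo vendor --versioned-dirs vendor/
#   tar czf akamu-{version}-vendor.tar.gz \
#       --exclude='*.profraw' -C . vendor/ Cargo.lock
#
# Crates in the vendor tarball absent from Fedora or at incompatible versions:
#   openssl / openssl-sys — pqc-prs git fork for ML-DSA/ML-KEM/PQC support
#   toml 0.8 — Fedora ships 1.1 (incompatible API)
#   sqlx + drivers 0.8 — not packaged in Fedora / RHEL 10
#   sqlx-postgres + deps — needed when %%{with backend_postgres}
#   sqlx-mysql + deps — needed when %%{with backend_mariadb}
#   tokio-native-tls 0.3 — DNS-over-TLS transport (system OpenSSL, no rustls conflict)
# hickory-resolver 0.24 is a Fedora system package (rust-hickory-resolver-devel).
# hickory-client was removed from the hickory project after 0.24.4 and Fedora does
# not build its TLS features; hickory-resolver with dns-over-native-tls and
# dnssec-openssl is the correct path going forward.
#
# Macro hygiene: rpm expands %%-macros on comment lines inside body sections
# (%%prep, %%build, %%install, ...). Always write '%%' for a literal percent in
# a comment so a multi-line macro can never be spliced into the recipe.
#
# PREREQUISITE: install synta* into the mock chroot before rebuilding:
#   mock --install rust-synta-devel rust-synta-certificate-devel \
#       rust-synta-x509-verification-devel rust-synta-mtc-devel

# Snapshot release identifiers — substituted by 'make srpm' via sed.
# Do not edit these lines manually; the sed pattern matches the whole line.
%global snapdate 202605070855
%global snapcommit 5b247e9b

%bcond check 1

# Optional database backends (in addition to the always-on SQLite default).
# Disable with: rpmbuild --without backend_postgres or --without backend_mariadb
%bcond backend_postgres 1
%bcond backend_mariadb 1

# Force --locked for all cargo invocations. Without it, cargo resolves the
# dependency graph from scratch in the offline build environment, fails to match
# the [patch.crates-io] git source for openssl against the vendor directory,
# and aborts. --locked tells cargo to use Cargo.lock as-is.
# NOTE: this overrides the default from cargo-rpm-macros wholesale; re-check the
# macro's upstream default whenever cargo-rpm-macros is bumped so no new default
# option is silently dropped here.
%global __cargo_common_opts %{?_smp_mflags} -Z avoid-dev-deps --locked

# Feature list passed to cargo: sqlite is always on; postgres/mariadb are opt-in.
# (%%global expands the right-hand side at definition time, so each %%if step
# appends to the value accumulated so far.)
%global _akamu_features backend-sqlite
%if %{with backend_postgres}
%global _akamu_features %{_akamu_features},backend-postgres
%endif
%if %{with backend_mariadb}
%global _akamu_features %{_akamu_features},backend-mariadb
%endif

Name:           akamu
Version:        0.1.0
Release:        1.%{snapdate}.git%{snapcommit}%{?dist}
Summary:        ACME server with post-quantum certificate support
License:        GPL-3.0-or-later
URL:            https://codeberg.org/abbra/akamu

# git archive --format=tar.gz --prefix=akamu-{version}/ HEAD \
#     -o akamu-{version}.tar.gz
Source0:        akamu-%{version}.tar.gz
# Full vendor tarball — see the generation instructions at the top of this spec.
# Contains all Cargo dependencies, including the openssl pqc-prs fork and
# several crates not yet available in Fedora.
Source1:        akamu-%{version}-vendor.tar.gz
# Systemd service units and sysusers/tmpfiles configs (from contrib/systemd/ in
# the source tree; copied into _sourcedir by the 'make srpm' target).
Source2:        akamu.service
Source4:        akamu-cosigner.service
Source5:        akamu-sysusers.conf
Source6:        akamu-cosigner-sysusers.conf
Source7:        akamu-tmpfiles.conf
Source8:        akamu-cosigner-tmpfiles.conf
# Example configuration file; installed as %%{_sysconfdir}/akamu/config.toml.example
Source3:        config.toml.example
# Example akamuctl configuration file; installed as a doc file.
Source9:        akamuctl.toml.example

ExclusiveArch:  %{rust_arches}

BuildRequires:  cargo-rpm-macros >= 26

# System libraries
BuildRequires:  pkgconfig(openssl)
BuildRequires:  openssl-devel
BuildRequires:  pkgconfig(sqlite3)
BuildRequires:  sqlite-devel
# LDAP / SASL / GSSAPI — required by the akamu-ldap FFI crate
BuildRequires:  openldap-devel
BuildRequires:  cyrus-sasl-devel
BuildRequires:  krb5-devel
# Optional backend: PostgreSQL (libpq)
%if %{with backend_postgres}
BuildRequires:  pkgconfig(libpq)
BuildRequires:  libpq-devel
%endif
# Optional backend: MariaDB / MySQL (Connector/C)
%if %{with backend_mariadb}
BuildRequires:  pkgconfig(libmariadb)
BuildRequires:  mariadb-connector-c-devel
%endif
# The openssl-sys build script generates FFI bindings via bindgen, which
# requires libclang. Rebuild this package whenever openssl-devel changes.
BuildRequires:  clang-devel
# synta* crates are packaged separately (COPR); install them into the mock
# chroot before rebuilding this SRPM:
#   mock --install rust-synta-devel rust-synta-certificate-devel \
#       rust-synta-x509-verification-devel rust-synta-mtc-devel
BuildRequires:  rust-synta-devel
BuildRequires:  rust-synta-certificate-devel
BuildRequires:  rust-synta-x509-verification-devel
BuildRequires:  rust-synta-mtc-devel
# Man page compiler
BuildRequires:  scdoc
# Systemd scriptlet support
BuildRequires:  systemd-rpm-macros
%{?systemd_requires}

Requires:       akamuctl = %{version}-%{release}

%description
akamu is an ACME (RFC 8555) certificate authority server that supports
post-quantum cryptography via an ML-DSA/PQC-capable OpenSSL fork. It implements
the full ACME protocol including http-01, dns-01, and tls-alpn-01 challenge
types, and supports Merkle Tree Certificates (MTC) for compressed certificate
delivery.

%files
%license LICENSE
%license LICENSE.dependencies
%license cargo-vendor.txt
%{_bindir}/akamu
%{_unitdir}/akamu.service
%{_sysusersdir}/akamu.conf
%{_tmpfilesdir}/akamu.conf
%dir %{_sysconfdir}/akamu
%config(noreplace) %{_sysconfdir}/akamu/config.toml.example
# State directory is created at boot/install by tmpfiles.d (see %%post);
# ghosted here so rpm owns it with the service user's permissions.
%ghost %dir %attr(0750,akamu,akamu) %{_sharedstatedir}/akamu
%{_mandir}/man8/akamu.8.gz

# ── Subpackage: MTC cosigner daemon ───────────────────────────────────────────
%package -n akamu-cosigner
Summary:        MTC cosigner daemon for akamu
License:        GPL-3.0-or-later
Requires:       akamuctl = %{version}-%{release}
%{?systemd_requires}

%description -n akamu-cosigner
akamu-cosigner is a lightweight daemon that implements the Merkle Tree
Certificates (MTC) cosigner REST API (POST /sign). It signs checkpoints produced
by the akamu CA and returns DER-encoded SubtreeSignature blobs, adding an
independent trust layer to the MTC ecosystem. Supports optional ACME EAB
bootstrap (http-01, dns-01, tls-alpn-01) to obtain a WebPKI identity
certificate at first run.

%files -n akamu-cosigner
%license LICENSE
%license LICENSE.dependencies
%license cargo-vendor.txt
%{_bindir}/akamu-cosigner
%{_unitdir}/akamu-cosigner.service
%{_sysusersdir}/akamu-cosigner.conf
%{_tmpfilesdir}/akamu-cosigner.conf
%dir %{_sysconfdir}/akamu-cosigner
%ghost %dir %attr(0750,akamu-cosigner,akamu-cosigner) %{_sharedstatedir}/akamu-cosigner
%{_mandir}/man8/akamu-cosigner.8.gz

# ── Subpackage: CLI client binary ──────────────────────────────────────────────
%package -n akamu-client
Summary:        ACME client CLI with ML-DSA account key support
License:        GPL-3.0-or-later

%description -n akamu-client
akamu-client is a command-line ACME client that supports ML-DSA (Dilithium)
account keys in addition to the standard RSA and ECDSA key types. It can
register accounts, obtain and renew certificates, handle http-01, dns-01,
tls-alpn-01, and onion-csr-01 challenges, and supports ARI-aware renewal
(RFC 9773).

%files -n akamu-client
%license LICENSE
%license LICENSE.dependencies
%{_bindir}/akamu-cli

# ── Subpackage: server administration CLI ─────────────────────────────────────
%package -n akamuctl
Summary:        akamu server administration CLI
License:        GPL-3.0-or-later
# NOTE(review): rpm's soname scan normally adds the krb5 library dependency on
# its own; keep this explicit Requires only if the binary loads GSSAPI
# dynamically rather than linking it — confirm against the build.
Requires:       krb5-libs

%description -n akamuctl
akamuctl is a command-line administration tool for the akamu ACME server. It
communicates with the akamu admin API over mTLS and GSSAPI/Kerberos
authentication, and provides commands for managing accounts, orders, external
account bindings, and server state.

%files -n akamuctl
%license LICENSE
%license LICENSE.dependencies
%license cargo-vendor.txt
%{_bindir}/akamuctl
%{_mandir}/man1/akamuctl.1.gz
%doc %{_docdir}/akamuctl/akamuctl.toml.example

# ── Subpackage: documentation (markdown sources) ──────────────────────────────
%package -n akamu-doc
Summary:        Documentation for akamu (markdown)
License:        GPL-3.0-or-later
BuildArch:      noarch

%description -n akamu-doc
Markdown documentation for the akamu ACME server, covering server
configuration, challenge validation, MTC cosigner protocol, administration via
akamuctl, certificate profiles, and the admin API. Also includes the
contrib/configs sample configuration files for common deployment scenarios.

%files -n akamu-doc
%license LICENSE
%doc docs/src
%doc contrib/configs

# ── Prep ───────────────────────────────────────────────────────────────────────
%prep
# Unpack the source tarball; -a1 unpacks Source1 (vendor/) inside the build dir.
%autosetup -n %{name}-%{version} -p1 -a1

# Set up the cargo build environment using the full vendor tree.
# %%cargo_prep -v vendor configures .cargo/config.toml to redirect all
# crates-io lookups (and the [patch.crates-io] git source) to vendor/.
%cargo_prep -v vendor

# %%cargo_prep -v already wrote the crates-io → vendored-sources redirect.
# We also need to redirect the [patch.crates-io] git source for the
# openssl pqc-prs fork so cargo resolves it from vendor/ instead of fetching
# from git (which is unavailable in the offline mock environment).
# Together with --locked (see __cargo_common_opts) this pins the fork to the
# exact revision recorded in Cargo.lock and shipped in the vendor tarball.
cat >> .cargo/config.toml << 'EOF'
[source."git+https://github.com/abbra/rust-openssl.git?branch=pqc-prs"]
git = "https://github.com/abbra/rust-openssl.git"
branch = "pqc-prs"
replace-with = "vendored-sources"
EOF

# ── Generate BuildRequires ─────────────────────────────────────────────────────
%generate_buildrequires
# The full vendor tarball (Source1) bundles every Rust crate dependency that
# is absent from Fedora or at an incompatible version (axum-server 0.8, sqlx 0.8,
# toml 0.8, the openssl pqc-prs fork, tokio-native-tls, etc.).
# hickory-resolver 0.24 IS available as a Fedora system package; its BuildRequires
# (including +dns-over-native-tls-devel and +dnssec-openssl-devel feature
# subpackages) are generated automatically by %%cargo_generate_buildrequires below.
#
# All non-crate build requirements (system libraries, Rust toolchain) are
# declared statically in the BuildRequires: lines above.
%cargo_generate_buildrequires

# ── Build ──────────────────────────────────────────────────────────────────────
%build
# Build all workspace binaries: akamu, akamu-cli, akamu-cosigner.
# Pass the feature list explicitly; --no-default-features keeps the set minimal
# (only what %%{_akamu_features} requests, always at least backend-sqlite).
%cargo_build -- --workspace --no-default-features --features %{_akamu_features}

# Generate the bundled-dependency license summary required by Fedora policy.
%{cargo_license_summary}
%{cargo_license} > LICENSE.dependencies
%{cargo_vendor_manifest}

# Compile man pages from scdoc sources.
scdoc < docs/man/akamu.8.scd | gzip -9 > akamu.8.gz
scdoc < docs/man/akamu-cosigner.8.scd | gzip -9 > akamu-cosigner.8.gz
scdoc < docs/man/akamuctl.1.scd | gzip -9 > akamuctl.1.gz

# ── Install ────────────────────────────────────────────────────────────────────
%install
# Copy built binaries from target/rpm/ into the buildroot.
# Per Fedora Rust packaging guidelines for workspace projects, %%cargo_install
# SHOULD NOT be used; copy executables explicitly from target/rpm/.
install -Dpm 0755 target/rpm/akamu %{buildroot}%{_bindir}/akamu
install -Dpm 0755 target/rpm/akamu-cli %{buildroot}%{_bindir}/akamu-cli
install -Dpm 0755 target/rpm/akamu-cosigner %{buildroot}%{_bindir}/akamu-cosigner
install -Dpm 0755 target/rpm/akamuctl %{buildroot}%{_bindir}/akamuctl

# Systemd service units
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_unitdir}/akamu.service
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_unitdir}/akamu-cosigner.service

# sysusers.d — system user/group definitions
install -Dpm 0644 %{SOURCE5} %{buildroot}%{_sysusersdir}/akamu.conf
install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/akamu-cosigner.conf

# tmpfiles.d — /var/lib state directory creation
install -Dpm 0644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/akamu.conf
install -Dpm 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/akamu-cosigner.conf

# Example configuration files
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/akamu/config.toml.example
install -Dpm 0644 %{SOURCE9} %{buildroot}%{_docdir}/akamuctl/akamuctl.toml.example

# Man pages (compiled from scdoc sources in %%build)
install -Dpm 0644 akamu.8.gz %{buildroot}%{_mandir}/man8/akamu.8.gz
install -Dpm 0644 akamu-cosigner.8.gz %{buildroot}%{_mandir}/man8/akamu-cosigner.8.gz
install -Dpm 0644 akamuctl.1.gz %{buildroot}%{_mandir}/man1/akamuctl.1.gz

# Create the cosigner configuration directory
install -dm 0755 %{buildroot}%{_sysconfdir}/akamu-cosigner

# ── Check ──────────────────────────────────────────────────────────────────────
%if %{with check}
%check
# Documentation tests require external infrastructure (live ACME endpoints,
# DNS resolver, TLS server) not available inside the mock build environment.
%cargo_test -- --workspace --lib --bins --tests --no-default-features --features %{_akamu_features}
%endif

# ── Systemd scriptlets ─────────────────────────────────────────────────────────
%pre
%sysusers_create_compat %{SOURCE5}

%post
%systemd_post akamu.service
%tmpfiles_create %{_tmpfilesdir}/akamu.conf

%preun
%systemd_preun akamu.service

%postun
%systemd_postun_with_restart akamu.service

%pre -n akamu-cosigner
%sysusers_create_compat %{SOURCE6}

%post -n akamu-cosigner
%systemd_post akamu-cosigner.service
%tmpfiles_create %{_tmpfilesdir}/akamu-cosigner.conf

%preun -n akamu-cosigner
%systemd_preun akamu-cosigner.service

%postun -n akamu-cosigner
%systemd_postun_with_restart akamu-cosigner.service

%changelog
%autochangelog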