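# Spec for the ekishib OAuth2/OIDC identity provider workspace.
#
# DO NOT edit ekishib.spec directly — it is generated from this file by
# 'make srpm'. Edit ekishib.spec.in and run 'make srpm' to regenerate.
#
# Source tarball ('make tarball'):
#   git archive --format=tar.gz --prefix=ekishib-{version}/ HEAD \
#     -o ekishib-{version}.tar.gz
#
# Vendor tarball ('make vendor'):
# Resolves all optional backend features first so that postgres/mariadb
# driver crates are included, then vendors with --versioned-dirs:
#   cargo check --features backend-sqlite,backend-postgres,backend-mariadb
#   cargo vendor --versioned-dirs vendor/
#   cp -a vendor/synta-{ver}/asn1 vendor/asn1   # for synta-codegen build.rs
#   tar czf ekishib-{version}-vendor.tar.gz \
#     --exclude='*.profraw' -C . vendor/ Cargo.lock
#
# Crates in the vendor tarball absent from Fedora or at incompatible versions:
#   axum 0.8                 — Fedora ships 0.7.x (incompatible API)
#   sqlx 0.8                 — not packaged in Fedora / RHEL 10
#   toml 0.8                 — Fedora ships 1.1 (incompatible API)
#   native-ossl 0.1.8        — not packaged in Fedora (wraps system OpenSSL via bindgen)
#   rustls-native-ossl 0.1.8 — not packaged in Fedora
#   reqwest 0.12             — Fedora version may differ; vendored for compatibility
#   synta* 0.2.x             — packaged separately in COPR (not in Fedora main)
#   sqlx-{postgres,mysql}    — needed when %%{with backend_postgres/mariadb}
#
# Everything above is bundled rather than pulled from the distribution, so the
# vendor tarball (Source1) is the one place to re-audit when a dependency
# advisory is published; the bundled(crate()) Provides generated in the build
# section are what make those versions visible to anyone scanning the package.
#
# PREREQUISITE: install synta* into the mock chroot before rebuilding:
#   mock --install rust-synta-devel rust-synta-certificate-devel

# Snapshot release identifiers — substituted by 'make srpm' via sed.
# Do not edit these lines manually; the sed pattern matches the whole line.
%global snapdate 202605122123
%global snapcommit 7dc529a

# Run the test suite during the build. Disable with: rpmbuild --without check
%bcond check 1

# Optional database backends (in addition to the always-on SQLite default).
# Disable with: rpmbuild --without backend_postgres or --without backend_mariadb
%bcond backend_postgres 1
%bcond backend_mariadb 1

# Optional management web UI built from webui/ using npm.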
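# Requires Source6 (ekishib-%%{version}-webui-dist.tar.gz, see 'make webui-dist').
# When disabled, webui assets are not installed but the ekishib binary still works.
# Disable with: rpmbuild --without webui
%bcond webui 1

# Optional system userdb lookup via io.systemd.UserDatabase varlink interface.
# Requires systemd 246+. Disable with: rpmbuild --without varlink
%bcond varlink 1

# Optional PAM password authentication backend (pam_sss, pam_winbind, etc.).
# Requires pam-devel at build time and /etc/pam.d/ekishib at runtime.
# Disable with: rpmbuild --without pam
%bcond pam 1

# Force --locked for all cargo invocations. Without it, cargo resolves the
# dependency graph from scratch in the offline build environment and fails to
# locate the vendored crates. --locked tells cargo to use Cargo.lock as-is and
# aborts the build, instead of silently re-resolving, if Cargo.lock and the
# vendored tree disagree — so the binary only ever contains the dependency set
# shipped in Source1.
# This redefines the cargo-rpm-macros default; keep %%{?_smp_mflags} and
# -Z avoid-dev-deps in sync with that package when it changes.
%global __cargo_common_opts %{?_smp_mflags} -Z avoid-dev-deps --locked

# Feature list passed to cargo: sqlite is always on; postgres/mariadb are opt-in.
# Each %%if appends to the list at definition time, so the order here is the
# order of the comma-separated --features argument.
%global _ekishib_features backend-sqlite
%if %{with backend_postgres}
%global _ekishib_features %{_ekishib_features},backend-postgres
%endif
%if %{with backend_mariadb}
%global _ekishib_features %{_ekishib_features},backend-mariadb
%endif
%if %{with varlink}
%global _ekishib_features %{_ekishib_features},varlink
%endif
%if %{with pam}
%global _ekishib_features %{_ekishib_features},pam
%endif

Name:           ekishib
Version:        0.1.0
Release:        1.%{snapdate}.git%{snapcommit}%{?dist}
Summary:        OAuth2/OIDC identity provider with FreeIPA integration

License:        GPL-3.0-or-later
URL:            https://codeberg.org/abbra/ekishib
# git archive --format=tar.gz --prefix=ekishib-{version}/ HEAD \
#   -o ekishib-{version}.tar.gz
Source0:        ekishib-%{version}.tar.gz
# Full vendor tarball — see the generation instructions at the top of this spec.
# Contains all Cargo dependencies, including several crates not yet available
# in Fedora (axum 0.8, sqlx 0.8, native-ossl 0.1.8, rustls-native-ossl 0.1.8).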
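Source1:        ekishib-%{version}-vendor.tar.gz
# Systemd service unit (from contrib/systemd/ in the source tree; copied into
# _sourcedir by the 'make srpm' target).
Source2:        ekishib.service
# Systemd socket unit — enables socket activation (optional; see docs).
Source7:        ekishib.socket
# Example configuration file; installed as %%{_sysconfdir}/ekishib/ekishib.toml.example
Source3:        ekishib.toml.example
# sysusers.d — system user/group definition
Source4:        ekishib-sysusers.conf
# tmpfiles.d — /var/lib/ekishib state directory creation
Source5:        ekishib-tmpfiles.conf
# Pre-built management web UI static assets (Vite/npm output from webui/dist/).
# Generated with: cd webui && npm install && npm run build && \
#   tar czf ekishib-{version}-webui-dist.tar.gz dist/
# See 'make webui-dist' in contrib/packages/.
# NOTE(review): unlike the Rust code, these assets are not rebuilt inside the
# chroot; what ships in the package is whatever the maintainer's npm
# environment produced when 'make webui-dist' was run, so treat this tarball
# as a pre-built artefact when auditing a release.
Source6:        ekishib-%{version}-webui-dist.tar.gz
# PAM service file — installed as /etc/pam.d/ekishib when --with pam.
Source8:        ekishib-pam.conf

ExclusiveArch:  %{rust_arches}

BuildRequires:  cargo-rpm-macros >= 26
# System OpenSSL — native-ossl-sys links against it via bindgen-generated FFI.
# Rebuild this package whenever openssl-devel is updated in Fedora.
BuildRequires:  pkgconfig(openssl)
BuildRequires:  openssl-devel
# SQLite — required by the always-on backend-sqlite feature (libsqlite3-sys).
BuildRequires:  pkgconfig(sqlite3)
BuildRequires:  sqlite-devel
# LDAP / SASL / GSSAPI — required by the ekishib-ldap and ekishib-gssapi FFI crates.
BuildRequires:  openldap-devel
BuildRequires:  cyrus-sasl-devel
BuildRequires:  krb5-devel
# Optional backend: PostgreSQL (libpq)
%if %{with backend_postgres}
BuildRequires:  pkgconfig(libpq)
BuildRequires:  libpq-devel
%endif
# Optional backend: MariaDB / MySQL (Connector/C)
%if %{with backend_mariadb}
BuildRequires:  pkgconfig(libmariadb)
BuildRequires:  mariadb-connector-c-devel
%endif
# Optional varlink userdb feature: kirmes is pure Rust, no system library needed.
# Optional PAM authentication backend: links against libpam.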
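%if %{with pam}
BuildRequires:  pam-devel
%endif
# The native-ossl-sys build script generates FFI bindings via bindgen, which
# requires libclang. Rebuild this package whenever openssl-devel changes.
BuildRequires:  clang-devel
# synta* crates are packaged separately (COPR); install them into the mock
# chroot before rebuilding this SRPM:
#   mock --install rust-synta-devel rust-synta-certificate-devel
# These two come from outside the Fedora main repositories, so their updates
# are not gated by Fedora's package review; check the COPR source before a
# rebuild picks up a new version.
BuildRequires:  rust-synta-devel
BuildRequires:  rust-synta-certificate-devel
# Systemd scriptlet support
BuildRequires:  systemd-rpm-macros
# Management web UI static assets are pre-built (see 'make webui-dist') and
# bundled in Source6; no Node.js or npm is needed inside the mock chroot.
# Man page compiler (docs/man/*.scd → gzipped groff).
BuildRequires:  scdoc

# Requires(post)/Requires(preun)/Requires(postun) on systemd for the scriptlets.
%{?systemd_requires}

%description
Ekishib is a stateless OAuth2 / OpenID Connect identity provider with native
FreeIPA / Kerberos integration. It implements the core OAuth2 and OIDC
specifications (RFC 6749, RFC 7636, RFC 7662, RFC 8707, RFC 9126, RFC 8628,
OIDC Core 1.0) plus WebAuthn passkey authentication, post-quantum signing via
ML-DSA (FIPS 204), and OIDC Federation 1.0. State (signing keys, client
registrations, cluster membership) is replicated across nodes using a CRDT
gossip protocol without a shared database. A SQLite, PostgreSQL, or MariaDB
backend can be used for persistence and session storage.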
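%files
%license LICENSE
%license LICENSE.dependencies
%license cargo-vendor.txt
%{_bindir}/ekishib
%{_mandir}/man8/ekishib.8.gz
%{_mandir}/man5/ekishib.toml.5.gz
%{_unitdir}/ekishib.service
%{_unitdir}/ekishib.socket
%{_sysusersdir}/ekishib.conf
%{_tmpfilesdir}/ekishib.conf
# Live configuration directory. Installed with rpm's default directory
# permissions (root-owned, world-readable).
# NOTE(review): if the deployed ekishib.toml is expected to carry database
# credentials or OAuth2 client secrets, consider
# %%dir %%attr(0750,root,ekishib) %%{_sysconfdir}/ekishib so that only root and
# the service account can read it — confirm against User= in the service unit.
%dir %{_sysconfdir}/ekishib
%config(noreplace) %{_sysconfdir}/ekishib/ekishib.toml.example
# State directory (/var/lib/ekishib). It is created at runtime by the tmpfiles.d
# entry in Source5 (applied by %%tmpfiles_create in %%post), hence %%ghost: rpm
# records the expected owner and 0750 mode so 'rpm -V' reports drift, without
# creating the directory itself. Keep the mode in Source5 in sync with this
# %%attr.
%ghost %dir %attr(0750,ekishib,ekishib) %{_sharedstatedir}/ekishib
%if %{with pam}
# PAM stack for the ekishib service. %%config(noreplace) keeps a locally edited
# stack across upgrades; the packaged version then lands as .rpmnew.
%config(noreplace) %{_sysconfdir}/pam.d/ekishib
%endif
%if %{with webui}
%{_datadir}/ekishib/webui/
%endif

# ── Prep ──────────────────────────────────────────────────────────────────────
%prep
# Unpack the source tarball; -a1 unpacks Source1 (vendor/) inside the build dir.
%autosetup -n %{name}-%{version} -p1 -a1

# Set up the cargo build environment using the full vendor tree.
# %%cargo_prep -v vendor configures .cargo/config.toml to redirect all
# crates-io lookups to vendor/.
%cargo_prep -v vendor

# ── Generate BuildRequires ────────────────────────────────────────────────────
%generate_buildrequires
# The full vendor tarball (Source1) bundles every Rust crate dependency that
# is absent from Fedora or at an incompatible version (axum 0.8, sqlx 0.8,
# toml 0.8, native-ossl 0.1.8, rustls-native-ossl 0.1.8, reqwest 0.12,
# synta* from COPR, and the optional postgres/mariadb backends).
#
# All non-crate build requirements (system libraries, Rust toolchain) are
# declared statically in the BuildRequires: lines above.
%cargo_generate_buildrequires

# ── Build ─────────────────────────────────────────────────────────────────────
%build
# Build the ekishib binary.
# Pass the feature list explicitly; --no-default-features keeps the set minimal
# (only what %%{_ekishib_features} requests, always at least backend-sqlite).
# Note the doubled %% above: rpm expands macros inside comments too, so a bare
# macro reference in a comment is still evaluated.
%cargo_build -- --workspace --no-default-features --features %{_ekishib_features}

# Generate the bundled-dependency license summary required by Fedora policy.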
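%{cargo_license_summary}
%{cargo_license} > LICENSE.dependencies
%{cargo_vendor_manifest}
# cargo_vendor_manifest is generated with --target=all, which pulls in
# platform-specific crates never compiled on Linux. Remove them so that
# the bundled(crate()) Provides reflect what is actually linked.
# This is a deny-list keyed on crate-name prefixes; revisit it whenever
# Cargo.lock gains a new platform-only crate. Erring on the side of keeping an
# entry only over-reports a bundled crate, whereas deleting a crate that IS
# linked hides it from anyone auditing the package by its Provides.
sed -i -E \
    -e '/^windows[-_]/d' \
    -e '/^(schannel|ipconfig|widestring|find-msvc-tools) /d' \
    -e '/^core-foundation/d' \
    -e '/^security-framework/d' \
    -e '/^(js-sys|web-sys) /d' \
    -e '/^wasm-bindgen/d' \
    -e '/^wit-bindgen/d' \
    -e '/^(wasi|wasip2|wasip3|wasite) /d' \
    -e '/^(redox_syscall|libredox|r-efi) /d' \
    cargo-vendor.txt

# Compile man pages from scdoc sources.
scdoc < docs/man/ekishib.8.scd | gzip -9 > ekishib.8.gz
scdoc < docs/man/ekishib.toml.5.scd | gzip -9 > ekishib.toml.5.gz

# Unpack the pre-built management web UI static assets (Source6) into webui/;
# the build section does not run npm, so webui/dist/ comes solely from here.
%if %{with webui}
tar -xzf %{SOURCE6} -C webui/
%endif

# ── Install ───────────────────────────────────────────────────────────────────
%install
# Copy the built binary from target/rpm/ into the buildroot.
# Per Fedora Rust packaging guidelines for workspace projects, %%cargo_install
# SHOULD NOT be used; copy executables explicitly from target/rpm/.
# (The macro name is written with a doubled %% so that rpm does not expand it
# inside this comment.)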
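install -Dpm 0755 target/rpm/ekishib %{buildroot}%{_bindir}/ekishib

# Man pages (compiled from scdoc sources in %%build)
install -Dpm 0644 ekishib.8.gz %{buildroot}%{_mandir}/man8/ekishib.8.gz
install -Dpm 0644 ekishib.toml.5.gz %{buildroot}%{_mandir}/man5/ekishib.toml.5.gz

# Systemd service and socket units
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_unitdir}/ekishib.service
install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ekishib.socket

# sysusers.d — system user/group definition
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/ekishib.conf

# tmpfiles.d — /var/lib state directory creation
install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/ekishib.conf

# Example configuration file
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/ekishib/ekishib.toml.example

# PAM service file — /etc/pam.d/ekishib
%if %{with pam}
install -Dpm 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/ekishib
%endif

# Management web UI static assets → %%{_datadir}/ekishib/webui/
# NOTE(review): cp -a preserves whatever file modes the pre-built tarball
# carried, and rpm packages files with the modes found in the buildroot. If the
# npm output is not guaranteed to be 0644 throughout, normalise it here (e.g.
# chmod -R u=rwX,go=rX on the destination) so a stray executable or
# group-writable bit from the build host does not ship — confirm against the
# tarball contents.
%if %{with webui}
install -dm 0755 %{buildroot}%{_datadir}/ekishib/webui
cp -a webui/dist/. %{buildroot}%{_datadir}/ekishib/webui/
%endif

# ── Check ─────────────────────────────────────────────────────────────────────
%if %{with check}
%check
# Documentation tests require external infrastructure (LDAP server, Kerberos
# KDC) not available inside the mock build environment; --lib --bins restricts
# cargo test to the library and binary unit tests, which skips the doctests.
%cargo_test -- --workspace --lib --bins --no-default-features --features %{_ekishib_features}
%endif

# ── Systemd scriptlets ────────────────────────────────────────────────────────
# Create the ekishib system user/group before files are laid down, so the
# ownership recorded for the state directory in %%files resolves at install.
%pre
%sysusers_create_compat %{SOURCE4}

# Register the units and create the runtime state directory from Source5.
%post
%systemd_post ekishib.service ekishib.socket
%tmpfiles_create %{_tmpfilesdir}/ekishib.conf

%preun
%systemd_preun ekishib.service ekishib.socket

%postun
%systemd_postun_with_restart ekishib.service ekishib.socket

%changelog
%autochangelog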