copy installation scripts from official caddy packages, change user to frankenphp too

Author: henderkes

build-packages.sh

@@ -71,10 +71,13 @@ fpm -s dir -t rpm -n frankenphp -v "${FRANKENPHP_VERSION}" \
 	--config-files /etc/frankenphp/php.ini \
 	--depends "libc.so.6(${glibc_version})(64bit)" \
 	--depends "libstdc++.so.6(${cxxabi_version})(64bit)" \
-	--after-install ../package/after_install.sh \
+	--before-install ../package/rhel/preinstall.sh \
+	--after-install ../package/rhel/postinstall.sh \
+	--before-remove ../package/rhel/preuninstall.sh \
+	--after-remove ../package/rhel/postuninstall.sh \
 	--iteration "${iteration}" \
 	"${bin}=/usr/bin/frankenphp" \
-	"../package/frankenphp.service=/usr/lib/systemd/system/frankenphp.service" \
+	"../package/rhel/frankenphp.service=/usr/lib/systemd/system/frankenphp.service" \
 	"../package/Caddyfile=/etc/frankenphp/Caddyfile" \
 	"../package/etc/php.ini=/etc/frankenphp/php.ini" \
 	"../package/etc/php.d/=/etc/frankenphp/php.d" \
@@ -90,10 +93,12 @@ fpm -s dir -t deb -n frankenphp -v "${FRANKENPHP_VERSION}" \
 	--depends "libc6 (>= ${glibc_version})" \
 	--depends "libstdc++6 (>= ${cxxabi_version})" \
 	--deb-suggests libcap2-bin \
-	--after-install ../package/after_install.sh \
+	--after-install ../package/debian/postinst.sh \
+	--before-remove ../package/debian/prerm.sh \
+	--after-remove ../package/debian/postrm.sh \
 	--iteration "${iteration}" \
 	"${bin}=/usr/bin/frankenphp" \
-	"../package/frankenphp.service=/lib/systemd/system/frankenphp.service" \
+	"../package/debian/frankenphp.service=/usr/lib/systemd/system/frankenphp.service" \
 	"../package/Caddyfile=/etc/frankenphp/Caddyfile" \
 	"../package/etc/php.ini=/etc/frankenphp/php.ini" \
 	"../package/etc/php.d/=/etc/frankenphp/php.d" \

build-static.sh

@@ -128,6 +128,9 @@ if [ -f dist/cache_key ] && [ "$(cat dist/cache_key)" = "${cache_key}" ] && [ -f
 	elif [ -f "bin/spc" ]; then
 		spcCommand="./bin/spc"
 	fi
+
+	PHP_EXTENSIONS="${defaultExtensions}"
+	PHP_EXTENSION_LIBS="${defaultExtensionLibs}"
 else
 	mkdir -p dist/
 	cd dist/

package/after_install.sh

@@ -0,0 +1,27 @@
+# See https://caddyserver.com/docs/install for instructions.
+#
+# WARNING: This service does not use the --resume flag, so if you
+# use the API to make changes, they will be overwritten by the
+# Caddyfile next time the service is restarted. If you intend to
+
+[Unit]
+Description=FrankenPHP
+Documentation=https://frankenphp.dev/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=frankenphp
+Group=frankenphp
+ExecStart=/usr/bin/frankenphp run --environ --config /etc/frankenphp/Caddyfile
+ExecReload=/usr/bin/frankenphp reload --config /etc/frankenphp/Caddyfile --force
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target

package/debian/frankenphp.service

@@ -0,0 +1,67 @@
+#!/bin/sh
+set -e
+
+if command -v setcap >/dev/null 2>&1; then
+	setcap 'cap_net_bind_service=+ep' /usr/bin/frankenphp || echo "Warning: failed to set capabilities on frankenphp"
+	echo "Users without root privileges will not be to run 'frankenphp php-server' on ports 80/443."
+else
+  echo "Warning: setcap not found. Install it with: sudo apt install libcap2-bin"
+	echo "Users without root privileges will not be to run 'frankenphp php-server' on ports 80/443."
+fi
+
+if [ "$1" = "configure" ]; then
+        # Add user and group
+        if ! getent group frankenphp >/dev/null; then
+                groupadd --system frankenphp
+        fi
+        if ! getent passwd frankenphp >/dev/null; then
+                useradd --system \
+                        --gid frankenphp \
+                        --create-home \
+                        --home-dir /var/lib/frankenphp \
+                        --shell /usr/sbin/nologin \
+                        --comment "FrankenPHP web server" \
+                        frankenphp
+        fi
+        if getent group www-data >/dev/null; then
+                usermod -aG www-data frankenphp
+        fi
+
+        # handle cases where package was installed and then purged;
+        # user and group will still exist but with no home dir
+        if [ ! -d /var/lib/frankenphp ]; then
+                mkdir -p /var/lib/frankenphp
+                chown frankenphp:frankenphp /var/lib/frankenphp
+        fi
+
+        # Add log directory with correct permissions
+        if [ ! -d /var/log/frankenphp ]; then
+                mkdir -p /var/log/frankenphp
+                chown frankenphp:frankenphp /var/log/frankenphp
+        fi
+fi
+
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+        # This will only remove masks created by d-s-h on package removal.
+        deb-systemd-helper unmask frankenphp.service >/dev/null || true
+
+        # was-enabled defaults to true, so new installations run enable.
+        if deb-systemd-helper --quiet was-enabled frankenphp.service; then
+                # Enables the unit on first installation, creates new
+                # symlinks on upgrades if the unit file has changed.
+                deb-systemd-helper enable frankenphp.service >/dev/null || true
+                deb-systemd-invoke start frankenphp.service >/dev/null || true
+        else
+                # Update the statefile to add new symlinks (if any), which need to be
+                # cleaned up on purge. Also remove old symlinks.
+                deb-systemd-helper update-state frankenphp.service >/dev/null || true
+        fi
+
+        # Restart only if it was already started
+        if [ -d /run/systemd/system ]; then
+                systemctl --system daemon-reload >/dev/null || true
+                if [ -n "$2" ]; then
+                        deb-systemd-invoke try-restart frankenphp.service >/dev/null || true
+                fi
+        fi
+fi

package/debian/postinst.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+if [ -d /run/systemd/system ]; then
+        systemctl --system daemon-reload >/dev/null || true
+fi
+
+if [ "$1" = "remove" ]; then
+        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper mask frankenphp.service >/dev/null || true
+        fi
+fi
+
+if [ "$1" = "purge" ]; then
+        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper purge frankenphp.service >/dev/null || true
+                deb-systemd-helper unmask frankenphp.service >/dev/null || true
+        fi
+        rm -rf /var/lib/frankenphp /var/log/frankenphp /etc/frankenphp
+fi

package/debian/postrm.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
+        deb-systemd-invoke stop frankenphp.service >/dev/null || true
+        deb-systemd-invoke stop frankenphp-api.service >/dev/null || true
+fi

package/debian/prerm.sh

@@ -4,8 +4,8 @@ After=network.target
 
 [Service]
 Type=notify
-User=caddy
-Group=caddy
+User=frankenphp
+Group=frankenphp
 ExecStartPre=/usr/bin/frankenphp validate --config /etc/frankenphp/Caddyfile
 ExecStart=/usr/bin/frankenphp run --environ --config /etc/frankenphp/Caddyfile
 ExecReload=/usr/bin/frankenphp reload --config /etc/frankenphp/Caddyfile

package/frankenphp.service package/rhel/frankenphp.servicepackage/frankenphp.service renamed to package/rhel/frankenphp.service

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+if command -v setcap >/dev/null 2>&1; then
+	setcap 'cap_net_bind_service=+ep' /usr/bin/frankenphp || echo "Warning: failed to set capabilities on frankenphp"
+	echo "Users without root privileges will not be to run 'frankenphp php-server' on ports 80/443."
+else
+  echo "Warning: setcap not found. Install it with: sudo dnf install libcap"
+	echo "Users without root privileges will not be to run 'frankenphp php-server' on ports 80/443."
+fi
+
+if [ "$1" -eq 1 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then
+    # Initial installation
+    /usr/lib/systemd/systemd-update-helper install-system-units frankenphp.service || :
+fi
+
+if [ -x /usr/sbin/getsebool ]; then
+    # connect to ACME endpoint to request certificates
+    setsebool -P httpd_can_network_connect on
+fi
+if [ -x /usr/sbin/semanage -a -x /usr/sbin/restorecon ]; then
+    # file contexts
+    semanage fcontext --add --type httpd_exec_t        '/usr/bin/frankenphp'         2> /dev/null || :
+    semanage fcontext --add --type httpd_sys_content_t '/usr/share/frankenphp(/.*)?' 2> /dev/null || :
+    semanage fcontext --add --type httpd_config_t      '/etc/frankenphp(/.*)?'       2> /dev/null || :
+    semanage fcontext --add --type httpd_var_lib_t     '/var/lib/frankenphp(/.*)?'   2> /dev/null || :
+    restorecon -r /usr/bin/frankenphp /usr/share/frankenphp /etc/frankenphp /var/lib/frankenphp || :
+fi
+if [ -x /usr/sbin/semanage ]; then
+    # QUIC
+    semanage port --add --type http_port_t --proto udp 80   2> /dev/null || :
+    semanage port --add --type http_port_t --proto udp 443  2> /dev/null || :
+    # admin endpoint
+    semanage port --add --type http_port_t --proto tcp 2019 2> /dev/null || :
+fi

package/rhel/postinstall.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+if [ "$1" -ge 1 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then
+    # Package upgrade, not uninstall
+    /usr/lib/systemd/systemd-update-helper mark-restart-system-units frankenphp.service || :
+fi
+
+
+if [ "$1" -eq 0 ]; then
+    if [ -x /usr/sbin/getsebool ]; then
+        # connect to ACME endpoint to request certificates
+        setsebool -P httpd_can_network_connect off
+    fi
+    if [ -x /usr/sbin/semanage ]; then
+        # file contexts
+        semanage fcontext --delete --type httpd_exec_t        '/usr/bin/frankenphp'         2> /dev/null || :
+        semanage fcontext --delete --type httpd_sys_content_t '/usr/share/frankenphp(/.*)?' 2> /dev/null || :
+        semanage fcontext --delete --type httpd_config_t      '/etc/frankenphp(/.*)?'       2> /dev/null || :
+        semanage fcontext --delete --type httpd_var_lib_t     '/var/lib/frankenphp(/.*)?'   2> /dev/null || :
+        # QUIC
+        semanage port     --delete --type http_port_t --proto udp 80   2> /dev/null || :
+        semanage port     --delete --type http_port_t --proto udp 443  2> /dev/null || :
+        # admin endpoint
+        semanage port     --delete --type http_port_t --proto tcp 2019 2> /dev/null || :
+    fi
+fi