Package distribution deb

.github/workflows/book.yml

@@ -8,7 +8,6 @@ on:
 jobs:
   build-and-upload-to-s3:
     runs-on: ubuntu-18.04
-    environment: protected
     steps:
       - uses: actions/checkout@master
 

.github/workflows/docker.yml

@@ -22,7 +22,6 @@ jobs:
             BRANCH_NAME: ${{ steps.extract_branch.outputs.BRANCH_NAME }}
     build-docker-arm64:
         runs-on: ubuntu-18.04
-        environment: protected
         needs: [extract-branch-name]
         # We need to enable experimental docker features in order to use `docker buildx`
         env:
@@ -61,7 +60,6 @@ jobs:
                       --push
     build-docker-amd64:
         runs-on: ubuntu-18.04
-        environment: protected
         needs: [extract-branch-name]
         steps:
             - uses: actions/checkout@v2

.github/workflows/release.yml

@@ -43,7 +43,6 @@ jobs:
                         platform: macos-latest
 
         runs-on:    ${{ matrix.platform }}
-        environment: protected
         needs: extract-version
         steps:
             - name: Checkout sources

Makefile

@@ -50,6 +50,15 @@ build-aarch64:
 build-aarch64-portable:
 	cross build --release --manifest-path lighthouse/Cargo.toml --target aarch64-unknown-linux-gnu --features portable
 
+# The following commands use `cargo-deb` to create a Debian package for lighthouse.
+#
+# `cargo-deb` can be installed with `cargo install cargo-deb`
+build-deb:
+	cargo deb --manifest-path lighthouse/Cargo.toml -- --locked --features portable
+build-deb-aarch64:
+	cross build --release --manifest-path lighthouse/Cargo.toml --target aarch64-unknown-linux-gnu --features portable
+	cargo deb --target aarch64-unknown-linux-gnu --no-build --manifest-path lighthouse/Cargo.toml
+
 # Create a `.tar.gz` containing a binary for a specific target.
 define tarball_release_binary
 	cp $(1)/lighthouse $(BIN_DIR)/lighthouse

lighthouse/Cargo.toml

@@ -3,6 +3,27 @@ name = "lighthouse"
 version = "1.0.6"
 authors = ["Sigma Prime <[email protected]>"]
 edition = "2018"
+description = "Implementation of https://github.com/ethereum/eth2.0-specs in Rust."
+license = "Apache-2.0"
+
+# Configuration for building a .deb package - for use with `cargo-deb`
+[package.metadata.deb]
+name = "lighthouse"
+extended-description = "Implementation of https://github.com/ethereum/eth2.0-specs in Rust."
+section = "misc"
+maintainer = "[email protected]"
+license-file = ["../LICENSE", "0"]
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html
+maintainer-scripts = "scripts/packaging/deb-maintainer-scripts"
+assets = [
+    ["../target/release/lighthouse", "/usr/bin/", "755"],
+    ["../scripts/packaging/lighthousebeacon.service", "/lib/systemd/system/", "644"],
+    ["../scripts/packaging/lighthousevalidator.service", "/lib/systemd/system/", "644"]
+]
+conf-files = [
+    "/etc/default/lighthousebeacon",
+    "/etc/default/lighthousevalidator"
+]
 
 [features]
 # Writes debugging .ssz files to /tmp during block processing.

scripts/packaging/deb-maintainer-scripts/postinst

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -e
+
+action="$1"
+config_file_beacon="/etc/default/lighthousebeacon"
+config_file_validator="/etc/default/lighthousevalidator"
+data_dir_beacon="/var/lib/lighthouse/beacon"
+data_dir_validator="/var/lib/lighthouse/validators"
+
+if [ "$action" = "configure" ]; then
+
+  # make the data dir
+  mkdir -p /var/lib/lighthouse
+
+  # Make user and group
+  getent group lighthousebeacon >/dev/null 2>&1 || addgroup --system lighthousebeacon
+  getent passwd lighthousebeacon >/dev/null 2>&1 ||
+    adduser --system --no-create-home --disabled-password \
+    --ingroup lighthousebeacon lighthousebeacon
+
+  # make the data dir and change ownership
+  mkdir -p /var/lib/lighthouse/beacon
+  chown -R lighthousebeacon:lighthousebeacon /var/lib/lighthouse/beacon
+
+  if [ ! -e "$config_file_beacon" ]; then
+    echo "LIGHTHOUSE_BEACON_CLI_ARGS=\"--datadir $data_dir_beacon\"" > /etc/default/lighthousebeacon
+  fi
+
+  # Make user and group
+  getent group lighthousevalidator >/dev/null 2>&1 || addgroup --system lighthousevalidator
+  getent passwd lighthousevalidator >/dev/null 2>&1 ||
+    adduser --system --no-create-home --disabled-password \
+    --ingroup lighthousevalidator lighthousevalidator
+
+  # make the data dir and change ownership
+  mkdir -p /var/lib/lighthouse/validators
+  chown -R lighthousevalidator:lighthousevalidator /var/lib/lighthouse/validators
+  if [ ! -e "$config_file_validator" ]; then
+    echo "LIGHTHOUSE_VALIDATOR_CLI_ARGS=\"--datadir $data_dir_validator\"" > /etc/default/lighthousevalidator
+  fi
+fi

scripts/packaging/lighthousebeacon.service

@@ -0,0 +1,42 @@
+[Unit]
+Description=Ethereum 2.0 Lighthouse Beacon Node
+After=syslog.target network.target
+Documentation=https://lighthouse-book.sigmaprime.io/
+
+[Service]
+EnvironmentFile=-/etc/default/lighthousebeacon
+ExecStart=/usr/bin/lighthouse bn $LIGHTHOUSE_BEACON_CLI_ARGS
+User=lighthousebeacon
+Group=lighthousebeacon
+Restart=always
+RestartSec=10
+KillMode=process
+KillSignal=SIGINT
+TimeoutStopSec=90
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=lighthousebeacon
+CapabilityBoundingSet=
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @module @mount @reboot @swap @privileged
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target

scripts/packaging/lighthousevalidator.service

@@ -0,0 +1,42 @@
+[Unit]
+Description=Ethereum 2.0 Lighthouse Validator Client
+After=syslog.target network.target
+Documentation=https://lighthouse-book.sigmaprime.io/
+
+[Service]
+EnvironmentFile=-/etc/default/lighthousevalidator
+ExecStart=/usr/bin/lighthouse vc $LIGHTHOUSE_BEACON_CLI_ARGS
+User=lighthousevalidator
+Group=lighthousevalidator
+Restart=always
+RestartSec=10
+KillMode=process
+KillSignal=SIGINT
+TimeoutStopSec=90
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=lighthousevalidator
+CapabilityBoundingSet=
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @module @mount @reboot @swap @privileged
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target