From 3a4b9e43636b6135b8283eb088fbc15b648c7dfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?= Date: Wed, 22 Apr 2026 15:06:50 +0200 Subject: [PATCH 1/2] Use CAP_NET_BIND_SERVICE --- .github/workflows/release.yml | 11 +++++++---- docs/header.png | Bin 4445 -> 3949 bytes freebsd/postrm | 9 --------- freebsd/preinst | 13 ------------- linux/defguard-proxy.service | 2 ++ linux/postinst | 4 ++-- linux/postrm | 7 +++---- linux/prerm | 2 +- 8 files changed, 15 insertions(+), 33 deletions(-) delete mode 100644 freebsd/postrm delete mode 100644 freebsd/preinst diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4349d5f9..9283c8f8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,8 @@ name: Make a new release on: push: + branches: + - pkg tags: - v*.*.* @@ -55,6 +57,8 @@ jobs: with: draft: true generate_release_notes: true + package_name: pkg + tag_name: pkg create-sbom: needs: @@ -75,7 +79,8 @@ jobs: # Store the version, stripping any v-prefix - name: Write release version run: | - VERSION=${GITHUB_REF_NAME#v} + # VERSION=${GITHUB_REF_NAME#v} + VERSION=2.0.0 echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV @@ -215,9 +220,7 @@ jobs: --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg --freebsd-osversion '*' - --depends openssl - --before-install freebsd/preinst - --after-remove freebsd/postrm" + --depends openssl" - name: Upload Linux x86_64 archive uses: shogo82148/actions-upload-release-asset@v1 
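Review bot: The `branches: - pkg` trigger in the first release.yml hunk, together with `package_name: pkg` / `tag_name: pkg` in the second and the hard-coded `VERSION=2.0.0` in the third, reads as test scaffolding. It lets the release workflow run from a branch push and label its artifacts 2.0.0 regardless of the ref that was built. Patch 2/2 of this series reverts all three, but this revision stays in history with a release workflow whose version is not derived from a `v*.*.*` tag. Squashing the two patches, or dropping these lines from 1/2, would keep the release workflow tag-only in every commit.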
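Review bot: Dropping `--before-install freebsd/preinst` in the last release.yml hunk means the FreeBSD package no longer creates the `defguard` account or `/etc/defguard` with mode 750. The commit subject only mentions CAP_NET_BIND_SERVICE, which the visible changes apply to the Linux systemd unit alone. If the FreeBSD service is meant to keep running unprivileged, name whatever now provisions the account and directory, for example with a comment above this step such as `# defguard user and /etc/defguard are created by <mechanism>`. If it is now expected to run as root on FreeBSD, that is a privilege increase worth stating in the commit description.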
diff --git a/docs/header.png b/docs/header.png index 6e4d1b9d23f3b93d17bc2bd16d07bdc6a65e5efa..3e32fc69a97ee89f7f96d3d8f2df1e9cee70ce19 100644 GIT binary patch delta 2641 zcmb_eX*|>m7yfH5GsIZ$9WkU(a$O=cWT`A;l&mFX8M#@q&15g$QP&vjOt#9BEHRdB zktIUIaFu}KrS@ap$_zus@}`Es6f&hwn*+xc;JS-Kp-jpL7-L>10Owy`9W z7>Z9< z&5~l;^t*xemZ|NdqoXeCrvm`M`weAy%_ewsY53c%zbwS@mO{NEX7LtT`y8hMOW)+` ziv#a9bSrgt64zlk;QwT-)g`1PASv(gkQ<#O$3gR;W92$Z)qg2hg?CI3aCr$J_u77I zHq~O^=ZXLcL9Zghn;sNIfN;appKs|yz~zp#bEv>P46tb9q%}gKaJ^@ZFimZF!K~|c z%saXeFspNT*6}_cm}N5fa73LCT<$)%ZZg3O#*}@ZN!@cmgx{aiE31mf0I=IbZnMKT zQ$?YZUImw|Ul~~@Bk91)6mM7P1TzP6EJ#z^wsdfufKs?Rm2gs*V?3uwm}ZryLDjhk zenaQlhQJg4;!DAW+qgdA?DMfMCwvMA`{zP!A=$Ocf2-t1{i5kVQ{;&{xP}1G_!?uB zhO^-@YLi4+zDb0DfdNVa>9LUSGW{Z%SHqHQ4x8Ujo|+O?1Hkm&XGGo~62wl?M>3HU z3;TS#ywsB3><(UJrQygu5gUZF$Pn(fF5fhl}OXmWi7%zx)Ymj zw*}kh``JG*#Hy%nt;~&XT-_*F{kQ0Uz8m(M`X`xqzD21lraZuObKiU2{^&mt2>7ZW zB6+6Gn$LXcXjQT8WoK3pkg~>E9Qi1MU#Q+z<(eQs`jYAxiB(`sYqr zY4al)R%8i^vyMvOTl0q!BC>Fxi(cS+a?gZ2Wq}T{ubDSSNk#i#CfZ zK0bRwfUs_liQzljpGk+&#cPdq1PC)}q@b2;bzFy5Pg&Tz=rtn=rQ>!J{Di>@>npI(UVN5dPtjz4{*#@IN2>--q zD;qkEGNNh}E|w4CW>3JIEL$&Zi;L>v!`03}S^P7F1-y@TZ;MES#nDl2uD?*lH&@h2 z+Pb|l4NjlC={O-1I2 z3>4UkGSK%(ZHo>#C%B=1111_hrFmYhEYd*;smk3psJck>^M_!+_orRf$A7v34@=xqwiy#Y9q8dvN^a4_bQ)gqiIHvA+%S{% zW1zEhw0{c^qB?uor&APGV8UQh= zD6D||_i<4$^G|H>a|D0@ePs>2S4GA&JV%)RjJdz64lK!kk*A*Vpx}b@o`A3bMm(AP z;`v~yy*ZpTcf0J45EwvK+)2;T?F*nfhj_=~k7f7ZQrLs5acolttAqTW?|2v*Yck^f zs>mz0#XHI%nx7oyV$!HH_;U@`hrNG#)r>tV4B!l$FyR|~^>}9}jL<8udN=+nzV!_4 zD!W4qU{>Lv{<1UTO{B&eoB7r|Ib~6~!$QcAD8$;wTEQp~(EXh6&x8_(5wUh%M6(*n zwz|8@lYHKQK+#6?8RchXoQe~ls1U)Id4Y6>iKlgPcl_+%8@$a%xP`gcYi{FO z?={xy$PdI@s7Cp!FQDhP&t{oWzrbCsf32=X0k~l?uy0FW{bpZ-VAid*9cfN}B1i1W zIU>SWzrXb~?4GbT-z(#DA(1bVWB#IAy>l3o@(}?vTfdB9{2yc0$;@bz5B;C}g9X*9ar?NN3>%smB!r)hl%*6ueHUwB?OnM`3)~ltt*adi-RY0nuPdZO0 zD(YzuH_v5Gc`_{MtgNYes_uzqA1tKgW?>MKD4Lq~X>VOA z>gkt$L-sDYNRpA-L8ZGtU{!z68xDzgT0P}x&JK=rlRvBus`(tP=nO=Hd8%~DTE!_f z%%h_|+NboAQwb^RJV~ER%S0X-uAIQB85}bIc%TZet3UAcJuiq1e@bC5=M}%M{C$?C 
zB;|V)Q$Y%$_3uGXuDV@-7m`jnEdG9i1ZiI@9U`k3z-*zr+VF=SrnEPU#kP3ac)yW# zfoJUzE*|Eb1m%xio&RYRB8J}OM?R|G-7I;{<%MN;b3=ne5&fmHH_YnpW|rbIb(+M8 zkI_dJq3ADbdtY6$R%+qI0hsSZ2%nB3d`5mS))_m0Pvh4qr{5@+N)v){ z_A23>EQG0_w{|xH~*Y_&i$R=J@?GH_nr}5pg)vw3S z-mo)tI;1wPPz+EKu0B=cZ1r!7ND()AdcX-kZOPkp=Wf~(cjJjIN=#*S+%8ZFK?k43 zC;ba%MCl*2I_{IxXZ;K2|3M1>-^KpL+9R-btHNM0`(Ws0!4!2D=)RWaO_f{d1Ey-^ zn>*vHR$?)#yc-+tdg!1a-i_?WDy>hJlAmosbsSR}*@X&q7HsdNis9B6W*q3H5Mb1} zmeFm`maf7vBMqdlD%FL@{J9q)vmXECqN14MWf-pQ;Zlb(izrARxR%9m_{D8G>izr7 zooCel%z70#MrX&OF6t)io8KkgLUF+^jW6Sb6m+?&W`2*!Mr$A5ij^q;ag8H)!qe{W zk5WeTbJc7vQ7d8G8haF$kdDjSi}S)?ZJquRRYQ*xiB{_lhoQj@v_G?Mx-DbXtk{B{rW3L)2J3-q zOqzMIv0qrldYEfLy*a`lN#R&KaIG5u*z;{4^GLd^KgeaPR^gDNCP1Go zpmHZbF$AzNkf|y;1&iSt0I#@Cd1xH!tSF>JxSR682MvQsdwJ1n&g?e`MSM3tlo&JJ zjk=6CGS_S1n0vt6(d)GqC7OP9++x&@w$fD>j6?6>$Wq4L%P=H!aq;A@njtj+BUsqWZicQo~%I#PNIoP_9dLb@kMqs0)P~W`8}>=?ZiJNN&A_i z5bxh^yMvB`5quEO>3u*zns2CLOiFL7{-K%L1pSC6R$dP!9p7x0bJdbSFRyx6k&-wQ zw-hPi80>JNhj`_kI9IyvhPds$+&4umREFV)i8H}oF1ZQXtT_wC2On70Fgsc+7-7ct^xqq7FqYe&AKESN&)29D~z zkO}gYk@k-PRY#iOq7*HbVaZ^akk{6ln3vF9u5(F!Ihu(zEDn9!5NOpkKc!k#?9{!C zZveiPIAUiufibl1LWXKOw*ZfueVF{Dd(Ss6;C7?_U<+-e5kgrm~I64s^9Ls zPqF6();Cy&$A-It7DCCrJZk$h?nH;py1|MB2n%C)2$p1&;}t1QKgZ)(<+`aPFWtZy zf$VU+w$TG&^geXA}rQ4(X zf)zmE9V|psHJ*%|A9`P#X&8Hj4HE$#K3TB~EVM&U28o{a_HJ~lO)i-wjluB^R^pJJ z*r-(N6?|Xw&}`CKaFhnqTq!AIZs^&b^8-hlAT<_sT8lf;T-xFxUNl0W4L`m4U2nm{ zQ^a_NMq7?HlGd5Vc-a_e6aZT88~lTpuGevo08X_#4!FYxV;bamO4? 
zY2Cc&VF?`2U>)!!t)BW$uOS#rATJ}Yo}TdpnQ&wPp6slrQXZ(C`T-x6dc@+z0W|XW zE67cUeZ#x!x0OjN_Qm^~OWqplvg++X+qYF zeawqDB$^ELM(!Ws@CugWC5CEb9~&00H-F}oTn&rd({`|h{eJW$nsc3^eUx0pFiah- z%#~aW!|lRbG6Iw>JOB?a7LiOMmru}>Olk6(#Kh-TrDj81}I@q&kRSTf5KjWl% zsZSQJFV;?=PHJIjaw+|hhD=Z#P-(9faL}nsg&Wr<3O6sxq_t85?vE1Ql?>*R!aR%^ zE_9jrN!M_j6?!f83hT$rtF#tr9`gjv(?dTI(MyW-`z2YRM!eE3fx!RDyb~;%B!x}U3eiRU`Y1IgzXtwF135)gn!`INDq-)5H8s^ z<8VgOfAXWCIl^3%RdZ}&uwCMBH05IqOvDGc`6%p|k$Nl0AK#p254znja^^@OFk$38 znC?mN(qs)3!6YNaZWMwe_wF6(-e4KW4gtOBJZS-d7)YX)P^uhaB zo5!0-F3O$k(Z>8Sk(Zu($5gOfe%AHy0cUDAQkckAXpef|h5f2v`V;h&yoBcFy1%hT zA4`6C{Nh7caM-3OQx)wA)RLj>_0GZiz+5f#I;1&k;So}@;&{*lLty8A@a9Dqc);W5 z(`EBfkY-y3-?f;X0F9d=ds{{Lt-Yr@t*7-<{QgK%$T(>PY$tuG^)yz5R#&r0U41PpDv;be;90hIPY z?+!G+_QO%XncR7%i*#oIEEv?o^QU@h2uM$$-I@oDXWBMP14mCu^#O%XgYWrAqDj?S ztHs`BNyfM#(<=nmgFop@PNbP9dn?`7;K7fx8hnJD7xD=oV$ zawlWZUdc9-m1lo;_Pi_F*c^WtaXv`2&>O!<65qKXh6}Hw!~L5&uBI|i=PWi`b`h8H zkI|MPa;3{R>#mysSWIf2KNx=xg_$0B>4=itrdD{Xlo|l0hxFQh;2Q#_Z}k`i6sOU! zV=@p$#jSAMf<;@jQRjgyO5{phzdUq#gtPpNKJYq72YRnl{uQ^TBzB2Rd7s@S7*gUc z!D94*&*IlbT_5-){@aX=3HZ{~mpm~45TS!bzR&tUX6t|3zYxbbTSm&IW~>GRaRepw NbFg=`%iVqS(%%^A;${E< diff --git a/freebsd/postrm b/freebsd/postrm deleted file mode 100644 index 9cb6c88c..00000000 --- a/freebsd/postrm +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -set -e - -USERNAME=defguard - -if id -u ${USERNAME} >/dev/null 2>&1 -then - echo "If no longer needed, remove ${USERNAME} manually: pw user del -n ${USERNAME}" -fi diff --git a/freebsd/preinst b/freebsd/preinst deleted file mode 100644 index 212683de..00000000 --- a/freebsd/preinst +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh -set -e - -USERNAME=defguard - -if ! id -u ${USERNAME} >/dev/null 2>&1 -then - pw user add -n ${USERNAME} -g nogroup -c "Defguard" -d /nonexistent -s /usr/sbin/nologin -fi - -mkdir -p /etc/defguard -chown ${USERNAME}:${USERNAME} /etc/defguard -chmod 750 /etc/defguard diff --git a/linux/defguard-proxy.service b/linux/defguard-proxy.service index bcf03cb3..ce614eed 100644 
--- a/linux/defguard-proxy.service +++ b/linux/defguard-proxy.service @@ -7,6 +7,8 @@ After=network-online.target [Service] User=defguard Group=defguard +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE ExecReload=/bin/kill -HUP $MAINPID ExecStart=/usr/bin/defguard-proxy --config /etc/defguard/proxy.toml KillMode=process diff --git a/linux/postinst b/linux/postinst index 7ed34054..429e757c 100644 --- a/linux/postinst +++ b/linux/postinst @@ -14,8 +14,8 @@ case "${1}" in abort-upgrade | abort-remove | abort-deconfigure) if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload - if /usr/bin/systemctl is-enabled ${SERVICE_NAME} >/dev/null 2>&1; then - /usr/bin/systemctl start ${SERVICE_NAME} || true + if /usr/bin/systemctl is-enabled --quiet ${SERVICE_NAME}; then + /usr/bin/systemctl --no-block restart ${SERVICE_NAME} fi fi ;; diff --git a/linux/postrm b/linux/postrm index 3335ba37..2b473f8a 100644 --- a/linux/postrm +++ b/linux/postrm @@ -4,10 +4,9 @@ set -e USERNAME=defguard if [ -x /usr/bin/systemctl ]; then - /usr/bin/systemctl daemon-reload >/dev/null 2>&1 || true + /usr/bin/systemctl --quiet daemon-reload || true fi -if id -u ${USERNAME} >/dev/null 2>&1 -then - echo "If no longer needed, remove ${USERNAME} manually: userdel ${USERNAME}" +if id -u ${USERNAME} >/dev/null 2>&1; then + echo "If no longer needed, remove ${USERNAME} manually: userdel ${USERNAME}" fi diff --git a/linux/prerm b/linux/prerm index f691f94d..1ca58ce1 100644 --- a/linux/prerm +++ b/linux/prerm @@ -4,5 +4,5 @@ set -e SERVICE_NAME='defguard-proxy' if [ -x /usr/bin/systemctl ]; then - /usr/bin/systemctl --no-block stop ${SERVICE_NAME} >/dev/null 2>&1 || true + /usr/bin/systemctl --no-block --quiet stop ${SERVICE_NAME} || true fi From 8bbc04cff1d91e9011a78a34bda090bad3001d3f Mon Sep 17 00:00:00 2001 
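Review bot: The two added lines grant and bound the capability, but nothing visible in this hunk sets `NoNewPrivileges=true`. The bounding set limits which capabilities can be acquired, yet a setuid helper executed by the proxy could still change UID; adding `NoNewPrivileges=true` next to `CapabilityBoundingSet=` closes that path. A one-line comment above the pair, e.g. `# Allow binding ports below 1024 as the unprivileged defguard user`, would record why the capability is needed. The [Service] section continues outside the hunk, so the directive may already be present there.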
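Review bot: The new `systemctl --no-block restart ${SERVICE_NAME}` line in linux/postinst drops the `|| true` that the old `start` call had. If this script runs under `set -e` like the other maintainer scripts in this series (not visible in the hunk), a failure to enqueue the restart now aborts package configuration. Because `--no-block` returns before the unit has started, a proxy that fails to come up is also not reported to the installer. Either restore the guard or add a comment saying that aborting here is intended, and quote the expansion: `/usr/bin/systemctl --no-block restart "${SERVICE_NAME}" || true`. The `case` block begins and ends outside the hunk.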
From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?= Date: Wed, 22 Apr 2026 15:29:16 +0200 Subject: [PATCH 2/2] cleanup --- .github/workflows/release.yml | 7 +------ linux/preinst | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9283c8f8..287d1dcc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,8 +1,6 @@ name: Make a new release on: push: - branches: - - pkg tags: - v*.*.* @@ -57,8 +55,6 @@ jobs: with: draft: true generate_release_notes: true - package_name: pkg - tag_name: pkg create-sbom: needs: @@ -79,8 +75,7 @@ jobs: # Store the version, stripping any v-prefix - name: Write release version run: | - # VERSION=${GITHUB_REF_NAME#v} - VERSION=2.0.0 + VERSION=${GITHUB_REF_NAME#v} echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV diff --git a/linux/preinst b/linux/preinst index a4b7852b..6cc33233 100755 --- a/linux/preinst +++ b/linux/preinst @@ -8,5 +8,5 @@ if ! id -u ${USERNAME} >/dev/null 2>&1; then fi mkdir -p /etc/defguard -chown ${USERNAME}:${USERNAME} /etc/defguard +chown -R ${USERNAME}:${USERNAME} /etc/defguard chmod 750 /etc/defguard
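Review bot: `chown -R ${USERNAME}:${USERNAME} /etc/defguard` in linux/preinst makes root walk a tree that, on upgrade, is already owned by the unprivileged service account. Depending on the host's hard-link protections, entries placed there by that account can have their ownership handed over as well, which is why lintian warns about recursive chown/chmod in maintainer scripts. It also leaves the config read by `--config /etc/defguard/proxy.toml` writable by the service it configures. Consider keeping the directory chown non-recursive and changing only the files the package installs, e.g. `if [ -f /etc/defguard/proxy.toml ]; then chown ${USERNAME}:${USERNAME} /etc/defguard/proxy.toml; fi`. Alternatively, make the tree `root:${USERNAME}` so the proxy can read but not rewrite its configuration.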