From 81cb503295a94a1ee7695a966d5ba4249acc6f72 Mon Sep 17 00:00:00 2001 
From: Russ Dill Date: Wed, 15 Oct 2025 01:39:28 -0700 Subject: [PATCH] Add debian build This adds a debian build, producing the following packages: rpcd rpcd-dev rpcd-mod-file rpcd-mod-iwinfo rpcd-mod-rpcsys rpc-mod-ucode is not yet available as ucode is not yet packaged. This relies on the recent debian/ additions to libubox and ubus, as well as the following pull requests adding additional debian packaging: https://github.com/openwrt/iwinfo/pull/28 This also adds a systemd service file. Note that local ubus access provides no permissions structure other than permissions on the socket itself. Be sure to be aware of the implications. --- .gitignore | 14 +++++++++ CMakeLists.txt | 8 +++++ debian/acl/file.json | 0 debian/acl/iwinfo.json | 18 ++++++++++++ debian/acl/rpcsys.json | 10 +++++++ debian/control | 53 ++++++++++++++++++++++++++++++++++ debian/generate-changelog.sh | 15 ++++++++++ debian/rpcd-dev.install | 1 + debian/rpcd-mod-file.install | 2 ++ debian/rpcd-mod-iwinfo.install | 2 ++ debian/rpcd-mod-rpcsys.install | 2 ++ debian/rpcd.dirs | 2 ++ debian/rpcd.install | 2 ++ debian/rpcd.postinst | 13 +++++++++ debian/rpcd.postrm | 10 +++++++ debian/rpcd.service | 38 ++++++++++++++++++++++++ debian/rules | 26 +++++++++++++++++ debian/source/format | 1 + debian/watch | 2 ++ 19 files changed, 219 insertions(+) create mode 100644 .gitignore create mode 100644 debian/acl/file.json create mode 100644 debian/acl/iwinfo.json create mode 100644 debian/acl/rpcsys.json create mode 100644 debian/control create mode 100755 debian/generate-changelog.sh create mode 100644 debian/rpcd-dev.install create mode 100644 debian/rpcd-mod-file.install create mode 100644 debian/rpcd-mod-iwinfo.install create mode 100644 debian/rpcd-mod-rpcsys.install create mode 100644 debian/rpcd.dirs create mode 100644 debian/rpcd.install create mode 100644 debian/rpcd.postinst create mode 100644 debian/rpcd.postrm create mode 100644 debian/rpcd.service create mode 100755 debian/rules create mode 100644 
debian/source/format create mode 100644 debian/watch
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..eed2562
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+obj-*
+debian/.debhelper/
+debian/*.debhelper
+debian/debhelper-build-stamp
+debian/*.debhelper.log
+debian/*.substvars
+debian/rpcd-dev/
+debian/rpcd-mod-file/
+debian/rpcd-mod-iwinfo/
+debian/rpcd-mod-rpcsys/
+debian/rpcd/
+debian/files
+debian/changelog
+debian/tmp/
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 56255ca..1d363b0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -78,3 +78,11 @@ INSTALL(TARGETS rpcd ${PLUGINS}
 RUNTIME DESTINATION sbin
 LIBRARY DESTINATION lib/rpcd
 )
+
+ADD_CUSTOM_TARGET(debian
+ COMMAND ${CMAKE_COMMAND} -E echo "Generating debian/changelog from git..."
+ COMMAND ${CMAKE_SOURCE_DIR}/debian/generate-changelog.sh
+ COMMAND dpkg-buildpackage -b -uc -us
+ WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}
+ COMMENT "Building Debian package"
+)
diff --git a/debian/acl/file.json b/debian/acl/file.json
new file mode 100644
index 0000000..e69de29
diff --git a/debian/acl/iwinfo.json b/debian/acl/iwinfo.json
new file mode 100644
index 0000000..d8344b2
--- /dev/null
+++ b/debian/acl/iwinfo.json
@@ -0,0 +1,18 @@
+{
+ "iwinfo": {
+ "description": "Read-only wireless info via iwinfo plugin",
+ "read": {
+ "ubus": {
+ "iwinfo": [
+ "devices",
+ "info",
+ "assoclist",
+ "freqlist",
+ "txpowerlist",
+ "countrylist",
+ "scan"
+ ]
+ }
+ }
+ }
+}
diff --git a/debian/acl/rpcsys.json b/debian/acl/rpcsys.json
new file mode 100644
index 0000000..05c4ba2
--- /dev/null
+++ b/debian/acl/rpcsys.json
@@ -0,0 +1,10 @@
+{
+ "rpc-sys": {
+ "description": "Read-only rpcd sys plugin calls",
+ "read": {
+ "ubus": {
+ "rpc-sys": [ "board", "info", "uptime" ]
+ }
+ }
+ }
+}
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..20a65e4
--- /dev/null
+++ b/debian/control
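Review bot: The `read` list in debian/acl/iwinfo.json includes `scan`, which is not a passive query: it makes the radio perform a scan, while the group's description promises read-only wireless info. `assoclist` also returns the MAC addresses of associated clients, so every session granted this group can see who is connected. I would drop `"scan"` from this list and, if it is needed, grant it through a separate group so that the description stays accurate and the grant is explicit.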
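Review bot: The method names granted in debian/acl/rpcsys.json (`board`, `info`, `uptime`) should be checked against the method table the rpc-sys plugin actually registers, which is not part of this patch. `board` and `info` look like names used by the `system` ubus object rather than by this plugin; if they do not exist on `rpc-sys`, the entry grants nothing and the "Read-only rpcd sys plugin calls" description is misleading. Since every entry in an ACL file is a grant, listing only methods confirmed to exist and to be free of side effects keeps the file auditable.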
@@ -0,0 +1,53 @@
+Source: rpcd
+Section: admin
+Priority: optional
+Maintainer: Russ Dill
+Build-Depends: debhelper-compat (= 13),
+ cmake,
+ libubus-dev,
+ libubox-dev,
+ libjson-c-dev,
+ libiwinfo-dev
+Standards-Version: 4.7.0
+Homepage: https://github.com/openwrt/rpcd
+Rules-Requires-Root: no
+
+Package: rpcd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ubus, adduser
+Recommends: rpcd-mod-file, rpcd-mod-rpcsys
+Description: ubus JSON-RPC daemon
+ rpcd is a lightweight JSON-RPC server for ubus. It loads plugins from
+ /usr/lib/rpcd and enforces ACLs under /etc/rpcd/acl.d.
+
+Package: rpcd-dev
+Section: libdevel
+Architecture: any
+Multi-Arch: same
+Depends: rpcd (= ${binary:Version}), ${misc:Depends}
+Description: Development headers for rpcd plugins
+ Provides the C header (plugin.h) needed to build rpcd plugins.
+
+Package: rpcd-mod-file
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, rpcd (>= ${binary:Version})
+Description: rpcd plugin: file
+ Exposes basic file operations via rpcd.
+
+Package: rpcd-mod-iwinfo
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, rpcd (>= ${binary:Version}), libiwinfo0
+Description: rpcd plugin: iwinfo
+ Exposes iwinfo radio/assoc data via rpcd.
+
+Package: rpcd-mod-rpcsys
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, rpcd (>= ${binary:Version})
+Description: rpcd plugin: rpc-sys
+ Exposes basic system info/commands via rpcd.
+
+#Package: rpcd-mod-ucode
+#Architecture: any
+#Depends: ${shlibs:Depends}, ${misc:Depends}, rpcd (>= ${binary:Version}), libucode0
+#Description: rpcd plugin: ucode
+# Allows rpcd procedures implemented in ucode.
diff --git a/debian/generate-changelog.sh b/debian/generate-changelog.sh
new file mode 100755
index 0000000..cdb151a
--- /dev/null
+++ b/debian/generate-changelog.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+cd "$(dirname "$0")/.."
+
+COMMIT_DATE=$(git log -1 --format='%cd' --date=format:'%Y%m%d' 2>/dev/null || echo '00000000')
+COMMIT_HASH=$(git log -1 --format='%h' 2>/dev/null || echo 'unknown')
+COMMIT_TIMESTAMP=$(git log -1 --format='%cd' --date=rfc2822 2>/dev/null || date -R)
+
+cat > debian/changelog < ${COMMIT_TIMESTAMP}
+EOF
diff --git a/debian/rpcd-dev.install b/debian/rpcd-dev.install
new file mode 100644
index 0000000..fbd4979
--- /dev/null
+++ b/debian/rpcd-dev.install
@@ -0,0 +1 @@
+/usr/include/rpcd/*
diff --git a/debian/rpcd-mod-file.install b/debian/rpcd-mod-file.install
new file mode 100644
index 0000000..6f031b3
--- /dev/null
+++ b/debian/rpcd-mod-file.install
@@ -0,0 +1,2 @@
+usr/lib/rpcd/file.so
+debian/acl/file.json etc/rpcd/acl.d/
diff --git a/debian/rpcd-mod-iwinfo.install b/debian/rpcd-mod-iwinfo.install
new file mode 100644
index 0000000..48868b1
--- /dev/null
+++ b/debian/rpcd-mod-iwinfo.install
@@ -0,0 +1,2 @@
+usr/lib/rpcd/iwinfo.so
+debian/acl/iwinfo.json etc/rpcd/acl.d/
diff --git a/debian/rpcd-mod-rpcsys.install b/debian/rpcd-mod-rpcsys.install
new file mode 100644
index 0000000..966b514
--- /dev/null
+++ b/debian/rpcd-mod-rpcsys.install
@@ -0,0 +1,2 @@
+usr/lib/rpcd/rpcsys.so
+debian/acl/rpcsys.json etc/rpcd/acl.d/
diff --git a/debian/rpcd.dirs b/debian/rpcd.dirs
new file mode 100644
index 0000000..f91c2b7
--- /dev/null
+++ b/debian/rpcd.dirs
@@ -0,0 +1,2 @@
+etc/rpcd/acl.d
+usr/lib/rpcd
diff --git a/debian/rpcd.install b/debian/rpcd.install
new file mode 100644
index 0000000..3410be1
--- /dev/null
+++ b/debian/rpcd.install
@@ -0,0 +1,2 @@
+usr/sbin/rpcd
+unauthenticated.json etc/rpcd/acl.d/
diff --git a/debian/rpcd.postinst b/debian/rpcd.postinst
new file mode 100644
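Review bot: The `cd "$(dirname "$0")/.."` at the top of debian/generate-changelog.sh is unchecked and the script sets no `set -e`, so if the directory change fails the later `cat > debian/changelog` writes relative to whatever directory the caller happened to be in. I would add `set -eu` after the shebang, or write `cd "$(dirname "$0")/.." || exit 1`. The `'00000000'` and `'unknown'` fallbacks also let a build outside a git checkout succeed with values that do not identify the source; if these feed the package version, as the names suggest, failing instead would be safer for any package that leaves the build machine.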
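Review bot: debian/rpcd-mod-file.install ships `debian/acl/file.json` into `etc/rpcd/acl.d/`, but that file is added empty (the patch shows no hunk for it), and an empty file is not a valid JSON object. How rpcd treats an unparsable ACL file is not visible in this patch, so the result should be confirmed rather than assumed. Because the file plugin is the most sensitive of the three packaged here, I would ship an explicit `{}` or a documented deny-by-default group, with a comment in the packaging stating that access to the `file` object must be granted by the administrator.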
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ configure)
+ if ! id rpcd >/dev/null 2>&1; then
+ adduser --system --ingroup rpcd --home /var/lib/rpcd --no-create-home \
+ --disabled-login --shell /usr/sbin/nologin rpcd
+ fi
+ ;;
+esac
+
+exit 0
diff --git a/debian/rpcd.postrm b/debian/rpcd.postrm
new file mode 100644
index 0000000..c909f34
--- /dev/null
+++ b/debian/rpcd.postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+case "$1" in
+ remove)
+ ;;
+ purge)
+ deluser --system rpcd >/dev/null 2>&1 || true
+ ;;
+esac
+exit 0
diff --git a/debian/rpcd.service b/debian/rpcd.service
new file mode 100644
index 0000000..d0bc052
--- /dev/null
+++ b/debian/rpcd.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=rpcd ubus RPC daemon
+Documentation=https://github.com/openwrt/rpcd
+After=network-online.target ubusd.service
+Wants=network-online.target ubusd.service
+
+[Service]
+Type=simple
+User=rpcd
+Group=rpcd
+ExecStart=/usr/sbin/rpcd
+Restart=on-failure
+RestartSec=2
+StateDirectory=rpcd
+SupplementaryGroups=ubus
+
+# Hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+RuntimeDirectory=rpcd
+ReadOnlyPaths=/etc/rpcd/acl.d /run/ubus/ubus.sock
+ReadWritePaths=/var/lib/rpcd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..a52b450
--- /dev/null
+++ b/debian/rules
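Review bot: The `adduser` call in the `configure` branch of debian/rpcd.postinst passes `--ingroup rpcd`, which places the new account in an existing group, yet nothing in this script or elsewhere in the patch creates a group named `rpcd`. On a clean system the command therefore fails, and with `set -e` the package is left unconfigured. Using `--group` instead creates the matching group together with the user: `adduser --system --group --home /var/lib/rpcd --no-create-home \`. The unit file also relies on a `ubus` group through `SupplementaryGroups=ubus`; that is presumably provided by the ubus package, which is worth confirming.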
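Review bot: The `purge` branch of debian/rpcd.postrm deletes the `rpcd` account but leaves `/var/lib/rpcd`, the unit's `StateDirectory`, in place, so files owned by the freed UID stay on disk and would belong to whichever system account is allocated that UID next. Either remove the state directory in the same branch, before the `deluser` line, or keep the account on purge and only lock it. A short comment in the branch stating which of the two was chosen would help the next maintainer.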
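Review bot: `ReadOnlyPaths=/etc/rpcd/acl.d /run/ubus/ubus.sock` in debian/rpcd.service names a socket that exists only while ubusd is running, and `Wants=ubusd.service` does not guarantee that; when a listed path is missing, systemd cannot set up the mount namespace and the unit fails to start. Prefix the entry with `-` (`ReadOnlyPaths=/etc/rpcd/acl.d -/run/ubus/ubus.sock`) or drop it, since `ProtectSystem=strict` already makes the tree read-only. Separately, `RestrictAddressFamilies=AF_UNIX` probably breaks the iwinfo plugin, which I believe talks to nl80211 over netlink; if so, `AF_NETLINK` should be added deliberately here rather than the whole restriction being removed later. `CapabilityBoundingSet=` (empty) and `RestrictNamespaces=true` would fit the rest of the hardening block for a daemon that runs as an unprivileged user.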
@@ -0,0 +1,26 @@
+#!/usr/bin/make -f
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+%:
+ dh $@ --buildsystem=cmake
+
+override_dh_auto_configure:
+ dh_auto_configure -- \
+ -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DFILE_SUPPORT=ON \
+ -DIWINFO_SUPPORT=ON \
+ -DSYS_SUPPORT=ON \
+ -DUCODE_SUPPORT=OFF
+
+override_dh_auto_install:
+ dh_auto_install --destdir=$(CURDIR)/debian/tmp
+
+ install -d debian/tmp/usr/include/rpcd
+ install -m 0644 include/rpcd/plugin.h debian/tmp/usr/include/rpcd/plugin.h
+ install -m 0644 include/rpcd/session.h debian/tmp/usr/include/rpcd/session.h
+ install -m 0644 include/rpcd/exec.h debian/tmp/usr/include/rpcd/exec.h
+
+override_dh_installsystemd:
+ # Install the unit but don't auto-enable/start
+ dh_installsystemd --name=rpcd --no-enable --no-start
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..b097d9d
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=4
+# Fill with tags once upstream publishes versioned releases.