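--- /dev/null
+++ b/cmd/agent_local/package/linux/_rpm/post.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+systemctl enable 'ak-agent.service'
+
+systemctl restart 'ak-agent.service'
+
+exit 0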
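Review bot: The `systemctl enable 'ak-agent.service'` on the first non-trivial line runs against the system manager, but the nfpm.yaml in this same PR installs the unit at /etc/systemd/user/ak-agent.service, so a root %post will not find it and, under `set -euo pipefail`, the scriptlet aborts right there on every fresh install. For a unit shipped in the user directory the equivalent is `systemctl --global enable 'ak-agent.service'`, and the following `systemctl restart` cannot reach per-user managers from a root scriptlet at all, so it should be dropped or made explicitly best-effort (`systemctl restart 'ak-agent.service' || true  # user unit; restarted by each user's manager`). The Debian postinst is not in view, so whether it shares this mismatch is unverified.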
9 changes: 7 additions & 2 deletions cmd/agent_local/package/linux/nfpm.yaml
Expand Up @@ -9,12 +9,17 @@ vendor: "Authentik Security Inc."
homepage: "https://goauthentik.io"
maintainer: "Authentik Security Inc."
license: "MIT"
scripts:
postinstall: ./package/linux/postinst.sh
contents:
- src: ../../bin/agent_local/ak-agent
dst: /usr/bin/ak-agent
- src: ./package/linux/etc/systemd/user/ak-agent.service
dst: /etc/systemd/user/ak-agent.service
- src: ./package/linux/usr/share/polkit-1/actions/io.goauthentik.platform.policy
dst: /usr/share/polkit-1/actions/io.goauthentik.platform.policy
overrides:
deb:
scripts:
postinstall: ./package/linux/_deb/postinst.sh
rpm:
scripts:
postinstall: ./package/linux/_rpm/post.sh
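--- /dev/null
+++ b/cmd/agent_system/package/linux/_rpm/post.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+systemctl enable 'ak-sysd.service'
+
+if [ $1 -eq 1 ] ; then
+# creating _ak-agent group if he isn't already there
+if ! getent group _ak-agent >/dev/null; then
+addgroup --system --force-badname _ak-agent
+fi
+fi
+
+systemctl restart 'ak-sysd.service'
+
+exit 0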
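Review bot: `addgroup --system --force-badname _ak-agent` is the Debian adduser front-end and is not present on Fedora/RHEL, where shadow-utils provides `groupadd`; on a fresh install this line fails with command-not-found and `set -e` aborts the scriptlet after the unit was enabled but before it is restarted, with no group created. Replace it with `groupadd --system _ak-agent` (keeping the `getent` guard) and quote the scriptlet argument, `if [ "$1" -eq 1 ]; then`. RPM convention also creates accounts in %pre rather than %post so that packaged files owned by the group get correct ownership at unpack time — if any entry in this package's contents (partly collapsed in this view) sets `group: _ak-agent`, the block belongs in a preinstall script instead.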
9 changes: 7 additions & 2 deletions cmd/agent_system/package/linux/nfpm.yaml
Expand Up @@ -9,8 +9,6 @@ vendor: "Authentik Security Inc."
homepage: "https://goauthentik.io"
maintainer: "Authentik Security Inc."
license: "MIT"
scripts:
postinstall: ./package/linux/postinst.sh
contents:
- src: ../../bin/agent_system/ak-sysd
dst: /usr/bin/ak-sysd
Expand All @@ -35,3 +33,10 @@ contents:
dst: /etc/opt/edge/native-messaging-hosts/io.goauthentik.platform.json
- src: ./package/linux/browser-host-firefox.json
dst: /usr/lib/mozilla/native-messaging-hosts/io.goauthentik.platform.json
overrides:
deb:
scripts:
postinstall: ./package/linux/_deb/postinst.sh
rpm:
scripts:
postinstall: ./package/linux/_rpm/post.sh
2 changes: 1 addition & 1 deletion nss/debian/postinst.sh → nss/_deb/postinst.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env bash
#DEBHELPER#
set -eu
set -euo pipefail

mkdir -p /var/log/authentik

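--- /dev/null
+++ b/nss/_rpm/post.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+mkdir -p /var/log/authentik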
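Review bot: `mkdir -p /var/log/authentik` takes its mode from whatever umask rpm runs the scriptlet under, so the directory's permissions are not pinned by the package; make them explicit with `mkdir -p -m 0755 /var/log/authentik`. Because an NSS module runs inside whichever process performs the lookup, it is worth confirming that a root-owned 0755 directory is what the module expects — if it needs to write logs from unprivileged callers, that needs a different design rather than a looser mode. A directory created in %post is also untracked by rpm; declaring it in nfpm.yaml's contents with nfpm's `dir` type would let rpm own, verify and remove it.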
5 changes: 4 additions & 1 deletion nss/nfpm.yaml
Expand Up @@ -28,4 +28,7 @@ contents:
overrides:
deb:
scripts:
postinstall: ./debian/postinst.sh
postinstall: ./_deb/postinst.sh
rpm:
scripts:
postinstall: ./_rpm/post.sh
File renamed without changes.
2 changes: 1 addition & 1 deletion pam/debian/postinst.sh → pam/_deb/postinst.sh
@@ -1,5 +1,5 @@
#!/usr/bin/env bash
set -eu
set -euo pipefail

function sshd_notice {
if ! grep -q '^KbdInteractiveAuthentication.*yes' /etc/ssh/sshd_config; then
3 changes: 1 addition & 2 deletions pam/debian/prerm.sh → pam/_deb/prerm.sh
@@ -1,6 +1,5 @@
#!/usr/bin/env bash

set -eu
set -euo pipefail

if [ "$1" = remove ]; then
pam-auth-update --package --remove authentik
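--- /dev/null
+++ b/pam/_rpm/authselect/README
@@ -0,0 +1,5 @@
+Enable authentik for system authentication
+================
+
+Selecting this profile will enable local files as the source of identity
+and authentication providers.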
Empty file.
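--- /dev/null
+++ b/pam/_rpm/authselect/dconf-db
@@ -0,0 +1,3 @@
+[org/gnome/login-screen]
+enable-smartcard-authentication=false
+enable-fingerprint-authentication={if "with-fingerprint":true|false}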
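--- /dev/null
+++ b/pam/_rpm/authselect/dconf-locks
@@ -0,0 +1,2 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication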
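--- /dev/null
+++ b/pam/_rpm/authselect/fingerprint-auth
@@ -0,0 +1,24 @@
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"}
+{continue if "with-fingerprint"}
+auth required pam_env.so
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth [success=done default=bad] pam_fprintd.so
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}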
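--- /dev/null
+++ b/pam/_rpm/authselect/nsswitch.conf
@@ -0,0 +1,16 @@
+# In order of likelihood of use to accelerate lookup.
+passwd: files {if "with-altfiles":altfiles }systemd authentik
+shadow: files systemd authentik
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd authentik
+hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+services: files
+netgroup: files
+automount: files
+
+aliases: files
+ethers: files
+gshadow: files systemd
+networks: files dns
+protocols: files
+publickey: files
+rpc: files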
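Review bot: `shadow: files systemd authentik` sends getspnam() lookups into the authentik NSS module for every caller, and unlike `files`, which is protected only by /etc/shadow being unreadable to non-root, an NSS module executes inside the calling process with the caller's privileges. If the module ever returns a real password hash rather than a placeholder such as `*`, any local user could enumerate hashes for authentik accounts; it is worth confirming that the module either returns placeholders only or checks for euid 0 before answering. Whichever it is, a comment above the line stating it, e.g. `# authentik shadow entries carry no usable hash; verification is done by pam_authentik`, would make the ordering reviewable.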
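--- /dev/null
+++ b/pam/_rpm/authselect/password-auth
@@ -0,0 +1,34 @@
+auth [success=2 default=ignore] pam_authentik.so
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+account required pam_unix.so
+
+password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+password requisite pam_pwquality.so
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password required pam_deny.so
+
+session required pam_authentik.so
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+session optional pam_systemd_home.so {include if "with-systemd-homed"}
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}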
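Review bot: `session required pam_authentik.so` at the head of the session stack applies to every login, including purely local accounts; if the module's session handler returns an error when the authentik agent or server is unreachable, `required` turns that into a session failure and locks out root and local administrators as well. Unless the module is known to return success (or PAM_IGNORE) for users it does not own, `session optional pam_authentik.so` is the safer default and matches how pam_systemd_home and the other non-essential session modules are declared here. The same line appears in system-auth. A one-line comment above it recording the failure behaviour the module guarantees would let a later maintainer judge the choice.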
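--- /dev/null
+++ b/pam/_rpm/authselect/postlogin
@@ -0,0 +1,8 @@
+auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+
+password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog2.so {if "with-silent-lastlog":silent}
+session optional pam_lastlog2.so silent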
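--- /dev/null
+++ b/pam/_rpm/authselect/smartcard-auth
@@ -0,0 +1 @@
+auth required pam_debug.so auth=authinfo_unavail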
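--- /dev/null
+++ b/pam/_rpm/authselect/system-auth
@@ -0,0 +1,35 @@
+auth [success=2 default=ignore] pam_authentik.so
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_fprintd.so {include if "with-fingerprint"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+account required pam_unix.so
+
+password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+password requisite pam_pwquality.so
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password required pam_deny.so
+
+session required pam_authentik.so
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+session optional pam_systemd_home.so {include if "with-systemd-homed"}
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}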
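Review bot: `auth [success=2 default=ignore] pam_authentik.so` on the first line skips a fixed two entries, but authselect removes every `{include if ...}` line whose feature is off, so the module it lands on shifts with the enabled features (pam_faillock preauth under with-faillock, pam_fprintd under with-fingerprint, otherwise pam_u2f or pam_unix), and in every rendering the stack still runs on into `auth sufficient pam_unix.so` and the final `auth required pam_deny.so`, so a successful pam_authentik on its own never completes authentication — the user is still prompted for a local password. If authentik is meant to be a full primary authenticator, `auth sufficient pam_authentik.so` placed after the pam_faillock preauth line (so lockout accounting still applies) expresses that without a jump count and matches how pam_fprintd and pam_u2f are declared; if the jump is deliberate, a comment naming exactly what it skips is needed because the count is not stable under templating. password-auth carries the same line.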
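--- /dev/null
+++ b/pam/_rpm/post.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+function sshd_notice {
+if ! grep -q '^KbdInteractiveAuthentication.*yes' /etc/ssh/sshd_config; then
+cat <<EOF
+Because of design limitations of sshd, you need to set the following in your sshd
+config file at /etc/ssh/sshd_config:
+
+KbdInteractiveAuthentication yes
+
+Then reload sshd:
+
+sudo systemctl reload sshd
+EOF
+fi
+}
+
+if [ $1 == 1 ]; then
+mkdir -p /var/log/authentik
+pam-auth-update --package --enable authentik
+sshd_notice
+fi
+
+exit 0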
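Review bot: `pam-auth-update --package --enable authentik` is the Debian libpam-runtime tool and does not exist on Fedora/RHEL, so under `set -euo pipefail` this %post dies with command-not-found on every fresh install and the authselect profile this PR ships under /usr/share/authselect/vendor/authentik is never activated. The RPM-side equivalent is `authselect select authentik --force`, but that rewrites /etc/pam.d/system-auth, password-auth and /etc/nsswitch.conf wholesale (dropping, for instance, `sss` on a host using the sssd profile), so doing it silently from a scriptlet is an unpleasant surprise; printing the command and its caveat, as the script already does for sshd, is the safer default with automatic activation left as an explicit opt-in. The argument test should also be `[ "$1" -eq 1 ]` rather than `[ $1 == 1 ]`. The sshd check only greps /etc/ssh/sshd_config and misses `Include`d drop-ins under /etc/ssh/sshd_config.d, which is where these distributions keep local overrides.
```shell
# … unchanged: sshd_notice() …

if [ "$1" -eq 1 ]; then
  mkdir -p -m 0755 /var/log/authentik
  # authselect replaces the whole PAM/NSS configuration; leave the choice to the admin.
  cat <<'EOF'
To use authentik for system authentication, select the shipped authselect profile.
Note: this replaces /etc/pam.d/system-auth, password-auth and /etc/nsswitch.conf;
check 'authselect current' first and re-add any features you rely on:

    sudo authselect select authentik --force

EOF
  sshd_notice
fi
```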
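--- /dev/null
+++ b/pam/_rpm/preun.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ $1 == 0 ]; then
+pam-auth-update --package --remove authentik
+fi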
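Review bot: Beyond `pam-auth-update` not existing on RPM systems (so `set -e` aborts the %preun and `rpm -e` fails), removing the package while the authentik authselect profile is selected leaves /etc/pam.d/system-auth with `session required pam_authentik.so` and /etc/nsswitch.conf with `authentik` sources pointing at files that are about to be deleted, which can break every login on the host. Before the files go away, the script should check the active profile and fall back to a stock one when authentik is selected, and compare the argument numerically with `[ "$1" -eq 0 ]`. This assumes `authselect current --raw` prints the profile id first, and the right fallback (`sssd`, `local` or `minimal`) depends on the releases being targeted, so the sketch below leaves that as a TODO.
```shell
if [ "$1" -eq 0 ]; then
  # The vendor profile and pam_authentik.so are about to be removed; leaving the
  # profile selected would strand /etc/pam.d and /etc/nsswitch.conf with dangling
  # references and break logins.
  if authselect current --raw 2>/dev/null | grep -q '^authentik'; then
    printf 'authentik authselect profile is active; switching back to the stock profile\n' >&2
    authselect select sssd --force   # TODO: pick the distro default (sssd/local/minimal)
  fi
fi
```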
22 changes: 15 additions & 7 deletions pam/nfpm.yaml
Expand Up @@ -21,19 +21,27 @@ contents:
file_info:
mode: 0644
packager: deb
- src: "../pam/debian/pam_config"
- src: "../cache/pam/release/libauthentik_pam.so"
dst: "/usr/lib64/security/pam_authentik.so"
file_info:
mode: 0644
packager: rpm
# Config
- src: "./_deb/pam_config"
dst: "/usr/share/pam-configs/authentik"
file_info:
mode: 0644
packager: deb
type: config
- src: "../cache/pam/release/libauthentik_pam.so"
dst: "/usr/lib64/security/pam_authentik.so"
file_info:
mode: 0644
- src: "./_rpm/authselect"
dst: /usr/share/authselect/vendor/authentik
packager: rpm
overrides:
deb:
scripts:
postinstall: ./debian/postinst.sh
preremove: ./debian/prerm.sh
postinstall: ./_deb/postinst.sh
preremove: ./_deb/prerm.sh
rpm:
scripts:
postinstall: ./_rpm/post.sh
preremove: ./_rpm/preun.sh
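Review bot: The profile directory packaged from `./_rpm/authselect` into /usr/share/authselect/vendor/authentik ships a README whose body is copied from the stock local-files profile ("Selecting this profile will enable local files as the source of identity and authentication providers") and never mentions authentik, even though that text is exactly what `authselect list` prints next to the profile name. Replace it with something like `Selecting this profile enables authentik (pam_authentik.so and the authentik NSS module) alongside local files for identity and authentication.` and state in the same README that selecting the profile replaces the active PAM and nsswitch configuration, since that is the main operational caveat for whoever runs it.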