
feat: packaging — .deb/.rpm via nfpm and Docker image#14

Merged
Crank-Git merged 1 commit into main from feat/p2-packaging on Apr 11, 2026

Conversation

@Crank-Git
Owner

Summary

  • .deb / .rpm packages via nfpm: amd64 + arm64 for both formats, produced in the release workflow on every tag push
  • Dockerfile — two-stage build, non-root user, capabilities granted at runtime via --cap-add
  • packaging/postinst — creates ja4monitor system user/group, data + log dirs, grants CAP_NET_RAW + CAP_NET_ADMIN via setcap so the daemon runs without root
  • Release workflow updated to install nfpm and upload .deb/.rpm packages to GitHub Releases

Capability model

| Deployment | How |
|---|---|
| .deb/.rpm | postinst runs `setcap cap_net_raw,cap_net_admin=eip /usr/bin/ja4monitor`; daemon runs as ja4monitor system user |
| Docker (live) | `docker run --cap-add NET_RAW --cap-add NET_ADMIN --network host` |
| Docker (PCAP replay) | No special capabilities needed |
| Kubernetes | Privileged DaemonSet or custom seccomp profile (documented in Dockerfile header) |

Quick start after install

```bash
# Debian/Ubuntu
sudo apt install ./ja4monitor_0.8.0_linux_amd64.deb
# Edit /etc/ja4monitor/ja4monitor.toml (set interface, db_path, etc.)
sudo systemctl start ja4monitor

# Docker
docker run --rm -it --cap-add NET_RAW --cap-add NET_ADMIN --network host \
  -v /var/lib/ja4monitor:/data \
  ja4monitor:latest \
  --interface eth0 --db /data/ja4monitor.db
```

Test plan

  • Build passes: go build ./... + go test ./... all green
  • Shell scripts are +x and use set -e
  • postinst is idempotent (uses getent checks before useradd/groupadd)
  • postrm purge cleans up user, group, and data dirs; plain remove leaves data intact
  • nfpm.yaml paths match what the release workflow produces (../dist/ja4monitor)
  • Smoke-test on next tag: verify .deb installs cleanly on Ubuntu 22.04 + 24.04

🤖 Generated with Claude Code

Operators can now install ja4monitor via apt/rpm or run it in Docker.

## .deb / .rpm (via nfpm)

packaging/
  nfpm.yaml             — nfpm package config (arch/version templated from env)
  ja4monitor.service    — systemd unit with capability bounding set + hardening
  scripts/postinst      — creates ja4monitor system user, data dir, setcap
  scripts/prerm         — stops/disables systemd unit before removal
  scripts/postrm        — purge removes user, data, and config dirs

postinst grants CAP_NET_RAW and CAP_NET_ADMIN via setcap so the daemon
runs as the ja4monitor system user without root. Falls back gracefully when
setcap is unavailable (prints a warning).

## Docker

Dockerfile — two-stage build (golang:1.25-bookworm builder + debian:bookworm-slim
runtime). Runtime image: libpcap + ca-certificates, non-root ja4monitor user,
/data volume for SQLite. Capabilities granted at runtime via --cap-add; binary is
NOT setuid in the container.

.dockerignore added to exclude testdata, captures, and build artifacts.

## Release workflow

.github/workflows/release.yml updated to:
1. Install nfpm after building
2. Package amd64 and arm64 .deb and .rpm
3. Upload all packages alongside binaries in the GitHub Release

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
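The idempotent postinst steps named in the summary, the test plan and the commit message above (getent-guarded user and group creation, data and log directories, setcap with a warning when setcap is missing), as an added example written here and not the project's own packaging/scripts/postinst. The user name, paths and capability set are taken from the PR text; the getcap pre-check that skips a redundant setcap on upgrade goes beyond what the PR describes and is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the project's postinst: the idempotent steps the PR
# describes. Names and paths are assumed from the PR text.
set -e

JA4_USER=ja4monitor
JA4_GROUP=ja4monitor
JA4_BIN=/usr/bin/ja4monitor
JA4_DATA=/var/lib/ja4monitor
JA4_LOG=/var/log/ja4monitor
JA4_CAPS="cap_net_raw,cap_net_admin=eip"

# has_caps: true when a getcap line already carries both capabilities with
# e+i+p flags. Accepts both libcap output styles:
#   "/usr/bin/ja4monitor = cap_net_admin,cap_net_raw+eip"  (older libcap)
#   "/usr/bin/ja4monitor cap_net_admin,cap_net_raw=eip"    (libcap >= 2.41)
has_caps() {
  caps=${1#* }      # drop the path
  caps=${caps#= }   # drop the "= " separator of the older style
  case "$caps" in *cap_net_raw*) ;; *) return 1 ;; esac
  case "$caps" in *cap_net_admin*) ;; *) return 1 ;; esac
  case "$caps" in *+eip|*=eip) return 0 ;; *) return 1 ;; esac
}

ensure_identity() {
  # getent guards make both commands safe to repeat on upgrade
  getent group "$JA4_GROUP" >/dev/null || groupadd --system "$JA4_GROUP"
  getent passwd "$JA4_USER" >/dev/null || useradd --system --no-create-home \
    --gid "$JA4_GROUP" --home-dir "$JA4_DATA" --shell /usr/sbin/nologin "$JA4_USER"
}

ensure_dirs() {
  install -d -o "$JA4_USER" -g "$JA4_GROUP" -m 0750 "$JA4_DATA" "$JA4_LOG"
}

grant_caps() {
  if ! command -v setcap >/dev/null 2>&1; then
    echo "warning: setcap not found; $JA4_BIN will need root to capture" >&2
    return 0      # degrade gracefully, as the PR describes
  fi
  # skip the rewrite when a previous install already set the caps
  if has_caps "$(getcap "$JA4_BIN" 2>/dev/null)"; then return 0; fi
  setcap "$JA4_CAPS" "$JA4_BIN"
}

# Debian runs "postinst configure"; with no argument nothing is executed.
case "${1:-}" in
  configure) ensure_identity; ensure_dirs; grant_caps ;;
esac
```

Run as root with the `configure` argument; a second run changes nothing because every step checks its precondition first.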
Crank-Git merged commit 3d004bd into main on Apr 11, 2026
2 checks passed
Crank-Git added a commit that referenced this pull request May 9, 2026
feat: packaging — .deb/.rpm via nfpm and Docker image
