From d839ed99b82850b63d0a6ef82ce485eef5f85a2c Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Tue, 20 Dec 2022 16:24:41 +0000
Subject: [PATCH] Make the Debian package preserve its state on restart

---
 cmd/keystored/main.go     | 10 +++++-----
 debian/compat             |  2 +-
 debian/control            |  2 +-
 debian/keystored.default  |  1 +
 debian/keystored.service  |  5 +++--
 debian/keystored.tmpfiles |  1 +
 6 files changed, 12 insertions(+), 9 deletions(-)
 create mode 100644 debian/keystored.tmpfiles

diff --git a/cmd/keystored/main.go b/cmd/keystored/main.go
index 5fe0b892..c8800a6e 100644
--- a/cmd/keystored/main.go
+++ b/cmd/keystored/main.go
@@ -22,13 +22,13 @@ import (
 var (
 	addr       = flag.String("addr", ":5006", "address to listen on")
 	configFile = flag.String("config", "/etc/keystore/config.yml", "path of config file")
+	stateFile  = flag.String("state-file", "", "path of state file for transparent restarts")
 )
 
 // Config wraps the keystore server.Config together with the HTTP
 // server config in a single object for YAML deserialization.
 type Config struct {
 	server.Config `yaml:",inline"`
-	StateFile     string                   `yaml:"state_file"`
 	ServerConfig  *serverutil.ServerConfig `yaml:"http_server"`
 }
 
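Review bot: Dropping `StateFile` from `Config` silently breaks deployments whose `config.yml` still sets `state_file`: depending on how the YAML is decoded (not visible here) the key is either ignored, so state persistence stops without any log line, or rejected, so the daemon refuses to start. A transition would keep the field for one release and fall back to it in `main` (outside this hunk) when the flag is empty, e.g. `if *stateFile == "" { *stateFile = config.StateFile }`, with a `// Deprecated: use --state-file.` comment on the struct field. The new flag's help text could also say what the file holds, since an operator choosing the path needs to know whether it must be kept private, e.g. `"path of state file used to carry keystore state across restarts"`.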
@@ -94,8 +94,8 @@ func main() {
 	}
 	prometheus.MustRegister(server.NewKeystoreCollector(ks))
 
-	if config.StateFile != "" {
-		if err := loadState(ks, config.StateFile); err != nil {
+	if *stateFile != "" {
+		if err := loadState(ks, *stateFile); err != nil {
 			log.Printf("error loading state: %v", err)
 		}
 	}
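Review bot: After a successful `loadState` the file at `*stateFile` is left in place for the whole lifetime of the process, although it is only needed for the restart window between the dump at shutdown (the later hunk in this file) and the next start. If the dumped state carries anything sensitive, which cannot be confirmed from this hunk since `loadState`/`dumpState` are defined elsewhere, removing it once it has been consumed narrows the exposure to the restart itself: `if err := os.Remove(*stateFile); err != nil && !os.IsNotExist(err) { log.Printf("error removing state file: %v", err) }` inside the success branch. Note also that the Debian unit now passes the flag unconditionally, so a first start logs a load error for the not-yet-existing file unless `loadState` treats ENOENT as benign; a comment on the `log.Printf` stating that a missing file is expected on first start would save the next reader a trip. `main` begins and ends outside this hunk.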
@@ -106,8 +106,8 @@ func main() {
 		log.Fatal(err)
 	}
 
-	if config.StateFile != "" {
-		if err := dumpState(ks, config.StateFile); err != nil {
+	if *stateFile != "" {
+		if err := dumpState(ks, *stateFile); err != nil {
 			log.Fatalf("error dumping state: %v", err)
 		}
 	}
diff --git a/debian/compat b/debian/compat
index f599e28b..b1bd38b6 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-10
+13
diff --git a/debian/control b/debian/control
index 0dd0ab49..1c06d751 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: keystore
 Section: admin
 Priority: optional
 Maintainer: Autistici/Inventati <debian@autistici.org>
-Build-Depends: debhelper (>=9), golang-any (>=1.11), dh-golang
+Build-Depends: debhelper (>=13), golang-any (>=1.14), dh-golang
 Standards-Version: 3.9.6
 
 Package: keystored
diff --git a/debian/keystored.default b/debian/keystored.default
index 54d99b80..74ea6feb 100644
--- a/debian/keystored.default
+++ b/debian/keystored.default
@@ -1 +1,2 @@
 ADDR=:5006
+STATE_FILE=/var/lib/keystored/reload-state
diff --git a/debian/keystored.service b/debian/keystored.service
index 16dbdf68..a2362066 100644
--- a/debian/keystored.service
+++ b/debian/keystored.service
@@ -5,8 +5,8 @@ After=network.target
 [Service]
 User=keystored
 Group=keystored
-EnvironmentFile=-/etc/default/keystored
-ExecStart=/usr/bin/keystored --addr $ADDR
+EnvironmentFile=/etc/default/keystored
+ExecStart=/usr/bin/keystored --addr $ADDR --state-file $STATE_FILE
 Restart=always
 
 # Hardening
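Review bot: `ExecStart=... --state-file $STATE_FILE` breaks when an operator sets `STATE_FILE=` to disable persistence: systemd splits a bare `$VAR` word at whitespace and drops it entirely when empty, leaving `--state-file` as the last argument with no value, which `flag` rejects and the unit then loops under `Restart=always`. Using the braced form as part of one word always yields exactly one argument, so an empty value reaches the daemon as `--state-file=` and simply turns the feature off: `ExecStart=/usr/bin/keystored --addr $ADDR --state-file=${STATE_FILE}`. Removing the `-` from `EnvironmentFile=` is presumably deliberate now that the package ships the file, but it also means the unit fails to start if the conffile is ever removed; if that is intended it deserves a comment next to the line.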
@@ -16,6 +16,7 @@ PrivateDevices=yes
 ProtectHome=yes
 ProtectSystem=full
 ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/keystored
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
 [Install]
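Review bot: `ReadWriteDirectories=` (and the existing `ReadOnlyDirectories=`) is the pre-v231 spelling kept only as a compatibility alias; new lines should use `ReadWritePaths=/var/lib/keystored` so the unit reads consistently with current documentation. If the target systemd is recent enough, `StateDirectory=keystored` plus `StateDirectoryMode=0700` would create the directory with the right owner and grant write access under `ProtectSystem=` in one place, making both this line and the separate tmpfiles entry unnecessary; I cannot tell from this diff which systemd version the package targets, so treat that as an option rather than a defect.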
diff --git a/debian/keystored.tmpfiles b/debian/keystored.tmpfiles
new file mode 100644
index 00000000..2d4a4ad4
--- /dev/null
+++ b/debian/keystored.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/keystored 700 keystored keystored
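Review bot: The entry names the `keystored` user and group, so `systemd-tmpfiles --create` fails (and leaves the directory missing) if it runs before that account exists; with compat 13 the call is added to postinst automatically, and I cannot see from this patch whether the user is created earlier in the same maintainer script. Worth confirming the ordering, and a trailing comment on the line such as `# state file dir; must stay 0700, the daemon's restart state lives here` would make the restrictive mode self-explanatory to whoever next edits it.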
-- 
GitLab