Merge pull request #242 from fosrl/dev

1.10.0
Merge branch 'main' into dev
2026-03-26 20:46:41 +00:00 · 2026-02-22 16:36:25 -08:00 · 2026-02-22 16:36:15 -08:00 · 2026-02-20 20:42:42 -08:00 · 2026-02-17 22:36:28 -08:00 · 2026-02-17 21:01:10 -08:00
9 changed files with 227 additions and 353 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -589,23 +589,15 @@ jobs:
      #     sarif_file: trivy-ghcr.sarif
      #     category: Image Vulnerability Scan
-      #- name: Build binaries
+      - name: Build binaries
      #  env:
      #    CGO_ENABLED: "0"
      #    GOFLAGS: "-trimpath"
      #  run: |
      #    set -euo pipefail
      #    TAG_VAR="${TAG}"
      #    make -j 10 go-build-release tag=$TAG_VAR
      #  shell: bash
      - name: Run GoReleaser (binaries + deb/rpm/apk)
        uses: goreleaser/goreleaser-action@v6
        with:
          version: latest
          args: release --clean
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CGO_ENABLED: "0"
          GOFLAGS: "-trimpath"
        run: |
          set -euo pipefail
          TAG_VAR="${TAG}"
          make -j 10 go-build-release tag=$TAG_VAR
        shell: bash
      - name: Create GitHub Release
        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
--- a/.github/workflows/publish-apt.yml
+++ b/.github/workflows/publish-apt.yml
@@ -1,62 +0,0 @@
 name: Publish APT repo to S3/CloudFront
 on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to publish (e.g. v1.9.0). Leave empty to use latest release."
        required: false
        type: string
      backfill_all:
        description: "Build/publish repo for ALL releases."
        required: false
        default: false
        type: boolean
 permissions:
  id-token: write
  contents: read
 jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      PKG_NAME: newt
      SUITE: stable
      COMPONENT: main
      REPO_BASE_URL: https://repo.dev.fosrl.io/apt
      AWS_REGION: ${{ vars.AWS_REGION }}
      S3_BUCKET: ${{ vars.S3_BUCKET }}
      S3_PREFIX: ${{ vars.S3_PREFIX }}
      CLOUDFRONT_DISTRIBUTION_ID: ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }}
      INPUT_TAG: ${{ inputs.tag }}
      BACKFILL_ALL: ${{ inputs.backfill_all }}
      EVENT_TAG: ${{ github.event.release.tag_name }}
      GH_REPO: ${{ github.repository }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION }}
      - name: Install dependencies
        run: sudo apt-get update && sudo apt-get install -y dpkg-dev apt-utils gnupg curl jq gh
      - name: Install nfpm
        run: curl -fsSL https://github.com/goreleaser/nfpm/releases/latest/download/nfpm_Linux_x86_64.tar.gz | sudo tar -xz -C /usr/local/bin nfpm
      - name: Publish APT repo
        env:
          GH_TOKEN: ${{ github.token }}
          APT_GPG_PRIVATE_KEY: ${{ secrets.APT_GPG_PRIVATE_KEY }}
          APT_GPG_PASSPHRASE: ${{ secrets.APT_GPG_PASSPHRASE }}
        run: ./scripts/publish-apt.sh
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,62 +0,0 @@
 project_name: newt
 release:
  # du nutzt Tags wie 1.2.3 und 1.2.3-rc.1 (ohne v)
  draft: true
  prerelease: auto
  name_template: "{{ .Tag }}"
  mode: replace
 builds:
  - id: newt
    main: ./main.go   # <- falls du cmd/newt hast: ./cmd/newt
    binary: newt
    env:
      - CGO_ENABLED=0
    goos:
      - linux
      - darwin
      - windows
      - freebsd
    goarch:
      - amd64
      - arm64
    goarm:
      - "6"
      - "7"
    flags:
      - -trimpath
    ldflags:
      - -s -w -X main.version={{ .Tag }}
 archives:
  # Wichtig: format "binary" -> keine tar.gz, sondern raw binary wie bei dir aktuell
  - id: raw
    builds:
      - newt
    format: binary
    name_template: >-
      {{ .ProjectName }}_{{ .Os }}_{{ if eq .Arch "amd64" }}amd64{{ else if eq .Arch "arm64" }}arm64{{ else if eq .Arch "386" }}386{{ else }}{{ .Arch }}{{ end }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}{{ if .Amd64 }}_{{ .Amd64 }}{{ end }}{{ if .Riscv64 }}_{{ .Riscv64 }}{{ end }}{{ if .Os | eq "windows" }}.exe{{ end }}
 checksum:
  name_template: "checksums.txt"
 nfpms:
  - id: packages
    package_name: newt
    builds:
      - newt
    vendor: fosrl
    maintainer: fosrl <repo@fosrl.io>
    description: Newt - userspace tunnel client and TCP/UDP proxy
    license: AGPL-3.0
    formats:
      - deb
      - rpm
      - apk
    bindir: /usr/bin
    # sorgt dafür, dass die Paketnamen gut pattern-matchbar sind
    file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}"
    contents:
      - src: LICENSE
        dst: /usr/share/doc/newt/LICENSE
--- a/authdaemon/connection.go
+++ b/authdaemon/connection.go
@@ -7,8 +7,8 @@ import (
 // ProcessConnection runs the same logic as POST /connection: CA cert, user create/reconcile, principals.
 // Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API.
 func (s *Server) ProcessConnection(req ConnectionRequest) {
-	logger.Info("connection: niceId=%q username=%q metadata.sudo=%v metadata.homedir=%v",
+	logger.Info("connection: niceId=%q username=%q metadata.sudoMode=%q metadata.sudoCommands=%v metadata.homedir=%v metadata.groups=%v",
-		req.NiceId, req.Username, req.Metadata.Sudo, req.Metadata.Homedir)
+		req.NiceId, req.Username, req.Metadata.SudoMode, req.Metadata.SudoCommands, req.Metadata.Homedir, req.Metadata.Groups)
 	cfg := &s.cfg
 	if cfg.CACertPath != "" {
--- a/authdaemon/host_linux.go
+++ b/authdaemon/host_linux.go
@@ -122,6 +122,55 @@ func sudoGroup() string {
 	return "sudo"
 }
 const skelDir = "/etc/skel"
 // copySkelInto copies files from srcDir (e.g. /etc/skel) into dstDir (e.g. user's home).
 // Only creates files that don't already exist. All created paths are chowned to uid:gid.
 func copySkelInto(srcDir, dstDir string, uid, gid int) {
 	entries, err := os.ReadDir(srcDir)
 	if err != nil {
 		if !os.IsNotExist(err) {
 			logger.Warn("auth-daemon: read %s: %v", srcDir, err)
 		}
 		return
 	}
 	for _, e := range entries {
 		name := e.Name()
 		src := filepath.Join(srcDir, name)
 		dst := filepath.Join(dstDir, name)
 		if e.IsDir() {
 			if st, err := os.Stat(dst); err == nil && st.IsDir() {
 				copySkelInto(src, dst, uid, gid)
 				continue
 			}
 			if err := os.MkdirAll(dst, 0755); err != nil {
 				logger.Warn("auth-daemon: mkdir %s: %v", dst, err)
 				continue
 			}
 			if err := os.Chown(dst, uid, gid); err != nil {
 				logger.Warn("auth-daemon: chown %s: %v", dst, err)
 			}
 			copySkelInto(src, dst, uid, gid)
 			continue
 		}
 		if _, err := os.Stat(dst); err == nil {
 			continue
 		}
 		data, err := os.ReadFile(src)
 		if err != nil {
 			logger.Warn("auth-daemon: read %s: %v", src, err)
 			continue
 		}
 		if err := os.WriteFile(dst, data, 0644); err != nil {
 			logger.Warn("auth-daemon: write %s: %v", dst, err)
 			continue
 		}
 		if err := os.Chown(dst, uid, gid); err != nil {
 			logger.Warn("auth-daemon: chown %s: %v", dst, err)
 		}
 	}
 }
 // ensureUser creates the system user if missing, or reconciles sudo and homedir to match meta.
 func ensureUser(username string, meta ConnectionMetadata) error {
 	if username == "" {
@@ -137,6 +186,43 @@ func ensureUser(username string, meta ConnectionMetadata) error {
 	return reconcileUser(u, meta)
 }
 // desiredGroups returns the exact list of supplementary groups the user should have:
 // meta.Groups plus the sudo group when meta.SudoMode is "full" (deduped).
 func desiredGroups(meta ConnectionMetadata) []string {
 	seen := make(map[string]struct{})
 	var out []string
 	for _, g := range meta.Groups {
 		g = strings.TrimSpace(g)
 		if g == "" {
 			continue
 		}
 		if _, ok := seen[g]; ok {
 			continue
 		}
 		seen[g] = struct{}{}
 		out = append(out, g)
 	}
 	if meta.SudoMode == "full" {
 		sg := sudoGroup()
 		if _, ok := seen[sg]; !ok {
 			out = append(out, sg)
 		}
 	}
 	return out
 }
 // setUserGroups sets the user's supplementary groups to exactly groups (local mirrors metadata).
 // When groups is empty, clears all supplementary groups (usermod -G "").
 func setUserGroups(username string, groups []string) {
 	list := strings.Join(groups, ",")
 	cmd := exec.Command("usermod", "-G", list, username)
 	if out, err := cmd.CombinedOutput(); err != nil {
 		logger.Warn("auth-daemon: usermod -G %s: %v (output: %s)", list, err, string(out))
 	} else {
 		logger.Info("auth-daemon: set %s supplementary groups to %s", username, list)
 	}
 }
 func createUser(username string, meta ConnectionMetadata) error {
 	args := []string{"-s", "/bin/bash"}
 	if meta.Homedir {
@@ -150,75 +236,136 @@ func createUser(username string, meta ConnectionMetadata) error {
 		return fmt.Errorf("useradd %s: %w (output: %s)", username, err, string(out))
 	}
 	logger.Info("auth-daemon: created user %s (homedir=%v)", username, meta.Homedir)
-	if meta.Sudo {
+	if meta.Homedir {
-		group := sudoGroup()
+		if u, err := user.Lookup(username); err == nil && u.HomeDir != "" {
-		cmd := exec.Command("usermod", "-aG", group, username)
+			uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
-		if out, err := cmd.CombinedOutput(); err != nil {
+			copySkelInto(skelDir, u.HomeDir, uid, gid)
 			logger.Warn("auth-daemon: usermod -aG %s %s: %v (output: %s)", group, username, err, string(out))
 		} else {
 			logger.Info("auth-daemon: added %s to %s", username, group)
 		}
 	}
 	setUserGroups(username, desiredGroups(meta))
 	switch meta.SudoMode {
 	case "full":
 		if err := configurePasswordlessSudo(username); err != nil {
 			logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", username, err)
 		}
 	case "commands":
 		if len(meta.SudoCommands) > 0 {
 			if err := configureSudoCommands(username, meta.SudoCommands); err != nil {
 				logger.Warn("auth-daemon: configure sudo commands for %s: %v", username, err)
 			}
 		}
 	default:
 		removeSudoers(username)
 	}
 	return nil
 }
 const sudoersFilePrefix = "90-pangolin-"
 func sudoersPath(username string) string {
 	return filepath.Join("/etc/sudoers.d", sudoersFilePrefix+username)
 }
 // writeSudoersFile writes content to the user's sudoers.d file and validates with visudo.
 func writeSudoersFile(username, content string) error {
 	sudoersFile := sudoersPath(username)
 	tmpFile := sudoersFile + ".tmp"
 	if err := os.WriteFile(tmpFile, []byte(content), 0440); err != nil {
 		return fmt.Errorf("write temp sudoers file: %w", err)
 	}
 	cmd := exec.Command("visudo", "-c", "-f", tmpFile)
 	if out, err := cmd.CombinedOutput(); err != nil {
 		os.Remove(tmpFile)
 		return fmt.Errorf("visudo validation failed: %w (output: %s)", err, string(out))
 	}
 	if err := os.Rename(tmpFile, sudoersFile); err != nil {
 		os.Remove(tmpFile)
 		return fmt.Errorf("move sudoers file: %w", err)
 	}
 	return nil
 }
 // configurePasswordlessSudo creates a sudoers.d file to allow passwordless sudo for the user.
 func configurePasswordlessSudo(username string) error {
 	content := fmt.Sprintf("# Created by Pangolin auth-daemon\n%s ALL=(ALL) NOPASSWD:ALL\n", username)
 	if err := writeSudoersFile(username, content); err != nil {
 		return err
 	}
 	logger.Info("auth-daemon: configured passwordless sudo for %s", username)
 	return nil
 }
 // configureSudoCommands creates a sudoers.d file allowing only the listed commands (NOPASSWD).
 // Each command should be a full path (e.g. /usr/bin/systemctl).
 func configureSudoCommands(username string, commands []string) error {
 	var b strings.Builder
 	b.WriteString("# Created by Pangolin auth-daemon (restricted commands)\n")
 	n := 0
 	for _, c := range commands {
 		c = strings.TrimSpace(c)
 		if c == "" {
 			continue
 		}
 		fmt.Fprintf(&b, "%s ALL=(ALL) NOPASSWD: %s\n", username, c)
 		n++
 	}
 	if n == 0 {
 		return fmt.Errorf("no valid sudo commands")
 	}
 	if err := writeSudoersFile(username, b.String()); err != nil {
 		return err
 	}
 	logger.Info("auth-daemon: configured restricted sudo for %s (%d commands)", username, len(commands))
 	return nil
 }
 // removeSudoers removes the sudoers.d file for the user.
 func removeSudoers(username string) {
 	sudoersFile := sudoersPath(username)
 	if err := os.Remove(sudoersFile); err != nil && !os.IsNotExist(err) {
 		logger.Warn("auth-daemon: remove sudoers for %s: %v", username, err)
 	} else if err == nil {
 		logger.Info("auth-daemon: removed sudoers for %s", username)
 	}
 }
 func mustAtoi(s string) int {
 	n, _ := strconv.Atoi(s)
 	return n
 }
 func reconcileUser(u *user.User, meta ConnectionMetadata) error {
-	group := sudoGroup()
+	setUserGroups(u.Username, desiredGroups(meta))
-	inGroup, err := userInGroup(u.Username, group)
+	switch meta.SudoMode {
-	if err != nil {
+	case "full":
-		logger.Warn("auth-daemon: check group %s: %v", group, err)
+		if err := configurePasswordlessSudo(u.Username); err != nil {
-		inGroup = false
+			logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", u.Username, err)
 	}
 	if meta.Sudo && !inGroup {
 		cmd := exec.Command("usermod", "-aG", group, u.Username)
 		if out, err := cmd.CombinedOutput(); err != nil {
 			logger.Warn("auth-daemon: usermod -aG %s %s: %v (output: %s)", group, u.Username, err, string(out))
 		} else {
 			logger.Info("auth-daemon: added %s to %s", u.Username, group)
 		}
-	} else if !meta.Sudo && inGroup {
+	case "commands":
-		cmd := exec.Command("gpasswd", "-d", u.Username, group)
+		if len(meta.SudoCommands) > 0 {
-		if out, err := cmd.CombinedOutput(); err != nil {
+			if err := configureSudoCommands(u.Username, meta.SudoCommands); err != nil {
-			logger.Warn("auth-daemon: gpasswd -d %s %s: %v (output: %s)", u.Username, group, err, string(out))
+				logger.Warn("auth-daemon: configure sudo commands for %s: %v", u.Username, err)
 			}
 		} else {
-			logger.Info("auth-daemon: removed %s from %s", u.Username, group)
+			removeSudoers(u.Username)
 		}
 	default:
 		removeSudoers(u.Username)
 	}
 	if meta.Homedir && u.HomeDir != "" {
 		uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
 		if st, err := os.Stat(u.HomeDir); err != nil || !st.IsDir() {
 			if err := os.MkdirAll(u.HomeDir, 0755); err != nil {
 				logger.Warn("auth-daemon: mkdir %s: %v", u.HomeDir, err)
 			} else {
 				uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
 				_ = os.Chown(u.HomeDir, uid, gid)
 				copySkelInto(skelDir, u.HomeDir, uid, gid)
 				logger.Info("auth-daemon: created home %s for %s", u.HomeDir, u.Username)
 			}
 		} else {
 			// Ensure .bashrc etc. exist (e.g. home existed but was empty or skel was minimal)
 			copySkelInto(skelDir, u.HomeDir, uid, gid)
 		}
 	}
 	return nil
 }
 func userInGroup(username, groupName string) (bool, error) {
 	// getent group wheel returns "wheel:x:10:user1,user2"
 	cmd := exec.Command("getent", "group", groupName)
 	out, err := cmd.Output()
 	if err != nil {
 		return false, err
 	}
 	parts := strings.SplitN(strings.TrimSpace(string(out)), ":", 4)
 	if len(parts) < 4 {
 		return false, nil
 	}
 	members := strings.Split(parts[3], ",")
 	for _, m := range members {
 		if strings.TrimSpace(m) == username {
 			return true, nil
 		}
 	}
 	return false, nil
 }
--- a/authdaemon/routes.go
+++ b/authdaemon/routes.go
@@ -13,8 +13,10 @@ func (s *Server) registerRoutes() {
 // ConnectionMetadata is the metadata object in POST /connection.
 type ConnectionMetadata struct {
-	Sudo    bool `json:"sudo"`
+	SudoMode     string   `json:"sudoMode"`     // "none" | "full" | "commands"
-	Homedir bool `json:"homedir"`
+	SudoCommands []string `json:"sudoCommands"`  // used when sudoMode is "commands"
 	Homedir      bool     `json:"homedir"`
 	Groups       []string `json:"groups"`        // system groups to add the user to
 }
 // ConnectionRequest is the JSON body for POST /connection.
--- a/main.go
+++ b/main.go
@@ -1378,15 +1378,18 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		// Define the structure of the incoming message
 		type SSHCertData struct {
-			MessageId int    `json:"messageId"`
+			MessageId          int    `json:"messageId"`
-			AgentPort int    `json:"agentPort"`
+			AgentPort          int    `json:"agentPort"`
-			AgentHost string `json:"agentHost"`
+			AgentHost          string `json:"agentHost"`
-			CACert    string `json:"caCert"`
+			ExternalAuthDaemon bool   `json:"externalAuthDaemon"`
-			Username  string `json:"username"`
+			CACert             string `json:"caCert"`
-			NiceID    string `json:"niceId"`
+			Username           string `json:"username"`
-			Metadata  struct {
+			NiceID             string `json:"niceId"`
-				Sudo    bool `json:"sudo"`
+			Metadata           struct {
-				Homedir bool `json:"homedir"`
+				SudoMode     string   `json:"sudoMode"`
 				SudoCommands []string `json:"sudoCommands"`
 				Homedir      bool     `json:"homedir"`
 				Groups       []string `json:"groups"`
 			} `json:"metadata"`
 		}
@@ -1406,7 +1409,7 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		}
 		// Check if we're running the auth daemon internally
-		if authDaemonServer != nil {
+		if authDaemonServer != nil && !certData.ExternalAuthDaemon { // if the auth daemon is running internally and the external auth daemon is not enabled
 			// Call ProcessConnection directly when running internally
 			logger.Debug("Calling internal auth daemon ProcessConnection for user %s", certData.Username)
@@ -1415,8 +1418,10 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 				NiceId:   certData.NiceID,
 				Username: certData.Username,
 				Metadata: authdaemon.ConnectionMetadata{
-					Sudo:    certData.Metadata.Sudo,
+					SudoMode:     certData.Metadata.SudoMode,
-					Homedir: certData.Metadata.Homedir,
+					SudoCommands: certData.Metadata.SudoCommands,
 					Homedir:      certData.Metadata.Homedir,
 					Groups:       certData.Metadata.Groups,
 				},
 			})
@@ -1450,8 +1455,10 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 				"niceId":   certData.NiceID,
 				"username": certData.Username,
 				"metadata": map[string]interface{}{
-					"sudo":    certData.Metadata.Sudo,
+					"sudoMode":     certData.Metadata.SudoMode,
-					"homedir": certData.Metadata.Homedir,
+					"sudoCommands": certData.Metadata.SudoCommands,
 					"homedir":      certData.Metadata.Homedir,
 					"groups":       certData.Metadata.Groups,
 				},
 			}
--- a/scripts/nfpm.yaml.tmpl
+++ b/scripts/nfpm.yaml.tmpl
@@ -1,11 +0,0 @@
 name: __PKG_NAME__
 arch: __ARCH__
 platform: linux
 version: __VERSION__
 section: net
 priority: optional
 maintainer: fosrl
 description: Newt - userspace tunnel client and TCP/UDP proxy
 contents:
  - src: build/newt
    dst: /usr/bin/newt
--- a/scripts/publish-apt.sh
+++ b/scripts/publish-apt.sh
@@ -1,139 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # ---- required env ----
 : "${GH_REPO:?}"
 : "${S3_BUCKET:?}"
 : "${AWS_REGION:?}"
 : "${CLOUDFRONT_DISTRIBUTION_ID:?}"
 : "${PKG_NAME:?}"
 : "${SUITE:?}"
 : "${COMPONENT:?}"
 : "${APT_GPG_PRIVATE_KEY:?}"
 S3_PREFIX="${S3_PREFIX:-}"
 if [[ -n "${S3_PREFIX}" && "${S3_PREFIX}" != */ ]]; then
  S3_PREFIX="${S3_PREFIX}/"
 fi
 WORKDIR="$(pwd)"
 mkdir -p repo/apt assets build
 echo "${APT_GPG_PRIVATE_KEY}" | gpg --batch --import >/dev/null 2>&1 || true
 KEYID="$(gpg --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $5; exit}')"
 if [[ -z "${KEYID}" ]]; then
  echo "ERROR: No GPG secret key available after import."
  exit 1
 fi
 # Determine which tags to process
 TAGS=""
 if [[ "${BACKFILL_ALL:-false}" == "true" ]]; then
  echo "Backfill mode: collecting all release tags..."
  TAGS="$(gh release list -R "${GH_REPO}" --limit 200 --json tagName --jq '.[].tagName')"
 else
  if [[ -n "${INPUT_TAG:-}" ]]; then
    TAGS="${INPUT_TAG}"
  elif [[ -n "${EVENT_TAG:-}" ]]; then
    TAGS="${EVENT_TAG}"
  else
    echo "No tag provided; using latest release tag..."
    TAGS="$(gh release view -R "${GH_REPO}" --json tagName --jq '.tagName')"
  fi
 fi
 echo "Tags to process:"
 printf '%s\n' "${TAGS}"
 # Pull existing repo from S3 so we keep older versions
 echo "Sync existing repo from S3..."
 aws s3 sync "s3://${S3_BUCKET}/${S3_PREFIX}apt/" repo/apt/ >/dev/null 2>&1 || true
 # Build and add packages
 while IFS= read -r TAG; do
  [[ -z "${TAG}" ]] && continue
  echo "=== Processing tag: ${TAG} ==="
  rm -rf assets build
  mkdir -p assets build
  gh release download "${TAG}" -R "${GH_REPO}" -p "newt_linux_amd64" -D assets
  gh release download "${TAG}" -R "${GH_REPO}" -p "newt_linux_arm64" -D assets
  VERSION="${TAG#v}"
  for arch in amd64 arm64; do
    bin="assets/newt_linux_${arch}"
    if [[ ! -f "${bin}" ]]; then
      echo "ERROR: Missing release asset: ${bin}"
      exit 1
    fi
    install -Dm755 "${bin}" "build/newt"
    # Create nfpm config from template file (no heredoc here)
    sed \
      -e "s/__PKG_NAME__/${PKG_NAME}/g" \
      -e "s/__ARCH__/${arch}/g" \
      -e "s/__VERSION__/${VERSION}/g" \
      scripts/nfpm.yaml.tmpl > nfpm.yaml
    nfpm package -p deb -f nfpm.yaml -t "build/${PKG_NAME}_${VERSION}_${arch}.deb"
  done
  mkdir -p "repo/apt/pool/${COMPONENT}/${PKG_NAME:0:1}/${PKG_NAME}/"
  cp -v build/*.deb "repo/apt/pool/${COMPONENT}/${PKG_NAME:0:1}/${PKG_NAME}/"
 done <<< "${TAGS}"
 # Regenerate metadata
 cd repo/apt
 for arch in amd64 arm64; do
  mkdir -p "dists/${SUITE}/${COMPONENT}/binary-${arch}"
  dpkg-scanpackages -a "${arch}" pool > "dists/${SUITE}/${COMPONENT}/binary-${arch}/Packages"
  gzip -fk "dists/${SUITE}/${COMPONENT}/binary-${arch}/Packages"
 done
 # Release file with hashes
 cat > apt-ftparchive.conf <<EOF
 APT::FTPArchive::Release::Origin "fosrl";
 APT::FTPArchive::Release::Label "newt";
 APT::FTPArchive::Release::Suite "${SUITE}";
 APT::FTPArchive::Release::Codename "${SUITE}";
 APT::FTPArchive::Release::Architectures "amd64 arm64";
 APT::FTPArchive::Release::Components "${COMPONENT}";
 APT::FTPArchive::Release::Description "Newt APT repository";
 EOF
 apt-ftparchive -c apt-ftparchive.conf release "dists/${SUITE}" > "dists/${SUITE}/Release"
 # Sign Release
 cd "dists/${SUITE}"
 gpg --batch --yes --pinentry-mode loopback \
  ${APT_GPG_PASSPHRASE:+--passphrase "${APT_GPG_PASSPHRASE}"} \
  --local-user "${KEYID}" \
  --clearsign -o InRelease Release
 gpg --batch --yes --pinentry-mode loopback \
  ${APT_GPG_PASSPHRASE:+--passphrase "${APT_GPG_PASSPHRASE}"} \
  --local-user "${KEYID}" \
  -abs -o Release.gpg Release
 # Export public key into apt repo root
 cd ../../..
 gpg --batch --yes --armor --export "${KEYID}" > public.key
 # Upload to S3
 echo "Uploading to S3..."
 aws s3 sync "${WORKDIR}/repo/apt" "s3://${S3_BUCKET}/${S3_PREFIX}apt/" --delete
 # Invalidate metadata
 echo "CloudFront invalidation..."
 aws cloudfront create-invalidation \
  --distribution-id "${CLOUDFRONT_DISTRIBUTION_ID}" \
  --paths "/${S3_PREFIX}apt/dists/*" "/${S3_PREFIX}apt/public.key"
 echo "Done. Repo base: ${REPO_BASE_URL}"
Author	SHA1	Message	Date
Owen Schwartz	1a3eaedfa5	Merge pull request #242 from fosrl/dev 1.10.0	2026-02-22 16:36:25 -08:00
Owen	01e2ba31b7	Merge branch 'main' into dev	2026-02-22 16:36:15 -08:00
miloschwartz	556be90b7e	support sudo configuration and daemon mode	2026-02-20 20:42:42 -08:00
Owen	5d04be92f7	Allow sudo passwordless	2026-02-17 22:36:28 -08:00
miloschwartz	60dac98514	fix flag	2026-02-17 21:01:10 -08:00
Owen	759e4c5bac	Add daemon into newt	2026-02-17 14:44:28 -08:00
miloschwartz	8609be130e	remove defaults	2026-02-16 20:50:13 -08:00
miloschwartz	e06b8de0a7	add auth daemon	2026-02-16 20:36:13 -08:00
Owen	0af6fb8fef	Add round trip tracking for any message	2026-02-16 20:29:19 -08:00
Owen	9526768dfe	Add basic newt command relay to auth daemon	2026-02-16 20:04:33 -08:00
Owen	051ab6ca9d	Remove legacy ssh	2026-02-16 17:55:17 -08:00