chore: update packaging to use config files

CONFIG.md

@@ -4,19 +4,36 @@ This document describes all configuration options available for the FDO server.
 
 Command-line arguments take precedence over configuration file values. The server address can be specified either as a command-line argument or in the configuration file under the appropriate section.
 
-Configuration files are loaded using the `--config` flag, for example:
+## Configuration File Location
+
+The configuration file can be specified via the `--config` server command line parameter, for example:
 
 ```bash
-# Using TOML configuration file
-go-fdo-server manufacturing --config config.toml
+# Using TOML configuration file:
+go-fdo-server manufacturing --config /etc/config.toml
 
-# Using YAML configuration file
+# Using YAML configuration file in the local directory with listening address override:
 go-fdo-server owner --config config.yaml 127.0.0.1:8080
 
 # Using TOML, enable debug logging
-go-fdo-server rendezvous --log-level=debug --config config.toml
+go-fdo-server rendezvous --log-level=debug --config /home/fdo/config.toml
 ```
 
+If `--config` is not provided the server will search the following directories in order until a configuration file is found:
+
+- `$HOME/.config/go-fdo-server/`
+- `/etc/go-fdo-server/`
+- `/usr/share/go-fdo-server/`
+
+The name of the configuration file is based on the server's role, with the file name suffix corresponding to the file format:
+
+| Role | Filename | Examples |
+|------|----------|----------|
+| Manufacturer | `manufacturing.<suffix>` | `manufacturing.yaml`, `manufacturing.toml` |
+| Owner | `owner.<suffix>` | `owner.yaml`, `owner.toml` |
+| Rendezvous | `rendezvous.<suffix>` | `rendezvous.yaml`, `rendezvous.toml` |
+
+
 ## Configuration Structure
 
 The configuration file uses a hierarchical structure that defines the following sections:

build/package/rpm/README.md

@@ -20,31 +20,18 @@ sudo dnf install go-fdo-server go-fdo-server-manufacturer go-fdo-server-rendezvo
 
 ## 2.Configuration
 
-Each service can be configured via /etc/sysconfig/ configuration files.
-- `/etc/sysconfig/go-fdo-server-manufacturer`
-- `/etc/sysconfig/go-fdo-server-rendezvous`
-- `/etc/sysconfig/go-fdo-server-owner`
-
-Example configuration (`/etc/sysconfig/go-fdo-server-manufacturer`):
-```bash
-LISTEN_IP="0.0.0.0"
-LISTEN_PORT="8038"
-DATABASE_DSN="/var/lib/go-fdo-server-manufacturer/db.sqlite"
-#Please update the password field with real password.
-DATABASE_PASSWORD="******"
-MANUFACTURER_KEY="/etc/go-fdo-server/manufacturer.key"
-OWNER_CRT="/etc/go-fdo-server/owner.crt"
-DEVICE_CA_CRT="/etc/go-fdo-server/device-ca.crt"
-DEVICE_CA_KEY="/etc/go-fdo-server/device-ca.key"
-```
+Each service can be configured via a configuration file located in the /etc/go-fdo-server directory.
+- `/etc/go-fdo-server/manufacturing.yaml`
+- `/etc/go-fdo-server/rendezvous.yaml`
+- `/etc/go-fdo-server/owner.yaml`
 
 If the **certificates** do not exist then they are automatically generated when the service starts. 
-Default location for the certificates is /etc/go-fdo-server/.
+Default location for the certificates is /etc/pki/go-fdo-server/.
 
 **Database files** are generated by default at below locations:
 - `Manufacturer: /var/lib/go-fdo-server-manufacturer/db.sqlite`
 - `Rendezvous: /var/lib/go-fdo-server-rendezvous/db.sqlite`
-- `Owner: /var/lib/go-fdo-server-owner/db.sqlit`
+- `Owner: /var/lib/go-fdo-server-owner/db.sqlite`
 
 ## 3.Service Management
 

build/package/rpm/go-fdo-server.spec

@@ -52,22 +52,27 @@ export LDFLAGS="-X %{goipath}/internal/version.VERSION=%{commit}"
 %install
 install -m 0755 -vd %{buildroot}%{_bindir}
 install -m 0755 -vp -s %{gobuilddir}/bin/* %{buildroot}%{_bindir}
-# Configuration dir
-install -m 0755 -vd %{buildroot}%{_sysconfdir}/%{name}
+# Configuration
+install -m 0750 -vd %{buildroot}%{_sysconfdir}/%{name}
+install -m 0644 -vp configs/manufacturing.yaml %{buildroot}%{_sysconfdir}/%{name}
+install -m 0644 -vp configs/owner.yaml %{buildroot}%{_sysconfdir}/%{name}
+install -m 0644 -vp configs/rendezvous.yaml %{buildroot}%{_sysconfdir}/%{name}
+# Certificates
+install -m 0750 -vd %{buildroot}%{_sysconfdir}/pki/%{name}
 # Sysusers
 install -m 0644 -vp -D %{SOURCE3} %{buildroot}/%{_sysusersdir}/go-fdo-server.conf
 install -m 0644 -vp -D %{SOURCE4} %{buildroot}/%{_sysusersdir}/go-fdo-server-manufacturer.conf
 install -m 0644 -vp -D %{SOURCE5} %{buildroot}/%{_sysusersdir}/go-fdo-server-rendezvous.conf
 install -m 0644 -vp -D %{SOURCE6} %{buildroot}/%{_sysusersdir}/go-fdo-server-owner.conf
-# Sysconfig files
-install -m 0755 -vd %{buildroot}%{_sysconfdir}/sysconfig
-install -m 0644 -vp -D configs/sysconfig/* %{buildroot}%{_sysconfdir}/sysconfig/
 # Systemd units
 install -m 0755 -vd %{buildroot}%{_unitdir}
 install -m 0644 -vp -D init/systemd/* %{buildroot}%{_unitdir}
 # Helpers
-install -m 0755 -vd %{buildroot}%{_datadir}/%{name}
-install -m 0755 -vp -D scripts/* %{buildroot}%{_datadir}/%{name}
+install -m 0755 -vd %{buildroot}%{_libexecdir}/%{name}
+install -m 0755 -vp scripts/cert-utils.sh %{buildroot}%{_libexecdir}/%{name}
+install -m 0755 -vp scripts/generate-device-ca-certs.sh %{buildroot}%{_libexecdir}/%{name}
+install -m 0755 -vp scripts/generate-manufacturer-certs.sh %{buildroot}%{_libexecdir}/%{name}
+install -m 0755 -vp scripts/generate-owner-certs.sh %{buildroot}%{_libexecdir}/%{name}
 
 %check
 %if %{with check}
@@ -78,18 +83,29 @@ install -m 0755 -vp -D scripts/* %{buildroot}%{_datadir}/%{name}
 %license LICENSE vendor/modules.txt
 %doc DOCKERFILE_USAGE.md FSIM_USAGE.md README.md SECURITY.md
 %{_bindir}/go-fdo-server
-%config(noreplace) %attr(770, root, go-fdo-server) %{_sysconfdir}/%{name}
+%dir %attr(750, root, go-fdo-server) %{_sysconfdir}/%{name}
+%dir %attr(750, root, go-fdo-server) %{_sysconfdir}/pki/%{name}
 %{_sysusersdir}/%{name}.conf
-%dir %{_datadir}/%{name}
-%{_datadir}/%{name}/fdo-utils.sh
-%{_datadir}/%{name}/cert-utils.sh
-%{_datadir}/%{name}/generate-manufacturer-certs.sh
-%{_datadir}/%{name}/generate-device-ca-certs.sh
-%{_datadir}/%{name}/generate-owner-certs.sh
+%dir %{_libexecdir}/%{name}
+%{_libexecdir}/%{name}/cert-utils.sh
+%{_libexecdir}/%{name}/generate-manufacturer-certs.sh
+%{_libexecdir}/%{name}/generate-device-ca-certs.sh
+%{_libexecdir}/%{name}/generate-owner-certs.sh
+# Systemd unit
+%{_unitdir}/go-fdo-server-init.service
 
 %pre
 %sysusers_create_compat %{SOURCE3}
 
+%post
+%systemd_post go-fdo-server-init.service
+
+%preun
+%systemd_preun go-fdo-server-init.service
+
+%postun
+%systemd_postun_with_restart go-fdo-server-init.service
+
 %package manufacturer
 Requires: go-fdo-server
 Requires: group(go-fdo-server)
@@ -104,9 +120,11 @@ preparing devices for the on-boarding process during the manufacturing phase.
 %files manufacturer
 # Systemd unit
 %{_unitdir}/go-fdo-server-manufacturer.service
-%config(noreplace) %{_sysconfdir}/sysconfig/go-fdo-server-manufacturer
 # Sysuser
 %{_sysusersdir}/go-fdo-server-manufacturer.conf
+# Default config
+%config(noreplace) %attr(644, root, go-fdo-server) %{_sysconfdir}/%{name}/manufacturing.yaml
+
 %pre manufacturer
 %sysusers_create_compat %{SOURCE4}
 
@@ -133,9 +151,11 @@ voucher.
 %files rendezvous
 # Systemd unit
 %{_unitdir}/go-fdo-server-rendezvous.service
-%config(noreplace) %{_sysconfdir}/sysconfig/go-fdo-server-rendezvous
 # Sysuser
 %{_sysusersdir}/go-fdo-server-rendezvous.conf
+# Default config
+%config(noreplace) %attr(644, root, go-fdo-server) %{_sysconfdir}/%{name}/rendezvous.yaml
+
 %pre rendezvous
 %sysusers_create_compat %{SOURCE5}
 
@@ -162,9 +182,11 @@ necessary credentials and configuration for operation.
 %files owner
 # Systemd unit
 %{_unitdir}/go-fdo-server-owner.service
-%config(noreplace) %{_sysconfdir}/sysconfig/go-fdo-server-owner
 # Sysuser
 %{_sysusersdir}/go-fdo-server-owner.conf
+# Default config
+%config(noreplace) %attr(644, root, go-fdo-server) %{_sysconfdir}/%{name}/owner.yaml
+
 %pre owner
 %sysusers_create_compat %{SOURCE6}
 

configs/manufacturing.yaml

@@ -0,0 +1,23 @@
+# FDO Manufacturing server default configuration
+log:
+  level: "info"
+db:
+  type: "sqlite"
+  dsn: "file:/var/lib/go-fdo-server-manufacturer/db.sqlite"
+http:
+  ip: "0.0.0.0"
+  port: "8038"
+  # To enable HTTPS provide the server certificate and matching
+  # private key below. If the certificate is signed by a certificate
+  # authority, the certFile should be the concatenation of the
+  # server's certificate, any intermediates, and the CA's certificate.
+  ##cert: /etc/pki/go-fdo-server/manufacturer-https-example.crt
+  ##key: /etc/pki/go-fdo-server/manufacturer-https-example.key
+manufacturing:
+  key: "/etc/pki/go-fdo-server/manufacturer-example.key"
+device_ca:
+  cert: "/etc/pki/go-fdo-server/device-ca-example.crt"
+  key: "/etc/pki/go-fdo-server/device-ca-example.key"
+owner:
+  cert: "/etc/pki/go-fdo-server/owner-example.crt"
+

configs/owner.yaml

@@ -0,0 +1,21 @@
+# FDO Owner server default configuration
+log:
+  level: "info"
+db:
+  type: "sqlite"
+  dsn: "file:/var/lib/go-fdo-server-owner/db.sqlite"
+http:
+  ip: "0.0.0.0"
+  port: "8043"
+  # To enable HTTPS provide the server certificate and matching
+  # private key below. If the certificate is signed by a certificate
+  # authority, the certFile should be the concatenation of the
+  # server's certificate, any intermediates, and the CA's certificate.
+  ##cert: /etc/pki/go-fdo-server/owner-https-example.crt
+  ##key: /etc/pki/go-fdo-server/owner-https-example.key
+device_ca:
+  cert: "/etc/pki/go-fdo-server/device-ca-example.crt"
+owner:
+  cert: "/etc/pki/go-fdo-server/owner-example.crt"
+  key: "/etc/pki/go-fdo-server/owner-example.key"
+

configs/rendezvous.yaml

@@ -0,0 +1,15 @@
+# FDO Rendezvous server default configuration
+log:
+  level: "info"
+db:
+  type: "sqlite"
+  dsn: "file:/var/lib/go-fdo-server-rendezvous/db.sqlite"
+http:
+  ip: "0.0.0.0"
+  port: "8041"
+  # To enable HTTPS provide the server certificate and matching
+  # private key below. If the certificate is signed by a certificate
+  # authority, the certFile should be the concatenation of the
+  # server's certificate, any intermediates, and the CA's certificate.
+  ##cert: /etc/pki/go-fdo-server/rendezvous-https-example.crt
+  ##key: /etc/pki/go-fdo-server/rendezvous-https-example.key

init/systemd/go-fdo-server-init.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Create default certificates for the go-fdo-servers
+
+ConditionPathExists=|!/etc/pki/go-fdo-server/manufacturer-example.key
+ConditionPathExists=|!/etc/pki/go-fdo-server/manufacturer-example.crt
+ConditionPathExists=|!/etc/pki/go-fdo-server/device-ca-example.key
+ConditionPathExists=|!/etc/pki/go-fdo-server/device-ca-example.crt
+ConditionPathExists=|!/etc/pki/go-fdo-server/owner-example.key
+ConditionPathExists=|!/etc/pki/go-fdo-server/owner-example.crt
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+Group=go-fdo-server
+
+ExecStart=/usr/libexec/go-fdo-server/generate-manufacturer-certs.sh
+ExecStart=/usr/libexec/go-fdo-server/generate-owner-certs.sh
+ExecStart=/usr/libexec/go-fdo-server/generate-device-ca-certs.sh

init/systemd/go-fdo-server-manufacturer.service

@@ -1,25 +1,28 @@
+# Modifying this file in-place is not recommended because changes will
+# be overwritten during package upgrades. Customization should be done
+# by using a systemd "drop-in" instead.
+#
+# For example to add an additional command line option to enable debug
+# logging create an override "drop-in" unit (as is done by systemctl
+# edit) and enter the following:
+#
+#	[Service]
+#       ExecStart=
+#       ExecStart=/usr/bin/go-fdo-server manufacturing --log-level debug
+
 [Unit]
 Description=Go FDO manufacturer server
+Requires=go-fdo-server-init.service
+After=go-fdo-server-init.service
 After=network.target
 
 [Service]
 Type=simple
 PrivateDevices=yes
 CacheDirectory=go-fdo-server-manufacturer
 StateDirectory=go-fdo-server-manufacturer
-ExecStartPre=/usr/share/go-fdo-server/generate-manufacturer-certs.sh
-ExecStart=/bin/sh -c 'exec /usr/bin/go-fdo-server \
-                                 --db-type ${DATABASE_TYPE} \
-                                 --db-dsn ${DATABASE_DSN} \
-                                 manufacturing ${LISTEN_IP}:${LISTEN_PORT} \
-                                 --manufacturing-key ${MANUFACTURER_KEY} \
-                                 --owner-cert ${OWNER_CRT} \
-                                 --device-ca-cert ${DEVICE_CA_CRT} \
-                                 --device-ca-key ${DEVICE_CA_KEY} \
-                                 ${ADDITIONAL_OPTS}'
+ExecStart=/usr/bin/go-fdo-server manufacturing
 User=go-fdo-server-manufacturer
 
-EnvironmentFile=-/etc/sysconfig/go-fdo-server-manufacturer
-
 [Install]
 WantedBy=multi-user.target

init/systemd/go-fdo-server-owner.service

@@ -1,23 +1,28 @@
+# Modifying this file in-place is not recommended because changes will
+# be overwritten during package upgrades. Customization should be done
+# by using a systemd "drop-in" instead.
+#
+# For example to add an additional command line option to enable debug
+# logging create an override "drop-in" unit (as is done by systemctl
+# edit) and enter the following:
+#
+#	[Service]
+#       ExecStart=
+#       ExecStart=/usr/bin/go-fdo-server owner --log-level debug
+
 [Unit]
 Description=Go FDO owner server
+Requires=go-fdo-server-init.service
+After=go-fdo-server-init.service
 After=network.target
 
 [Service]
 Type=simple
 PrivateDevices=yes
 CacheDirectory=go-fdo-server-owner
 StateDirectory=go-fdo-server-owner
-ExecStartPre=/usr/share/go-fdo-server/generate-owner-certs.sh
-ExecStart=/bin/sh -c 'exec /usr/bin/go-fdo-server \
-                                 --db-type ${DATABASE_TYPE} \
-                                 --db-dsn ${DATABASE_DSN} \
-                                 owner ${LISTEN_IP}:${LISTEN_PORT} \
-                                 --owner-key ${OWNER_KEY} \
-                                 --device-ca-cert ${DEVICE_CA_CRT} \
-                                 ${ADDITIONAL_OPTS}'
+ExecStart=/usr/bin/go-fdo-server owner
 User=go-fdo-server-owner
 
-EnvironmentFile=-/etc/sysconfig/go-fdo-server-owner
-
 [Install]
 WantedBy=multi-user.target