From 005bfa055d1384e3a0b9b2cf7bcab3eb07d5a648 Mon Sep 17 00:00:00 2001
From: Daniel Salzman <daniel.salzman@nic.cz>
Date: Mon, 20 Oct 2025 12:44:55 +0200
Subject: [PATCH] wip

---
 distro/common/knot.sysusers.conf           |  1 +
 distro/common/knot.tmpfiles                |  3 +++
 distro/pkg/deb-nolibxdp/control            |  2 +-
 distro/pkg/deb-nolibxdp/knot.sysusers.conf |  1 +
 distro/pkg/deb-nolibxdp/knot.tmpfiles      |  1 +
 distro/pkg/deb/control                     |  2 +-
 distro/pkg/deb/knot.postinst               | 10 ++++------
 distro/pkg/deb/knot.postrm                 |  2 --
 distro/pkg/deb/knot.sysusers.conf          |  1 +
 distro/pkg/deb/knot.tmpfiles               |  1 +
 10 files changed, 14 insertions(+), 10 deletions(-)
 create mode 100644 distro/common/knot.sysusers.conf
 create mode 100644 distro/common/knot.tmpfiles
 create mode 120000 distro/pkg/deb-nolibxdp/knot.sysusers.conf
 create mode 120000 distro/pkg/deb-nolibxdp/knot.tmpfiles
 create mode 120000 distro/pkg/deb/knot.sysusers.conf
 create mode 120000 distro/pkg/deb/knot.tmpfiles

diff --git a/distro/common/knot.sysusers.conf b/distro/common/knot.sysusers.conf
new file mode 100644
index 0000000000..7adade668b
--- /dev/null
+++ b/distro/common/knot.sysusers.conf
@@ -0,0 +1 @@
+u! knot - - /var/lib/knot
diff --git a/distro/common/knot.tmpfiles b/distro/common/knot.tmpfiles
new file mode 100644
index 0000000000..3bd468670b
--- /dev/null
+++ b/distro/common/knot.tmpfiles
@@ -0,0 +1,3 @@
+d /var/lib/knot       0770 root knot
+d /etc/knot           0750 root knot
+f /etc/knot/knot.conf 0640 root knot
diff --git a/distro/pkg/deb-nolibxdp/control b/distro/pkg/deb-nolibxdp/control
index b60928b5b7..1610c548f1 100644
--- a/distro/pkg/deb-nolibxdp/control
+++ b/distro/pkg/deb-nolibxdp/control
@@ -13,6 +13,7 @@ Build-Depends:
  automake,
  debhelper (>= 11),
  dh-python,
+ dh-sequence-installsysusers,
  libbpf-dev,
  libcap-ng-dev,
  libedit-dev,
@@ -40,7 +41,6 @@ Vcs-Git: https://gitlab.nic.cz/knot/knot-dns.git
 Package: knot
 Architecture: any
 Depends:
- adduser,
  libdnssec10 (= ${binary:Version}),
  libknot16 (= ${binary:Version}),
  libzscanner5 (= ${binary:Version}),
diff --git a/distro/pkg/deb-nolibxdp/knot.sysusers.conf b/distro/pkg/deb-nolibxdp/knot.sysusers.conf
new file mode 120000
index 0000000000..aa4c690685
--- /dev/null
+++ b/distro/pkg/deb-nolibxdp/knot.sysusers.conf
@@ -0,0 +1 @@
+../deb/knot.sysusers.conf
\ No newline at end of file
diff --git a/distro/pkg/deb-nolibxdp/knot.tmpfiles b/distro/pkg/deb-nolibxdp/knot.tmpfiles
new file mode 120000
index 0000000000..c2216c1008
--- /dev/null
+++ b/distro/pkg/deb-nolibxdp/knot.tmpfiles
@@ -0,0 +1 @@
+../deb/knot.tmpfiles
\ No newline at end of file
diff --git a/distro/pkg/deb/control b/distro/pkg/deb/control
index 32f42080e2..9a2f0a6db2 100644
--- a/distro/pkg/deb/control
+++ b/distro/pkg/deb/control
@@ -14,6 +14,7 @@ Build-Depends:
  automake,
  debhelper (>= 11),
  dh-python,
+ dh-sequence-installsysusers,
  libbpf-dev,
  libcap-ng-dev,
  libedit-dev,
@@ -43,7 +44,6 @@ Vcs-Git: https://gitlab.nic.cz/knot/knot-dns.git
 Package: knot
 Architecture: any
 Depends:
- adduser,
  libdnssec10 (= ${binary:Version}),
  libknot16 (= ${binary:Version}),
  libzscanner5 (= ${binary:Version}),
diff --git a/distro/pkg/deb/knot.postinst b/distro/pkg/deb/knot.postinst
index da747c8263..9ed7222619 100644
--- a/distro/pkg/deb/knot.postinst
+++ b/distro/pkg/deb/knot.postinst
@@ -1,16 +1,14 @@
 #!/bin/sh
 set -e
 
-if [ "$1" = "configure" ]; then
-    if ! getent passwd knot > /dev/null; then
-        adduser --quiet --system --group --no-create-home --home /var/lib/knot knot
-    fi
+# Ensure sysusers.d/tmpfiles.d are applied before statoverride runs
+
+#DEBHELPER#
 
+if [ "$1" = "configure" ]; then
     dpkg-statoverride --list /var/lib/knot >/dev/null 2>&1 || dpkg-statoverride --update --add root knot 0770 /var/lib/knot
     dpkg-statoverride --list /etc/knot/knot.conf >/dev/null 2>&1 || dpkg-statoverride --update --add root knot 0640 /etc/knot/knot.conf
     dpkg-statoverride --list /etc/knot >/dev/null 2>&1 || dpkg-statoverride --update --add root knot 0750 /etc/knot
 fi
 
-#DEBHELPER#
-
 exit 0
diff --git a/distro/pkg/deb/knot.postrm b/distro/pkg/deb/knot.postrm
index 14b3d69b62..c3b5f95842 100644
--- a/distro/pkg/deb/knot.postrm
+++ b/distro/pkg/deb/knot.postrm
@@ -12,8 +12,6 @@ if test "$1" = "purge"; then
     dpkg-statoverride --remove /var/lib/knot >/dev/null 2>&1 || true
     dpkg-statoverride --remove /etc/knot/knot.conf >/dev/null 2>&1 || true
     dpkg-statoverride --remove /etc/knot >/dev/null 2>&1 || true
-
-    deluser --quiet knot >/dev/null 2>&1 || true
 fi
 
 #DEBHELPER#
diff --git a/distro/pkg/deb/knot.sysusers.conf b/distro/pkg/deb/knot.sysusers.conf
new file mode 120000
index 0000000000..343289627f
--- /dev/null
+++ b/distro/pkg/deb/knot.sysusers.conf
@@ -0,0 +1 @@
+../../common/knot.sysusers.conf
\ No newline at end of file
diff --git a/distro/pkg/deb/knot.tmpfiles b/distro/pkg/deb/knot.tmpfiles
new file mode 120000
index 0000000000..76b7acf6ce
--- /dev/null
+++ b/distro/pkg/deb/knot.tmpfiles
@@ -0,0 +1 @@
+../../common/knot.tmpfiles
\ No newline at end of file
-- 
2.47.3