chore(gui-client/linux): add install script and change group to firezone-client (#4879)

Closes #4873

rust/gui-client/src-tauri/deb_files/firezone-client-ipc.service

@@ -44,7 +44,7 @@ ExecStart=firezone-client-ipc
 Type=notify
 # Unfortunately we may need root to control DNS
 User=root
-Group=firezone
+Group=firezone-client
 
 [Install]
 WantedBy=default.target

rust/gui-client/src-tauri/deb_files/sysusers.conf

@@ -0,0 +1,4 @@
+# This file is part of the Firezone Client.
+# This creates the `firezone-client` group automatically at startup
+
+g firezone-client -

rust/gui-client/src-tauri/tauri.conf.json

@@ -21,7 +21,8 @@
       "active": true,
       "deb": {
         "files": {
-          "/usr/lib/systemd/system/firezone-client-ipc.service": "./firezone-client-ipc.service"
+          "/usr/lib/systemd/system/firezone-client-ipc.service": "./deb_files/firezone-client-ipc.service",
+          "/usr/lib/sysusers.d/firezone-client-ipc.conf": "./deb_files/sysusers.conf"
         }
       },
       "targets": ["deb", "msi"],

scripts/README.md

@@ -34,7 +34,7 @@ You can achieve this more easily by using `pre-commit`. See
 
 ## Scripting tips
 
-- Use `#!/usr/bin/env bash` along with `set -euo pipefail` in general for dev
+- Use `#!/usr/bin/env bash` along with `set -euox pipefail` in general for dev
   and test scripts.
 - In Docker images and other minimal envs, stick to `#!/bin/sh` and simply
   `set -eu`.

scripts/build/tauri-rename-ubuntu.sh

@@ -23,7 +23,10 @@ make_hash "$BINARY_DEST_PATH.dwp"
 make_hash "$BINARY_DEST_PATH.deb"
 
 # Test the deb package, since this script is the easiest place to get a release build
-sudo dpkg --install "$BINARY_DEST_PATH.deb"
+DEB_PATH=$(realpath "$BINARY_DEST_PATH.deb")
+sudo apt-get install "$DEB_PATH"
+# Update users / groups
+sudo systemd-sysusers
 
 # Debug-print the files. The icons and both binaries should be in here
 dpkg --listfiles firezone-client-gui
@@ -37,5 +40,5 @@ stat /usr/share/icons/hicolor/512x512/apps/firezone-client-gui.png
 firezone-client-gui --help | grep "Usage: firezone-client-gui"
 
 # Try to start the IPC service
-sudo groupadd --force firezone
+sudo groupadd --force firezone-client
 sudo systemctl start firezone-client-ipc || systemctl status firezone-client-ipc

scripts/firezone-client-gui-install.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# Usage: ./firezone-client-gui-install.sh ./firezone-client-gui_VERSION_ARCH.deb
+#
+# The `./` is necessary
+#
+# This script should be idempotent
+set -euox pipefail
+
+# `apt-get` needs either a leading `./` or `/` to recognize a local file path
+DEB_PATH=$(realpath "$1")
+
+echo "Installing Firezone..."
+sudo apt-get install "$DEB_PATH"
+
+echo "Adding your user to the firezone-client group..."
+# Creates the system group `firezone-client`
+sudo systemd-sysusers
+sudo adduser "$USER" firezone-client
+
+echo "Starting and enabling Firezone IPC service..."
+sudo systemctl enable --now firezone-client-ipc
+
+# Unfortunately Ubuntu seems to need a reboot here, at least 20.04 does
+echo "Reboot to finish adding yourself to the group"

scripts/tests/linux-group.sh

@@ -6,7 +6,7 @@
 source "./scripts/tests/lib.sh"
 
 BINARY_NAME=firezone-client-ipc
-FZ_GROUP="firezone"
+FZ_GROUP="firezone-client"
 SERVICE_NAME=firezone-client-ipc
 SOCKET=/run/dev.firezone.client/ipc.sock
 export RUST_LOG=info
@@ -15,7 +15,7 @@ export RUST_LOG=info
 sudo cp "rust/target/debug/firezone-headless-client" "/usr/bin/$BINARY_NAME"
 
 # Set up the systemd service
-sudo cp "rust/gui-client/src-tauri/$SERVICE_NAME.service" /usr/lib/systemd/system/
+sudo cp "rust/gui-client/src-tauri/deb_files/$SERVICE_NAME.service" /usr/lib/systemd/system/
 sudo cp "scripts/tests/systemd/env" "/etc/default/firezone-client-ipc"
 
 # The firezone group must exist before the daemon starts
@@ -23,7 +23,7 @@ sudo groupadd "$FZ_GROUP"
 sudo systemctl start "$SERVICE_NAME" || { systemctl status "$SERVICE_NAME"; exit 1; }
 
 # Make sure the socket has the right permissions
-if [ "root firezone" != "$(stat -c '%U %G' $SOCKET)" ]
+if [ "root $FZ_GROUP" != "$(stat -c '%U %G' $SOCKET)" ]
 then
     exit 1
 fi