
Conversation

@abtreece
Owner

Summary

  • Add Linux package generation (RPM and DEB) using goreleaser's nFPM integration
  • Include systemd service with security hardening
  • Support environment file configuration pattern (/etc/default/confd or /etc/sysconfig/confd)
  • Packages automatically attached to GitHub Releases

Package Contents

Path Description
/usr/bin/confd Binary
/usr/lib/systemd/system/confd.service Systemd unit with security hardening
/etc/confd/confd.toml Default config (preserved on upgrade)
/etc/confd/conf.d/ Template resources directory
/etc/confd/templates/ Templates directory
/etc/default/confd Environment file (deb)
/etc/sysconfig/confd Environment file (rpm)
/var/lib/confd/ State directory

Systemd Security Hardening

The service runs as root but with significant restrictions:

  • CapabilityBoundingSet - Only essential capabilities
  • ProtectSystem=strict - Read-only filesystem except allowed paths
  • NoNewPrivileges=true - Prevent privilege escalation
  • PrivateTmp, PrivateDevices - Isolation
  • SystemCallFilter=@system-service - Restricted syscalls

Usage After Install

# Configure backend and options
sudo vi /etc/default/confd

# Create template resources and templates
sudo vi /etc/confd/conf.d/myapp.toml
sudo vi /etc/confd/templates/myapp.conf.tmpl

# Enable and start
sudo systemctl enable --now confd

Test plan

  • go test ./... passes
  • make snapshot builds packages successfully
  • Package contents verified (correct files in correct locations)
  • Test install on Debian/Ubuntu
  • Test install on RHEL/Fedora

Add Linux package generation to the release process using goreleaser's
nFPM integration. Packages include:

- Systemd service with security hardening (CapabilityBoundingSet,
  ProtectSystem, NoNewPrivileges, etc.)
- Environment file configuration (/etc/default/confd for Debian,
  /etc/sysconfig/confd for RHEL)
- Default confd.toml with documented options
- Post-install script with setup instructions
- Pre-remove script for clean service shutdown

Package architectures: amd64, arm64, armv7
Package formats: .deb (Debian/Ubuntu), .rpm (RHEL/Fedora/CentOS)

Packages will be automatically attached to GitHub Releases.
Copilot AI review requested due to automatic review settings January 26, 2026 04:05

Copilot AI left a comment


Pull request overview

This PR adds Linux package distribution support for confd by integrating goreleaser's nFPM tool to generate RPM and DEB packages. The packages include a systemd service with comprehensive security hardening features and follow standard Linux filesystem conventions for configuration and state management.

Changes:

  • Added nFPM configuration to .goreleaser.yml for automated RPM and DEB package generation
  • Created systemd service unit with security hardening (capability restrictions, filesystem protection, syscall filtering)
  • Added lifecycle scripts (postinstall/preremove) for proper service management and user guidance

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

File Description
.goreleaser.yml Defines package structure, file locations, dependencies, and build configuration for RPM/DEB packages
packaging/confd.service Systemd unit file with security hardening directives and service lifecycle management
packaging/confd.default Environment file template for configuring backend and runtime options
packaging/confd.toml.default Default configuration file with commented examples of all available settings
packaging/scripts/postinstall.sh Post-installation script that creates directories and displays usage instructions
packaging/scripts/preremove.sh Pre-removal script that stops and disables the service before package removal


MemoryDenyWriteExecute=true

# Allow writes to config directories and common application paths
ReadWritePaths=/etc /var/lib/confd /var/run
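Review bot: `/var/run` on the `ReadWritePaths=` line is the legacy alias of `/run` on systemd hosts; if confd needs a writable runtime directory, `RuntimeDirectory=confd` creates `/run/confd` owned by the service and keeps it writable under `ProtectSystem=strict`, so `/var/run` can be dropped from the list. The same applies to `/var/lib/confd`, which `StateDirectory=confd` would create and expose without listing it explicitly.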

Copilot AI Jan 26, 2026


Granting write access to the entire /etc directory is overly permissive and undermines the ProtectSystem=strict hardening. This allows confd to modify any system configuration file. Consider restricting this to only the specific paths confd needs to write to, such as /etc/confd or specific application configuration directories that confd manages.

Suggested change
ReadWritePaths=/etc /var/lib/confd /var/run
ReadWritePaths=/etc/confd /var/lib/confd /var/run

@@ -0,0 +1,68 @@
# confd configuration file
# See https://github.com/abtreece/confd/blob/main/docs/configuration-guide.md
Copilot AI Jan 26, 2026


This documentation link references the 'main' branch which may not correspond to the installed version of confd. Consider using a version-specific documentation link or a stable URL that redirects to the appropriate version's documentation.

Suggested change
# See https://github.com/abtreece/confd/blob/main/docs/configuration-guide.md
# See the confd configuration guide in the project's documentation (docs/configuration-guide.md).

@codecov

codecov bot commented Jan 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.50%. Comparing base (d10a1dd) to head (f9897cc).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #520      +/-   ##
==========================================
+ Coverage   62.45%   62.50%   +0.05%     
==========================================
  Files          48       48              
  Lines        5420     5420              
==========================================
+ Hits         3385     3388       +3     
+ Misses       1828     1825       -3     
  Partials      207      207              


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 45c42cf41d


Comment on lines 4 to 12
# Stop and disable the service before removal
if command -v systemctl >/dev/null 2>&1; then
if systemctl is-active --quiet confd 2>/dev/null; then
echo "Stopping confd service..."
systemctl stop confd
fi
if systemctl is-enabled --quiet confd 2>/dev/null; then
echo "Disabling confd service..."
systemctl disable confd


P2: Avoid disabling the service on package upgrades

The preremove script always stops and disables the service. nFPM runs this hook for upgrades as well as removals, so an in-place upgrade will leave confd disabled afterward, and the postinstall hook never re-enables it. This means users who upgrade the package will unexpectedly lose the service until they manually re-enable it. Gate the systemctl disable (and possibly the stop) on a true removal/purge, or check the maintainer-script arguments so upgrades don’t disable the service.


- Add Linux package installation section to installation.md
- Update service-deployment.md with package-based setup instructions
- Add comment in confd.service explaining why /etc write access is needed
- Improve documentation links in packaging files
- Simplify postinstall.sh output with single docs link
- preremove.sh: Only disable service on true removal, not upgrades
  - DEB receives "remove" or "upgrade" as $1
  - RPM receives 0 (uninstall) or 1 (upgrade) as $1
- postinstall.sh: Restart service on upgrade if it was enabled
  - Only show setup instructions on fresh install
  - Automatically restart service after upgrade completes

This prevents the service from being left disabled after package upgrades.
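The upgrade-versus-removal gating the follow-up commit describes, as an added example in POSIX sh that is not the project's own packaging scripts: a shared classifier for the maintainer-script argument each format passes, and a preremove plan built on it. The `confd` unit name and the deb/rpm argument conventions are from this PR; the function names and the `PKG_FORMAT` variable are assumptions.

```shell
#!/bin/sh
# Added example, not the project's packaging scripts: only disable the unit on
# a real removal, so an in-place upgrade does not leave confd disabled.
# DEB prerm gets a word in $1 ("remove", "upgrade", ...); RPM %preun gets a
# count in $1 (0 = last copy removed, 1 = upgrade). dpkg's postinst gets
# "configure" plus the previously configured version in $2 (empty on a fresh
# install); RPM %post gets 1 (fresh install) or 2 (upgrade).

# pkg_action FORMAT HOOK ARG1 [ARG2]  ->  remove | upgrade | install | unknown
pkg_action() {
  fmt=$1 hook=$2 arg=$3 prev=${4:-}
  case "$fmt:$hook:$arg" in
    deb:preremove:remove)     echo remove ;;
    deb:preremove:upgrade)    echo upgrade ;;
    deb:postinstall:configure)
      if [ -n "$prev" ]; then echo upgrade; else echo install; fi ;;
    rpm:preremove:0)          echo remove ;;
    rpm:preremove:1)          echo upgrade ;;
    rpm:postinstall:1)        echo install ;;
    rpm:postinstall:2)        echo upgrade ;;
    *)                        echo unknown ;;
  esac
}

# preremove_plan FORMAT ARG  ->  the systemctl verbs the hook should run.
# Only a real removal disables the unit; an upgrade (or an argument we do
# not recognise) just stops it, and postinstall restarts it afterwards.
preremove_plan() {
  case "$(pkg_action "$1" preremove "$2")" in
    remove) echo "stop disable" ;;
    *)      echo "stop" ;;
  esac
}

# Execute the plan against a real systemd; skipped when systemctl is absent
# (e.g. container image builds) or the unit is not active/enabled.
run_preremove() {
  command -v systemctl >/dev/null 2>&1 || return 0
  for verb in $(preremove_plan "$1" "$2"); do
    case "$verb" in
      stop)    systemctl is-active  --quiet confd 2>/dev/null && systemctl stop confd ;;
      disable) systemctl is-enabled --quiet confd 2>/dev/null && systemctl disable confd ;;
    esac
  done
  return 0
}

# PKG_FORMAT is an assumed build-time placeholder: nFPM generates one script
# per format, so a real hook would hardcode "deb" or "rpm" here instead.
if [ -n "${PKG_FORMAT:-}" ]; then run_preremove "$PKG_FORMAT" "$@"; fi
```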
@abtreece abtreece merged commit 47e1e48 into main Jan 26, 2026
9 checks passed
@abtreece abtreece deleted the feat/linux-packaging branch January 26, 2026 04:16