feat(packaging): add RPM and DEB package support via nFPM

.goreleaser.yml

@@ -31,6 +31,82 @@ archives:
       formats: [zip]
     files:
     - none*
+
+nfpms:
+  - id: confd
+    package_name: confd
+    vendor: abtreece
+    homepage: https://github.com/abtreece/confd
+    maintainer: Andrew Treece <abtreece@users.noreply.github.com>
+    description: Lightweight configuration management tool
+    license: MIT
+    formats:
+      - deb
+      - rpm
+    bindir: /usr/bin
+
+    # Package dependencies
+    dependencies:
+      - systemd
+
+    contents:
+      # Systemd service file
+      - src: ./packaging/confd.service
+        dst: /usr/lib/systemd/system/confd.service
+        file_info:
+          mode: 0644
+
+      # Default config file (won't overwrite on upgrade)
+      - src: ./packaging/confd.toml.default
+        dst: /etc/confd/confd.toml
+        type: config|noreplace
+        file_info:
+          mode: 0644
+
+      # Environment file for Debian/Ubuntu
+      - src: ./packaging/confd.default
+        dst: /etc/default/confd
+        type: config|noreplace
+        file_info:
+          mode: 0644
+        packager: deb
+
+      # Environment file for RHEL/Fedora
+      - src: ./packaging/confd.default
+        dst: /etc/sysconfig/confd
+        type: config|noreplace
+        file_info:
+          mode: 0644
+        packager: rpm
+
+      # Create config directories
+      - dst: /etc/confd/conf.d
+        type: dir
+        file_info:
+          mode: 0755
+
+      - dst: /etc/confd/templates
+        type: dir
+        file_info:
+          mode: 0755
+
+      - dst: /var/lib/confd
+        type: dir
+        file_info:
+          mode: 0755
+
+    scripts:
+      postinstall: ./packaging/scripts/postinstall.sh
+      preremove: ./packaging/scripts/preremove.sh
+
+    rpm:
+      group: System Environment/Daemons
+      compression: gzip
+
+    deb:
+      lintian_overrides:
+        - statically-linked-binary
+
 checksum:
   name_template: 'checksums.txt'
   algorithm: sha256

docs/installation.md

@@ -1,6 +1,77 @@
 # Installation
 
-### Binary Download
+## Linux Packages (Recommended)
+
+confd provides native packages for Debian/Ubuntu (.deb) and RHEL/Fedora/CentOS (.rpm). These packages include systemd integration with security hardening.
+
+### Debian / Ubuntu
+
+```bash
+# Download the latest release (replace VERSION and ARCH as needed)
+VERSION=0.34.0
+ARCH=amd64  # or arm64
+
+curl -LO "https://github.com/abtreece/confd/releases/download/v${VERSION}/confd_${VERSION}_linux_${ARCH}.deb"
+sudo dpkg -i "confd_${VERSION}_linux_${ARCH}.deb"
+```
+
+### RHEL / Fedora / CentOS
+
+```bash
+# Download the latest release (replace VERSION and ARCH as needed)
+VERSION=0.34.0
+ARCH=x86_64  # or aarch64
+
+curl -LO "https://github.com/abtreece/confd/releases/download/v${VERSION}/confd-${VERSION}-1.${ARCH}.rpm"
+sudo rpm -i "confd-${VERSION}-1.${ARCH}.rpm"
+```
+
+### Package Contents
+
+The packages install:
+
+| Path | Description |
+|------|-------------|
+| `/usr/bin/confd` | Binary |
+| `/usr/lib/systemd/system/confd.service` | Systemd service with security hardening |
+| `/etc/confd/confd.toml` | Default configuration file |
+| `/etc/confd/conf.d/` | Template resource directory |
+| `/etc/confd/templates/` | Template directory |
+| `/etc/default/confd` | Environment file (Debian) |
+| `/etc/sysconfig/confd` | Environment file (RHEL) |
+| `/var/lib/confd/` | State directory |
+
+### Post-Installation Setup
+
+1. Configure the backend and options in the environment file:
+
+   ```bash
+   # Debian/Ubuntu
+   sudo vi /etc/default/confd
+
+   # RHEL/Fedora
+   sudo vi /etc/sysconfig/confd
+   ```
+
+   Example configuration:
+   ```bash
+   CONFD_BACKEND="etcd"
+   CONFD_OPTS="--watch --systemd-notify --watchdog-interval 30s --log-level info"
+   ```
+
+2. Create template resources and templates in `/etc/confd/conf.d/` and `/etc/confd/templates/`
+
+3. Enable and start the service:
+   ```bash
+   sudo systemctl enable confd
+   sudo systemctl start confd
+   ```
+
+See [Service Deployment Guide](service-deployment.md) for advanced systemd configuration.
+
+---
+
+## Binary Download
 
 confd ships binaries for OS X, Linux, and Windows for both amd64 and arm64 architectures. You can download the latest release from [GitHub](https://github.com/abtreece/confd/releases).
 

docs/service-deployment.md

@@ -15,6 +15,36 @@ This guide covers deploying confd as a production service with systemd, Docker,
 
 confd supports systemd's `sd_notify` protocol for improved service management.
 
+### Package-Based Installation (Recommended)
+
+If you installed confd via RPM or DEB packages, systemd integration is pre-configured. Configure confd using the environment file:
+
+```bash
+# Debian/Ubuntu
+sudo vi /etc/default/confd
+
+# RHEL/Fedora/CentOS
+sudo vi /etc/sysconfig/confd
+```
+
+Example configuration:
+```bash
+CONFD_BACKEND="etcd"
+CONFD_OPTS="--watch --systemd-notify --watchdog-interval 30s --node http://etcd.example.com:2379"
+```
+
+Then enable and start:
+```bash
+sudo systemctl enable confd
+sudo systemctl start confd
+```
+
+The packaged service includes security hardening (see [Security Hardening](#security-hardening) below).
+
+### Manual Installation
+
+If you installed confd via binary download, create a systemd service file manually.
+
 ### Type=notify (Recommended)
 
 The `Type=notify` service provides better reliability and monitoring:

packaging/confd.default

@@ -0,0 +1,49 @@
+# confd environment configuration
+# This file is sourced by the confd systemd service.
+#
+# Documentation: https://github.com/abtreece/confd/blob/main/docs/
+# Quick start:   https://github.com/abtreece/confd/blob/main/docs/quick-start-guide.md
+
+# Backend to use (required)
+# Options: etcd, consul, vault, redis, zookeeper, dynamodb, ssm, acm,
+#          secretsmanager, env, file, imds
+CONFD_BACKEND="etcd"
+
+# Command-line options passed to confd
+# Common options:
+#   --watch                Enable watch mode (real-time updates)
+#   --interval N           Polling interval in seconds (default: 600)
+#   --onetime              Run once and exit
+#   --node URL             Backend node address (can specify multiple times)
+#   --prefix PATH          Key prefix
+#   --log-level LEVEL      Log level: debug, info, warn, error
+#   --config-file PATH     Path to confd.toml config file
+#   --confdir PATH         Path to conf.d directory
+#   --systemd-notify       Enable systemd sd_notify support
+#   --watchdog-interval D  Systemd watchdog ping interval (e.g., 30s)
+#
+# Backend-specific options vary. Run 'confd <backend> --help' for details.
+
+CONFD_OPTS="--watch --systemd-notify --watchdog-interval 30s --log-level info"
+
+# Examples:
+#
+# etcd with watch mode:
+#   CONFD_BACKEND="etcd"
+#   CONFD_OPTS="--watch --node http://127.0.0.1:2379 --systemd-notify"
+#
+# Consul with watch mode:
+#   CONFD_BACKEND="consul"
+#   CONFD_OPTS="--watch --node 127.0.0.1:8500 --systemd-notify"
+#
+# Vault with polling:
+#   CONFD_BACKEND="vault"
+#   CONFD_OPTS="--interval 60 --node https://vault.example.com:8200 --auth-type approle"
+#
+# File backend with watch mode:
+#   CONFD_BACKEND="file"
+#   CONFD_OPTS="--watch --file /etc/myapp/config.yaml --systemd-notify"
+#
+# AWS SSM Parameter Store:
+#   CONFD_BACKEND="ssm"
+#   CONFD_OPTS="--interval 300 --prefix /myapp/production"

packaging/confd.service

@@ -0,0 +1,54 @@
+[Unit]
+Description=confd configuration management
+Documentation=https://github.com/abtreece/confd
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/default/confd
+EnvironmentFile=-/etc/sysconfig/confd
+ExecStart=/usr/bin/confd $CONFD_BACKEND $CONFD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+
+# Restart behavior
+Restart=on-failure
+RestartSec=5s
+WatchdogSec=60s
+
+# Graceful shutdown
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=30
+
+# Security hardening - run as root but with restrictions
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_KILL CAP_CHOWN CAP_FOWNER CAP_DAC_READ_SEARCH
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+
+# Allow writes to config directories and common application paths
+# Note: /etc is required because confd writes to arbitrary config locations
+# (e.g., /etc/nginx/nginx.conf, /etc/myapp/config.yaml). To restrict further,
+# replace /etc with specific paths your templates write to:
+#   ReadWritePaths=/etc/nginx /etc/myapp /etc/confd /var/lib/confd /var/run
+ReadWritePaths=/etc /var/lib/confd /var/run
+
+# Restrict system calls
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+
+# Resource limits
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target

packaging/confd.toml.default

@@ -0,0 +1,69 @@
+# confd configuration file
+# Documentation: https://github.com/abtreece/confd/blob/main/docs/configuration-guide.md
+# CLI reference:  https://github.com/abtreece/confd/blob/main/docs/command-line-flags.md
+#
+# This file provides default values. Command-line flags and environment
+# variables (CONFD_*) override these settings.
+#
+# Note: The backend and connection settings are typically specified via
+# command-line in /etc/default/confd (or /etc/sysconfig/confd on RHEL).
+
+# Configuration directories
+# confdir = "/etc/confd"
+
+# Global key prefix applied to all template resources
+# prefix = ""
+
+# Polling interval in seconds (used when watch mode is disabled)
+# interval = 600
+
+# Error handling mode:
+#   "best-effort" - Continue processing remaining templates when one fails
+#   "fail-fast"   - Stop all processing on first template error
+# failure_mode = "best-effort"
+
+# Logging
+# log-level = "info"
+# log-format = "text"
+
+# Backend connection (typically set via CLI in /etc/default/confd)
+# nodes = ["http://127.0.0.1:2379"]
+# scheme = "http"
+
+# Authentication (if required by backend)
+# basic_auth = false
+# username = ""
+# password = ""
+# auth_token = ""
+
+# TLS configuration
+# client_cert = ""
+# client_key = ""
+# client_cakeys = ""
+# client_insecure = false
+
+# Timeouts
+# dial_timeout = "5s"
+# read_timeout = "1s"
+# write_timeout = "1s"
+# backend_timeout = "30s"
+# check_cmd_timeout = "30s"
+# reload_cmd_timeout = "60s"
+
+# Retry configuration
+# retry_max_attempts = 3
+# retry_base_delay = "100ms"
+# retry_max_delay = "5s"
+
+# Watch mode settings
+# watch_error_backoff = "2s"
+# debounce = ""
+# batch_interval = ""
+
+# Performance
+# template_cache = true
+# stat_cache_ttl = "1s"
+
+# Metrics endpoint (disabled if empty)
+# Exposes /metrics, /health, /ready, /ready/detailed
+# metrics_addr = ":9100"