Introduce a _tang system user, migrate database to /var/lib/tang

There is no need for the tang process to run as root.

debian/patches/debian/2021-09-30.run-as-tang-user.patch

@@ -0,0 +1,13 @@
+Subject: Run tang as the _tang system user
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2021-09-30
+Forwarded: not-needed
+
+--- a/units/tangd@.service.in
++++ b/units/tangd@.service.in
+@@ -7,3 +7,5 @@
+ StandardOutput=socket
+ StandardError=journal
+ ExecStart=@libexecdir@/tangd @jwkdir@
++User=_tang
++Group=_tang

debian/patches/debian/2021-09-30.use-var-lib.patch

@@ -0,0 +1,16 @@
+Subject: Store the tang db in /var/lib/tang
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2021-09-30
+Forwarded: not-needed
+
+--- a/meson.build
++++ b/meson.build
+@@ -19,7 +19,7 @@
+ if build_machine.system() == 'freebsd'
+   licensedir += '-'+meson.project_version()
+ endif
+-jwkdir = join_paths(get_option('localstatedir'), 'db', meson.project_name())
++jwkdir = join_paths('/var/lib/tang')
+ 
+ data = configuration_data()
+ data.set('libexecdir', libexecdir)

debian/patches/series

@@ -7,3 +7,5 @@ for-upstream/2018-08-12.add-systemd-documentation-key.patch
 
 # patches for Debian
 debian/2021-04-19.non-usrmerged.patch
+debian/2021-09-30.run-as-tang-user.patch
+debian/2021-09-30.use-var-lib.patch

debian/rules

@@ -10,4 +10,3 @@ include /usr/share/dpkg/buildflags.mk
 override_dh_auto_install:
 	dh_auto_install --buildsystem=meson
 	rm -rf debian/tang/usr/share/licenses
-	mkdir -p debian/tang/var/db/tang

debian/tang.postinst

@@ -0,0 +1,51 @@
+#!/bin/sh
+
+set -e
+
+DB_DIR_OLD=/var/db/tang
+DB_DIR=/var/lib/tang
+
+case "$1" in
+configure)
+    if ! getent passwd _tang >/dev/null; then
+        adduser --quiet --system --group --no-create-home --home /nonexistent --force-badname _tang
+    fi
+
+    # Migrate tang db:
+    # * Change location
+    # * Give it to _tang user
+    # (Retire after bookworm release)
+    if \
+        dpkg --compare-versions "$2" lt "10-3" &&
+        [ -d "$DB_DIR_OLD" ] &&
+        [ ! -d "$DB_DIR" ]
+    then
+        echo 'I: Migrating tang db'
+        mv "$DB_DIR_OLD" "$DB_DIR"
+        chown -R _tang:_tang "$DB_DIR"
+    fi
+
+    # Possibly remove /var/db/
+    # (Retire after bookworm release)
+    if \
+        dpkg --compare-versions "$2" lt "10-3" &&
+        [ -d /var/db/ ]
+    then
+        rmdir /var/db/ >/dev/null 2>&1 || :
+    fi
+
+    # assert db directory
+    mkdir -p "$DB_DIR"
+    chown _tang:_tang "$DB_DIR"
+
+    ;;
+abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+*)
+    echo "postinst called with unknown argument '$1'" >&2
+    exit 1
+    ;;
+esac
+
+#DEBHELPER#
+exit 0