From 3bb5b3c425dcd4743f75e0019eff47b54f549545 Mon Sep 17 00:00:00 2001 From: rob thijssen Date: Thu, 16 Apr 2026 14:33:08 +0300 Subject: [PATCH] fix(rpm): drop %attr(,,user) on config files to avoid dnf silent filter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using %attr(,,cortex) / %attr(,,neuron) on config files caused rpm's auto-dep-generator to emit Requires: user(name) and group(name) on each package. When those Requires couldn't be resolved — whether due to sysusers Provides mismatches, missing GPG keys, or dnf5 cache state — dnf5 silently filtered the package out of the candidate set and reported "Nothing to do" rather than an unsatisfied-dep error. Adopt the pattern that already works reliably across our infra (grenade/monsoon): ship config files as default root:root with 0644 perms, don't declare user/group ownership in the rpm file list. systemd-sysusers still creates the service user via the shipped sysusers.d file; the service drops to that user at runtime via the User= directive in the unit. This removes the user(cortex)/user(neuron) Requires entirely, which is the root cause of the dnf5 filtering. File permission tightening can be reintroduced later — either via a separate secrets file with different mode bits, or by moving secret material to /var/lib// where the service drop-privileges account already has write access. Co-Authored-By: Claude Opus 4.6 (1M context) --- cortex.spec | 18 ++++++------------ neuron.spec | 14 ++++---------- 2 files changed, 10 insertions(+), 22 deletions(-) diff --git a/cortex.spec b/cortex.spec index 5f44a1b..01991d2 100644 --- a/cortex.spec +++ b/cortex.spec 
@@ -22,12 +22,6 @@ BuildRequires: systemd-rpm-macros Requires(pre): shadow-utils Requires: systemd -# rpm's sysusers provides-generator only emits versioned user(cortex) when -# the u-line has GECOS/home/shell fields. %attr(,,cortex) in %files emits -# an unversioned Requires: user(cortex), so we provide it explicitly. -Provides: user(cortex) -Provides: group(cortex) - %description Cortex is a Rust reverse-proxy that sits in front of multiple inference nodes (via neuron daemons) and presents a unified OpenAI and Anthropic @@ -53,9 +47,9 @@ cargo build --release -p cortex-cli install -Dm755 target/release/cortex %{buildroot}%{_bindir}/cortex install -Dm644 data/cortex.service %{buildroot}%{_unitdir}/cortex.service install -Dm644 data/cortex-sysusers.conf %{buildroot}%{_sysusersdir}/cortex.conf -install -dm750 %{buildroot}%{_sysconfdir}/cortex -install -Dm640 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml -install -Dm640 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml +install -dm755 %{buildroot}%{_sysconfdir}/cortex +install -Dm644 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml +install -Dm644 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml %pre %sysusers_create_compat %{_builddir}/%{name}-%{version}/data/cortex-sysusers.conf @@ -75,9 +69,9 @@ install -Dm640 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml %{_bindir}/cortex %{_unitdir}/cortex.service %{_sysusersdir}/cortex.conf -%dir %attr(750,root,cortex) %{_sysconfdir}/cortex -%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/cortex.toml -%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/models.toml +%dir %{_sysconfdir}/cortex +%config(noreplace) %{_sysconfdir}/cortex/cortex.toml +%config(noreplace) %{_sysconfdir}/cortex/models.toml %changelog * Tue Apr 15 2026 Rob Thijssen - 0.1.0-1 diff --git a/neuron.spec b/neuron.spec index d672b67..02bb014 100644 --- a/neuron.spec +++ b/neuron.spec 
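Review bot: The `%install` hunk makes the whole config tree world-readable: `install -dm755` on `%{_sysconfdir}/cortex` and `install -Dm644` on `cortex.toml` and `models.toml`, where the removed lines used 0750/0640 and `%files` limited access to root and the cortex group. The commit message mentions secret material, and although the example files are not visible here, any credential in `cortex.toml` becomes readable by every local account. Going by the commit message, the `Requires: user(cortex)` comes from naming the owner in `%files`, not from the mode bits. Restricted access could therefore be kept outside the file list, for example with a tmpfiles.d entry such as `z /etc/cortex/cortex.toml 0640 root cortex -`, or with `chgrp cortex` and `chmod 0640` in `%post` after sysusers has created the account; it is worth confirming with `rpm -qp --requires` that neither route brings the dependency back. The same applies to the `%files` hunk that follows and to the two matching hunks in neuron.spec.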
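Review bot: The `%files` entries no longer carry `%attr`, and nothing left in the spec says this is deliberate, because the explanatory comment above the removed `Provides:` lines was deleted with them. A later contributor tightening permissions is likely to reach for `%attr(640,root,cortex)` again and reintroduce the `Requires: user(cortex)` that the commit message identifies as the cause of dnf5 dropping the package. I would add a comment above the `%dir` line, for example `# No named owner via %attr: rpm turns it into Requires: user()/group(); files stay root:root, the service user comes from sysusers.d.` The `%files` hunk in neuron.spec needs the same comment.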
@@ -22,12 +22,6 @@ BuildRequires: systemd-rpm-macros Requires(pre): shadow-utils Requires: systemd -# rpm's sysusers provides-generator only emits versioned user(neuron) when -# the u-line has GECOS/home/shell fields. %attr(,,neuron) in %files emits -# an unversioned Requires: user(neuron), so we provide it explicitly. -Provides: user(neuron) -Provides: group(neuron) - %description Neuron is a per-node daemon for cortex inference clusters. It discovers local GPU hardware via nvidia-smi, manages inference harnesses (mistral.rs, @@ -52,8 +46,8 @@ cargo build --release -p neuron install -Dm755 target/release/neuron %{buildroot}%{_bindir}/neuron install -Dm644 data/neuron.service %{buildroot}%{_unitdir}/neuron.service install -Dm644 data/neuron-sysusers.conf %{buildroot}%{_sysusersdir}/neuron.conf -install -dm750 %{buildroot}%{_sysconfdir}/neuron -install -Dm640 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml +install -dm755 %{buildroot}%{_sysconfdir}/neuron +install -Dm644 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml %pre %sysusers_create_compat %{_builddir}/%{name}-%{version}/data/neuron-sysusers.conf @@ -73,8 +67,8 @@ install -Dm640 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml %{_bindir}/neuron %{_unitdir}/neuron.service %{_sysusersdir}/neuron.conf -%dir %attr(750,root,neuron) %{_sysconfdir}/neuron -%config(noreplace) %attr(640,root,neuron) %{_sysconfdir}/neuron/neuron.toml +%dir %{_sysconfdir}/neuron +%config(noreplace) %{_sysconfdir}/neuron/neuron.toml %changelog * Tue Apr 15 2026 Rob Thijssen - 0.1.0-1