fix(rpm): explicitly Provides user(name) to satisfy systemd unit Requires

Diagnosing the persistent "Nothing to do" on v0.1.10 surfaced that
removing %attr(,,name) from %files wasn't enough. systemd-rpm-macros
ships its own rpm dep generator (/usr/lib/rpm/systemd.req) that parses
User=/Group= directives from every .service file the package ships
and emits Requires: user(NAME)/group(NAME) accordingly.

Rpmbuild log from v0.1.10 shows these Requires are still emitted even
after the %attr removal. Meanwhile the sysusers provides-generator
emits group(NAME) in both unversioned and versioned forms, but only
a versioned user(NAME) = <base64> when the u-line has GECOS/home/shell
fields. The asymmetry leaves Requires: user(NAME) unresolvable.

Add explicit Provides: user(NAME) back to both specs, with a comment
documenting the actual cause (systemd unit parsing, not file attrs)
so the next person touching these specs doesn't repeat the mistake.

Why monsoon didn't hit this: it creates its user in %pre via
groupadd/useradd (not sysusers.d), so no Provides are generated at
all — matching the Requires: user(monsoon) by luck of the rpm solver
treating unknown symbols as soft-fails for that path. Ours went through
the sysusers Provides code path and hit the asymmetry instead.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -2,11 +2,21 @@ name: CI
 
 on:
   push:
-    branches: ['**']
+    branches: ["**"]
-    tags: ['v*']
+    tags: ["v*"]
   pull_request:
     branches: [main]
 
+env:
+  CARGO_INCREMENTAL: "0"
+  RUSTC_WRAPPER: sccache
+  SCCACHE_BUCKET: sccache
+  SCCACHE_ENDPOINT: http://caveman.kosherinata.internal:9000
+  SCCACHE_REGION: auto
+  SCCACHE_S3_USE_SSL: "false"
+  AWS_ACCESS_KEY_ID: ${{ secrets.SCCACHE_S3_ACCESS_KEY }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.SCCACHE_S3_SECRET_KEY }}
+
 jobs:
   check:
     name: Format, lint, build, test
@@ -14,39 +24,68 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Cache cargo registry and target
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/bin
+            ~/.cargo/registry/index
+            ~/.cargo/registry/cache
+            ~/.cargo/git/db
+            target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-
+
+      - name: Ensure sccache with S3 support
+        env:
+          RUSTC_WRAPPER: ""
+        run: |
+          if sccache --version 2>/dev/null && sccache --show-stats 2>/dev/null; then
+            echo "sccache with S3 support already installed"
+          else
+            cargo install sccache --features s3 --locked
+          fi
+
       - name: Check formatting
         run: cargo fmt --check --all
 
       - name: Clippy
         run: cargo clippy --workspace -- -D warnings
 
-      - name: Build
-        run: cargo build --workspace
-
       - name: Test
         run: cargo test --workspace
 
-  rpm:
+      - name: Show sccache stats
-    name: Build SRPM
+        run: sccache --show-stats
+
+  srpm-cortex:
+    name: Build cortex SRPM
     runs-on: fedora
     needs: check
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Determine version
         id: version
         run: |
           VERSION="${GITHUB_REF#refs/tags/v}"
           echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "Building version: ${VERSION}"
 
-      - name: Stamp version into spec
+      - name: Stamp version
         run: |
           VERSION="${{ steps.version.outputs.VERSION }}"
           sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
           sed -i "s/^Version:.*/Version:        ${VERSION}/" cortex.spec
-          echo "Stamped version ${VERSION}"
+
+      - name: Generate changelog entry
+        uses: https://git.lair.cafe/actions/rpm-changelog@v1
+        with:
+          spec: cortex.spec
+          version: ${{ steps.version.outputs.VERSION }}
 
       - name: Generate source tarball
         run: |
@@ -77,24 +116,126 @@ jobs:
       - name: Upload SRPM artifact
         uses: actions/upload-artifact@v3
         with:
-          name: srpm
+          name: srpm-cortex
-          path: '*.src.rpm'
+          path: "*.src.rpm"
 
-  copr:
+  srpm-neuron:
-    name: Publish to COPR
+    name: Build neuron SRPM
     runs-on: fedora
-    needs: rpm
+    needs: check
     if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine version
+        id: version
+        run: |
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
+
+      - name: Stamp version
+        run: |
+          VERSION="${{ steps.version.outputs.VERSION }}"
+          sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
+          sed -i "s/^Version:.*/Version:        ${VERSION}/" neuron.spec
+
+      - name: Generate changelog entry
+        uses: https://git.lair.cafe/actions/rpm-changelog@v1
+        with:
+          spec: neuron.spec
+          version: ${{ steps.version.outputs.VERSION }}
+
+      - name: Generate source tarball
+        run: |
+          set -ex
+          VERSION="${{ steps.version.outputs.VERSION }}"
+          tar czf /tmp/neuron-${VERSION}.tar.gz \
+            --transform "s,^\.,neuron-${VERSION}," \
+            --exclude='./target' \
+            --exclude='./.git' \
+            --exclude='*.tar.gz' \
+            --exclude='*.src.rpm' \
+            .
+          mv /tmp/neuron-${VERSION}.tar.gz .
+
+      - name: Vendor Rust dependencies
+        run: |
+          VERSION="${{ steps.version.outputs.VERSION }}"
+          cargo vendor vendor/
+          tar czf neuron-${VERSION}-vendor.tar.gz vendor/
+          rm -rf vendor/
+
+      - name: Build SRPM
+        run: |
+          rpmbuild -bs neuron.spec \
+            --define "_sourcedir $(pwd)" \
+            --define "_srcrpmdir $(pwd)"
+
+      - name: Upload SRPM artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: srpm-neuron
+          path: "*.src.rpm"
+
+  copr-cortex:
+    name: Publish cortex to COPR
+    runs-on: fedora
+    needs: srpm-cortex
     steps:
       - name: Download SRPM
         uses: actions/download-artifact@v3
         with:
-          name: srpm
+          name: srpm-cortex
 
-      - name: Configure copr-cli
+      - name: Publish to COPR
+        uses: https://git.lair.cafe/actions/copr-publish@v1
+        with:
+          project: helexa/cortex
+          srpm: "*.src.rpm"
+          copr-config: ${{ secrets.COPR_CONFIG }}
+
+  copr-neuron:
+    name: Publish neuron to COPR
+    runs-on: fedora
+    needs: srpm-neuron
+    steps:
+      - name: Download SRPM
+        uses: actions/download-artifact@v3
+        with:
+          name: srpm-neuron
+
+      - name: Publish to COPR
+        uses: https://git.lair.cafe/actions/copr-publish@v1
+        with:
+          project: helexa/neuron
+          srpm: "*.src.rpm"
+          copr-config: ${{ secrets.COPR_CONFIG }}
+
+  bump-version:
+    name: Bump version in source
+    runs-on: fedora
+    needs: [copr-cortex, copr-neuron]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Stamp version and push
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
         run: |
-          mkdir -p ~/.config
+          VERSION="${GITHUB_REF#refs/tags/v}"
-          echo "${{ secrets.COPR_CONFIG }}" > ~/.config/copr
+          sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
-
+          sed -i "s/^Version:.*/Version:        ${VERSION}/" cortex.spec
-      - name: Submit build to COPR
+          sed -i "s/^Version:.*/Version:        ${VERSION}/" neuron.spec
-        run: copr-cli build cortex *.src.rpm
+          cargo check --workspace 2>/dev/null || true
+          git config user.name "Gitea Actions"
+          git config user.email "actions@git.lair.cafe"
+          git add Cargo.toml Cargo.lock cortex.spec neuron.spec
+          if git diff --cached --quiet; then
+            echo "Version already at ${VERSION}"
+          else
+            git commit -m "chore: bump version to ${VERSION}"
+            git remote set-url origin "https://gitea-actions:${GITEA_TOKEN}@git.lair.cafe/helexa/cortex.git"
+            git push origin HEAD:main
+          fi

CLAUDE.md

@@ -590,30 +590,22 @@ Topology-aware placement (min_devices, min_device_vram_mb) deferred —
 the router currently routes based on polled model status. Catalogue
 placement matching can be added incrementally.
 
-### Phase 10: neuron packaging (RPM)
+### Phase 10: RPM packaging ✅
 
-**Goal:** `neuron` and `cortex` are installable via `dnf` from the
+Completed. Both packages have RPM specs, systemd units, and example configs.
-grenade COPR repo.
+CI builds parallel SRPMs on tag push and publishes to separate COPR repos.
 
-**Steps:**
+- `cortex.spec` → `helexa/cortex` COPR: binary, systemd unit, config files
-1. `neuron.spec` — RPM spec file for the neuron binary. Install to
+- `neuron.spec` → `helexa/neuron` COPR: binary, systemd unit, config
-   `/usr/libexec/cortex/neuron`. Systemd unit
+- `data/cortex.service`, `data/neuron.service` — systemd units
-   `neuron.service`. Config at `/etc/cortex/neuron.toml`.
+- `cortex.example.toml`, `neuron.example.toml`, `models.example.toml`
-2. Update `cortex.spec` — ensure the cortex binary, config, and
+- CI: parallel `srpm-cortex` + `srpm-neuron` jobs, then parallel COPR publish
-   `models.toml` are packaged correctly.
-3. Gitea Actions CI job: on tag push, build SRPM, submit to COPR.
-4. Document the install path:
-   ```sh
-   dnf copr enable grenade/cortex
-   # on the gateway host:
-   dnf install cortex
-   # on each GPU node:
-   dnf install neuron
-   ```
 
-**Done when:** `dnf install neuron` on a Fedora 43 host drops the
+Install:
-binary, config, and systemd unit. `systemctl start neuron` runs
+```sh
-discovery and serves `/discovery`.
+dnf copr enable helexa/cortex && dnf install cortex    # gateway host
+dnf copr enable helexa/neuron && dnf install neuron    # GPU nodes
+```
 
 ### Phase 11: llama.cpp harness stub
 

Cargo.lock

@@ -351,7 +351,7 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
 
 [[package]]
 name = "cortex-cli"
-version = "0.1.0"
+version = "0.1.10"
 dependencies = [
  "anyhow",
  "clap",
@@ -366,7 +366,7 @@ dependencies = [
 
 [[package]]
 name = "cortex-core"
-version = "0.1.0"
+version = "0.1.10"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -381,7 +381,7 @@ dependencies = [
 
 [[package]]
 name = "cortex-gateway"
-version = "0.1.0"
+version = "0.1.10"
 dependencies = [
  "anyhow",
  "axum",
@@ -1184,7 +1184,7 @@ dependencies = [
 
 [[package]]
 name = "neuron"
-version = "0.1.0"
+version = "0.1.10"
 dependencies = [
  "anyhow",
  "async-trait",

Cargo.toml

@@ -8,7 +8,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.1.0"
+version = "0.1.10"
 edition = "2024"
 license = "GPL-3.0-or-later"
 repository = "https://git.lair.cafe/helexa/cortex"

cortex.spec

@@ -1,7 +1,7 @@
 Name:           cortex
-Version:        0.1.0
+Version:        0.1.10
 Release:        1%{?dist}
-Summary:        Inference gateway for multi-node mistral.rs clusters
+Summary:        Inference gateway for multi-node GPU clusters
 
 License:        GPL-3.0-or-later
 URL:            https://git.lair.cafe/helexa/cortex
@@ -13,13 +13,29 @@ ExclusiveArch:  x86_64
 BuildRequires:  rust >= 1.85
 BuildRequires:  cargo
 BuildRequires:  gcc
+BuildRequires:  gcc-c++
+BuildRequires:  cmake
+BuildRequires:  perl-interpreter
+BuildRequires:  pkgconfig(openssl)
 BuildRequires:  systemd-rpm-macros
 
+Requires(pre):  shadow-utils
+Requires:       systemd
+
+# systemd-rpm-macros ships a unit dep generator that parses User=/Group=
+# from our .service file and emits Requires: user(cortex)/group(cortex).
+# rpm's sysusers provides-generator emits the unversioned form for groups
+# but only a versioned user(cortex) = <base64> for users with GECOS/home/
+# shell. Provide the unversioned user(cortex) explicitly so dnf can resolve
+# the auto-generated Requires. Without this, dnf5 silently filters the
+# package and reports "Nothing to do".
+Provides:       user(cortex)
+
 %description
-Cortex is a Rust reverse-proxy that sits in front of multiple mistral.rs
+Cortex is a Rust reverse-proxy that sits in front of multiple inference
-inference nodes and presents a unified OpenAI and Anthropic compatible
+nodes (via neuron daemons) and presents a unified OpenAI and Anthropic
-API surface. It handles model routing, lifecycle management, request
+compatible API surface. It handles model routing, lifecycle management,
-translation, and metrics collection.
+request translation, and metrics collection.
 
 %prep
 %autosetup
@@ -38,12 +54,34 @@ cargo build --release -p cortex-cli
 
 %install
 install -Dm755 target/release/cortex %{buildroot}%{_bindir}/cortex
+install -Dm644 data/cortex.service %{buildroot}%{_unitdir}/cortex.service
+install -Dm644 data/cortex-sysusers.conf %{buildroot}%{_sysusersdir}/cortex.conf
+install -dm755 %{buildroot}%{_sysconfdir}/cortex
+install -Dm644 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml
+install -Dm644 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
+
+%pre
+%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/cortex-sysusers.conf
+
+%post
+%systemd_post cortex.service
+
+%preun
+%systemd_preun cortex.service
+
+%postun
+%systemd_postun_with_restart cortex.service
 
 %files
 %license LICENSE
 %doc README.md
 %{_bindir}/cortex
+%{_unitdir}/cortex.service
+%{_sysusersdir}/cortex.conf
+%dir %{_sysconfdir}/cortex
+%config(noreplace) %{_sysconfdir}/cortex/cortex.toml
+%config(noreplace) %{_sysconfdir}/cortex/models.toml
 
 %changelog
-* Mon Apr 14 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
+* Wed Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
 - Initial package

data/cortex-sysusers.conf

@@ -0,0 +1,3 @@
+g cortex - -
+u cortex - "Cortex inference cluster" /var/lib/cortex /sbin/nologin
+m cortex cortex

data/cortex.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Cortex — inference gateway for multi-node GPU clusters
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/cortex serve --config /etc/cortex/cortex.toml
+Restart=on-failure
+RestartSec=5
+User=cortex
+Group=cortex
+
+[Install]
+WantedBy=multi-user.target

data/neuron-sysusers.conf

@@ -0,0 +1,3 @@
+g neuron - -
+u neuron - "Neuron GPU node daemon" /var/lib/neuron /sbin/nologin
+m neuron neuron

data/neuron.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Neuron — per-node GPU discovery and harness daemon for cortex
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/neuron --config /etc/neuron/neuron.toml
+Restart=on-failure
+RestartSec=5
+User=neuron
+Group=neuron
+
+[Install]
+WantedBy=multi-user.target

models.example.toml

@@ -0,0 +1,29 @@
+# models.example.toml — model catalogue
+#
+# Copy to /etc/cortex/models.toml and adjust for your environment.
+# Describes how to serve each model. Cortex matches these profiles
+# against discovered neuron topologies for placement decisions.
+
+[[models]]
+id = "your-org/large-model"
+harness = "mistralrs"
+quant = "Q4_K_M"
+vram_mb = 19000
+min_devices = 2
+min_device_vram_mb = 10000
+pinned_on = ["gpu-large"]
+
+[[models]]
+id = "your-org/medium-model"
+harness = "mistralrs"
+quant = "Q6_K"
+vram_mb = 12000
+min_devices = 1
+pinned_on = ["gpu-medium"]
+
+[[models]]
+id = "your-org/embedding-model"
+harness = "mistralrs"
+quant = "Q8_0"
+vram_mb = 8000
+min_devices = 1

neuron.example.toml

@@ -0,0 +1,16 @@
+# neuron.example.toml — example configuration
+#
+# Copy to /etc/neuron/neuron.toml and adjust for your environment.
+#
+# Environment variable overrides use NEURON_ prefix with __ separators:
+#   NEURON_PORT=9090
+
+port = 9090
+
+# -- Harnesses ---------------------------------------------------------------
+# Each [[harnesses]] entry declares an inference engine managed by neuron.
+
+[[harnesses]]
+name = "mistralrs"
+endpoint = "http://localhost:8080"
+systemd_unit = "mistralrs.service"

neuron.spec

@@ -0,0 +1,84 @@
+Name:           neuron
+Version:        0.1.10
+Release:        1%{?dist}
+Summary:        Per-node GPU discovery and harness management daemon for cortex
+
+License:        GPL-3.0-or-later
+URL:            https://git.lair.cafe/helexa/cortex
+Source0:        %{name}-%{version}.tar.gz
+Source1:        %{name}-%{version}-vendor.tar.gz
+
+ExclusiveArch:  x86_64
+
+BuildRequires:  rust >= 1.85
+BuildRequires:  cargo
+BuildRequires:  gcc
+BuildRequires:  gcc-c++
+BuildRequires:  cmake
+BuildRequires:  perl-interpreter
+BuildRequires:  pkgconfig(openssl)
+BuildRequires:  systemd-rpm-macros
+
+Requires(pre):  shadow-utils
+Requires:       systemd
+
+# systemd-rpm-macros ships a unit dep generator that parses User=/Group=
+# from our .service file and emits Requires: user(neuron)/group(neuron).
+# rpm's sysusers provides-generator emits the unversioned form for groups
+# but only a versioned user(neuron) = <base64> for users with GECOS/home/
+# shell. Provide the unversioned user(neuron) explicitly so dnf can resolve
+# the auto-generated Requires. Without this, dnf5 silently filters the
+# package and reports "Nothing to do".
+Provides:       user(neuron)
+
+%description
+Neuron is a per-node daemon for cortex inference clusters. It discovers
+local GPU hardware via nvidia-smi, manages inference harnesses (mistral.rs,
+llama.cpp), and exposes an HTTP API for model lifecycle management.
+
+%prep
+%autosetup
+tar xf %{SOURCE1}
+mkdir -p .cargo
+cat > .cargo/config.toml << 'EOF'
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
+EOF
+
+%build
+cargo build --release -p neuron
+
+%install
+install -Dm755 target/release/neuron %{buildroot}%{_bindir}/neuron
+install -Dm644 data/neuron.service %{buildroot}%{_unitdir}/neuron.service
+install -Dm644 data/neuron-sysusers.conf %{buildroot}%{_sysusersdir}/neuron.conf
+install -dm755 %{buildroot}%{_sysconfdir}/neuron
+install -Dm644 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
+
+%pre
+%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/neuron-sysusers.conf
+
+%post
+%systemd_post neuron.service
+
+%preun
+%systemd_preun neuron.service
+
+%postun
+%systemd_postun_with_restart neuron.service
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/neuron
+%{_unitdir}/neuron.service
+%{_sysusersdir}/neuron.conf
+%dir %{_sysconfdir}/neuron
+%config(noreplace) %{_sysconfdir}/neuron/neuron.toml
+
+%changelog
+* Wed Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
+- Initial package