
Conversation


@thomaseizinger thomaseizinger commented Oct 9, 2025

With this PR we add cargo-deb to our CI pipeline and build a Debian package for the Gateway. The Debian package comes with several configuration files that make it easy for admins to start and maintain a Gateway installation:

  • The embedded systemd unit file is essentially the same one as what we currently install with the install script with some minor modifications.
    • The token is read from /etc/firezone/gateway-token and passed as a systemd credential. This allows us to set the permissions for this file to 0400 and have it owned by root:root.
    • The configuration is read from /etc/firezone/gateway-env.
    • Both of these changes basically mean the user should never need to touch the unit file itself.
  • The sysusers configuration file ensures the firezone user and group are present on the system.
  • The tmpfiles configuration file ensures the necessary directories are present.

All of the above is automatically installed and configured using the post-installation script which is called by apt once the package is installed.

In addition to the Gateway, we also package a first version of the firezone-cli. Right now, firezone-cli (installed as firezone) has three subcommands:

  • gateway authenticate: Asks for the Gateway's token and installs it at /etc/firezone/gateway-token. The user doesn't have to know how we manage this token and can trust that we are using safe defaults.
  • gateway enable: Enables and starts the systemd service.
  • gateway disable: Disables the systemd service.

Right now, the .deb file is only uploaded to the preview APT repository and not attached to the release. It should therefore not yet be user-visible unless somebody pokes around a lot, meaning we can defer documentation to a later PR and start testing it from the preview repository for our own purposes.

Related: #10598
Resolves: #8484
Resolves: #10681
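
The token handling the description outlines (a file at /etc/firezone/gateway-token with mode 0400), sketched as an added example that is not firezone-cli's own code. `install_token`, `mode_of` and the temp-file name are hypothetical, only the Rust standard library is used, and root:root ownership is assumed to follow from running as root.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Install `token` at `dest` with mode 0400 without ever exposing a wider mode.
/// Hypothetical helper; ownership is whatever user runs it (root is assumed).
pub fn install_token(dest: &Path, token: &str) -> io::Result<()> {
    let dir = dest.parent().ok_or(io::ErrorKind::InvalidInput)?;
    let tmp = dir.join(format!(".gateway-token.{}.tmp", std::process::id()));
    // create_new (O_EXCL) fails if the path exists, so a planted file or
    // symlink is never reused; the file is born with 0400, not chmod'ed later.
    let mut file = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o400)
        .open(&tmp)?;
    let result = file
        .set_permissions(Permissions::from_mode(0o400)) // exact mode, independent of umask
        .and_then(|()| file.write_all(token.trim().as_bytes())) // drop the pasted newline
        .and_then(|()| file.sync_all())
        .and_then(|()| fs::rename(&tmp, dest)); // atomic replace on the same filesystem
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // do not leave a stray copy of the secret
    }
    result
}

/// Permission bits of `path` itself (a symlink is not followed), for auditing.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::symlink_metadata(path)?.permissions().mode() & 0o7777)
}

fn main() -> io::Result<()> {
    // Constructed demo location; the page's real path is /etc/firezone/gateway-token.
    let dir = std::env::temp_dir().join(format!("fz-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let dest = dir.join("gateway-token");
    install_token(&dest, "constructed-sample-token\n")?;
    println!("{} has mode {:o}", dest.display(), mode_of(&dest)?);
    fs::remove_dir_all(&dir)
}
```

Writing to a temporary file and renaming it means a token being rotated is replaced in one step, so a reader sees either the old token or the new one, never a partial write.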


@thomaseizinger thomaseizinger force-pushed the feat/package-firezone-gateway-deb branch from 2acf159 to 6c17b75 Compare October 13, 2025 23:58
@thomaseizinger thomaseizinger force-pushed the feat/package-firezone-gateway-deb branch 2 times, most recently from 41ada73 to 42faf7e Compare October 14, 2025 22:09
@thomaseizinger thomaseizinger force-pushed the feat/package-firezone-gateway-deb branch from f98e684 to 4dc8e5b Compare October 16, 2025 05:52
@thomaseizinger thomaseizinger force-pushed the feat/package-firezone-gateway-deb branch from 8e802df to 3eabeb6 Compare October 16, 2025 06:40

@thomaseizinger thomaseizinger force-pushed the feat/package-firezone-gateway-deb branch from 4425aa5 to 99c0053 Compare October 24, 2025 04:50
@thomaseizinger thomaseizinger changed the title feat(gateway): package and publish .deb feat(gateway): create debian package Oct 24, 2025
@thomaseizinger thomaseizinger added this pull request to the merge queue Oct 24, 2025
Merged via the queue into main with commit 0d2ddd8 Oct 24, 2025
164 checks passed
@thomaseizinger thomaseizinger deleted the feat/package-firezone-gateway-deb branch October 24, 2025 05:17
);
}

let mut token = String::with_capacity(512); // Our tokens are ~270 characters, grab the next power of 2.
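
Review bot: On the `let mut token = String::with_capacity(512)` line, the secret sits in a plain `String` that is freed without being wiped, and because the capacity is only a hint, any input longer than 512 bytes makes the `String` reallocate and leaves the earlier copy in freed heap memory where a wipe-on-drop wrapper cannot reach it. Consider holding the buffer in a wiping wrapper such as `zeroize::Zeroizing<String>` and rejecting input that exceeds the reserved capacity instead of letting the buffer grow.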

@jamilbk jamilbk Oct 24, 2025


Might be a good idea here to use secrecy or otherwise zeroize this on drop, considering Gateway tokens by default today don't expire.


Development

Successfully merging this pull request may close these issues.

  • Upload packages from draft releases to preview APT repository
  • Package Gateway for popular distros
