Install and use sysusers.d/tmpfiles.d config files

sysusers.d/tmpfiles.d config files allow a package to use
declarative configuration instead of manually written maintainer
scripts. This also allows image-based systems to be created
with /usr/ only, and also allows for factory resetting a system
and recreating /etc/ on boot.

https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html
https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html

Tests:

- /var/lib/plinth and /var/lib/plinth/sessions/ are created on package install.
  Ownership is plinth:plinth. 0755 is permissions.

- /var/lib/plinth/firstboot-wizard-secret file is created on package install.
  Ownership is plinth:plinth. 0400 is permissions. During first wizard,
  providing the secret works.

- /var/lib/plinth/backups-data is owned by root:root.

- When upgrading from old package to new the permissions don't change.

- When reinstalling the new package, the permissions do not change.

- User is created same as before.
  plinth❌987:987:FreedomBox service:/var/lib/plinth:/usr/sbin/nologin
- Group is created same as before.
  plinth❌987:
- id plinth
  uid=987(plinth) gid=987(plinth) groups=987(plinth)

- Upgrading from old package to new does not change user and group records.

- Reinstalling new version does not change user and group records.

[sunil: Don't recursively change ownership for /var/lib/plinth/]
[sunil: Change ownership specifically for /var/lib/plinth/firstboot-wizard-secret]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>

debian/control

@@ -11,6 +11,7 @@ Uploaders:
  James Valleroy <jvalleroy@mailbox.org>,
 Build-Depends:
  debhelper-compat (= 13),
+ dh-sequence-installsysusers,
  dblatex,
  dh-python,
  docbook-xsl,
@@ -74,7 +75,6 @@ Depends:
  ${python3:Depends},
  ${misc:Depends},
  ${freedombox:Depends},
- adduser,
  augeas-tools,
  bind9-dnsutils,
  curl,

debian/freedombox.postinst

@@ -13,21 +13,9 @@ sed -i 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth
 
 case "$1" in
     configure)
-        if ! getent group plinth >/dev/null; then
-            addgroup --system --quiet plinth
-        fi
-
-        if ! getent passwd plinth >/dev/null; then
-            adduser --system --quiet --ingroup plinth --no-create-home --home /var/lib/plinth plinth
-        fi
-
-        chown plinth: /var/lib/plinth
-        chown plinth: /var/lib/plinth/sessions
-
         if [ ! -e '/var/lib/freedombox/is-freedombox-disk-image' ]; then
             umask 377
             base64 < /dev/urandom | head -c 16 | sed -e 's+$+\n+' > /var/lib/plinth/firstboot-wizard-secret
-            chown plinth:plinth /var/lib/plinth/firstboot-wizard-secret
             db_subst plinth/firstboot_wizard_secret secret $(cat /var/lib/plinth/firstboot-wizard-secret)
             db_input high plinth/firstboot_wizard_secret || true
             db_go

debian/freedombox.sysusers

@@ -0,0 +1 @@
+u! plinth - "FreedomBox service" /var/lib/plinth

debian/freedombox.tmpfiles

@@ -0,0 +1,3 @@
+d /var/lib/plinth 0755 plinth plinth
+d /var/lib/plinth/sessions 0755 plinth plinth
+Z /var/lib/plinth/firstboot-wizard-secret 0400 plinth plinth