feat: CI/CD pour packages .deb et .rpm + tests d'installation

Nouveaux workflows GitHub Actions:
- .github/workflows/build-deb.yml : Build et release DEB sur Ubuntu
- .github/workflows/build-rpm.yml : Build et release RPM sur Fedora
- Déclenchement sur tags v*, push main/master, workflow_dispatch
- Upload des artifacts et création automatique de release

Système de build de packages:
- packaging/build-deb.sh : Script de build .deb avec sanitization version
- packaging/build-rpm.sh : Script de build .rpm (via Docker)
- packaging/Dockerfile.deb : Container Ubuntu 22.04 pour build DEB
- packaging/Dockerfile.rpm : Container Go 1.24 + rpm pour build RPM

Fichiers de configuration systemd:
- packaging/systemd/ja4sentinel.service : Unit avec security hardening
  * NoNewPrivileges, ProtectSystem, ProtectHome
  * CAP_NET_RAW, CAP_NET_ADMIN pour packet capture
- packaging/systemd/config.yml : Configuration par défaut

Scripts mainteneur DEB:
- packaging/deb/postinst : Création user/group, dirs, config
- packaging/deb/prerm : Stop service avant upgrade/remove
- packaging/deb/postrm : Cleanup complet en purge

Spec file RPM:
- packaging/rpm/ja4sentinel.spec : Spec complet avec dependencies
  * Requires: systemd, libpcap
  * %pre/%post/%preun/%postun scripts

Tests d'installation dans containers:
- packaging/test/test-deb.sh : Build + test Docker Ubuntu
- packaging/test/test-rpm.sh : Build + test Docker Fedora
- packaging/test/test-install-deb.sh : 11 tests automatisés
- packaging/test/test-install-rpm.sh : 11 tests automatisés
- Dockerfile.deb/rpm : Containers de test dédiés

Makefile:
- package-deb : Build .deb
- package-rpm : Build .rpm via Docker (no-cache)
- package : Build les deux
- test-package-deb : Build + test installation DEB
- test-package-rpm : Build + test installation RPM
- test-package : Test les deux packages

Tests:
- ✅ DEB: 11/11 tests passés (binaire, config, service, user, dirs)
- ✅ RPM: Build réussi (3.3 MB)
- Version sanitization pour git tags (ex: efd4481-dirty → 0.0.0+efd4481-dirty)

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

packaging/systemd/config.yml

@@ -0,0 +1,35 @@
+# JA4Sentinel Configuration
+# Default configuration file for ja4sentinel service
+
+core:
+  # Network interface to monitor (use 'ip link' to list available interfaces)
+  interface: eth0
+  
+  # TCP ports to monitor for TLS handshakes
+  listen_ports:
+    - 443
+    - 8443
+  
+  # Optional BPF filter (leave empty for default port-based filter)
+  bpf_filter: ""
+  
+  # Timeout in seconds for TLS handshake extraction per flow
+  flow_timeout_sec: 30
+
+# Output configuration - enable one or more outputs
+outputs:
+  # Log to stdout (captured by journald)
+  - type: stdout
+    enabled: true
+  
+  # Log to file (optional)
+  # - type: file
+  #   enabled: false
+  #   params:
+  #     path: /var/log/ja4sentinel/ja4.json
+  
+  # Log to UNIX socket (optional, for external processing)
+  # - type: unix_socket
+  #   enabled: false
+  #   params:
+  #     socket_path: /var/run/ja4sentinel/ja4.sock

packaging/systemd/ja4sentinel.service

@@ -0,0 +1,39 @@
+[Unit]
+Description=JA4 client fingerprinting daemon
+Documentation=https://github.com/your-repo/ja4sentinel
+After=network.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=ja4sentinel
+Group=ja4sentinel
+WorkingDirectory=/var/lib/ja4sentinel
+ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
+Restart=on-failure
+RestartSec=5
+Environment=JA4SENTINEL_LOG_LEVEL=info
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+
+# Capabilities for packet capture
+AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=64
+
+[Install]
+WantedBy=multi-user.target