Update spec for compiler flags and systemd user

C and C++ flags are now retrieved from 'optflags' macro. In Fedora this
is:

CFLAGS='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer '

Additionally, user creation is moved to systemd.

pki.spec

@@ -669,6 +669,9 @@ Provides:         bundled(js-jquery-i18n-properties) = 1.2.7
 Provides:         bundled(js-patternfly) = 3.59.2
 Provides:         bundled(js-underscore) = 1.9.2
 
+Provides:       user(%{pki_username})
+Provides:       group(%{pki_groupname})
+
 %description -n   %{product_id}-server
 This package provides libraries and utilities needed by %{product_name} services.
 
@@ -1197,6 +1200,13 @@ fi
 %if %{with console}
 %mvn_package org.dogtagpki.pki:pki-console        pki-console
 %endif
+
+# Create a sysusers.d config file
+
+cat > %{product_id}.sysusers.conf <<EOF
+g %{pki_username} %{pki_gid}
+u %{pki_groupname} %{pki_uid} 'Certificate System' %{pki_homedir} -
+EOF
 
 ################################################################################
 %build
@@ -1266,45 +1276,8 @@ popd
 %endif
 
 # Remove all symbol table and relocation information from the executable.
-C_FLAGS="-s"
-CXX_FLAGS="$CXX_FLAGS -g -fPIE -pie"
-
-%if 0%{?fedora} || 0%{?rhel} && 0%{?rhel} >= 10
-# https://sourceware.org/annobin/annobin.html/Test-gaps.html
-C_FLAGS="$C_FLAGS -fplugin=annobin"
-
-%ifarch x86_64
-# https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
-C_FLAGS="$C_FLAGS -fcf-protection=full"
-CXX_FLAGS="$CXX_FLAGS -fcf-protection=full"
-%endif
-
-# https://sourceware.org/annobin/annobin.html/Test-optimization.html
-C_FLAGS="$C_FLAGS -O2"
-CXX_FLAGS="$CXX_FLAGS -O2"
-
-# https://sourceware.org/annobin/annobin.html/Test-glibcxx-assertions.html
-C_FLAGS="$C_FLAGS -D_GLIBCXX_ASSERTIONS"
-CXX_FLAGS="$CXX_FLAGS -D_GLIBCXX_ASSERTIONS"
-
-# https://sourceware.org/annobin/annobin.html/Test-lto.html
-C_FLAGS="$C_FLAGS -flto"
-
-# https://sourceware.org/annobin/annobin.html/Test-fortify.html
-C_FLAGS="$C_FLAGS -D_FORTIFY_SOURCE=3"
-CXX_FLAGS="$CXX_FLAGS -D_FORTIFY_SOURCE=3"
-
-# https://sourceware.org/annobin/annobin.html/Test-stack-clash.html
-C_FLAGS="$C_FLAGS -fstack-clash-protection"
-CXX_FLAGS="$CXX_FLAGS -fstack-clash-protection"
-
-%ifarch aarch64
-# https://sourceware.org/annobin/annobin.html/Test-dynamic-tags.html
-C_FLAGS="$C_FLAGS -mbranch-protection=standard"
-CXX_FLAGS="$CXX_FLAGS -mbranch-protection=standard"
-%endif
-
-%endif
+C_FLAGS="%{optflags}"
+CXX_FLAGS="%{optflags}"
 
 pkgs=base\
 %{?with_server:,server}\
@@ -1541,15 +1514,9 @@ xmlstarlet edit --inplace \
 
 %if %{with server}
 
-%pre -n %{product_id}-server
-
-# create PKI group if it doesn't exist
-getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
+install -m0644 -D %{product_id}.sysusers.conf %{buildroot}%{_sysusersdir}/%{product_id}.conf
 
-# create PKI user if it doesn't exist
-if ! getent passwd %{pki_username} >/dev/null ; then
-    useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
-fi
+%pre -n %{product_id}-server
 
 # create PKI home directory if it doesn't exist
 if [ ! -d %{pki_homedir} ] ; then
@@ -1820,6 +1787,7 @@ fi
 %{_mandir}/man8/pki-healthcheck.8.gz
 %{_datadir}/pki/setup/
 %{_datadir}/pki/server/
+%{_sysusersdir}/%{product_id}.conf
 
 %if %{without maven}
 %{_datadir}/java/pki/pki-server.jar