ports/main/nnd-s6-services/APKBUILD

# Contributor: Alex Denes <caskd@redxen.eu>
# Maintainer: Alex Denes <caskd@redxen.eu>
. ../../APKBUILD.template

pkgname=nnd-s6-services
pkgver=3.61
pkgrel=0
pkgdesc="Base services for s6"
depends="
	s6-rc>=0.5.4
	s6-portable-utils>=2.3.0
	s6-linux-utils>=2.6.2
	execline>=2.9
"
makedepends="
	go>=1.22.5
"
_s6netdev_commit="0a70be7e65a412894e5860d600a2500249c6a0ea"
source="
	s6-netdev-${_s6netdev_commit}.tar.gz::https://git.redxen.eu/nnd/s6-netdev/archive/${_s6netdev_commit}.tar.gz
"
builddir="$srcdir/"
_distpfx="usr/share/nnd/s6/dist"
options="net"

prepare() {
	default_prepare
	cp -R "$startdir"/rc "$builddir"/rc
	cp -R "$startdir"/tmpl "$builddir"/tmpl
	cp -R "$startdir"/scripts "$builddir"/scripts
	cp "$startdir"/manage.sh "$builddir"/manage.sh
}

build() {
	# Generate generic network configuration
	cd "$builddir"/s6-netdev
	go build -v -o bin ./generic

	cd "$builddir"
	"$builddir"/s6-netdev/bin

	cd "$builddir"/rc
	# Autogenerate some repetitive services

	msg "generate-module.sh"
	"$builddir"/scripts/generate-module.sh <<-EOF
		8021q
		9p
		binfmt_misc
		bonding
		br_netfilter
		bridge
		btrfs
		ceph
		cifs
		dm-mod
		dm-multipath
		dummy
		efivarfs
		ext2
		ext3
		ext4
		fat
		fuse
		hfs
		hfsplus
		hpfs
		ipv6
		jffs2
		kvm
		loop
		nfs
		ntfs3
		overlay
		snd
		stp
		tun
		udf
		ufs
		vfat
		vfio
		vhost_net
		vrf
		wireguard
		xfs
		zstd
	EOF

	msg "generate-sysctl.sh"
	"$builddir"/scripts/generate-sysctl.sh <<-EOF
		dev/tty/legacy_tiocsti,0,0
		fs/aio-max-nr,262140,65535
		kernel/hostname,nnd-localhost,nnd-localhost
		kernel/kptr_restrict,2,0
		kernel/sysrq,0,1
		fs/protected_symlinks,1,0
		fs/protected_hardlinks,1,0
		fs/protected_fifos,2,0
		fs/protected_regular,2,0
		net/bridge/bridge-nf-call-ip6tables,1,0
		net/bridge/bridge-nf-call-iptables,1,0
		net/ipv4/conf/all/forwarding,1,0
		net/ipv4/conf/all/keep_addr_on_down,1,0
		net/ipv4/conf/default/forwarding,1,0
		net/ipv4/conf/default/keep_addr_on_down,1,0
		net/ipv4/ip_forward,1,0
		net/ipv4/ip_unprivileged_port_start,0,1024
		net/ipv4/tcp_ecn,1,2
		net/ipv4/tcp_l3mdev_accept,1,0
		net/ipv4/udp_l3mdev_accept,1,0
		net/ipv6/conf/all/forwarding,1,0
		net/ipv6/conf/all/keep_addr_on_down,1,0
		net/ipv6/conf/default/forwarding,1,0
		net/ipv6/conf/default/keep_addr_on_down,1,0
		vm/dirty_background_ratio,10,10
		vm/dirty_expire_centisecs,3000,10
		vm/dirty_ratio,20,10
		vm/dirty_writeback_centisecs,500,10
		vm/nr_hugepages,1000,0
		vm/overcommit_memory,2,0
		vm/overcommit_ratio,95,95
		vm/swappiness,10,10
	EOF

	msg "generate-mount.sh"
	"$builddir"/scripts/generate-mount.sh <<-EOF
		LABEL=nnd-root,/,btrfs,rw
		LABEL=nnd-boot,/boot,ext4,rw
		LABEL=nnd-efi,/boot/efi,vfat,rw
		none,/proc,proc,nosuid,nodev,noexec,hidepid=2
		none,/dev,devtmpfs,nosuid,noexec,mode=755,inode64
		none,/dev/hugepages,hugetlbfs,pagesize=2M
		none,/dev/mqueue,mqueue,nosuid,noexec,nodev
		none,/dev/pts,devpts,nosuid,noexec,mode=620,ptmxmode=000
		none,/dev/shm,tmpfs,nosuid,noexec,nodev,inode64
		none,/proc/sys/fs/binfmt_misc,binfmt_misc,rw,nosuid,nodev,noexec,relatime
		none,/run,tmpfs,nodev,nosuid,mode=755,inode64
		none,/sys/firmware/efi/efivars,efivarfs,nosuid,nodev,noexec
		none,/sys/fs/cgroup,cgroup2,rw,nosuid,nodev,noexec,relatime,nsdelegate
		none,/sys/fs/pstore,pstore,nosuid,nodev,noexec
		none,/sys/kernel/security,securityfs,nosuid,nodev,noexec
		none,/sys,sysfs,nosuid,nodev,noexec
		none,/tmp,tmpfs,nodev,nosuid
	EOF
	# IMPORTANT NOTE: SOME PROPERTIES OF THESE SERVICES ARE STILL INTENTIONALLY PRESENT IN THE RC DIRECTORY

	msg "generate-dir.sh"
	"$builddir"/scripts/generate-dir.sh <<-EOF
		/boot,mount.root
		/boot/efi,mount.boot
		/dev,mount.root
		/proc,mount.root
		/run,mount.root
		/run/dbus,mount.run
		/run/podman,mount.run
		/run/lldpd,mount.run
		/run/lvm,mount.run
		/run/wpa_supplicant,mount.run
		/run/hostapd,mount.run
		/etc,mount.root
		/etc/crontabs,dir.etc
		/etc/acpi,dir.etc
		/sys,mount.root
		/tmp,mount.root
		/var,mount.root
		/var/empty,dir.var
		/var/lib/i2pd,dir.var
		/var/lib/libvirt,dir.var
		/var/lib/tor,dir.var
		/var/lock,dir.var
		/var/log,dir.var
	EOF

	msg "generate-user.sh"
	"$builddir"/scripts/generate-user.sh <<-EOF
		sshd,/sbin/nologin
		seat,/sbin/nologin
		tor,/sbin/nologin
		i2pd,/sbin/nologin
		yggdrasil,/sbin/nologin
		nginx,/sbin/nologin
	EOF

	msg "generate-group.sh"
	"$builddir"/scripts/generate-group.sh <<-EOF
		seat
	EOF

	msg "generate-libvirt.sh"
	"$builddir"/scripts/generate-libvirt.sh <<-EOF
		interface,bundle.hw-coldplug,libvirt.lock,libvirt.log,module.tun
		lock,dir.var-lock
		log,libvirt.lock,mount.root
		lxc,libvirt.lock,libvirt.log
		network,libvirt.lock,libvirt.log,module.tun
		nodedev,bundle.hw-coldplug,libvirt.lock,libvirt.log,mount.dev
		proxy,libvirt.lock,libvirt.log
		qemu,libvirt.lock,module.kvm,mount.root,libvirt.log,sys.kernel-mm-ksm-run
		secret,libvirt.lock,libvirt.log,mount.root
		storage,libvirt.lock,libvirt.log,mount.root,libvirt.secret
	EOF

	msg "generate-logger.sh"
	"$builddir"/scripts/generate-logger.sh <<-EOF
		acpid
		auditd
		bird
		bluetoothd
		ceph-exporter
		chronyd
		containerd
		crond
		cupsd
		dbus
		dbus-session
		dmeventd
		dockerd
		gortr
		hostapd
		i2pd
		irqbalance
		klogd
		kubelet
		libvirt.interface
		libvirt.lock
		libvirt.log
		libvirt.lxc
		libvirt.network
		libvirt.nodedev
		libvirt.proxy
		libvirt.qemu
		libvirt.secret
		libvirt.storage
		lldpd
		lvmlockd
		lxd
		mdevd
		multipathd
		nginx
		ntpd
		pcscd
		pipewire
		pipewire-pulse
		polkitd
		prometheus-node-exporter
		prometheus-smartctl-exporter
		qemu-ga
		radvd
		seatd
		sshd
		syslogd
		tor
		udevd
		wireplumber
		wpa_supplicant
		yggdrasil
	EOF

	msg "generate-binfmt.sh"
	"$builddir"/scripts/generate-binfmt.sh <<-EOF
		qemu-x86_64
		qemu-aarch64
		qemu-riscv64
		wine
	EOF

	# Enforce signature checks by default if not already doing so, protecting at least after init
	msg "generate-module-params.sh"
	"$builddir"/scripts/generate-module-params.sh <<-EOF
		module,sig_enforce,1,0
	EOF
	rm -v "module.module.sig_enforce"/dependencies.d/module.module

	# Generate 2 TTYs
	msg "generate-tty.sh"
	seq 1 2 | sed 's/^/tty/' | "$builddir"/scripts/generate-getty.sh
}

package() {
	# Distributed bundles
	mkdir -p "$pkgdir/$_distpfx"
	mkdir -p "$pkgdir/$_distpfx"/env
	mv "$builddir"/rc "$pkgdir/$_distpfx"/rc

	mkdir -p "$pkgdir/usr/libexec/nnd/"
	mv "$builddir"/tmpl "$pkgdir/usr/libexec/nnd"/s6
	mv "$builddir"/scripts "$pkgdir/usr/libexec/nnd"/s6/scripts

	# Manager
	install -Dm755 "$builddir"/manage.sh "$pkgdir"/usr/bin/nnd-s6

	# Defaults
	mkdir -p "$pkgdir"/etc/s6/sv

	mkdir -p "$pkgdir"/etc/s6/env

	local RCPFX="/etc/s6/rc"
	mkdir -p "$pkgdir"/"$RCPFX"
	for x in default bundle.custom; do 
		mkdir -p "$pkgdir"/"$RCPFX"/"$x"/contents.d
		echo bundle > "$pkgdir"/"$RCPFX"/"$x"/type
	done
}

check() {
	s6-rc-compile "$builddir"/compiled "$builddir"/rc
}

_bundle() {
	local _BNAME="${subpkgname##$pkgname-}"
	[ -d "$pkgdir/$_distpfx/env/$_BNAME" ] && amove "$_distpfx/env/$_BNAME"
	amove "$_distpfx/rc/$_BNAME"
}
sha512sums="
30f263674452a1f70a9ac6c904d19fd1cde056935823027ce343b67b04a5bc35461c2ae703668c90839050cc648c03da6726984917bd18debbc7545fce21b3c9  s6-netdev-0a70be7e65a412894e5860d600a2500249c6a0ea.tar.gz
"