# Contributor: Alex Denes <caskd@redxen.eu>
# Maintainer: Alex Denes <caskd@redxen.eu>
# Repository-wide defaults, sourced relative to the aport directory abuild
# runs in. Its contents are not visible here, so anything it sets (arch,
# license, url, subpackages, ...) is assumed rather than verified.
. ../../APKBUILD.template

pkgname=nnd-s6-services
pkgver=3.61
pkgrel=0
pkgdesc="Base services for s6"
# Runtime dependencies of the generated services: the s6-rc database tooling,
# the s6 utilities the run scripts call, and the execline interpreter.
depends="
	s6-rc>=0.5.4
	s6-portable-utils>=2.3.0
	s6-linux-utils>=2.6.2
	execline>=2.9
"
# Go is only needed to compile the s6-netdev generator in build(); the
# resulting binary is not shipped.
makedepends="
	go>=1.22.5
"
# The generator source is pinned to a full commit hash (not a branch or tag)
# and its tarball is verified against sha512sums, so the forge cannot
# substitute different content without the build failing. If the forge
# regenerates its archives the checksum will drift — that is a loud build
# failure, which is the desired failure mode.
_s6netdev_commit="0a70be7e65a412894e5860d600a2500249c6a0ea"
source="
	s6-netdev-${_s6netdev_commit}.tar.gz::https://git.redxen.eu/nnd/s6-netdev/archive/${_s6netdev_commit}.tar.gz
"
# The tarball extracts to $srcdir/s6-netdev; the aport's own rc/, tmpl/ and
# scripts/ are copied alongside it in prepare().
builddir="$srcdir/"
# Install prefix for the generated service bundles.
_distpfx="usr/share/nnd/s6/dist"
# Network access is allowed during build(), presumably so 'go build' can fetch
# module dependencies. Anything downloaded that way is NOT covered by
# sha512sums; its integrity rests on the go.sum inside the pinned commit
# (not visible here) — confirm it is present and committed.
options="net"
prepare() {
	# Run abuild's default_prepare first, then stage the hand-maintained
	# inputs from the aport directory ($startdir) into $builddir so that
	# build() finds them next to the extracted s6-netdev source.
	local d
	default_prepare
	for d in rc tmpl scripts; do
		cp -R "$startdir/$d" "$builddir/$d"
	done
	cp "$startdir/manage.sh" "$builddir/manage.sh"
}
build() {
	# Produces the s6-rc service definitions under $builddir/rc. Everything
	# in this function runs at package build time only: the sysctl, mount,
	# module and user settings listed below are turned into services that
	# apply them on the target at boot; nothing here touches the build host.

	# Generate generic network configuration.
	# 'go build' may resolve module dependencies over the network here
	# (options="net"); those modules are not covered by sha512sums, so their
	# integrity depends on the go.sum in the pinned s6-netdev commit — confirm
	# it is present there. The generator binary itself is not packaged.
	cd "$builddir"/s6-netdev
	go build -v -o bin ./generic

	# Run the freshly built generator from $builddir; where it writes its
	# output is decided by the generator (not visible here).
	cd "$builddir"
	"$builddir"/s6-netdev/bin

	# Every generator script below writes into the current directory, so the
	# generated service directories land in rc/ next to the hand-written ones.
	cd "$builddir"/rc
	# Autogenerate some repetitive services

	# One module.<name> service per kernel module named on stdin.
	msg "generate-module.sh"
	"$builddir"/scripts/generate-module.sh <<-EOF
	8021q
	9p
	binfmt_misc
	bonding
	br_netfilter
	bridge
	btrfs
	ceph
	cifs
	dm-mod
	dm-multipath
	dummy
	efivarfs
	ext2
	ext3
	ext4
	fat
	fuse
	hfs
	hfsplus
	hpfs
	ipv6
	jffs2
	kvm
	loop
	nfs
	ntfs3
	overlay
	snd
	stp
	tun
	udf
	ufs
	vfat
	vfio
	vhost_net
	vrf
	wireguard
	xfs
	zstd
	EOF

	# One sysctl service per line, format key,value,<third>. The meaning of
	# the third column is defined by scripts/generate-sysctl.sh (not visible
	# here); for most rows it resembles the kernel default, so it is
	# presumably the value restored when the service is brought down — confirm.
	# Hardening present: legacy TIOCSTI off, kptr_restrict=2, sysrq disabled,
	# fs/protected_* enabled, strict overcommit (overcommit_memory=2).
	# NOTE(review): net/ipv4/ip_unprivileged_port_start=0 lets ANY
	# unprivileged process bind ports below 1024 without CAP_NET_BIND_SERVICE,
	# so a local user can squat e.g. 22/80/443 while the real daemon is down
	# or restarting. Keep this only if services are deliberately run
	# unprivileged on low ports; otherwise drop the row or raise the value.
	# NOTE(review): IPv4 and IPv6 forwarding are enabled on all interfaces,
	# which makes every host a router — presumably for VM/container bridging
	# (bridge-nf-call-* is also on); confirm this is intended on hosts that
	# are not hypervisors.
	msg "generate-sysctl.sh"
	"$builddir"/scripts/generate-sysctl.sh <<-EOF
	dev/tty/legacy_tiocsti,0,0
	fs/aio-max-nr,262140,65535
	kernel/hostname,nnd-localhost,nnd-localhost
	kernel/kptr_restrict,2,0
	kernel/sysrq,0,1
	fs/protected_symlinks,1,0
	fs/protected_hardlinks,1,0
	fs/protected_fifos,2,0
	fs/protected_regular,2,0
	net/bridge/bridge-nf-call-ip6tables,1,0
	net/bridge/bridge-nf-call-iptables,1,0
	net/ipv4/conf/all/forwarding,1,0
	net/ipv4/conf/all/keep_addr_on_down,1,0
	net/ipv4/conf/default/forwarding,1,0
	net/ipv4/conf/default/keep_addr_on_down,1,0
	net/ipv4/ip_forward,1,0
	net/ipv4/ip_unprivileged_port_start,0,1024
	net/ipv4/tcp_ecn,1,2
	net/ipv4/tcp_l3mdev_accept,1,0
	net/ipv4/udp_l3mdev_accept,1,0
	net/ipv6/conf/all/forwarding,1,0
	net/ipv6/conf/all/keep_addr_on_down,1,0
	net/ipv6/conf/default/forwarding,1,0
	net/ipv6/conf/default/keep_addr_on_down,1,0
	vm/dirty_background_ratio,10,10
	vm/dirty_expire_centisecs,3000,10
	vm/dirty_ratio,20,10
	vm/dirty_writeback_centisecs,500,10
	vm/nr_hugepages,1000,0
	vm/overcommit_memory,2,0
	vm/overcommit_ratio,95,95
	vm/swappiness,10,10
	EOF

	# One mount service per line: source,mountpoint,fstype,options...
	# Pseudo-filesystems are nosuid/nodev/noexec and /proc uses hidepid=2
	# (other users' processes hidden). /run and /tmp are deliberately left
	# without noexec — presumably because something executes from them;
	# if nothing does, adding noexec to both would close a common staging
	# location for dropped binaries.
	msg "generate-mount.sh"
	"$builddir"/scripts/generate-mount.sh <<-EOF
	LABEL=nnd-root,/,btrfs,rw
	LABEL=nnd-boot,/boot,ext4,rw
	LABEL=nnd-efi,/boot/efi,vfat,rw
	none,/proc,proc,nosuid,nodev,noexec,hidepid=2
	none,/dev,devtmpfs,nosuid,noexec,mode=755,inode64
	none,/dev/hugepages,hugetlbfs,pagesize=2M
	none,/dev/mqueue,mqueue,nosuid,noexec,nodev
	none,/dev/pts,devpts,nosuid,noexec,mode=620,ptmxmode=000
	none,/dev/shm,tmpfs,nosuid,noexec,nodev,inode64
	none,/proc/sys/fs/binfmt_misc,binfmt_misc,rw,nosuid,nodev,noexec,relatime
	none,/run,tmpfs,nodev,nosuid,mode=755,inode64
	none,/sys/firmware/efi/efivars,efivarfs,nosuid,nodev,noexec
	none,/sys/fs/cgroup,cgroup2,rw,nosuid,nodev,noexec,relatime,nsdelegate
	none,/sys/fs/pstore,pstore,nosuid,nodev,noexec
	none,/sys/kernel/security,securityfs,nosuid,nodev,noexec
	none,/sys,sysfs,nosuid,nodev,noexec
	none,/tmp,tmpfs,nodev,nosuid
	EOF
	# IMPORTANT NOTE: some properties of these services are still intentionally
	# maintained by hand in the rc directory and are not produced by the
	# generators above.

	# One dir.* service per line: path,<service it presumably depends on>
	# (e.g. mount.root, dir.var). The ownership and mode of state directories
	# for privacy-sensitive daemons (/var/lib/tor, /var/lib/i2pd,
	# /var/lib/libvirt) are whatever generate-dir.sh emits — verify they are
	# not world-readable.
	msg "generate-dir.sh"
	"$builddir"/scripts/generate-dir.sh <<-EOF
	/boot,mount.root
	/boot/efi,mount.boot
	/dev,mount.root
	/proc,mount.root
	/run,mount.root
	/run/dbus,mount.run
	/run/podman,mount.run
	/run/lldpd,mount.run
	/run/lvm,mount.run
	/run/wpa_supplicant,mount.run
	/run/hostapd,mount.run
	/etc,mount.root
	/etc/crontabs,dir.etc
	/etc/acpi,dir.etc
	/sys,mount.root
	/tmp,mount.root
	/var,mount.root
	/var/empty,dir.var
	/var/lib/i2pd,dir.var
	/var/lib/libvirt,dir.var
	/var/lib/tor,dir.var
	/var/lock,dir.var
	/var/log,dir.var
	EOF

	# Service accounts: name,shell. All get /sbin/nologin, so none of them is
	# an interactive login.
	msg "generate-user.sh"
	"$builddir"/scripts/generate-user.sh <<-EOF
	sshd,/sbin/nologin
	seat,/sbin/nologin
	tor,/sbin/nologin
	i2pd,/sbin/nologin
	yggdrasil,/sbin/nologin
	nginx,/sbin/nologin
	EOF

	# Groups to create (one per line).
	msg "generate-group.sh"
	"$builddir"/scripts/generate-group.sh <<-EOF
	seat
	EOF

	# libvirt modular daemons: daemon,dependency,dependency,...
	msg "generate-libvirt.sh"
	"$builddir"/scripts/generate-libvirt.sh <<-EOF
	interface,bundle.hw-coldplug,libvirt.lock,libvirt.log,module.tun
	lock,dir.var-lock
	log,libvirt.lock,mount.root
	lxc,libvirt.lock,libvirt.log
	network,libvirt.lock,libvirt.log,module.tun
	nodedev,bundle.hw-coldplug,libvirt.lock,libvirt.log,mount.dev
	proxy,libvirt.lock,libvirt.log
	qemu,libvirt.lock,module.kvm,mount.root,libvirt.log,sys.kernel-mm-ksm-run
	secret,libvirt.lock,libvirt.log,mount.root
	storage,libvirt.lock,libvirt.log,mount.root,libvirt.secret
	EOF

	# One logger service per listed service name (stdout/stderr capture).
	msg "generate-logger.sh"
	"$builddir"/scripts/generate-logger.sh <<-EOF
	acpid
	auditd
	bird
	bluetoothd
	ceph-exporter
	chronyd
	containerd
	crond
	cupsd
	dbus
	dbus-session
	dmeventd
	dockerd
	gortr
	hostapd
	i2pd
	irqbalance
	klogd
	kubelet
	libvirt.interface
	libvirt.lock
	libvirt.log
	libvirt.lxc
	libvirt.network
	libvirt.nodedev
	libvirt.proxy
	libvirt.qemu
	libvirt.secret
	libvirt.storage
	lldpd
	lvmlockd
	lxd
	mdevd
	multipathd
	nginx
	ntpd
	pcscd
	pipewire
	pipewire-pulse
	polkitd
	prometheus-node-exporter
	prometheus-smartctl-exporter
	qemu-ga
	radvd
	seatd
	sshd
	syslogd
	tor
	udevd
	wireplumber
	wpa_supplicant
	yggdrasil
	EOF

	# binfmt_misc handlers for foreign-arch ELF (qemu user emulation) and
	# Windows PE (wine). Once registered, matching files are executed
	# transparently by whatever interpreter path each template names, so
	# review the templates in tmpl/ when adding handlers.
	msg "generate-binfmt.sh"
	"$builddir"/scripts/generate-binfmt.sh <<-EOF
	qemu-x86_64
	qemu-aarch64
	qemu-riscv64
	wine
	EOF

	# Enforce module signature checks by default if the kernel is not already
	# doing so. On mainline kernels writing 1 to
	# /sys/module/module/parameters/sig_enforce is one-way (it cannot be
	# cleared until reboot) and only affects modules loaded after the write;
	# anything loaded earlier by the initramfs or init is unverified, hence
	# "at least after init". The write presumably fails on kernels built
	# without CONFIG_MODULE_SIG — check how the generated service handles that.
	msg "generate-module-params.sh"
	"$builddir"/scripts/generate-module-params.sh <<-EOF
	module,sig_enforce,1,0
	EOF
	# Drop the generated dependency on a "module.module" service: "module" is
	# not a loadable module, so (presumably) no such service exists and the
	# sig_enforce service would otherwise never start — confirm against
	# generate-module-params.sh.
	rm -v "module.module.sig_enforce"/dependencies.d/module.module

	# Generate 2 TTYs (getty services for tty1 and tty2).
	msg "generate-tty.sh"
	seq 1 2 | sed 's/^/tty/' | "$builddir"/scripts/generate-getty.sh
}
package() {
	# Lay out the package tree: generated service bundles under $_distpfx,
	# templates and generator scripts under /usr/libexec/nnd/s6, the manager
	# as /usr/bin/nnd-s6, and an empty /etc/s6 skeleton for local overrides.
	local dist="$pkgdir/$_distpfx"
	local libexec="$pkgdir/usr/libexec/nnd"
	local rc_root="$pkgdir/etc/s6/rc"

	# Distributed bundles (rc/ was populated by build()).
	mkdir -p "$dist" "$dist"/env
	mv "$builddir"/rc "$dist"/rc

	# The template tree becomes the s6 libexec root and the scripts go
	# underneath it, so the order of these two moves matters.
	mkdir -p "$libexec"/
	mv "$builddir"/tmpl "$libexec"/s6
	mv "$builddir"/scripts "$libexec"/s6/scripts

	# Manager CLI, mode 0755 (install -D creates /usr/bin as needed).
	install -Dm755 "$builddir"/manage.sh "$pkgdir"/usr/bin/nnd-s6

	# Defaults: per-host service and environment directories, plus two empty
	# s6-rc bundles ("default" and "bundle.custom") for the admin to fill.
	mkdir -p "$pkgdir"/etc/s6/sv "$pkgdir"/etc/s6/env "$rc_root"
	for bundle in default bundle.custom; do
		mkdir -p "$rc_root/$bundle"/contents.d
		echo bundle > "$rc_root/$bundle"/type
	done
}
check() {
	# Compile the generated service database into a scratch directory. This
	# is the only validation the generated rc/ tree gets before packaging;
	# s6-rc-compile should reject dangling dependencies, cycles and
	# malformed service directories.
	local db="$builddir"/compiled
	local src="$builddir"/rc
	s6-rc-compile "$db" "$src"
}
_bundle() {
	# Split helper for the per-bundle subpackages: the bundle name is the
	# subpackage name with the "$pkgname-" prefix stripped. The env directory
	# is optional and only moved when present; the rc directory must exist.
	local bundle="${subpkgname##$pkgname-}"
	if [ -d "$pkgdir/$_distpfx/env/$bundle" ]; then
		amove "$_distpfx/env/$bundle"
	fi
	amove "$_distpfx/rc/$bundle"
}
# Pins the exact bytes of the s6-netdev tarball named in source=; any
# mismatch aborts the build. Regenerate with 'abuild checksum' whenever
# _s6netdev_commit changes, and review the diff of the new archive when
# doing so — the checksum only proves the download matches what the
# maintainer saw, not that the content is safe.
sha512sums="
30f263674452a1f70a9ac6c904d19fd1cde056935823027ce343b67b04a5bc35461c2ae703668c90839050cc648c03da6726984917bd18debbc7545fce21b3c9  s6-netdev-0a70be7e65a412894e5860d600a2500249c6a0ea.tar.gz
"