#!/bin/bash
# makeroot — assembles an Arch Linux root filesystem with pacstrap and then
# rearranges it into the layout ostree expects (/etc under /usr, mutable
# state under /var, the initramfs next to the kernel modules).
#
# Required environment (read further down):
#   ARCH_ROOTFS       directory the rootfs is assembled in
#   OUTDIR            where AUR checkouts and builds are kept
#   PKGCACHE_PATCHED  cache of locally patched packages
#
# Runs as root (mount, pacstrap, arch-chroot) and expects an unprivileged
# `builder` account for git/makepkg work.
# -x traces every command to stderr, -u makes an unset variable fatal
# (an *empty* ARCH_ROOTFS is not caught by it), pipefail makes a failing
# pipeline stage fatal.
set -xeuo pipefail
# Everything pacstrap installs into the new rootfs, grouped by purpose.
packages=(
  # base system, kernel and microcode
  base
  linux-firmware
  linux-zen
  linux-zen-headers
  intel-ucode
  amd-ucode
  # ostree itself
  ostree
  # filesystem and partitioning tools
  btrfs-progs
  cryptsetup
  dosfstools
  lvm2
  sshfs
  xfsprogs
  # security
  apparmor
  sudo
  # command-line utilities
  android-tools
  bash-completion
  bc
  fd
  git
  htop
  jq
  man-db
  neovim
  ripgrep
  openssh
  sd
  tmux
  usbutils
  yq
  # containers
  podman
  toolbox
  # foreign-architecture emulation
  qemu-user-static
  qemu-user-static-binfmt
  # audio stack
  pavucontrol
  pipewire
  pipewire-alsa
  pipewire-audio
  pipewire-jack
  pipewire-pulse
  wireplumber
  # graphics drivers and tools
  glxinfo
  vulkan-icd-loader
  vulkan-intel
  vulkan-radeon
  vulkan-tools
  # desktop: compositor, login manager, portals
  dunst
  grim
  hyprland
  kdeconnect
  polkit-kde-agent
  qt5-wayland
  sddm
  slurp
  xdg-desktop-portal
  xdg-desktop-portal-gtk
  xdg-desktop-portal-hyprland
  xorg-xwayland
  # desktop: fonts
  ttf-dejavu
  ttf-dejavu-nerd
  ttf-font-awesome
  ttf-roboto
  ttf-roboto-mono
  noto-fonts
  noto-fonts-cjk
  noto-fonts-emoji
  noto-fonts-extra
  otf-font-awesome
  # desktop: applications
  alacritty
  flatpak
  meld
  mpv
  swaylock
  swayidle
  waybar
  wofi
  # networking
  networkmanager
  wireguard-tools
  # bluetooth
  bluez
  bluez-utils
  blueberry
  # virtual webcam for OBS
  v4l2loopback-dkms
  v4l2loopback-utils
  v4l-utils
  # file sharing
  samba
  # remote unlock
  tinyssh
  # retroarch
  retroarch
  retroarch-assets-ozone
  retroarch-assets-xmb
  libretro-core-info
)
# Installed packages that get rebuilt with local patches by
# build_patched_packages; currently none.
patched_packages=()
# Packages built from the AUR (see build_aur_package) and later installed
# into the chroot with `pacman -U`.
aur_packages=(
  mkinitcpio-systemd-extras
  xwaylandvideobridge-cursor-mode-2-git
)
# Where the system is assembled (ARCH_ROOTFS comes from the environment) and
# the bind mount through which pacstrap/arch-chroot operate on it.
rootfs=$ARCH_ROOTFS
chroot=/root/chroot
# Filled by build_aur_package with the absolute path of each built package.
declare -a aur_package_files=()
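#######################################
# Rebuild every package listed in patched_packages against the version that
# pacstrap installed into the chroot.
# Globals:   patched_packages, chroot, PKGCACHE_PATCHED, PWD (read)
# Outputs:   whatever scripts/package_patcher prints
# Returns:   1 when a package is not installed in the chroot; aborts under
#            set -e on any other failure
#######################################
build_patched_packages() {
  local package version
  for package in "${patched_packages[@]}"; do
    # Declaration and assignment are split so a failing `pacman -Q` is not
    # masked by `local` returning 0.
    version=$(arch-chroot "$chroot" pacman -Q "$package" | awk '{print $2}')
    if [[ -z "$version" ]]; then
      printf 'build_patched_packages: %s is not installed in %s\n' \
        "$package" "$chroot" >&2
      return 1
    fi
    # The patcher runs unprivileged as `builder` and is told what to patch
    # through its environment.
    sudo -u builder \
      PACKAGE_NAME="$package" \
      PACKAGE_VERSION="$version" \
      PKGCACHE_PATCHED="$PKGCACHE_PATCHED" \
      "$PWD/scripts/package_patcher"
  done
}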
#######################################
# Drop configuration into the (still empty) rootfs before pacstrap runs, so
# that package post-install hooks already see the final config. That
# matters most for mkinitcpio, which is slow and should not run twice.
# Globals:   rootfs, PWD (read)
# Side effects: copies this host's ed25519 SSH host key files (the glob
#   matches the private key as well as the .pub) and root's authorized_keys
#   into the rootfs, so the image carries this host's SSH identity.
#######################################
pre_pacstrap_config() {
  local files="$PWD/files"
  local etc="$rootfs/etc"

  mkdir -p "$etc/mkinitcpio.conf.d"
  cp "$files/mkinitcpio.conf" "$etc/mkinitcpio.conf.d/ostree.conf"

  local keymaps="$rootfs/usr/share/kbd/keymaps/i386/dvorak"
  mkdir -p "$keymaps"
  cp "$files/dvorak-m1cha.map" "$keymaps/"
  cp "$files/vconsole.conf" "$etc/"

  mkdir -p "$etc/systemd/network-initramfs"
  cp "$files/20-wired.network" "$etc/systemd/network-initramfs/"

  mkdir -p "$etc/ssh"
  cp "/etc/ssh/ssh_host_ed25519_key"* "$etc/ssh/"

  mkdir -p "$rootfs/root/.ssh"
  cp "/root/.ssh/authorized_keys" "$rootfs/root/.ssh/authorized_keys"
}
#######################################
# Register the custom "dvp-m1cha" xkb variant: the stock programmer-Dvorak
# <variant> entry in evdev.xml is duplicated under the new name, the layout
# symbols from files/xkb-symbols-us are appended to the "us" symbols file,
# and sddm's Xsetup script is replaced with files/sddm-Xsetup (presumably
# to select the variant on the login screen — see that file).
# Globals:   rootfs, PWD (read)
# Side effects: edits files under $rootfs/usr/share/X11/xkb and
#   $rootfs/usr/share/sddm
# NOTE(review): `sd -s` matches the literal string, so the indentation of
#   both here-documents must match the <variant> block in the installed
#   evdev.xml byte for byte — verify against that file if the edit ever
#   stops applying.
#######################################
install_dvorak_m1cha() {
# `read -d ''` returns non-zero at EOF even after reading everything, so
# errexit is suspended around the two reads. needle and replacement are
# not declared local and remain visible after the call.
set +e
read -rd '' needle <<'EOF'
<variant>
<configItem>
<name>dvp</name>
<description>English (programmer Dvorak)</description>
</configItem>
</variant>
EOF
# The new entry that is inserted directly after the stock one.
read -rd '' replacement <<'EOF'
<variant>
<configItem>
<name>dvp-m1cha</name>
<description>English (programmer Dvorak - m1cha)</description>
</configItem>
</variant>
EOF
set -e
# Keep the original entry and append the new one right behind it.
sd -s "$needle" "${needle}${replacement}" "$rootfs/usr/share/X11/xkb/rules/evdev.xml"
cat "$PWD/files/xkb-symbols-us" >> "$rootfs/usr/share/X11/xkb/symbols/us"
cp "$PWD/files/sddm-Xsetup" "$rootfs/usr/share/sddm/scripts/Xsetup"
}
#######################################
# Configure the freshly pacstrapped system: timezone, locale, apparmor,
# sshd, keymap, sddm, locally built packages and the services to enable.
# Globals:   rootfs, chroot, PWD, PKGCACHE_PATCHED, aur_package_files (read)
# Side effects: runs commands inside the chroot through arch-chroot.
#######################################
post_install_steps() {
  local files="$PWD/files"
  local etc="$rootfs/etc"

  ln -sf /usr/share/zoneinfo/Europe/Berlin "$etc/localtime"
  sed -i 's/^#\(en_US.UTF-8 UTF-8\)/\1/' "$etc/locale.gen"
  sed -i 's/^#\(write-cache\)/\1/' "$etc/apparmor/parser.conf"
  # Key-only SSH logins. sshd uses the first value it obtains for a keyword,
  # so this appended line only takes effect while the stock sshd_config has
  # no earlier, uncommented PasswordAuthentication directive — re-check if
  # the base image's config ever changes.
  printf '%s\n' "PasswordAuthentication no" >> "$etc/ssh/sshd_config"
  cp "$files/modules-load.conf" "$etc/modules-load.d/ostree.conf"
  install_dvorak_m1cha

  # /usr/lib/sddm/sddm.conf.d would be the conceptually right place, but
  # sddm does not load configs from read-only mounts, hence /etc.
  cp -r "$files/sddm-theme" "$rootfs/usr/share/sddm/themes/m1cha"
  mkdir "$etc/sddm.conf.d"
  cp "$files/sddm.conf" "$etc/sddm.conf.d/00-ostree.conf"

  build_patched_packages
  cp -r "$PKGCACHE_PATCHED" "$rootfs/var/cache/pkgcache-patched"
  mkdir "$rootfs/var/cache/aur-packages"
  cp "${aur_package_files[@]}" "$rootfs/var/cache/aur-packages"

  # The glob on the pacman line is expanded by the chroot's shell on purpose.
  local chroot_script
  chroot_script=$(cat <<'EOF'
set -euo pipefail;
locale-gen;
systemctl enable apparmor.service;
systemctl enable bluetooth.service;
systemctl enable NetworkManager.service;
systemctl enable sddm.service;
systemctl enable smb.service;
systemctl enable sshd.service;
pacman --noconfirm -U /var/cache/aur-packages/*;
EOF
  )
  arch-chroot "$chroot" bash -c "$chroot_script"
}
#######################################
# Point pacman at a database under /usr/lib and move the existing one there.
# The database must not be deleted: it can still be modified temporarily
# after `ostree admin unlock`.
# Globals:   rootfs (read)
#######################################
move_from_var() {
  local conf="$rootfs/etc/pacman.conf"
  local -a edits=(
    -e 's|^#\(DBPath\s*=\s*\).*|\1/usr/lib/pacman|g'
    -e 's|^#\(IgnoreGroup\s*=\s*\).*|\1modified|g'
  )
  sed -i "${edits[@]}" "$conf"
  mv "$rootfs/var/lib/pacman" "$rootfs/usr/lib/"
}
#######################################
# Relocate the writable parts of the tree under /var and leave symlinks in
# their place, as ostree keeps the rest of the tree read-only.
# Globals:   rootfs, PWD (read)
#######################################
move_to_var() {
  local var="$rootfs/var"

  mv "$rootfs/home" "$var/"
  ln -s var/home "$rootfs/home"
  mv "$rootfs/mnt" "$var/"
  ln -s var/mnt "$rootfs/mnt"
  mv "$rootfs/srv" "$var/srv"
  ln -s var/srv "$rootfs/srv"
  mv "$rootfs/root" "$var/roothome"
  ln -s var/roothome "$rootfs/root"

  # ostree also recommends relocating /opt; there is no good reason for it
  # here, so /opt stays where it is.

  # /usr/local is dropped instead of moved; the link is relative to /usr.
  # Presumably the tmpfiles.d rule copied below creates var/usrlocal at
  # boot — check files/ostree-0-integration.conf.
  rm -r "$rootfs/usr/local"
  ln -s ../var/usrlocal "$rootfs/usr/local"
  cp "$PWD/files/ostree-0-integration.conf" "$rootfs/usr/lib/tmpfiles.d/"
}
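#######################################
# Strip state that must not end up in the ostree commit.
# Globals:   rootfs (read; must be non-empty — see below)
# Returns:   aborts via `${rootfs:?}` when rootfs is empty or unset;
#            aborts under set -e on any other failure
#######################################
clean_rootfs() {
  # `${rootfs:?}` refuses to run with an empty rootfs: "$rootfs/var/"* would
  # otherwise expand to /var/* on the build host. The contents of /var are
  # not needed in the image.
  rm -r "${rootfs:?rootfs is unset or empty}/var/"*
  # pacman leaves gpg-agent sockets behind, which ostree does not support.
  # -f: only their presence is a problem, so absent sockets are not an error.
  rm -f "${rootfs:?rootfs is unset or empty}/etc/pacman.d/gnupg/S.gpg-agent"*
}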
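#######################################
# Rearrange the rootfs into the layout the ostree tools expect.
# Globals:   rootfs (read)
# Returns:   1 if the number of kernel module directories is not exactly
#            one (the initramfs would otherwise land in a bogus path);
#            aborts under set -e on any other failure
#######################################
ostreeify() {
  # Locate the single /usr/lib/modules/<version> directory up front, before
  # anything is moved, so a bad tree fails without half-done changes. A plain
  # $(find …) would silently yield a newline-joined "path" when more than one
  # kernel is present.
  local -a moduledirs=()
  mapfile -d '' -t moduledirs < <(
    find "$rootfs/usr/lib/modules" -mindepth 1 -maxdepth 1 -type d -print0
  )
  if (( ${#moduledirs[@]} != 1 )); then
    printf 'ostreeify: expected exactly one kernel module directory, found %d\n' \
      "${#moduledirs[@]}" >&2
    return 1
  fi
  local moduledir="${moduledirs[0]}"

  # Required so the ostree tools can use them.
  mkdir "$rootfs/sysroot"
  ln -s sysroot/ostree "$rootfs/ostree"
  # /etc is handled by ostree and expected to live under /usr.
  mv "$rootfs/etc" "$rootfs/usr/"
  # ostree expects the initramfs next to the modules; the microcode images
  # are prepended to it.
  cat \
    "$rootfs"/boot/*-ucode.img \
    "$rootfs/boot/initramfs-linux-zen.img" \
    > "$moduledir/initramfs.img"
}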
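#######################################
# Clone (or update) an AUR package's git checkout, build it once, and add
# the resulting package file to aur_package_files.
# Globals:   OUTDIR (read), aur_package_files (appended)
# Arguments: $1 - AUR package name
# Returns:   1 if zero or several *.pkg.tar.zst files exist after the build;
#            aborts under set -e on any other failure
# Note: the checkout follows the AUR branch head without pinning a commit
#   or reviewing what changed, and makepkg runs whatever the fetched
#   PKGBUILD says (as `builder`, with -s also pulling dependencies). What
#   comes through here is third-party code the image ends up trusting.
#######################################
build_aur_package() {
  local name="$1"
  local url="https://aur.archlinux.org/$name.git"
  local dir="$OUTDIR/aur_packages/$name"
  local branch_name current remote pkg

  if [ -e "$dir" ]; then
    pushd "$dir"
    # Only move the existing checkout when upstream changed; a new head also
    # discards the previous build output (git clean).
    branch_name="$(sudo -u builder git rev-parse --abbrev-ref HEAD)"
    sudo -u builder git fetch origin "$branch_name"
    current="$(sudo -u builder git rev-parse @)"
    remote="$(sudo -u builder git rev-parse FETCH_HEAD)"
    if [ "$current" != "$remote" ]; then
      sudo -u builder git clean -dffx
      sudo -u builder git checkout FETCH_HEAD
    fi
  else
    git clone "$url" "$dir"
    # The clone ran as root; the tree must belong to builder for makepkg.
    chown -R builder:builder "$dir"
    pushd "$dir"
  fi

  # Reuse an existing build; only run makepkg when no package file exists.
  local -a pkgs=()
  mapfile -d '' -t pkgs < <(find . -mindepth 1 -maxdepth 1 -name '*.pkg.tar.zst' -print0)
  if (( ${#pkgs[@]} == 0 )); then
    sudo -u builder makepkg --noconfirm -s
    mapfile -d '' -t pkgs < <(find . -mindepth 1 -maxdepth 1 -name '*.pkg.tar.zst' -print0)
  fi
  # Exactly one file is expected; several (e.g. split or debug packages)
  # would previously have been glued into one newline-separated path.
  if (( ${#pkgs[@]} != 1 )); then
    printf 'build_aur_package: expected one package file for %s, found %d\n' \
      "$name" "${#pkgs[@]}" >&2
    popd
    return 1
  fi
  pkg="$(realpath "${pkgs[0]}")"
  aur_package_files+=("$pkg")
  popd
}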
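#######################################
# Entry point: prepare the bind-mounted chroot, build the AUR packages,
# pacstrap the package list and rearrange the result for ostree.
# Globals:   rootfs, chroot, OUTDIR, packages, aur_packages (read)
# Side effects: leaves the bind mount on $chroot in place; removes the
#   temporary pacman.conf on exit.
#######################################
main() {
  # An empty (as opposed to unset) ARCH_ROOTFS or OUTDIR slips past `set -u`
  # and would turn the later path operations loose on the build host.
  : "${rootfs:?ARCH_ROOTFS must name the target rootfs directory}"
  : "${OUTDIR:?OUTDIR must name the output directory}"

  # With the current rootless container setup pacstrap and arch-chroot fail
  # to unmount everything. Make them use a separate, bind-mounted directory
  # so the original tree stays visible without any mounts on it.
  mkdir -p "$chroot"
  mkdir -p "$rootfs"
  mount -o bind "$rootfs" "$chroot"

  mkdir -p "$OUTDIR/aur_packages"
  local package
  for package in "${aur_packages[@]}"; do
    build_aur_package "$package"
  done

  pre_pacstrap_config

  # The docker image has a bunch of NoExtract lines that would hurt the new
  # system, so pacstrap gets a filtered copy. It goes into an mktemp file
  # rather than a fixed /tmp name; the EXIT trap removes it. (pacman_conf is
  # deliberately not `local`: the trap runs after main has returned.)
  pacman_conf=$(mktemp) || exit 1
  trap 'rm -f -- "$pacman_conf"' EXIT
  sed -e 's|^NoExtract.*||g' /etc/pacman.conf > "$pacman_conf"
  pacstrap -C "$pacman_conf" -c -K "$chroot" "${packages[@]}"

  post_install_steps
  move_from_var
  move_to_var
  clean_rootfs
  ostreeify
}
main "$@"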