authorPÁLI Gábor János <pali.gabor@gmail.com>2022-04-10 18:17:21 +0200
committerPÁLI Gábor János <pali.gabor@gmail.com>2022-04-10 23:09:31 +0200
commitbcbf7c6c9fc7d8a96b1d5c4cc9247b85fe3da2ad (patch)
tree46d796182b2249408b0597485462ef1698dc4c13 /aports/base-layout
parent40d2daea11738408b7bf7b60f14a558ff8c47fb0 (diff)
Move towards custom packages.
Change the image build process so that custom-built packages can be used. This makes the `Makefile` simpler, since every modification is now implemented at the package level. Include the sources for every customized package.
Diffstat (limited to 'aports/base-layout')
-rw-r--r--aports/base-layout/APKBUILD195
-rw-r--r--aports/base-layout/aliases.conf57
-rw-r--r--aports/base-layout/crontab8
-rw-r--r--aports/base-layout/group48
-rw-r--r--aports/base-layout/inittab6
-rw-r--r--aports/base-layout/locale.sh3
-rw-r--r--aports/base-layout/passwd27
-rw-r--r--aports/base-layout/profile45
8 files changed, 389 insertions, 0 deletions
diff --git a/aports/base-layout/APKBUILD b/aports/base-layout/APKBUILD
new file mode 100644
index 0000000..616cfc5
--- /dev/null
+++ b/aports/base-layout/APKBUILD
@@ -0,0 +1,195 @@
+# Maintainer: Gabor Pali <pali.gabor@gmail.com>
+
+pkgname=baselayout
+pkgver=3.2.0
+pkgrel=18
+pkgdesc="Base dir structure and init scripts (Alpine Linux)"
+url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
+arch="all"
+license="GPL-2.0-only"
+pkggroups="shadow"
+options="!fhs !check"
+install=
+_nbver=6.2
+source="crontab
+ locale.sh
+
+ group
+ inittab
+ passwd
+ profile
+ protocols-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/protocols
+ services-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/services
+ "
+builddir="$srcdir/build"
+
+prepare() {
+ default_prepare
+ mkdir -p "$builddir"
+ mv "$srcdir"/protocols-$_nbver "$srcdir"/protocols
+ mv "$srcdir"/services-$_nbver "$srcdir"/services
+}
+
+build() {
+ # generate shadow
+ awk -F: '{
+ pw = ":!:"
+ if ($1 == "root") { pw = "::" }
+ print($1 pw ":0:::::")
+ }' "$srcdir"/passwd > shadow
+}
+
+package() {
+ mkdir -p "$pkgdir"
+ cd "$pkgdir"
+ install -m 0755 -d \
+ dev \
+ dev/pts \
+ dev/shm \
+ etc \
+ etc/conf.d \
+ etc/crontabs \
+ etc/init.d \
+ etc/modprobe.d \
+ etc/modules-load.d \
+ etc/network/if-down.d \
+ etc/network/if-post-down.d \
+ etc/network/if-pre-up.d \
+ etc/network/if-up.d \
+ etc/periodic/15min \
+ etc/periodic/daily \
+ etc/periodic/hourly \
+ etc/periodic/monthly \
+ etc/periodic/weekly \
+ etc/profile.d \
+ etc/sysctl.d \
+ lib/firmware \
+ lib/mdev \
+ lib/modules-load.d \
+ lib/sysctl.d \
+ media/etc \
+ media/wpa \
+ proc \
+ run \
+ sbin \
+ sys \
+ usr/bin \
+ usr/lib/modules-load.d \
+ usr/local/bin \
+ usr/local/lib \
+ usr/local/share \
+ usr/sbin \
+ usr/share \
+ usr/share/man \
+ usr/share/misc \
+ var/cache \
+ var/cache/misc \
+ var/lib \
+ var/lib/misc \
+ var/local \
+ var/lock/subsys \
+ var/log \
+ var/opt \
+ var/spool \
+ var/spool/cron \
+ var/mail
+
+ ln -s /run var/run
+ install -d -m 0555 var/empty
+ install -d -m 0700 "$pkgdir"/root
+ install -d -m 1777 "$pkgdir"/tmp "$pkgdir"/var/tmp
+
+ install -m600 "$srcdir"/crontab "$pkgdir"/etc/crontabs/root
+ install -m644 \
+ "$srcdir"/locale.sh \
+ "$pkgdir"/etc/profile.d/
+
+ echo "wifibox" > "$pkgdir"/etc/hostname
+ cat > "$pkgdir"/etc/hosts <<-EOF
+ 127.0.0.1 localhost localhost.localdomain
+ ::1 localhost localhost.localdomain
+ EOF
+ cat > "$pkgdir"/etc/modules <<-EOF
+ af_packet
+ ipv6
+ EOF
+ cat > "$pkgdir"/etc/shells <<-EOF
+ /bin/sh
+ /bin/ash
+ EOF
+ cat > "$pkgdir"/etc/sysctl.conf <<-EOF
+ net.ipv4.ip_forward=1
+ EOF
+ cat > "$pkgdir"/lib/sysctl.d/00-alpine.conf <<-EOF
+ # Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
+ net.ipv4.tcp_syncookies = 1
+
+ # Prevents ip spoofing.
+ net.ipv4.conf.default.rp_filter = 1
+ net.ipv4.conf.all.rp_filter = 1
+
+ # Only groups within this id range can use ping.
+ net.ipv4.ping_group_range=999 59999
+
+ # Redirects can potentially be used to maliciously alter hosts
+ # routing tables.
+ net.ipv4.conf.all.accept_redirects = 0
+ net.ipv4.conf.all.secure_redirects = 1
+ net.ipv6.conf.all.accept_redirects = 0
+
+ # The source routing feature includes some known vulnerabilities.
+ net.ipv4.conf.all.accept_source_route = 0
+ net.ipv6.conf.all.accept_source_route = 0
+
+ # See RFC 1337
+ net.ipv4.tcp_rfc1337 = 1
+
+ ## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
+ net.ipv6.conf.default.use_tempaddr = 2
+ net.ipv6.conf.all.use_tempaddr = 2
+
+ # Restarts computer after 120 seconds after kernel panic
+ kernel.panic = 120
+
+ # Users should not be able to create soft or hard links to files
+ # which they do not own. This mitigates several privilege
+ # escalation vulnerabilities.
+ fs.protected_hardlinks = 1
+ fs.protected_symlinks = 1
+ EOF
+ cat > "$pkgdir"/etc/fstab <<-EOF
+ tmpfs /tmp tmpfs size=128K 0 0
+ config /media/etc 9p trans=virtio,ro,noatime,nodiratime,norelatime 0 0
+ wpa_config /media/wpa 9p trans=virtio,rw 0 0
+ var /var 9p trans=virtio,rw 0 0
+ EOF
+
+ install -m644 \
+ "$srcdir"/group \
+ "$srcdir"/passwd \
+ "$srcdir"/inittab \
+ "$srcdir"/profile \
+ "$srcdir"/protocols \
+ "$srcdir"/services \
+ "$pkgdir"/etc/
+
+ install -m640 -g shadow "$builddir"/shadow \
+ "$pkgdir"/etc/
+
+ # symlinks
+ ln -s /dev/null "$pkgdir"/root/.ash_history
+ ln -s /etc/crontabs "$pkgdir"/var/spool/cron/crontabs
+ ln -s /proc/mounts "$pkgdir"/etc/mtab
+ ln -s /var/mail "$pkgdir"/var/spool/mail
+}
+
+sha512sums="
+6e169c0975a1ad1ad871a863e8ee83f053de9ad0b58d94952efa4c28a8c221445d9e9732ad8b52832a50919c2f39aa965a929b3d5b3f9e62f169e2b2e0813d82 crontab
+b2fc9b72846a43a45ba9a8749e581cef34d1915836833b51b7919dfbf4e275b7d55fec4dea7b23df3796380910971a41331e53e8cf0d304834e3da02cc135e5a locale.sh
+806b8f23f823a9471846d12fa6b55690b95eedb4c613b82aefaba7ffef23f83e17552befd891a487864f72ef24e395d8611738933f684a85eb4c336cb20994f8 group
+7cc3c23062c730ec7a1d7850423d9901047005520da5b347b7b24e5f33a9c9a9129b430557f7f41e565f143624b7f3c47e3f6e4a6a446e75f0ea245c03d70880 inittab
+06d12a7b9ca14fe17e412d0f24814620b67d035ae859be7906cbf4782dd69e359a6a555dafb98060b7fb7e4714aaa676c88d9017cded36e6d8398e23369bb290 passwd
+b14920eae431d1f15b066e264a94f804540c5dcbf91caef034019d95456c975c0c054672e53369082682dd9454a034f26bd45b312adfc0ab68a0311d97b037ac profile
+eadc83e47fcc354ab83fd109bee452bda170886fb684e67faf615930c11480919505f4af60c685b124efc54af0ded9522663132f911eac6622144f8b4c8be695 protocols-6.2
+adfae0d2f569c2a2f413b7e27683a007fc8ca689b8c3349672fe0dcb6208c192ede4402eff09c604b7e7b4fd9d8df93b875efa5bdaa6c14ff1d8022a7caad5cd services-6.2
+"
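Review bot: The shadow file generated in build() gives root an empty password field (`if ($1 == "root") { pw = "::" }`), while every other account is locked with `!`. Combined with the `ttyS0` getty that inittab adds in this same commit, anyone who can reach the guest's serial console gets a root shell without credentials. If that is the intended access model, record it next to the awk script, for example `# root intentionally has an empty password; console access is assumed to be restricted on the host side`. If it is not intended, emit `:!:` for root as well and provision a credential out of band.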
diff --git a/aports/base-layout/aliases.conf b/aports/base-layout/aliases.conf
new file mode 100644
index 0000000..b179017
--- /dev/null
+++ b/aports/base-layout/aliases.conf
@@ -0,0 +1,57 @@
+# Aliases to tell insmod/modprobe which modules to use
+
+# Uncomment the network protocols you don't want loaded:
+# alias net-pf-1 off # Unix
+# alias net-pf-2 off # IPv4
+# alias net-pf-3 off # Amateur Radio AX.25
+# alias net-pf-4 off # IPX
+# alias net-pf-5 off # DDP / appletalk
+# alias net-pf-6 off # Amateur Radio NET/ROM
+# alias net-pf-9 off # X.25
+# alias net-pf-10 off # IPv6
+# alias net-pf-11 off # ROSE / Amateur Radio X.25 PLP
+# alias net-pf-19 off # Acorn Econet
+
+alias char-major-10-175 agpgart
+alias char-major-10-200 tun
+alias char-major-81 bttv
+alias char-major-108 ppp_generic
+alias /dev/ppp ppp_generic
+alias tty-ldisc-3 ppp_async
+alias tty-ldisc-14 ppp_synctty
+alias ppp-compress-21 bsd_comp
+alias ppp-compress-24 ppp_deflate
+alias ppp-compress-26 ppp_deflate
+
+# Crypto modules (see http://www.kerneli.org/)
+alias loop-xfer-gen-0 loop_gen
+alias loop-xfer-3 loop_fish2
+alias loop-xfer-gen-10 loop_gen
+alias cipher-2 des
+alias cipher-3 fish2
+alias cipher-4 blowfish
+alias cipher-6 idea
+alias cipher-7 serp6f
+alias cipher-8 mars6
+alias cipher-11 rc62
+alias cipher-15 dfc2
+alias cipher-16 rijndael
+alias cipher-17 rc5
+
+# Support for i2c and lm_sensors
+alias char-major-89 i2c-dev
+
+# xfrm
+alias xfrm-type-2-4 xfrm4_tunnel
+alias xfrm-type-2-50 esp4
+alias xfrm-type-2-51 ah4
+alias xfrm-type-2-108 ipcomp
+alias xfrm-type-10-41 xfrm6_tunnel
+alias xfrm-type-10-50 esp6
+alias xfrm-type-10-51 ah6
+alias xfrm-type-10-108 ipcomp6
+
+alias sha1 sha1-generic
+# change to aes-i586 to boost performance
+alias aes aes-generic
+
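Review bot: Nothing visible in this commit installs aliases.conf. The APKBUILD's `source=` has an empty entry between `locale.sh` and `group`, `sha512sums` has no line for the file, and package() creates `etc/modprobe.d` but copies nothing into it. As far as this page shows, the file is carried in the tree without effect, so either list it in `source=` with a checksum and install it with `install -m644` into `etc/modprobe.d/`, or drop it. If it is restored, consider pruning the legacy `cipher-*` and `loop-xfer-*` aliases such as `alias cipher-2 des`, which presumably serve no purpose in this image.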
diff --git a/aports/base-layout/crontab b/aports/base-layout/crontab
new file mode 100644
index 0000000..fd8acd8
--- /dev/null
+++ b/aports/base-layout/crontab
@@ -0,0 +1,8 @@
+# do daily/weekly/monthly maintenance
+# min hour day month weekday command
+*/15 * * * * run-parts /etc/periodic/15min
+0 * * * * run-parts /etc/periodic/hourly
+0 2 * * * run-parts /etc/periodic/daily
+0 3 * * 6 run-parts /etc/periodic/weekly
+0 5 1 * * run-parts /etc/periodic/monthly
+
diff --git a/aports/base-layout/group b/aports/base-layout/group
new file mode 100644
index 0000000..23b124b
--- /dev/null
+++ b/aports/base-layout/group
@@ -0,0 +1,48 @@
+root:x:0:root
+bin:x:1:root,bin,daemon
+daemon:x:2:root,bin,daemon
+sys:x:3:root,bin,adm
+adm:x:4:root,adm,daemon
+tty:x:5:
+disk:x:6:root,adm
+lp:x:7:lp
+mem:x:8:
+kmem:x:9:
+wheel:x:10:root
+floppy:x:11:root
+mail:x:12:mail
+news:x:13:news
+uucp:x:14:uucp
+man:x:15:man
+cron:x:16:cron
+console:x:17:
+audio:x:18:
+cdrom:x:19:
+dialout:x:20:root
+ftp:x:21:
+sshd:x:22:
+input:x:23:
+at:x:25:at
+tape:x:26:root
+video:x:27:root
+netdev:x:28:
+readproc:x:30:
+squid:x:31:squid
+xfs:x:33:xfs
+kvm:x:34:kvm
+games:x:35:
+shadow:x:42:
+cdrw:x:80:
+www-data:x:82:
+usb:x:85:
+vpopmail:x:89:
+users:x:100:games
+ntp:x:123:
+nofiles:x:200:
+smmsp:x:209:smmsp
+locate:x:245:
+abuild:x:300:
+utmp:x:406:
+ping:x:999:
+nogroup:x:65533:
+nobody:x:65534:
diff --git a/aports/base-layout/inittab b/aports/base-layout/inittab
new file mode 100644
index 0000000..d4dbd79
--- /dev/null
+++ b/aports/base-layout/inittab
@@ -0,0 +1,6 @@
+::sysinit:/sbin/openrc sysinit
+::sysinit:/sbin/openrc boot
+::wait:/sbin/openrc default
+::restart:/sbin/init
+ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
+::shutdown:/sbin/openrc shutdown
diff --git a/aports/base-layout/locale.sh b/aports/base-layout/locale.sh
new file mode 100644
index 0000000..bf75c08
--- /dev/null
+++ b/aports/base-layout/locale.sh
@@ -0,0 +1,3 @@
+export CHARSET=UTF-8
+export LANG=C.UTF-8
+export LC_COLLATE=C
diff --git a/aports/base-layout/passwd b/aports/base-layout/passwd
new file mode 100644
index 0000000..cc124a9
--- /dev/null
+++ b/aports/base-layout/passwd
@@ -0,0 +1,27 @@
+root:x:0:0:root:/root:/bin/ash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+man:x:13:15:man:/usr/man:/sbin/nologin
+postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
+squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
+xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+cyrus:x:85:12::/usr/cyrus:/sbin/nologin
+vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
diff --git a/aports/base-layout/profile b/aports/base-layout/profile
new file mode 100644
index 0000000..fd7506b
--- /dev/null
+++ b/aports/base-layout/profile
@@ -0,0 +1,45 @@
+# Append "$1" to $PATH when not already in.
+# Copied from Arch Linux, see #12803 for details.
+append_path () {
+ case ":$PATH:" in
+ *:"$1":*)
+ ;;
+ *)
+ PATH="${PATH:+$PATH:}$1"
+ ;;
+ esac
+}
+
+append_path "/usr/local/sbin"
+append_path "/usr/local/bin"
+append_path "/usr/sbin"
+append_path "/usr/bin"
+append_path "/sbin"
+append_path "/bin"
+unset -f append_path
+
+export PATH
+export PAGER=less
+umask 022
+
+# set up fallback default PS1
+: "${HOSTNAME:=$(hostname)}"
+PS1='${HOSTNAME%%.*}:$PWD'
+[ "$(id -u)" = "0" ] && PS1="${PS1}# "
+[ "$(id -u)" = "0" ] || PS1="${PS1}\$ "
+
+# use nicer PS1 for bash and busybox ash
+[ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ] && PS1='\h:\w\$ '
+
+# use nicer PS1 for zsh
+[ -n "$ZSH_VERSION" ] && PS1='%m:%~%# '
+
+# export PS1 as before
+export PS1
+
+for script in /etc/profile.d/*.sh ; do
+ if [ -r "$script" ] ; then
+ . "$script"
+ fi
+done
+unset script
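Review bot: The test `[ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ]` uses the `-o` operator, which POSIX marks obsolescent and which can misparse when an operand looks like an operator; its second operand is also tested without an explicit `-n`. An unambiguous form is `if [ -n "$BASH_VERSION" ] || [ -n "$BB_ASH_VERSION" ]; then PS1='\h:\w\$ '; fi`. The two `id -u` lines just above could likewise be a single `if`/`else`, which saves a second fork. The closing loop sources every readable `/etc/profile.d/*.sh` into each login shell, root included, so a comment such as `# files here run in root's login shell; keep the directory writable by root only` would document the trust assumption.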