# Maintainer: Gabor Pali pkgname=baselayout # base: alpine-baselayout, alpine-baselayout-data pkgver=3.4.3 pkgrel=1 # base: 1 pkgdesc="Base dir structure and init scripts" url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout" arch="noarch" license="GPL-2.0-only" pkggroups="shadow" options="!fhs !check" install= _nbver=6.4 source="crontab 20locale.sh group inittab passwd profile protocols-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/protocols services-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/services " builddir="$srcdir/build" prepare() { default_prepare mkdir -p "$builddir" mv "$srcdir"/protocols-$_nbver "$srcdir"/protocols mv "$srcdir"/services-$_nbver "$srcdir"/services } build() { # generate shadow awk -F: '{ pw = ":!:" if ($1 == "root") { pw = "::" } print($1 pw ":0:::::") }' "$srcdir"/passwd > shadow } package() { mkdir -p "$pkgdir" cd "$pkgdir" install -m 0755 -d \ dev \ dev/pts \ dev/shm \ etc \ etc/conf.d \ etc/crontabs \ etc/init.d \ etc/modprobe.d \ etc/modules-load.d \ etc/network/if-down.d \ etc/network/if-post-down.d \ etc/network/if-pre-up.d \ etc/network/if-up.d \ etc/periodic/15min \ etc/periodic/daily \ etc/periodic/hourly \ etc/periodic/monthly \ etc/periodic/weekly \ etc/profile.d \ etc/sysctl.d \ lib/firmware \ lib/mdev \ lib/modules-load.d \ lib/sysctl.d \ media/etc \ proc \ run \ sbin \ sys \ usr/bin \ usr/lib/modules-load.d \ usr/local/bin \ usr/local/lib \ usr/local/share \ usr/sbin \ usr/share \ usr/share/man \ usr/share/misc \ var/cache \ var/cache/misc \ var/lib \ var/lib/misc \ var/local \ var/lock/subsys \ var/log \ var/opt \ var/spool \ var/spool/cron \ var/mail ln -s /run var/run install -d -m 0555 var/empty install -d -m 0700 "$pkgdir"/root install -d -m 1777 "$pkgdir"/tmp "$pkgdir"/var/tmp install -m600 "$srcdir"/crontab "$pkgdir"/etc/crontabs/root install -m644 \ "$srcdir"/20locale.sh \ "$pkgdir"/etc/profile.d/ cat > "$pkgdir"/etc/hosts <<-EOF 127.0.0.1 localhost localhost.localdomain ::1 localhost localhost.localdomain EOF cat > "$pkgdir"/etc/modules <<-EOF af_packet ipv6 EOF cat > "$pkgdir"/etc/shells <<-EOF /bin/sh /bin/ash EOF cat > "$pkgdir"/etc/sysctl.conf <<-EOF net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 2 net.ipv6.conf.default.forwarding = 2 # Enable IPv6 Privacy Extensions net.ipv6.conf.all.use_tempaddr = 2 net.ipv6.conf.default.use_tempaddr = 2 net.ipv6.conf.eth0.use_tempaddr = 2 net.ipv6.conf.wlan0.use_tempaddr = 2 EOF cat > "$pkgdir"/lib/sysctl.d/00-alpine.conf <<-EOF # Prevents SYN DOS attacks. Applies to ipv6 as well, despite name. net.ipv4.tcp_syncookies = 1 # Prevents ip spoofing. net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.all.rp_filter = 1 # Only groups within this id range can use ping. net.ipv4.ping_group_range=999 59999 # Redirects can potentially be used to maliciously alter hosts # routing tables. net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 1 net.ipv6.conf.all.accept_redirects = 0 # The source routing feature includes some known vulnerabilities. net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 # See RFC 1337 net.ipv4.tcp_rfc1337 = 1 ## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041) net.ipv6.conf.default.use_tempaddr = 2 net.ipv6.conf.all.use_tempaddr = 2 # Restarts computer after 120 seconds after kernel panic kernel.panic = 120 # Users should not be able to create soft or hard links to files # which they do not own. This mitigates several privilege # escalation vulnerabilities. fs.protected_hardlinks = 1 fs.protected_symlinks = 1 EOF cat > "$pkgdir"/etc/fstab <<-EOF tmpfs /tmp tmpfs size=128K 0 0 config /media/etc 9p trans=virtio,ro,noatime,nodiratime,norelatime 0 0 var /var 9p trans=virtio,rw 0 0 EOF cat > "$pkgdir"/etc/nsswitch.conf <<-EOF # musl itself does not support NSS, however some third-party DNS # implementations use the nsswitch.conf file to determine what # policy to follow. # Editing this file is not recommended. hosts: files dns EOF install -m644 \ "$srcdir"/group \ "$srcdir"/passwd \ "$srcdir"/inittab \ "$srcdir"/profile \ "$srcdir"/protocols \ "$srcdir"/services \ "$pkgdir"/etc/ install -m640 -g shadow "$builddir"/shadow \ "$pkgdir"/etc/ # symlinks ln -s /dev/null "$pkgdir"/root/.ash_history ln -s /etc/crontabs "$pkgdir"/var/spool/cron/crontabs ln -s /proc/mounts "$pkgdir"/etc/mtab ln -s /var/mail "$pkgdir"/var/spool/mail ln -s /tmp/resolv.conf "$pkgdir"/etc/resolv.conf ln -s /media/etc/hostname "$pkgdir"/etc/hostname } sha512sums=" 6e169c0975a1ad1ad871a863e8ee83f053de9ad0b58d94952efa4c28a8c221445d9e9732ad8b52832a50919c2f39aa965a929b3d5b3f9e62f169e2b2e0813d82 crontab b2fc9b72846a43a45ba9a8749e581cef34d1915836833b51b7919dfbf4e275b7d55fec4dea7b23df3796380910971a41331e53e8cf0d304834e3da02cc135e5a 20locale.sh 0b786df3a610e84ae98cbef8dc74998404a048c4a48d7acf57eafb04fb481b4b7f8a80c065f1ca10cced22c89243cc6e81b0ad46d5ca4a194d63ce49969cce09 group 7cc3c23062c730ec7a1d7850423d9901047005520da5b347b7b24e5f33a9c9a9129b430557f7f41e565f143624b7f3c47e3f6e4a6a446e75f0ea245c03d70880 inittab b3508f9dc77e7eeb761c2d72b5f1003d09dbeaef1cd2d6b7ac47fb5c770cad507c89713d70d5ab0b645378e486cab2e130e9862cbfd2eea783b1808d4ca075f5 passwd 4eb857ed59c2edb257636d2bf196989e514a273e9701e9f076c9ae8c1589b4898269180569960acf072c0981ec7ea54014fd230f014401d6bb92314285d1e6aa profile 3a00083bcdf5a9e884c9d07877d52311e3d99e79cbee656e236ba06e08ba0dddb7ba76494fdc9dd1a826c48e197a790a69e6bb458e9df64832d6b5e904e9fd15 protocols-6.4 47b0f3ee73af2d259bd206a026204be0ea25531a895a0b035a904b38fe5407bc3dd2beab7f8fcb3d760587e6159702ebdb9cbc4f508942befdf7f10c10c87888 services-6.4 "