.forgejo/patches/linux-template-builder_use-fuse.patch

@@ -0,0 +1,184 @@
+diff --git a/cleanup_image b/cleanup_image
+index 224c04a..911b238 100755
+--- a/cleanup_image
++++ b/cleanup_image
+@@ -1,6 +1,7 @@
+ #!/bin/sh
+ 
+ export INSTALLDIR=$1
++export TEMPLATE_USE_FUSE=1
+ 
+ . ./builder_setup
+ 
+@@ -20,5 +21,8 @@ fi
+ echo "--> Cleaning up image file..."
+ $SCRIPTSDIR/09_cleanup.sh
+ 
+-echo "--> Compacting image file..."
+-/sbin/fstrim -v "$INSTALLDIR"
++# fstrim not supported in userspace
++if [ "$TEMPLATE_USE_FUSE" -ne 1 ]; then
++	echo "--> Compacting image file..."
++	/sbin/fstrim -v "$INSTALLDIR"
++fi
+diff --git a/prepare_image b/prepare_image
+index 6334879..de1a2af 100755
+--- a/prepare_image
++++ b/prepare_image
+@@ -19,6 +19,8 @@ RETCODE=0
+ . ./builder_setup >/dev/null
+ . ./umount_kill.sh >/dev/null
+ 
++export TEMPLATE_USE_FUSE=1
++
+ if ! [ $# -eq 1 ]; then
+     echo "usage ${0} <img_file_name>"
+     exit
+@@ -55,11 +57,20 @@ echo "-> Preparing instalation of ${DIST} template..."
+ if [ -f "${IMG}" ]; then
+     echo "-> Image file already exists, assuming *update*..."
+     if [ "0$TEMPLATE_ROOT_WITH_PARTITIONS" -eq 1 ]; then
+-        IMG_LOOP=$(/sbin/losetup -P -f --show "$IMG")
+-        IMG_DEV=${IMG_LOOP}p3
++		if [ "$TEMPLATE_USE_FUSE" -eq 1 ]; then
++			echo "Fuse mode not implemented when TEMPLATE_ROOT_WITH_PARTITIONS is true"
++			exit
++		else
++    	    IMG_LOOP=$(/sbin/losetup -P -f --show "$IMG")
++        	IMG_DEV=${IMG_LOOP}p3
++		fi
+     else
+-        IMG_LOOP=$(/sbin/losetup -f --show "$IMG")
+-        IMG_DEV=${IMG_LOOP}
++		if [ "$TEMPLATE_USE_FUSE" -eq 1 ]; then
++			IMG_DEV=$IMG
++		else
++	        IMG_LOOP=$(/sbin/losetup -f --show "$IMG")
++    	    IMG_DEV=${IMG_LOOP}
++		fi
+     fi
+     udevadm settle --exit-if-exists="$IMG_DEV"
+ else
+@@ -78,11 +89,20 @@ size=2MiB, type=21686148-6449-6E6F-744E-656564454649, uuid=1e6c9db4-1e91-46c4-84
+ type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=693244e6-3e07-47bf-ad79-acade4293fe7, name="Root filesystem"
+ EOF
+ 
+-        IMG_LOOP=$(/sbin/losetup -P -f --show "$IMG")
+-        IMG_DEV=${IMG_LOOP}p3
++		if [ "$TEMPLATE_USE_FUSE" -eq 1 ]; then
++			echo "Fuse mode not implemented when TEMPLATE_ROOT_WITH_PARTITIONS is true"
++			exit
++		else
++        	IMG_LOOP=$(/sbin/losetup -P -f --show "$IMG")
++        	IMG_DEV=${IMG_LOOP}p3
++		fi
+     else
+-        IMG_LOOP=$(/sbin/losetup -f --show "$IMG")
+-        IMG_DEV=${IMG_LOOP}
++		if [ "$TEMPLATE_USE_FUSE" -eq 1 ]; then
++			IMG_DEV=$IMG
++		else
++        	IMG_LOOP=$(/sbin/losetup -f --show "$IMG")
++        	IMG_DEV=${IMG_LOOP}
++		fi
+     fi
+     udevadm settle --exit-if-exists="$IMG_DEV"
+ 
+@@ -90,7 +110,9 @@ EOF
+     /sbin/mkfs.ext4 -q -F "${IMG_DEV}" || exit 1
+ fi
+ 
+-mount "${IMG_DEV}" "${INSTALLDIR}" || exit 1
++if [ "$TEMPLATE_USE_FUSE" -eq 1 ]; then
++	fuse2fs "${IMG_DEV}" "${INSTALLDIR}" || exit 1
++fi
+ trap "umount_kill $(readlink -m ${INSTALLDIR})" EXIT
+ "${SCRIPTSDIR}/01_install_core.sh"
+ 
+@@ -107,6 +129,8 @@ trap - EXIT
+ 
+ echo "-> Unmounting prepared_image..."
+ umount_kill "$(readlink -m ${INSTALLDIR})" || true
+-/sbin/losetup -d ${IMG_LOOP}
++if [ "$TEMPLATE_USE_FUSE" -ne 1 ]; then
++	/sbin/losetup -d ${IMG_LOOP}
++fi
+ 
+ exit ${RETCODE}
+diff --git a/qubeize_image b/qubeize_image
+index 19c37cb..9e5179d 100755
+--- a/qubeize_image
++++ b/qubeize_image
+@@ -13,6 +13,8 @@ export CLEANIMG="$1"
+ export NAME="$2"
+ export LC_ALL=POSIX
+ 
++export TEMPLATE_USE_FUSE=1
++
+ . ./builder_setup >/dev/null
+ . ./umount_kill.sh >/dev/null
+ 
+@@ -50,7 +52,9 @@ function cleanup() {
+     trap - ERR
+     trap
+     umount_kill "$PWD/mnt" || true
+-    /sbin/losetup -d ${IMG_LOOP}
++	if [ "$TEMPLATE_USE_FUSE" -ne 1 ]; then
++	    /sbin/losetup -d ${IMG_LOOP}
++	fi
+     exit $errval
+ }
+ trap cleanup ERR
+@@ -72,14 +76,27 @@ fi
+ echo "--> Mounting $IMG"
+ mkdir -p mnt
+ if [ "0$TEMPLATE_ROOT_WITH_PARTITIONS" -eq 1 ]; then
+-    IMG_LOOP=$(/sbin/losetup -P -f --show "$IMG")
+-    IMG_DEV=${IMG_LOOP}p3
++	if [ "$TEMPLATE_USE_FUSE" -eq 1 ]; then
++		echo "Fuse mode not implemented when TEMPLATE_ROOT_WITH_PARTITIONS is true"
++		exit
++	else
++ 		IMG_LOOP=$(/sbin/losetup -P -f --show "$IMG")
++    	IMG_DEV=${IMG_LOOP}p3
++	fi
+ else
+-    IMG_LOOP=$(/sbin/losetup -f --show "$IMG")
+-    IMG_DEV=${IMG_LOOP}
++	if [ "$TEMPLATE_USE_FUSE" -eq 1 ]; then
++		IMG_DEV=$IMG
++	else
++    	IMG_LOOP=$(/sbin/losetup -f --show "$IMG")
++    	IMG_DEV=${IMG_LOOP}
++	fi
+ fi
+ udevadm settle --exit-if-exists="$IMG_DEV"
+-mount "$IMG_DEV" mnt || exit 1
++if [ "$TEMPLATE_USE_FUSE" -eq 1 ]; then
++	fuse2fs "$IMG_DEV" mnt
++else
++	mount "$IMG_DEV" mnt || exit 1
++fi
+ export INSTALLDIR=mnt
+ 
+ # prepare for template.conf, so the qubeize script may generate it dynamically
+@@ -159,7 +176,9 @@ ls -als $IMG
+ # ------------------------------------------------------------------------------
+ echo "--> Unmounting $IMG"
+ umount_kill "$PWD/mnt" || true
+-/sbin/losetup -d ${IMG_LOOP}
++if [ "$TEMPLATE_USE_FUSE" -ne 1 ]; then
++	/sbin/losetup -d ${IMG_LOOP}
++fi
+ 
+ echo "Qubeized image stored at: $IMG"
+ 
+diff --git a/templates.spec b/templates.spec
+index e1a82e9..210ef57 100644
+--- a/templates.spec
++++ b/templates.spec
+@@ -193,3 +193,4 @@ rm -rf $RPM_BUILD_ROOT
+ %attr (664,root,qubes) %{dest_dir}/vm-whitelisted-appmenus.list
+ %attr (664,root,qubes) %{dest_dir}/netvm-whitelisted-appmenus.list
+ %attr (664,root,qubes) %{dest_dir}/template.conf
++%define _arch x86_64

.forgejo/workflows/test-build.yaml

@@ -0,0 +1,36 @@
+on: 
+  pull_request:
+    types: [ assigned, opened, synchronize, reopened ]
+
+jobs:
+  build-test:
+    runs-on: x86_64
+    container:
+      image: alpine:3.20
+    steps:
+      - name: Environment setup
+        run: |
+          apk add rpm wget coreutils eudev e2fsprogs xen doas sudo curl nodejs git alpine-sdk fuse2fs patch findutils grep
+          cd /etc/apk/keys
+          curl -JO https://ayakael.net/api/packages/forge/alpine/key
+      - name: Repo pull
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 500
+      - name: RPM build
+        run: |
+          git clone https://github.com/QubesOS/qubes-builder
+          mkdir qubes-builder/qubes-src
+          ln -s $GITHUB_WORKSPACE qubes-builder/qubes-src/builder-alpine
+          cp builder.conf qubes-builder/.
+          git clone https://github.com/QubesOS/qubes-linux-template-builder qubes-builder/qubes-src/linux-template-builder
+          patch -d qubes-builder/qubes-src/linux-template-builder -p1 -i $GITHUB_WORKSPACE/.forgejo/patches/linux-template-builder_use-fuse.patch
+          echo "%define _arch x86_64" >> qubes-builder/qubes-src/linux-template-builder/templates.spec
+          cd qubes-builder
+          make linux-template-builder
+          cp qubes-src/linux-template-builder/rpm/noarch/qubes-template-*.rpm $GITHUB_WORKSPACE/.
+      - name: Package upload
+        uses: forgejo/upload-artifact@v3
+        with:
+          name: package
+          path: qubes-template-*.rpm

.gitlab-ci.yml

@@ -1,107 +0,0 @@
-stages:
-  - build
-  - release
-
-variables:
-  GIT_STRATEGY: clone
-  GIT_DEPTH: "500"
-
-.verify:
-  stage: build
-  rules:
-    - if: $CI_MERGE_REQUEST_ID
-  interruptible: true
-  script:
-    - |
-      sudo apk add rpm wget losetup coreutils eudev e2fsprogs xen
-      doas addgroup $USER abuild
-      export PATH="$PATH:$CI_PROJECT_DIR/.gitlab/bin"
-      git clone https://github.com/QubesOS/qubes-builder
-      mkdir qubes-builder/qubes-src
-      ln -s $CI_PROJECT_DIR qubes-builder/qubes-src/builder-alpine
-      cp builder.conf qubes-builder/.
-      git clone https://github.com/QubesOS/qubes-linux-template-builder qubes-builder/qubes-src/linux-template-builder
-      echo "%define _arch x86_64" >> qubes-builder/qubes-src/linux-template-builder/templates.spec
-      cd qubes-builder
-      make linux-template-builder
-      cp qubes-src/linux-template-builder/rpm/noarch/qubes-template-*.rpm $CI_PROJECT_DIR/.
-  artifacts:
-    paths:
-      - qubes-template-*.rpm
-    expire_in: 7 days
-    when: always
-  tags:
-    - qubes-template
-
-verify-alpine320:
-  extends: .verify
-  variables: 
-    CI_ALPINE_TARGET_RELEASE: alpine320
-
-.build:
-  stage: build
-  rules:
-    - if: $CI_COMMIT_TAG
-  interruptible: true
-  script:
-    - |
-      sudo apk add rpm wget losetup coreutils eudev e2fsprogs xen
-      doas addgroup $USER abuild
-      export PATH="$PATH:$CI_PROJECT_DIR/.gitlab/bin"
-      git clone https://github.com/QubesOS/qubes-builder
-      mkdir qubes-builder/qubes-src
-      ln -s $CI_PROJECT_DIR qubes-builder/qubes-src/builder-alpine
-      cp builder.conf qubes-builder/.
-      git clone https://github.com/QubesOS/qubes-linux-template-builder qubes-builder/qubes-src/linux-template-builder
-      echo "%define _arch x86_64" >> qubes-builder/qubes-src/linux-template-builder/templates.spec
-      cd qubes-builder
-      make linux-template-builder
-      cp qubes-src/linux-template-builder/rpm/noarch/qubes-template-*.rpm $CI_PROJECT_DIR/.
-      cd $CI_PROJECT_DIR
-      CI_ALPINE_RPM_NAME="$(find qubes-template*.rpm)"
-      echo "ALPINE_RPM_NAME=$CI_ALPINE_RPM_NAME" > job.env
-      echo "Generating sha512sum"
-      sha512sum $CI_ALPINE_RPM_NAME > $CI_ALPINE_RPM_NAME.sha512sum
-  after_script:
-    - echo "JOB_ID=$CI_JOB_ID" >> job.env
-  artifacts:
-    paths:
-      - qubes-template*.rpm
-      - qubes-template*.sha512sum
-    expire_in: never
-    when: always
-    reports:
-      dotenv: job.env
-  tags:
-    - qubes-template
-
-build-alpine320:
-  extends: .build
-  variables: 
-    CI_ALPINE_TARGET_RELEASE: alpine320
-
-release:
-  stage: release
-  allow_failure: false
-  tags:
-    - qubes-template
-  rules:
-    - if: $CI_COMMIT_TAG
-  when: on_success
-  script:
-    - echo "Create Release $GI_COMMIT_TAG"
-    - echo $JOB_ID
-    - echo $ALPINE_RPM_NAME
-  release:
-    name: 'Release $CI_COMMIT_TAG'
-    description: 'Release $CI_COMMIT_TAG'
-    tag_name: '$CI_COMMIT_TAG'
-    ref: '$CI_COMMIT_SHA'
-    assets:
-      links:
-        - name: "$ALPINE_RPM_NAME"
-          filepath: "/template/qubes-template-$CI_COMMIT_TAG.rpm"
-          url: "https://lab.ilot.io/ayakael/qubes-builder-alpine/-/jobs/$JOB_ID/artifacts/raw/$ALPINE_RPM_NAME"
-        - name: "$ALPINE_RPM_NAME.sha512sum"
-          filepath: "/template/qubes-template-$CI_COMMIT_TAG.rpm.sha512sum"
-          url: "https://lab.ilot.io/ayakael/qubes-builder-alpine/-/jobs/$JOB_ID/artifacts/raw/$ALPINE_RPM_NAME.sha512sum"

scripts/04_install_qubes.sh

@@ -17,8 +17,8 @@ fi
 
 APKTOOLS_CACHE_DIR="${CACHEDIR}/apk_cache"
 ALPINELINUX_VERSION=${DIST_VER:-latest-stable}
-QUBESALPINE_MIRROR="${QUBESALPINE_MIRROR:-https://lab.ilot.io/ayakael/repo-apk/-/raw}"
-QUBESALPINE_KEYFILE="${QUBESALPINE_KEYFILE:-antoine.martin@protonmail.com-5b3109ad.rsa.pub}"
+QUBESALPINE_MIRROR="${QUBESALPINE_MIRROR:-https://ayakael.net/api/packages/forge/alpine}"
+QUBESALPINE_KEYFILE="${QUBESALPINE_KEYFILE:-https://ayakael.net/api/packages/forge/alpine/key}"
 QUBES_REL="${QUBES_REL:-r4.2}"
 export APK_CACHE_DIR
 
@@ -28,8 +28,10 @@ if [ "$VERBOSE" -ge 2 ] || [ "$DEBUG" -gt 0 ]; then
 fi
 
 echo "  --> Adding Qubes custom repository..."
-su -c "echo '$QUBESALPINE_MIRROR/$ALPINELINUX_VERSION/qubes/$QUBES_REL' >> $INSTALLDIR/etc/apk/repositories"
-wget "$QUBESALPINE_MIRROR/$ALPINELINUX_VERSION/$QUBESALPINE_KEYFILE" -P "$INSTALLDIR"/etc/apk/keys
+su -c "echo '$QUBESALPINE_MIRROR/$ALPINELINUX_VERSION/qubes-$QUBES_REL' >> $INSTALLDIR/etc/apk/repositories"
+pushd "$INSTALLDIR"/etc/apk/keys
+curl -JO "$QUBESALPINE_KEYFILE"
+popd
 
 echo "  --> Synchronize resolv.conf..."
 cp /etc/resolv.conf "${INSTALLDIR}/etc/resolv.conf"

scripts/alpine-chroot

@@ -31,7 +31,7 @@ chroot_setup() {
     chroot_add_mount sys "$1/sys" -t sysfs -o nosuid,noexec,nodev,ro &&
     # alpine-chroot will never have occasion to use efivars, so don't bother
     # mounting efivarfs here
-    chroot_add_mount udev "$1/dev" -t devtmpfs -o mode=0755,nosuid &&
+    chroot_add_mount /dev "$1/dev" -o bind &&
     chroot_add_mount devpts "$1/dev/pts" -t devpts -o mode=0620,gid=5,nosuid,noexec &&
     chroot_add_mount shm "$1/dev/shm" -t tmpfs -o mode=1777,nosuid,nodev &&
     chroot_add_mount run "$1/run" -t tmpfs -o nosuid,nodev,mode=0755 &&