mrrl-containers

confz_site_containers_init (35249B)

---

 #!zsh
 #  vim: ft=zsh noet ts=4 sts=4 sw=4
 
 typeset -gA site_containers_mountpoints=(
 	init	/home/ccx/bzr/container-user-init
 	ccx-bzr	/home/ccx/bzr
 	ccx-dotfiles	/home/ccx/bzr/container-dotfiles
 	ccx-scripts	/home/ccx/bzr/container-scripts
 	ccx-password-store	/home/ccx/bzr/password-store
 	ccx-development	/home/ccx/development
 	ccx-baregit	/home/ccx/baregit
 	#ccx-opt	/home/ccx/opt
 	rcm-devops	/mnt/volumes/containers/user/ccx/git/home/ccx/git/rcm-devops
 	# ccx-git	/home/ccx/git
 	# ccx-git-recombee	/home/ccx/git/recombee
 	ccx-task	/home/ccx/task
 	pthbs	/usr/src/pthbs
 	mrrl	/usr/src/mrrl
 	audio	/mnt/volumes/audio
 	video	/mnt/volumes/video
 	photos	/mnt/volumes/photos
 	versions	/versions
 	mail-te2000.cz-ccx	/home/ccx/mail/te2000.cz/ccx
 	mail-disroot.org-ccx	/home/ccx/mail/disroot.org/ccx
 	mail-recombee.com-jan.pobrislo	/home/ccx/mail/recombee.com/jan.pobrislo
 )
 
 confz_site_containers_usersvc_simple_check() {
 	checkvars containers_dir svscan_dir user uid gid image_name
 	defvar container_name "$vars[image_name]"
 	defvar mount_ro "init ccx-dotfiles ccx-scripts"
 	defvar container_type generic
 
 	local userdir bindroot flags mtp src dst src_el dst_el
 	local -a fstab mnt_dirs_extra pid1_el_lines
 	userdir=$vars[containers_dir]/user/$vars[user]
 	bindroot=$userdir/$vars[container_name]/root
 
 	if (($+vars[mount_ro])); then
 		flags=$'\tnone\tbind,ro,nosuid,nodev\t0 0'
 		for mtp in ${=vars[mount_ro]}; do
 			src=$site_containers_mountpoints[$mtp]
 			dst=$bindroot/mnt/$mtp
 			mnt_dirs_extra+=( $mtp )
 			fstab+=( $src$'\t'$dst$flags )
 			src_el=\"${${src//\\/\\\\}//\"/\\\"}\"
 			dst_el=\"${${dst//\\/\\\\}//\"/\\\"}\"
 			pid1_el_lines+=(
 				"if { mkdir -p $dst_el }"
 				"if { s6-mount -r -o bind,nodev,nosuid $src_el $dst_el }"
 				"if { s6-mount -o remount,bind,ro,nodev,nosuid . $dst_el }"
 			)
 		done
 	fi
 	if (($+vars[mount_rw])); then
 		flags=$'\tnone\tbind,rw,nosuid,nodev\t0 0'
 		for mtp in ${=vars[mount_rw]}; do
 			src=$site_containers_mountpoints[$mtp]
 			dst=$bindroot/mnt/$mtp
 			mnt_dirs_extra+=( $mtp )
 			fstab+=( $src$'\t'$dst$flags )
 			src_el=\"${${src//\\/\\\\}//\"/\\\"}\"
 			dst_el=\"${${dst//\\/\\\\}//\"/\\\"}\"
 			pid1_el_lines+=(
 				"if { mkdir -p $dst_el }"
 				"if { s6-mount -r -o bind,nodev,nosuid $src_el $dst_el }"
 				"if { s6-mount -o remount,bind,rw,nodev,nosuid . $dst_el }"
 			)
 		done
 	fi
 
 	(($+vars[pid1_el])) && pid1_el_lines+=( $vars[pid1_el] )
 
 	if (($#mnt_dirs_extra)); then
 		unify mnt_dirs_extra "$mnt_dirs_extra"
 		unify fstab_extra ${(F)fstab}
 	fi
 
 	require container_service_$vars[container_type] \
 		:image_name :container_name :containers_dir :svscan_dir :user \
 		\?mnt_dirs_extra \?fstab_extra \?prepare_chroot \?linux_caps \
 		\?seccomp_profile \?display_number \
 		pid1_el=${(F)pid1_el_lines}
 
 	#local chome=$userdir/$vars[container_name]/home/$vars[user]
 	#if ! [[ -d $chome/run ]]; then
 	#	require fs_l filename=$chome/run  destination=/mnt/init
 	#	require fs_o filename=$chome/run  owner=$uid:$gid
 	#fi
 }
 
 confz_site_containers_xorg_check() {
 	checkvars containers_dir svscan_dir
 	defvar user xorg
 	local display container bind bindroot chome uid gid
 	local -a fstab
 	bind=$'\tnone\tbind,nosuid,nodev\t0 0'
 	uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
 	gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
 
 	for display in 5 6 7 8; do
 		container=X$display
 		require container_service_xorg \
 			vtN=$display image_name=gentoo-xorg \
 			:containers_dir :svscan_dir :user
 	done
 }
 
 confz_site_containers_user_single_check() {
 	checkvars containers_dir svscan_dir user container_name image_name
 	defvar mount_ro init
 	require container_uidgid_for_name name=$vars[user] %uid %gid
 	require site_containers_usersvc_simple \
 		:containers_dir :svscan_dir :user :uid :gid \
 		:container_name :image_name :mount_ro \?mount_rw \?linux_caps \
 		\?seccomp_profile \
 		\?prepare_chroot
 }
 
 # User Container
 UC() {
 	local container image
 	container=$1
 	shift
 	image=${1:-$container}
 	(($#)) && shift
 	require site_containers_usersvc_simple \
 		:containers_dir :svscan_dir :user :uid :gid \
 		container_name=$container image_name=$image "$@"
 }
 
 SUC() {
 	local container image
 	container=$1
 	shift
 	image=${1:-$container}
 	(($#)) && shift
 	require site_containers_user_single :containers_dir :svscan_dir \
 		user=$container container_name=$container image_name=$image "$@"
 }
 #typeset -f -t UC
 
 UCa() {
 	local container=$1
 	shift
 	UC $container alpine-$container "$@"
 }
 
 SUCa() {
 	local container=$1
 	shift
 	SUC $container alpine-$container "$@"
 }
 
 UCv() {
 	local container=$1
 	shift
 	UC $container void-$container "$@"
 }
 
 confz_site_containers_user_check() {
 	checkvars containers_dir svscan_dir user
 	require container_uidgid_for_name name=$vars[user] %uid %gid
 
 	local ro="mount_ro=init ccx-dotfiles ccx-scripts"
 
 	local -a el_netns=(
 		'unshare -n  # make new network namespace'
 		'if { ip addr add 127.0.0.1/8 dev lo }'
 		'if { ip addr add ::1/128 dev lo }'
 		'if { ip link set lo up }'
 	)
 	local in_netns=pid1_el=${(F)el_netns}
 
 	local with_more_fds=pid1_el='zsh -c "ulimit -Hn 16384 && exec \"$@\"" --'
 
 	local -a el_mount_usb_devices=(
 		"#!$(which execlineb) -P"
 		'if { mount -o bind,ro /dev/bus/usb dev/bus/usb }'
 		'mount -t sysfs sysfs sys'
 	)
 	local with_usb=prepare_chroot=${(F)el_mount_usb_devices}
 
 	local -a el_mount_audio_devices=(
 		"#!$(which execlineb) -P"
 		'if { mount -o bind,ro /dev/snd dev/snd }'
 		'mount -t sysfs sysfs sys'  # maybe not necessary?
 	)
 	local with_audio=prepare_chroot=${(F)el_mount_audio_devices}
 
 	local -a el_mount_ccx_opt=(
 		"#!$(which execlineb) -P"
 		'if { mount -o bind,ro /home/ccx/opt ./opt }'
 	)
 	local with_opt=prepare_chroot=${(F)el_mount_ccx_opt}
 
 	local display
 	for display in 5 6 7 8; do
 		UC xsession.$display alpine-xsession \
 			container_type=xsession \
 			display_number=$display \
 			:containers_dir :svscan_dir :user
 	done
 
 	UC  alpine-browsers
 	UC  pentoo
 	UCa weechat
 	UCa senpai
 	UCa profanity
 	UCa gomuks
 	UCa testssl
 	UCa tinyproxy
 	UCa tor
 	UCa syncthing
 	UCa mpv
 	UCa imgproc
 	UCa ghosttext $in_netns
 	UC  rcm-jira alpine-ghosttext $in_netns seccomp_profile=ptrace
 	UC  socks alpine-tinyproxy "$ro versions"
 	UC  pypi-mirror alpine-httpd $in_netns
 	UCa ssh
 	UCa pass mount_rw="ccx-password-store" $in_netns
 	# seccomp profile for OpenSSH: KnownHostsCommand-ORDER: setresgid 1000: Operation not permitted
 	UC  rcm-ssh alpine-ssh seccomp_profile=setuidgid "$ro rcm-devops versions" $with_more_fds
 	UCa socials $in_netns
 	UCa gpg $with_usb $in_netns
 	UCa notes $in_netns mount_rw=ccx-task
 	UCa gimp $in_netns
 	UCa ebook $in_netns
 	UCv telegram
 	UC  mumble gentoo-mumble
 	UC  gentoo-dev gentoo-dev
 	UCa pdf
 	UCa poezio
 	UCa libervia
 	UCa signal
 	UCa bugwarrior mount_rw=ccx-task
 	UC  signal2 alpine-signal
 	UC  scrapbook alpine-pywebscrapbook $in_netns
 	UC  ff-artemislena-audio void-browsers
 	UC  ff-te2000-audio void-browsers
 	UC  ff-rcm-audio void-browsers
 	UC  ff-hanka-audio void-browsers
 	UC  ff-rcm-slack alpine-browsers
 	UC  ff-blesmrt.net alpine-browsers
 	UC  ff-syncthing alpine-browsers $in_netns
 	UC  ff-rcm-google alpine-browsers $in_netns
 	UC  ff-rcm-internal alpine-browsers $in_netns
 	UC  ff-rcm-other alpine-browsers $in_netns
 	UC  ff-recombee.1password.eu alpine-browsers $in_netns
 	UC  ff-kosik.cz alpine-browsers $in_netns
 	UC  ff-template alpine-browsers $in_netns
 	UC  ff-te2000 alpine-browsers $in_netns
 	UC  ff-te2000-google alpine-browsers $in_netns
 	UC  ff-webcomics alpine-browsers $in_netns
 	UC  ff-csas.cz alpine-browsers $in_netns
 	UC  ff-flife alpine-browsers $in_netns
 	UC  ff-github.com alpine-browsers $in_netns
 	UC  ff-sopuli.xyz alpine-browsers $in_netns
 	UC  ff-kumi.tube alpine-browsers $in_netns
 	UC  ff-diode.zone alpine-browsers $in_netns
 	UC  ff-kosik.cz alpine-browsers $in_netns
 	UC  ff-disroot.org alpine-browsers $in_netns
 	UC  ff-codeberg.org alpine-browsers $in_netns
 	UC  ff-wise.com alpine-browsers $in_netns
 	UC  ff-pixelfed.de alpine-browsers $in_netns
 	UC  ff-time4vps.com alpine-browsers $in_netns
 	UC  ff-itch.io alpine-browsers $in_netns
 	UC  ff-mobilizon.envs.net alpine-browsers $in_netns
 	UC  ff-lulu.com alpine-browsers $in_netns
 	UC  ff-mojemana.cz alpine-browsers $in_netns
 	UC  ff-norwegian.com alpine-browsers # $in_netns
 	UC  ff-finnair.com alpine-browsers # $in_netns
 	UC  gentoo-browsers gentoo-torbrowser $in_netns
 	UC  gentoo-video gentoo-video $in_netns "$ro video"
 	UC  syncplay gentoo-video "$ro video"
 	#UC  twitch             void-browsers
 	UCa aria2 mount_rw="video audio"
 	UC  neonmodem          alpine-go
 	UC  iamb               alpine-rust
 	UC  simplex            alpine-haskell
 	UC  xpra               gentoo-xorg            container_type=ephemeral $in_netns seccomp_profile=xpra
 	UC  bzr                alpine-breezy          mount_rw=ccx-bzr "$ro ccx-baregit" $in_netns
 	UC  git                alpine-git             mount_rw=ccx-baregit $in_netns
 	UC  sndiod             alpine-sndio           $with_audio $in_netns
 	UC  mpd                void-mpd               "$ro init audio"
 	UC  doom               void-doom              $in_netns seccomp_profile=ptrace
 	#UC  {,}alpine-recombee
 	UC  rcm-puppet         alpine-puppet          $in_netns
 	UC  rcm-postgresql-dev alpine-postgresql-dev  $in_netns seccomp_profile=ptrace
 	UC  spark              alpine-dev-spark       mount_rw="ccx-bzr" seccomp_profile=ptrace
 	UC  ssrn-master-dev    alpine-postgresql-dev  mount_rw="ccx-bzr" $in_netns seccomp_profile=ptrace
 	UC  ssrn-monitor-dev   alpine-postgresql-dev  mount_rw="ccx-bzr" $in_netns seccomp_profile=ptrace
 	UC  pthbs-dev          alpine-pthbs-dev       mount_rw="ccx-bzr" "$ro pthbs mrrl" $in_netns seccomp_profile=ptrace
 	UC  ledum-dev          alpine-pthbs-dev       "$ro pthbs mrrl" $in_netns seccomp_profile=ptrace
 	UC  pthbs-build        mrrl-bindmount         "$ro versions mrrl" $in_netns $with_more_fds seccomp_profile=build
 	UC  gentoo-prefix-dev  alpine-gentoo-dev      $with_opt "$ro versions" seccomp_profile=ptrace
 	UC  x11-dev            gentoo-xorg            mount_rw="ccx-bzr" $in_netns seccomp_profile=ptrace
 	UCa weechat-dev $in_netns seccomp_profile=ptrace
 	UCa ocaml-dev $in_netns seccomp_profile=ptrace
 	# -- mail
 	UCa mail-net                   mount_rw="mail-te2000.cz-ccx mail-disroot.org-ccx"
 	UC  {rcm,alpine}-mail-net      mount_rw="mail-recombee.com-jan.pobrislo"
 	UC  mail      alpine-mail-read mount_rw="mail-te2000.cz-ccx mail-disroot.org-ccx" $in_netns
 	UC  rcm-mail  alpine-mail-read mount_rw="mail-recombee.com-jan.pobrislo" $in_netns
 
 }
 
 confz_site_container_services_check() {
 	defvar containers_dir /mnt/volumes/containers
 	defvar svscan_dir /run/service
 	require site_containers_xorg user=xorg :containers_dir :svscan_dir
 	require site_containers_user user=ccx :containers_dir :svscan_dir
 	#require container_service_sysroot :containers_dir :svscan_dir \
 	#	image_name=alpine-dev
 	local -a el_rfkill_and_sys=(
 		"#!$(which execlineb) -P"
 		'importas -i GID GID'
 		'if { mknod -m 660 ./dev/rfkill c 10 242 }'
 		'if { chown 0:${GID} ./dev/rfkill }'
 		'mount -t sysfs sysfs sys'
 	)
 	local -a el_net_tun=(
 		"#!$(which execlineb) -P"
 		'importas -i GID GID'
 		'if { mknod -m 660 ./dev/net/tun c 10 200 }'
 		'if { chown 0:${GID} ./dev/net/tun }'
 	)
 
 	SUCa wpa_supplicant linux_caps='^CAP_NET_ADMIN,^CAP_NET_RAW' \
 		prepare_chroot=${(F)el_rfkill_and_sys}
 	SUCa dhcpcd linux_caps='^CAP_NET_ADMIN,^CAP_NET_RAW,^CAP_NET_BIND_SERVICE'
 	SUCa unbound linux_caps='^CAP_NET_BIND_SERVICE'
 	SUCa tinc linux_caps='^CAP_NET_ADMIN' prepare_chroot=${(F)el_net_tun}
 	SUCa networking linux_caps='^CAP_NET_ADMIN,^CAP_NET_RAW' \
 		prepare_chroot=${(F)el_rfkill_and_sys}
 }
 
 confz_site_container_alpine_check() {
 	checkvars containers_dir svscan_dir image_name packages
 	defvar arch x86_64
 	defvar repositories 'main community'  # abduco lives in community
 
 	require container_alpine_image \
 		:containers_dir :arch :image_name :repositories \?release
 	require container_alpine_packages_installed \
 		:containers_dir :svscan_dir :image_name :packages
 }
 
 confz_site_container_void_musl_check() {
 	checkvars containers_dir svscan_dir image_name packages
 	defvar arch x86_64-musl
 	defvar repository current/musl
 
 	require container_void_image \
 		:containers_dir :arch :repository :image_name
 	require container_void_packages_installed \
 		:containers_dir :svscan_dir :image_name :packages
 }
 
 confz_site_container_void_glibc_check() {
 	checkvars containers_dir svscan_dir image_name packages
 	defvar arch x86_64
 	defvar repository current
 
 	require container_void_image \
 		xbps_install_executable=xbps-install.static \
 		:containers_dir :arch :repository :image_name
 	require container_void_packages_installed \
 		:containers_dir :svscan_dir :image_name :packages
 }
 
 confz_site_container_void_glibc_nonfree_check() {
 	checkvars containers_dir svscan_dir image_name packages
 	defvar arch x86_64
 	defvar repository current
 
 	require container_void_image \
 		xbps_install_executable=xbps-install.static \
 		:containers_dir :arch :repository :image_name
 	require container_void_packages_installed \
 		:containers_dir :svscan_dir :image_name packages=void-repo-nonfree
 	require container_void_packages_installed \
 		:containers_dir :svscan_dir :image_name :packages
 }
 
 confz_site_container_gentoo_check() {
 	checkvars containers_dir svscan_dir image_name system
 	defvar system amd64-musl-hardened
 
 	require container_gentoo_from_snapshot \
 		:containers_dir :system :image_name :svscan_dir
 }
 
 confz_site_container_nix_check() {
 	checkvars containers_dir svscan_dir image_name packages
 	defvar system x86_64-linux
 	defvar repository current/musl
 
 	require container_nix_image_from_release \
 		:containers_dir :repository :image_name :svscan_dir :system
 	require container_nix_packages_installed \
 		:containers_dir :svscan_dir :image_name :packages
 	require container_nix_bin_linked :containers_dir :image_name
 }
 
 confz_site_container_debian_puppetserver_check() {
 	checkvars containers_dir svscan_dir image_name
 	defvar arch amd64
 	defvar suite bullseye  # Debian 11
 	defvar packages puppetserver
 
 	require container_debian_image \
 		:containers_dir :image_name :svscan_dir :arch :suite \?root
 	require container_puppet_apt_repo \
 		:containers_dir :image_name :svscan_dir :arch :suite
 	require container_debian_packages_installed_with_fakeroot \
 		:containers_dir :svscan_dir :image_name :packages
 }
 
 confz_site_container_images_check() {
 	checkvars containers_dir svscan_dir
 
 	local -a gentoo_images_musl
 	gentoo_images_musl=(
 		xorg
 		video
 		torbrowser
 		mumble
 		dev
 	)
 
 	local i
 	for i in $gentoo_images_musl; do
 		require site_container_gentoo :containers_dir :svscan_dir \
 			system=amd64-musl-hardened image_name=gentoo-$i
 	done
 
 	require container_mrrl_image :containers_dir :svscan_dir \
 		image_name=mrrl-bindmount
 
 	require site_container_gentoo :containers_dir :svscan_dir \
 		system=amd64-nomultilib-openrc image_name=gentoo-dev-glibc
 
 	local -a alpine_core=(
 		s6
 		s6-{rc,linux-utils,portable-utils}
 		execline
 		ncurses-terminfo
 		zsh
 		tree
 		strace
 		musl-utils
 	)
 
 	local -a alpine_community=(
 		$alpine_core
 		abduco
 		rxvt-unicode-terminfo
 	)
 
 	local -a alpine_x11=(
 		$alpine_community
 		fontconfig
 		rxvt-unicode
 		nsxiv
 		font-terminus
 		font-unifont
 		#wmctrl
 		xauth
 		xbindkeys
 		xclip
 		xdotool
 		xdpyinfo
 		xev
 		xrandr
 		xrdb
 	)
 
 	local -a alpine_terminal=(
 		$alpine_community
 		tmux
 		strace
 		vis
 		# mandoc
 	)
 
 	local -a alpine_dev_core=(
 		$alpine_terminal
 		vim
 		ctags
 		ripgrep delta bat
 		git
 		git-lfs
 		tig
 		make
 		patch
 		rsync
 		strace
 		{skalibs,s6,execline}-{dev,static}
 	)
 
 	local -a alpine_dev_py3=(
 		$alpine_dev_core
 		py3-setuptools
 		py3-pip
 		py3-pysocks  # for proxy support in pip
 		py3-wheel
 		py3-pip-tools
 		breezy
 		py3-tzlocal  # for breezy
 		py3-cffi  # not strictly necessary but used by eg. taskwarrior/bugwarrior
 		s6-networking # for tunneling proxy through unix sockets
 		man-pages
 		man-pages-posix
 		mandoc
 		ctags-doc
 	)
 	local -a alpine_dev_py3_gcc=(
 		$alpine_dev_py3
 		python3-dev
 		gcc
 		g++
 		musl-dev
 		ncurses-dev
 		zlib-dev
 		openssl-dev
 		gmp-dev
 		libffi-dev
 	)
 	local -a alpine_dev_py3_gdb=(
 		$alpine_dev_py3_gcc
 		curl{,-dev,-dbg}
 		musl-dbg
 		openssl-{dev,dbg}
 		readline-dev
 		sqlite{,-dev}
 		python3-dbg
 		gdb
 		perf
 	)
 
 	local -a alpine_dev_ocaml=(
 		$alpine_dev_core
 		s6-networking # for tunneling proxy through unix sockets
 		man-pages
 		man-pages-posix
 		mandoc
 		ctags-doc
 		python3-dev
 		gcc
 		g++
 		musl-dev
 		ncurses-dev
 		zlib-dev
 		openssl-dev
 		gmp-dev
 		libffi-dev
 		# ocaml{,-doc}  # ocaml-4.x
 		# ocamlbuild{,-doc}
 		opam{,-doc}
 		dune{,-doc}
 		ocaml5{,-doc,-ocamldoc,-compiler-libs}
 	)
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-ocaml-dev packages="$alpine_dev_ocaml"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-sndio \
 		packages="$alpine_community sndio alsa-utils strace tmux"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-httpd \
 		packages="$alpine_terminal s6-networking thttpd thttpd-doc tipidee tipidee-doc w3m"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-tinyproxy \
 		packages="$alpine_terminal s6-networking w3m tinyproxy"  # tinyproxy-doc mandoc"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-aria2 \
 		packages="$alpine_terminal aria2 aria2-doc"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-syncthing \
 		packages="$alpine_community syncthing ncdu"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-mpv \
 		packages="$alpine_x11 mpv mpv-dbg strace gdb"
 
 	local -a alpine_pdf=(
 		$alpine_x11
 		qpdf
 		xpdf
 		pdf4qt
 		mupdf
 		zathura zathura-pdf-poppler
 		corepdf
 		ghostscript ghostscript-doc
 		poppler-utils poppler-doc
 		mandoc
 		tmux
 		vis
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-pdf \
 		packages="$alpine_pdf"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-tor \
 		packages="$alpine_community tor"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-wpa_supplicant \
 		packages="$alpine_community wpa_supplicant"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-unbound \
 		packages="$alpine_community unbound"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-dhcpcd \
 		packages="$alpine_community dhcpcd"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-tinc \
 		packages="$alpine_community tinc-pre"
 
 	local -a alpine_networking=(
 		$alpine_community
 		util-linux util-linux-misc  # for rfkill
 		iproute2
 		dhcpcd
 		unbound ldns-tools drill
 		fping traceroute tcptraceroute
 		iptraf-ng
 		mtr
 		arping
 		bridge-utils
 		tshark
 		tcpdump
 		conntrack-tools
 		iptables
 		nftables
 		ethtool
 		macchanger
 		stunnel
 		socat
 		s6-networking
 		sslscan
 		ssldump
 		htop
 		gdb
 		iftop
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-networking \
 		packages="$alpine_networking"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-go \
 		packages="$alpine_dev_core go"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-git \
 		packages="$alpine_dev_core git-daemon s6-networking"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-rust \
 		packages="$alpine_dev_core rust cargo rustup"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-gpg packages="$alpine_terminal gnupg gnupg-scdaemon pinentry-tty pinentry-curses-ss"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-pass packages="$alpine_terminal gnupg pass pass-otp git"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-ssh packages="$alpine_terminal openssh dropbear make rsync got"
 
 	local -a alpine_weechat=(
 		$alpine_terminal
 		weechat weechat-matrix weechat-python weechat-perl weechat-spell
 		aspell aspell-utils
 		git
 		perl-pod-parser  # for multiline.pl
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-weechat packages="$alpine_weechat"
 
 	local -a alpine_weechat_dev=(
 		$alpine_dev_py3_gdb
 		socat
 		weechat weechat-matrix weechat-python weechat-perl weechat-spell
 		weechat-dev
 		aspell aspell-utils
 		aspell-dev
 		cmake
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-weechat-dev packages="$alpine_weechat_dev"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-senpai \
 		packages="$alpine_terminal senpai senpai-doc mandoc"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-profanity packages="$alpine_terminal profanity"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-gomuks packages="$alpine_terminal gomuks"
 
 	local -a alpine_haskell=(
 		# deps claimed by ghcup
 		binutils-gold curl gcc g++ gmp-dev libffi-dev make musl-dev ncurses-dev perl tar xz
 		# for verifying ghcup
 		gnupg gnupg-wks-client	
 		# other
 		git zlib-dev openssl-dev
 		cabal
 		grep findutils ripgrep
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-haskell \
 		packages="$alpine_haskell"
 
 	local -a alpine_testssl=(
 		$alpine_terminal
 		bash
 		coreutils  # (for dd)
 		procps-ng  # (for ps)
 		git
 		make
 		patch
 		ldns-tools
 		drill
 		sfeed curl
 		openssl
 		gnutls-utils
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-testssl packages="$alpine_testssl"
 
 	local -a alpine_mail_net=(
 		$alpine_terminal
 		make patch
 		mandoc
 		{mblaze,slrn,msmtp}{,-doc}
 		py3-{setuptools,pip,wheel}  # Python 3 / venv
 		py3-{cryptography,urllib3,certifi,distro,python-gssapi}  # offlineimap3
 		git git-doc  # offlineimap3 source
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-mail-net packages="$alpine_mail_net"
 
 	local -a alpine_mail_read=(
 		$alpine_terminal
 		make
 		mandoc
 		{neomutt,mblaze,notmuch,elinks,w3m,lynx,git,par}{,-doc}
 		py3-{setuptools,pip,wheel}  # Python 3 / venv
 		py3-{notmuch,urwid{,trees},twisted,magic,gpgme}  # alot
 		poppler-utils poppler-doc # pdftotext
 		catdoc{,-doc}  # .doc/.xls
 		gnumeric{,-doc} font-noto  # ssconvert
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-mail-read packages="$alpine_mail_read"
 
 	local -a alpine_dev_spark=(
 		$alpine_dev_py3
 		postgresql14
 		py3-psycopg2
 		openssh
 		rsync
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-dev-spark \
 		packages="$alpine_dev_spark"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-breezy \
 		packages="$alpine_dev_py3"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-bugwarrior \
 		packages="$alpine_dev_py3 task"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-notes \
 		packages="$alpine_dev_py3 broot task neovim py3-pynvim py3-six w3m par gawk"
 
 	local -a alpine_dev_pthbs=(
 		$alpine_dev_py3_gcc
 		broot
 		vim
 		neovim
 		py3-jinja2
 		py3-yaml
 		wget
 		pkgconf
 		htop
 		skalibs-dev
 		s6-dev
 		execline-dev
 		linux-headers
 		libcap-static
 		libcap-dev
 		socat
 		curl
 		gdb
 		ncdu
 		swi-prolog
 		gpg
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-pthbs-dev \
 		packages="$alpine_dev_pthbs"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-pywebscrapbook \
 		packages="$alpine_dev_py3 py3-pynvim"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-ebook \
 		packages="$alpine_dev_py3 py3-pynvim ebook-tools epy"
 
 	local -a alpine_poezio=(
 		$alpine_dev_py3_gcc
 		py3-{cryptography,asn1,asn1-modules,aiodns,pycares,typing-extensions}
 		py3-sphinx
 		cmake
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-poezio \
 		packages="$alpine_poezio"
 
 	local -a alpine_libervia=(
 		$alpine_dev_py3_gcc
 		py3-{cryptography,asn1,asn1-modules,aiodns,pycares,typing-extensions}
 		py3-{alembic,twisted,gobject3,lxml,lxml-html-clean,dbus,babel,pillow}
 		py3-{openssl,sqlalchemy,cairo,cairo-dev,libxml2,netifaces}
 		# Mercurial
 		mercurial mercurial-zsh-completion
 		# libcairo 2 with development header
 		cairo{,-dev,-dbg}
 		# libjpeg with development headers
 		libjpeg
 		libjpeg-turbo{,-dev}
 		# libgirepository 1.0 with development headers
 		# libdbus-1 with development headers
 		dbus{,-dev}
 		# libdbus-glib-1 with development headers
 		dbus-glib{,-dev}
 		# libxml2 with development headers
 		libxml2{,-dev,-dbg}
 		# libxlt2 with development headers
 		# D-Bus x11 tools (this doesn’t needs X11, it is just needed for dbus-launch)
 		cmake
 		libsodium{,-dev}
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-libervia \
 		packages="$alpine_libervia"
 
 	local -a alpine_imgproc=(
 		$alpine_dev_py3_gcc
 		python3-dev
 		py3-{matplotlib,numpy{,-dev},pillow,pyarrow}
 		tesseract-ocr
 		tesseract-ocr-data-{ces,eng,fin,pol,rus,ukr,osd}
 		cmake
 		swig
 		blas
 		openblas{,-dev}
 		gflags{,-dev}
 		graphicsmagick
 		poppler-utils
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-imgproc \
 		packages="$alpine_imgproc"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community" \
 		image_name=alpine-gimp \
 		packages="$alpine_x11 gimp"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main testing community" \
 		image_name=alpine-signal \
 		packages="$alpine_x11 signal-desktop"
 
 	local -a alpine_browsers=(
 		$alpine_x11
 		firefox
 		font-noto
 		#lxappearance
 		mupdf
 		mupdf-x11
 		7zip
 		qutebrowser
 		rsync
 		vimb
 		#visurf
 		w3m
 		privoxy  # can use upstream SOCKS proxy
 		s6-networking
 		execline
 		coreutils  # cat -s in ff-mkprofile
 		yad  # Yet Another Dialog, fork of Zenity
 		# py3-pynvim neovim # neovim + bindings for https://github.com/fregante/GhostText
 		# git  # for nvim plugins
 		# py3-pip py3-wheel  # for vim-ghost autoinstall procedure
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-browsers packages="$alpine_browsers"
 
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-ghosttext \
 		packages="$alpine_dev_py3 py3-pynvim neovim neovim-doc pandoc-cli pandoc-cli-doc w3m lynx elinks"
 
 	local -a alpine_socials=(
 		$alpine_x11
 		firefox
 		font-noto
 		#lxappearance
 		7zip
 		rsync
 		coreutils  # cat -s in ff-mkprofile
 		py3-pynvim neovim # neovim + bindings for https://github.com/fregante/GhostText
 		git  # for nvim plugins
 		py3-pip py3-wheel  # for vim-ghost autoinstall procedure
 		py3-{setuptools,pip,wheel}  # Python 3 / venv
 		py3-{cryptography,urllib3,certifi,distro,python-gssapi}  # offlineimap3
 		git-lfs
 		zsh-vcs
 		vim vis
 		tmux
 		htop
 		openssh
 		make
 		patch
 		ripgrep bat delta
 		colordiff
 		tree broot
 		gnupg pass
 		sfeed sfeed-doc lynx elinks w3m curl  # alternative RSS/ATOM processor
 		musl-utils  # for getent
 		notmuch mblaze notmuch-doc mblaze-doc notmuch-vim
 		socat
 		gawk
 		mksh
 		openssl
 		s6-networking
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		repositories="main community testing" \
 		image_name=alpine-socials packages="$alpine_socials"
 
 	local -a alpine_office=(
 		$alpine_x11
 		font-noto
 		#lxappearance
 		mupdf
 		mupdf-x11
 		7zip
 		catdoc
 		abiword
 		gnumeric
 		libreoffice
 	)
 #	require site_container_alpine :containers_dir :svscan_dir \
 #		repositories="main community testing" \
 #		image_name=alpine-office packages="$alpine_office"
 
 	local -a alpine_dev_postgresql=(
 		$alpine_dev_py3_gdb
 		git
 		git-daemon
 		git-doc
 		zsh-vcs
 		vim
 		ctags
 		htop
 		colordiff
 		tree broot
 		strace gdb
 		postgresql16{-jit,-contrib,-contrib-jit,-doc,-dev,-plpython3}
 		postgresql17{-jit,-contrib,-contrib-jit,-doc,-dev,-plpython3}
 		postgresql-{pgvector,timescaledb,plpgsql_check}
 		musl-dev
 		ncurses-dev
 		readline-dev
 		openssl-dev
 		py3-psycopg2
 		py3-pytest
 		py3-hypothesis
 		bison flex
 		libpq-dev libecpg-dev icu-dev lz4-dev zstd-dev
 		util-linux-dev zlib-dev
 		linux-headers
 		pg_top
 		pg_activity
 	)
 	alpine_dev_postgresql+=(  # timescaledb build deps
 		bash
 		cmake
 		# 'openssl-dev>3'
 		openssl-dev
 		perl-ipc-run
 		perl-utils
 		# postgresql
 		# postgresql-dev
 		samurai
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-postgresql-dev packages="$alpine_dev_postgresql"
 
 	local -a alpine_dev_gentoo=(
 		$alpine_dev_py3
 		bash
 		wget
 		git
 		git-daemon
 		git-doc
 		zsh-vcs
 		vim
 		ctags
 		htop
 		colordiff
 		tree broot
 		strace gdb
 		musl-dev
 		ncurses-dev
 		openssl-dev
 		gcc
 		g++
 		binutils
 		alpine-release
 		lsb-release-minimal
 		linux-headers
 		gettext{,-dev}
 		automake
 		autoconf
 		tar
 		findutils
 		coreutils
 		util-linux
 		mksh
 		bmake
 		nawk
 	)
 	#require site_container_alpine :containers_dir :svscan_dir \
 	#	image_name=alpine-gentoo-dev packages="$alpine_dev_gentoo"
 
 	local -a alpine_puppet=(
 		$alpine_terminal
 		# from alpine_dev_core
 		vim
 		ctags
 		ripgrep bat
 		delta
 		git
 		git-lfs
 		make
 		patch
 		rsync
 		strace
 		{skalibs,s6,execline}-{dev,static}
 		s6-networking
 		# added
 		man-pages
 		# man-pages-posix  ## missing
 		mandoc
 		zsh-vcs
 		htop
 		ruby-full ruby-bundler # for puppet
 		# ruby-json  # missing
 		colordiff
 		# jq
 		file
 		gawk
 		# openssl
 		ruby-dev
 		gcc
 		g++
 		musl-dev
 		ncurses-dev
 		zlib-dev
 		openssl-dev
 		gmp-dev
 		libffi-dev
 	)
 	# I see /opt/puppetlabs/puppet/bin/ruby --version
 	# => ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
 	# The newest alpine with ruby 3.1.x is v3.17 with 3.1.5-r0
 	# (was v3.17 with 2.7.6p219 previously)
 	require site_container_alpine :containers_dir :svscan_dir \
 		release=v3.17 image_name=alpine-puppet packages="$alpine_puppet"
 
 	local -a alpine_recombee=(
 		$alpine_community
 		# man-db
 		man-pages # man-pages-posix
 		git
 		git-lfs
 		git-daemon
 		git-doc
 		zsh-vcs
 		vim vis
 		tmux
 		htop
 		openssh
 		python3 ipython py3-pip py3-wheel
 		python3-dev libffi{,-dev}  # for compiling cffi
 		py3-cffi py3-cryptography py3-pynacl
 		ruby ruby-bundler ruby-json  # for puppet
 		ruby-bigdecimal ruby-rdoc  # for gitlab
 		make
 		patch
 		ripgrep bat  # delta
 		colordiff
 		jq
 		weechat weechat-python py3-websocket-client  # for wee-slack
 		weechat-spell aspell aspell-utils
 		py3-feedparser  # for weemustfeed.py
 		rsync
 		tree  # broot
 		gnupg pass
 		go  # for DC/OS CLI
 		file
 		strace gdb
 		task py3-cffi  # for taskwarrior/bugwarrior
 		sfeed sfeed-doc lynx elinks w3m curl  # alternative RSS/ATOM processor
 		drill ldns-tools  # for drill
 		musl-utils  # for getent
 		notmuch mblaze notmuch-doc mblaze-doc notmuch-vim
 		py3-notmuch py3-gpgme  # for alot
 		ncurses-dev  # for building sfeed from source
 		socat
 		gawk
 		# postgresql-dev  # for developing pg_cgroup
 		mksh
 		dpkg dpkg-dev
 		fuse3-dev pcre2-dev  # for tup
 		openssl
 		ctags
 		jsonnet
 		yq
 	)
 	#require site_container_alpine :containers_dir :svscan_dir \
 	#	release=v3.13 image_name=alpine-recombee packages="$alpine_recombee"
 
 	local -a void_core=(
 		abduco
 		s6
 		s6-{rc,linux-utils,portable-utils}
 		execline
 		ncurses-base
 		rxvt-unicode-terminfo
 		zsh
 		coreutils
 		which
 		grep
 		gawk
 		sed
 		findutils
 		strace
 		htop
 		procps-ng
 		vis
 	)
 	local -a void_x11=(
 		$void_core
 		xauth
 		xdg-utils
 		wmctrl
 		xdotool
 		xclip
 		file  # for xdg-open
 		rxvt-unicode
 		# xorg-fonts
 		font-misc-misc
 		dejavu-fonts-ttf
 		terminus-font
 	)
 
 	require site_container_void_musl :containers_dir :svscan_dir \
 		image_name=void-mpd packages="$void_core sndio sox mpd mpc ncmpcpp"
 
 	require site_container_void_musl :containers_dir :svscan_dir \
 		image_name=void-telegram packages="$void_x11 sndio sox telegram-desktop nsxiv"
 		# TODO: packages="p7zip" fails despite being installed
 
 	require site_container_void_musl :containers_dir :svscan_dir \
 		image_name=void-browsers packages="$void_x11 sndio sox firefox yad"
 
 	require site_container_void_musl :containers_dir :svscan_dir \
 		image_name=void-mumble packages="$void_x11 sndio sox mumble"
 
 	local -a void_doom=(
 		$void_x11
 		sndio sox
 		git
 		tmux
 		wget
 		curl
 		w3m
 		# p7zip
 		nsxiv
 		SLADE
 		deutex
 		crispy-doom
 		gzdoom
 		glxinfo
 	)
 	require site_container_void_musl :containers_dir :svscan_dir \
 		image_name=void-doom packages="$void_doom"
 
 	require site_container_void_glibc :containers_dir :svscan_dir \
 		image_name=void-signal \
 		packages="$void_x11 htop xdg-utils mesa-demos Signal-Desktop"
 
 	# require site_container_void_glibc_nonfree :containers_dir :svscan_dir \
 	# 	image_name=void-games \
 	# 	packages="$void_core dwarffortress adom"
 
 	local -a nix_core=(
 		s6
 		s6-{rc,linux-utils,portable-utils}
 		execline
 		# ncurses  # version stripping doesn't work for this ATM
 		zsh
 		abduco
 		rxvt-unicode
 	)
 
 	# require site_container_nix :containers_dir :svscan_dir \
 	# 	image_name=nix-signal packages="$nix_core signal-desktop"
 
 	#require site_container_debian_puppetserver :containers_dir :svscan_dir \
 	#	image_name=rcm-puppetserver
 
 	local -a alpine_xsession=(
 		$alpine_x11
 		# 9base
 		dmenu
 		fluxbox
 		font-arabic-misc
 		font-cursor-misc
 		# font-daewoo-misc
 		font-dec-misc
 		font-isas-misc
 		font-jis-misc
 		font-micro-misc
 		font-misc-cyrillic
 		font-misc-ethiopic
 		# font-misc-meltho
 		font-misc-misc
 		font-mutt-misc
 		font-noto
 		font-schumacher-misc
 		font-sony-misc
 		font-sun-misc
 		font-terminus-nerd
 		# fontforge
 		# fontforge-python3
 		gvncviewer
 		s6-networking
 		htop
 		i3lock{,-doc}
 		i3wm{,-doc}
 		mandoc
 		man-pages
 		multitail
 		ncurses
 		plan9port
 		py3-cairo
 		redshift
 		rxvt-unicode
 		rxvt-unicode-doc
 		scrot
 		setxkbmap
 		nsxiv
 		font-terminus
 		tmux{,-doc}
 		font-unifont
 		vis
 		# wmctrl
 		xautolock{,-doc}
 		xwininfo{,-doc}
 		xprop{,-doc}
 		xinput{,-doc}
 		xpra{,-doc}
 		xset{,-doc}
 		xfontsel{,-doc}
 		rofi{,-doc,-blocks}
 	)
 	require site_container_alpine :containers_dir :svscan_dir \
 		image_name=alpine-xsession \
 		packages="$alpine_xsession"
 }
 
 confz_site_containers_check() {
 	defvar containers_dir /mnt/volumes/containers
 	defvar svscan_dir /run/service
 	require site_container_images :containers_dir :svscan_dir
 	require site_container_services :containers_dir :svscan_dir
 }
 
 confz_container_sysroot_rundir_check() {
 	checkvars container_root container_name tmp_dir
 	require fs_contentnl filename=$vars[tmp_dir]/run/init \
 		content=$'#!/bin/sh\nexec sleep 3600'
 	require fs_m filename=$vars[tmp_dir]/run/init mode=755
 }