clawdie-iso/scripts/poudriere/README.md
Sam & Claude 2dac2d108d feat(poudriere): lean scripts for first-party pkg.clawdie.si build server
Turns the manual Phase 2–3 runbook (docs/POUDRIERE-BUILD-SERVER.md) into
repeatable, idempotent steps for the mother-build host — the package half of
the trusted supply chain (layered-soul HIVE-ONBOARDING §10).

- poudriere-setup.sh: verify-then-act setup. Validates root, FreeBSD version
  format, pkg/openssl, and that the ZFS pool exists BEFORE acting; then installs
  poudriere, generates the repo signing key (0400), writes poudriere.conf (only
  if absent), and creates the build jail + ports tree. Re-running skips anything
  already present.
- poudriere-build.sh: validates jail, ports tree, and each origin (category/name
  + Makefile present) before `poudriere bulk`; repo is signed automatically via
  PKG_REPO_SIGNING_KEY.
- clawdie-repo.conf.in: client repo template (signature_type pubkey) + the
  first-party-only priority note.
- README.md: the three-step flow and conventions.

Style matches live/operator-session/hw-report: POSIX sh, set -u, fixed PATH,
strict arg parsing, minimal checks (only what is acted upon). Host provisioning
(ZFS/base/network) stays in the runbook — these assume a FreeBSD host with a
pool. sh -n clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 17:22:28 +02:00


First-party package build server (pkg.clawdie.si)

Lean scripts that turn the manual Phase 2–3 runbook in ../../docs/POUDRIERE-BUILD-SERVER.md into repeatable, idempotent steps. They run on the mother-build host (FreeBSD) and produce the first-party, signed package repo that paid tenants pull from instead of public mirrors: the package half of the trusted supply chain (layered-soul HIVE-ONBOARDING.md §10).

These scripts deliberately do not provision the host (ZFS pool, base system, networking) — that is hardware-specific and stays in the runbook. They assume a FreeBSD host with a ZFS pool already present.

Flow

poudriere-setup.sh     →  poudriere-build.sh     →  serve + client config
(config, key, jail,       (build ports into the     (nginx over the repo dir;
 ports tree)              signed repo)              clawdie-repo.conf.in)

  1. Set up (idempotent; re-run anytime):

    mdo -u root ./poudriere-setup.sh --zpool zroot
    

    Generates /usr/local/etc/ssl/clawdie-pkg.{key,pub} (the private key is written mode 0400), writes /usr/local/etc/poudriere.conf (only if absent), and creates the build jail and ports tree. The public key is what clients trust.

  2. Build (signs the repo automatically via PKG_REPO_SIGNING_KEY):

    mdo -u root ./poudriere-build.sh --jail clawdie-amd64 --ports clawdie sysutils/colibri
    

    The sysutils/colibri port itself (Makefile/distinfo/pkg-plist) is created in the ports tree per the runbook's Phase 2.4.

  3. Serve + clients. Point nginx at /usr/local/poudriere/data/packages/clawdie-amd64-clawdie for https://pkg.clawdie.si/ (osa/mother-build already carry nginx + acme). Generate each client's repo config from the template, and ship the public key out of band (with the tenant image or over the provisioning channel, not fetched from pkg.clawdie.si itself, since it is the key that verifies that repo's catalog signature):

    sed "s#__PKG_URL__#https://pkg.clawdie.si/#; s#__PUBKEY_PATH__#/usr/share/keys/pkg/clawdie.pub#" \
        clawdie-repo.conf.in > /usr/local/etc/pkg/repos/clawdie.conf
    install -m 0444 /usr/local/etc/ssl/clawdie-pkg.pub /usr/share/keys/pkg/clawdie.pub
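
As an added example, not one of the clawdie-iso scripts: the client side of step 3 written in the same verify-then-act style, so the rendered repo config can be checked before it is shipped and the tenant host can be confirmed first-party only. The TEMPLATE body is a constructed stand-in for clawdie-repo.conf.in (only its two placeholders and signature_type pubkey are known from this page), and render_repo_conf, check_repo_conf and disable_default_repo are names chosen here, not part of the project.

```shell
#!/bin/sh
# Added example, not one of the clawdie-iso scripts: the client side of step 3
# as verify-then-act shell. The TEMPLATE body is a constructed stand-in for
# clawdie-repo.conf.in (only its two placeholders and signature_type pubkey
# are known from the README); render_repo_conf, check_repo_conf and
# disable_default_repo are names chosen here.
set -u
PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH

# Constructed template in the pkg.conf(5) repository format. mirror_type none
# and a fixed https URL: the catalog is signed, but there is no reason to let
# a tenant be redirected to another host.
TEMPLATE='clawdie: {
  url: "__PKG_URL__",
  mirror_type: "none",
  signature_type: "pubkey",
  pubkey: "__PUBKEY_PATH__",
  enabled: yes,
  priority: 100
}'

# render_repo_conf URL PUBKEY_PATH OUTFILE
# Validate the inputs first, then substitute both placeholders into OUTFILE.
render_repo_conf() {
    url=$1; pubkey=$2; out=$3
    case $url in
        https://*) ;;
        *) echo "render_repo_conf: refusing non-https URL: $url" >&2; return 1 ;;
    esac
    case $pubkey in
        /*) ;;
        *) echo "render_repo_conf: pubkey path must be absolute: $pubkey" >&2; return 1 ;;
    esac
    printf '%s\n' "$TEMPLATE" |
        sed "s#__PKG_URL__#$url#; s#__PUBKEY_PATH__#$pubkey#" > "$out"
}

# check_repo_conf CONF
# Run on the client after the public key has been installed: no placeholder
# left unfilled, signing still enforced, and the pubkey file actually present,
# since pkg(8) verifies the repo catalog against it.
check_repo_conf() {
    conf=$1
    if grep -q '__[A-Z_]*__' "$conf"; then
        echo "check_repo_conf: unfilled placeholder in $conf" >&2
        return 1
    fi
    if ! grep -q 'signature_type: *"pubkey"' "$conf"; then
        echo "check_repo_conf: $conf does not require a pubkey signature" >&2
        return 1
    fi
    key=$(sed -n 's/^ *pubkey: *"\(.*\)",*$/\1/p' "$conf")
    if [ -z "$key" ] || [ ! -s "$key" ]; then
        echo "check_repo_conf: pubkey file missing or empty: $key" >&2
        return 1
    fi
}

# disable_default_repo REPOS_DIR
# pkg(8) considers every enabled repository, so giving clawdie a higher
# priority does not stop a tenant pulling a package that only the public
# mirror carries. Overriding the default FreeBSD repo with enabled: no in
# REPOS_DIR (normally /usr/local/etc/pkg/repos) makes the host first-party only.
disable_default_repo() {
    dir=$1
    printf 'FreeBSD: { enabled: no }\n' > "$dir/FreeBSD.conf"
}
```

On a tenant the three calls would be `render_repo_conf https://pkg.clawdie.si/ /usr/share/keys/pkg/clawdie.pub /usr/local/etc/pkg/repos/clawdie.conf`, `check_repo_conf /usr/local/etc/pkg/repos/clawdie.conf` and `disable_default_repo /usr/local/etc/pkg/repos`, followed by `pkg update` to confirm the signed catalog is accepted.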
    

Conventions

  • POSIX sh, set -u, fixed PATH, usage() + strict arg parsing, verify-then-act (inputs and environment are validated before anything is created). Matches live/operator-session/hw-report.
  • Idempotent: existing config, key, jail, and ports tree are left untouched.
  • Defaults are overridable by flag or POUDRIERE_* env var.