Turns the manual Phase 2–3 runbook (docs/POUDRIERE-BUILD-SERVER.md) into repeatable, idempotent steps for the mother-build host — the package half of the trusted supply chain (layered-soul HIVE-ONBOARDING §10).

- poudriere-setup.sh: verify-then-act setup. Validates root, FreeBSD version format, pkg/openssl, and that the ZFS pool exists BEFORE acting; then installs poudriere, generates the repo signing key (0400), writes poudriere.conf (only if absent), and creates the build jail + ports tree. Re-running skips anything already present.
- poudriere-build.sh: validates jail, ports tree, and each origin (category/name + Makefile present) before `poudriere bulk`; repo is signed automatically via PKG_REPO_SIGNING_KEY.
- clawdie-repo.conf.in: client repo template (signature_type pubkey) + the first-party-only priority note.
- README.md: the three-step flow and conventions.

Style matches live/operator-session/hw-report: POSIX sh, set -u, fixed PATH, strict arg parsing, minimal checks (only what is acted upon). Host provisioning (ZFS/base/network) stays in the runbook — these assume a FreeBSD host with a pool. sh -n clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
18 lines
699 B
Text
# First-party Clawdie package repo. Install on clients (ISO build root and
# deployed jails) as /usr/local/etc/pkg/repos/clawdie.conf, after substituting
# __PKG_URL__ and shipping the public key to __PUBKEY_PATH__.
#
# sed "s#__PKG_URL__#https://pkg.clawdie.si/#" clawdie-repo.conf.in > clawdie.conf
# install -m 0444 clawdie-pkg.pub __PUBKEY_PATH__ # from poudriere-setup.sh
#
# For first-party-only (paid) tenants, also set the stock FreeBSD repo to a
# lower priority (or disabled) so resolution prefers signed Clawdie packages.

clawdie: {
    url: "__PKG_URL__",
    mirror_type: "none",
    signature_type: "pubkey",
    pubkey: "__PUBKEY_PATH__",
    priority: 100,
    enabled: yes
}
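Review bot: the sed line in the header comment substitutes only __PKG_URL__, so the clawdie.conf it produces still contains `pubkey: "__PUBKEY_PATH__"` and pkg(8) will look for a key at that literal path and fail signature verification. Either add a second expression to the example (e.g. `-e "s#__PUBKEY_PATH__#<key path>#"`) or state explicitly that __PUBKEY_PATH__ must be replaced with the same path the `install -m 0444` line writes to. It would also help to say in the comment that `priority: 100` only makes pkg prefer this repo for packages it carries; anything not in the Clawdie repo still resolves from the stock FreeBSD repo unless that repo is disabled, which is what the "(or disabled)" remark is covering.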
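The client-side install step described in the template's header comment, written as an added POSIX sh example in the same verify-then-act style as the commit's scripts (not code from the commit itself). It assumes a constructed inline copy of the template, a key path under /usr/local/etc/pkg/keys/ chosen for the example, and a PREFIX argument so it can be exercised against a scratch directory; it substitutes both placeholders and refuses to install a config in which any placeholder survives.

```shell
#!/bin/sh
# Render clawdie-repo.conf.in for one client and install the repo public key.
# Added example, not part of the commit. Assumptions: the template text below
# (a constructed copy of the committed file), the key path, and the PREFIX arg.
set -u

# Constructed inline copy of the template so the example runs stand-alone.
TEMPLATE='clawdie: {
    url: "__PKG_URL__",
    mirror_type: "none",
    signature_type: "pubkey",
    pubkey: "__PUBKEY_PATH__",
    priority: 100,
    enabled: yes
}'

# render_repo_conf URL PUBKEY_SRC PREFIX
# Writes PREFIX/usr/local/etc/pkg/repos/clawdie.conf and installs PUBKEY_SRC
# as PREFIX/usr/local/etc/pkg/keys/clawdie-pkg.pub (0444). Returns 1 if the
# key is missing, the URL is not https, or a placeholder survives
# substitution, so a half-rendered config never reaches pkg(8).
render_repo_conf() {
    url=$1 key_src=$2 prefix=$3
    [ -f "$key_src" ] || { echo "missing public key: $key_src" >&2; return 1; }
    case $url in
        https://*) ;;
        *) echo "refusing non-https repo URL: $url" >&2; return 1 ;;
    esac
    pubkey_path=/usr/local/etc/pkg/keys/clawdie-pkg.pub   # assumed key location
    repos_dir=$prefix/usr/local/etc/pkg/repos
    mkdir -p "$repos_dir" "$prefix$(dirname "$pubkey_path")"
    # Substitute BOTH placeholders; '#' is the sed delimiter because URLs contain '/'.
    printf '%s\n' "$TEMPLATE" \
        | sed -e "s#__PKG_URL__#$url#" -e "s#__PUBKEY_PATH__#$pubkey_path#" \
        > "$repos_dir/clawdie.conf"
    # Verify: no __PLACEHOLDER__ may remain, otherwise pkg would trust nothing.
    if grep -q '__[A-Z_]*__' "$repos_dir/clawdie.conf"; then
        echo "unsubstituted placeholder left in clawdie.conf" >&2
        rm -f "$repos_dir/clawdie.conf"
        return 1
    fi
    install -m 0444 "$key_src" "$prefix$pubkey_path"
}
```

Run as `render_repo_conf https://pkg.clawdie.si/ ./clawdie-pkg.pub /` on a real client (PREFIX `/`), or with a scratch PREFIX to inspect the rendered file first.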