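# RPM spec for GNU Guix (daemon, CLI, Guile modules, SELinux policy,
# shell completions).  Macros inside '#' comments are escaped as '%%'
# because rpmbuild expands macros in comments otherwise.

# defining macros needed by SELinux
%global with_selinux 1
%global selinuxtype targeted
%global modulename guix-daemon
%global selinux_policy_dir %{_datadir}/selinux/packages

# Group owning /gnu/store; created from Source1 (guix.sysusers) in %%pre
%global guix_builder_group guixbuild

# Guile module/ccache directories, resolved at spec-parse time via
# pkg-config (needs pkgconfig(guile-3.0) from BuildRequires)
%global guile_site_dir %(pkg-config --variable sitedir guile-3.0)
%global guile_ccache_dir %(pkg-config --variable siteccachedir guile-3.0)

# Build with guile-ssh support unless --without ssh is given
%bcond_without ssh

Name:           guix
Version:        1.4.0
Release:        5%{?dist}
Summary:        GNU Package manager

License:        GPL-3.0-or-later
URL:            http://www.gnu.org/software/guix/
Source0:        https://ftp.gnu.org/gnu/guix/%{name}-%{version}.tar.gz
Source1:        guix.sysusers
Source2:        guix.sh

# Protect against CVE-2024-27297
# https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
Patch0:         guix-CVE-2024-27297-1.patch
Patch1:         guix-CVE-2024-27297-2.patch
# Backport changes to the selinux policy since 1.4.0 release
Patch11:        guix-selinux-1.patch
Patch12:        guix-selinux-2.patch
Patch13:        guix-selinux-3.patch
Patch14:        guix-selinux-4.patch
# Try to fix the selinux policy:
# Remove guix-daemon in store from context
# Add /usr/bin/guix and /usr/libexec/guile
# Allow systemd-userdb and sssd
Patch15:        guix-selinux-5.patch
Patch16:        guix-selinux-6.patch

BuildRequires:  gcc, gcc-c++, make, texinfo, gettext, help2man, po4a
BuildRequires:  glibc-langpack-en
# BuildRequires: autoconf, automake,
BuildRequires:  pkgconfig(guile-3.0), guile30 >= 3.0.3
BuildRequires:  guile-sqlite3 >= 0.1.0, guile-json >= 4.3.0, guile-gcrypt >= 0.2.0
BuildRequires:  guile-git >= 0.5.0, guile-zlib >= 0.1.0
BuildRequires:  guile-gnutls, guile-lzlib, guile-avahi
# Optional packages
BuildRequires:  guile-lib, guile-zstd, guile-semver
BuildRequires:  git, gzip, bzip2, xz
BuildRequires:  pkgconfig(libgcrypt), pkgconfig(sqlite3)
BuildRequires:  systemd-rpm-macros
%{?sysusers_requires_compat}
%if %{with ssh}
BuildRequires:  guile-ssh >= 0.13.0
%endif

Requires:       guile30 >= 3.0.3
Requires:       guile-sqlite3 >= 0.1.0, guile-json >= 4.3.0, guile-gcrypt >= 0.2.0
Requires:       guile-git >= 0.5.0, guile-zlib >= 0.1.0
Requires:       guile-gnutls, guile-lzlib, guile-avahi
Requires:       guile-lib, guile-zstd, guile-semver
Requires:       bzip2, gzip, zlib, xz, sqlite3, libgcrypt, git
Requires:       disarchive, guile-bzip2, guile-lzma
%if 0%{?with_selinux}
# https://fedoraproject.org/wiki/SELinux/IndependentPolicy
# This ensures that the *-selinux package and all its dependencies are not pulled
# into containers and other systems that do not use SELinux
Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
%if %{with ssh}
Requires:       guile-ssh >= 0.13.0
%endif

# Only libexecdir is necessary, but add both
Provides:       %{_libexecdir}/guix/guile
Provides:       %{_bindir}/guix-daemon

%if 0%{?with_selinux}
%package selinux
Summary:        SELinux policy module for %{name}
BuildRequires:  selinux-policy
Requires(post): guix = %{version}-%{release}
BuildArch:      noarch
%{?selinux_requires}

%description selinux
This package contains the SELinux policy module for %{name}.
%endif

%package bash-completion
Summary:        Bash completion for %{name}
Requires:       %{name} = %{version}-%{release}
Requires:       bash-completion
Supplements:    (%{name} and bash-completion)

%description bash-completion
Bash command line completion support for %{name}.

%package zsh-completion
Summary:        Zsh completion for %{name}
Requires:       %{name} = %{version}-%{release}
Requires:       zsh
Supplements:    (%{name} and zsh)

%description zsh-completion
Zsh command line completion support for %{name}.

%package fish-completion
Summary:        Fish completion for %{name}
Requires:       %{name} = %{version}-%{release}
Requires:       fish
Supplements:    (%{name} and fish)

%description fish-completion
Fish command line completion support for %{name}.

%description
# Based on the description in nixpkgs
GNU Guix is a purely functional package manager for the GNU system, and a
distribution thereof.

In addition to standard package management features, Guix supports
transactional upgrades and roll-backs, unprivileged package management,
per-user profiles, and garbage collection.

It provides Guile Scheme APIs, including high-level embedded domain-specific
languages (EDSLs), to describe how packages are built and composed.

A user-land free software distribution for GNU/Linux comes as part of Guix.

Guix is based on the Nix package manager.

%prep
%autosetup -p1

%build
%configure \
  --with-bash-completion-dir=%{bash_completions_dir} \
  --with-zsh-completion-dir=%{zsh_completions_dir} \
  --with-fish-completion-dir=%{fish_completions_dir} \
  --with-selinux-policy-dir=%{selinux_policy_dir}
%make_build

%install
# Patch services to refer to bindir
sed -i 's|%{_localstatedir}/guix/profiles/per-user/root/current-guix/bin/|%{_bindir}/|' etc/guix-daemon.service etc/guix-publish.service etc/guix-gc.service
# https://bugs.debian.org/1012536
sed -i 's|Environment=.*|Environment=LC_ALL=C.UTF-8|' etc/guix-daemon.service etc/guix-publish.service
# Replace syslog with journal
# https://issues.guix.gnu.org/48323
sed -i 's|syslog|journal|g' etc/guix-daemon.service etc/guix-publish.service
%make_install systemdservicedir=%{_unitdir}
install etc/guix-gc.timer %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{_sysconfdir}/guix
mkdir -p %{buildroot}%{_localstatedir}/guix
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/guix.conf
install -p -D %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/guix.sh
# manually create the store here at /gnu/store
install -d -m 0755 %{buildroot}/gnu
install -d -m 0755 %{buildroot}/gnu/store
%find_lang %{name}
%find_lang %{name}-packages

%check
# %%{__make} %%{?_smp_mflags} check

%pre
%sysusers_create_compat %{SOURCE1}

%post
%systemd_post guix-daemon.service guix-publish.service
# Authorize keys of the guix substitute servers to enable binary substitutes.
# This trusts the shipped substitute servers (see %%files, %%{_datadir}/guix)
# to supply pre-built binaries for this host; it runs only on first install
# ($1 == 1), so keys an administrator later revokes with
# 'guix archive' are not re-added by upgrades.
if [ "$1" -eq 1 ]; then
  for key in %{_datadir}/guix/*.pub; do
    guix archive --authorize < "$key"
  done
fi

%preun
%systemd_preun guix-daemon.service guix-publish.service

%postun
%systemd_postun_with_restart guix-daemon.service guix-publish.service

%if 0%{?with_selinux}
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{selinux_policy_dir}/guix-daemon.cil
%selinux_relabel_post -s %{selinuxtype}
if [ "$1" -le "1" ]; then
  # First install
  # the daemon needs to be restarted for the custom label to be applied
  %systemd_postun_with_restart %{modulename}.service
fi

%postun selinux
if [ "$1" -eq 0 ]; then
  %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
  %selinux_relabel_post -s %{selinuxtype}
fi
%endif

%files -f %{name}.lang -f %{name}-packages.lang
%license COPYING
%doc AUTHORS ChangeLog CODE-OF-CONDUCT NEWS README ROADMAP THANKS TODO
%{_bindir}/guix
%{_bindir}/guix-daemon
%dir %{_libexecdir}/guix
%{_libexecdir}/guix/guile
%{_sysusersdir}/guix.conf
%{_sysconfdir}/profile.d/guix.sh
# Exclude non-systemd services
%exclude %{_sysconfdir}/init.d/guix-daemon
%exclude %{_sysconfdir}/openrc/guix-daemon
%exclude %{_libdir}/upstart/system/guix-daemon.conf
%exclude %{_libdir}/upstart/system/guix-publish.conf
%{_unitdir}/gnu-store.mount
%{_unitdir}/guix-daemon.service
%{_unitdir}/guix-publish.service
%{_unitdir}/guix-gc.timer
%{_unitdir}/guix-gc.service
# Guile modules
%{guile_site_dir}/guix.scm
%{guile_ccache_dir}/guix.go
%{guile_site_dir}/guix/
%{guile_ccache_dir}/guix/
%{guile_site_dir}/gnu.scm
%{guile_ccache_dir}/gnu.go
%{guile_site_dir}/gnu/
%{guile_ccache_dir}/gnu/
# Substitute server public keys (authorized in %%post on first install)
%dir %{_datadir}/guix
%{_datadir}/guix/bordeaux.guix.gnu.org.pub
%{_datadir}/guix/ci.guix.gnu.org.pub
# Same as ci.guix.gnu.org.pub
%exclude %{_datadir}/guix/berlin.guix.gnu.org.pub
%exclude %{_datadir}/guix/ci.guix.info.pub
# localstatedir and sysconfdir
%dir %{_localstatedir}/guix
# %%dir %%{_localstatedir}/log/guix
%dir %{_sysconfdir}/guix
# The store directory.  /gnu/store is group-writable for the build users'
# group and carries the sticky bit, as the Guix manual prescribes, so one
# build user cannot remove entries owned by another.
%attr(755,root,root) %dir /gnu
%attr(1775,root,%{guix_builder_group}) %dir /gnu/store
# man and info files
%{_mandir}/man1/guix*
%{_infodir}/%{name}*
%{_infodir}/images/*
%exclude %{_infodir}/dir

%if 0%{?with_selinux}
%files selinux
%{selinux_policy_dir}/guix-daemon.cil
%else
%exclude %{selinux_policy_dir}/guix-daemon.cil
%endif

# Shell completions
%files bash-completion
%{bash_completions_dir}/%{name}
%{bash_completions_dir}/%{name}-daemon

%files zsh-completion
%{zsh_completions_dir}/_%{name}

%files fish-completion
%{fish_completions_dir}/%{name}.fish

%changelog
%autochangelog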