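# Packages the fedora-setup-scripts host bits: one systemd service/timer pair
# and a set of locally written SELinux policy modules, compiled at build time
# and loaded into the policy store from the install scriptlet.

# No compiled binaries — suppress empty debugsource subpackage
%global debug_package %{nil}

# Allow SRPM generation on non-Fedora builders where selinux-policy macros are absent.
# These fallbacks expand to nothing, so a binary build made without the real
# macros would ship an uninstall scriptlet that removes no policy modules.
%{!?selinux_requires_min:%global selinux_requires_min %{nil}}
%{!?selinux_modules_install:%define selinux_modules_install() %{nil}}
%{!?selinux_modules_uninstall:%define selinux_modules_uninstall() %{nil}}

# SELinux module names (space-separated, no .pp extension)
# Keep this list in step with the explicit .pp list in the install scriptlet:
# the build and install sections ship every compiled module via a glob, but
# only the names listed by hand are loaded, and only the names here are removed.
%global selinux_modules \
    code_insiders_container \
    container-execmem \
    container-k3s-projected-volumes \
    container-var-lib-exec \
    iptables_ptmx \
    mcpserver \
    my-nmdispatcher \
    my-unnersh \
    sonarr_radarr_coreclr_exec

Name:           fedora-setup-scripts-host
Version:        0.1.0
Release:        2%{?dist}
Summary:        Fedora host setup — systemd units and SELinux policy modules
License:        MIT
URL:            https://github.com/mrcsdf/fedora-setup-scripts
Source0:        %{name}-%{version}.tar.gz
Source1:        %{name}.rpmlintrc

BuildRequires:  selinux-policy-devel
BuildRequires:  pkgconfig(systemd)
%selinux_requires_min

Requires:           systemd
Requires(post):     systemd
Requires(preun):    systemd
Requires(postun):   systemd

%description
Systemd timer units and SELinux policy modules for the fedora-setup-scripts
host configuration. Provides:
  - fss-monitoring-metrics-emitter.service + .timer
  - Compiled SELinux .pp modules for k3s, containers, monitoring, and tools

%prep
%autosetup
cp %{SOURCE1} .   # rpmlint overrides installed alongside the spec

%build
# Compile all .te policy sources using the standard SELinux devel Makefile.
# The Makefile creates .pp (and intermediates) in the policies/ directory;
# we move only the .pp files to selinux/build/ and clean up the rest.
make -f /usr/share/selinux/devel/Makefile -C selinux/policies
mkdir -p selinux/build
mv selinux/policies/*.pp selinux/build/
rm -rf selinux/policies/tmp selinux/policies/*.if selinux/policies/*.fc

%install
# ── Systemd units ─────────────────────────────────────────────────────────────
install -D -m 0644 systemd/fss-monitoring-metrics-emitter.service \
    %{buildroot}%{_unitdir}/fss-monitoring-metrics-emitter.service
# Render fss_repo_root Jinja2 template variable to its fixed install path
# NOTE(review): the rendered unit points at /opt/fedora-setup-scripts, which
# this package neither ships nor owns. What the unit runs from there, and as
# which user, is not visible in this spec; confirm the directory is root-owned
# and not writable by unprivileged users before the timer is enabled.
sed -i 's|{{ fss_repo_root }}|/opt/fedora-setup-scripts|g' \
    %{buildroot}%{_unitdir}/fss-monitoring-metrics-emitter.service
install -D -m 0644 systemd/fss-monitoring-metrics-emitter.timer \
    %{buildroot}%{_unitdir}/fss-monitoring-metrics-emitter.timer

# ── SELinux policy modules ─────────────────────────────────────────────────────
install -d %{buildroot}%{_datadir}/selinux/packages/%{name}
for pp in selinux/build/*.pp; do
    install -m 0644 "${pp}" %{buildroot}%{_datadir}/selinux/packages/%{name}/
done

# ── Config defaults dir ────────────────────────────────────────────────────────
install -d %{buildroot}%{_sysconfdir}/fedora-setup-scripts

%post
%systemd_post fss-monitoring-metrics-emitter.service fss-monitoring-metrics-emitter.timer
# Use inline shell rather than %%selinux_modules_install: that macro expands
# incorrectly when its argument list spans multiple lines, placing the .pp
# paths outside the if-block so semodule is called with no files.
if [ -e /etc/selinux/config ]; then
    . /etc/selinux/config
fi
# Pin the policy type instead of deriving it from SELINUXTYPE. With
# _policytype taken from SELINUXTYPE the comparison below was true for any
# configured policy type, so the guard only tested "SELINUXTYPE is set" and
# the modules were pushed into whatever store the host uses. The stock
# install/uninstall macros default to "targeted"; matching that keeps install
# and removal keyed on the same store.
_policytype="targeted"
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then
    # Path is quoted so the value can never word-split inside rm -rf.
    rm -rf "/var/lib/selinux/${_policytype}/active/modules/400/extra_varrun" || :
    # Every step ends in "|| :" so a policy failure never aborts the RPM
    # transaction. The cost is that a failed module load is silent; check
    # "semodule -l" after install if confinement looks wrong.
    semodule -n -s "${_policytype}" -X 200 -i \
        %{_datadir}/selinux/packages/%{name}/code_insiders_container.pp \
        %{_datadir}/selinux/packages/%{name}/container-execmem.pp \
        %{_datadir}/selinux/packages/%{name}/container-k3s-projected-volumes.pp \
        %{_datadir}/selinux/packages/%{name}/container-var-lib-exec.pp \
        %{_datadir}/selinux/packages/%{name}/iptables_ptmx.pp \
        %{_datadir}/selinux/packages/%{name}/mcpserver.pp \
        %{_datadir}/selinux/packages/%{name}/my-nmdispatcher.pp \
        %{_datadir}/selinux/packages/%{name}/my-unnersh.pp \
        %{_datadir}/selinux/packages/%{name}/sonarr_radarr_coreclr_exec.pp || :
    # semodule ran with -n (no reload); load the rebuilt policy only when
    # SELinux is actually enabled on this host.
    selinuxenabled && load_policy || :
    %{_libexecdir}/selinux/varrun-convert.sh "${_policytype}" || :
fi

%preun
%systemd_preun fss-monitoring-metrics-emitter.service fss-monitoring-metrics-emitter.timer
# NOTE(review): this still goes through the uninstall macro with a module list
# that is defined across several lines. If it mis-expands the way the install
# macro did, semodule -r would run with no names and the allow rules from these
# modules would stay loaded after the package is removed. Confirm with
# "rpm -q --scripts" on the built package that the names land on the semodule
# line.
%selinux_modules_uninstall %{selinux_modules}

%postun
%systemd_postun_with_restart fss-monitoring-metrics-emitter.service

%files
%license LICENSE
%doc README.md
%{_unitdir}/fss-monitoring-metrics-emitter.service
%{_unitdir}/fss-monitoring-metrics-emitter.timer
%{_datadir}/selinux/packages/%{name}/
%dir %{_sysconfdir}/fedora-setup-scripts

%changelog
* Wed Apr 23 2026 mrcsdf - 0.1.0-2
- Fix %%post SELinux scriptlet: replace %%selinux_modules_install macro
  (broken with multi-line args) with inline shell; semodule was called with
  no files

* Tue Apr 21 2026 mrcsdf - 0.1.0-1
- Initial packaging of systemd units and SELinux policy modules
- %%build uses SELinux devel Makefile; %%post/%%preun use
  %%selinux_modules_install/uninstall macros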