build-tails

#!/bin/sh

set -e
set -x

if [ -n "${TAILS_PROXY:-}" ]; then
	export http_proxy="${TAILS_PROXY}"
fi

as_root_do() {
	sudo \
		${RSYNC_PROXY:+RSYNC_PROXY="${RSYNC_PROXY}"} \
		${http_proxy:+http_proxy="${http_proxy}"} \
		${https_proxy:+https_proxy="${https_proxy}"} \
		${ftp_proxy:+ftp_proxy="${ftp_proxy}"} \
		${no_proxy:+no_proxy="${no_proxy}"} \
		${MKSQUASHFS_OPTIONS:+MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS}"} \
                ${TAILS_MERGE_BASE_BRANCH:+TAILS_MERGE_BASE_BRANCH="${TAILS_MERGE_BASE_BRANCH}"} \
		${GIT_COMMIT:+GIT_COMMIT="${GIT_COMMIT}"} \
		${GIT_REF:+GIT_REF="${GIT_REF}"} \
		${BASE_BRANCH_GIT_COMMIT:+BASE_BRANCH_GIT_COMMIT="${BASE_BRANCH_GIT_COMMIT}"} \
		"${@}"
}

cleanup() {
	[ -n "${BUILD_DIR}" ] || return 0
	cd /
	remove_build_dirs
	sudo rm -rf "${BUILD_DIR}"
}

remove_build_dirs() {
	for mountpoint in $(old_build_dirs | tac) ; do
		tries=0
		sudo lsof | grep --fixed-strings "${mountpoint}" || true
		while ! sudo umount -f --verbose "${mountpoint}" && [ $tries -lt 12 ]; do
			sudo fuser --ismountpoint --mount "${mountpoint}" --kill || true
			sleep 5
			tries=$(expr $tries + 1)
		done
		sudo rm -rf "${mountpoint}"
	done
}

old_build_dirs() {
	mount | \
	perl -ni -E 'say $mountpoint if (($mountpoint) = ($_ =~ m{^(?:aufs|tmpfs|devpts-live|proc-live|sysfs-live) on (/tmp/tails-build(?:-tmpfs)?\.[/[:alnum:]]+)}))'
}

ntp_synchronized() {
	timedatectl status | grep -qs -E '^\s*NTP\s+synchronized:\s+yes$'
}

if [ "${TAILS_BUILD_FAILURE_RESCUE}" != 1 ]; then
	trap cleanup EXIT
	remove_build_dirs
fi

TAILS_GIT_DIR="/home/vagrant/amnesia"
if [ ! -d "${TAILS_GIT_DIR}" ]; then
    git clone /amnesia.git/.git "${TAILS_GIT_DIR}"
fi
cd "${TAILS_GIT_DIR}"
# Mirror the branches amnesia.git tracks on its "origin" remote as if
# they were on our own "origin" remote, (i.e. under the origin/$REF
# name), even if it's untrue (our own "origin" is amnesia.git and has
# only one local ref, which is the branch we work on and that it has
# checked out as a local tracking branch). We need this for the base
# branch merge we do (if the 'mergebasebranch'/TAILS_MERGE_BASE_BRANCH
# option is set) later in auto/build.
git config remote.origin.fetch +refs/remotes/origin/*:refs/remotes/origin/*
git fetch --tags
git checkout --force "${GIT_REF}"
git reset --hard "${GIT_COMMIT}"
git submodule update --init

if as_root_do systemctl --quiet is-active apt-cacher-ng.service ; then
	as_root_do ./auto/scripts/update-acng-config
	as_root_do systemctl restart apt-cacher-ng.service
fi

if [ "${TAILS_OFFLINE_MODE}" != 1 ]; then
	as_root_do timedatectl set-ntp true
	echo -n "Waiting for the time to be synchronized..."
	while ! ntp_synchronized; do
		sleep 1
		echo -n "."
	done
	echo " done."
fi
if [ -n "$TAILS_DATE_OFFSET" ]; then
	as_root_do timedatectl set-ntp false
	DESIRED_DATE=$(date --utc --date="${TAILS_DATE_OFFSET} days" '+%F %T')
	echo "Setting system time to ${DESIRED_DATE}"
	as_root_do timedatectl set-time "$DESIRED_DATE"
fi

if [ "${TAILS_PROXY_TYPE}" = "vmproxy" ]; then
    # The apt-cacher-ng cache disk is 15G, so let's ensure at most 10G
    # of it is used there is 5G before each build, which should be
    # enough for any build, even if we have to download a complete set
    # of new packages for a new Debian release.
    /usr/lib/apt-cacher-ng/acngtool shrink 10G -f || \
        echo "The clean-up of apt-cacher-ng's cache failed: this is" \
             "not fatal and most likely just means that some disk" \
             "space could not be reclaimed -- in order to fix that" \
             "situation you need to manually investigate " \
             "/var/cache/apt-cacher-ng/apt-cacher-ng-log/main_*.html" >&2
fi

BUILD_DIR=$(mktemp -d /tmp/tails-build.XXXXXXXX)
if [ "${TAILS_RAM_BUILD}" ]; then
	as_root_do mount -t tmpfs -o "noatime,size=100%,mode=0770,uid=root,gid=${USER}" tmpfs "${BUILD_DIR}"
fi
as_root_do rsync -a "${TAILS_GIT_DIR}"/ "${BUILD_DIR}"/

cd "${BUILD_DIR}"
as_root_do lb config --cache false

as_root_do lb build

mv -f tails-* "${TAILS_GIT_DIR}/"