artixpkg: fix parallel agent setting on config

.github/workflows/lint.yaml

@@ -0,0 +1,28 @@
+name: Artools shellcheck
+run-name: ${{ gitea.actor }}
+on:
+  push:
+    branches:
+      - artools/0.32.x
+      - master
+    tags:
+      - 0.*
+  pull_request:
+    types: [opened, reopened]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@main
+      - name: build artools
+        run: make
+      - name: shellcheck artools
+        uses: ludeeus/action-shellcheck@master
+        env:
+          SHELLCHECK_OPTS: -x -e SC2034
+        with:
+          scandir: './build/bin'
+          format: tty
+

.gitignore

@@ -12,3 +12,5 @@ PKGBUILD
 contrib/artixlinux
 build/
 tmp/
+checks/
+check.sh

Makefile

@@ -1,6 +1,6 @@
 SHELL=/bin/bash
 
-V=0.31
+V=0.32
 BUILDTOOLVER ?= $(V)
 
 CHROOTVER=0.12
@@ -32,7 +32,6 @@ MAKEPKG_CONFIGS=$(wildcard config/makepkg/*)
 PACMAN_CONFIGS=$(wildcard config/pacman/*)
 SETARCH_ALIASES = $(wildcard config/setarch-aliases.d/*)
 
-TOOLS_CONFIGS_BASE=$(wildcard config/conf/*base*)
 TOOLS_CONFIGS_PKG=$(wildcard config/conf/*pkg*)
 TOOLS_CONFIGS_ISO=$(wildcard config/conf/*iso*)
 
@@ -73,7 +72,6 @@ $(eval $(call buildInScript,build/lib,src/lib/,,644))
 conf_base:
 	@install -d $(BUILDDIR)/pacman.conf.d $(BUILDDIR)/artools
 	@cp -a $(PACMAN_CONFIGS) $(BUILDDIR)/pacman.conf.d
-	@cp -a $(TOOLS_CONFIGS_BASE) $(BUILDDIR)/artools
 
 conf_pkg:
 	@install -d $(BUILDDIR)/makepkg.conf.d $(BUILDDIR)/artools
@@ -95,8 +93,6 @@ install_base: binprogs_base
 	install -dm0755 $(DESTDIR)$(LIBDIR)
 	cp -ra $(BUILDDIR)/lib/base $(DESTDIR)$(LIBDIR)
 
-	for conf in $(notdir $(TOOLS_CONFIGS_BASE)); do install -Dm0644 $(BUILDDIR)/$(TOOLS)/$$conf $(DESTDIR)$(SYSCONFDIR)/$(TOOLS)/$${conf##*/}; done
-
 	for conf in $(notdir $(PACMAN_CONFIGS)); do install -Dm0644 $(BUILDDIR)/pacman.conf.d/$$conf $(DESTDIR)$(DATADIR)/pacman.conf.d/$${conf##*/}; done
 
 install_pkg: binprogs_pkg

README.md

@@ -45,21 +45,22 @@ artools
   * libisoburn
   * mtools
   * squashfs-tools
+  * go-yq
 
 
 #### Configuration
 
-artools-{base,pkg,iso}.conf are the configuration files for artools.
+artools-{pkg,iso}.conf are the configuration files for artools.
 By default, the config files are installed in
 
 ```bash
-/etc/artools/artools-{base,pkg,iso}.conf
+/etc/artools/artools-{pkg,iso}.conf
 ```
 
-A user artools-{base,pkg,iso}.conf can be placed in
+A user artools-{pkg,iso}.conf can be placed in
 
 ```bash
-$HOME/.config/artools/artools-{base,pkg,iso}.conf
+$HOME/.config/artools/artools-{pkg,iso}.conf
 ```
 
 If the userconfig is present, artools will load the userconfig values, however, if variables have been set in the systemwide
@@ -68,8 +69,8 @@ These values take precedence over the userconfig.
 Best practise is to leave systemwide file untouched.
 By default it is commented and shows just initialization values done in code.
 
-Tools configuration is done in artools-{base,pkg,iso}.conf or by args.
+Tools configuration is done in artools-{pkg,iso}.conf or by args.
-Specifying args will override artools-{base,pkg,iso}.conf settings.
+Specifying args will override artools-{pkg,iso}.conf settings.
 
 Both, pacman.conf and makepkg.conf for chroots are loaded from
 

config/conf/artools-base.conf

@@ -1,20 +0,0 @@
-#!/hint/bash
-# shellcheck disable=2034
-
-#############################################
-################ artools-base ###############
-#############################################
-
-# build dir where buildpkg or buildiso chroots are created
-# CHROOTS_DIR=/var/lib/artools
-
-# the workspace directory
-# WORKSPACE_DIR="${USER_HOME}/artools-workspace"
-
-# the arch to build
-# ARCH=$(uname -m)
-
-# default pacman.conf repos to include
-# possible buildpkg values: {system,world,galaxy,lib32}{-gremlins,-goblins}
-# possible buildiso values: {world,galaxy}{-gremlins,-goblins}
-# REPO="world"

config/conf/artools-iso.conf

@@ -5,20 +5,33 @@
 ################ artools-iso ################
 #############################################
 
-# the iso storage directory
+# default chroots dir where buildiso chroots are created
+# CHROOTS_DIR=/var/lib/artools
+
+# default workspace directory
+# WORKSPACE_DIR="${USER_HOME}/artools-workspace"
+
+# default arch to build
+# ARCH=$(uname -m)
+
+# default pacman.conf repos to include
+# possible values: {world,galaxy}{-gremlins,-goblins}
+# REPO="world"
+
+# default iso storage directory
 # ISO_POOL="${WORKSPACE_DIR}/iso"
 
-# the dist release; default: auto
+# default dist release; default: auto
 # ISO_VERSION=$(date +%Y%m%d)
 
-# possible values: openrc, runit, s6, suite66, dinit
+# default init system, possible values: openrc, runit, s6, suite66, dinit
 # INITSYS="openrc"
 
 # gpg key; leave empty or commented to skip img signing
 # GPG_KEY=""
 
-# possible values: zstd (default), xz
+# default compression, possible values: zstd (default), xz
 # COMPRESSION="zstd"
 
-# zstd only: range 1..22
+# default compression level, zstd only: range 1..22
 # COMPRESSION_LEVEL=15

config/conf/artools-pkg.conf

@@ -5,9 +5,23 @@
 ################ artools-pkg ################
 #############################################
 
-# gitea user access token for buildtree
+# default chroots dir where buildpkg chroots are created
+# CHROOTS_DIR=/var/lib/artools
+
+# default workspace directory
+# WORKSPACE_DIR="${USER_HOME}/artools-workspace"
+
+# default arch to build
+# ARCH=$(uname -m)
+
+# default pacman.conf repos to include
+# possible values: {system,world,galaxy,lib32}{-gremlins,-goblins}
+# REPO="world"
+
+# gitea user access token for gitea api
 # GIT_TOKEN=''
 
+# default workspace dir for artixpkg
 # TREE_DIR_ARTIX=${WORKSPACE_DIR}/artixlinux
 
 # default repos root for deploypkg

config/makepkg/x86_64.conf

@@ -44,7 +44,8 @@ CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
         -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \
         -fstack-clash-protection -fcf-protection"
 CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
-LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \
+         -Wl,-z,pack-relative-relocs"
 LTOFLAGS="-flto=auto"
 RUSTFLAGS=""
 #-- Make Flags: change this for DistCC/SMP systems

contrib/iso/profile.conf.example

@@ -0,0 +1,17 @@
+################ install ################
+
+# start services
+# bluetoothd, cupsd, DM are added to the pkglist dynamicly
+# metalog or syslog-ng is added to the pkglist dynamicly
+# connmand or NetworkManager is added to the pkglist dynamicly
+# only added if in array, these pkgs have no list entry
+
+SERVICES=('acpid' 'bluetoothd' 'cronie' 'cupsd' 'metalog' 'connmand')
+
+################# live-session #################
+
+# default value
+# PASSWORD="artix"
+
+# Set to false to disable autologin in the live session
+AUTOLOGIN="false"

src/base/artix-chroot.in

@@ -8,40 +8,81 @@ LIBDIR=${LIBDIR:-'@libdir@'}
 
 # shellcheck source=src/lib/base/message.sh
 source "${LIBDIR}"/base/message.sh
-# shellcheck source=src/lib/base/chroot.sh
-source "${LIBDIR}"/base/chroot.sh
 # shellcheck source=src/lib/base/mount.sh
 source "${LIBDIR}"/base/mount.sh
+# shellcheck source=src/lib/base/unshare-mount.sh
+source "${LIBDIR}"/base/unshare-mount.sh
+# shellcheck source=src/lib/base/chroot.sh
+source "${LIBDIR}"/base/chroot.sh
+
+
+artix-chroot() {
+    check_root "" "${BASH_SOURCE[0]}" "${orig_args[@]}"
+#     (( EUID == 0 )) || die 'This script must be run with root privileges'
+
+    [[ -d $chrootdir ]] || die "Can't create chroot on non-directory %s" "$chrootdir"
+
+    "$setup" "$chrootdir" || die "failed to setup chroot %s" "$chrootdir"
+    if (( ! keepresolvconf )); then
+        chroot_add_resolv_conf "$chrootdir" || die "failed to setup resolv.conf"
+    fi
+
+    if ! mountpoint -q "$chrootdir"; then
+        warning "$chrootdir is not a mountpoint. This may have undesirable side effects."
+    fi
+
+    chroot_args=()
+    [[ $userspec ]] && chroot_args+=(--userspec "$userspec")
+
+    SHELL=/bin/bash $pid_unshare chroot "${chroot_args[@]}" -- "$chrootdir" "${args[@]}"
+}
 
 usage() {
-    printf 'usage: %s chroot-dir [command]\n' "${0##*/}"
+    cat <<EOF
-    printf '    -h             Print this help message\n'
+usage: ${0##*/} chroot-dir [command] [arguments...]
-    printf '\n'
+
-    printf "    If 'command' is unspecified, %s will launch /bin/sh.\n" "${0##*/}"
+    -h                  Print this help message
-    printf '\n'
+    -N                  Run in unshare mode as a regular user
-    printf '\n'
+    -u <user>[:group]   Specify non-root user and optional group to use
-    exit "$1"
+    -r                  Do not change the resolv.conf within the chroot
+
+If 'command' is unspecified, ${0##*/} will launch /bin/bash.
+
+Note that when using artix-chroot, the target chroot directory *should* be a
+mountpoint. This ensures that tools such as pacman(8) or findmnt(8) have an
+accurate hierarchy of the mounted filesystems within the chroot.
+
+If your chroot target is not a mountpoint, you can bind mount the directory on
+itself to make it a mountpoint, i.e. 'mount --bind /your/chroot /your/chroot'.
+
+EOF
 }
 
 orig_args=("$@")
 
-opts=':h'
+opts=':hNu:r'
 
 while getopts ${opts} arg; do
     case "${arg}" in
-        h|?) usage 0 ;;
+        h) usage; exit 0 ;;
+        N) unshare=1 ;;
+        u) userspec=$OPTARG ;;
+        r) keepresolvconf=1 ;;
+        :) die '%s: option requires an argument -- '\''%s'\' "${0##*/}" "$OPTARG" ;;
+        ?) die '%s: invalid option -- '\''%s'\' "${0##*/}" "$OPTARG" ;;
     esac
 done
-shift $(( OPTIND - 1 ))
 
-check_root "" "${BASH_SOURCE[0]}" "${orig_args[@]}"
+(( $# )) || die 'No chroot directory specified'
 
-chrootdir=$1
+chrootdir="$1"
 shift
 
-[[ -d ${chrootdir} ]] || die "Can't create chroot on non-directory %s" "${chrootdir}"
+args=("$@")
-
+if (( unshare )); then
-chroot_api_mount "${chrootdir}" || die "failed to setup API filesystems in chroot %s" "${chrootdir}"
+    setup=unshare_setup
-chroot_add_resolv_conf "${chrootdir}"
+    "$mount_unshare" bash -c "$(declare_all); artix-chroot"
-
+else
-SHELL=/bin/sh unshare --fork --pid chroot "${chrootdir}" "$@"
+    setup=chroot_setup
+    artix-chroot
+fi

src/base/basestrap.in

@@ -18,26 +18,50 @@ LIBDIR=${LIBDIR:-'@libdir@'}
 source "${LIBDIR}"/base/message.sh
 # shellcheck source=src/lib/base/mount.sh
 source "${LIBDIR}"/base/mount.sh
+# shellcheck source=src/lib/base/unshare-mount.sh
+source "${LIBDIR}"/base/unshare-mount.sh
 # shellcheck source=src/lib/base/chroot.sh
 source "${LIBDIR}"/base/chroot.sh
 
+
 #{{{ functions
 
-copy_mirrorlist(){
+basestrap() {
-    cp -a /etc/pacman.d/mirrorlist "$1/etc/pacman.d/"
+    check_root "" "${BASH_SOURCE[0]}" "${orig_args[@]}"
-}
+#     (( EUID == 0 )) || die 'This script must be run with root privileges'
 
-copy_keyring(){
+    # create obligatory directories
-    if [[ -d /etc/pacman.d/gnupg ]] && [[ ! -d $1/etc/pacman.d/gnupg ]]; then
+    msg "Creating install root at %s" "$newroot"
-        cp -a /etc/pacman.d/gnupg "$1/etc/pacman.d/"
+    install -d -m755 "$newroot"/var/{cache/pacman/pkg,lib/pacman,log}
+    install -d -m755 "$newroot"/{dev,run,etc/pacman.d}
+    install -d -m1777 "$newroot"/tmp
+    install -d -m555 "$newroot"/{sys,proc}
+
+    # mount API filesystems
+    "$setup" "$newroot" || die "failed to setup chroot %s" "$newroot"
+
+    if [[ ! -d $newroot/etc/pacman.d/gnupg ]]; then
+        if (( initkeyring )); then
+            pacman-key --gpgdir "$newroot"/etc/pacman.d/gnupg --init
+        elif (( copykeyring )) && [[ -d /etc/pacman.d/gnupg ]]; then
+            # if there's a keyring on the host, copy it into the new root
+            cp -a --no-preserve=ownership /etc/pacman.d/gnupg "$newroot/etc/pacman.d/"
+        fi
     fi
-}
 
-create_min_fs(){
+    msg 'Installing packages to %s' "$newroot"
-    msg "Creating install root at %s" "$1"
+    if ! $pid_unshare pacman -r "$newroot" "${pacman_args[@]}"; then
-    mkdir -m 0755 -p "$1"/var/{cache/pacman/pkg,lib/pacman,log} "$1"/{dev,run,etc/pacman.d}
+        die 'Failed to install packages to new root'
-    mkdir -m 1777 -p "$1"/tmp
+    fi
-    mkdir -m 0555 -p "$1"/{sys,proc}
+
+    if (( copymirrorlist )); then
+        # install the host's mirrorlist onto the new root
+        cp -a /etc/pacman.d/mirrorlist "$newroot/etc/pacman.d/"
+    fi
+
+    if (( copyconf )); then
+        cp -a "$pacman_config" "$newroot/etc/pacman.conf"
+    fi
 }
 
 #}}}
@@ -46,50 +70,69 @@ newroot=/mnt
 
 hostcache=0
 copykeyring=1
+initkeyring=0
 copymirrorlist=1
 pacmode=-Sy
+pacman_args=()
+unshare=0
+copyconf=0
+pacman_config=/etc/pacman.conf
 
 usage() {
-    printf "usage: %s [options] root [packages...]\n" "${0##*/}"
+  cat <<EOF
-    printf " -C <config>      Use an alternate config file for pacman\n"
+usage: ${0##*/} [options] root [packages...]
-    printf " -c               Use the package cache on the host, rather than the target\n"
+
-    printf " -G               Avoid copying the host's pacman keyring to the target\n"
+  Options:
-    printf " -i               Avoid auto-confirmation of package selections\n"
+    -C <config>    Use an alternate config file for pacman
-    printf " -M               Avoid copying the host's mirrorlist to the target\n"
+    -c             Use the package cache on the host, rather than the target
-    printf ' -U               Use pacman -U to install packages\n'
+    -D             Skip pacman dependency checks
-    printf " -h               Print this help message\n"
+    -G             Avoid copying the host's pacman keyring to the target
-    printf '\n'
+    -i             Prompt for package confirmation when needed (run interactively)
-    printf ' basestrap installs packages to the specified new root directory.\n'
+    -K             Initialize an empty pacman keyring in the target (implies '-G')
-    printf ' If no packages are given, basestrap defaults to the "base" group.\n'
+    -M             Avoid copying the host's mirrorlist to the target
-    printf '\n'
+    -N             Run in unshare mode as a regular user
-    printf '\n'
+    -P             Copy the host's pacman config to the target
-    exit "$1"
+    -U             Use pacman -U to install packages
+
+    -h             Print this help message
+
+basestrap installs packages to the specified new root directory. If no packages
+are given, basestrap defaults to the "base" group.
+
+EOF
 }
 
 orig_args=("$@")
 
-opts=':C:cGiMU'
+opts=':C:cDGiKMNPU'
 
 while getopts ${opts} arg; do
     case "${arg}" in
-        C) pacman_conf=$OPTARG ;;
+        C) pacman_config=$OPTARG ;;
+        D) pacman_args+=(-dd) ;;
         c) hostcache=1 ;;
         i) interactive=1 ;;
         G) copykeyring=0 ;;
+        K) initkeyring=1 ;;
         M) copymirrorlist=0 ;;
+        N) unshare=1 ;;
+        P) copyconf=1 ;;
         U) pacmode=-U ;;
-        h|?) usage 0 ;;
+        :) die '%s: option requires an argument -- '\''%s'\' "${0##*/}" "$OPTARG" ;;
+        ?) die '%s: invalid option -- '\''%s'\' "${0##*/}" "$OPTARG" ;;
     esac
 done
 shift $(( OPTIND - 1 ))
 
-check_root "" "${BASH_SOURCE[0]}" "${orig_args[@]}"
 
 (( $# )) || die "No root directory specified"
 newroot=$1; shift
-pacman_args=("${@:-base}")
 
-if (( ! hostcache ));then
+[[ -d $newroot ]] || die "%s is not a directory" "$newroot"
+
+pacman_args+=("$pacmode" "${@:-base}" --config="$pacman_config")
+
+if (( ! hostcache )); then
   pacman_args+=(--cachedir="$newroot/var/cache/pacman/pkg")
 fi
 
@@ -97,26 +140,10 @@ if (( ! interactive )); then
   pacman_args+=(--noconfirm)
 fi
 
-[[ -n $pacman_conf ]] && pacman_args+=(--config="$pacman_conf")
+if (( unshare )); then
-
+    setup=unshare_setup
-[[ -d $newroot ]] || die "%s is not a directory" "$newroot"
+    "$mount_unshare" bash -c "$(declare_all); basestrap"
-
+else
-# create obligatory directories
+    setup=chroot_setup
-create_min_fs "$newroot"
+    basestrap
-
-# mount API filesystems
-chroot_api_mount "$newroot" || die "failed to setup API filesystems in new root"
-
-if (( copykeyring ));then
-    copy_keyring "$newroot"
-fi
-
-msg2 'Installing packages to %s' "$newroot"
-if ! unshare --fork --pid pacman -r "$newroot" $pacmode "${pacman_args[@]}"; then
-    die 'Failed to install packages to new root'
-fi
-
-
-if (( copymirrorlist ));then
-    copy_mirrorlist "$newroot"
 fi

src/base/fstabgen.in

@@ -12,10 +12,12 @@ source "${LIBDIR}"/base/message.sh
 #{{{ filesystems
 
 declare -A pseudofs_types=([anon_inodefs]=1
+                        [apparmorfs]=1
                         [autofs]=1
                         [bdev]=1
-                        [bpf]=1
+                        [binder]=1
                         [binfmt_misc]=1
+                        [bpf]=1
                         [cgroup]=1
                         [cgroup2]=1
                         [configfs]=1
@@ -25,31 +27,55 @@ declare -A pseudofs_types=([anon_inodefs]=1
                         [devpts]=1
                         [devtmpfs]=1
                         [dlmfs]=1
+                        [dmabuf]=1
+                        [drm]=1
                         [efivarfs]=1
+                        [fuse]=1
+                        [fuse.archivemount]=1
+                        [fuse.avfsd]=1
+                        [fuse.dumpfs]=1
+                        [fuse.encfs]=1
                         [fuse.gvfs-fuse-daemon]=1
+                        [fuse.gvfsd-fuse]=1
+                        [fuse.lxcfs]=1
+                        [fuse.rofiles-fuse]=1
+                        [fuse.vmware-vmblock]=1
+                        [fuse.xwmfs]=1
                         [fusectl]=1
                         [hugetlbfs]=1
+                        [ipathfs]=1
                         [mqueue]=1
                         [nfsd]=1
                         [none]=1
+                        [nsfs]=1
+                        [overlay]=1
                         [pipefs]=1
                         [proc]=1
                         [pstore]=1
                         [ramfs]=1
+                        [resctrl]=1
                         [rootfs]=1
                         [rpc_pipefs]=1
                         [securityfs]=1
+                        [selinuxfs]=1
+                        [smackfs]=1
                         [sockfs]=1
                         [spufs]=1
                         [sysfs]=1
-                        [tmpfs]=1)
+                        [tmpfs]=1
+                        [tracefs]=1
+                        [vboxsf]=1
+                        [virtiofs]=1)
 
-declare -A fsck_types=([cramfs]=1
+declare -A fsck_types=([btrfs]=0    # btrfs doesn't need a regular fsck utility
+                    [cramfs]=1
+                    [erofs]=1
                     [exfat]=1
                     [ext2]=1
                     [ext3]=1
                     [ext4]=1
-                    [ext4dev]=1
+                    [f2fs]=1
+                    [fat]=1
                     [jfs]=1
                     [minix]=1
                     [msdos]=1
@@ -69,11 +95,15 @@ fstype_has_fsck() {
     (( fsck_types["$1"] ))
 }
 
+try_cast() (
+    _=$(( $1#$2 ))
+) 2>/dev/null
+
 valid_number_of_base() {
-    local base=$1 len=${#2} i
+    local base="$1" len=${#2} i
 
     for (( i = 0; i < len; i++ )); do
-        { _=$(( $base#${2:i:1} )) || return 1; } 2>/dev/null
+        try_cast "$base" "${2:i:1}" || return 1
     done
 
     return 0
@@ -81,7 +111,6 @@ valid_number_of_base() {
 
 mangle() {
     local i chr out
-
     local {a..f}= {A..F}=
 
     for (( i = 0; i < ${#1}; i++ )); do
@@ -100,7 +129,6 @@ mangle() {
 
 unmangle() {
     local i chr out len=$(( ${#1} - 4 ))
-
     local {a..f}= {A..F}=
 
     for (( i = 0; i < len; i++ )); do
@@ -127,7 +155,6 @@ dm_name_for_devnode() {
     else
         # don't leave the caller hanging, just print the original name
         # along with the failure.
-        print '%s' "$1"
         error 'Failed to resolve device mapper name for: %s' "$1"
     fi
 }
@@ -185,19 +212,11 @@ optstring_append_option() {
     optstring_normalize "$1"
 }
 
-optstring_prepend_option() {
-    if ! optstring_has_option "$1" "$2"; then
-        declare -g "$1=$2,${!1}"
-    fi
-
-    optstring_normalize "$1"
-}
-
 optstring_get_option() {
-    local opts o
+    local _opts o
 
-    IFS=, read -ra opts <<<"${!1}"
+    IFS=, read -ra _opts <<<"${!1}"
-    for o in "${opts[@]}"; do
+    for o in "${_opts[@]}"; do
         if optstring_match_option "$2" "$o"; then
             declare -g "$o"
             return 0
@@ -214,7 +233,7 @@ optstring_has_option() {
 }
 
 write_source() {
-    local src=$1 spec label uuid comment=()
+    local src="$1" spec label uuid comment=()
 
     label=$(lsblk -rno LABEL "$1" 2>/dev/null)
     uuid=$(lsblk -rno UUID "$1" 2>/dev/null)
@@ -242,7 +261,7 @@ write_source() {
         ;;
     esac
 
-    [[ -n "${comment[*]}" ]] && printf '# %s\n' "${comment[*]}"
+    [[ -n ${comment[*]} ]] && printf '# %s\n' "${comment[*]}"
 
     if [[ $spec ]]; then
         printf '%-20s' "$bytag=$(mangle "$spec")"
@@ -267,15 +286,27 @@ optstring_apply_quirks() {
     fi
 
     case $fstype in
+        btrfs)
+            # Having only one of subvol= and subvolid= is enough for mounting a btrfs subvolume
+            # And having subvolid= set prevents things like 'snapper rollback' to work, as it
+            # updates the subvolume in-place, leaving subvol= unchanged with a different subvolid.
+            if optstring_has_option "$varname" subvol; then
+                optstring_remove_option "$varname" subvolid
+            fi
+        ;;
         f2fs)
-            # These are Kconfig options for f2fs. Kernels supporting the options will
+            # These are build-time or runtime-unchangeable options for f2fs.
-            # only provide the negative versions of these (e.g. noacl), and vice versa
+            # The former means that kernels supporting the options will only
+            # provide the negative versions of these (e.g. noacl), and vice versa
             # for kernels without support.
-            optstring_remove_option "$varname" noacl,acl,nouser_xattr,user_xattr
+            # The latter means that the options can only be specified/changed
+            # during the initial mount but not remount.
+            optstring_remove_option "$varname" noacl,acl,nouser_xattr,user_xattr,atgc
         ;;
         vfat)
             # Before Linux v3.8, "cp" is prepended to the value of the codepage.
-            if optstring_get_option "$varname" codepage && [[ "$codepage" = cp* ]]; then
+            # shellcheck disable=SC2154
+            if optstring_get_option "$varname" codepage && [[ $codepage = cp* ]]; then
                 optstring_remove_option "$varname" codepage
                 optstring_append_option "$varname" "codepage=${codepage#cp}"
             fi
@@ -290,11 +321,12 @@ usage() {
 usage: ${0##*/} [options] root
 
   Options:
-    -f FILTER      Restrict output to mountpoints matching the prefix FILTER
+    -f <filter>    Restrict output to mountpoints matching the prefix FILTER
     -L             Use labels for source identifiers (shortcut for -t LABEL)
     -p             Exclude pseudofs mounts (default behavior)
-    -P             Include printing mounts
+    -P             Include pseudofs mounts
-    -t TAG         Use TAG for source identifiers
+    -t <tag>       Use TAG for source identifiers (TAG should be one of: LABEL,
+                      UUID, PARTLABEL, PARTUUID)
     -U             Use UUIDs for source identifiers (shortcut for -t UUID)
 
     -h             Print this help message
@@ -332,7 +364,6 @@ if ! mountpoint -q "$root"; then
 fi
 
 # handle block devices
-findmnt -Recvruno SOURCE,TARGET,FSTYPE,OPTIONS,FSROOT "$root" |
 while read -r src target fstype opts fsroot; do
     if (( !pseudofs )) && fstype_is_pseudofs "$fstype"; then
         continue
@@ -360,6 +391,7 @@ while read -r src target fstype opts fsroot; do
     if [[ $fsroot != / && $fstype != btrfs ]]; then
         # it's a bind mount
         src=$(findmnt -funcevo TARGET "$src")$fsroot
+        src="/${src#"$root"/}"
         if [[ $src -ef $target ]]; then
             # hrmm, this is weird. we're probably looking at a file or directory
             # that was bound into a chroot from the host machine. Ignore it,
@@ -393,7 +425,7 @@ while read -r src target fstype opts fsroot; do
     printf '\t%-10s' "/$(mangle "${target#/}")" "$fstype" "$opts"
     printf '\t%s %s' "$dump" "$pass"
     printf '\n\n'
-done
+done < <(findmnt -Recvruno SOURCE,TARGET,FSTYPE,OPTIONS,FSROOT "$root")
 
 # handle swaps devices
 {
@@ -409,6 +441,9 @@ done
         # skip files marked deleted by the kernel
         [[ $device = *'\040(deleted)' ]] && continue
 
+        # skip devices not part of the prefix
+        [[ $device = "$prefixfilter"* ]] || continue
+
         if [[ $type = file ]]; then
             printf '%-20s' "${device#"${root%/}"}"
         elif [[ $device = /dev/dm-+([0-9]) ]]; then

src/iso/buildiso.in

@@ -6,20 +6,16 @@ LIBDIR=${LIBDIR:-'@libdir@'}
 DATADIR=${DATADIR:-'@datadir@'}
 SYSCONFDIR=${SYSCONFDIR:-'@sysconfdir@/artools'}
 
-# shellcheck source=src/lib/base/util.sh
-source "${LIBDIR}"/base/util.sh
 # shellcheck source=src/lib/iso/util.sh
 source "${LIBDIR}"/iso/util.sh
 # shellcheck source=src/lib/base/message.sh
 source "${LIBDIR}"/base/message.sh
 # shellcheck source=src/lib/base/chroot.sh
 source "${LIBDIR}"/base/chroot.sh
-# shellcheck source=src/lib/base/mount.sh
+# shellcheck source=src/lib/iso/mount.sh
 source "${LIBDIR}"/iso/mount.sh
 # shellcheck source=src/lib/iso/services.sh
 source "${LIBDIR}"/iso/services.sh
-# shellcheck source=src/lib/base/yaml.sh
-source "${LIBDIR}"/base/yaml.sh
 # shellcheck source=src/lib/iso/calamares.sh
 source "${LIBDIR}"/iso/calamares.sh
 # shellcheck source=src/lib/iso/config.sh
@@ -92,6 +88,8 @@ make_rootfs() {
         msg "Prepare [Base installation] (rootfs)"
         local rootfs="${work_dir}/rootfs"
 
+        load_pkgs "${root_list}"
+
         prepare_dir "${rootfs}"
 
         basestrap "${basestrap_args[@]}" "${rootfs}" "${packages[@]}"
@@ -113,6 +111,8 @@ make_livefs() {
         msg "Prepare [Live installation] (livefs)"
         local livefs="${work_dir}/livefs"
 
+        load_pkgs "${live_list}"
+
         prepare_dir "${livefs}"
 
         mount_overlayfs "${livefs}" "${work_dir}"
@@ -137,6 +137,8 @@ make_bootfs() {
     if [[ ! -e ${work_dir}/bootfs.lock ]]; then
         msg "Prepare [/iso/boot]"
 
+        load_pkgs "${common_dir}/Packages-boot"
+
         prepare_dir "${iso_root}/boot"
 
         cp "${work_dir}"/rootfs/boot/vmlinuz* "${iso_root}"/boot/vmlinuz-"${arch}"
@@ -148,6 +150,7 @@ make_bootfs() {
         if "${use_dracut}"; then
             prepare_initramfs_dracut "${bootfs}"
         else
+            basestrap "${basestrap_args[@]}" "${bootfs}" "${packages[@]}"
             prepare_initramfs_mkinitcpio "${bootfs}"
         fi
 
@@ -262,10 +265,8 @@ mk_boot(){
 }
 
 mk_chroots(){
-    load_pkgs "${root_list}"
     run_safe "make_rootfs"
     if [[ -n ${live_list} ]]; then
-        load_pkgs "${live_list}"
         run_safe "make_livefs"
     fi
 }

src/lib/base/message.sh

@@ -81,7 +81,7 @@ trap_abort() {
 trap_exit() {
     local r=$?
     trap - EXIT INT QUIT TERM HUP
-    cleanup $r
+    cleanup "$r"
 }
 
 cleanup() {

src/lib/base/mount.sh

@@ -9,73 +9,39 @@ ignore_error() {
     return 0
 }
 
-trap_setup(){
+chroot_add_mount() {
-    [[ $(trap -p EXIT) ]] && die 'Error! Attempting to overwrite existing EXIT trap'
-    trap "$1" EXIT
-}
-
-chroot_mount() {
 #     msg2 "mount: [%s]" "$2"
     mount "$@" && CHROOT_ACTIVE_MOUNTS=("$2" "${CHROOT_ACTIVE_MOUNTS[@]}")
 }
 
-chroot_add_resolv_conf() {
+chroot_maybe_add_mount() {
-    local chrootdir=$1 resolv_conf=$1/etc/resolv.conf
-
-    [[ -e /etc/resolv.conf ]] || return 0
-
-    # Handle resolv.conf as a symlink to somewhere else.
-    if [[ -L $chrootdir/etc/resolv.conf ]]; then
-        # readlink(1) should always give us *something* since we know at this point
-        # it's a symlink. For simplicity, ignore the case of nested symlinks.
-        resolv_conf=$(readlink "$chrootdir/etc/resolv.conf")
-        if [[ $resolv_conf = /* ]]; then
-            resolv_conf=$chrootdir$resolv_conf
-        else
-            resolv_conf=$chrootdir/etc/$resolv_conf
-        fi
-
-        # ensure file exists to bind mount over
-        if [[ ! -f $resolv_conf ]]; then
-            install -Dm644 /dev/null "$resolv_conf" || return 1
-        fi
-    elif [[ ! -e $chrootdir/etc/resolv.conf ]]; then
-        # The chroot might not have a resolv.conf.
-        return 0
-    fi
-
-    chroot_mount /etc/resolv.conf "$resolv_conf" --bind
-}
-
-chroot_mount_conditional() {
     local cond=$1; shift
     if eval "$cond"; then
-        chroot_mount "$@"
+        chroot_add_mount "$@"
     fi
 }
 
 chroot_setup(){
     local mnt="$1"
     local tmpfs_opts="${2:-mode=1777,strictatime,nodev,nosuid}"
-    chroot_mount_conditional "! mountpoint -q '$mnt'" "$mnt" "$mnt" --bind &&
-    chroot_mount proc "$mnt/proc" -t proc -o nosuid,noexec,nodev &&
-    chroot_mount sys "$mnt/sys" -t sysfs -o nosuid,noexec,nodev,ro &&
-    ignore_error chroot_mount_conditional "[[ -d '$mnt/sys/firmware/efi/efivars' ]]" \
-        efivarfs "$mnt/sys/firmware/efi/efivars" -t efivarfs -o nosuid,noexec,nodev &&
-    chroot_mount udev "$mnt/dev" -t devtmpfs -o mode=0755,nosuid &&
-    chroot_mount devpts "$mnt/dev/pts" -t devpts -o mode=0620,gid=5,nosuid,noexec &&
-    chroot_mount shm "$mnt/dev/shm" -t tmpfs -o mode=1777,nosuid,nodev &&
-    chroot_mount /run "$mnt/run" -t tmpfs -o nosuid,nodev,mode=0755 &&
-    chroot_mount tmp "$mnt/tmp" -t tmpfs -o "${tmpfs_opts}"
-}
 
-chroot_api_mount() {
     CHROOT_ACTIVE_MOUNTS=()
-    trap_setup chroot_api_umount
+    [[ $(trap -p EXIT) ]] && die 'Error! Attempting to overwrite existing EXIT trap'
-    chroot_setup "$1" "$2"
+    trap 'chroot_teardown' EXIT
+
+    #chroot_maybe_add_mount "! mountpoint -q '$mnt'" "$mnt" "$mnt" --bind &&
+    chroot_add_mount proc "$mnt/proc" -t proc -o nosuid,noexec,nodev &&
+    chroot_add_mount sys "$mnt/sys" -t sysfs -o nosuid,noexec,nodev,ro &&
+    ignore_error chroot_maybe_add_mount "[[ -d '$mnt/sys/firmware/efi/efivars' ]]" \
+        efivarfs "$mnt/sys/firmware/efi/efivars" -t efivarfs -o nosuid,noexec,nodev &&
+    chroot_add_mount udev "$mnt/dev" -t devtmpfs -o mode=0755,nosuid &&
+    chroot_add_mount devpts "$mnt/dev/pts" -t devpts -o mode=0620,gid=5,nosuid,noexec &&
+    chroot_add_mount shm "$mnt/dev/shm" -t tmpfs -o mode=1777,nosuid,nodev &&
+    chroot_add_mount /run "$mnt/run" -t tmpfs -o nosuid,nodev,mode=0755 &&
+    chroot_add_mount tmp "$mnt/tmp" -t tmpfs -o "${tmpfs_opts}"
 }
 
-chroot_api_umount() {
+chroot_teardown() {
     if (( ${#CHROOT_ACTIVE_MOUNTS[@]} )); then
 #         msg2 "umount: [%s]" "${CHROOT_ACTIVE_MOUNTS[@]}"
         umount "${CHROOT_ACTIVE_MOUNTS[@]}"
@@ -83,4 +49,40 @@ chroot_api_umount() {
     unset CHROOT_ACTIVE_MOUNTS
 }
 
+resolve_link() {
+    local target=$1
+    local root=$2
+
+    # If a root was given, make sure it ends in a slash.
+    [[ -n $root && $root != */ ]] && root=$root/
+
+    while [[ -L $target ]]; do
+        target=$(readlink -m "$target")
+        # If a root was given, make sure the target is under it.
+        # Make sure to strip any leading slash from target first.
+        [[ -n $root && $target != $root* ]] && target=$root${target#/}
+    done
+
+    printf %s "$target"
+}
+
+chroot_add_resolv_conf() {
+    local chrootdir=$1
+    local src
+    local dest="$chrootdir/etc/resolv.conf"
+
+    src=$(resolve_link /etc/resolv.conf)
+
+    # If we don't have a source resolv.conf file, there's nothing useful we can do.
+    [[ -e $src ]] || return 0
+
+    if [[ ! -e "$dest" && ! -h "$dest" ]]; then
+            # There may be no resolv.conf in the chroot. In this case, we'll just exit.
+            # The chroot environment must not be concerned with DNS resolution.
+            return 0
+    fi
+
+    chroot_add_mount "$src" "$dest" -c --bind
+}
+
 #}}}

src/lib/base/unshare-mount.sh

@@ -0,0 +1,78 @@
+#!/hint/bash
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+#{{{ mount
+
+chroot_add_mount_lazy() {
+    mount "$@" && CHROOT_ACTIVE_LAZY=("$2" "${CHROOT_ACTIVE_LAZY[@]}")
+}
+
+chroot_bind_device() {
+    touch "$2" && CHROOT_ACTIVE_FILES=("$2" "${CHROOT_ACTIVE_FILES[@]}")
+    chroot_add_mount "$1" "$2" --bind
+}
+
+chroot_add_link() {
+    ln -sf "$1" "$2" && CHROOT_ACTIVE_FILES=("$2" "${CHROOT_ACTIVE_FILES[@]}")
+}
+
+unshare_setup() {
+    CHROOT_ACTIVE_MOUNTS=()
+    CHROOT_ACTIVE_LAZY=()
+    CHROOT_ACTIVE_FILES=()
+    [[ $(trap -p EXIT) ]] && die '(BUG): attempting to overwrite existing EXIT trap'
+    trap 'unshare_teardown' EXIT
+
+    chroot_add_mount_lazy "$1" "$1" --bind &&
+    chroot_add_mount proc "$1/proc" -t proc -o nosuid,noexec,nodev &&
+    chroot_add_mount_lazy /sys "$1/sys" --rbind &&
+    chroot_add_link /proc/self/fd "$1/dev/fd" &&
+    chroot_add_link /proc/self/fd/0 "$1/dev/stdin" &&
+    chroot_add_link /proc/self/fd/1 "$1/dev/stdout" &&
+    chroot_add_link /proc/self/fd/2 "$1/dev/stderr" &&
+    chroot_bind_device /dev/full "$1/dev/full" &&
+    chroot_bind_device /dev/null "$1/dev/null" &&
+    chroot_bind_device /dev/random "$1/dev/random" &&
+    chroot_bind_device /dev/tty "$1/dev/tty" &&
+    chroot_bind_device /dev/urandom "$1/dev/urandom" &&
+    chroot_bind_device /dev/zero "$1/dev/zero" &&
+    chroot_add_mount run "$1/run" -t tmpfs -o nosuid,nodev,mode=0755 &&
+    chroot_add_mount tmp "$1/tmp" -t tmpfs -o mode=1777,strictatime,nodev,nosuid
+}
+
+unshare_teardown() {
+    chroot_teardown
+
+    if (( ${#CHROOT_ACTIVE_LAZY[@]} )); then
+        umount --lazy "${CHROOT_ACTIVE_LAZY[@]}"
+    fi
+    unset CHROOT_ACTIVE_LAZY
+
+    if (( ${#CHROOT_ACTIVE_FILES[@]} )); then
+        rm "${CHROOT_ACTIVE_FILES[@]}"
+    fi
+    unset CHROOT_ACTIVE_FILES
+}
+
+pid_unshare="unshare --fork --pid"
+mount_unshare="$pid_unshare --mount --map-auto --map-root-user --setuid 0 --setgid 0"
+
+# This outputs code for declaring all variables to stdout. For example, if
+# FOO=BAR, then running
+#     declare -p FOO
+# will result in the output
+#     declare -- FOO="bar"
+# This function may be used to re-declare all currently used variables and
+# functions in a new shell.
+declare_all() {
+  # Remove read-only variables to avoid warnings. Unfortunately, declare +r -p
+  # doesn't work like it looks like it should (declaring only read-write
+  # variables). However, declare -rp will print out read-only variables, which
+  # we can then use to remove those definitions.
+  declare -p | grep -Fvf <(declare -rp)
+  # Then declare functions
+  declare -pf
+}
+
+#}}}

src/lib/base/util.sh

@@ -1,48 +0,0 @@
-#!/hint/bash
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-#{{{ base conf
-
-prepare_dir(){
-    [[ ! -d $1 ]] && mkdir -p "$1"
-    return 0
-}
-
-if [[ -n $SUDO_USER ]]; then
-    eval "USER_HOME=~$SUDO_USER"
-else
-    USER_HOME=$HOME
-fi
-
-USER_CONF_DIR="${XDG_CONFIG_HOME:-$USER_HOME/.config}/artools"
-
-prepare_dir "${USER_CONF_DIR}"
-
-load_base_config(){
-
-    local conf="$1/artools-base.conf"
-
-    [[ -f "$conf" ]] || return 1
-
-    # shellcheck source=config/conf/artools-base.conf
-    [[ -r "$conf" ]] && source "$conf"
-
-    CHROOTS_DIR=${CHROOTS_DIR:-'/var/lib/artools'}
-
-    WORKSPACE_DIR=${WORKSPACE_DIR:-"${USER_HOME}/artools-workspace"}
-
-    ARCH=${ARCH:-"$(uname -m)"}
-
-    REPO=${REPO:-'world'}
-
-    return 0
-}
-
-#}}}
-
-
-load_base_config "${USER_CONF_DIR}" || load_base_config "${SYSCONFDIR}"
-
-prepare_dir "${WORKSPACE_DIR}"
-

src/lib/iso/calamares.sh

@@ -4,44 +4,50 @@
 
 #{{{ calamares
 
-write_services_conf(){
+yaml_array() {
-    local key1="$1" val1="$2" key2="$3" val2="$4"
+    local array
-    local yaml
+
-    yaml=$(write_yaml_header)
+    for entry in "$@"; do
-    yaml+=$(write_yaml_map 0 "$key1" "$val1")
+        array="${array:-}${array:+,} ${entry}"
-    yaml+=$(write_yaml_map 0 "$key2" "$val2")
-    yaml+=$(write_yaml_map 0 'services')
-    for svc in "${SERVICES[@]}"; do
-        yaml+=$(write_yaml_seq 2 "$svc")
     done
-    yaml+=$(write_empty_line)
+    printf "%s\n" "[${array}]"
-    printf '%s\n' "${yaml}"
+}
+
+write_services_conf() {
+    local key1="$1" key2="$2" val1="$3" val2="$4"
+    local conf="$5"/services-"${INITSYS}".conf
+    local svc
+    svc=$(yaml_array "${SERVICES[@]}")
+
+    yq -n '"---"' > "$conf"
+
+    key1="$key1" key2="$key2" val1="$val1" val2="$val2" svc="$svc" \
+    yq -P 'with(
+        .;
+            eval(strenv(key1)) = env(val1) |
+            eval(strenv(key2)) = env(val2) |
+            .services = env(svc))' \
+        -i "$conf"
+
+    if [[ ${INITSYS} == 's6' ]]; then
+        yq -P '.defaultBundle = "default"' -i "$conf"
+    fi
 }
 
 write_services_openrc_conf(){
-    local conf="$1"/services-openrc.conf
+    write_services_conf '.initdDir' '.runlevelsDir' '/etc/init.d' '/etc/runlevels' "$1"
-    write_services_conf 'initdDir' '/etc/init.d' 'runlevelsDir' '/etc/runlevels' > "$conf"
 }
 
 write_services_runit_conf(){
-    local conf="$1"/services-runit.conf
+    write_services_conf '.svDir' '.runsvDir' '/etc/runit/sv' '/etc/runit/runsvdir' "$1"
-    write_services_conf 'svDir' '/etc/runit/sv' 'runsvDir' '/etc/runit/runsvdir' > "$conf"
 }
 
 write_services_s6_conf(){
-    local conf="$1"/services-s6.conf
+    write_services_conf '.svDir' '.dbDir' '/etc/s6/sv' '/etc/s6/rc/compiled' "$1"
-    write_services_conf 'svDir' '/etc/s6/sv' 'dbDir' '/etc/s6/rc/compiled' > "$conf"
-    printf '%s\n' "defaultBundle: default" >> "$conf"
-}
-
-write_services_suite66_conf(){
-    local conf="$1"/services-suite66.conf
-    write_services_conf 'svDir' '/etc/66/service' 'runsvDir' '/var/lib/66/system' > "$conf"
 }
 
 write_services_dinit_conf(){
-    local conf="$1"/services-dinit.conf
+    write_services_conf '.initdDir' '.runsvDir' '/etc/dinit.d' '/etc/dinit.d/boot.d' "$1"
-    write_services_conf 'initdDir' '/etc/dinit.d' 'runsvDir' '/etc/dinit.d/boot.d' > "$conf"
 }
 
 configure_calamares(){

src/lib/iso/initcpio.sh

@@ -28,15 +28,12 @@ export_gpg_publickey() {
 }
 
 prepare_initramfs_mkinitcpio() {
-    local mnt="$1" packages=() mkinitcpio_conf k
+    local mnt="$1" mkinitcpio_conf k
 
     mkinitcpio_conf=mkinitcpio-default.conf
     [[ "${profile}" == 'base' ]] && mkinitcpio_conf=mkinitcpio-pxe.conf
     k=$(<"$mnt"/usr/src/linux/version)
 
-    packages+=($(read_from_list "${common_dir}/Packages-boot"))
-    basestrap "${basestrap_args[@]}" "$mnt" "${packages[@]}"
-
     if [[ -n "${GPG_KEY}" ]]; then
         exec {ARTIX_GNUPG_FD}<>"${key_export}"
         export ARTIX_GNUPG_FD

src/lib/iso/iso.sh

@@ -5,13 +5,13 @@
 #{{{ iso
 
 get_disturl(){
-    # shellcheck disable=1091
+    # shellcheck disable=SC2034
     . /usr/lib/os-release
     printf "%s\n" "${HOME_URL}"
 }
 
 get_osname(){
-    # shellcheck disable=1091
+    # shellcheck disable=SC2034
     . /usr/lib/os-release
     printf "%s\n" "${NAME}"
 }

src/lib/iso/profile.sh

@@ -26,7 +26,7 @@ load_profile(){
 
     [[ -f $profile_dir/${profile}/profile.conf ]] || return 1
 
-    # shellcheck disable=1090
+    # shellcheck source=contrib/iso/profile.conf.example
     [[ -r "$profile_dir/${profile}"/profile.conf ]] && . "$profile_dir/${profile}"/profile.conf
 
     AUTOLOGIN=${AUTOLOGIN:-true}
@@ -43,20 +43,35 @@ load_profile(){
 read_from_list() {
     local list="$1"
     local _space="s| ||g"
-    local _clean=':a;N;$!ba;s/\n/ /g'
+    #local _clean=':a;N;$!ba;s/\n/ /g'
+    local _clean='/^$/d'
     local _com_rm="s|#.*||g"
     local _init="s|@initsys@|${INITSYS}|g"
-    local pkgs
 
     mapfile -t pkgs < <(sed "$_com_rm" "$list" \
             | sed "$_space" \
             | sed "$_init" \
-            | sed "$_clean")
+            | sed "$_clean" | sort -u)
-
-    printf "%s\n" "${pkgs[@]}"
 }
 
-read_from_services() {
+load_pkgs(){
+    local pkglist="$1"
+    packages=()
+
+    if [[ "${pkglist##*/}" == "Packages-Root" ]]; then
+        for l in base apps "${INITSYS}"; do
+            msg2 "Loading Packages: [%s] ..." "Packages-${l}"
+            read_from_list "${common_dir}/Packages-${l}"
+            packages+=("${pkgs[@]}")
+
+        done
+
+        if [[ -n "${live_list}" ]]; then
+            msg2 "Loading Packages: [Packages-xorg] ..."
+            read_from_list "${common_dir}/Packages-xorg"
+            packages+=("${pkgs[@]}")
+        fi
+
         for svc in "${SERVICES[@]}"; do
             case "$svc" in
                 sddm|gdm|lightdm|mdm|greetd|lxdm|xdm)
@@ -68,28 +83,11 @@ read_from_services() {
                 syslog-ng|metalog) packages+=("$svc-${INITSYS}") ;;
             esac
         done
-}
 
-load_pkgs(){
-    local pkglist="$1"
-    packages=()
-
-    if [[ "${pkglist##*/}" == "Packages-Root" ]]; then
-        for l in base apps "${INITSYS}"; do
-            msg2 "Loading Packages: [%s] ..." "Packages-${l}"
-            packages+=($(read_from_list "${common_dir}/Packages-${l}"))
-        done
-        if [[ -n "${live_list}" ]]; then
-            msg2 "Loading Packages: [%s] ..." "Packages-xorg"
-            packages+=($(read_from_list "${common_dir}/Packages-xorg"))
     fi
     msg2 "Loading Packages: [%s] ..." "${pkglist##*/}"
-        packages+=($(read_from_list "${pkglist}"))
+    read_from_list "${pkglist}"
-        read_from_services
+    packages+=("${pkgs[@]}")
-    else
-        msg2 "Loading Packages: [%s] ..." "${pkglist##*/}"
-        packages+=($(read_from_list "${pkglist}"))
-    fi
 }
 
 #}}}

src/lib/iso/util.sh

@@ -4,6 +4,21 @@
 
 #{{{ iso conf
 
+prepare_dir(){
+    [[ ! -d $1 ]] && mkdir -p "$1"
+    return 0
+}
+
+if [[ -n $SUDO_USER ]]; then
+    eval "USER_HOME=~$SUDO_USER"
+else
+    USER_HOME=$HOME
+fi
+
+USER_CONF_DIR="${XDG_CONFIG_HOME:-$USER_HOME/.config}/artools"
+
+prepare_dir "${USER_CONF_DIR}"
+
 load_iso_config(){
 
     local conf="$1/artools-iso.conf"
@@ -13,6 +28,14 @@ load_iso_config(){
     # shellcheck source=config/conf/artools-iso.conf
     [[ -r "$conf" ]] && source "$conf"
 
+    CHROOTS_DIR=${CHROOTS_DIR:-'/var/lib/artools'}
+
+    WORKSPACE_DIR=${WORKSPACE_DIR:-"${USER_HOME}/artools-workspace"}
+
+    ARCH=${ARCH:-"$(uname -m)"}
+
+    REPO=${REPO:-'world'}
+
     ISO_POOL=${ISO_POOL:-"${WORKSPACE_DIR}/iso"}
 
     ISO_VERSION=${ISO_VERSION:-"$(date +%Y%m%d)"}

src/lib/pkg/db/db.sh

@@ -272,8 +272,17 @@ update_yaml_move() {
             -i "${REPO_DB}"
 }
 
+show_agent() {
+    local agent="orion"
+    if grep @galaxy "${REPO_CI}" &>/dev/null; then
+        agent="taurus"
+    fi
+    msg2 "agent: %s" "$agent"
+}
+
 show_db() {
-    if ! yq -r ${REPO_DB} 1>/dev/null 2>/dev/null; then
+    show_agent
+    if ! yq -r "${REPO_DB}" 1>/dev/null 2>/dev/null; then
         die "${REPO_DB} invalid!"
     fi
     yq -rP '. | with_entries(select(.value.name))' "${REPO_DB}"

src/lib/pkg/git/config.sh

@@ -13,8 +13,8 @@ set -e
 
 commit_ci(){
     [[ -d .artixlinux ]] || mkdir .artixlinux
-    if [[ ${AGENT} == ${ARTIX_DB[11]} ]]; then
+    if [[ ${AGENT} == "${ARTIX_DB[11]}" ]]; then
-        printf "@Library('artix-ci@${AGENT}') import org.artixlinux.RepoPackage\n" > "${REPO_CI}"
+        printf "@Library('artix-ci@%s') import org.artixlinux.RepoPackage\n" "${AGENT}" > "${REPO_CI}"
     else
         printf "@Library('artix-ci') import org.artixlinux.RepoPackage\n" > "${REPO_CI}"
     fi
@@ -35,7 +35,7 @@ artixpkg_git_config_usage() {
     OPTIONS
         -m, --maintainer       Set the maintainer topic via gitea api
         -d, --drop             Drop the maintainer topic via gitea api
-        -a, --agent=NAME       Set the CI agent (default: official)
+        -a, --agent NAME       Set the CI agent (default: official)
                                Possible values: [official, galaxy]
         --protocol https       Configure remote url to use https
         -j, --jobs N           Run up to N jobs in parallel (default: $(nproc))
@@ -136,10 +136,12 @@ artixpkg_git_config() {
         -a|--agent)
             (( $# <= 1 )) && die "missing argument for %s" "$1"
             AGENT="$2"
+            RUNCMD+=" -a ${AGENT}"
             shift 2
         ;;
         --agent=*)
             AGENT="${1#*=}"
+            RUNCMD+=" -a ${AGENT}"
             shift
         ;;
         --protocol=https)
@@ -186,7 +188,7 @@ artixpkg_git_config() {
 
     # Load makepkg.conf variables to be available for packager identity
     msg "Collecting packager identity from makepkg.conf"
-    # shellcheck disable=2119
+    # shellcheck source=config/makepkg/x86_64.conf
     load_makepkg_config
     if [[ -n ${PACKAGER} ]]; then
         if ! packager_name=$(get_packager_name "${PACKAGER}") || \

src/lib/pkg/git/create.sh

@@ -108,7 +108,7 @@ artixpkg_git_create() {
             fi
             msg_success "Successfully created ${pkgbase}"
         fi
-        if [[ ${TEAM} == ${ARTIX_DB[11]} ]]; then
+        if [[ ${TEAM} == "${ARTIX_DB[11]}" ]]; then
             AGENT+=(--agent="${TEAM}")
         fi
         if (( clone )); then

src/lib/pkg/git/pull.sh

@@ -124,7 +124,7 @@ artixpkg_git_pull() {
 
     for pkgbase in "${pkgbases[@]}"; do
         if [[ -d ${pkgbase} ]]; then
-            ( cd ${pkgbase} || return
+            ( cd "${pkgbase}" || return
 
                 msg "Pulling ${pkgbase} ..."
                 if ! git pull origin master; then

src/lib/pkg/git/push.sh

@@ -113,7 +113,7 @@ artixpkg_git_push() {
 
     for pkgbase in "${pkgbases[@]}"; do
         if [[ -d ${pkgbase} ]]; then
-            ( cd ${pkgbase} || return
+            ( cd "${pkgbase}" || return
 
                 msg "Pushing ${pkgbase} ..."
                 if ! git push origin master; then

src/lib/pkg/repo.sh

@@ -11,33 +11,6 @@ source "${LIBDIR}"/pkg/db/db.sh
 set -e
 
 
-check_pkgbuild_validity() {
-    # shellcheck source=contrib/makepkg/PKGBUILD.proto
-    . ./PKGBUILD
-
-    # skip when there are no sources available
-    if (( ! ${#source[@]} )); then
-        return
-    fi
-
-    # validate sources hash algo is at least > sha1
-    local bad_algos=("cksums" "md5sums" "sha1sums")
-    local good_hash_algo=false
-
-    # from makepkg libmakepkg/util/schema.sh
-    for integ in "${known_hash_algos[@]}"; do
-        local sumname="${integ}sums"
-        if [[ -n ${!sumname} ]] && ! in_array "${sumname}" "${bad_algos[@]}"; then
-            good_hash_algo=true
-            break
-        fi
-    done
-
-    if ! $good_hash_algo; then
-        die "PKGBUILD lacks a secure cryptographic checksum, insecure algorithms: ${bad_algos[*]}"
-    fi
-}
-
 has_remote_changes() {
     local status
     msg "Checking for remote changes ..."

src/lib/pkg/repo/add.sh

@@ -8,6 +8,30 @@ ARTOOLS_INCLUDE_REPO_ADD_SH=1
 set -e
 
 
+check_pkgbuild_validity() {
+    # skip when there are no sources available
+    if (( ! ${#source[@]} )); then
+        return
+    fi
+
+    # validate sources hash algo is at least > sha1
+    local bad_algos=("cksums" "md5sums" "sha1sums")
+    local good_hash_algo=false
+
+    # from makepkg libmakepkg/util/schema.sh
+    for integ in "${known_hash_algos[@]}"; do
+        local sumname="${integ}sums"
+        if [[ -n ${!sumname} ]] && ! in_array "${sumname}" "${bad_algos[@]}"; then
+            good_hash_algo=true
+            break
+        fi
+    done
+
+    if ! $good_hash_algo; then
+        die "PKGBUILD lacks a secure cryptographic checksum, insecure algorithms: ${bad_algos[*]}"
+    fi
+}
+
 artixpkg_repo_add_usage() {
     local -r COMMAND=${_ARTOOLS_COMMAND:-${BASH_SOURCE[0]##*/}}
     cat <<- _EOF_
@@ -86,6 +110,8 @@ artixpkg_repo_add() {
             fi
             ( cd "${pkgbase}" || return
 
+                if ! has_remote_changes; then
+
                     if [[ ! -f PKGBUILD ]]; then
                         die "No PKGBUILD found in (%s)" "${pkgbase}"
                     fi
@@ -93,6 +119,10 @@ artixpkg_repo_add() {
                     # shellcheck source=contrib/makepkg/PKGBUILD.proto
                     source PKGBUILD
 
+                    check_pkgbuild_validity
+
+                    manage-pkgbuild-keys --export
+
                     update_yaml_base
                     update_yaml_add "${REBUILD}" "${ADD}" "${NOCHECK}" "${DEST}"
 
@@ -130,6 +160,8 @@ artixpkg_repo_add() {
                             warning "Could not query ${REPO_DB}"
                         fi
                     fi
+
+                fi
             )
         fi
 

src/lib/pkg/repo/move.sh

@@ -80,22 +80,24 @@ artixpkg_repo_move() {
             fi
             ( cd "${pkgbase}" || return
 
+                if ! has_remote_changes; then
+
                     if [[ ! -f PKGBUILD ]]; then
                         die "No PKGBUILD found in (%s)" "${pkgbase}"
                     fi
 
-                local commit_msg src_version dest_version
+                    local commit_msg src_version # dest_version
                     commit_msg=$(get_commit_msg 'move' "${DEST}" "${SRC}")
 
                     src_version=$(version_from_yaml "${SRC}")
-                dest_version=$(version_from_yaml "${DEST}")
+#                     dest_version=$(version_from_yaml "${DEST}")
 
                     if [[ "$src_version" != null ]]; then
 
-                    local ret
+#                         local ret
-                    ret=$(vercmp "$src_version" "$dest_version")
+#                         ret=$(vercmp "$src_version" "$dest_version")
-
+#
-                    if (( ret > 0 )); then
+#                         if (( ret > 0 )); then
 
                             update_yaml_move "${SRC}" "${DEST}"
 
@@ -128,17 +130,19 @@ artixpkg_repo_move() {
 
                             fi
 
-                    elif (( ret < 0 )); then
+#                         elif (( ret < 0 )); then
-
+#
-                        error "invalid move: version $src_version < $dest_version!"
+#                             error "${pkgbase}: invalid move: version $src_version < $dest_version!"
+#
+#                         else
+#                             error "${pkgbase}: invalid move: version $src_version = $dest_version!"
+#
+#                         fi
 
                     else
-                        error "invalid move: version $src_version = $dest_version!"
+                        error "${pkgbase}: invalid move: version $src_version!"
-
                     fi
 
-                else
-                    error "invalid move: version $src_version!"
                 fi
 
             )

src/lib/pkg/repo/remove.sh

@@ -73,6 +73,8 @@ artixpkg_repo_remove() {
             fi
             ( cd "${pkgbase}" || return
 
+                if ! has_remote_changes; then
+
                     if [[ ! -f PKGBUILD ]]; then
                         die "No PKGBUILD found in (%s)" "${pkgbase}"
                     fi
@@ -106,6 +108,8 @@ artixpkg_repo_remove() {
                         fi
 
                     fi
+
+                fi
             )
         fi
 

src/lib/pkg/util.sh

@@ -4,6 +4,21 @@
 
 #{{{ pkg conf
 
+prepare_dir(){
+    [[ ! -d $1 ]] && mkdir -p "$1"
+    return 0
+}
+
+if [[ -n $SUDO_USER ]]; then
+    eval "USER_HOME=~$SUDO_USER"
+else
+    USER_HOME=$HOME
+fi
+
+USER_CONF_DIR="${XDG_CONFIG_HOME:-$USER_HOME/.config}/artools"
+
+prepare_dir "${USER_CONF_DIR}"
+
 load_pkg_config(){
 
     local conf="$1/artools-pkg.conf"
@@ -13,6 +28,14 @@ load_pkg_config(){
     # shellcheck source=config/conf/artools-pkg.conf
     [[ -r "$conf" ]] && source "$conf"
 
+    CHROOTS_DIR=${CHROOTS_DIR:-'/var/lib/artools'}
+
+    WORKSPACE_DIR=${WORKSPACE_DIR:-"${USER_HOME}/artools-workspace"}
+
+    ARCH=${ARCH:-"$(uname -m)"}
+
+    REPO=${REPO:-'world'}
+
     local git_domain="gitea.artixlinux.org"
 
     GIT_HTTPS=${GIT_HTTPS:-"https://${git_domain}"}

src/pkg/artixpkg.in

@@ -37,8 +37,6 @@ fi
 
 export _ARTOOLS_COMMAND='artixpkg'
 
-# shellcheck source=src/lib/base/util.sh
-source "${LIBDIR}"/base/util.sh
 # shellcheck source=src/lib/pkg/util.sh
 source "${LIBDIR}"/pkg/util.sh
 

src/pkg/buildpkg.in

@@ -6,12 +6,12 @@ LIBDIR=${LIBDIR:-'@libdir@'}
 DATADIR=${DATADIR:-'@datadir@'}
 SYSCONFDIR=${SYSCONFDIR:-'@sysconfdir@/artools'}
 
-# shellcheck source=src/lib/base/util.sh
-source "${LIBDIR}"/base/util.sh
 # shellcheck source=src/lib/base/message.sh
 source "${LIBDIR}"/base/message.sh
 # shellcheck source=src/lib/base/chroot.sh
 source "${LIBDIR}"/base/chroot.sh
+# shellcheck source=src/lib/pkg/util.sh
+source "${LIBDIR}"/pkg/util.sh
 
 create_first=false
 rebuild=false
@@ -52,7 +52,7 @@ while getopts "${opts}" arg; do
         d) repo="$OPTARG" ;;
         a) arch="$OPTARG" ;;
         c) create_first=true ;;
-        m) rebuild=true; repo=${repo%-*} ;;
+        m) rebuild=true ;;
         C) mkchrootpkg_args+=(-C) ;;
         N) mkchrootpkg_args+=(-N) ;;
         n) mkchrootpkg_args+=(-n) ;;
@@ -60,6 +60,10 @@ while getopts "${opts}" arg; do
     esac
 done
 
+if "${rebuild}"; then
+    repo=${repo%-*}
+fi
+
 if [[ "${repo}" == lib32* ]]; then
     base_packages+=('multilib-devel')
 fi

src/pkg/checkpkg.in

@@ -57,7 +57,7 @@ while (( $# )); do
             shift
             break
             ;;
-        -*|--*)
+        --*|-*)
             die "invalid argument: %s" "$1"
             ;;
         *)
@@ -76,10 +76,10 @@ fi
 
 # Source user-specific makepkg.conf overrides
 if [[ -r "${XDG_CONFIG_HOME:-$HOME/.config}/pacman/makepkg.conf" ]]; then
-    # shellcheck source=/dev/null
+    # shellcheck source=config/makepkg/x86_64.conf
     source "${XDG_CONFIG_HOME:-$HOME/.config}/pacman/makepkg.conf"
 elif [[ -r "$HOME/.makepkg.conf" ]]; then
-    # shellcheck source=/dev/null
+    # shellcheck source=config/makepkg/x86_64.conf
     source "$HOME/.makepkg.conf"
 fi
 
@@ -152,7 +152,11 @@ for _pkgname in "${pkgname[@]}"; do
     find-libprovides "$pkgfile" 2>/dev/null | sort > "$TEMPDIR/libraries-$_pkgname"
     if ! diff_output="$(sdiff -s "$TEMPDIR/libraries-$_pkgname-old" "$TEMPDIR/libraries-$_pkgname")"; then
         message="Sonames differ in $_pkgname!"
-        (( WARN )) && warning "$message" || msg "$message"
+        if (( WARN )); then
+            warning "$message"
+        else
+            msg "$message"
+        fi
         printf "%s\n" "$diff_output" 2>&1 | tee "${pkgfile##*/}-checkpkg.log"
         changed=1
     else

src/pkg/checkrepo.in

@@ -6,8 +6,6 @@ LIBDIR=${LIBDIR:-'@libdir@'}
 DATADIR=${DATADIR:-'@datadir@'}
 SYSCONFDIR=${SYSCONFDIR:-'@sysconfdir@/artools'}
 
-# shellcheck source=src/lib/base/util.sh
-source "${LIBDIR}"/base/util.sh
 # shellcheck source=src/lib/pkg/util.sh
 source "${LIBDIR}"/pkg/util.sh
 # shellcheck source=src/lib/base/message.sh
@@ -32,6 +30,7 @@ update_linksdb_cache(){
     local cachedir url
     for repo in "${search[@]}"; do
         cachedir=${db_cache_dir}/linksdb/$repo
+        # shellcheck disable=SC2153
         url=${REPOS_MIRROR}/$repo/os/${CARCH}/$repo.${linksdb_ext}
         extract_db "$url" "$cachedir"
     done

src/pkg/chroot-run.in

@@ -39,7 +39,7 @@ umask 0022
 working_dir=''
 
 files=()
-mount_args=("-B:/etc/hosts:/etc/hosts")
+mount_args="-B:/etc/hosts:/etc/hosts"
 
 usage() {
     printf "Usage: %s [options] working-dir [run arguments]\n" "${0##*/}"
@@ -72,7 +72,7 @@ while getopts ${opts} arg; do
         f) files+=("$OPTARG") ;;
         s) nosetarch=1 ;;
         t) tmpfs_opts="$OPTARG" ;;
-        b) bindmounts="$OPTARG"; mount_args+=(${bindmounts}) ;;
+        b) bindmounts="$OPTARG"; mount_args+=" ${bindmounts}" ;;
         h|?) usage ;;
         *) error "invalid argument '%s'" "$arg"; usage ;;
     esac
@@ -96,6 +96,7 @@ mapfile -t host_mirrors < <(pacman-conf --repo world Server 2> /dev/null | sed -
 
 for host_mirror in "${host_mirrors[@]}"; do
     if [[ $host_mirror == *file://* ]]; then
+        # shellcheck disable=SC2016
         host_mirror=$(echo "$host_mirror" | sed -r 's#file://(/.*)/\$repo/os/\$arch#\1#g')
         for m in "$host_mirror"/pool/*/; do
             in_array "$m" "${cache_dirs[@]}" || cache_dirs+=("$m")
@@ -114,10 +115,10 @@ while read -r line; do
     done
 done < <(pacman-conf --config "${pacman_conf:-$working_dir/etc/pacman.conf}" --repo-list)
 
-mount_args+=("-B:${cache_dirs[0]//:/\\:}:${cache_dirs[0]//:/\\:}")
+mount_args+=" -B:${cache_dirs[0]//:/\\:}:${cache_dirs[0]//:/\\:}"
 
 for cache_dir in "${cache_dirs[@]:1}"; do
-    mount_args+=("-Br:${cache_dir//:/\\:}:${cache_dir//:/\\:}")
+    mount_args+=" -Br:${cache_dir//:/\\:}:${cache_dir//:/\\:}"
 done
 
 # {{{ functions
@@ -144,13 +145,13 @@ copy_hostconf () {
 chroot_extra_mount() {
     chroot_add_resolv_conf "${working_dir}"
 
-    for arg in "${mount_args[@]}"; do
+    for arg in ${mount_args}; do
         local flag dest src
         flag=${arg%%:*}
         dest=${arg##*:}
         src=${arg%:*}
         src=${src#*:}
-        chroot_mount "${src}" "${working_dir}${dest}" "${flag}"
+        chroot_add_mount "${src}" "${working_dir}${dest}" "${flag}"
     done
 }
 
@@ -165,7 +166,7 @@ elif [[ $(cat "$working_dir/.artix-chroot") != "${CHROOTVERSION}" ]]; then
     die "chroot '%s' is not at version %s. Please rebuild." "$working_dir" "${CHROOTVERSION}"
 fi
 
-chroot_api_mount "${working_dir}" "${tmpfs_opts}" || die "failed to setup API filesystems in chroot %s" "${working_dir}"
+chroot_setup "${working_dir}" "${tmpfs_opts}" || die "failed to setup API filesystems in chroot %s" "${working_dir}"
 
 chroot_extra_mount
 

src/pkg/ckchrootpkg.in

@@ -4,12 +4,12 @@
 
 LIBDIR=${LIBDIR:-'@libdir@'}
 
-# shellcheck source=src/lib/base/util.sh
-source "${LIBDIR}"/base/util.sh
 # shellcheck source=src/lib/base/message.sh
 source "${LIBDIR}"/base/message.sh
 # shellcheck source=src/lib/base/chroot.sh
 source "${LIBDIR}"/base/chroot.sh
+# shellcheck source=src/lib/pkg/util.sh
+source "${LIBDIR}"/pkg/util.sh
 
 shopt -s nullglob
 
@@ -76,6 +76,7 @@ umask 0022
 
 ORIG_HOME=$HOME
 IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}")
+# shellcheck source=config/makepkg/x86_64.conf
 load_makepkg_config
 HOME=$ORIG_HOME
 

src/pkg/diffpkg.in

@@ -127,7 +127,7 @@ while (( $# )); do
             shift
             break
         ;;
-        -*|--*)
+        --*|-*)
             die "invalid argument: %s" "$1"
         ;;
         *)

src/pkg/export-pkgbuild-keys.in

@@ -1,73 +0,0 @@
-#!/bin/bash
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-LIBDIR=${LIBDIR:-'@libdir@'}
-
-# shellcheck source=src/lib/base/message.sh
-source "${LIBDIR}"/base/message.sh
-
-usage() {
-    cat <<- _EOF_
-        Usage: ${BASH_SOURCE[0]##*/}
-
-        Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
-        subdirectory. Useful for distributing packager validated source signing
-        keys alongside PKGBUILDs.
-
-        OPTIONS
-            -h, --help      Show this help text
-_EOF_
-}
-
-# option checking
-while (( $# )); do
-    case $1 in
-        -h|--help) usage; exit 0 ;;
-        *) die "invalid argument: %s" "$1" ;;
-    esac
-done
-
-if [[ ! -f PKGBUILD ]]; then
-    die "This must be run a directory containing a PKGBUILD."
-fi
-
-mapfile -t validpgpkeys < <(
-    # shellcheck source=contrib/makepkg/PKGBUILD.proto
-    . ./PKGBUILD
-    if (( ${#validpgpkeys[@]} )); then
-        printf "%s\n" "${validpgpkeys[@]}"
-    fi
-)
-
-msg "Exporting ${#validpgpkeys[@]} PGP keys..."
-if (( ${#validpgpkeys[@]} == 0 )); then
-    exit 0
-fi
-
-trap 'rm -rf $TEMPDIR' EXIT INT TERM QUIT
-TEMPDIR=$(mktemp -d --tmpdir export-pkgbuild-keys.XXXXXXXXXX)
-
-mkdir -p keys/pgp
-error=0
-
-for key in "${validpgpkeys[@]}"; do
-    gpg --output "$TEMPDIR/$key.asc" --armor --export --export-options export-minimal "$key" 2>/dev/null
-
-    # gpg does not give a non-zero return value if it fails to export...
-    if [[ -f $TEMPDIR/$key.asc ]]; then
-        msg2 "Exported $key"
-        mv "$TEMPDIR/$key.asc" "keys/pgp/$key.asc"
-    else
-        if [[ -f keys/pgp/$key.asc ]]; then
-            warning "Failed to update key: $key"
-        else
-            error "Key unavailable: $key"
-            error=1
-        fi
-    fi
-done
-
-if (( error )); then
-    die "Failed to export all \'validpgpkeys\' entries."
-fi

src/pkg/makerepropkg.in

@@ -10,12 +10,12 @@ LIBDIR=${LIBDIR:-'@libdir@'}
 DATADIR=${DATADIR:-'@datadir@'}
 SYSCONFDIR=${SYSCONFDIR:-'@sysconfdir@/artools'}
 
-# shellcheck source=src/lib/base/util.sh
-source "${LIBDIR}"/base/util.sh
 # shellcheck source=src/lib/base/message.sh
 source "${LIBDIR}"/base/message.sh
 # shellcheck source=src/lib/base/chroot.sh
 source "${LIBDIR}"/base/chroot.sh
+# shellcheck source=src/lib/pkg/util.sh
+source "${LIBDIR}"/pkg/util.sh
 
 declare -A buildinfo
 declare -a buildenv buildopts installed installpkgs
@@ -133,7 +133,7 @@ while getopts 'dM:c:l:h' arg; do
         c) cache_dirs+=("$OPTARG") ;;
         l) chroot="$OPTARG" ;;
         h) usage; exit 0 ;;
-        *|?) usage; exit 1 ;;
+        ?|*) usage; exit 1 ;;
     esac
 done
 shift $((OPTIND - 1))
@@ -222,10 +222,12 @@ TEMPDIR=$(mktemp -d --tmpdir makerepropkg.XXXXXXXXXX)
 makepkg_conf="${TEMPDIR}/makepkg.conf"
 # anything before buildtool support is pinned to the last none buildtool aware release
 if [[ -z "${BUILDTOOL}" ]]; then
-    get_makepkg_conf "artools-pkg-0.28.2-1-any" "${CARCH}" "${makepkg_conf}" || exit 1
+    # shellcheck disable=SC2153
+    get_makepkg_conf "artools-pkg-0.31.7-1-any" "${CARCH}" "${makepkg_conf}" || exit 1
 # prefere to assume artools-pkg up until matching makepkg version so repository packages remain reproducible
 elif [[ "${BUILDTOOL}" = makepkg ]] && (( $(vercmp "${BUILDTOOLVER}" 6.0.1) <= 0 )); then
-    get_makepkg_conf "artools-pkg-0.28.2-1-any" "${CARCH}" "${makepkg_conf}" || exit 1
+    # shellcheck disable=SC2153
+    get_makepkg_conf "artools-pkg-0.31.7-1-any" "${CARCH}" "${makepkg_conf}" || exit 1
 # all artools-pkg builds
 elif [[ "${BUILDTOOL}" = artools ]] && get_makepkg_conf "${BUILDTOOL}-${BUILDTOOLVER}" "${makepkg_conf}"; then
     true

src/pkg/manage-pkgbuild-keys.in

@@ -0,0 +1,99 @@
+#!/bin/bash
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+LIBDIR=${LIBDIR:-'@libdir@'}
+
+# shellcheck source=src/lib/base/message.sh
+source "${LIBDIR}"/base/message.sh
+
+
+usage() {
+    cat <<- _EOF_
+        Usage: ${BASH_SOURCE[0]##*/}
+
+        Export or import the PGP keys from a PKGBUILDs validpgpkeys array into/from the keys/pgp/
+        subdirectory. Useful for distributing packager validated source signing
+        keys alongside PKGBUILDs.
+
+        OPTIONS
+            -i, --import    Import keys
+            -e, --export    Export keys
+            -h, --help      Show this help text
+_EOF_
+}
+
+action=''
+error=0
+
+# option checking
+while (( $# )); do
+    case $1 in
+        -i|--import) action="import"; shift ;;
+        -e|--export) action="export"; shift ;;
+        -h|--help) usage; exit 0 ;;
+        *) die "invalid argument: %s" "$1" ;;
+    esac
+done
+
+if [[ ! -f PKGBUILD ]]; then
+    die "This must be run a directory containing a PKGBUILD."
+fi
+
+mapfile -t validpgpkeys < <(
+    # shellcheck source=contrib/makepkg/PKGBUILD.proto
+    . ./PKGBUILD
+    if (( ${#validpgpkeys[@]} )); then
+        printf "%s\n" "${validpgpkeys[@]}"
+    fi
+)
+
+if [[ "$action" == 'export' ]]; then
+    msg "Exporting ${#validpgpkeys[@]} PGP keys..."
+    if (( ${#validpgpkeys[@]} == 0 )); then
+        exit 0
+    fi
+
+    trap 'rm -rf $TEMPDIR' EXIT INT TERM QUIT
+    TEMPDIR=$(mktemp -d --tmpdir export-pkgbuild-keys.XXXXXXXXXX)
+
+    mkdir -p keys/pgp
+
+    for key in "${validpgpkeys[@]}"; do
+        gpg --output "$TEMPDIR/$key.asc" --armor --export --export-options export-minimal "$key" 2>/dev/null
+
+        # gpg does not give a non-zero return value if it fails to export...
+        if [[ -f $TEMPDIR/$key.asc ]]; then
+            msg2 "Exported $key"
+            mv "$TEMPDIR/$key.asc" "keys/pgp/$key.asc"
+        else
+            if [[ -f keys/pgp/$key.asc ]]; then
+                warning "Failed to update key: $key"
+            else
+                error "Key unavailable: $key"
+                error=1
+            fi
+        fi
+    done
+elif [[ "$action" == 'import' ]]; then
+
+    msg "Ensuring required PGP keys are present..."
+    for key in "${validpgpkeys[@]}"; do
+        if ! gpg --list-keys "$key" &>/dev/null; then
+            msg2 "Checking for $key..."
+            if ! gpg --recv-keys "$key" || ! gpg --fingerprint "$key"; then
+                if [[ -f keys/pgp/$key.asc ]]; then
+                    msg2 "Importing key from local..."
+                    gpg --import "keys/pgp/$key.asc"
+                else
+                    error "Key unavailable: $key"
+                    error=1
+                fi
+            fi
+        fi
+    done
+fi
+
+if (( error )); then
+    die "Failed to $action all \'validpgpkeys\' entries."
+fi

src/pkg/mkchroot.in

@@ -20,6 +20,7 @@ umode=''
 
 files=()
 chroot_args=()
+nosetarch=0
 
 usage() {
     printf "Usage: %s [options] working-dir package-list...\n" "${0##*/}"

src/pkg/mkchrootpkg.in

@@ -177,7 +177,7 @@ prepare_chroot() {
     done
 
     cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
-builduser ALL = NOPASSWD: /usr/bin/pacman
+builduser ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman
 EOF
     chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
 
@@ -205,6 +205,7 @@ _chrootbuild() {
     # No coredumps
     ulimit -c 0
 
+    # shellcheck disable=SC1091
     . /etc/locale.conf
 
     # shellcheck source=/dev/null
@@ -263,6 +264,7 @@ move_products() {
 
         # Fix broken symlink because of temporary chroot PKGDEST /pkgdest
         if [[ "$PWD" != "$PKGDEST" && -L "$PWD/${pkgfile##*/}" ]]; then
+            # shellcheck disable=SC2226
             ln -sf "$PKGDEST/${pkgfile##*/}"
         fi
     done
@@ -275,6 +277,7 @@ move_products() {
 
         # Fix broken symlink because of temporary chroot SRCPKGDEST /srcpkgdest
         if [[ "$PWD" != "$SRCPKGDEST" && -L "$PWD/${s##*/}" ]]; then
+            # shellcheck disable=SC2226
             ln -sf "$SRCPKGDEST/${s##*/}"
         fi
     done

src/pkg/pkg2yaml.in

@@ -6,10 +6,12 @@ LIBDIR=${LIBDIR:-'@libdir@'}
 
 # shellcheck source=src/lib/base/message.sh
 source "${LIBDIR}"/base/message.sh
-# shellcheck source=src/lib/base/yaml.sh
+# shellcheck source=src/lib/pkg/yaml.sh
-source "${LIBDIR}"/base/yaml.sh
+source "${LIBDIR}"/pkg/yaml.sh
 
+# shellcheck disable=1091
 source "${MAKEPKG_LIBRARY}"/util/pkgbuild.sh
+# shellcheck disable=1091
 source "${MAKEPKG_LIBRARY}"/util/schema.sh
 
 #{{{ functions
@@ -121,6 +123,7 @@ usage() {
     exit "$1"
 }
 
+# shellcheck source=config/makepkg/x86_64.conf
 load_makepkg_config
 
 opts='h'

src/pkg/repopkg.in

@@ -6,8 +6,6 @@ LIBDIR=${LIBDIR:-'@libdir@'}
 DATADIR=${DATADIR:-'@datadir@'}
 SYSCONFDIR=${SYSCONFDIR:-'@sysconfdir@/artools'}
 
-# shellcheck source=src/lib/base/util.sh
-source "${LIBDIR}"/base/util.sh
 # shellcheck source=src/lib/pkg/util.sh
 source "${LIBDIR}"/pkg/util.sh
 # shellcheck source=src/lib/base/message.sh
@@ -34,6 +32,7 @@ remove(){
 
 repo_action() {
     local repo_path
+    # shellcheck disable=SC2153
     repo_path=${REPOS_ROOT}/${dest_repo}/os/${CARCH}
 
     local packages=() action func="$1"

src/pkg/signpkg.in

@@ -9,6 +9,7 @@ source "${LIBDIR}"/base/message.sh
 # shellcheck source=src/lib/pkg/deploy.sh
 source "${LIBDIR}"/pkg/deploy.sh
 
+# shellcheck source=config/makepkg/x86_64.conf
 load_makepkg_config
 
 passfiles=("$@")