#!/bin/bash

# Slackware build script for Unbound

# Copyright 2024 Badchay <badchay@protonmail.com>
# All rights reserved.
# Copyright 2020 Gerardo Zamudio <gerardo.zamudio@linux.com> Mexico City, Mexico
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
#  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
#  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
#  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
#  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
#  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
#  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

cd $(dirname $0) ; CWD=$(pwd)

PRGNAM=unbound
VERSION=${VERSION:-1.19.3}
BUILD=${BUILD:-2}
TAG=${TAG:-_SBo}
PKGTYPE=${PKGTYPE:-tgz}

if [ -z "$ARCH" ]; then
  case "$( uname -m )" in
    i?86) ARCH=i586 ;;
    arm*) ARCH=arm ;;
       *) ARCH=$( uname -m ) ;;
  esac
fi

# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
# the name of the created package would be, and then exit. This information
# could be useful to other scripts.
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
  echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
  exit 0
fi

TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}

if [ "$ARCH" = "i586" ]; then
  SLKCFLAGS="-O2 -march=i586 -mtune=i686"
  LIBDIRSUFFIX=""
elif [ "$ARCH" = "i686" ]; then
  SLKCFLAGS="-O2 -march=i686 -mtune=i686"
  LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
  SLKCFLAGS="-O2 -fPIC"
  LIBDIRSUFFIX="64"
else
  SLKCFLAGS="-O2"
  LIBDIRSUFFIX=""
fi

UB_USER=${UB_USER:-unbound}
UB_GROUP=${UB_GROUP:-unbound}

# Check the system user and group for unbound:
if ! grep -q ^"$UB_GROUP": /etc/group ; then
  echo "  You will need a dedicated group to run unbound"
  echo "    # groupadd -g 304 $UB_GROUP"
  echo "  should do the job."
  exit 1
fi

if ! grep -q ^"$UB_USER": /etc/passwd ; then
  echo "  You will need a dedicated user to run unbound, something like"
  echo "    # useradd -r -u 304 -g $UB_GROUP -d /etc/unbound/ -s /sbin/nologin -c 'Unbound DNS resolver' $UB_USER"
  exit 1
fi

# This needs to be set. Otherwise Unbound will build
# against Python 2 on Slackware 15.0.
# Setting this to "3" allows Unbound to build with
# Python 3.9 and 3.11, depending which one is installed.
UNB_PY_VERSION=${UNB_PY_VERSION:-3}

set -e

rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
rm -rf $PRGNAM-$VERSION
tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
cd $PRGNAM-$VERSION
chown -R root:root .
find -L . \
 \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
  -o -perm 511 \) -exec chmod 755 {} \; -o \
 \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
  -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;

CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
PYTHON_VERSION="$UNB_PY_VERSION" \
./configure \
  --prefix=/usr \
  --libdir=/usr/lib${LIBDIRSUFFIX} \
  --sysconfdir=/etc \
  --localstatedir=/var \
  --mandir=/usr/man \
  --docdir=/usr/doc/$PRGNAM-$VERSION \
  --with-libevent \
  --with-ssl \
  --enable-dnscrypt \
  --disable-static \
  --enable-sha2 \
  --enable-subnet \
  --with-pythonmodule \
  --with-pyunbound \
  --with-username=$UB_USER \
  --with-pidfile=/run/unbound/unbound.pid \
  --with-rootkey-file=/var/lib/unbound/root.key \
  --build=$ARCH-slackware-linux \
  --host=$ARCH-slackware-linux \

make
make install DESTDIR=$PKG

rm -f --verbose $PKG/usr/lib${LIBDIRSUFFIX}/libunbound.la

find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
  | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true

find $PKG/usr/man -type f -exec gzip -9 {} \;
for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done

mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a doc/README* doc/FEATURES doc/CREDITS doc/TODO $PKG/usr/doc/$PRGNAM-$VERSION

# Shorten the Changelog and restore its timestamp
head -n 500 doc/Changelog > $PKG/usr/doc/$PRGNAM-$VERSION/Changelog
touch -r doc/Changelog $PKG/usr/doc/$PRGNAM-$VERSION/Changelog

# Save the upstream unbound.conf and set some reasonable defaults:
# 1) Set the default log path to /var/log/unbound/
# 2) Enable Unbound control interface. It's used for logrotate script
#    but also gives you the power to control your process without
#    restarts/reloads. It binds to localhost and cannot be used by
#    unprivileged users.
# 3) Change timestamps to ASCII format (from Epoch).
# 4) Turn off chroot.
# 5) Disable systemd socket activation.
# 6) Set num-threads to $(nproc).
# 7) Use root-hints file.
# 8) Set DNS prefetch to "yes".
# 9) Harden against out of zone rrsets (harden-glue).
# 10) Harden against receiving dnssec-stripped data (harden-dnssec-stripped).
# 11) Enable aggressive NSEC, root-key-sentinel and RFC8145 (trust anchor
# signaling).
cp -a $PKG/etc/unbound/unbound.conf $PKG/etc/unbound/unbound.conf.upstream
sed -i \
-e 's/# control-interface:/control-interface:/g' \
-e 's/# control-enable: no/control-enable: yes/g' \
-e 's/# log-time-ascii: no/log-time-ascii: yes/g' \
-e 's/# use-systemd: no/use-systemd: no/g' \
-e 's/# logfile: ""/logfile: "\/var\/log\/unbound\/unbound.log"/g' \
-e 's/# chroot: "\/etc\/unbound"/chroot: ""/g' \
-e 's/# num-threads: 1/num-threads: '$(nproc)' # Set to the value of nproc by SlackBuild/g' \
-e 's/# root-hints: ""/root-hints: "\/var\/lib\/unbound\/root.hints"/g' \
-e 's/# prefetch: no/prefetch: yes/g' \
-e 's/# harden-glue: yes/harden-glue: yes/g' \
-e 's/# harden-dnssec-stripped: yes/harden-dnssec-stripped: yes/g' \
-e 's/# aggressive-nsec: yes/aggressive-nsec: yes/g' \
-e 's/# trust-anchor-signaling: yes/trust-anchor-signaling: yes/g' \
-e 's/# root-key-sentinel: yes/root-key-sentinel: yes/g' \
-e '/# auto-trust-anchor-file: ".*/a\        auto-trust-anchor-file: "/var/lib/unbound/root.key"' \
$PKG/etc/unbound/unbound.conf \

mkdir -p $PKG/run/unbound
mkdir -p $PKG/var/log/unbound
mkdir -p $PKG/var/lib/unbound
mkdir -p $PKG/etc/logrotate.d

chown $UB_USER:$UB_GROUP $PKG/run/unbound/
chown $UB_USER:$UB_GROUP $PKG/var/log/unbound/
chown $UB_USER:$UB_GROUP $PKG/var/lib/unbound/

cp -a $CWD/unbound.logrotate $PKG/etc/logrotate.d/unbound.new
cp -a $CWD/root.hints $PKG/var/lib/unbound/root.hints
chown $UB_USER:$UB_GROUP $PKG/var/lib/unbound/root.hints
chown root:root $PKG/etc/logrotate.d/unbound.new
mv $PKG/etc/unbound/unbound.conf $PKG/etc/unbound/unbound.conf.new
install -m 0644 -D $CWD/rc.unbound $PKG/etc/rc.d/rc.unbound.new

mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
cat $CWD/doinst.sh > $PKG/install/doinst.sh
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild

cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE