# SPDX-FileCopyrightText: William Moreno Reyes CP | MBA
# SPDX-License-Identifier: Apache-2.0

%global commit ecd8bcae804e6329314564f1e43c29d06c77266d

Name:    admiral-common
Version: 0.0.1.alpha1
Release: 8%{?dist}
Summary: Common files and utilities for Admiral PaaS

License: Apache-2.0
URL:     https://github.com/admiral-project/admiral
Source0: https://github.com/admiral-project/admiral/archive/%{commit}/admiral-%{version}.tar.gz

BuildArch: noarch

Requires: python3
Requires: caddy
Requires: ansible-core
Requires: openssh-clients
Requires: openssh-server
Requires: shadow-utils
Requires: systemd
Requires: wireguard-tools
Requires: policycoreutils-python-utils

%description
Common configuration files, Ansible playbooks, and utility scripts
shared by all Admiral components. Admiral is a lightweight PaaS for
agencies to sell and operate SaaS applications on Enterprise Linux.

%prep
%autosetup -n admiral-v%{version}

%build

%install
# Ansible playbooks
mkdir -p %{buildroot}%{_datadir}/admiral/ansible
cp -r ansible/* %{buildroot}%{_datadir}/admiral/ansible/

# HTTPS setup script
install -Dm0755 scripts/admiral_https_setup.py %{buildroot}%{_bindir}/admiral_https_setup

# Configuration directory (owned by root, 755)
mkdir -p %{buildroot}%{_sysconfdir}/admiral

# Log directory (admiral user needs write)
mkdir -p %{buildroot}%{_localstatedir}/log/admiral

# Data directories (fleet runs as root then switches to admiral-apps)
mkdir -p %{buildroot}%{_sysconfdir}/containers/systemd/admiral
mkdir -p %{buildroot}%{_localstatedir}/lib/admiral/outbox
mkdir -p %{buildroot}%{_localstatedir}/lib/admiral/backups
mkdir -p %{buildroot}%{_localstatedir}/lib/admiral/instances
mkdir -p %{buildroot}%{_localstatedir}/lib/admiral-apps

%pre
# Create users and groups before file install so RPM can apply ownership
getent group admiral >/dev/null || groupadd -r admiral
getent passwd admiral >/dev/null || \
    useradd -r -g admiral \
    -d %{_localstatedir}/lib/admiral \
    -s /sbin/nologin \
    -c "Admiral service account" admiral

getent passwd admiral-apps >/dev/null || \
    useradd -m -d /var/lib/admiral-apps \
    -s /bin/bash -c "Admiral rootless apps" admiral-apps

%files
%license LICENSE
%doc README.md

%dir %attr(0755, root, root) %{_sysconfdir}/admiral
%dir %attr(0755, root, root) %{_sysconfdir}/containers/systemd/admiral
%dir %attr(0750, admiral, admiral) %{_localstatedir}/log/admiral
%dir %attr(0755, root, root) %{_localstatedir}/lib/admiral
%dir %attr(0755, root, root) %{_localstatedir}/lib/admiral/outbox
%dir %attr(0755, root, root) %{_localstatedir}/lib/admiral/backups
%dir %attr(0755, root, root) %{_localstatedir}/lib/admiral/instances
%dir %attr(0755, admiral-apps, admiral-apps) %{_localstatedir}/lib/admiral-apps

%{_bindir}/admiral_https_setup
%{_datadir}/admiral/ansible/

%post
# Set ownership of log directory
chown admiral:admiral %{_localstatedir}/log/admiral 2>/dev/null || :

# Restore ownership of the shared Admiral data tree.
chown root:root %{_localstatedir}/lib/admiral 2>/dev/null || :
chown root:root %{_localstatedir}/lib/admiral/outbox 2>/dev/null || :
chown root:root %{_localstatedir}/lib/admiral/backups 2>/dev/null || :
chown root:root %{_localstatedir}/lib/admiral/instances 2>/dev/null || :

# Ensure rootless runtime directories exist before admiral-fleet first start
mkdir -p %{_sysconfdir}/containers/systemd/admiral
if getent passwd admiral-apps >/dev/null 2>&1; then
    ADMIRAL_APPS_UID=$(id -u admiral-apps)
    mkdir -p %{_localstatedir}/lib/admiral-apps
    chown admiral-apps:admiral-apps %{_localstatedir}/lib/admiral-apps 2>/dev/null || :
    mkdir -p %{_sysconfdir}/containers/systemd/users/${ADMIRAL_APPS_UID}
    loginctl enable-linger admiral-apps >/dev/null 2>&1 || :
    mkdir -p /run/user/${ADMIRAL_APPS_UID}/libpod
    chown admiral-apps:admiral-apps /run/user/${ADMIRAL_APPS_UID}
    chown admiral-apps:admiral-apps /run/user/${ADMIRAL_APPS_UID}/libpod
    cat > /usr/lib/tmpfiles.d/admiral-apps.conf << TMPFILESEOF
# Generated by admiral-common - ensure podman runtime directory exists
# for the rootless admiral-apps user.
d /run/user/${ADMIRAL_APPS_UID}/libpod 0700 admiral-apps admiral-apps - -
TMPFILESEOF
    grep -q '^admiral-apps:100000:131072$' /etc/subuid 2>/dev/null || \
        echo 'admiral-apps:100000:131072' >> /etc/subuid
    grep -q '^admiral-apps:100000:131072$' /etc/subgid 2>/dev/null || \
        echo 'admiral-apps:100000:131072' >> /etc/subgid
fi

# SELinux contexts
restorecon -R %{_sysconfdir}/admiral 2>/dev/null || :
restorecon -R %{_sysconfdir}/containers 2>/dev/null || :
restorecon -R %{_localstatedir}/lib/admiral-apps 2>/dev/null || :
restorecon -F %{_bindir}/admiral_https_setup 2>/dev/null || :

# Set default SELinux context for rootless container storage
# Files under admiral-apps' podman storage inherit var_lib_t from /var/lib,
# but container_t domain needs container_file_t to read them.
semanage fcontext -a -t container_file_t "/var/lib/admiral-apps/.local/share/containers/storage(/.*)?" 2>/dev/null || :
restorecon -R /var/lib/admiral-apps/.local/share/containers/storage/ 2>/dev/null || :

%preun
if [ $1 -eq 0 ]; then
    userdel admiral 2>/dev/null || true
    groupdel admiral 2>/dev/null || true
fi

%changelog
* Wed Jun 03 2026 Admiral Project <dev@admiral-project.org> - 0.1.0-1
- Initial Admiral packaging