From 0d7f48c88ac61c1ffc022927052e218e3a405286 Mon Sep 17 00:00:00 2001
From: dubo-dubon-duponey
Date: Tue, 19 Mar 2024 15:42:37 -0700
Subject: [PATCH] Fix perms
---
 DEVELOP.md | 28 ++++++++++++++++++----------
 Dockerfile | 7 ++++---
 context/runtime/boot/entrypoint.sh | 11 ++++++-----
 context/runtime/boot/mdns.sh | 4 +---
 4 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/DEVELOP.md b/DEVELOP.md
index d312032..38cf677 100644
--- a/DEVELOP.md
+++ b/DEVELOP.md
@@ -72,14 +72,22 @@ Be sure to run `./hack/lint.sh` and `./hack/test.sh` before submitting anything.
 * no write
 * no cap
 * use the provided infrastructure
- * runnable artifacts go to:
- * `/boot/bin` (read-only)
- * configuration should be read from:
- * `/config` (read-only)
- * certificates should go to:
- * `/certs` (either read-only or read-write)
- * persistent application data should use:
- * `/data` (usually read-write)
- * volatile data should use:
- * `/tmp` (usually read-write)
+ * runnable artifacts go to:
+ * `/boot/bin` (read-only)
+ * configuration should be read from:
+ * `/magnetar/system/config` (read-only)
+ * and:
+ * `/magnetar/user/config` (read-write, user controlled)
+ * certificates should go to:
+ * `/magnetar/user/data` (either read-only or read-write)
+ * or:
+ * `/magnetar/system/data` (read-only)
+ * persistent application data should use:
+ * `/magnerar/system/data` (usually read-only)
+ * runtime data (socket, pipes) should use:
+ * `/magnerar/runtime`
+ * temp data (logs, states, etc) should use:
+ * `/magnerar/state`
+ * cache should use:
+ * `/magnerar/cache`
 * only use chroot to downgrade if you really REALLY need to start your entrypoint with "root"
diff --git a/Dockerfile b/Dockerfile
index e6c8a9e..a2ff7a6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -283,6 +283,7 @@ RUN --mount=type=secret,uid=100,id=CA \
 && apt-get -qq autoremove \
 && apt-get -qq clean \
 && rm -rf /var/lib/apt/lists/* \
+ && rm -rf /tmp/* \
 && rm -rf /var/tmp/*
 # Deviate avahi temporary files into /tmp (there is a socket, so, probably need exec). Avahi is also braindead and requires the folder to belong to user avahi
@@ -321,8 +322,8 @@ EXPOSE $ADVANCED_AIRPLAY_PORT/tcp
 EXPOSE 319
 EXPOSE 320
-VOLUME $XDG_RUNTIME_DIR
-VOLUME $XDG_CACHE_HOME
-VOLUME $XDG_STATE_HOME
+VOLUME "$XDG_RUNTIME_DIR"
+VOLUME "$XDG_CACHE_HOME"
+VOLUME "$XDG_STATE_HOME"
 HEALTHCHECK --interval=120s --timeout=30s --start-period=10s --retries=1 CMD rtsp-health || exit 1
diff --git a/context/runtime/boot/entrypoint.sh b/context/runtime/boot/entrypoint.sh
index 7d5bc46..0499e74 100755
--- a/context/runtime/boot/entrypoint.sh
+++ b/context/runtime/boot/entrypoint.sh
@@ -21,11 +21,11 @@ nqptp &
 [ "${MOD_MQTT_ENABLED:-}" == true ] && MOD_MQTT_ENABLED=yes || MOD_MQTT_ENABLED=no
 [ "${MOD_MQTT_COVER:-}" == true ] && MOD_MQTT_COVER=yes || MOD_MQTT_COVER=no
-cp "$XDG_CONFIG_DIRS"/shairport-sync/main.conf "$XDG_RUNTIME_DIR"/shairport-sync/main.conf
-[ ! -e "$XDG_CONFIG_HOME"/shairport-sync/main.conf ] || cat "$XDG_CONFIG_HOME"/shairport-sync/main.conf >> "$XDG_RUNTIME_DIR"/shairport-sync/main.conf
+configuration="$(cat "$XDG_CONFIG_DIRS"/shairport-sync/main.conf)"
+[ ! -e "$XDG_CONFIG_HOME"/shairport-sync/main.conf ] || configuration+="$(cat "$XDG_CONFIG_HOME"/shairport-sync/main.conf)"
 # shellcheck disable=SC2016
-printf 'mqtt {
+configuration+="$(printf 'mqtt {
 enabled = "%s"; // set this to yes to enable the mqtt-metadata-service
 hostname = "%s"; // Hostname of the MQTT Broker
 port = %s; // Port on the MQTT Broker to connect to
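Review bot: The added `&& rm -rf /tmp/* \` leaves dot-entries in `/tmp` behind, because the unquoted glob never matches names beginning with `.`; whether the earlier steps of this `RUN` create any there cannot be told from the hunk, but `&& find /tmp -mindepth 1 -delete \` empties the directory regardless of naming while keeping `/tmp` itself, which the comment just below indicates avahi still relies on. The `RUN` instruction starts before this hunk.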
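Review bot: Each `$(cat …)` strips the file's trailing newlines, so at `configuration+="$(cat "$XDG_CONFIG_HOME"/shairport-sync/main.conf)"` the last line of the system config is joined onto the first line of the user config, and the same happens again at the `configuration+="$(printf 'mqtt {` append; if the earlier fragment ends in a `//` comment, that comment now swallows the next fragment's first line, which the replaced `cp` / `cat >>` assembly did not do. Adding a newline at each join fixes it: `configuration+=$'\n'"$(cat "$XDG_CONFIG_HOME"/shairport-sync/main.conf)"` and `configuration+=$'\n'"$(printf 'mqtt {`. The final write in the next hunk does not add a newline either, so the seam is not repaired there. The printf template continues past the end of this hunk.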
@@ -54,8 +54,9 @@ printf 'mqtt {
 "${MOD_MQTT_CA:-NULL}" \
 "${MOD_MQTT_CERT:-NULL}" \
 "${MOD_MQTT_KEY:-NULL}" \
- "$MOD_MQTT_COVER" \
- >> "$XDG_RUNTIME_DIR"/shairport-sync/main.conf
+ "$MOD_MQTT_COVER")"
+
+printf "%s" "$configuration" > "$XDG_RUNTIME_DIR"/shairport-sync/main.conf
 # https://github.com/mikebrady/shairport-sync/blob/master/scripts/shairport-sync.conf
 args=(\
diff --git a/context/runtime/boot/mdns.sh b/context/runtime/boot/mdns.sh
index 943efd1..9462d76 100755
--- a/context/runtime/boot/mdns.sh
+++ b/context/runtime/boot/mdns.sh
@@ -109,10 +109,8 @@ mdns::start::dbus(){
 # https://man7.org/linux/man-pages/man3/sd_bus_default.3.html
 # https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html
- # $XDG_RUNTIME_DIR=/tmp/runtime
- # Configuration file also has that ^ hardcoded, so, cannot use the variable...
- local dbussocket=/magnetar/runtime/dbus/system_bus_socket
+ # Configuration file also has that ^ hardcoded, so, cannot use the variable...
 # Ensure directory exists
 helpers::dir::writable "$(dirname "$dbussocket")" create
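Review bot: The new `printf "%s" "$configuration" > "$XDG_RUNTIME_DIR"/shairport-sync/main.conf` writes the file without a final newline (the `$(…)` that built `configuration` already stripped it), and the redirection creates it under the shell's default umask, so it will typically be world-readable inside the runtime directory. `printf '%s\n' "$configuration" > "$XDG_RUNTIME_DIR"/shairport-sync/main.conf` restores the newline. If the mqtt block being written carries broker credentials — its first lines sit in the previous hunk and the middle is not shown, so this cannot be confirmed here — doing the write as `(umask 077; printf '%s\n' "$configuration" > "$XDG_RUNTIME_DIR"/shairport-sync/main.conf)` keeps the rendered config readable only by the service user.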
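Review bot: `local dbussocket=/magnetar/runtime/dbus/system_bus_socket` is removed, yet the context line `helpers::dir::writable "$(dirname "$dbussocket")" create` still reads `$dbussocket`; unless the assignment was moved earlier in `mdns::start::dbus` (the function starts before this hunk, so that cannot be confirmed here), the variable is now empty, `dirname ""` yields `.`, and the helper operates on the current directory instead of the socket directory — or the script aborts under `set -u`. The re-added `# Configuration file also has that ^ hardcoded, so, cannot use the variable...` has also lost its referent, since the `$XDG_RUNTIME_DIR=/tmp/runtime` line the `^` pointed at was dropped; if the assignment does live elsewhere now, rewording it to `# The socket path is hardcoded in the configuration file too, so $XDG_RUNTIME_DIR cannot be used here` keeps the comment self-contained.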