infrastructure/roles/gitlab_runner/files/libvirt-executor-update-base-image

#!/bin/bash
set -o nounset -o errexit
readonly libvirt_default_pool_path="/var/lib/libvirt/images"
readonly arch_boxes_signing_key=/usr/local/lib/libvirt-executor/arch-boxes.asc
readonly arch_boxes_fingerprint=1B9A16984A4E8CB448712D2AE0B78BF4326C6F8F

loopdev=""

cleanup() {
  set +o errexit

  if mountpoint -q mnt; then
    umount -R mnt
  fi
  if [[ -n ${loopdev} ]]; then
    losetup -d "${loopdev}"
  fi
  rm -r "${tmpdir}"
}

tmpdir="$(mktemp --directory --tmpdir="/var/tmp")"
trap cleanup EXIT

cd "${tmpdir}"
curl -sSf --remote-name-all https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-basic.qcow2{,.sig}
sq cert import "${arch_boxes_signing_key}"
sq pki link add --all "${arch_boxes_fingerprint}"
sq verify --signer-cert "${arch_boxes_fingerprint}" --detached Arch-Linux-x86_64-basic.qcow2.sig Arch-Linux-x86_64-basic.qcow2

image=Arch-Linux-x86_64-basic.img
qemu-img convert -f qcow2 -O raw Arch-Linux-x86_64-basic.qcow2 Arch-Linux-x86_64-basic.img

loopdev="$(losetup --find --partscan --show "${image}")"
mount --mkdir "${loopdev}p3" mnt

arch-chroot mnt pacman-key --init
arch-chroot mnt pacman-key --populate

arch-chroot mnt systemctl disable systemd-time-wait-sync
arch-chroot mnt pacman -Sy --noconfirm --needed archlinux-keyring
arch-chroot mnt pacman -Syu --noconfirm --needed git git-lfs gitlab-runner
sed -E 's/^#(IgnorePkg *=)/\1 linux/' -i mnt/etc/pacman.conf
arch-chroot mnt userdel -r arch
sed 's/^\(GRUB_CMDLINE_LINUX=".*\)"$/\1 lockdown=confidentiality"/' -i mnt/etc/default/grub
arch-chroot mnt /usr/bin/grub-mkconfig -o /boot/grub/grub.cfg
install -d -m0700 mnt/root/.ssh
install -m0600 /etc/libvirt-executor/id_ed25519.pub mnt/root/.ssh/authorized_keys
rm -f mnt/etc/machine-id

cp -a mnt/boot/{initramfs-linux-fallback.img,initramfs-linux.img}

rm -r mnt/etc/pacman.d/gnupg/{openpgp-revocs.d,private-keys-v1.d}/
arch-chroot mnt pacman-key --delete pacman@localhost
umount mnt
losetup -d "${loopdev}"
loopdev=""

qemu-img convert -f raw -O qcow2 Arch-Linux-x86_64-basic.img Arch-Linux-x86_64-basic.qcow2
printf -v image_path '%s/runner-base-%(%s)T.qcow2' "${libvirt_default_pool_path}"
cp Arch-Linux-x86_64-basic.qcow2 "${image_path}.tmp"
mv "${image_path}"{.tmp,}

# Keep one week of base images
compgen -G "${libvirt_default_pool_path}/runner-base-*.qcow2" | sort -n -t - -k3,3 | head -n -7 | xargs --no-run-if-empty rm -vf