Move shell scripts out of the Makefile

Embedding one pieces of code into another (shell script into a makefiles
in this case) is rarely pretty. Split things up, as appropriate.

While here, simplify the rootfs in a few ways:
 - pass only the extra non-base (and effectively group name) package
 - add a handy variable for the fakeroot/fakechroot combo
 - split and rewrap long lines

As a bonus point, this makes it easier to use pattern rules in the
makefile - which will be handy for the upcoming multilib-devel
group/target.

Plus we can check the scripts via shellcheck/etc CI stage, as follow-up.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>

Makefile

@@ -2,69 +2,21 @@ OCITOOL=podman # or docker
 BUILDDIR=$(shell pwd)/build
 OUTPUTDIR=$(shell pwd)/output
 
-define rootfs
-	mkdir -vp $(BUILDDIR)/alpm-hooks/usr/share/libalpm/hooks
-	find /usr/share/libalpm/hooks -exec ln -sf /dev/null $(BUILDDIR)/alpm-hooks{} \;
-
-	mkdir -vp $(BUILDDIR)/var/lib/pacman/ $(OUTPUTDIR)
-	install -Dm644 /usr/share/devtools/pacman.conf.d/extra.conf $(BUILDDIR)/etc/pacman.conf
-	cat pacman-conf.d-noextract.conf >> $(BUILDDIR)/etc/pacman.conf
-
-	sed 's/Include = /&rootfs/g' < $(BUILDDIR)/etc/pacman.conf > pacman.conf
-
-	fakechroot -- fakeroot -- pacman -Sy -r $(BUILDDIR) \
-		--noconfirm --dbpath $(BUILDDIR)/var/lib/pacman \
-		--config pacman.conf \
-		--noscriptlet \
-		--hookdir $(BUILDDIR)/alpm-hooks/usr/share/libalpm/hooks/ $(2)
-
-	cp --recursive --preserve=timestamps rootfs/* $(BUILDDIR)/
-
-	fakechroot -- fakeroot -- chroot $(BUILDDIR) update-ca-trust
-	fakechroot -- fakeroot -- chroot $(BUILDDIR) sh -c 'pacman-key --init && pacman-key --populate && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"'
-
-	ln -fs /usr/lib/os-release $(BUILDDIR)/etc/os-release
-
-	# add system users
-	fakechroot -- fakeroot -- chroot $(BUILDDIR) /usr/bin/systemd-sysusers --root "/"
-
-	# remove passwordless login for root (see CVE-2019-5021 for reference)
-	sed -i -e 's/^root::/root:!:/' "$(BUILDDIR)/etc/shadow"
-
-	# fakeroot to map the gid/uid of the builder process to root
-	# fixes #22
-	fakeroot -- tar --numeric-owner --xattrs --acls --exclude-from=exclude -C $(BUILDDIR) -c . -f $(OUTPUTDIR)/$(1).tar
-
-	cd $(OUTPUTDIR); zstd --long -T0 -8 $(1).tar; sha256sum $(1).tar.zst > $(1).tar.zst.SHA256
-endef
-
-define dockerfile
-	sed -e "s|TEMPLATE_ROOTFS_FILE|$(1).tar.zst|" \
-	    -e "s|TEMPLATE_ROOTFS_RELEASE_URL|Local build|" \
-	    -e "s|TEMPLATE_ROOTFS_DOWNLOAD|ROOTFS=\"$(1).tar.zst\"|" \
-	    -e "s|TEMPLATE_ROOTFS_HASH|$$(cat $(OUTPUTDIR)/$(1).tar.zst.SHA256)|" \
-	    -e "s|TEMPLATE_TITLE|Arch Linux Dev Image|" \
-	    -e "s|TEMPLATE_VERSION_ID|dev|" \
-	    -e "s|TEMPLATE_REVISION|$$(git rev-parse HEAD)|" \
-	    -e "s|TEMPLATE_CREATED|$$(date -Is)|" \
-	    Dockerfile.template > $(OUTPUTDIR)/Dockerfile.$(1)
-endef
-
 .PHONY: clean
 clean:
 	rm -rf $(BUILDDIR) $(OUTPUTDIR)
 
 $(OUTPUTDIR)/base.tar.zst:
-	$(call rootfs,base,base)
+	scripts/make-rootfs.sh base $(BUILDDIR) $(OUTPUTDIR)
 
 $(OUTPUTDIR)/base-devel.tar.zst:
-	$(call rootfs,base-devel,base base-devel)
+	scripts/make-rootfs.sh base-devel $(BUILDDIR) $(OUTPUTDIR)
 
 $(OUTPUTDIR)/Dockerfile.base: $(OUTPUTDIR)/base.tar.zst
-	$(call dockerfile,base)
+	scripts/make-dockerfile.sh base $(OUTPUTDIR)
 
 $(OUTPUTDIR)/Dockerfile.base-devel: $(OUTPUTDIR)/base-devel.tar.zst
-	$(call dockerfile,base-devel)
+	scripts/make-dockerfile.sh base-devel $(OUTPUTDIR)
 
 # The following is for local builds only, it is not used by the CI/CD pipeline
 

scripts/make-dockerfile.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r GROUP="$1"
+declare -r OUTPUTDIR="$2"
+
+sed -e "s|TEMPLATE_ROOTFS_FILE|$GROUP.tar.zst|" \
+    -e "s|TEMPLATE_ROOTFS_RELEASE_URL|Local build|" \
+    -e "s|TEMPLATE_ROOTFS_DOWNLOAD|ROOTFS=\"$GROUP.tar.zst\"|" \
+    -e "s|TEMPLATE_ROOTFS_HASH|$(cat $OUTPUTDIR/$GROUP.tar.zst.SHA256)|" \
+    -e "s|TEMPLATE_TITLE|Arch Linux Dev Image|" \
+    -e "s|TEMPLATE_VERSION_ID|dev|" \
+    -e "s|TEMPLATE_REVISION|$(git rev-parse HEAD)|" \
+    -e "s|TEMPLATE_CREATED|$(date -Is)|" \
+    Dockerfile.template > "$OUTPUTDIR/Dockerfile.$GROUP"

scripts/make-rootfs.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r WRAPPER="fakechroot -- fakeroot"
+
+declare -r GROUP="$1"
+declare -r BUILDDIR="$2"
+declare -r OUTPUTDIR="$3"
+
+mkdir -vp "$BUILDDIR/alpm-hooks/usr/share/libalpm/hooks"
+find /usr/share/libalpm/hooks -exec ln -sf /dev/null "$BUILDDIR/alpm-hooks"{} \;
+
+mkdir -vp "$BUILDDIR/var/lib/pacman/" "$OUTPUTDIR"
+install -Dm644 /usr/share/devtools/pacman.conf.d/extra.conf "$BUILDDIR/etc/pacman.conf"
+cat pacman-conf.d-noextract.conf >> "$BUILDDIR/etc/pacman.conf"
+
+sed 's/Include = /&rootfs/g' < "$BUILDDIR/etc/pacman.conf" > pacman.conf
+
+$WRAPPER -- \
+    pacman -Sy -r "$BUILDDIR" \
+        --noconfirm --dbpath "$BUILDDIR/var/lib/pacman" \
+        --config pacman.conf \
+        --noscriptlet \
+        --hookdir "$BUILDDIR/alpm-hooks/usr/share/libalpm/hooks/" base "$GROUP"
+
+cp --recursive --preserve=timestamps rootfs/* "$BUILDDIR/"
+
+$WRAPPER -- chroot "$BUILDDIR" update-ca-trust
+$WRAPPER -- chroot "$BUILDDIR" pacman-key --init
+$WRAPPER -- chroot "$BUILDDIR" pacman-key --populate
+
+rm -rf "$BUILDDIR/etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"
+
+ln -fs /usr/lib/os-release "$BUILDDIR/etc/os-release"
+
+# add system users
+$WRAPPER -- chroot "$BUILDDIR" /usr/bin/systemd-sysusers --root "/"
+
+# remove passwordless login for root (see CVE-2019-5021 for reference)
+sed -i -e 's/^root::/root:!:/' "$BUILDDIR/etc/shadow"
+
+# fakeroot to map the gid/uid of the builder process to root
+# fixes #22
+fakeroot -- \
+    tar \
+        --numeric-owner \
+        --xattrs \
+        --acls \
+        --exclude-from=exclude \
+        -C "$BUILDDIR" \
+        -c . \
+        -f "$OUTPUTDIR/$GROUP.tar"
+
+cd "$OUTPUTDIR"
+zstd --long -T0 -8 "$GROUP.tar"
+sha256sum "$GROUP.tar.zst" > "$GROUP.tar.zst.SHA256"