docker: add profile + recipes/ install layout for Docker-in-Incus (security keys + bind-mounted apparmor-mask drop-in); v0.5.0
Author:
Chris Tusa <chris.tusa@leafscale.com>
Date:
May 14, 2026 20:49
Node:
b305f98e32ae6d1dd186579528840a1e2962588f
Branch:
default
Tags:
v0.5.0
diff -r a30b60dbeb6b -r b305f98e32ae Makefile
--- a/Makefile Mon May 11 16:55:45 2026 -0500
+++ b/Makefile Thu May 14 20:49:12 2026 -0500
@@ -2,6 +2,7 @@
 BINDIR = $(PREFIX)/bin
 SHAREDIR = $(PREFIX)/share/repoman
 PROFILES_DIR = $(SHAREDIR)/profiles
+RECIPES_DIR = $(SHAREDIR)/recipes
 DESTDIR ?=
 
 .PHONY: all build test clean install uninstall
@@ -25,7 +26,10 @@
 	install -m 0755 build/repoman $(DESTDIR)$(BINDIR)/repoman
 	install -d $(DESTDIR)$(PROFILES_DIR)
 	install -m 0644 profiles/*.yml $(DESTDIR)$(PROFILES_DIR)/
+	install -d $(DESTDIR)$(RECIPES_DIR)/docker
+	install -m 0644 recipes/docker/*.conf $(DESTDIR)$(RECIPES_DIR)/docker/
 
 uninstall:
 	rm -f $(DESTDIR)$(BINDIR)/repoman
 	rm -rf $(DESTDIR)$(PROFILES_DIR)
+	rm -rf $(DESTDIR)$(RECIPES_DIR)
diff -r a30b60dbeb6b -r b305f98e32ae profiles/docker.yml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/profiles/docker.yml Thu May 14 20:49:12 2026 -0500
@@ -0,0 +1,13 @@
+name: docker
+description: Enable Docker-in-container — Incus security keys plus a systemd drop-in that masks /sys/kernel/security for dockerd. After attaching, install docker.io inside the container.
+config:
+  security.nesting: "true"
+  security.syscalls.intercept.mknod: "true"
+  security.syscalls.intercept.setxattr: "true"
+devices:
+  docker-mask-apparmor:
+    type: disk
+    source: /usr/local/share/repoman/recipes/docker/mask-apparmor.conf
+    path: /etc/systemd/system/docker.service.d/mask-apparmor.conf
+    readonly: "true"
+    shift: "true"
diff -r a30b60dbeb6b -r b305f98e32ae recipes/docker/mask-apparmor.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/recipes/docker/mask-apparmor.conf Thu May 14 20:49:12 2026 -0500
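Review bot: The disk device's `source:` hard-codes `/usr/local/share/repoman/recipes/docker/mask-apparmor.conf`, while the Makefile hunk in this same commit installs the recipe under `$(RECIPES_DIR)` = `$(PREFIX)/share/repoman/recipes`, so any install with a non-default PREFIX produces a profile whose source file does not exist and the device will presumably be refused when the profile is attached or the container starts (worth confirming against Incus's disk-source validation). The install target could rewrite the path instead of copying the file verbatim, e.g. `sed 's|/usr/local/share/repoman|$(SHAREDIR)|' profiles/docker.yml > $(DESTDIR)$(PROFILES_DIR)/docker.yml`, or the profile description should state that the path assumes the default PREFIX. The `readonly: "true"` on the drop-in is the right call, since it keeps the container from editing a unit fragment that is owned by the host; a short YAML comment on the device saying that the file is served read-only from the host's share directory would make that intent explicit to whoever next edits the profile.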
@@ -0,0 +1,4 @@
+# Mask /sys/kernel/security so dockerd's apparmor.HostSupports() returns false.
+# Needed because this is an Incus container with restricted apparmor visibility.
+[Service]
+ExecStartPre=/bin/sh -c 'test -e /sys/kernel/security/apparmor && mount -t tmpfs -o size=1M tmpfs /sys/kernel/security || true'
diff -r a30b60dbeb6b -r b305f98e32ae reef.toml
--- a/reef.toml Mon May 11 16:55:45 2026 -0500
+++ b/reef.toml Thu May 14 20:49:12 2026 -0500
@@ -1,6 +1,6 @@
 [package]
 name = "repoman"
-version = "0.4.4"
+version = "0.5.0"
 author = "Chris Tusa <christusa@gmail.com>"
 description = "Per-project Incus containers + opinionated NFS/ZFS backup"
 license = "CDDL-1.0"
diff -r a30b60dbeb6b -r b305f98e32ae src/cli.reef
--- a/src/cli.reef Mon May 11 16:55:45 2026 -0500
+++ b/src/cli.reef Thu May 14 20:49:12 2026 -0500
@@ -958,7 +958,7 @@
 end cmd_profile_show
 
 fn version_string(): string
-    return "repoman 0.4.4"
+    return "repoman 0.5.0"
 end version_string
 
 proc print_usage()
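Review bot: The drop-in's header comment says why dockerd needs /sys/kernel/security hidden but not what else the `ExecStartPre` mount changes: the tmpfs is created in the service's mount namespace, which for a stock docker.service (no PrivateMounts/MountFlags, so presumably the container's root namespace) means securityfs disappears for every process in the container and stays masked after docker.service stops, and nested Docker containers will then run without the docker-default AppArmor profile because dockerd treats AppArmor as unsupported. A second comment line such as `# Side effect: hides securityfs container-wide (persists after dockerd stops); nested containers get no docker-default AppArmor profile.` would put that trade-off in front of whoever attaches the profile. The `|| true` also swallows a failed mount, so the first symptom would be dockerd's own AppArmor error much later with nothing in the journal to connect it to this unit; `ExecStartPre=/bin/sh -c 'if test -e /sys/kernel/security/apparmor; then mount -t tmpfs -o size=1M tmpfs /sys/kernel/security || echo "mask-apparmor: tmpfs mount failed" >&2; fi'` keeps the best-effort behaviour while leaving a trace, and avoids the current form's quirk of also taking the `|| true` branch on every restart once the mask is in place.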