# Copyright (C) 2011-2012 Tresys Technology, LLC
# Copyright (C) 2013 Cubic Corporation
#
# Authors: Spencer Shimko <[email protected]>
# Spencer Shimko <[email protected]>
#
# These values can be used to tweak the build to facilitate development and debugging.
# CONFIG_BUILD_ENFORCING_MODE is used to put the system in permissive mode or enforcing mode after install.
# CONFIG_BUILD_REMEDIATE openscap (oscap) audits the system using SCAP content then remediates issues by
# modifying the system to resolve identified problems. CLIP uses oscap in
# %post of the kickstart. If this is set to "n" oscap is used to audit but
# not remediate. You can still remediate at run-time after deployment.
# CONFIG_BUILD_UNCONFINED_TOOR allows the toor user to run the unconfined (read->all powerful) toor_r:toor_t role.
# Normally the toor user is confined in the sysadm_r:sysadm_t role.
# CONFIG_BUILD_ENABLE_DHCP enable DHCP for all network interfaces
# CONFIG_BUILD_SELINUX_POL_TYPE Set this to mcs or mls depending on the policy you need to build
# CONFIG_BUILD_CHECK_KICKSTART enable verification of the kickstart including package dep checking, prior to rolling the ISO. Checking
# increases the build time by a minute or so, but avoids rolling a full ISO and starting an install
# just to discover dep problems. This is mostly useful when adjusting the packages/groups to be installed
# or requirements have changed within packages. I.e., you might not need this if those are not changing.
# CONFIG_BUILD_ENABLE_GUI Enables X11 + GNOME
# CONFIG_BUILD_BREAK_GUI Clobber X/GNOME conf and package set to tighten down the environment. This might very well break your GUI environment
# as it does rude things like ignoring deps when removing packages or just ignoring packaging altogether and removing executables.
# Check out kickstart/includes/gui-config to see what is being done.
#
# Note: these variables and values will be inserted into /root/clip-info.txt for inspection at run-time.
# Shipped defaults for the CONFIG_BUILD_* knobs documented above.
# Keep comments on their own lines: whitespace left after a value (for example in front of
# an inline '#') becomes part of the value, and several of these are exported as-is.
CONFIG_BUILD_ENFORCING_MODE := y
CONFIG_BUILD_REMEDIATE := y
# NOTE(review): "y" selects the unconfined toor_r:toor_t role, while the description above
# says toor is normally confined to sysadm_r:sysadm_t. Confirm this default is intended
# before building an image for deployment rather than for development/debugging.
CONFIG_BUILD_UNCONFINED_TOOR := y
CONFIG_BUILD_ENABLE_DHCP := n
CONFIG_BUILD_SELINUX_POL_TYPE := mcs
CONFIG_BUILD_CHECK_KICKSTART := y
CONFIG_BUILD_ENABLE_GUI := n
CONFIG_BUILD_BREAK_GUI := n
# DEPRECATED OPTIONS
# These CONFIG_BUILD_ options are deprecated and no longer tested/used.
# They are here to prevent breakage of existing kickstarts referring to them. They will be removed from default kickstarts soonish.
# CONFIG_BUILD_ENABLE_SSH_6 enable OpenSSH version 6 with modern crypto and the Secure Secure Shell configuration.
# This includes support for ED25519 and RSA keys and disables weak algorithms.
# See here for info on the configuration: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# NOTE(review): this file neither exports CONFIG_BUILD_ENABLE_SSH_6 nor adds it to
# CONFIG_BUILD_BASH_VARS, so confirm how (or whether) kickstarts still receive it.
CONFIG_BUILD_ENABLE_SSH_6 := n
# CONFIG_BUILD_VPN_ENABLE_TOOR enable toor user for vpn variant
CONFIG_BUILD_VPN_ENABLE_TOOR := n
# This is the default ISO to use as a starting point for fast builds.
# It should be a valid RHEL/CLIP installation image. You can also
# change it at build time via something like:
# make clip-minimal-inst-iso-fast DONOR_ISO=clip-minimal-DVD-x86_64-7e8135f.iso
# NOTE(review): nothing in this file checks the donor image's integrity or origin;
# presumably its contents carry over into the fast-build ISO, so its checksum should be
# verified against a trusted value before use. Confirm where that check belongs in the build.
DONOR_ISO := $(CURDIR)/shell.iso
# List of RPMs that are pre-rolled. These will be linked into our custom yum repo during the build process.
# Once referenced here you can start using them in the kickstart.
# NOTE: You could perform the same task by putting the packages in a directory, creating a yum repo, then adding the path
# to CONFIG_REPOS.
# PRE_ROLLED_PACKAGES := "/home/joeuser/lha-1.14i-19.2.2.el6.rf.x86_64.rpm"
# The ISO_VERSION field doesn't alter functionality at all. The variable name and value will appear in /root/clip-info.txt.
# This provides a way to figure out what version of your repo was used to generate the ISO once it is installed. E.g.
# Tester: "My install is busted."
# Developer: "What version do you have installed?"
# Tester: "I don't know. How do I figure that out?"
# Developer: "Run '# cat /root/clip-info.txt' and send me the output."
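# Abbreviated commit id of the checked-out tree, used purely as a build identifier.
# git is asked for the abbreviation directly instead of parsing `git log -1`: the log
# output depends on the caller's git configuration (pretty format, signature display),
# and awk's substr() is 1-based, so a start index of 0 with length 7 yields only 6
# characters on some awk implementations.
# git may print more than 7 characters when 7 do not identify the commit uniquely.
# --verify plus the stderr redirect make a repository without commits yield an empty
# string, which the fallback below handles.
ISO_VERSION := $(strip $(shell test -d .git && git rev-parse --verify --short=7 HEAD 2>/dev/null))
# Outside a git checkout (or when git is unavailable) use a fixed placeholder version.
ifeq ($(strip $(ISO_VERSION)),)
ISO_VERSION := 0.1
endif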
################################################
### STOP USER CONFIG
################################################
# The values below probably won't have to change.
# Top-level files whose changes should trigger a rebuild. Sub-makes
# (e.g. packages/foo/Makefile) can use this variable for that purpose.
ADDTL_DEPS := $(addprefix $(CURDIR)/,CONFIG_REPOS CONFIG_BUILD Makefile)
# Render selected build settings as one bash `export NAME=value ...` statement that gets
# inserted into things like a kickstart %post.
# Values are whitespace-stripped but otherwise emitted unquoted, so each one has to stay a
# plain token (no spaces or shell metacharacters); that applies to command-line overrides too.
# NOTE(review): CONFIG_BUILD_SELINUX_POL_TYPE and CONFIG_BUILD_CHECK_KICKSTART are not in
# this list. Confirm that is intended.
config_build_bash_var_names := CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR \
                               CONFIG_BUILD_REMEDIATE ISO_VERSION CONFIG_BUILD_ENABLE_DHCP \
                               CONFIG_BUILD_ENABLE_GUI CONFIG_BUILD_BREAK_GUI
CONFIG_BUILD_BASH_VARS := export $(foreach cfg_var,$(config_build_bash_var_names),$(cfg_var)=$(strip $($(cfg_var))))
# Typically we are rolling builds on the target arch. Changing this may have dire consequences.
# (read -> hasn't been tested at all and may result in broken builds and ultimately the end of the universe as we know it).
# The value is taken from the build host via `uname -i` when this file is parsed.
# NOTE(review): `-i` is not offered by every uname implementation and can report "unknown"; confirm on the build hosts in use.
TARGET_ARCH := $(shell uname -i)
# Knob for quieting the build output a bit; shipped as "n".
QUIET := n
# Pass the build settings on to sub-makes and recipe shells through the environment.
export TARGET_ARCH ADDTL_DEPS QUIET ISO_VERSION
export CONFIG_BUILD_BASH_VARS
export CONFIG_BUILD_ENFORCING_MODE CONFIG_BUILD_UNCONFINED_TOOR CONFIG_BUILD_REMEDIATE
export CONFIG_BUILD_ENABLE_DHCP CONFIG_BUILD_VPN_ENABLE_TOOR
export CONFIG_BUILD_SELINUX_POL_TYPE CONFIG_BUILD_CHECK_KICKSTART
export CONFIG_BUILD_ENABLE_GUI CONFIG_BUILD_BREAK_GUI