app-containers/incus: add 6.8

 - add 'qemu' use flag to pull all necessary dependencies to allow managing
   qemu-based virtual machines in incus,
 - add new env.d file to set INCUS_EDK2_PATH so OVMF files are found when using
   virtual machines,
 - allow selecting between iptables and nftables.

All possible changes are synced to the LTS release upon new LTS version release.

Closes: https://bugs.gentoo.org/944335
Closes: https://bugs.gentoo.org/946184
Closes: https://bugs.gentoo.org/945768
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

3 files changed, 231 insertions, 0 deletions

diff --git a/app-containers/incus/Manifest b/app-containers/incus/Manifest
index 4606bb6665bf..4c40e7c663b7 100644
--- a/app-containers/incus/Manifest
+++ b/app-containers/incus/Manifest
@@ -2,3 +2,5 @@ DIST incus-6.0.2.tar.xz 11197324 BLAKE2B fa15816ea05865ce48f7cb668c3138d2d186a18
 DIST incus-6.0.2.tar.xz.asc 833 BLAKE2B bcdeb0d2a3684dcdcb620166865523a2e9eb595f0e7760f05a06ea0608dc4fc7111b75206fe62a63cfd90a0d0ec79206404994e53770d5e35a639a67e1ad753c SHA512 18587ddc7b7cb41418ee0e7a43875663e71c9d39a505fd55bc29fe83717b5d5cdc876c46912561610735ddf80462631716354a943a272ae5ccf0ee495aff1c1c
 DIST incus-6.7.tar.xz 11313960 BLAKE2B c55ec6c584eeb6123d707b628ff27f96f6555ad5d17a720c55cc69cfb2abee9c6692544fba63ec2c63c5c8cb0d68baf0c9fadc2bb538dfce20362097fa3809ee SHA512 4b7e9af926d6132f63cbc53466d98691b2fb182a1900cf4ac5964df8678829da0241c4a468cfe3e49d448ecb25d2e8b1be0f52ac71c176a87d554fcd59ab5f97
 DIST incus-6.7.tar.xz.asc 833 BLAKE2B 6c72ca10f20f55607b1059bf908e4b36d81b499c2b6e329855c8769cafe9def44bf8cc6a320718150192daf6e820f6e42beb1b9e7a90f794b9c906734b0ba742 SHA512 dd6d55f8f3e8538f8050fce0124bbab1495978ad1ccee954a3d38cc1bb33c0a8f9f6a7f673e7e0942e9bc732a2acdbcb71245c110eb091ef0b53015ef05e9d74
+DIST incus-6.8.tar.xz 11403916 BLAKE2B 09d8e2a8619a040550600234d7fe2e65eea8c6a7054e0b790f3774721ad5de982dee5d0151f8141cda0f5c6b9d63e18b1c4964e4027bf9470ed44a28d482f999 SHA512 c7b0cc22014f482981777f3cef3b0064c02b46c7ced4e8572fd9548eec45a0d87ac868e94ab8d2af80eb24986db64a930ac578c8555e2759022cad559b74ac5c
+DIST incus-6.8.tar.xz.asc 833 BLAKE2B 77b937177b4239da27478ff7826c633d34ee3b5e02e988387fdc63ff43fad307786c27dee2c3cefb8c4129ce8777fad3361c2e2a86152d202c55231d4105d7a8 SHA512 3111e196da18d362c2e60482e313da888ba6ffba1b5ae134bf9d7e89951ebf6d2b2af922d78ee6fd2e9b51bffea5ccadd0d11bf0a3527d07d8351733ce66f2e3
diff --git a/app-containers/incus/incus-6.8.ebuild b/app-containers/incus/incus-6.8.ebuild
new file mode 100644
index 000000000000..607f1c8b3147
--- /dev/null
+++ b/app-containers/incus/incus-6.8.ebuild
@@ -0,0 +1,228 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info optfeature systemd toolchain-funcs verify-sig
+
+DESCRIPTION="Modern, secure and powerful system container and virtual machine manager"
+HOMEPAGE="https://linuxcontainers.org/incus/introduction/ https://github.com/lxc/incus"
+SRC_URI="https://linuxcontainers.org/downloads/incus/${P}.tar.xz
+	verify-sig? ( https://linuxcontainers.org/downloads/incus/${P}.tar.xz.asc )"
+
+LICENSE="Apache-2.0 BSD LGPL-3 MIT"
+SLOT="0/stable"
+KEYWORDS="~amd64 ~arm64"
+IUSE="apparmor fuidshift nls qemu"
+
+DEPEND="acct-group/incus
+	acct-group/incus-admin
+	app-arch/xz-utils
+	>=app-containers/lxc-5.0.0:=[apparmor?,seccomp(+)]
+	dev-db/sqlite:3
+	>=dev-libs/cowsql-1.15.6
+	dev-libs/lzo
+	>=dev-libs/raft-0.22.1:=[lz4]
+	>=dev-util/xdelta-3.0[lzma(+)]
+	net-dns/dnsmasq[dhcp]
+	sys-libs/libcap
+	virtual/udev"
+RDEPEND="${DEPEND}
+	|| (
+		net-firewall/iptables
+		net-firewall/nftables
+	)
+	fuidshift? ( !app-containers/lxd )
+	net-firewall/ebtables
+	sys-apps/iproute2
+	sys-fs/fuse:*
+	>=sys-fs/lxcfs-5.0.0
+	sys-fs/squashfs-tools[lzma]
+	virtual/acl
+	qemu? (
+		app-cdr/cdrtools
+		app-emulation/qemu[spice,usbredir,virtfs]
+		sys-apps/gptfdisk
+	)"
+BDEPEND=">=dev-lang/go-1.21
+	nls? ( sys-devel/gettext )
+	verify-sig? ( sec-keys/openpgp-keys-linuxcontainers )"
+
+CONFIG_CHECK="
+	~CGROUPS
+	~IPC_NS
+	~NET_NS
+	~PID_NS
+
+	~SECCOMP
+	~USER_NS
+	~UTS_NS
+
+	~KVM
+	~MACVTAP
+	~VHOST_VSOCK
+"
+
+ERROR_IPC_NS="CONFIG_IPC_NS is required."
+ERROR_NET_NS="CONFIG_NET_NS is required."
+ERROR_PID_NS="CONFIG_PID_NS is required."
+ERROR_SECCOMP="CONFIG_SECCOMP is required."
+ERROR_UTS_NS="CONFIG_UTS_NS is required."
+
+WARNING_KVM="CONFIG_KVM and CONFIG_KVM_AMD/-INTEL is required for virtual machines."
+WARNING_MACVTAP="CONFIG_MACVTAP is required for virtual machines."
+WARNING_VHOST_VSOCK="CONFIG_VHOST_VSOCK is required for virtual machines."
+
+# Go magic.
+QA_PREBUILT="/usr/bin/incus
+	/usr/bin/incus-agent
+	/usr/bin/incus-benchmark
+	/usr/bin/incus-migrate
+	/usr/bin/lxc-to-incus
+	/usr/sbin/fuidshift
+	/usr/sbin/incusd
+	/usr/sbin/lxd-to-incus"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/linuxcontainers.asc
+
+# The testsuite must be run as root.
+# make: *** [Makefile:156: check] Error 1
+RESTRICT="test"
+
+GOPATH="${S}/_dist"
+
+src_unpack() {
+	verify-sig_src_unpack
+	go-module_src_unpack
+}
+
+src_prepare() {
+	export GOPATH="${S}/_dist"
+
+	default
+
+	sed -i \
+		-e "s:\./configure:./configure --prefix=/usr --libdir=${EPREFIX}/usr/lib/incus:g" \
+		-e "s:make:make ${MAKEOPTS}:g" \
+		Makefile || die
+
+	sed -i \
+		-e "s:/usr/share/OVMF:/usr/share/edk2/OvmfX64:g" \
+		-e "s:OVMF_VARS.ms.fd:OVMF_VARS.fd:g" \
+		internal/server/instance/drivers/edk2/driver_edk2.go || die "Failed to fix hardcoded ovmf paths."
+
+	# Fix hardcoded virtfs-proxy-helper file path, see bug 798924
+	sed -i \
+		-e "s:/usr/lib/qemu/virtfs-proxy-helper:/usr/libexec/virtfs-proxy-helper:g" \
+		internal/server/device/device_utils_disk.go || die "Failed to fix virtfs-proxy-helper path."
+
+	cp "${FILESDIR}"/incus-0.4.service "${T}"/incus.service || die
+	if use apparmor; then
+		sed -i \
+			'/^EnvironmentFile=.*/a ExecStartPre=\/usr\/libexec\/lxc\/lxc-apparmor-load' \
+			"${T}"/incus.service || die
+	fi
+
+	# Disable -Werror's from go modules.
+	find "${S}" -name "cgo.go" -exec sed -i "s/ -Werror / /g" {} + || die
+}
+
+src_configure() { :; }
+
+src_compile() {
+	export GOPATH="${S}/_dist"
+	export CGO_LDFLAGS_ALLOW="-Wl,-z,now"
+
+	for k in incus-benchmark incus-simplestreams incus-user incus lxc-to-incus lxd-to-incus ; do
+		ego install -v -x "${S}/cmd/${k}"
+	done
+
+	if use fuidshift ; then
+		ego install -v -x "${S}/cmd/fuidshift"
+	fi
+
+	ego install -v -x -tags libsqlite3 "${S}"/cmd/incusd
+
+	# Needs to be built statically
+	CGO_ENABLED=0 go install -v -tags netgo "${S}"/cmd/incus-migrate
+	CGO_ENABLED=0 go install -v -tags agent,netgo "${S}"/cmd/incus-agent
+
+	use nls && emake build-mo
+}
+
+src_test() {
+	emake check
+}
+
+src_install() {
+	export GOPATH="${S}/_dist"
+
+	if tc-is-cross-compiler ; then
+		local bindir="_dist/bin/linux_${GOARCH}"
+	else
+		local bindir="_dist/bin"
+	fi
+
+	newsbin "${FILESDIR}"/incus-startup-0.4.sh incus-startup
+
+	# Admin tools
+	for l in incusd incus-user lxd-to-incus ; do
+		dosbin ${bindir}/${l}
+	done
+
+	# User tools
+	for m in incus-agent incus-benchmark incus-migrate incus-simplestreams incus lxc-to-incus ; do
+		dobin ${bindir}/${m}
+	done
+
+	# fuidshift, should be moved under admin tools at some point
+	if use fuidshift ; then
+		dosbin ${bindir}/fuidshift
+	fi
+
+	newconfd "${FILESDIR}"/incus-6.0.confd incus
+	newinitd "${FILESDIR}"/incus-6.0.initd incus
+	newinitd "${FILESDIR}"/incus-user-0.4.initd incus-user
+
+	systemd_dounit "${T}"/incus.service
+	systemd_newunit "${FILESDIR}"/incus-0.4.socket incus.socket
+	systemd_newunit "${FILESDIR}"/incus-startup-0.4.service incus-startup.service
+	systemd_newunit "${FILESDIR}"/incus-user-0.4.service incus-user.service
+	systemd_newunit "${FILESDIR}"/incus-user-0.4.socket incus-user.socket
+
+	if ! tc-is-cross-compiler; then
+		# Generate and install shell completion files.
+		mkdir -p "${D}"/usr/share/{bash-completion/completions/,fish/vendor_completions.d/,zsh/site-functions/} || die
+		"${bindir}"/incus completion bash > "${D}"/usr/share/bash-completion/completions/incus || die
+		"${bindir}"/incus completion fish > "${D}"/usr/share/fish/vendor_completions.d/incus.fish || die
+		"${bindir}"/incus completion zsh > "${D}"/usr/share/zsh/site-functions/_incus || die
+	else
+		ewarn "Shell completion files not installed! Install them manually with incus completion --help"
+	fi
+
+	dodoc AUTHORS
+	dodoc -r doc/*
+	use nls && domo po/*.mo
+
+	# Incus needs INCUS_EDK2_PATH in env to find OVMF files for virtual machines, #946184
+	newenvd - 90incus <<- _EOF_
+		INCUS_EDK2_PATH=${EPREFIX}/usr/share/edk2-ovmf
+	_EOF_
+}
+
+pkg_postinst() {
+	elog
+	elog "Please see"
+	elog "  https://wiki.gentoo.org/wiki/Incus"
+	elog "  https://wiki.gentoo.org/wiki/Incus#Migrating_from_LXD"
+	elog
+	optfeature "OCI container images support" app-containers/skopeo app-containers/umoci
+	optfeature "btrfs storage backend" sys-fs/btrfs-progs
+	optfeature "ipv6 support" net-dns/dnsmasq[ipv6]
+	optfeature "full incus-migrate support" net-misc/rsync
+	optfeature "lvm2 storage backend" sys-fs/lvm2
+	optfeature "zfs storage backend" sys-fs/zfs
+	elog
+	elog "Be sure to add your local user to the incus group."
+	elog
+}
diff --git a/app-containers/incus/metadata.xml b/app-containers/incus/metadata.xml
index ca40c46198bd..1dd049fe8831 100644
--- a/app-containers/incus/metadata.xml
+++ b/app-containers/incus/metadata.xml
@@ -11,6 +11,7 @@
   </maintainer>
   <use>
     <flag name="fuidshift">Install the fuidshift binary - currently conflicts with app-containers/lxd</flag>
+	<flag name="qemu">Pull dependencies needed to manage QEMU-based virtual machines with Incus</flag>
   </use>
   <longdescription>
     Incus is a modern, secure and powerful system container and virtual machine manager.