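#! /bin/sh
# Live-layer hook: acts only when the build pass named in $PASS ends in
# ".live"; for every other pass (or when PASS is unset) it exits 0 without
# touching the filesystem.
#
# For a live pass it:
#   1. records the layer's squashfs name in an initramfs-tools conf.d file,
#   2. writes /etc/sysctl.d/20-apparmor.conf with the AppArmor
#      user-namespace sysctls,
#   3. recompiles the GLib schemas when glib-compile-schemas is installed.
#
# Environment: PASS - name of the current build pass (optional).

set -eu

case "${PASS:-}" in
  *.live) ;;
  *) exit 0 ;;
esac

mkdir -p /etc/initramfs-tools/conf.d/

# Unquoted delimiter on purpose: ${PASS} must expand into the file.
# NOTE(review): PASS is written verbatim. It is presumably set by the build
# tooling and the conf.d file is presumably read as shell by the initramfs
# scripts; confirm PASS never comes from untrusted input.
cat <<EOF >/etc/initramfs-tools/conf.d/default-layer.conf
LAYERFS_PATH=${PASS}.squashfs
EOF

# SECURITY: apparmor_restrict_unprivileged_userns = 0 switches off the
# restriction described in the header text below, so any unprivileged process
# in this layer may create user namespaces.
# NOTE(review): confirm this relaxation is meant for the live session only and
# that this file is not carried over into an installed system.
# NOTE(review): the header text looks copied from a packaged default; its
# advice to create /etc/sysctl.d/20-apparmor.conf describes this very file.
# Quoted delimiter: the content is literal, nothing in it should be expanded.
cat <<'EOF' >/etc/sysctl.d/20-apparmor.conf
# AppArmor restrictions of unprivileged user namespaces
# Allows to restrict the use of unprivileged user namespaces to applications
# which have an AppArmor profile loaded which specifies the userns
# permission. All other applications (whether confined by AppArmor or not) will
# be denied the use of unprivileged user namespaces.
#
# See
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
#
# If it is desired to disable this restriction, it is preferable to create an
# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
# current file and sets this value to 0 rather than editing this current file
kernel.apparmor_restrict_unprivileged_userns = 0
kernel.apparmor_restrict_unprivileged_unconfined = 1
EOF

# command -v is the POSIX way to probe for a tool; `which` is not guaranteed
# to exist in a minimal root filesystem.
if command -v glib-compile-schemas >/dev/null 2>&1; then
  glib-compile-schemas /usr/share/glib-2.0/schemas/
fi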