debate/scripts/setup-sandbox.sh

#!/bin/bash
# Initialize sandbox environment for ISO builds
# Run once to create base container image

set -euo pipefail

SANDBOX_ROOT="${SANDBOX_ROOT:-/var/lib/debate/sandbox}"
SANDBOX_BASE="${SANDBOX_ROOT}/base"
ALLOWED_MIRRORS=(
    "https://geo.mirror.pkgbuild.com/\$repo/os/\$arch"
    "https://mirror.cachyos.org/repo/\$arch/\$repo"
)

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
}

# Check prerequisites
if ! command -v pacstrap &> /dev/null; then
    log "ERROR: pacstrap not found. Install arch-install-scripts package."
    exit 1
fi

if ! command -v systemd-nspawn &> /dev/null; then
    log "ERROR: systemd-nspawn not found. Install systemd-container package."
    exit 1
fi

# Create sandbox directories
log "Creating sandbox directories..."
mkdir -p "$SANDBOX_ROOT"/{base,builds,cache}

# Bootstrap base Arch environment
if [ ! -d "$SANDBOX_BASE/usr" ]; then
    log "Bootstrapping base Arch Linux environment..."
    pacstrap -c -G -M "$SANDBOX_BASE" base archiso

    # Configure mirrors (whitelist only)
    log "Configuring mirrors..."
    MIRRORLIST="$SANDBOX_BASE/etc/pacman.d/mirrorlist"
    : > "$MIRRORLIST"
    for mirror in "${ALLOWED_MIRRORS[@]}"; do
        echo "Server = $mirror" >> "$MIRRORLIST"
    done

    # Set fixed locale for determinism
    echo "en_US.UTF-8 UTF-8" > "$SANDBOX_BASE/etc/locale.gen"
    systemd-nspawn -D "$SANDBOX_BASE" locale-gen

    log "Base environment created at $SANDBOX_BASE"
else
    log "Base environment already exists at $SANDBOX_BASE"
fi

log "Sandbox setup complete"