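#!/bin/sh
#
# Pre-install hook for the guix package: create the unprivileged
# guix-daemon account (Alpine's default since Guix 1.5.0), grant it
# /dev/kvm access and give it the subordinate-gid range that newgidmap
# needs. Every step is idempotent so the hook is safe on upgrades as
# well as fresh installs. Diagnostics go to stderr; the hook always
# exits 0 so the package transaction is never aborted here.

# Warn administrators still carrying the legacy root-daemon setup.
if getent group guixbuild >/dev/null; then
	cat 1>&2 <<-EOF
		*
		* Starting with Guix 1.5.0 the OpenRC guix-daemon service can
		* run as an unprivileged user. This has become the default in
		* Alpine. To use this setup, set ROOTLESS=yes in the service
		* configuration and change the ownership of all store files.
		* The guixbuild group and all guixbuilder users should be removed.
		* Support for running the daemon as root will be removed in the future.
		*
		* See https://guix.gnu.org/manual/1.5.0/en/html_node/Build-Environment-Setup.html#unprivileged_002ddaemon_002dmigration
		*
	EOF
fi

# System account with no home directory and no login shell. Both commands
# fail harmlessly (hence 2>/dev/null) when the group or user already exist.
addgroup -S guix-daemon 2>/dev/null
adduser -S -D -H -h /var/empty -s /sbin/nologin -G guix-daemon \
	-g "Guix Daemon" guix-daemon 2>/dev/null

# Needed to have `guix system vm` and related commands work out-of-the-box.
# See https://guix.gnu.org/manual/1.5.0/en/html_node/Build-Environment-Setup.html#Daemon-Running-as-Root
# Silently a no-op when the kvm group does not exist on this system.
adduser guix-daemon kvm 2>/dev/null

# Allow 'newgidmap' to map the "kvm" group.
# Taken from: https://codeberg.org/guix/guix/src/commit/c5728c3ba058ec45f224b646a261d9921b9d87e7/etc/guix-install.sh#L547-L552
# The match is anchored on "^guix-daemon:" so another account sharing the
# prefix cannot suppress the entry; -s keeps grep quiet when /etc/subgid
# does not exist yet (the append below creates it). The entry is written
# only when the kvm group resolves to a gid: an empty value would leave a
# malformed "guix-daemon::1" line in /etc/subgid.
if ! grep -qs '^guix-daemon:' /etc/subgid; then
	kvmgid="$(getent group kvm | cut -f3 -d:)"
	if [ -n "$kvmgid" ]; then
		printf '%s\n' "guix-daemon:$kvmgid:1" >> /etc/subgid
	fi
fi

exit 0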
