Diffstat (limited to 'util')
| -rwxr-xr-x | util/podman/norce_build_and_run.sh | 95 | ||||
| -rwxr-xr-x | util/podman/norce_old_build.sh | 64 |
2 files changed, 159 insertions, 0 deletions
diff --git a/util/podman/norce_build_and_run.sh b/util/podman/norce_build_and_run.sh
new file mode 100755
index 0000000..35c6df5
--- /dev/null
+++ b/util/podman/norce_build_and_run.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# --- Configuration ---
+PKG_NAME="kel-lbm"
+PKG_VERSION="0.0.5"
+
+NIX_STORE_VOL="nix-store"
+NIX_STATE_VOL="nix-state"
+
+# --- Ensure we're in the Git root ---
+if ! GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null); then
+ echo "Error: Not inside a git repository."
+ exit 1
+fi
+cd "$GIT_ROOT"
+
+# --- Ensure default.nix exists ---
+if [[ ! -f default.nix ]]; then
+ echo "Error: no default.nix in Git root ($GIT_ROOT)"
+ exit 1
+fi
+
+# --- Ensure Podman volumes exist (one-time setup) ---
+ensure_volume() {
+ local vol="$1"
+ if ! podman volume inspect "$vol" >/dev/null 2>&1; then
+ echo "📦 Creating Podman volume: $vol"
+ podman volume create "$vol" >/dev/null
+ fi
+}
+
+ensure_volume "$NIX_STORE_VOL"
+ensure_volume "$NIX_STATE_VOL"
+
+# --- Detect host CA bundle ---
+HOST_CA_BUNDLE=""
+if [[ -f /etc/ssl/certs/ca-certificates.crt ]]; then
+ HOST_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
+elif [[ -f /etc/pki/tls/certs/ca-bundle.crt ]]; then
+ HOST_CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"
+fi
+
+# --- Run build + packaging inside container ---
+podman run --rm -it \
+ -v "$GIT_ROOT":/workspace \
+ -v "$NIX_STORE_VOL":/nix/store \
+ -v "$NIX_STATE_VOL":/nix/var \
+ -v /etc/ssl/certs:/etc/ssl/certs:ro \
+ -v /etc/pki:/etc/pki:ro \
+ ${HOST_CA_BUNDLE:+-v "$HOST_CA_BUNDLE:$HOST_CA_BUNDLE:ro"} \
+ -w /workspace \
+ -e USER=nix \
+ -e PKG_NAME="$PKG_NAME" \
+ -e PKG_VERSION="$PKG_VERSION" \
+ -e SSL_CERT_FILE="$HOST_CA_BUNDLE" \
+ -e NIX_SSL_CERT_FILE="$HOST_CA_BUNDLE" \
+ docker.io/nixos/nix:latest \
+ nix-shell -p bash --run "
+ set -euo pipefail
+
+ echo \"🔐 Using CA bundle: \${SSL_CERT_FILE:-system default}\"
+
+ # Optional sanity check (never fatal)
+ nix-store --verify --check-contents || true
+
+ # Build
+ nix-build default.nix -A release.examples --out-link result
+
+ # --- Interactive binary selection ---
+ BIN_DIR=./result/bin
+ mapfile -t BINARIES < <(ls -1 \$BIN_DIR)
+ if (( \${#BINARIES[@]} == 0 )); then
+ echo 'No binaries found in result/bin'
+ exit 0
+ fi
+
+ echo 'Available binaries:'
+ select CHOSEN_BIN in \"\${BINARIES[@]}\" 'Quit'; do
+ if [[ \"\$CHOSEN_BIN\" == 'Quit' ]]; then
+ echo 'Exiting.'
+ break
+ elif [[ -n \"\$CHOSEN_BIN\" ]]; then
+ echo \"Running \$CHOSEN_BIN...\"
+ \$BIN_DIR/\$CHOSEN_BIN
+ break
+ else
+ echo 'Invalid selection, try again.'
+ fi
+ done
+ "
+
+echo "✅ Build complete!"
+echo " • Persistent Nix store: $NIX_STORE_VOL"
+echo " • Persistent Nix state: $NIX_STATE_VOL"
diff --git a/util/podman/norce_old_build.sh b/util/podman/norce_old_build.sh
new file mode 100755
index 0000000..62dc169
--- /dev/null
+++ b/util/podman/norce_old_build.sh
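Review bot: The container image is referenced by the mutable tag `docker.io/nixos/nix:latest`, so each run may pull different, unreviewed content and execute it with the repository bind-mounted read-write at /workspace and the persistent `nix-store`/`nix-state` volumes attached. Pin it by digest, `docker.io/nixos/nix@sha256:<digest>` (placeholder; take the value from a pull you have reviewed), and bump it deliberately; the same image line is in norce_old_build.sh. Separately, `-e SSL_CERT_FILE="$HOST_CA_BUNDLE"` and `-e NIX_SSL_CERT_FILE="$HOST_CA_BUNDLE"` are passed even when no bundle was detected, which exports empty values (possibly replacing whatever default the image ships) while the inner `echo` reports "system default". Reuse the idiom already on the `-v` line, `${HOST_CA_BUNDLE:+-e SSL_CERT_FILE="$HOST_CA_BUNDLE"}` and likewise for `NIX_SSL_CERT_FILE`, in both scripts.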
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# --- Configuration: package name and version ---
+PKG_NAME="kel-lbm"
+PKG_VERSION="0.0.3"
+
+# --- Ensure we're in the Git root ---
+if ! GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null); then
+ echo "Error: Not inside a git repository."
+ exit 1
+fi
+cd "$GIT_ROOT"
+
+# --- Ensure default.nix exists ---
+if [[ ! -f default.nix ]]; then
+ echo "Error: no default.nix in Git root ($GIT_ROOT)"
+ exit 1
+fi
+
+# --- Detect host CA bundle (best effort) ---
+HOST_CA_BUNDLE=""
+if [[ -f /etc/ssl/certs/ca-certificates.crt ]]; then
+ HOST_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
+elif [[ -f /etc/pki/tls/certs/ca-bundle.crt ]]; then
+ HOST_CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"
+fi
+
+# --- Run build + packaging inside container ---
+podman run --rm -it \
+ -v "$GIT_ROOT":/workspace \
+ -v /etc/ssl/certs:/etc/ssl/certs:ro \
+ -v /etc/pki:/etc/pki:ro \
+ ${HOST_CA_BUNDLE:+-v "$HOST_CA_BUNDLE:$HOST_CA_BUNDLE:ro"} \
+ -w /workspace \
+ -e USER=nix \
+ -e PKG_NAME="$PKG_NAME" \
+ -e PKG_VERSION="$PKG_VERSION" \
+ -e SSL_CERT_FILE="$HOST_CA_BUNDLE" \
+ -e NIX_SSL_CERT_FILE="$HOST_CA_BUNDLE" \
+ docker.io/nixos/nix:latest \
+ nix-shell -p bash --run "
+ set -euo pipefail
+
+ echo \"Using CA bundle: \${SSL_CERT_FILE:-system default}\"
+
+ # Build the derivation
+ nix-build default.nix -A release.examples --out-link result
+
+ # Install fpm if missing
+ if ! command -v fpm >/dev/null 2>&1; then
+ nix-shell -p fpm --run 'true'
+ fi
+
+ # Create .deb package
+ nix-shell -p fpm --run \"fpm -s dir -t deb -n \$PKG_NAME -v \$PKG_VERSION -C result --prefix /usr/local .\"
+
+ # RPM disabled for now
+ # nix-shell -p fpm rpm --run \"fpm -s dir -t rpm -n \$PKG_NAME -v \$PKG_VERSION -C result --prefix /usr/local .\"
+ "
+
+echo "✅ Build complete!"
+echo " - result -> $GIT_ROOT/result"
+echo " - ${PKG_NAME}_${PKG_VERSION}.deb is in $GIT_ROOT" |
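Review bot: The `Install fpm if missing` block looks like a no-op for the packaging step: each `nix-shell -p fpm --run …` sets up its own environment, so running `nix-shell -p fpm --run 'true'` first does not put fpm on the PATH of anything that follows, and the `command -v fpm` test is presumably always false inside `nix-shell -p bash`. Drop the block, or reword its comment to say it only pre-fetches fpm. On the fpm line, `\$PKG_NAME` and `\$PKG_VERSION` are expanded by the middle shell and the resulting string is parsed again by the inner `--run`, so a value with whitespace or shell metacharacters would be interpreted as shell. Since both are already exported with `-e`, expansion can be deferred and quoted: `nix-shell -p fpm --run 'fpm -s dir -t deb -n \"\$PKG_NAME\" -v \"\$PKG_VERSION\" -C result --prefix /usr/local .'`. Unlike norce_build_and_run.sh, this script mounts no store volume, so the `result` link reported by the final `echo` likely dangles on the host once the `--rm` container exits.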
