From 7f70c6ef034701f87c33e664c1b85569a1376e47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Tue, 12 Sep 2023 23:21:22 -0400 Subject: [PATCH] Initial packaging MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Stéphane Graber --- .github/FUNDING.yml | 5 + .github/workflows/builds.yml | 574 ++++++++++++++++++ .github/workflows/commits.yml | 40 ++ README.md | 81 +++ bin/incusd | 4 + bin/lxc-to-incus | 4 + debian/control | 59 ++ debian/copyright | 24 + debian/incus.install | 5 + debian/incus.postinst | 21 + debian/incus.preinst | 22 + debian/rules | 13 + debian/source/format | 1 + edk2-vars-generator/UEFI/Filesystems.py | 101 +++ edk2-vars-generator/UEFI/Qemu.py | 180 ++++++ edk2-vars-generator/UEFI/SignedBinary.py | 52 ++ edk2-vars-generator/edk2-vars-generator | 140 +++++ etc/default/incus | 9 + etc/logrotate.d/incus | 9 + etc/sysctl.d/50-incus.conf | 10 + patches/edk2-0001-force-DUID-LLT.patch | 34 ++ patches/edk2-0002-logo.bmp | Bin 0 -> 331914 bytes patches/edk2-0003-boot-delay.patch | 29 + patches/edk2-0004-gcc-errors.patch | 26 + ...sable-EFI-memory-attributes-protocol.patch | 29 + patches/lxcfs-0001-hook.patch | 20 + patches/nasm-0000-disable-manpages.patch | 14 + patches/nasm-0001-old-autoconf.patch | 21 + patches/nvidia-0001-Fix-for-22.04-build.patch | 36 ++ patches/nvidia-0002-pre-load-libdl.patch | 29 + patches/seabios-0001-CSM-memory.patch | 58 ++ systemd/incus-lxcfs.service | 18 + systemd/incus-startup.service | 16 + systemd/incus.service | 25 + systemd/incus.socket | 11 + zabbly-sb.oem.crt | 1 + 36 files changed, 1721 insertions(+) create mode 100644 .github/FUNDING.yml create mode 100644 .github/workflows/builds.yml create mode 100644 .github/workflows/commits.yml create mode 100644 README.md create mode 100755 bin/incusd create mode 100755 bin/lxc-to-incus create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/incus.install create mode 100644 debian/incus.postinst create mode 100644 debian/incus.preinst create mode 100755 debian/rules create mode 100644 debian/source/format create mode 100644 edk2-vars-generator/UEFI/Filesystems.py create mode 100644 edk2-vars-generator/UEFI/Qemu.py create mode 100644 
edk2-vars-generator/UEFI/SignedBinary.py create mode 100755 edk2-vars-generator/edk2-vars-generator create mode 100644 etc/default/incus create mode 100644 etc/logrotate.d/incus create mode 100644 etc/sysctl.d/50-incus.conf create mode 100644 patches/edk2-0001-force-DUID-LLT.patch create mode 100644 patches/edk2-0002-logo.bmp create mode 100644 patches/edk2-0003-boot-delay.patch create mode 100644 patches/edk2-0004-gcc-errors.patch create mode 100644 patches/edk2-0005-disable-EFI-memory-attributes-protocol.patch create mode 100644 patches/lxcfs-0001-hook.patch create mode 100644 patches/nasm-0000-disable-manpages.patch create mode 100644 patches/nasm-0001-old-autoconf.patch create mode 100644 patches/nvidia-0001-Fix-for-22.04-build.patch create mode 100644 patches/nvidia-0002-pre-load-libdl.patch create mode 100644 patches/seabios-0001-CSM-memory.patch create mode 100644 systemd/incus-lxcfs.service create mode 100644 systemd/incus-startup.service create mode 100644 systemd/incus.service create mode 100644 systemd/incus.socket create mode 100644 zabbly-sb.oem.crt diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..445aca9 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,5 @@ +# Frequent committers who contribute to Incus on their own time can add +# themselves to the list here so users who feel like sponsoring can find +# them. +github: + - stgraber diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml new file mode 100644 index 0000000..b8ca4d2 --- /dev/null +++ b/.github/workflows/builds.yml 
@@ -0,0 +1,574 @@ +name: Builds +on: + - push + +permissions: + contents: read + +concurrency: + group: ${{ github.ref }} + cancel-in-progress: true + +jobs: + build-incus: + name: Build Incus + strategy: + fail-fast: false + matrix: + os: + - ubuntu-20.04 + - ubuntu-22.04 + - debian-11 + - debian-12 + arch: + - amd64 + - arm64 + exclude: + - os: debian-11 + arch: arm64 + runs-on: + - self-hosted + - cpu-4 + - mem-4G + - disk-50G + - arch-${{ matrix.arch }} + - image-${{ matrix.os }} + + env: + OS_ARCH: ${{ matrix.arch }} + HOME: "/root/" + PKG_CONFIG_PATH: "/opt/incus/lib/pkgconfig/" + CGO_LDFLAGS: "-L/opt/incus/lib/" + CGO_CFLAGS: "-I/opt/incus/include/" + LD_LIBRARY_PATH: "/opt/incus/lib/" + PATH: "/opt/incus/bin:/root/.cargo/bin:/usr/local/go/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin" + LXC_TAG: "lxc-5.0.3" + LXCFS_TAG: "lxcfs-5.0.4" + INCUS_TAG: "main" + RAFT_TAG: "main" + COWSQL_TAG: "main" + CRIU_TAG: "v3.18" + EDK2_TAG: "edk2-stable202308" + GOLANG_TAG: "1.21.1" + LIBTPMS_TAG: "v0.9.6" + LIBURING_TAG: "liburing-2.4" + MINIO_TAG: "RELEASE.2023-09-07T02-05-02Z" + NASM_TAG: "nasm-2.16.01" + NVIDIA_CONTAINER_TAG: "v1.14.1" + QEMU_TAG: "v8.1.0" + SEABIOS_TAG: "rel-1.16.2" + SWTPM_TAG: "v0.8.0" + VIRTIOFSD_TAG: "v1.8.0" + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Configure git + run: | + git config --global --add advice.detachedHead false + + - name: Install dependencies + run: | + apt-get update + apt-get install --no-install-recommends --yes \ + acpica-tools \ + asciidoc \ + autoconf \ + automake \ + bison \ + bmake \ + build-essential \ + curl \ + debhelper \ + devscripts \ + dosfstools \ + expect \ + flex \ + gawk \ + git \ + iproute2 \ + libacl1-dev \ + libaio-dev \ + libapparmor-dev \ + libcap-dev \ + libcap-ng-dev \ + libdbus-1-dev \ + libelf-dev \ + libfuse3-dev \ + libglib2.0-dev \ + libgnutls28-dev \ + libjson-glib-dev \ + libnet1-dev \ + libnl-3-dev \ + libnuma-dev \ + libpam0g-dev \ + libpixman-1-dev 
\ + libprotobuf-c-dev \ + libprotobuf-dev \ + librbd-dev \ + libseccomp-dev \ + libselinux1-dev \ + libspice-server-dev \ + libsqlite3-dev \ + libssl-dev \ + libtool \ + libudev-dev \ + libusb-1.0-0-dev \ + libusbredirhost-dev \ + libuv1-dev \ + lsb-release \ + mtools \ + ninja-build \ + pkg-config \ + protobuf-c-compiler \ + protobuf-compiler \ + python3-cryptography \ + python3-jinja2 \ + python3-pexpect \ + python3-pip \ + python3-setuptools \ + python3-venv \ + rsync \ + socat \ + uuid-dev \ + xmlto \ + xorriso + + pip3 install meson || pip3 install meson --break-system-packages + + - name: Install Go + run: | + curl -sL "https://go.dev/dl/go${GOLANG_TAG}.linux-${OS_ARCH}.tar.gz" | tar -C /usr/local/ -zx + go version + + - name: Install Rust + run: | + curl -sL https://sh.rustup.rs -o install-rust.sh + bash install-rust.sh -y + + - name: Build environment + run: | + mkdir /build/ + mkdir -p \ + /opt/incus/bin/ \ + /opt/incus/include/ \ + /opt/incus/lib/ \ + /opt/incus/lib/systemd/system/ \ + /opt/incus/share/ + + - name: Get the code + run: | + git clone https://github.com/axboe/liburing /build/liburing --depth 1 -b "${LIBURING_TAG}" + git clone https://github.com/cowsql/raft /build/raft --depth 1 -b "${RAFT_TAG}" + git clone https://github.com/cowsql/cowsql /build/cowsql --depth 1 -b "${COWSQL_TAG}" + git clone https://github.com/lxc/lxc /build/lxc --depth 1 -b "${LXC_TAG}" + git clone https://github.com/lxc/lxcfs /build/lxcfs --depth 1 -b "${LXCFS_TAG}" + git clone https://github.com/lxc/incus /build/incus --depth 1 -b "${INCUS_TAG}" + + git clone https://github.com/checkpoint-restore/criu /build/criu --depth 1 -b "${CRIU_TAG}" + git clone https://github.com/NVIDIA/libnvidia-container /build/libnvidia-container --depth 1 -b "${NVIDIA_CONTAINER_TAG}" + git clone https://github.com/minio/minio /build/minio --depth 1 -b "${MINIO_TAG}" + + git clone https://gitlab.com/qemu-project/seabios /build/seabios --depth 1 -b "${SEABIOS_TAG}" + git clone 
https://github.com/netwide-assembler/nasm /build/nasm --depth 1 -b "${NASM_TAG}" + git clone https://github.com/tianocore/edk2 /build/edk2 --recurse-submodules --shallow-submodules --depth 1 -b "${EDK2_TAG}" + git clone https://github.com/stefanberger/libtpms /build/libtpms --depth 1 -b "${LIBTPMS_TAG}" + git clone https://github.com/stefanberger/swtpm /build/swtpm --depth 1 -b "${SWTPM_TAG}" + git clone https://gitlab.com/virtio-fs/virtiofsd /build/virtiofsd --depth 1 -b "${VIRTIOFSD_TAG}" + git clone https://gitlab.com/qemu-project/qemu /build/qemu --depth 1 -b "${QEMU_TAG}" + + - name: Build liburing + run: | + cd /build/liburing + ./configure --prefix=/opt/incus + make + + mkdir -p /build/target/liburing/ + DESTDIR=/build/target/liburing make install + rsync -a /build/target/liburing/opt/incus/include/* /opt/incus/include/ + rsync -a /build/target/liburing/opt/incus/lib/* /opt/incus/lib/ + + - name: Build raft + run: | + cd /build/raft + autoreconf -i + ./configure --prefix=/opt/incus + make + + mkdir -p /build/target/raft/ + DESTDIR=/build/target/raft/ make install + rsync -a /build/target/raft/opt/incus/include/ /opt/incus/include/ + rsync -a /build/target/raft/opt/incus/lib/ /opt/incus/lib/ + + - name: Build cowsql + run: | + cd /build/cowsql + autoreconf -i + ./configure --prefix=/opt/incus + make + + mkdir -p /build/target/cowsql/ + DESTDIR=/build/target/cowsql/ make install + rsync -a /build/target/cowsql/opt/incus/include/ /opt/incus/include/ + rsync -a /build/target/cowsql/opt/incus/lib/ /opt/incus/lib/ + + - name: Build LXC + run: | + cd /build/lxc + meson setup build \ + --prefix=/opt/incus \ + --libdir=/opt/incus/lib \ + -Dexamples=false \ + -Dman=false \ + -Dtools=false \ + -Dtests=false \ + -Dmemfd-rexec=false \ + -Dapparmor=true \ + -Dseccomp=true \ + -Dselinux=true \ + -Dcapabilities=true \ + -Dio-uring-event-loop=true + meson compile -C build + + mkdir -p /build/target/lxc/ + DESTDIR=/build/target/lxc/ meson install -C build + rsync -a 
/build/target/lxc/opt/incus/include/ /opt/incus/include/ + rsync -a /build/target/lxc/opt/incus/lib/ /opt/incus/lib/ + mkdir -p /opt/incus/share/lxc/config/common.conf.d/ + + - name: Build LXCFS + run: | + REPO="${PWD}" + + cd /build/lxcfs + meson setup build \ + --prefix=/opt/incus \ + --libdir=/opt/incus/lib \ + -Ddocs=false \ + -Dtests=false + meson compile -C build + + mkdir -p /build/target/lxcfs/ + DESTDIR=/build/target/lxcfs/ meson install -C build + rsync -a /build/target/lxcfs/opt/incus/bin/ /opt/incus/bin/ + rsync -a /build/target/lxcfs/opt/incus/share/ /opt/incus/share/ + rsync -a /build/target/lxcfs/opt/incus/lib/ /opt/incus/lib/ + + sed -i "s#/var/lib/lxcfs#/var/lib/incus-lxcfs#g" /opt/incus/share/lxcfs/lxc.mount.hook + patch -p1 /opt/incus/share/lxcfs/lxc.mount.hook < "${REPO}/patches/lxcfs-0001-hook.patch" + + - name: Build Incus + run: | + REPO="${PWD}" + + cd /build/incus + go build -o "/opt/incus/bin/incus" github.com/lxc/incus/cmd/incus + go build -o "/opt/incus/bin/incus-benchmark" -tags=libsqlite3 github.com/lxc/incus/cmd/incus-benchmark + go build -o "/opt/incus/bin/incus-user" -tags=libsqlite3 github.com/lxc/incus/cmd/incus-user + go build -o "/opt/incus/bin/incusd" -tags=libsqlite3 github.com/lxc/incus/incusd + go build -o "/opt/incus/bin/lxc-to-incus" github.com/lxc/incus/cmd/lxc-to-incus + CGO_ENABLED=0 go build -o "/opt/incus/bin/incus-agent" -tags=agent,netgo github.com/lxc/incus/cmd/incus-agent + + mkdir -p /opt/incus/share/bash_completion.d/ + cp scripts/bash/incus /opt/incus/share/bash_completion.d/incus + + cd /build/incus/cmd/lxd-to-incus + go build -o "/opt/incus/bin/lxd-to-incus" -tags=libsqlite3 ./ + + - name: Build CRIU + run: | + cd /build/criu + make + cp criu/criu /opt/incus/bin/ + + - name: Build libnvidia-container + run: | + REPO="${PWD}" + + cd /build/libnvidia-container + patch -p1 < "${REPO}/patches/nvidia-0001-Fix-for-22.04-build.patch" + patch -p1 < "${REPO}/patches/nvidia-0002-pre-load-libdl.patch" + make prefix=/ + 
+ mkdir /build/target/libnvidia-container + DESTDIR=/build/target/libnvidia-container make install prefix=/ + rsync -a /build/target/libnvidia-container/bin/ /opt/incus/bin/ + rsync -a /build/target/libnvidia-container/include/ /opt/incus/include/ + rsync -a /build/target/libnvidia-container/lib/ /opt/incus/lib/ + + - name: Build minio + run: | + cd /build/minio + make build + cp minio /opt/incus/bin/ + + - name: Build seabios + if: ${{ matrix.arch == 'amd64' }} + run: | + REPO="${PWD}" + + cd /build/seabios + patch -p1 < "${REPO}/patches/seabios-0001-CSM-memory.patch" + + make clean distclean + echo "CONFIG_QEMU_HARDWARE=y" > .config + echo "CONFIG_CSM=y" >> .config + echo "CONFIG_BOOTSPLASH=n" >> .config + echo "CONFIG_ROM_SIZE=128" >> .config + echo "CONFIG_PVSCSI=n" >> .config + echo "CONFIG_ESP_SCSI=n" >> .config + echo "CONFIG_LSI_SCSI=n" >> .config + echo "CONFIG_MEGASAS=n" >> .config + echo "CONFIG_MPT_SCSI=n" >> .config + echo "CONFIG_FLOPPY=n" >> .config + echo "CONFIG_FLASH_FLOPPY=n" >> .config + make oldnoconfig V=1 + make V=1 PYTHON=python3 + + - name: Build nasm + run: | + REPO="${PWD}" + + cd /build/nasm + patch -p1 < "${REPO}/patches/nasm-0000-disable-manpages.patch" + patch -p1 < "${REPO}/patches/nasm-0001-old-autoconf.patch" + ./autogen.sh + ./configure --prefix=/opt/incus + make + + mkdir -p /build/target/nasm/ + DESTDIR=/build/target/nasm make install + rsync -a /build/target/nasm/opt/incus/bin/ /opt/incus/bin/ + + - name: Build EDK2 + run: | + REPO="${PWD}" + + cd /build/edk2 + patch -p1 < "${REPO}/patches/edk2-0001-force-DUID-LLT.patch" + cp "${REPO}/patches/edk2-0002-logo.bmp" MdeModulePkg/Logo/Logo.bmp + patch -p1 < "${REPO}/patches/edk2-0003-boot-delay.patch" + patch -p1 < "${REPO}/patches/edk2-0004-gcc-errors.patch" + patch -p1 < "${REPO}/patches/edk2-0005-disable-EFI-memory-attributes-protocol.patch" + + if [ "$(uname -m)" = "x86_64" ]; then + cp ../seabios/out/Csm16.bin OvmfPkg/Csm/Csm16/Csm16.bin + fi + + EDK2_ARCH="X64" + 
EDK2_PKG="OvmfPkg/OvmfPkgX64.dsc" + EDK2_FV_CODE="OVMF_CODE" + EDK2_FV_VARS="OVMF_VARS" + if [ "$(uname -m)" = "aarch64" ]; then + EDK2_ARCH="AARCH64" + EDK2_PKG="ArmVirtPkg/ArmVirtQemu.dsc" + EDK2_FV_CODE="QEMU_EFI" + EDK2_FV_VARS="QEMU_VARS" + fi + + build_edk2() { + TARGET_CODE="$1" + shift + TARGET_VARS="$1" + shift + + set -ex + ( + cat << EOF + . ./edksetup.sh + make -C BaseTools ARCH=${EDK2_ARCH} + build -a ${EDK2_ARCH} -t GCC5 -b RELEASE -p ${EDK2_PKG} \ + -DSMM_REQUIRE=FALSE \ + -DSECURE_BOOT_ENABLE=TRUE \ + -DNETWORK_IP4_ENABLE=TRUE \ + -DNETWORK_IP6_ENABLE=TRUE \ + -DNETWORK_TLS_ENABLE=TRUE \ + -DNETWORK_HTTP_BOOT_ENABLE=TRUE \ + -DTPM2_ENABLE=TRUE \ + -DTPM2_CONFIG_ENABLE=TRUE \ + $@ + EOF + ) | bash -e + + cp Build/*/*/FV/${EDK2_FV_CODE}.fd "${TARGET_CODE}" + cp Build/*/*/FV/${EDK2_FV_VARS}.fd "${TARGET_VARS}" + + if [ "$(uname -m)" = "aarch64" ]; then + truncate -s 64m "${TARGET_CODE}" + truncate -s 64m "${TARGET_VARS}" + fi + } + + mkdir -p "/opt/incus/share/qemu/" + build_edk2 \ + "/opt/incus/share/qemu/OVMF_CODE.4MB.fd" \ + "/opt/incus/share/qemu/OVMF_VARS.4MB.fd" \ + -DFD_SIZE_4MB + + if [ "$(uname -m)" = "x86_64" ]; then + build_edk2 \ + "/opt/incus/share/qemu/OVMF_CODE.4MB.CSM.fd" \ + "/opt/incus/share/qemu/OVMF_VARS.4MB.CSM.fd" \ + -DFD_SIZE_4MB \ + -DCSM_ENABLE=TRUE + fi + + ln -s OVMF_CODE.4MB.fd /opt/incus/share/qemu/OVMF_CODE.fd + ln -s OVMF_VARS.4MB.fd /opt/incus/share/qemu/OVMF_VARS.fd + + - name: Build libtmps + run: | + cd /build/libtpms + ./autogen.sh + ./configure --prefix=/opt/incus --with-tpm2 --with-openssl + make + + mkdir -p /build/target/libtpms/ + DESTDIR=/build/target/libtpms make install + rsync -a /build/target/libtpms/opt/incus/include/ /opt/incus/include/ + rsync -a /build/target/libtpms/opt/incus/lib/ /opt/incus/lib/ + + - name: Build swtpm + run: | + cd /build/swtpm + ./autogen.sh + ./configure --prefix=/opt/incus --with-seccomp --with-openssl --without-cuse + make + + mkdir -p /build/target/swtpm/ + 
DESTDIR=/build/target/swtpm make install + rsync -a /build/target/swtpm/opt/incus/bin/ /opt/incus/bin/ + rsync -a /build/target/swtpm/opt/incus/include/ /opt/incus/include/ + rsync -a /build/target/swtpm/opt/incus/lib/ /opt/incus/lib/ + + - name: Build virtiofsd + run: | + cd /build/virtiofsd + cargo build --release + cp target/release/virtiofsd /opt/incus/bin/ + + - name: Build QEMU + run: | + cd /build/qemu + sed -i "s/^unset target_list$/target_list=\"$(uname -m)-softmmu\"/" configure + sed -i 's#libseccomp_minver=".*#libseccomp_minver="0.0"#g' configure + ./configure \ + --prefix=/opt/incus \ + --libexecdir=lib/qemu \ + --libdir=lib \ + --disable-bochs \ + --disable-cloop \ + --disable-dmg \ + --disable-docs \ + --disable-guest-agent \ + --disable-parallels \ + --disable-qed \ + --disable-slirp \ + --disable-user \ + --disable-vdi \ + --disable-vnc \ + --disable-xen \ + --disable-install-blobs \ + --enable-attr \ + --enable-cap-ng \ + --enable-kvm \ + --enable-libusb \ + --enable-usb-redir \ + --enable-linux-aio \ + --enable-linux-io-uring \ + --enable-numa \ + --enable-pie \ + --enable-rbd \ + --enable-seccomp \ + --enable-spice \ + --enable-system \ + --enable-tcg \ + --enable-tools \ + --enable-vhost-crypto \ + --enable-vhost-kernel \ + --enable-vhost-net \ + --enable-vhost-user \ + --enable-virtfs + make + + mkdir /build/target/qemu/ + DESTDIR=/build/target/qemu/ make install + rsync -a /build/target/qemu/opt/incus/bin/ /opt/incus/bin/ + rsync -a /build/target/qemu/opt/incus/lib/ /opt/incus/lib/ + rsync -a /build/target/qemu/opt/incus/share/qemu/ /opt/incus/share/qemu/ + cp /build/qemu/pc-bios/kvmvapic.bin /opt/incus/share/qemu/ + cp /build/qemu/pc-bios/vgabios-qxl.bin /opt/incus/share/qemu/ + cp /build/qemu/pc-bios/vgabios-virtio.bin /opt/incus/share/qemu/ + cp /build/qemu/pc-bios/efi-virtio.rom /opt/incus/share/qemu/ + + - name: Build Secure Boot firmware + run: | + REPO="${PWD}" + + cd /build/edk2 + + FIRMWARE="OVMF" + if [ "$(uname -m)" = "aarch64" ]; 
then + FIRMWARE="AAVMF" + fi + + cd "${REPO}/edk2-vars-generator" + ./edk2-vars-generator -f "${FIRMWARE}" \ + -e /build/edk2/Build/*/*/*/EnrollDefaultKeys.efi \ + -s /build/edk2/Build/*/*/*/Shell.efi \ + -c "/opt/incus/share/qemu/OVMF_CODE.4MB.fd" \ + -V "/opt/incus/share/qemu/OVMF_VARS.4MB.fd" \ + -C "$(cat ${REPO}/zabbly-sb.oem.crt)" \ + -o "/opt/incus/share/qemu/OVMF_VARS.4MB.ms.fd" + + - name: Systemd units + run: | + cp systemd/* /opt/incus/lib/systemd/system/ + + - name: Strip and cleanup binaries + run: | + rm -Rf /opt/incus/lib/debug/ + rm -Rf /opt/incus/include/ + rm -Rf /opt/incus/lib/pkgconfig/ + strip /opt/incus/bin/* + strip /opt/incus/lib/*so* + rm /opt/incus/lib/*.a /opt/incus/lib/*.la /opt/incus/lib/*/*.a /opt/incus/lib/*/*.la + + - name: Make a Debian package + env: + PKGOS: ${{ matrix.os }} + run: | + [ "${PKGOS}" = "debian-11" ] && CODENAME=bullseye + [ "${PKGOS}" = "debian-12" ] && CODENAME=bookworm + [ "${PKGOS}" = "ubuntu-20.04" ] && CODENAME=focal + [ "${PKGOS}" = "ubuntu-22.04" ] && CODENAME=jammy + + mkdir -p pkg/ pkg/lib/systemd/system/ pkg/opt/ pkg/usr/bin/ + + cp -R debian pkg/debian + cp bin/* pkg/usr/bin/ + cp -R /opt/incus pkg/opt/ + cp -R etc pkg/etc + ln -s ../../../opt/incus/lib/systemd/system/incus.service pkg/lib/systemd/system/incus.service + ln -s ../../../opt/incus/lib/systemd/system/incus.socket pkg/lib/systemd/system/incus.socket + ln -s ../../../opt/incus/lib/systemd/system/incus-startup.service pkg/lib/systemd/system/incus-startup.service + ln -s ../../../opt/incus/lib/systemd/system/incus-lxcfs.service pkg/lib/systemd/system/incus-lxcfs.service + ln -s /opt/incus/bin/incus pkg/usr/bin/incus + ln -s /opt/incus/bin/lxd-to-incus pkg/usr/bin/lxd-to-incus + mkdir -p pkg/var/lib/incus + chmod 711 pkg/var/lib/incus + + cd pkg + dch --package incus --create -D ${CODENAME} -M -m "Automated Incus daily build" -v 0~$(date -u +%Y%m%d%H%M)-$(echo ${PKGOS} | sed "s/-//g") --force-distribution + dpkg-buildpackage -b + + cd .. 
+ mkdir out + mv incus_* out/ + + - name: Upload resulting build + uses: actions/upload-artifact@v3 + continue-on-error: true + with: + name: ${{ matrix.os }}-${{ matrix.arch }} + path: out/* diff --git a/.github/workflows/commits.yml b/.github/workflows/commits.yml new file mode 100644 index 0000000..1680311 --- /dev/null +++ b/.github/workflows/commits.yml @@ -0,0 +1,40 @@ +name: Commits +on: + - pull_request + +permissions: + contents: read + +jobs: + dco-check: + permissions: + pull-requests: read # for tim-actions/get-pr-commits to get list of commits from the PR + name: Signed-off-by (DCO) + runs-on: ubuntu-22.04 + steps: + - name: Get PR Commits + id: 'get-pr-commits' + uses: tim-actions/get-pr-commits@master + with: + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Check that all commits are signed-off + uses: tim-actions/dco@master + with: + commits: ${{ steps.get-pr-commits.outputs.commits }} + + target-branch: + permissions: + contents: none + name: Branch target + runs-on: ubuntu-22.04 + steps: + - name: Check branch target + env: + TARGET: ${{ github.event.pull_request.base.ref }} + run: | + set -x + [ "${TARGET}" = "daily" ] && exit 0 + + echo "Invalid branch target: ${TARGET}" + exit 1 diff --git a/README.md b/README.md new file mode 100644 index 0000000..92d01c6 --- /dev/null +++ b/README.md 
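Review bot: The toolchain fetches in the "Install Go" and "Install Rust" steps run whatever the network returns with no integrity check, `curl -sL "https://go.dev/dl/go${GOLANG_TAG}.linux-${OS_ARCH}.tar.gz" | tar -C /usr/local/ -zx` and `bash install-rust.sh -y`, and `pip3 install meson` is unpinned, so a tampered download or compromised mirror ends up inside every published package. Pinning `GOLANG_TAG` only helps if the archive is also verified; a minimal fix is to download to a file and check it before extraction, `curl -sLo go.tgz "https://go.dev/dl/go${GOLANG_TAG}.linux-${OS_ARCH}.tar.gz"`, `echo "<EXPECTED_SHA256_PLACEHOLDER>  go.tgz" | sha256sum -c -`, `tar -C /usr/local/ -zxf go.tgz`, with one expected hash per architecture, and the same treatment for the rustup script and `pip3 install meson==<VERSION_PLACEHOLDER>`. Separately, in the "Build Secure Boot firmware" step `-C "$(cat ${REPO}/zabbly-sb.oem.crt)"` leaves `${REPO}` unquoted inside the command substitution while every other use in the file is `"${REPO}"`.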
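Review bot: Both third-party actions in the dco-check job are referenced by a mutable branch, `uses: tim-actions/get-pr-commits@master` and `uses: tim-actions/dco@master`, and the first one is handed `secrets.GITHUB_TOKEN`; whoever can push to that repository's master branch can change what runs with the token on every pull request. Pin each to a full commit SHA with the version in a trailing comment, `uses: tim-actions/get-pr-commits@<COMMIT_SHA_PLACEHOLDER> # <tag>`, and let a dependency bot move the pin. The job-level `permissions: pull-requests: read` keeps the token narrow, which limits the blast radius but does not remove the risk; `actions/checkout@v3` and `actions/upload-artifact@v3` in builds.yml are tag-pinned first-party actions, which is the usual tradeoff but could get the same treatment.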
@@ -0,0 +1,81 @@ +# Incus builds +Incus package builds provided by Zabbly. + +Currently only daily builds are available. +Those are development builds, use at your own risk! + +## Availability +Those packages are built for: + + * Ubuntu 20.04 LTS (`focal`) + * Ubuntu 22.04 LTS (`jammy`) + * Debian 11 (`bullseye`) (`x86_64` only) + * Debian 12 (`bookworm`) + +## Installation +On any of those, you can add the package repository at `/etc/apt/sources.list.d/zabbly-incus-daily.sources`: + +``` +Enabled: yes +Types: deb +URIs: https://pkgs.zabbly.com/incus/daily +Suites: DISTRO +Components: main +Architectures: ARCH +Signed-By: /etc/apt/keyrings/zabbly.asc +``` + +Make sure to replace `DISTRO` with one of `focal`, `jammy`, `bullseye` or `bookworm` +and then replace `ARCH` with one of `amd64` or `arm64`. + +After that, add the [GPG keyring](https://pkgs.zabbly.com/key.asc) to `/etc/apt/keyrings/zabbly.asc`: +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGTlYcIBDACYQoVXVyQ6Y3Of14GwEaiv/RstQ8jWnH441OtvDbD/VVT8yF0P +pUfypWjQS8aq0g32Qgb9H9+b8UAAKojA2W0szjJFlmmSq19YDMMmNC4AnfeZlKYM +61Zonna7fPaXmlsTlSiUeo/PGvmAXrkFURC9S8FbhZdWEcUpf9vcKAoEzV8qGA4J +xbKlj8EOjSkdq3OQ1hHjP8gynbbzMhZQwjbnWqoiPj35ed9EMn+0QcX+GmynGq6T +hBXdRdeQjZC6rmXzNF2opCyxqx3BJ0C7hUtpHegmeoH34wnJHCqGYkEKFAjlRLoW +tOzHY9J7OFvB6U7ENtnquj7lg2VQK+hti3uiHW+oide06QgjVw2irucCblQzphgo +iX5QJs7tgFFDsA9Ee0DZP6cu83hNFdDcXEZBc9MT5Iu0Ijvj7Oeym3DJpkCuIWgk +SeP56sp7333zrg73Ua7YZsZHRayAe/4YdNUua+90P4GD12TpTtJa4iRWRd7bis6m +tSkKRj7kxyTsxpEAEQEAAbQmWmFiYmx5IEtlcm5lbCBCdWlsZHMgPGluZm9AemFi +Ymx5LmNvbT6JAdQEEwEKAD4WIQRO/FkGlssVuHxzo62CzIeXyDjc/QUCZOVhwgIb +AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCCzIeXyDjc/W05C/4n +lGRTlyOETF2K8oWbjtan9wlttQ+pwymJCnP8T+JJDycGL8dPsGdG1ldHdorVZpFi +1P+Bem9bbiW73TpbX+WuCfP1g3WN7AVa2mYRfSVhsLNeBAMRgWgNW9JYsmg99lmY +aPsRYZdGu/PB+ffMIyWhjL3CKCbYS6lV5N5Mi4Lobyz/I1Euxpk2vJhhUqh786nJ +pQpDnvEl1CRANS6JD9bIvEdfatlAhFlrz1TTf6R7SlppyYI7tme4I/G3dnnHWYSG 
+cGRaLwpwobTq0UNSO71g7+at9eY8dh5nn2lZUvvxZvlbXoOoPxKUoeGVXqoq5F7S +QcMVAogYtyNlnLnsUfSPw6YFRaQ5o00h30bR3hk+YmJ47AJCRY9GIc/IEdSnd/Z5 +Ea7CrP2Bo4zxPgcl8fe311FQRTRoWr19l5PXZgGjzy6siXTrYQi6GjLtqVB5SjJf +rrIIy1vZRyDL96WPu6fS+XQMpjsSygj+DBFk8OAvHhQhMCXHgT4BMyg4D5GE0665 +AY0EZOVhwgEMAMIztf6WlRsweysb0tzktYE5E/GxIK1lwcD10Jzq3ovJJPa2Tg2t +J6ZBmMQfwU4OYO8lJxlgm7t6MYh41ZZaRhySCtbJiAXqK08LP9Gc1iWLRvKuMzli +NFSiFDFGT1D6kwucVfL/THxvZlQ559kK+LB4iXEKXz37r+MCX1K9uiv0wn63Vm0K +gD3HDgfXWYJcNyXXfJBe3/T5AhuSBOQcpa7Ow5n8zJ+OYg3FFKWHDBTSSZHpbJFr +ArMIGARz5/f+EVj9XGY4W/+ZJlxNh8FzrTLeRArmCWqKLPRG/KF36dTY7MDpOzlw +vu7frv+cgiXHZ2NfPrkH8oOl4L+ufze5KBGcN0QwFDcuwCkv/7Ft9Ta7gVaIBsK7 +12oHInUJ6EkBovxpuaLlHlP8IfmZLZbbHzR2gR0e6IhLtrzd7urB+gXUtp6+wCL+ +kWD14TTJhSQ+SFU8ajvUah7/1m2bxdjZNp9pzOPGkr/jEjCM0CpZiCY62SeIJqVc +4/ID9NYLAGmSIwARAQABiQG8BBgBCgAmFiEETvxZBpbLFbh8c6OtgsyHl8g43P0F +AmTlYcICGwwFCQPCZwAACgkQgsyHl8g43P0wEgv+LuknyXHpYpiUcJOl9Q5yLokd +o7tJwJ+9Fu7EDAfM7mPgyBj7Ad/v9RRP+JKWHqIYEjyrRnz9lmzciU+LT/CeoQu/ +MgpU8wRI4gVtLkX2238amrTKKlVjQUUNHf7cITivUs/8e5W21JfwvcSzu5z4Mxyw +L6vMlBUAixtzZSXD6O7MO9uggHUZMt5gDSPXG2RcIgWm0Bd1yTHL7jZt67xBgZ4d +hUoelMN2XIDLv4SY78jbHAqVN6CLLtWrz0f5YdaeYj8OT6Ohr/iJQdlfVaiY4ikp +DzagLi0LvG9/GuB9eO6yLuojg45JEH8DC7NW5VbdUITxQe9NQ/j5kaRKTEq0fyZ+ +qsrryTyvXghxK8oMUcI10l8d41qXDDPCA40kruuspCZSAle3zdqpYqiu6bglrgWr +Zr2Nm9ecm/kkqMIcyJ8e2mlkuufq5kVem0Oez+GIDegvwnK3HAqWQ9lzdWKvnLiE +gNkvg3bqIwZ/WoHBnSwOwwAzwarJl/gn8OG6CIeP +=8Uc6 +-----END PGP PUBLIC KEY BLOCK----- +``` + +Update your repository list with: `apt-get update` + +Then to install Incus, run: `apt-get install incus` + +## Repository +This repository gets actively rebased as new releases come out, DO NOT expect a linear git history. diff --git a/bin/incusd b/bin/incusd new file mode 100755 index 0000000..cce1520 --- /dev/null +++ b/bin/incusd @@ -0,0 +1,4 @@ +#!/bin/sh +export PATH=/opt/incus/bin/:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin +export LD_LIBRARY_PATH=/opt/incus/lib/ +exec incusd "$@" 
diff --git a/bin/lxc-to-incus b/bin/lxc-to-incus
new file mode 100755
index 0000000..693247d
--- /dev/null
+++ b/bin/lxc-to-incus
@@ -0,0 +1,4 @@
+#!/bin/sh
+export PATH=/opt/incus/bin/:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+export LD_LIBRARY_PATH=/opt/incus/lib/
+exec lxc-to-incus "$@"
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..68f2af9
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,59 @@
+Source: incus
+Section: admin
+Priority: optional
+Maintainer: Zabbly ZFS builds
+Build-Depends: debhelper-compat (= 12)
+Standards-Version: 4.6.2
+Homepage: https://linuxcontainers.org
+Rules-Requires-Root: no
+
+Package: incus
+Architecture: linux-any
+Depends: ${misc:Depends},
+ apparmor,
+ attr,
+ ca-certificates,
+ dnsmasq-base,
+ libacl1,
+ libaio1,
+ libapparmor1,
+ libbsd0,
+ libcap2,
+ libfuse3-3,
+ libgcc-s1,
+ libgnutls30,
+ libjson-glib-1.0-0,
+ libnet1,
+ libnftables1,
+ libnl-3-200,
+ libnuma1,
+ libpixman-1-0,
+ libprotobuf-c1,
+ librados2,
+ librbd1,
+ libseccomp2,
+ libseccomp2,
+ libselinux1,
+ libspice-server1,
+ libudev1,
+ libusb-1.0-0,
+ libusbredirparser1,
+ libuv1,
+ nftables | iptables,
+ rsync,
+ squashfs-tools,
+ xdelta3,
+ xz-utils
+Suggests:
+ btrfs-progs,
+ ceph-common,
+ lvm2,
+ zfsutils-linux | openzfs-zfsutils
+Pre-Depends: ${misc:Pre-Depends}
+Description: Incus - Container and virtualization daemon
+ Incus provides the ability to run containers and virtual machines locally
+ along with very flexible networking and storage akin to what's offered
+ in a public cloud environment.
+ .
+ This build of Incus is provided for free by Zabbly.
+ Zabbly can be contacted for commercial support and development on Incus.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..fc0a181
--- /dev/null
+++ b/debian/copyright
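Review bot: `libseccomp2,` is listed twice in the `Depends:` field of the incus package; dpkg tolerates the duplicate but lintian reports it, so one copy should go. The `Maintainer:` field reads `Zabbly ZFS builds` with no address surviving in this view, which looks copied from another package; this is the contact dpkg and bug reports show to users, so I would expect something like `Maintainer: Zabbly Incus builds <contact@example.invalid>` with the real address. Because debian/rules in this commit overrides `dh_shlibdeps` with an empty target, this hand-written list is the only source of runtime library dependencies, which makes keeping it exact more important than usual.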
@@ -0,0 +1,24 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: incus
+Upstream-Contact: lxc-devel@lists.linuxcontainers.org
+Source: https://linuxcontainers.org/incus/downloads
+
+Files: debian/*
+Copyright: 2023 Stéphane Graber
+License: Apache-2.0
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+Comment:
+ On Debian systems, the complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".
diff --git a/debian/incus.install b/debian/incus.install
new file mode 100644
index 0000000..1fcd60c
--- /dev/null
+++ b/debian/incus.install
@@ -0,0 +1,5 @@
+etc
+lib
+opt
+usr
+var
diff --git a/debian/incus.postinst b/debian/incus.postinst
new file mode 100644
index 0000000..34f4bde
--- /dev/null
+++ b/debian/incus.postinst
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ install|upgrade)
+ # Apply the sysctls.
+ systemctl restart systemd-sysctl || true
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/incus.preinst b/debian/incus.preinst
new file mode 100644
index 0000000..5391053
--- /dev/null
+++ b/debian/incus.preinst
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ install|upgrade)
+ if ! getent group incus >/dev/null; then
+ addgroup --system incus
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..58e90e0
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,13 @@
+#!/usr/bin/make -f
+%:
+ dh $@
+
+override_dh_dwz:
+override_dh_strip:
+override_dh_shlibdeps:
+
+override_dh_installsystemd:
+ dh_installsystemd -p incus --no-stop-on-upgrade incus-lxcfs.service
+ dh_installsystemd -p incus --no-stop-on-upgrade incus-startup.service
+ dh_installsystemd -p incus incus.service
+ dh_installsystemd -p incus incus.socket
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/edk2-vars-generator/UEFI/Filesystems.py b/edk2-vars-generator/UEFI/Filesystems.py
new file mode 100644
index 0000000..923db30
--- /dev/null
+++ b/edk2-vars-generator/UEFI/Filesystems.py
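Review bot: The unknown-argument branch of debian/incus.preinst names the wrong script: `echo "postinst called with unknown argument \`$1'" >&2` should read `echo "preinst called with unknown argument \`$1'" >&2`, otherwise a failing preinst is misattributed in the dpkg output. It was presumably copied from incus.postinst in the same commit, where the text is correct.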
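Review bot: debian/rules overrides `dh_dwz`, `dh_strip` and `dh_shlibdeps` with empty targets, so the package gets no `${shlibs:Depends}` and no debhelper stripping, and nothing in the file says why; the stripping is done by hand in builds.yml, and the shlibdeps skip is presumably because the runtime libraries ship under /opt/incus/lib and would not resolve to packaged shared libraries. A one-line comment above the overrides, `# shlibdeps disabled: runtime libraries live in /opt/incus/lib, so Depends is maintained by hand in debian/control`, would save the next maintainer the archaeology.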
@@ -0,0 +1,101 @@ +# +# Copyright 2019-2022 Canonical Ltd. +# Authors: +# - dann frazier +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 3, as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY, +# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this program. If not, see . +# + +import os +import shutil +import subprocess +import tempfile + + +class FatFsImage: + def __init__(self, size_in_mb): + with tempfile.NamedTemporaryFile(delete=False) as f: + self.path = f.name + + subprocess.check_call( + [ + 'dd', 'if=/dev/zero', 'of=%s' % (self.path), + 'count=0', 'bs=1M', 'seek=%d' % (size_in_mb), 'status=none' + ] + ) + new_env = os.environ.copy() + new_env['PATH'] = f"{os.environ['PATH']}:/sbin" + subprocess.check_call(['mkdosfs', '-F', '32', self.path], env=new_env) + + def __del__(self): + os.unlink(self.path) + + def mkdir(self, dir): + subprocess.run(['mmd', '-i', self.path, dir]) + + def makedirs(self, dir): + dirs = dir.split(os.path.sep) + for dir_idx in range(1, len(dirs)+1): + next_dir = os.path.sep.join(dirs[:dir_idx]) + self.mkdir(next_dir) + + def insert_file(self, src, dest): + subprocess.check_call( + [ + 'mcopy', '-i', self.path, src, '::%s' % (dest) + ] + ) + + +class EfiBootableIsoImage: + def __init__(self, eltorito_img): + with tempfile.TemporaryDirectory() as iso_root: + eltorito_iso_root = 'boot' + eltorito_iso_path = os.path.join(eltorito_iso_root, 'efi.img') + eltorito_local_root = os.path.join(iso_root, eltorito_iso_root) + eltorito_local_path = os.path.join(iso_root, eltorito_iso_path) + + os.makedirs(eltorito_local_root) + shutil.copyfile(eltorito_img.path, 
eltorito_local_path) + + with tempfile.NamedTemporaryFile(delete=False) as f: + self.path = f.name + + subprocess.check_call( + [ + 'xorriso', '-as', 'mkisofs', '-J', '-l', + '-c', 'boot/boot.cat', + '-partition_offset', '16', '-append_partition', '2', + '0xef', eltorito_local_path, + '-e', '--interval:appended_partition_2:all::', + '-no-emul-boot', '-o', self.path, iso_root + ] + ) + + def __del__(self): + os.unlink(self.path) + + +class GrubShellBootableIsoImage(EfiBootableIsoImage): + def __init__(self, efi_arch, shim_path, grub_path): + efi_img = FatFsImage(64) + efi_img.makedirs(os.path.join('EFI', 'BOOT')) + removable_media_path = os.path.join( + 'EFI', 'BOOT', 'BOOT%s.EFI' % (efi_arch.upper()) + ) + grub_dest = os.path.join( + 'EFI', 'BOOT', 'GRUB%s.EFI' % (efi_arch.upper()) + ) + efi_img.insert_file(shim_path, removable_media_path) + efi_img.insert_file(grub_path, grub_dest) + super().__init__(efi_img) diff --git a/edk2-vars-generator/UEFI/Qemu.py b/edk2-vars-generator/UEFI/Qemu.py new file mode 100644 index 0000000..d4d8668 --- /dev/null +++ b/edk2-vars-generator/UEFI/Qemu.py 
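Review bot: `FatFsImage.mkdir` runs `subprocess.run(['mmd', '-i', self.path, dir])` without `check=True`, so a failing `mmd` is silently ignored, while every other external command in the file goes through `check_call`. This looks intentional, since `makedirs` re-issues `mkdir` for every prefix of the path and `mmd` is expected to fail on a directory that already exists, but that reasoning should be written down, e.g. `# mmd fails on an existing directory; makedirs relies on that being non-fatal`, or `makedirs` should track what it created and `mkdir` use `check=True` so real failures (image not mounted, bad path) surface before `insert_file` does. Both `mkdir` and `makedirs` also name their parameter `dir`, shadowing the builtin; `dirname` would be clearer. The `__del__` implementations unlink `self.path` unconditionally, which works only because `self.path` is assigned before any command that can raise in both `__init__`s; a short comment that this ordering is load-bearing would keep a future refactor from breaking cleanup.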
@@ -0,0 +1,180 @@ +# +# Copyright 2019-2021 Canonical Ltd. +# Authors: +# - dann frazier +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 3, as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY, +# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this program. If not, see . +# + +import enum +import os +import shutil +import tempfile + + +class QemuEfiMachine(enum.Enum): + OVMF_PC = enum.auto() + OVMF_Q35 = enum.auto() + OVMF32 = enum.auto() + AAVMF = enum.auto() + AAVMF32 = enum.auto() + + +class QemuEfiVariant(enum.Enum): + MS = enum.auto() + SECBOOT = enum.auto() + SNAKEOIL = enum.auto() + + +class QemuEfiFlashSize(enum.Enum): + DEFAULT = enum.auto + SIZE_2MB = enum.auto() + SIZE_4MB = enum.auto() + + +class QemuCommand: + Qemu_Common_Params = [ + '-no-user-config', '-nodefaults', + '-m', '256', + '-smp', '1,sockets=1,cores=1,threads=1', + '-display', 'none', + '-serial', 'stdio', + ] + Ovmf_Common_Params = Qemu_Common_Params + [ + '-chardev', 'pty,id=charserial1', + '-device', 'isa-serial,chardev=charserial1,id=serial1', + ] + Aavmf_Common_Params = Qemu_Common_Params + [ + '-machine', 'virt', '-device', 'virtio-serial-device', + ] + Machine_Base_Command = { + QemuEfiMachine.AAVMF: [ + 'qemu-system-aarch64', '-cpu', 'cortex-a57', + ] + Aavmf_Common_Params, + QemuEfiMachine.AAVMF32: [ + 'qemu-system-aarch64', '-cpu', 'cortex-a15', + ] + Aavmf_Common_Params, + QemuEfiMachine.OVMF_PC: [ + 'qemu-system-x86_64', '-machine', 'pc,accel=tcg', + ] + Ovmf_Common_Params, + QemuEfiMachine.OVMF_Q35: [ + 'qemu-system-x86_64', '-machine', 'q35,accel=tcg', + ] + Ovmf_Common_Params, + 
QemuEfiMachine.OVMF32: [ + 'qemu-system-i386', '-machine', 'q35,accel=tcg', + ] + Ovmf_Common_Params, + } + + def _get_default_flash_paths(self, machine, variant, flash_size): + assert(machine in QemuEfiMachine) + assert(variant is None or variant in QemuEfiVariant) + assert(flash_size in QemuEfiFlashSize) + + code_ext = vars_ext = '' + if variant == QemuEfiVariant.MS: + code_ext = vars_ext = '.ms' + elif variant == QemuEfiVariant.SECBOOT: + code_ext = '.secboot' + elif variant == QemuEfiVariant.SNAKEOIL: + vars_ext = '.snakeoil' + + if machine == QemuEfiMachine.AAVMF: + assert(flash_size == QemuEfiFlashSize.DEFAULT) + return ( + f'/usr/share/AAVMF/AAVMF_CODE{code_ext}.fd', + f'/usr/share/AAVMF/AAVMF_VARS{code_ext}.fd', + ) + if machine == QemuEfiMachine.AAVMF32: + assert(variant is None) + assert(flash_size == QemuEfiFlashSize.DEFAULT) + return ( + '/usr/share/AAVMF/AAVMF32_CODE.fd', + '/usr/share/AAVMF/AAVMF32_VARS.fd' + ) + if machine == QemuEfiMachine.OVMF32: + assert(variant is None or variant in [QemuEfiVariant.SECBOOT]) + assert( + flash_size in [ + QemuEfiFlashSize.DEFAULT, QemuEfiFlashSize.SIZE_4MB + ] + ) + return ( + '/usr/share/OVMF/OVMF32_CODE_4M.secboot.fd', + '/usr/share/OVMF/OVMF32_VARS_4M.fd', + ) + # Remaining possibilities are OVMF variants + if machine == QemuEfiMachine.OVMF_PC: + assert(variant is None) + if variant == QemuEfiVariant.SNAKEOIL: + # We provide one size - you don't get to pick. 
+ assert(flash_size == QemuEfiFlashSize.DEFAULT) + size_ext = '' if flash_size == QemuEfiFlashSize.SIZE_2MB else '_4M' + return ( + f'/usr/share/OVMF/OVMF_CODE{size_ext}{code_ext}.fd', + f'/usr/share/OVMF/OVMF_VARS{size_ext}{vars_ext}.fd' + ) + + def __init__( + self, machine, variant=None, + code_path=None, vars_template_path=None, + flash_size=QemuEfiFlashSize.DEFAULT, + ): + assert( + (code_path and vars_template_path) or + (not code_path and not vars_template_path) + ) + + if not code_path: + (code_path, vars_template_path) = self._get_default_flash_paths( + machine, variant, flash_size) + + self.pflash = self.PflashParams(code_path, vars_template_path) + self.command = self.Machine_Base_Command[machine] + self.pflash.params + if variant in [QemuEfiVariant.MS, QemuEfiVariant.SECBOOT] and \ + flash_size == QemuEfiFlashSize.SIZE_2MB: + # 2MB images have 64-bit PEI that does not support S3 w/ SMM + self.command.extend(['-global', 'ICH9-LPC.disable_s3=1']) + + def add_disk(self, path): + self.command = self.command + [ + '-drive', 'file=%s,format=raw' % (path) + ] + + def add_oem_string(self, type, string): + string = string.replace(",", ",,") + self.command = self.command + [ + '-smbios', f'type={type},value={string}' + ] + + class PflashParams: + ''' + Used to generate the appropriate -pflash arguments for QEMU. Mostly + used as a fancy way to generate a per-instance vars file and have it + be automatically cleaned up when the object is destroyed. + ''' + def __init__(self, code_path, vars_template_path): + with tempfile.NamedTemporaryFile(delete=False) as varfile: + self.varfile_path = varfile.name + with open(vars_template_path, 'rb') as template: + shutil.copyfileobj(template, varfile) + self.params = [ + '-drive', + 'file=%s,if=pflash,format=raw,unit=0,readonly=on' % + (code_path), + '-drive', + 'file=%s,if=pflash,format=raw,unit=1,readonly=off' % + (varfile.name) + ] + + def __del__(self): + os.unlink(self.varfile_path) 
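Review bot: `QemuEfiFlashSize.DEFAULT = enum.auto` is missing the call parentheses, so the member value is the `auto` class object itself rather than a generated integer; it happens to still produce a member in current CPython, but it should read `DEFAULT = enum.auto()` like the two members below it. In `_get_default_flash_paths` the AAVMF branch derives the VARS path from `code_ext` (`f'/usr/share/AAVMF/AAVMF_VARS{code_ext}.fd'`) while the OVMF branch uses `vars_ext`; for SECBOOT that presumably yields a non-existent `AAVMF_VARS.secboot.fd` and for SNAKEOIL it drops the `.snakeoil` suffix, so `{vars_ext}` looks intended. The argument checks in that method are `assert` statements, which are stripped under `python -O`; raising `ValueError` keeps the validation in place regardless of interpreter flags. `add_oem_string`'s `type` parameter shadows the builtin; `smbios_type` would be clearer.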
diff --git a/edk2-vars-generator/UEFI/SignedBinary.py b/edk2-vars-generator/UEFI/SignedBinary.py new file mode 100644 index 0000000..5bb33aa --- /dev/null +++ b/edk2-vars-generator/UEFI/SignedBinary.py @@ -0,0 +1,52 @@ +# +# Copyright 2022 Canonical Ltd. +# Authors: +# - dann frazier +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 3, as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY, +# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this program. If not, see . +# + +import os +import subprocess +import tempfile + + +class SignedBinary: + def __init__(self, binary_path, key_path, cert_path, password=None): + openssl_password_args = [] + if password: + openssl_password_args = [ + "-passin", f"pass:{password}" + ] + with tempfile.NamedTemporaryFile() as keytmp: + subprocess.check_call( + [ + "openssl", "rsa", + ] + openssl_password_args + [ + "-in", f"{key_path}", + "-out", f"{keytmp.name}", + ] + ) + with tempfile.NamedTemporaryFile(delete=False) as f: + self.path = f.name + + subprocess.check_call( + [ + "sbsign", "--key", f"{keytmp.name}", + "--cert", f"{cert_path}", + binary_path, "--output", f"{self.path}" + ] + ) + + def __del__(self): + os.unlink(self.path) diff --git a/edk2-vars-generator/edk2-vars-generator b/edk2-vars-generator/edk2-vars-generator new file mode 100755 index 0000000..9af5ff1 --- /dev/null +++ b/edk2-vars-generator/edk2-vars-generator 
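Review bot: The key passphrase is handed to `openssl` as `-passin pass:{password}` on the command line, which exposes it to any local user who can read the process list (`ps`, `/proc/<pid>/cmdline`) for as long as the call runs. Feed it through stdin instead: `openssl_password_args = ["-passin", "stdin"]` together with `subprocess.run([...], input=password.encode(), check=True)`, or use `-passin env:VAR` with an `env=` mapping that is not inherited by anything else. The decrypted key also exists on disk in `keytmp` while `sbsign` runs; that is bounded by the `with` block and the private mode `NamedTemporaryFile` uses, but a comment such as `# plaintext key is on disk only for the duration of the sbsign call` would make the lifetime explicit. Note that `openssl rsa` accepts RSA keys only; if non-RSA signing keys are ever used here, `openssl pkey` is the key-type-agnostic equivalent.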
@@ -0,0 +1,140 @@ +#!/usr/bin/env python3 +# +# Copyright 2021 Canonical Ltd. +# Authors: +# - dann frazier +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 3, as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranties of MERCHANTABILITY, +# SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this program. If not, see . +# + +import argparse +import os.path +import pexpect +import shutil +import sys +from UEFI.Filesystems import FatFsImage, EfiBootableIsoImage +from UEFI.Qemu import QemuEfiMachine, QemuEfiVariant, QemuEfiFlashSize +from UEFI import Qemu + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument( + "-f", "--flavor", help="UEFI Flavor", + choices=['AAVMF', 'OVMF', 'OVMF_4M'], + required=True, + ) + parser.add_argument( + "-e", "--enrolldefaultkeys", + help='Path to "EnrollDefaultKeys" EFI binary', + required=True, + ) + parser.add_argument( + "-s", "--shell", + help='Path to "Shell" EFI binary', + required=True, + ) + parser.add_argument( + "-C", "--certificate", + help='base64-encoded PK/KEK1 certificate', + required=True, + ) + parser.add_argument( + "-c", "--code", + help='UEFI code image', + required=True, + ) + parser.add_argument( + "--no-default", + action="store_true", + help='Do not enroll the default keys, just the PK/KEK1 certificate', + ) + parser.add_argument( + "-V", "--vars-template", + help='UEFI vars template', + required=True, + ) + parser.add_argument( + "-o", "--out-file", + help="Output file for generated vars template", + required=True, + ) + parser.add_argument("-d", "--debug", action="store_true", + help="Emit debug messages") + args = 
parser.parse_args() + + FlavorConfig = { + 'AAVMF': { + 'EfiArch': 'AA64', + 'QemuCommand': Qemu.QemuCommand( + QemuEfiMachine.AAVMF, + code_path=args.code, + vars_template_path=args.vars_template, + ), + }, + 'OVMF': { + 'EfiArch': 'X64', + 'QemuCommand': Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.SECBOOT, + flash_size=QemuEfiFlashSize.SIZE_2MB, + code_path=args.code, + vars_template_path=args.vars_template, + ), + }, + 'OVMF_4M': { + 'EfiArch': 'X64', + 'QemuCommand': Qemu.QemuCommand( + QemuEfiMachine.OVMF_Q35, + variant=QemuEfiVariant.SECBOOT, + flash_size=QemuEfiFlashSize.SIZE_2MB, + code_path=args.code, + vars_template_path=args.vars_template, + ), + }, + } + + eltorito = FatFsImage(64) + eltorito.makedirs(os.path.join('EFI', 'BOOT')) + removable_media_path = os.path.join( + 'EFI', 'BOOT', f"BOOT{FlavorConfig[args.flavor]['EfiArch']}.EFI" + ) + eltorito.insert_file(args.shell, removable_media_path) + eltorito.insert_file( + args.enrolldefaultkeys, + args.enrolldefaultkeys.split(os.path.sep)[-1] + ) + iso = EfiBootableIsoImage(eltorito) + + q = FlavorConfig[args.flavor]['QemuCommand'] + q.add_disk(iso.path) + q.add_oem_string(11, args.certificate) + + child = pexpect.spawn(' '.join(q.command)) + if args.debug: + child.logfile = sys.stdout.buffer + child.expect(['Press .* or any other key to continue'], timeout=60) + child.sendline('\x1b') + child.expect(['Shell> ']) + child.sendline('FS0:\r') + child.expect(['FS0:\\\\> ']) + enrollcmd = ['EnrollDefaultKeys.efi'] + if args.no_default: + enrollcmd.append("--no-default") + child.sendline(f'{" ".join(enrollcmd)}\r') + child.expect(['FS0:\\\\> ']) + # Clear the BootOrder. See #1015759 + child.sendline('setvar BootOrder =\r') + child.expect(['FS0:\\\\> ']) + child.sendline('reset -s\r') + child.wait() + shutil.copy(q.pflash.varfile_path, args.out_file) diff --git a/etc/default/incus b/etc/default/incus new file mode 100644 index 0000000..c3cc267 --- /dev/null +++ b/etc/default/incus 
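Review bot: `pexpect.spawn(' '.join(q.command))` flattens the argument vector into one string that pexpect re-splits, so a value of `--code`, `--vars-template` or the ISO temp path containing whitespace or quotes is split incorrectly; keeping argv boundaries with `child = pexpect.spawn(q.command[0], q.command[1:])` avoids that. The `'OVMF_4M'` entry of `FlavorConfig` is a copy of `'OVMF'` down to `flash_size=QemuEfiFlashSize.SIZE_2MB`; since explicit code/vars paths bypass `_get_default_flash_paths`, the only effect of that field is whether `-global ICH9-LPC.disable_s3=1` is appended, and `SIZE_4MB` was presumably intended for the 4M flavor. All three `QemuCommand` objects are constructed eagerly, so each run copies the vars template into two temp files it never uses; building only the selected flavor's command would avoid that. `child.wait()` after `reset -s` has no timeout, so a guest that does not power off hangs the generator indefinitely.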
@@ -0,0 +1,9 @@
+# INCUS_OPTS can be used to pass additional arguments to the daemon
+#
+# Common options include:
+# --group GROUPNAME # Group of users that can control Incus
+# --debug # Debug mode (noisy)
+# --verbose # Verbose mode
+# --syslog # Log to syslog
+# --trace # Trace mode (very noisy)
+INCUS_OPTS=""
diff --git a/etc/logrotate.d/incus b/etc/logrotate.d/incus
new file mode 100644
index 0000000..f15ab30
--- /dev/null
+++ b/etc/logrotate.d/incus
@@ -0,0 +1,9 @@
+/var/log/incus/incusd.log {
+ copytruncate
+ daily
+ rotate 7
+ delaycompress
+ compress
+ notifempty
+ missingok
+}
diff --git a/etc/sysctl.d/50-incus.conf b/etc/sysctl.d/50-incus.conf
new file mode 100644
index 0000000..3829fa4
--- /dev/null
+++ b/etc/sysctl.d/50-incus.conf
@@ -0,0 +1,10 @@
+fs.aio-max-nr=524288
+fs.inotify.max_queued_events=1048576
+fs.inotify.max_user_instances=1048576
+fs.inotify.max_user_watches=1048576
+kernel.keys.maxbytes=2000000
+kernel.keys.maxkeys=2000
+net.ipv4.fib_sync_mem=33554432
+net.ipv4.neigh.default.gc_thresh3=8192
+net.ipv6.neigh.default.gc_thresh3=8192
+vm.max_map_count=262144
diff --git a/patches/edk2-0001-force-DUID-LLT.patch b/patches/edk2-0001-force-DUID-LLT.patch
new file mode 100644
index 0000000..3c99034
--- /dev/null
+++ b/patches/edk2-0001-force-DUID-LLT.patch
@@ -0,0 +1,34 @@ +From a27ea9e98aefe5e49de1bd92b4c56f6141c3217c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Thu, 4 Jun 2020 15:02:27 -0400 +Subject: [PATCH] dhcp6: Force DUID-LLT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +LXD VMs set the SMBIOS UUID but guest operating systems usually do not +use it for DHCPv6 DUID. As we have users who need to be able to use +MAC-based config in their DHCP servers, we'll just force the use of +DUID-LLT instead. + +Signed-off-by: Stéphane Graber +--- + NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c +index d249a1cca7..35d785df91 100644 +--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c ++++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c +@@ -58,7 +58,7 @@ Dhcp6GenerateClientId ( + // + // If System UUID is found from SMBIOS Table, use DUID-UUID type. + // +- if ((PcdGet8 (PcdDhcp6UidType) == Dhcp6DuidTypeUuid) && !EFI_ERROR (NetLibGetSystemGuid (&Uuid)) && !CompareGuid (&Uuid, &gZeroGuid)) { ++ if (0 && (PcdGet8 (PcdDhcp6UidType) == Dhcp6DuidTypeUuid) && !EFI_ERROR (NetLibGetSystemGuid (&Uuid)) && !CompareGuid (&Uuid, &gZeroGuid)) { + // + // + // The format of DUID-UUID: +-- +2.25.1 + 
diff --git a/patches/edk2-0002-logo.bmp b/patches/edk2-0002-logo.bmp new file mode 100644 index 0000000000000000000000000000000000000000..476d27690557b28dc86856d69f7106c5f13711ae GIT binary patch literal 331914 zcmeI53G@}!eaA<$b&)1%8k&Wstxe1+$+3+&Hl!XS;gnDgA;b{TkQgXb14fB}pjc!T zWJd%91Qby=k$qGABjN%Iq6jJwgG5n55)-o+qS^YTuMESR_vZfY++~*cedjOEn|J3f z-?{gG=HB_;-)+-z+y~wh9RG~Ne}nN~>(hhaA^iWe;3N1KAN)S_jNt$NtDHFg@1IWm z{okoJ?Y`0fURn9CH;&fgNjuo|ibP4vdxxP=PEJFyt2~cI?=(1{sK9GHS&f!mD@+ zY+n4EoHD$4U3Y;7N=~!dw21G*a@Cla z87g2w0W16h!v6TjKi+!ltrjwr*C<+jKG?Z|{3@^lBO2Z2D6dV6`Jw`86|luGAPm-t zy?gggn~}U zcI?>aYJIRy`L)+xd+V*YfF!NY?|%2YtFF4Leu9Pk<%S=SUu94L-Z}W80#u-J6zI{T z$C4#WjvP56r`W!I`%0$I#35zqy`2ti3K99ng(a()EDjZ*0wM+G%$f6>-~2{Mu@NIi zh$1aWpqXRHuQDj`@UntbIA)UyPyyQt^y<}1IHP#*;6dAoXBpp&o66987h;IyG?V04 zmaT|sQ-Q1%fWLaY;gXEPCQX`@b!M%lPkuSYinqwgFKbPL5mA9+Du7K@B>aN;M={G+ zBiH1YH^ewii2SNixp|5TG?D^X;q}v>{#1f67&n$f81l<0R=h<{ewCv=vJ_OnM1h$z zXG-{08bd_#%Nt^xCPaRjw0d4k12n$S-e*aheeMm3dQQ2B<(D6ll?+#hY)wsYDo@`nGP} zIu98($piW26f52$C%;Tu0k5S3Wl{jH4wd{ufE6nW@A#Yi@`f0v36WoA>VH@kDqx~O zmo8nfbEOhtZ@lpa-j|sql=-#fms6~Gi=6z*yeTmQR3JYJJpcUjN`4{0O*h??pFF3? z3Hjv>F-{XAzfx3wUP1-Rs=&mF6D9oGy?b||6(GNyV#QnJ?(kX!Jqx? 
zXG(MyeYVf)ozJxJdZJICK5$qEWu{G=hJObS9*n)2&N=6td}i2suFgF3Ol>~}ShHqLarGg;oMOdWjl$OS4+3gn0v{ z2$*V6ijY-+J$v?qN+ukP8#gYi92%zUjb8(M8|JiNmw)>kW#(6_R;|!8%XiI7Xgigk z(8KTDyLbHf@yWOO7r*$0GODRlrzS_D{PoT|?^LFOVP--+S6+D~I&I;87Rt0RT*YK# zLUJyC`r!|MsLUA3STAWj(odg0{l`E4u`&`#0H_Ur5g6vzOU}{xXP$i?HbYnm>QOMA+h5 zagbm2s;=SrQt}JKF7%?37GV+w58LRbYR<{$oL{iYz3KniNfVtv8MrnqRQ^73zs#1-0TJ zzrqG<_n>6_f>8uaYBd&l;8$OLH5_Z?kY8AoZP5->E(=0p z#VteL_=TrjIPtb#UU`J*U>!NEkn;=kPX33Vp+uNSoIQKCqgGs8eqoV#D3SaCi((up z=_p$A%aO3<;1}lZ(hV-KUKMSB<;s;<2HUr9Up&`gq<~MyjvZm7cgroetX{nuF0$p3 zBRuX@-uNY)G{Z{dr=NcMo_p>YGiD4HN4Ia^9@dqZmHp0lzB6ptu!Rd3!XzX0>qSTF zkA(cf%3|T#WO&usvSkaLuD}roJZPPN{`s(khZMbg_l658R24j>Bs*`Z*AL^(qhuv@ zik4nbe!&@6J*|?@qY^rL97-X+-YHGMKCO}MBlD7en5bJ{rcsKUqCa;TctqsD@G-Fr-05xsK#~IT?Z2gr4-R5aEv?v zi*aoY&j|Si@>b=i>g!u?y#>N1tm%v96LystOuh8dOI495zhV@8-g)Omqq1^bP<~0W zT~AUxOIVT4PbA*>wflkKi=Wpk(-+SP+Fel8zmWq9?|%c&##*m{(d}StrFV}{gvN?j zm`f$&01xmO$kc0h;dwv)H$WNKmV}AM4_KS1w+x91uay;e}nvuQm%?A*DtRy66)N%$2ndw2%xi7=c@pL`Htwi$&ABa|Fi zw*W69zhILo(W+jUVp(zcK{ykBVI&UA7C|EFAj_98uXm&4 z=V7#9*Sl2V_=Qz?k~#LcbkQ@eS0$+Lx;TVqexX0Vd024TY0~^5*$m9k^G7sj?Cv$qB6QW_RlXM?7uG7DA4=f7u+*b-GO@> z>EtsZ>->UIoTRG5k*}>M?P#4qKm5cKPe?Kl50e$YF!ADIABv$vhsrHFu)j=HMw8=o z{K5#xMSZ|~wD^s#c?RYp=bn46Nx`Gn7LH%G+$O_9II2T#k2B%d?xx`Uf76iUV}Bbw zvYZG@QouUDgwAK&`S8ILV7e|eD}G@OuST8L2`XQLhy6-)B2EgMLVQ@i_v+OvDblpR zp)z0-nVP_gpTu}AZ93K06^maGKf#=)B9t;fB^a!TtF_4G_e}VOAcI0kEb^8s>->V(i+Imabp~$6Ek5hU+XoCFF_lr3sPbzj{IWZD7nef*Ty1NouoV2V zJ9k$l0?aantHWTpXlwebSp0hU;fIy20~HAqyvkshOu*vAs#}o5uUYX69lNeA2WB0; z;h=B{S?3q#VU(5J`kSwK1Hp`(G8V9<6L#G>wPt^1C=}!h+i<*lz0Qc{yTH$&aJ0g^!&z+8|&SO{G88_UtolmEeAxS zEk`}D+T|BURneMU?-=u19%?c=qmMosO|;%ItnRI> zM9MGD@CKVaEt-Mk_M9izHiq zp*Mzwy!>I1MGMuzjvuaVrjG1dQ8v!!r%)od{dWBe&K}| zUMO4GnP=J+K1g=gz^2j6cBFE3{+O^9(2SwqR)KHZ%eIB;ORD#p*?^^JKR3c)WtMoK1@XU&=w z73B8YZ;y)>KhxCI6ul~M$2s8_5H@AFhF=cIc;moRI`H_Aq@m8(TMzhDS0F`4M!zrW%p+4~tb67gQT<{6*-vhtEe zOQhk$hu181)k&=O)rvMASjaC}_4^!#SMs@a>(;9B*8I9)!Gd_Xw9XWQUlNzsq2)%j 
z_(CfV_@s(nm8;`i@r$+`smF|V`GqP9|KT)FlzVJEv>m#A~;ZLx) z4=+h^AmkUUDN;mkcuCi;UBhA~9AFDJ!-VqBFG&uoEH|Q>2(37irTI%sj(J!>lFKqRm&@)tif-Qm1nk?Lp%p1S5@)0Lo$ZY6LSjaD!0r;!~ zVOn^2P}WcLL8ycdHK*pnd^$bo(xr=Jp1;a+Bbp_l700Gco1$0c=QxM_0!pTg(6i<6 zyxDOMVP~CRa6ql>9}r;V$dTSEGxp?_WXT)9JP$uZotG?GBGJLnjjfPhg9Z%>Gv@O^ zGH`%OhD$th&M(PUm4JAHi7c!*B&-zm$3AmvE~}SFu7Lves#B_0O&iMs|-9lTAO=>8+7=NL@37>K+m4D~Xovyodyo^>h zG;jREj!Q0@q$EzsQn;f>k4mDd7e>Oby?gi8yWI784EdEc0Rc8_*kF>A-11A}1QLw} zkD!v`3%w%CBa|d+B~1SL1%!Q1XCqM9ax88WFQB=ZUE)lO?;C!!H zvu0N6XH_I{YNyPMH-0%PV^xuBewDafzzX!5*9uQc_=WCW7@PHA*Is+AvL+yap%F_y z`6b+{Qfs&*0V4Fo%5m$r(j>w{@C&va7wFh>eB{H&*Yg5=jq~S-U#MDe5+!l?P}P~> zQ4RY}!a{HG;KAm;(8C&@AAVuoO_(eH2S<(^sS-T?6`t!%GA7}d6(8^EGTEn3pLmhu zXAIXk zUl3jHJ2zh8aRx>g=u6>1{<-I#gG-;)t5;*bea@UYc!e=>;>1y-MuBm#g@A`cEq9aORln1}aYd-m+HT{3BW0|pF`)DY$B-Q@IgIR3)> zWo5zB8CnRfI54ia_(mXEf90>m;ujFs>r!QzP6lWkTMpO!s%Q#pWX!88n@_d@yzwi; zRxH^az;JPvWd88^=bt~>*!&*daKjCfYG$|(THg32+^SN`awB@*gjO7w{EuFh;c?;k zwWld)`y~y*ntv$Rd{6mDVSe}p-Qm1QV!SQsTO5V)#xFw$?;4dj7F6Q1?(pHmvFkKW zNcd&$;9Vm_rv}BFQ%U{7%hpq`)BBb;eyv!sLRo5E%Z;ca!dY23pNw9W;c?;kMOzLi z5dZVWFVt1Iyn`8r#PPMVt+@!`jbDBH_RXZ_Vo`%+6rAD>ezZ6eeqn7z^b()P@LDFR zJXpYJlB-9AbrXj7U1G%n<>7V8L|9wb7Li}*y>)Flx_-SzpC6|{anJbVSEcTC z@812Xr=H3o#U@RfWY{`{{x>ibHB2boU@UFxpAql^5U#`09Dw9-FUyDucCAFec zr%tJpz=iqY7d*2`oL3t@v{bYbZjg$Rnu)ent}QgbbZt34{Gs5%lG<`)&abdGVzWH# zX}EOhQrO$WMK*?Jl6EKQi-cheAGuKwAs}||-W`_O=K*{oNui8=c=7(P!H*QqkbPR{FtlO~2xE#+U%CrywZ_3QmGK`_n{K61S*DuGv zex{s$Ir77=niaA`hYn~I*sK|5W0;?Z{VhJ&AXxW<9!c4dsDkDOm{MPi_44ENa5Dn0^Z`J3eBmz9BG9{45X2r#FsWO8_+6^HpqKRFx8zm|qy7=mqI z8+`H~l8bxFum94rJhmK-z^@S_Mkx7(nWag zEyu-QE6FTkBk&8p?3Ar()~s3P?MI7WSSDbeqA&({qg5(^09Fi}<@`d5*l}A}1oL1L z-}}fCOk2&<%A8;Dee{esBn>iqgXGu&b18KMjen_|7~%Eq-CIZSxc*F~Db+vJM~s zmK++cT&`p$bACzQ^ucDy+~&5X_(CfVtZKnHv1SaePnM5gK-iVtHDr7DyMy^t3XibT z^9wJ(l(^^kxU@krpb&Q5aO#ydk(1YH@e41cU>JGwVrNIf*MGLG z`m^O1rluu#+`8pP^zI4YzTI`#UD2z&9hZ_{u;plXfrf;C^Vh+HONx!K((_B=e*jzi zY25YtL3R0sHxzB!w5cDTgbkY~g>H7&u3Z+&nHa@{2@@p!Il|x$CdMTF 
zFeWkH9{q5A`t(ue0RavjI;0=Bg)2(QuZk_lr~XkxAJ}p{bzgxI zR&IWE?AQ_0bjo%#ckWz`TV6k?F29g5*Kfh_jIAtwC4iyZs8AJMexV~BHEL9Nx%C4O z{Eau>kcfblP_|slX2>rrjeqBzca-IIWVsQ&eL^dae*OAIukv$TR(=6t>*nkE<>>NN z^2<-9(@q7R29*u@?YG}<)vA?t)U_^1!7udQ@Qzh0G7IOfzy5mV+-XIhqeqXzL5GDT zb?oQETLVKxcdJ?D1UKAsIjUZU{1Td3I2iT0vR+CA=FJuh9t*|u7RvyB5+P7~n-|*USyT&k49O#a}D!0bb zEFuP#ctS|H`{7R*v%uMAv>+zOS@BD_Ri!)2ji_jNCXv|iV}``m17tMyG*{%6mJ3SHeuM6Nvtj_ zy*GwG7VXf|@e4V@esFfH1{Tsv{5Drau)CN#D}Id|H?C5g8-Me@2;K3Sdngw08YL)P*8)n94Nu6?aYJQ=& zIe74(`P$)1ZU7?)p4@{)f4$|FTTUs4*_YJ(LYCm<$}I7dR|8(yXq@t67!bl0n4}vIZvhBy%XTHqXD0j- zde_GedSO0297q}k?uBbZ+^Ui`2)}@^+2izVIffLo3);|kq2ek=!owr<_pqld;zXpHNDe#!RAQ9)2`x^(H1qL|5-_~(~!t4fr&Wy_Yy znYa6^+=|2Q6mD`U8i!v%*bjOpi*d@Yu;rLHxiF)!4EYu9MlcY-v-nMs4VDFnohs33P*U6T4_~IJRgkeIjdtkY6YQhJID~iGPK^zWeUG4>s@# z1691`!OK2LZ1MOV`EHW%YsZcqxW#yci03ML1}`xID}RXTc=)8mHXSBY&o^31QAmE8O! z%*ElOz(wnj^9!lNl*I~*QwV~G0V}Q!YicOx7bcA*3(Qj#P;!Yar(rck@XRkzNm7?Q zTW&;^NuDka@7JI~gQ8ctJ8m?7Rctvv_!xuRb%JW~3lVD# zK*Ba|c!2Tj<(FTsQ!Kr(a(*FRi~%K{(hZ9ozZ~3jF#r#h^2{%xvs}-X8=)FFkTeb4 zrtRCeN3U{s+<^Q_W6N=M-e(aTieHBhABH=6ca1{QNHOUb%>c~BFWr5^0MrlIm4`U49{+)~#C$ zU*BkzHy#+1Y#TOgsF!n#=Y8@E&MV?2jh}&ui^T$_h)QV1v1G}T6p`y*(y;u3EysVh z)=(?wwj8ec1-CpY48!8B&*TiAPT@{UfDzc^E z7cPYLJLZm37f^B`{7jA>Jv!~Z)w|9ozhL$tDSq$Xz4gjqJ2Y&TB>BW7iS3kY#MiL= z!Vqld`k>{fYG_jL6awQCT$sZ@*ZhJe=r&>Qj;AklAd(7fF$^sC@Yq?;6u;j6N_{>x zzmOsp1;DD%V%fu}(7z2IK0I}ybT3TDuSzQLo1wdaD=cQh0ft>LS%hyE-Lj+(?~Pwr z_m@!c@FxttQp+ zSRAust;B!<1FACV`l~m7Nw%s)Rk5|houO{1jgoqchYiDol$SR+ztHo~91$wl*S+=2>}c&aX-mLxv22ft<6$iHYPR=cU#iDiBRhRq%!usi$A?MSUBP)JIYd9Xcv4%wyvx-4vi zD+d<(H<-ll*|P_0QSo-e-1TcTW4gz-_*F?4uY}-53Z~ImYb@DC8lx>x58b|t-NfWl zSm9Tg9NZD(p&jLd<)rdC2h+tcWyAn~;>3xWJivt6_QS6*IUeXLKz@N=_-p@V4drrZ z%aI3u#TCSJ8vF}kTltwYXD(j67_Oo)r-Tno^>B>M7IA*quwgI-cm13e&s)M7yZow3 z2!$OpW(=0_z}^fV6rl$G#WB`F!^f1}?Zc{)*7|CfU(uuibkqt=u|fn?gVn27uUoec z2k_#Eu{_rB=BF}{U(p+v!(;NR!ms1D9A|0VpMU;jzHB-2$uA8-^Ayx6zw%Vjq`bJ} zS5m4u`;Gj{*$t`A4*6B#7yjM2u)ww)o`k$65se#vi{G9>v0iO4UAKz=D3 
zOSS>XuQ+H@*m69XwO?CF9@8ubTYA$+;8sY&iyfKTCv>Ultn@`2{h_FNi>XS!`A= zq9VWQ@eAh%=y-aDEywK>Gea2pWwCXTUl5c0f(Yc7#b)IqD)K9VU-;?kIvdnyXv;x< zS!^BT7sMpLAOiViv01r@$}_*376!SBsBkTwV{!XJX4iep$S;HBOuIg#0W$+e^{IYl- z$uEdWenABC%VM)~5f%AmT~+eSx}=^XB)=dy`2`WkFV9U+H#zc4S21OH@=GaE&I6EN zxIyF>L?FL%-c-pi>oA6(@l>2(p5|up8Qful=A@O7j6*w z1rf-voHteS%lZu>zpP8@IYROaf|Fkmf&B8^^mLOWzjPH-h9|$266HJq`Gp%qenABC zE9Xs>{IY(7$S>=XdXA9%g5cyAL?FLBH$C0t$S+;Rl;O!Qr9?RoKz`u{kzWvj{K|P# zCBLlSAo9z)q@E)rzaTjI1rf+E&rMG^InVsMYf3PCeEI*9eFD4qmHsz$Ykop_@(bdS zUl4)(N@yl|_{lTBTy))x6AF-D7F!ef1u@Alh(LZ>Y*sF!BEQOkKl00B>ma`%Ciw*s z$S;e{%0*P<7y0F)UKKh{@(Z_*{DKJNSI!$U`9*%^yo&nI-q4{#cc?zwwr%sDF`p?e zU%p(W!H)U!=ljf(|Fjk_UaS;h#*7*MGsYAv3Xosq7uy0ApaN8&hzgKj$=DnNdbUu*?bfC^B7A}Tdl3bgusuyaGPJMab{e2wVWi1n6brUF!e3P6FIN047d zRRETU&6=?mQvoVK1sYTVbbv5mYw%G_5sSZlZP4L@2CcL#HWi=(RG^~3r#~I6yORhj zk^)bx3A%lg^_L1z0V+TRg68iH?wAxj+f<}JyoiG)D|v2O9JK#3D=ihE0#twsoK)bu zorAUWf<2_zrkrwo>xy9bHGJoFvc~d=3Qz$m5LKYfzX#+0Cs;E5_@v_Idx9-X`In^v z_um~Xn-yS@GS_)UYblSZ02QDDRDcRl0V+TRr~nn90#twsPys4H1*iZOpaN8Y3Qz$m zKn17(6`%rCfC^9nDnJFO02QDDRDcRl0V+TRr~nn90#twsPys4H1*iZOpaN8Y3Qz$m zKn17(6`%rCfC^9nDnJFO02QDDRDcRl0V+TRr~nn90#twsPys4H1*iZOpaN8Y3Qz$m zKn17(6`%rCfC^9nDnJFO02QDDRDcRl0V+TRr~nn90#twsPys4H1*iZOpaN8Y3Qz$m OKn17(6`%sH75HD%d~?wN literal 0 HcmV?d00001 diff --git a/patches/edk2-0003-boot-delay.patch b/patches/edk2-0003-boot-delay.patch new file mode 100644 index 0000000..7ac01f8 --- /dev/null +++ b/patches/edk2-0003-boot-delay.patch 
@@ -0,0 +1,29 @@ +From ee3d02a41cdad0c2dac00a2f8114d8d24d022e33 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Thu, 20 Aug 2020 16:40:47 -0400 +Subject: [PATCH] X64: Bump boot delay to 3s +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + OvmfPkg/OvmfPkgX64.dsc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index b80710fbdc..74b6647209 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -597,7 +597,7 @@ + gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Size|0x800000000 + !endif + +- gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|0 ++ gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|3 + + # Set video resolution for text setup. + gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoHorizontalResolution|640 +-- +2.27.0 + diff --git a/patches/edk2-0004-gcc-errors.patch b/patches/edk2-0004-gcc-errors.patch new file mode 100644 index 0000000..8c6488a --- /dev/null +++ b/patches/edk2-0004-gcc-errors.patch 
@@ -0,0 +1,26 @@ +From 64d00c06e8b66402c109f6a251876256915f2049 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Thu, 4 Mar 2021 19:38:13 -0500 +Subject: [PATCH] GCC: Disable maybe-uninitialized errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + BaseTools/Conf/tools_def.template | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template +index 933b3160fd..cba2cf19a8 100755 +--- a/BaseTools/Conf/tools_def.template ++++ b/BaseTools/Conf/tools_def.template +@@ -739,7 +739,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --a + *_*_*_DTCPP_PATH = DEF(DTCPP_BIN) + *_*_*_DTC_PATH = DEF(DTC_BIN) + +-DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common ++DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common -Wno-maybe-uninitialized + DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie + DEFINE GCC_LOONGARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -fno-plt -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections + DEFINE GCC_ARM_CC_XIPFLAGS = -mno-unaligned-access diff --git a/patches/edk2-0005-disable-EFI-memory-attributes-protocol.patch b/patches/edk2-0005-disable-EFI-memory-attributes-protocol.patch new file mode 100644 index 0000000..e9078b2 --- /dev/null +++ b/patches/edk2-0005-disable-EFI-memory-attributes-protocol.patch 
@@ -0,0 +1,29 @@ +From cb5e0080ffd3f522f83b8e9273eac10e132ce7c7 Mon Sep 17 00:00:00 2001 +From: Alexander Mikhalitsyn +Date: Thu, 7 Sep 2023 09:07:08 +0200 +Subject: [PATCH] edk2: disable EFI memory attributes protocol + +https://github.com/canonical/lxd/issues/12211 + +Signed-off-by: Alexander Mikhalitsyn +--- + ArmPkg/Drivers/CpuDxe/CpuDxe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ArmPkg/Drivers/CpuDxe/CpuDxe.c b/ArmPkg/Drivers/CpuDxe/CpuDxe.c +index d04958e79e..c01d571379 100644 +--- a/ArmPkg/Drivers/CpuDxe/CpuDxe.c ++++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.c +@@ -244,8 +244,8 @@ CpuDxeInitialize ( + &mCpuHandle, + &gEfiCpuArchProtocolGuid, + &mCpu, +- &gEfiMemoryAttributeProtocolGuid, +- &mMemoryAttribute, ++// &gEfiMemoryAttributeProtocolGuid, ++// &mMemoryAttribute, + NULL + ); + +-- +2.34.1 diff --git a/patches/lxcfs-0001-hook.patch b/patches/lxcfs-0001-hook.patch new file mode 100644 index 0000000..ee70664 --- /dev/null +++ b/patches/lxcfs-0001-hook.patch @@ -0,0 +1,20 @@ +--- /opt/incus/share/lxcfs/lxc.mount.hook 2023-09-11 18:08:27.114252754 +0000 ++++ ../lxc.mount.hook 2023-09-11 18:16:42.535196861 +0000 +@@ -38,9 +38,17 @@ fi + + # Allow nesting lxcfs + if [ -d "${LXC_ROOTFS_MOUNT}/var/lib/incus-lxcfs/" ]; then ++ rm -Rf "${LXC_ROOTFS_MOUNT}/var/lib/incus-lxcfs" ++ mkdir -p "${LXC_ROOTFS_MOUNT}/var/lib/incus-lxcfs" + mount -n --bind /var/lib/incus-lxcfs "${LXC_ROOTFS_MOUNT}/var/lib/incus-lxcfs/" + fi + ++if [ -d "${LXC_ROOTFS_MOUNT}/var/lib/lxcfs/" ]; then ++ rm -Rf "${LXC_ROOTFS_MOUNT}/var/lib/lxcfs" ++ mkdir -p "${LXC_ROOTFS_MOUNT}/var/lib/lxcfs" ++ mount -n --bind /var/lib/incus-lxcfs "${LXC_ROOTFS_MOUNT}/var/lib/lxcfs/" ++fi ++ + # no need for lxcfs cgroups if we have cgroup namespaces + [ -n "$LXC_CGNS_AWARE" ] && [ -f /proc/self/ns/cgroup ] && exit 0 + diff --git a/patches/nasm-0000-disable-manpages.patch b/patches/nasm-0000-disable-manpages.patch new file mode 100644 index 0000000..831cc54 --- /dev/null 
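Review bot: Commenting out the `gEfiMemoryAttributeProtocolGuid` / `mMemoryAttribute` pair in `CpuDxeInitialize` stops the firmware from publishing the EFI memory attributes protocol, which a bootloader uses to tighten page permissions on the memory it loads; the patch therefore removes a hardening feature to work around the boot problem in the linked report. The commit message only carries the issue URL, so the trade-off and the exit condition are undocumented; it should say something like `Workaround: disables the EFI memory attributes protocol so guests affected by the linked report can boot; revert once the loader-side fix is available.` A dated TODO in the patch header would make it visible when edk2 is next rebased.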
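Review bot: The added `rm -Rf "${LXC_ROOTFS_MOUNT}/var/lib/lxcfs"` and the matching line for `incus-lxcfs` run with host privileges on a path whose components below `${LXC_ROOTFS_MOUNT}` come from the container image, and the `[ -d ".../" ]` test with a trailing slash follows symlinks, so a rootfs in which `var`, `var/lib` or the target directory is a symlink would have the delete and the following `mount --bind` applied somewhere other than intended if that link resolves from the hook's own root. Refuse symlinked components before touching the path, e.g. `[ -L "${LXC_ROOTFS_MOUNT}/var/lib/lxcfs" ] && exit 1` with the same check on the parent directories, or canonicalise the path and verify it still starts with `${LXC_ROOTFS_MOUNT}`. The unconditional `rm -Rf` also discards whatever the image shipped in that directory, which deserves a one-line justification such as `# lxcfs needs an empty mount point; drop anything the image placed here`.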
+++ b/patches/nasm-0000-disable-manpages.patch @@ -0,0 +1,14 @@ +diff --git a/Makefile.in b/Makefile.in +index 860d4d26..a6337256 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -365,9 +365,6 @@ manpages: nasm.1 ndisasm.1 + install: $(PROGS) + $(MKDIR_P) $(DESTDIR)$(bindir) + $(INSTALL_PROGRAM) $(PROGS) $(DESTDIR)$(bindir)/ +- $(MKDIR_P) $(DESTDIR)$(mandir)/man1 +- $(INSTALL_DATA) $(srcdir)/nasm.1 $(DESTDIR)$(mandir)/man1/nasm.1 +- $(INSTALL_DATA) $(srcdir)/ndisasm.1 $(DESTDIR)$(mandir)/man1/ndisasm.1 + + clean: + for d in . $(SUBDIRS) $(XSUBDIRS); do \ diff --git a/patches/nasm-0001-old-autoconf.patch b/patches/nasm-0001-old-autoconf.patch new file mode 100644 index 0000000..dbd20af --- /dev/null +++ b/patches/nasm-0001-old-autoconf.patch @@ -0,0 +1,21 @@ +diff --git a/configure.ac b/configure.ac +index 42cd198..54d62b9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1,6 +1,6 @@ + dnl Process this file with autoconf 2.69 or later to produce + dnl a configure script. +-AC_PREREQ([2.71]) ++AC_PREREQ([2.69]) + AC_INIT + AC_CONFIG_SRCDIR([config/config.h.in]) + AC_CONFIG_HEADERS([config/config.h]) +@@ -175,8 +175,6 @@ AC_C_INLINE + AC_C_RESTRICT + + dnl Checks for header files. +-AC_CHECK_INCLUDES_DEFAULT +- + PA_ADD_HEADERS(string.h) + PA_ADD_HEADERS(stdarg.h) + AC_CHECK_HEADERS(inttypes.h) diff --git a/patches/nvidia-0001-Fix-for-22.04-build.patch b/patches/nvidia-0001-Fix-for-22.04-build.patch new file mode 100644 index 0000000..76006e3 --- /dev/null +++ b/patches/nvidia-0001-Fix-for-22.04-build.patch 
@@ -0,0 +1,36 @@ +From 93866d1908e963d73af829c37e1c99d12ae661eb Mon Sep 17 00:00:00 2001 +From: Stéphane Graber +Date: Tue, 28 Feb 2023 01:16:25 +0000 +Subject: [PATCH] Fix for 22.04 build + +Signed-off-by: Stéphane Graber +--- + Makefile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 00d561e..8710bfd 100644 +--- a/Makefile ++++ b/Makefile +@@ -18,7 +18,7 @@ + ##### Global variables ##### + + WITH_NVCGO ?= yes +-WITH_LIBELF ?= no ++WITH_LIBELF ?= yes + WITH_TIRPC ?= no + WITH_SECCOMP ?= yes + +@@ -168,6 +168,9 @@ ifeq ($(WITH_TIRPC), yes) + LIB_CPPFLAGS += -isystem $(DEPS_DIR)$(includedir)/tirpc -DWITH_TIRPC + LIB_LDLIBS_STATIC += -l:libtirpc.a + LIB_LDLIBS_SHARED += -lpthread ++else ++LIB_CPPFLAGS += $(shell pkg-config --cflags libtirpc) ++LIB_LDLIBS_SHARED += $(shell pkg-config --libs libtirpc) + endif + ifeq ($(WITH_SECCOMP), yes) + LIB_CPPFLAGS += -DWITH_SECCOMP $(shell pkg-config --cflags libseccomp) +-- +2.34.1 + diff --git a/patches/nvidia-0002-pre-load-libdl.patch b/patches/nvidia-0002-pre-load-libdl.patch new file mode 100644 index 0000000..edaafe4 --- /dev/null +++ b/patches/nvidia-0002-pre-load-libdl.patch 
@@ -0,0 +1,29 @@ +From cc121b63d1d010e91ef113db12c91141d98fb7b0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?St=C3=A9phane=20Graber?= +Date: Mon, 20 Mar 2023 13:36:31 -0400 +Subject: [PATCH] driver: Pre-load libdl.so.2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Stéphane Graber +--- + src/driver.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/driver.c b/src/driver.c +index 706f141a..73881978 100644 +--- a/src/driver.c ++++ b/src/driver.c +@@ -122,6 +122,8 @@ driver_init_1_svc(ptr_t ctxptr, driver_init_res *res, maybe_unused struct svc_re + + /* Preload glibc libraries to avoid symbols mismatch after changing root. */ + if (!str_equal(ctx->root, "/")) { ++ if (xdlopen(err, "libdl.so.2", RTLD_NOW) == NULL) ++ goto fail; + if (xdlopen(err, "libm.so.6", RTLD_NOW) == NULL) + goto fail; + if (xdlopen(err, "librt.so.1", RTLD_NOW) == NULL) +-- +2.37.2 + diff --git a/patches/seabios-0001-CSM-memory.patch b/patches/seabios-0001-CSM-memory.patch new file mode 100644 index 0000000..96d2f88 --- /dev/null +++ b/patches/seabios-0001-CSM-memory.patch 
@@ -0,0 +1,58 @@
+From f6c665e25660aac8f9d5f9d7826549bb58f9b0b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?St=C3=A9phane=20Graber?=
+Date: Wed, 7 Jun 2023 22:53:58 -0400
+Subject: [PATCH] malloc_high() cannot allocate any memory in CSM mode due to
+ an empty ZoneHigh. SeaBIOS cannot find any disk to boot from because device
+ initialization fails.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The bug was introduced in 1.16.1 (commit dc88f9b) when the meaning of
+BUILD_MAX_HIGHTABLE changed but CSM code was not updated. This patch
+reverts to the previous behavior by using BUILD_MIN_HIGHTABLE in CSM
+methods.
+
+Signed-off-by: José Martínez xose@google.com
+---
+ src/fw/csm.c | 4 ++--
+ src/malloc.c | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/fw/csm.c b/src/fw/csm.c
+index bc14a92..579debd 100644
+--- a/src/fw/csm.c
++++ b/src/fw/csm.c
+@@ -150,9 +150,9 @@ handle_csm_0002(struct bregs *regs)
+ for (i=0; i < csm_compat_table.E820Length / sizeof(struct e820entry); i++)
+ e820_add(p[i].start, p[i].size, p[i].type);
+
+- if (csm_init_table->HiPmmMemorySizeInBytes > BUILD_MAX_HIGHTABLE) {
++ if (csm_init_table->HiPmmMemorySizeInBytes > BUILD_MIN_HIGHTABLE) {
+ u32 hi_pmm_end = csm_init_table->HiPmmMemory + csm_init_table->HiPmmMemorySizeInBytes;
+- e820_add(hi_pmm_end - BUILD_MAX_HIGHTABLE, BUILD_MAX_HIGHTABLE, E820_RESERVED);
++ e820_add(hi_pmm_end - BUILD_MIN_HIGHTABLE, BUILD_MIN_HIGHTABLE, E820_RESERVED);
+ }
+
+ // For PCIBIOS 1ab10e
+diff --git a/src/malloc.c b/src/malloc.c
+index da84098..30b2c92 100644
+--- a/src/malloc.c
++++ b/src/malloc.c
+@@ -460,10 +460,10 @@ malloc_csm_preinit(u32 low_pmm, u32 low_pmm_size, u32 hi_pmm, u32 hi_pmm_size)
+ {
+ ASSERT32FLAT();
+
+- if (hi_pmm_size > BUILD_MAX_HIGHTABLE) {
++ if (hi_pmm_size > BUILD_MIN_HIGHTABLE) {
+ u32 hi_pmm_end = hi_pmm + hi_pmm_size;
+- alloc_add(&ZoneTmpHigh, hi_pmm, hi_pmm_end - BUILD_MAX_HIGHTABLE);
+-
alloc_add(&ZoneHigh, hi_pmm_end - BUILD_MAX_HIGHTABLE, hi_pmm_end);
++ alloc_add(&ZoneTmpHigh, hi_pmm, hi_pmm_end - BUILD_MIN_HIGHTABLE);
++ alloc_add(&ZoneHigh, hi_pmm_end - BUILD_MIN_HIGHTABLE, hi_pmm_end);
+ } else {
+ alloc_add(&ZoneTmpHigh, hi_pmm, hi_pmm + hi_pmm_size);
+ }
+--
+2.39.2
+
diff --git a/systemd/incus-lxcfs.service b/systemd/incus-lxcfs.service
new file mode 100644
index 0000000..297e9c6
--- /dev/null
+++ b/systemd/incus-lxcfs.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Incus - LXCFS daemon
+ConditionVirtualization=!container
+Before=incus.service
+
+[Service]
+Environment=LD_LIBRARY_PATH=/opt/incus/lib/
+OOMScoreAdjust=-1000
+ExecStartPre=-/usr/bin/mkdir -p /var/lib/incus-lxcfs
+ExecStart=/opt/incus/bin/lxcfs /var/lib/incus-lxcfs
+KillMode=process
+Restart=on-failure
+ExecStopPost=-/bin/fusermount -u /var/lib/incus-lxcfs
+Delegate=yes
+ExecReload=/bin/kill -USR1 $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/incus-startup.service b/systemd/incus-startup.service
new file mode 100644
index 0000000..3a5bc23
--- /dev/null
+++ b/systemd/incus-startup.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Incus - Startup check
+After=incus.socket incus.service
+Requires=incus.socket
+
+[Service]
+Type=oneshot
+Environment=LD_LIBRARY_PATH=/opt/incus/lib/
+ExecStart=/opt/incus/bin/incusd activateifneeded
+ExecStop=/opt/incus/bin/incusd shutdown
+TimeoutStartSec=600s
+TimeoutStopSec=600s
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/systemd/incus.service b/systemd/incus.service
new file mode 100644
index 0000000..b029159
--- /dev/null
+++ b/systemd/incus.service
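Review bot: In `incus-lxcfs.service`, `ExecStartPre=-/usr/bin/mkdir -p /var/lib/incus-lxcfs` ignores failure because of the `-` prefix, so a missing or unwritable mountpoint is only reported indirectly when `lxcfs` itself fails to start; `StateDirectory=incus-lxcfs` lets systemd create the directory as part of the unit and removes the `ExecStartPre` line. The `ExecStopPost` unmount is also best-effort, which is reasonable given `KillMode=process` keeps the FUSE mount's users alive, but a comment such as `# Unmount is best-effort: a stale mount left by a crash is expected to be replaced on the next start` would spare the reader from guessing whether a failed unmount is a problem. The unit runs as root without sandboxing options; lxcfs needs FUSE and cgroup access so most hardening directives do not apply, but the ones that only restrict what it can see (for example `ProtectHome=yes`) do not appear to conflict with that and may be worth trying.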
@@ -0,0 +1,25 @@
+[Unit]
+Description=Incus - Daemon
+After=network-online.target openvswitch-switch.service incus-lxcfs.service incus.socket
+Requires=network-online.target incus-lxcfs.service incus.socket
+
+[Service]
+EnvironmentFile=-/etc/environment
+EnvironmentFile=-/etc/default/incus
+Environment=PATH=/opt/incus/bin/:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+Environment=INCUS_OVMF_PATH=/opt/incus/share/qemu/
+Environment=LD_LIBRARY_PATH=/opt/incus/lib/
+Environment=INCUS_LXC_TEMPLATE_CONFIG=/opt/incus/share/lxc/config/
+ExecStart=/opt/incus/bin/incusd --group incus $INCUS_OPTS --logfile /var/log/incus/incusd.log
+ExecStartPost=/opt/incus/bin/incusd waitready --timeout=600
+KillMode=process
+TimeoutStartSec=600s
+TimeoutStopSec=30s
+Restart=on-failure
+Delegate=yes
+LimitNOFILE=1048576
+LimitNPROC=infinity
+TasksMax=infinity
+
+[Install]
+Also=incus-startup.service incus.socket
diff --git a/systemd/incus.socket b/systemd/incus.socket
new file mode 100644
index 0000000..f5d0d68
--- /dev/null
+++ b/systemd/incus.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Incus - Daemon (unix socket)
+
+[Socket]
+ListenStream=/var/lib/incus/unix.socket
+SocketGroup=incus
+SocketMode=0660
+Service=incus.service
+
+[Install]
+WantedBy=sockets.target
diff --git a/zabbly-sb.oem.crt b/zabbly-sb.oem.crt
new file mode 100644
index 0000000..8a6b5eb
--- /dev/null
+++ b/zabbly-sb.oem.crt
@@ -0,0 +1 @@
+4e32566d-8e9e-4f52-81d3-5bb9715f9727: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
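Review bot: `ExecStart=... --group incus` in `incus.service`, together with `SocketGroup=incus` and `SocketMode=0660` in the `incus.socket` hunk that follows, means every member of the `incus` group gets unrestricted access to the local API of a daemon that runs as root and manages containers and VMs on the host, which in practice makes membership equivalent to root; neither unit records that. A comment in `incus.service` next to `ExecStart`, such as `# Members of the incus group have unrestricted API access, which is equivalent to root on this host`, with the same note wherever the group is created, keeps it from being treated as an ordinary service group. The `[Install]` section of `incus.service` has only `Also=` and no `WantedBy=`, which is consistent with the daemon being socket-activated and brought up through `incus-startup.service`, but a one-line comment saying so would save the next reader from assuming the line was forgotten.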