From 1feb956e3095d80e1b268236fe37cc140607a906 Mon Sep 17 00:00:00 2001
From: Mikhail Chusavitin <mchusavitin@mchusmbp.local>
Date: Sat, 7 Mar 2026 11:28:14 +0300
Subject: [PATCH] Fix: use dl-cdn.alpinelinux.org everywhere for consistent
 package resolution

Both build-nvidia-module.sh (apk add) and mkimage.sh (--repository) now
explicitly use dl-cdn. Local builder mirror config is ignored.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 bible-local/architecture/runtime-flows.md |  9 +++++----
 iso/builder/build-nvidia-module.sh        | 20 +++++++++++++-------
 iso/builder/build.sh                      |  6 +++---
 3 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/bible-local/architecture/runtime-flows.md b/bible-local/architecture/runtime-flows.md
index 40e1af1..86d0bd9 100644
--- a/bible-local/architecture/runtime-flows.md
+++ b/bible-local/architecture/runtime-flows.md
@@ -73,10 +73,11 @@ build.sh [--authorized-keys /path/to/keys]
   When Alpine releases a new linux-lts patch (e.g. r0 → r1), update KERNEL_PKG_VERSION
   in VERSIONS — that's the only place to change. The build will fail loudly if the pin
   doesn't match the installed headers, so stale pins are caught immediately.
-- **All three must use the same APK mirror.** `build-nvidia-module.sh` and `mkimage.sh`
-  both read `/etc/apk/repositories` from the builder. Never hardcode `dl-cdn.alpinelinux.org`
-  in `build.sh` — it may serve a different package state than the builder's configured mirror,
-  causing "unable to select package" failures even when the pin is correct.
+- **All three must use the same APK mirror: `dl-cdn.alpinelinux.org`.** Both
+  `build-nvidia-module.sh` (apk add) and `mkimage.sh` (--repository) explicitly use
+  `https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main|community`.
+  Never use the builder's local `/etc/apk/repositories` — its mirror may serve
+  a different package state, causing "unable to select package" failures.
 - `linux-lts-dev` is always installed (not conditional) — stale 6.6.x headers on the
   builder would cause modules to be built for the wrong kernel and never load at runtime.
 - NVIDIA modules go to `overlay/usr/local/lib/nvidia/` — NOT `lib/modules/<kver>/extra/`.
diff --git a/iso/builder/build-nvidia-module.sh b/iso/builder/build-nvidia-module.sh
index 0ec0695..6124ad0 100644
--- a/iso/builder/build-nvidia-module.sh
+++ b/iso/builder/build-nvidia-module.sh
@@ -17,15 +17,19 @@ set -e
 NVIDIA_VERSION="$1"
 DIST_DIR="$2"
 KERNEL_PKG_VERSION="$3"
+ALPINE_VERSION="$4"
 
-[ -n "$NVIDIA_VERSION" ] || { echo "usage: $0 <nvidia-version> <dist-dir> <kernel-pkg-version>"; exit 1; }
-[ -n "$DIST_DIR" ]       || { echo "usage: $0 <nvidia-version> <dist-dir> <kernel-pkg-version>"; exit 1; }
-[ -n "$KERNEL_PKG_VERSION" ] || { echo "usage: $0 <nvidia-version> <dist-dir> <kernel-pkg-version>"; exit 1; }
+[ -n "$NVIDIA_VERSION" ]    || { echo "usage: $0 <nvidia-version> <dist-dir> <kernel-pkg-version> <alpine-version>"; exit 1; }
+[ -n "$DIST_DIR" ]          || { echo "usage: $0 <nvidia-version> <dist-dir> <kernel-pkg-version> <alpine-version>"; exit 1; }
+[ -n "$KERNEL_PKG_VERSION" ] || { echo "usage: $0 <nvidia-version> <dist-dir> <kernel-pkg-version> <alpine-version>"; exit 1; }
+[ -n "$ALPINE_VERSION" ]    || { echo "usage: $0 <nvidia-version> <dist-dir> <kernel-pkg-version> <alpine-version>"; exit 1; }
 
 # Install the EXACT pinned linux-lts-dev version so builder headers always match ISO kernel.
-# If this version is unavailable, apk will fail loudly — do NOT use a floating version here.
+# Use dl-cdn.alpinelinux.org — same source as mkimage. If unavailable, apk fails loudly.
 echo "=== installing linux-lts-dev=${KERNEL_PKG_VERSION} ==="
-apk add --quiet "linux-lts-dev=${KERNEL_PKG_VERSION}"
+apk add --quiet \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
+    "linux-lts-dev=${KERNEL_PKG_VERSION}"
 
 # Detect kernel version from installed headers (pick highest version if multiple).
 detect_kver() {
@@ -48,8 +52,10 @@ if [ -d "$CACHE_DIR/modules" ] && [ -f "$CACHE_DIR/bin/nvidia-smi" ]; then
     exit 0
 fi
 
-# Install build dependencies (linux-lts-dev pinned to same version as initial install above)
-apk add --quiet gcc make perl "linux-lts-dev=${KERNEL_PKG_VERSION}" wget
+# Install build dependencies (linux-lts-dev pinned, same dl-cdn source)
+apk add --quiet \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
+    gcc make perl "linux-lts-dev=${KERNEL_PKG_VERSION}" wget
 
 # Download official NVIDIA .run installer (proprietary) with sha256 verification
 BASE_URL="https://download.nvidia.com/XFree86/Linux-x86_64/${NVIDIA_VERSION}"
diff --git a/iso/builder/build.sh b/iso/builder/build.sh
index f94ab30..9e80dd6 100755
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -113,7 +113,7 @@ done
 # --- build NVIDIA kernel modules and inject into overlay ---
 echo ""
 echo "=== building NVIDIA ${NVIDIA_DRIVER_VERSION} modules ==="
-sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}" "${KERNEL_PKG_VERSION}"
+sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}" "${KERNEL_PKG_VERSION}" "${ALPINE_VERSION}"
 
 # Determine kernel version from installed headers
 KVER=$(ls /usr/src/ 2>/dev/null | grep '^linux-headers-' | sed 's/linux-headers-//' | sort -V | tail -1)
@@ -199,8 +199,8 @@ sh /usr/share/aports/scripts/mkimage.sh \
     --tag "v${ALPINE_VERSION}" \
     --outdir "${DIST_DIR}" \
     --arch x86_64 \
-    --repository "$(sed -n '2p' /etc/apk/repositories)" \
-    --repository "$(sed -n '3p' /etc/apk/repositories)" \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/community" \
     --workdir /var/tmp/bee-iso-work \
     --profile bee