From 0e76b77adc3301f5df19a02b62f71860a537068f Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 8 Dec 2025 15:38:56 -0500 Subject: [PATCH] Set username explicitly --- .github/workflows/cicd.yml | 12 ++--- clients/permissions/permissions_freebsd.go | 57 ++++++++++++++++++++++ 2 files changed, 63 insertions(+), 6 deletions(-) create mode 100644 clients/permissions/permissions_freebsd.go diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 90ed7e8..f7a2fe0 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -85,7 +85,7 @@ jobs: runs-on: ubuntu-24.04 timeout-minutes: 120 env: - DOCKERHUB_IMAGE: docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/${{ github.event.repository.name }} + DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }} GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} steps: @@ -108,7 +108,7 @@ jobs: uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: docker.io - username: ${{ secrets.DOCKER_HUB_USERNAME }} + username: fosrl password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Log in to GHCR @@ -247,7 +247,7 @@ jobs: run: | set -euo pipefail images="${GHCR_IMAGE}" - if [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ] && [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]; then + if [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ] && [ -n "fosrl" ]; then images="${images}\n${DOCKERHUB_IMAGE}" fi { @@ -290,7 +290,7 @@ jobs: IMAGE_LICENSE: ${{ env.IMAGE_LICENSE }} DOCKERHUB_IMAGE: ${{ env.DOCKERHUB_IMAGE }} GHCR_IMAGE: ${{ env.GHCR_IMAGE }} - DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USERNAME }} + DOCKER_HUB_USER: fosrl REPO: ${{ github.repository }} OWNER: ${{ github.repository_owner }} WORKFLOW_REF: ${{ github.workflow_ref }} 
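Review bot: The Docker Hub namespace `fosrl` is written as a bare literal in the `DOCKERHUB_IMAGE` line here and again in the hunks at 108, 247, 290 and 364, so a rename means touching five places. The step at 290 already exports it as `DOCKER_HUB_USER: fosrl`; lifting that single definition to a workflow-level `env:` (whether one exists is not visible in this hunk) and referencing `${{ env.DOCKER_HUB_USER }}` in the other four spots leaves one source of truth. A short comment beside that definition, such as `# Docker Hub org is fixed; only the access token is a secret`, would also record why the secret-based username was dropped.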
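Review bot: `[ -n "fosrl" ]` in the new condition is always true, so the guard that used to require both Docker Hub settings now only checks the token; the dead test should go: `if [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ]; then`. Separately, `${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}` is substituted into the script text before bash runs it; exposing the secret to the step through `env:` and testing `[ -n "${DOCKER_HUB_ACCESS_TOKEN:-}" ]` keeps the token value out of the generated script, which is the form GitHub's own guidance recommends. The `run:` block continues past the end of the hunk.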
@@ -311,7 +311,7 @@ jobs: echo "=== Images ===" echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE}" echo "GHCR_IMAGE=${GHCR_IMAGE}" - echo "DOCKER_HUB_USERNAME=${DOCKER_HUB_USER}" + echo "DOCKER_HUB_USERNAME=fosrl echo echo "=== GitHub Kontext ===" echo "repository=${REPO}" @@ -364,7 +364,7 @@ jobs: id: attest-dh uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: - subject-name: index.docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/${{ github.event.repository.name }} + subject-name: index.docker.io/fosrl/${{ github.event.repository.name }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true show-summary: true diff --git a/clients/permissions/permissions_freebsd.go b/clients/permissions/permissions_freebsd.go new file mode 100644 index 0000000..1225502 --- /dev/null +++ b/clients/permissions/permissions_freebsd.go 
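Review bot: The added `echo "DOCKER_HUB_USERNAME=fosrl` line has no closing quote, so bash pairs it with the opening quote of the following `echo "=== GitHub Kontext ==="` line and the step will either fail to parse or print mangled output. The step whose `env:` hunk at 290 sets `DOCKER_HUB_USER: fosrl` looks to be this same step, so the line can simply read `echo "DOCKER_HUB_USERNAME=${DOCKER_HUB_USER}"`, or at minimum `echo "DOCKER_HUB_USERNAME=fosrl"`. The `run:` block starts and ends outside this hunk.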
@@ -0,0 +1,57 @@
+//go:build freebsd
+
+package permissions
+
+import (
+ "fmt"
+ "os"
+
+ "github.com/fosrl/newt/logger"
+)
+
+const (
+ // TUN device on FreeBSD
+ tunDevice = "/dev/tun"
+ ifnamsiz = 16
+ iffTun = 0x0001
+ iffNoPi = 0x1000
+)
+
+// ifReq is the structure for TUN interface configuration
+type ifReq struct {
+ Name [ifnamsiz]byte
+ Flags uint16
+ _ [22]byte // padding to match kernel structure
+}
+
+// CheckNativeInterfacePermissions checks if the process has sufficient
+// permissions to create a native TUN interface on FreeBSD.
+// This requires root privileges (UID 0).
+func CheckNativeInterfacePermissions() error {
+ logger.Debug("Checking native interface permissions on FreeBSD")
+
+ // Check if running as root
+ if os.Geteuid() == 0 {
+ logger.Debug("Running as root, sufficient permissions for native TUN interface")
+ return nil
+ }
+
+ // On FreeBSD, only root can create TUN interfaces
+ // Try to open the TUN device to verify
+ return tryOpenTunDevice()
+}
+
+// tryOpenTunDevice attempts to open the TUN device to verify permissions.
+// On FreeBSD, /dev/tun is a cloning device that creates a new interface
+// when opened.
+func tryOpenTunDevice() error {
+ // Try opening /dev/tun (cloning device)
+ f, err := os.OpenFile(tunDevice, os.O_RDWR, 0)
+ if err != nil {
+ return fmt.Errorf("cannot open %s: %v (need root privileges)", tunDevice, err)
+ }
+ defer f.Close()
+
+ logger.Debug("Successfully opened TUN device, sufficient permissions for native TUN interface")
+ return nil
+}
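Review bot: `tryOpenTunDevice` formats the open error with `%v` and appends "(need root privileges)" to every failure, so a missing `/dev/tun` (tun driver not loaded) is reported as a privilege problem and callers cannot inspect the cause with `errors.Is`; `return fmt.Errorf("cannot open %s (need root privileges): %w", tunDevice, err)` keeps the underlying `*os.PathError` reachable, e.g. to tell `fs.ErrPermission` from `fs.ErrNotExist`. The constants `ifnamsiz`, `iffTun`, `iffNoPi` and the `ifReq` type are declared but never used in this file, and the 0x0001/0x1000 values appear to be Linux's `IFF_TUN`/`IFF_NO_PI` flags rather than anything in FreeBSD's tun(4) interface, so either wire them up or drop them before they mislead the next reader. The doc comment on `tryOpenTunDevice` itself says opening `/dev/tun` creates a new interface, which makes this permission probe side-effecting; if the cloned interface outlives `f.Close()` the check leaks one tun interface per call, which is worth confirming and stating in the doc comment either way. `CheckNativeInterfacePermissions` tests the effective UID, so its comment would be more precise as `// This requires root privileges (effective UID 0).`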