diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml index efdf852..6a26172 100644 --- a/.gitea/workflows/build.yml +++ b/.gitea/workflows/build.yml @@ -5,7 +5,7 @@ on: branches: - main schedule: - - cron: "05 10 * * *" # 10:05am UTC everyday + - cron: "05 4 */3 * *" # 4:05am every three days. push: branches: - main @@ -73,10 +73,10 @@ jobs: with: # This generates all the tags for your image, you can add custom tags here too! tags: | - type=sha - type=raw,value=latest,enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - type=raw,value=${{ env.FEDORA_BASE }},enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}},enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} + type=sha,enable=${{ github.event_name == 'pull_request' }} + type=raw,value=latest + type=raw,value=${{ env.FEDORA_BASE }} + type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}} type=ref,event=pr labels: | io.artifacthub.package.readme-url=${{ env.README_URL }} diff --git a/Containerfile b/Containerfile index b902555..588b154 100644 --- a/Containerfile +++ b/Containerfile @@ -4,6 +4,7 @@ ARG FEDORA_BASE=42 FROM scratch AS ctx COPY build_files / COPY /sys_files /sys_files +COPY cosign.pub /cosign.pub # Base Image FROM quay.io/fedora-ostree-desktops/silverblue:$FEDORA_BASE @@ -27,7 +28,7 @@ RUN --mount=type=bind,from=ctx,source=/,target=/ctx \ --mount=type=cache,dst=/var/cache \ --mount=type=cache,dst=/var/log \ --mount=type=tmpfs,dst=/tmp \ - /ctx/build.sh + /ctx/build.sh && /ctx/cleanup.sh ### LINTING ## Verify final image and contents are correct. diff --git a/build_files/build.sh b/build_files/build.sh index ccabdc0..7cc2158 100755 --- a/build_files/build.sh +++ b/build_files/build.sh 
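Review bot: The new comment drops the timezone the old one recorded (`# 10:05am UTC everyday`), and `*/3` in the day-of-month field restarts at the 1st of every month, so the interval is not a steady three days across month boundaries (e.g. the 31st is followed by the 1st). Suggest `# 04:05 (UTC, as before) on days 1,4,7,… of each month; */3 restarts every month`, or a weekday-based pattern if a strict cadence matters.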
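Review bot: Removing the `enable=` guard from the `latest`, `${{ env.FEDORA_BASE }}` and dated tags means the metadata step now emits them for pull_request runs too; unless the push and signing steps (outside this hunk) are gated on the event, a PR build could overwrite `latest`, which is presumably what installed systems rebase onto. The non-PR path also loses `type=sha`, so published images no longer carry an immutable per-commit tag for provenance or rollback. Suggest keeping `type=sha` unconditional and guarding at least the floating tag: `type=raw,value=latest,enable=${{ github.event_name != 'pull_request' }}`.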
@@ -5,6 +5,10 @@ set -ouex pipefail # Copy System Files onto root rsync -rvK /ctx/sys_files/ / +# Copy cosign.pub key into the right location +mkdir -p /etc/pki/containers +cp /ctx/cosign.pub /etc/pki/containers/davejansen.pub + ### Install packages # Packages can be installed from any enabled yum repo on the image. @@ -27,8 +31,9 @@ fi # Set higher priority dnf5 config-manager setopt fedora-multimedia.priority=90 -# Remove system-installed Firefox as I prefer to use the Flatpak version -dnf5 remove -y firefox firefox-langpacks fedora-flathub-remote +# Remove Fedora's package that enforces their own (filtered) version of the +# flathub repo is present, as-well as the system-installed Firefox as I prefer to use the Flatpak version +dnf5 remove -y fedora-flathub-remote firefox firefox-langpacks # Add Flathub to the image for eventual application mkdir -p /etc/flatpak/remotes.d/ @@ -55,12 +60,15 @@ dnf5 distro-sync --skip-unavailable -y --repo='fedora-multimedia' "${OVERRIDES[@ dnf5 versionlock add "${OVERRIDES[@]}" # Remove additional repositories Fedora comes with out of the box +# And don't raise an error if any of these files does not exist when attempting +# to delete them. rm \ /etc/yum.repos.d/fedora-cisco-openh264.repo \ /etc/yum.repos.d/google-chrome.repo \ /etc/yum.repos.d/rpmfusion-nonfree-nvidia-driver.repo \ /etc/yum.repos.d/rpmfusion-nonfree-steam.repo \ - /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:phracek:PyCharm.repo + /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:phracek:PyCharm.repo \ + 2>&1 # Add country query to all repo metalinks # shellcheck disable=SC2016 @@ -82,6 +90,7 @@ sh -c 'echo -e "[tailscale-stable]\nname=Tailscale stable\nbaseurl=https://pkgs. # Install my own layered packages dnf5 install -y \ + fish \ gvfs-nfs \ openssl \ wl-clipboard \ 
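Review bot: `cp /ctx/cosign.pub /etc/pki/containers/davejansen.pub` keeps whatever mode the build context gave the file; since policy.json reads this path as the trust root for davejansen.dev, making the mode explicit removes one variable: `install -D -m 0644 /ctx/cosign.pub /etc/pki/containers/davejansen.pub` also replaces the separate `mkdir -p`.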
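Review bot: `2>&1` does not do what the new comment says — it only redirects rm's stderr to stdout, and with `set -e` a missing file still makes `rm` exit non-zero and abort the build; the same applies to the 1password/tailscale `rm` in hunk `@@ -105,12 +116,14`. Use `rm -f \` and drop the `2>&1` line: `-f` ignores nonexistent operands and returns 0. The comment can then read `# -f: don't fail if any of these files does not exist.`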
@@ -90,7 +99,9 @@ dnf5 install -y \ libcamera libcamera-gstreamer libcamera-ipa libcamera-tools pipewire-plugin-libcamera \ gnome-shell-extension-appindicator \ 1password 1password-cli \ - tailscale + tailscale \ + waypipe \ + htop # Install Niri, the scrollable-tiling window compositor # https://yalter.github.io/niri/ @@ -105,12 +116,14 @@ dnf5 -y copr disable avengemedia/dms ## CLEANUP # Delete 1Password and Tailscale repos once packages are installed -# so they don't end up in the final image. +# so they don't end up in the final image, and don't raise an error if any of +# these files does not exist when attempting to delete them. rm \ /etc/yum.repos.d/1password.repo \ /etc/yum.repos.d/tailscale.repo \ /etc/pki/rpm-gpg/1password.asc \ - /etc/pki/rpm-gpg/tailscale.gpg + /etc/pki/rpm-gpg/tailscale.gpg \ + 2>&1 # Or just disable: # dnf5 config-manager setopt 1password.enabled=0 tailscale-stable.enabled=0 diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh new file mode 100755 index 0000000..5828eec --- /dev/null +++ b/build_files/cleanup.sh 
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -ouex pipefail
+
+## Handle files that rpm-ostree would normally remove
+## Adapted from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33
+
+# if [ -f /etc/passwd ]; then
+# out="$(grep -v 'root' /etc/passwd)"
+#
+# if [[ ! -z "$out" ]]; then
+# echo
+# echo Appending the following passwd users to /usr/lib/passwd
+# echo "${out}"
+# echo "$out" >>/usr/lib/passwd
+# fi
+# fi
+
+if [ -f /etc/group ]; then
+ out="$(grep -v 'root\|wheel' /etc/group)"
+
+ if [[ ! -z "$out" ]]; then
+ echo
+ echo Appending the following group entries to /usr/lib/group
+ echo "$out"
+ echo "$out" >>/usr/lib/group
+ fi
+fi
+
+if [ -f /etc/passwd ] || [ -f /etc/group ]; then
+ echo
+ echo "Warning: Make sure processed users and groups are from installed programs!"
+fi
+
+# # Create defaults for /etc/passwd, /etc/group
+# cat </etc/passwd
+# root:x:0:0:root:/root:/bin/bash
+# EOT
+# cat </etc/group
+# root:x:0:
+# wheel:x:10:
+# EOT
+
+# Extra lock files created by container processes that might cause issues
+rm -rf \
+ /etc/.pwd.lock \
+ /etc/passwd- \
+ /etc/group- \
+ /etc/shadow- \
+ /etc/gshadow- \
+ /etc/subuid- \
+ /etc/subgid- \
+ /.dockerenv
+
+# # Merge /usr/etc to /etc
+# # OSTree will error out if both dirs exist
+# # And rpm-ostree will be confused and use only one of them
+# if [ -d /usr/etc ]; then
+# echo
+# echo WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY
+# echo EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS
+# echo The following files from /usr/etc will be merged to /etc:
+# tree /usr/etc
+#
+# echo
+# rsync -aAX --numeric-ids --checksum --links /usr/etc/ /etc
+# rm -rf /usr/etc
+# fi
+#
+# # Move /etc to /usr/etc
+# mv /etc /usr/
+
+# ...normal ublue-inspired steps continue.
diff --git a/sys_files/etc/containers/policy.json b/sys_files/etc/containers/policy.json
new file mode 100644
index 0000000..efb2341
--- /dev/null
+++ b/sys_files/etc/containers/policy.json
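Review bot: `out="$(grep -v 'root\|wheel' /etc/group)"` aborts the whole script under `set -e` whenever grep selects no lines (exit status 1) — that is, exactly when there is nothing to append — and the unanchored pattern also discards any group whose name merely contains `root` or `wheel`. Suggest `out="$(grep -v -E '^(root|wheel):' /etc/group || true)"`. The appended entries are also not checked against names already present in /usr/lib/group, so a group defined in both files ends up duplicated; presumably worth a guard or at least a comment. Note that the warning text mentions users, but the /etc/passwd branch is commented out, so only groups are actually processed.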
@@ -0,0 +1,32 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "davejansen.dev": [
+ {
+ "type": "sigstoreSigned",
+ "keyPaths": ["/etc/pki/containers/davejansen.pub"],
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/sys_files/etc/containers/registries.d/davejansen.yaml b/sys_files/etc/containers/registries.d/davejansen.yaml
new file mode 100644
index 0000000..ebdf467
--- /dev/null
+++ b/sys_files/etc/containers/registries.d/davejansen.yaml
@@ -0,0 +1,3 @@
+docker:
+ davejansen.dev/davejansen:
+ use-sigstore-attachments: true
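Review bot: The `""` catch-all under `docker` (and under `docker-daemon`) accepts unsigned images from every registry other than `davejansen.dev`, so the top-level `default: reject` is only reached for transports not listed here; the signature requirement covers the OS image but nothing else pulled on the system. The scope also differs from the new registries.d file: the policy covers the whole host `davejansen.dev`, while `use-sigstore-attachments` is enabled only for `davejansen.dev/davejansen`, so an image from another namespace on that host would presumably require a signature that is never fetched and be rejected. If that is the intent, using `"davejansen.dev/davejansen": [` in the policy as well makes the two files agree. JSON cannot carry a comment, so the trust model (signed OS image, everything else open) is worth a line in the README.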