From 011fa92cdb00295d8f7ceeefa80861b76e4ae494 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Thu, 13 Nov 2025 21:36:01 +0900 Subject: [PATCH 01/22] Update cron schedule so builds only run every three days --- .gitea/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml index efdf852..d5ee702 100644 --- a/.gitea/workflows/build.yml +++ b/.gitea/workflows/build.yml @@ -5,7 +5,7 @@ on: branches: - main schedule: - - cron: "05 10 * * *" # 10:05am UTC everyday + - cron: "05 4 */3 * *" # 4:05am every three days. push: branches: - main From 8f80e0f85b8b9b578b078edb5d8437e2f9dc3eb1 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Sun, 16 Nov 2025 14:43:10 +0900 Subject: [PATCH 02/22] Attempt: Add custom containers-policy.json --- build_files/build.sh | 4 +++ sys_files/usr/etc/containers/policy.json | 32 ++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 sys_files/usr/etc/containers/policy.json diff --git a/build_files/build.sh b/build_files/build.sh index 55eb7fa..ee24a99 100755 --- a/build_files/build.sh +++ b/build_files/build.sh @@ -5,6 +5,10 @@ set -ouex pipefail # Copy System Files onto root rsync -rvK /ctx/sys_files/ / +# Copy cosign.pub key into the right location +mkdir -p /etc/pki/containers +cp /ctx/cosign.pub /etc/pki/containers/davejansen.pub + ### Install packages # Packages can be installed from any enabled yum repo on the image. diff --git a/sys_files/usr/etc/containers/policy.json b/sys_files/usr/etc/containers/policy.json new file mode 100644 index 0000000..efb2341 --- /dev/null +++ b/sys_files/usr/etc/containers/policy.json 
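Review bot: The new comment on the `cron:` line in `.gitea/workflows/build.yml` says "every three days", but `*/3` in the day-of-month field fires on days 1, 4, 7 … 31 and restarts on the 1st, so two runs around a month boundary can be as little as one day apart. The comment also drops the "UTC" that the old one carried. I would write it as `# 04:05 UTC on days 1, 4, 7, … of each month`, assuming the runner evaluates the schedule in UTC as the previous comment implied. If the scheduled build is how this image picks up base-image and package updates, the longer interval also delays an upstream fix by up to three days.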
@@ -0,0 +1,32 @@ +{ + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "davejansen.dev": [ + { + "type": "sigstoreSigned", + "keyPaths": ["/etc/pki/containers/davejansen.pub"], + "signedIdentity": { + "type": "matchRepository" + } + } + ], + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "docker-daemon": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + } + } +} From 8d50133103258af488c5c03c0ac8c0c9236f63f7 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Sun, 16 Nov 2025 14:53:53 +0900 Subject: [PATCH 03/22] Actually copy cosign.pub into the build context --- Containerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Containerfile b/Containerfile index b902555..b99476a 100644 --- a/Containerfile +++ b/Containerfile @@ -4,6 +4,7 @@ ARG FEDORA_BASE=42 FROM scratch AS ctx COPY build_files / COPY /sys_files /sys_files +COPY cosign.pub /cosign.pub # Base Image FROM quay.io/fedora-ostree-desktops/silverblue:$FEDORA_BASE From 91d249901e5b84db819391c7c617f98439fc428c Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Sun, 16 Nov 2025 15:28:03 +0900 Subject: [PATCH 04/22] Move containers policy file to the right place Oops :D --- sys_files/{usr => }/etc/containers/policy.json | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sys_files/{usr => }/etc/containers/policy.json (100%) diff --git a/sys_files/usr/etc/containers/policy.json b/sys_files/etc/containers/policy.json similarity index 100% rename from sys_files/usr/etc/containers/policy.json rename to sys_files/etc/containers/policy.json From 71626ad6c9436dfcb5718659e06f09847cf1c2b8 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Sun, 16 Nov 2025 16:07:11 +0900 Subject: [PATCH 05/22] Ensure the correct tags are set with new builds --- .gitea/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml index d5ee702..6a26172 100644 --- a/.gitea/workflows/build.yml 
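Review bot: In the new `policy.json`, the `""` scope under `docker` is `insecureAcceptAnything`, so `"default": reject` only affects other transports and every registry except `davejansen.dev` is pulled with no signature check. JSON has no comment syntax, so the README should state that only `davejansen.dev` images are verified and that the base image registry is trusted on TLS alone. `"type": "matchRepository"` accepts a valid signature made for any tag of the same repository, so an older image signed with this key still verifies when served under a newer tag. Retiring a signed image therefore means rotating `/etc/pki/containers/davejansen.pub`, which is also worth documenting next to the key.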
+++ b/.gitea/workflows/build.yml @@ -73,10 +73,10 @@ jobs: with: # This generates all the tags for your image, you can add custom tags here too! tags: | - type=sha - type=raw,value=latest,enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - type=raw,value=${{ env.FEDORA_BASE }},enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}},enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} + type=sha,enable=${{ github.event_name == 'pull_request' }} + type=raw,value=latest + type=raw,value=${{ env.FEDORA_BASE }} + type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}} type=ref,event=pr labels: | io.artifacthub.package.readme-url=${{ env.README_URL }} From 02a288c2c0222b4bec3eaeb883339aeb95940747 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Sun, 16 Nov 2025 16:52:37 +0900 Subject: [PATCH 06/22] Add my own registries.d policy file, too --- sys_files/etc/containers/registries.d/davejansen.yaml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 sys_files/etc/containers/registries.d/davejansen.yaml diff --git a/sys_files/etc/containers/registries.d/davejansen.yaml b/sys_files/etc/containers/registries.d/davejansen.yaml new file mode 100644 index 0000000..ebdf467 --- /dev/null +++ b/sys_files/etc/containers/registries.d/davejansen.yaml @@ -0,0 +1,3 @@ +docker: + davejansen.dev/davejansen: + use-sigstore-attachments: true From 9e45c8ac237d6497cdf0a4448f4aabdfbc50fe6d Mon Sep 17 00:00:00 2001 
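Review bot: With the `enable=` conditions removed in `.gitea/workflows/build.yml`, the `latest`, `${{ env.FEDORA_BASE }}` and dated tags are now generated for pull-request runs as well, alongside `type=ref,event=pr`. The push and signing steps are outside this hunk; if they are not themselves gated on the event, an unmerged pull-request build would overwrite the tags that deployed systems follow. Keeping only the event half of the old condition avoids that without bringing back the default-branch comparison: `type=raw,value=latest,enable=${{ github.event_name != 'pull_request' }}`, and the same suffix on the other two `type=raw` lines.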
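Review bot: The scope in `registries.d/davejansen.yaml` is `davejansen.dev/davejansen`, while the `policy.json` added earlier in this series requires `sigstoreSigned` for all of `davejansen.dev`. An image from any other namespace on that registry would be required to carry a signature, but its sigstore attachment would not be looked up, so the pull would be rejected. That fails closed, but if the two files are meant to cover the same images, use the same scope in both, for example `davejansen.dev:` here or `davejansen.dev/davejansen` in the policy.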
From: Dave Jansen Date: Mon, 1 Dec 2025 17:09:19 +0900 Subject: [PATCH 07/22] Temporarily stop removing system-installed Firefox I'm trying to debug why my system-installed-1Password-and-Firefox-flatpak "hack" doesn't work on my bootc image. --- build_files/build.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/build_files/build.sh b/build_files/build.sh index ee24a99..964b677 100755 --- a/build_files/build.sh +++ b/build_files/build.sh @@ -31,8 +31,9 @@ fi # Set higher priority dnf5 config-manager setopt fedora-multimedia.priority=90 -# Remove system-installed Firefox as I prefer to use the Flatpak version -dnf5 remove -y firefox firefox-langpacks fedora-flathub-remote +# Remove Fedora's package that enforces their own (filtered) version of the +# flathub repo is present, as-well as the system-installed Firefox as I prefer to use the Flatpak version +dnf5 remove -y fedora-flathub-remote # firefox firefox-langpacks # Add Flathub to the image for eventual application mkdir -p /etc/flatpak/remotes.d/ From e4afe6923ff30bf1272049941532f1a5588d1dcf Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 17:46:09 +0900 Subject: [PATCH 08/22] Borrow certain `/etc/passwd` and `/etc/group` clean-up steps from `hhd-dev/rechunk` --- build_files/build.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/build_files/build.sh b/build_files/build.sh index 964b677..a0b8332 100755 --- a/build_files/build.sh +++ b/build_files/build.sh 
@@ -122,6 +122,68 @@ systemctl enable tailscaled # Remove dnf5 versionlocks dnf5 versionlock clear +## Handle files that rpm-ostree would normally remove +## Borrowed from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 +if [ -f /etc/passwd ]; then + echo + echo Appending the following passwd users to /usr/lib/passwd + out=$(grep -v "root" /etc/passwd) + echo "$out" + echo "$out" >>/usr/lib/passwd +fi +if [ -f /etc/group ]; then + echo + echo Appending the following group entries to /usr/lib/group + out=$(grep -v "root\|wheel" /etc/group) + echo "$out" + echo "$out" >>/usr/lib/group +fi + +if [ -f /etc/passwd ] || [ -f /etc/group ]; then + echo + echo "Warning: Make sure processed users and groups are from installed programs!" +fi + +# Create defaults for /etc/passwd, /etc/group +cat </etc/passwd +root:x:0:0:root:/root:/bin/bash +EOT +cat </etc/group +root:x:0: +wheel:x:10: +EOT + +# Extra lock files created by container processes that might cause issues +rm -rf \ + /etc/.pwd.lock \ + /etc/passwd- \ + /etc/group- \ + /etc/shadow- \ + /etc/gshadow- \ + /etc/subuid- \ + /etc/subgid- \ + /.dockerenv + +# Merge /usr/etc to /etc +# OSTree will error out if both dirs exist +# And rpm-ostree will be confused and use only one of them +if [ -d /usr/etc ]; then + echo + echo WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY + echo EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS + echo The following files from /usr/etc will be merged to /etc: + tree /usr/etc + + echo + rsync -aAX --numeric-ids --checksum --links /usr/etc/ /etc + rm -rf /usr/etc +fi + +# Move /etc to /usr/etc +mv /etc /usr/ + +# ...normal ublue-inspired steps continue. + # Remove tmp files and everything in dirs that make bootc unhappy rm -rf /tmp/* || true rm -rf /usr/etc From 6328eadaffa70834960842deedb0e1278037b162 Mon Sep 17 00:00:00 2001 
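Review bot: `grep -v "root" /etc/passwd` and `grep -v "root\|wheel" /etc/group` match the substring anywhere in the line. Any entry that merely mentions root, such as an account whose home directory is `/root` or a group that lists root as a member, is therefore silently left out of what gets appended to `/usr/lib/passwd` and `/usr/lib/group`. Anchoring on the name field limits the filter to the entries it is meant to skip: `grep -v '^root:' /etc/passwd` and `grep -v '^\(root\|wheel\):' /etc/group`. The same two patterns are carried unchanged into `build_files/cleanup.sh` by the later patches in this series. Separately, the `mv /etc /usr/` added at the end of this hunk is immediately followed by the existing `rm -rf /usr/etc` in the trailing context, which would delete the configuration that was just moved.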
From: Dave Jansen Date: Mon, 1 Dec 2025 17:58:51 +0900 Subject: [PATCH 09/22] One step back --- build_files/build.sh | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/build_files/build.sh b/build_files/build.sh index a0b8332..aa45b4f 100755 --- a/build_files/build.sh +++ b/build_files/build.sh @@ -164,23 +164,23 @@ rm -rf \ /etc/subgid- \ /.dockerenv -# Merge /usr/etc to /etc -# OSTree will error out if both dirs exist -# And rpm-ostree will be confused and use only one of them -if [ -d /usr/etc ]; then - echo - echo WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY - echo EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS - echo The following files from /usr/etc will be merged to /etc: - tree /usr/etc - - echo - rsync -aAX --numeric-ids --checksum --links /usr/etc/ /etc - rm -rf /usr/etc -fi - -# Move /etc to /usr/etc -mv /etc /usr/ +# # Merge /usr/etc to /etc +# # OSTree will error out if both dirs exist +# # And rpm-ostree will be confused and use only one of them +# if [ -d /usr/etc ]; then +# echo +# echo WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY +# echo EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS +# echo The following files from /usr/etc will be merged to /etc: +# tree /usr/etc +# +# echo +# rsync -aAX --numeric-ids --checksum --links /usr/etc/ /etc +# rm -rf /usr/etc +# fi +# +# # Move /etc to /usr/etc +# mv /etc /usr/ # ...normal ublue-inspired steps continue. From 2908caaf59c6328ce610098b903aef829f3fa751 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 18:14:05 +0900 Subject: [PATCH 10/22] Further reduce. Re-remove system-installed Firefox --- build_files/build.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/build_files/build.sh b/build_files/build.sh index aa45b4f..c72181c 100755 --- a/build_files/build.sh +++ b/build_files/build.sh 
@@ -33,7 +33,7 @@ dnf5 config-manager setopt fedora-multimedia.priority=90 # Remove Fedora's package that enforces their own (filtered) version of the # flathub repo is present, as-well as the system-installed Firefox as I prefer to use the Flatpak version -dnf5 remove -y fedora-flathub-remote # firefox firefox-langpacks +dnf5 remove -y fedora-flathub-remote firefox firefox-langpacks # Add Flathub to the image for eventual application mkdir -p /etc/flatpak/remotes.d/ @@ -144,14 +144,14 @@ if [ -f /etc/passwd ] || [ -f /etc/group ]; then echo "Warning: Make sure processed users and groups are from installed programs!" fi -# Create defaults for /etc/passwd, /etc/group -cat </etc/passwd -root:x:0:0:root:/root:/bin/bash -EOT -cat </etc/group -root:x:0: -wheel:x:10: -EOT +# # Create defaults for /etc/passwd, /etc/group +# cat </etc/passwd +# root:x:0:0:root:/root:/bin/bash +# EOT +# cat </etc/group +# root:x:0: +# wheel:x:10: +# EOT # Extra lock files created by container processes that might cause issues rm -rf \ From cab4c6cdd9382b6d7e479ff83f4baf8a96f492e9 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 18:27:30 +0900 Subject: [PATCH 11/22] Attempt: Separate cleanup step --- Containerfile | 2 ++ build_files/build.sh | 62 ---------------------------------------- build_files/cleanup.sh | 65 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+), 62 deletions(-) create mode 100755 build_files/cleanup.sh diff --git a/Containerfile b/Containerfile index b99476a..984a7f9 100644 --- a/Containerfile +++ b/Containerfile @@ -30,6 +30,8 @@ RUN --mount=type=bind,from=ctx,source=/,target=/ctx \ --mount=type=tmpfs,dst=/tmp \ /ctx/build.sh +RUN /ctx/cleanup.sh + ### LINTING ## Verify final image and contents are correct. RUN bootc container lint diff --git a/build_files/build.sh b/build_files/build.sh index c72181c..6ed6eee 100755 --- a/build_files/build.sh +++ b/build_files/build.sh 
@@ -122,68 +122,6 @@ systemctl enable tailscaled # Remove dnf5 versionlocks dnf5 versionlock clear -## Handle files that rpm-ostree would normally remove -## Borrowed from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 -if [ -f /etc/passwd ]; then - echo - echo Appending the following passwd users to /usr/lib/passwd - out=$(grep -v "root" /etc/passwd) - echo "$out" - echo "$out" >>/usr/lib/passwd -fi -if [ -f /etc/group ]; then - echo - echo Appending the following group entries to /usr/lib/group - out=$(grep -v "root\|wheel" /etc/group) - echo "$out" - echo "$out" >>/usr/lib/group -fi - -if [ -f /etc/passwd ] || [ -f /etc/group ]; then - echo - echo "Warning: Make sure processed users and groups are from installed programs!" -fi - -# # Create defaults for /etc/passwd, /etc/group -# cat </etc/passwd -# root:x:0:0:root:/root:/bin/bash -# EOT -# cat </etc/group -# root:x:0: -# wheel:x:10: -# EOT - -# Extra lock files created by container processes that might cause issues -rm -rf \ - /etc/.pwd.lock \ - /etc/passwd- \ - /etc/group- \ - /etc/shadow- \ - /etc/gshadow- \ - /etc/subuid- \ - /etc/subgid- \ - /.dockerenv - -# # Merge /usr/etc to /etc -# # OSTree will error out if both dirs exist -# # And rpm-ostree will be confused and use only one of them -# if [ -d /usr/etc ]; then -# echo -# echo WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY -# echo EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS -# echo The following files from /usr/etc will be merged to /etc: -# tree /usr/etc -# -# echo -# rsync -aAX --numeric-ids --checksum --links /usr/etc/ /etc -# rm -rf /usr/etc -# fi -# -# # Move /etc to /usr/etc -# mv /etc /usr/ - -# ...normal ublue-inspired steps continue. - # Remove tmp files and everything in dirs that make bootc unhappy rm -rf /tmp/* || true rm -rf /usr/etc diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh new file mode 100755 index 0000000..f38b0fc --- /dev/null +++ b/build_files/cleanup.sh 
@@ -0,0 +1,65 @@ +#!/bin/bash + +set -ouex pipefail + +## Handle files that rpm-ostree would normally remove +## Borrowed from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 +if [ -f /etc/passwd ]; then + echo + echo Appending the following passwd users to /usr/lib/passwd + out=$(grep -v "root" /etc/passwd) + echo "$out" + echo "$out" >>/usr/lib/passwd +fi +if [ -f /etc/group ]; then + echo + echo Appending the following group entries to /usr/lib/group + out=$(grep -v "root\|wheel" /etc/group) + echo "$out" + echo "$out" >>/usr/lib/group +fi + +if [ -f /etc/passwd ] || [ -f /etc/group ]; then + echo + echo "Warning: Make sure processed users and groups are from installed programs!" +fi + +# # Create defaults for /etc/passwd, /etc/group +# cat </etc/passwd +# root:x:0:0:root:/root:/bin/bash +# EOT +# cat </etc/group +# root:x:0: +# wheel:x:10: +# EOT + +# Extra lock files created by container processes that might cause issues +rm -rf \ + /etc/.pwd.lock \ + /etc/passwd- \ + /etc/group- \ + /etc/shadow- \ + /etc/gshadow- \ + /etc/subuid- \ + /etc/subgid- \ + /.dockerenv + +# # Merge /usr/etc to /etc +# # OSTree will error out if both dirs exist +# # And rpm-ostree will be confused and use only one of them +# if [ -d /usr/etc ]; then +# echo +# echo WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY +# echo EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS +# echo The following files from /usr/etc will be merged to /etc: +# tree /usr/etc +# +# echo +# rsync -aAX --numeric-ids --checksum --links /usr/etc/ /etc +# rm -rf /usr/etc +# fi +# +# # Move /etc to /usr/etc +# mv /etc /usr/ + +# ...normal ublue-inspired steps continue. From 8efc5f4192bc154de8fb66fc483da0ff15c84828 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 18:36:49 +0900 Subject: [PATCH 12/22] Add some debug echos, trigger cleanup while mounts are present --- Containerfile | 4 +--- build_files/cleanup.sh | 11 +++++++++++ 2 files changed, 12 insertions(+), 3 deletions(-) 
diff --git a/Containerfile b/Containerfile index 984a7f9..588b154 100644 --- a/Containerfile +++ b/Containerfile @@ -28,9 +28,7 @@ RUN --mount=type=bind,from=ctx,source=/,target=/ctx \ --mount=type=cache,dst=/var/cache \ --mount=type=cache,dst=/var/log \ --mount=type=tmpfs,dst=/tmp \ - /ctx/build.sh - -RUN /ctx/cleanup.sh + /ctx/build.sh && /ctx/cleanup.sh ### LINTING ## Verify final image and contents are correct. diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh index f38b0fc..25b0bc3 100755 --- a/build_files/cleanup.sh +++ b/build_files/cleanup.sh @@ -2,6 +2,17 @@ set -ouex pipefail +echo "Let's see." +echo "/etc/passwd contents:" +cat /etc/passwd +echo "/usr/lib/passwd contents:" +cat /usr/lib/passwd +echo "" +echo "/etc/group contents:" +cat /etc/group +echo "/usr/lib/group contents:" +cat /usr/lib/group + ## Handle files that rpm-ostree would normally remove ## Borrowed from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 if [ -f /etc/passwd ]; then From 047419e52503567da16478e8c611e987848b2b50 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 18:54:34 +0900 Subject: [PATCH 13/22] Temporarily only look at /etc/group --- build_files/cleanup.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh index 25b0bc3..cfcca7b 100755 --- a/build_files/cleanup.sh +++ b/build_files/cleanup.sh 
@@ -15,13 +15,13 @@ cat /usr/lib/group ## Handle files that rpm-ostree would normally remove ## Borrowed from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 -if [ -f /etc/passwd ]; then - echo - echo Appending the following passwd users to /usr/lib/passwd - out=$(grep -v "root" /etc/passwd) - echo "$out" - echo "$out" >>/usr/lib/passwd -fi +# if [ -f /etc/passwd ]; then +# echo +# echo Appending the following passwd users to /usr/lib/passwd +# out=$(grep -v "root" /etc/passwd) +# echo "$out" +# echo "$out" >>/usr/lib/passwd +# fi if [ -f /etc/group ]; then echo echo Appending the following group entries to /usr/lib/group From 389352e2d6a29e86096e1924cad4cc36249a5c21 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 20:06:06 +0900 Subject: [PATCH 14/22] Attempt to re-add (optionally) writing `passwd` changes --- build_files/cleanup.sh | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh index cfcca7b..a5b19bf 100755 --- a/build_files/cleanup.sh +++ b/build_files/cleanup.sh 
@@ -14,20 +14,28 @@ echo "/usr/lib/group contents:" cat /usr/lib/group ## Handle files that rpm-ostree would normally remove -## Borrowed from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 -# if [ -f /etc/passwd ]; then -# echo -# echo Appending the following passwd users to /usr/lib/passwd -# out=$(grep -v "root" /etc/passwd) -# echo "$out" -# echo "$out" >>/usr/lib/passwd -# fi +## Adapted from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 + +if [ -f /etc/passwd ]; then + out=$(grep -v "root" /etc/passwd) + + if [ ! -z "$out" ]; then + echo + echo Appending the following passwd users to /usr/lib/passwd + echo "$out" + echo "$out" >>/usr/lib/passwd + fi +fi + if [ -f /etc/group ]; then - echo - echo Appending the following group entries to /usr/lib/group out=$(grep -v "root\|wheel" /etc/group) - echo "$out" - echo "$out" >>/usr/lib/group + + if [ ! -z "$out" ]; then + echo + echo Appending the following group entries to /usr/lib/group + echo "$out" + echo "$out" >>/usr/lib/group + fi fi if [ -f /etc/passwd ] || [ -f /etc/group ]; then From 705e83eafb858b8f779566c4a42d6431d5c9a86a Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 21:32:01 +0900 Subject: [PATCH 15/22] I always forget. --- build_files/cleanup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh index a5b19bf..e1bb758 100755 --- a/build_files/cleanup.sh +++ b/build_files/cleanup.sh @@ -19,7 +19,7 @@ cat /usr/lib/group if [ -f /etc/passwd ]; then out=$(grep -v "root" /etc/passwd) - if [ ! -z "$out" ]; then + if [[ ! -z "$out" ]]; then echo echo Appending the following passwd users to /usr/lib/passwd echo "$out" @@ -30,7 +30,7 @@ fi if [ -f /etc/group ]; then out=$(grep -v "root\|wheel" /etc/group) - if [ ! -z "$out" ]; then + if [[ ! -z "$out" ]]; then echo echo Appending the following group entries to /usr/lib/group echo "$out" 
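Review bot: The new `[ ! -z "$out" ]` guard in `cleanup.sh` is never reached in the case it was written for. When `grep -v` selects no lines it exits with status 1, and under the script's `set -ouex pipefail` the failing `out=$(...)` assignment aborts the build before the test runs. This is probably the failure the following patches keep chasing, and the `/etc/group` block left active by the last of them has the same shape. Tolerating the "nothing selected" status inside the substitution fixes it: `out=$(grep -v "root" /etc/passwd || true)`, and likewise for the group line. The guard itself reads more directly as `[ -n "$out" ]`.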
From 3b46c3b939889837e03b4c5ee4cb14f122363f9f Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 21:47:25 +0900 Subject: [PATCH 16/22] Sunk cost fallacy --- build_files/cleanup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh index e1bb758..a4f4304 100755 --- a/build_files/cleanup.sh +++ b/build_files/cleanup.sh @@ -22,7 +22,7 @@ if [ -f /etc/passwd ]; then if [[ ! -z "$out" ]]; then echo echo Appending the following passwd users to /usr/lib/passwd - echo "$out" + echo "--here--${out}--here--" echo "$out" >>/usr/lib/passwd fi fi From e816126ea2a2b8e8886531adf07e4031d86c9edc Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Mon, 1 Dec 2025 22:08:48 +0900 Subject: [PATCH 17/22] "Let's try this again" --- build_files/cleanup.sh | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh index a4f4304..7c0a9fb 100755 --- a/build_files/cleanup.sh +++ b/build_files/cleanup.sh @@ -2,33 +2,22 @@ set -ouex pipefail -echo "Let's see." -echo "/etc/passwd contents:" -cat /etc/passwd -echo "/usr/lib/passwd contents:" -cat /usr/lib/passwd -echo "" -echo "/etc/group contents:" -cat /etc/group -echo "/usr/lib/group contents:" -cat /usr/lib/group - ## Handle files that rpm-ostree would normally remove ## Adapted from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 if [ -f /etc/passwd ]; then - out=$(grep -v "root" /etc/passwd) + out="$(grep -v 'root' /etc/passwd)" if [[ ! -z "$out" ]]; then echo echo Appending the following passwd users to /usr/lib/passwd - echo "--here--${out}--here--" + echo "${out}" echo "$out" >>/usr/lib/passwd fi fi if [ -f /etc/group ]; then - out=$(grep -v "root\|wheel" /etc/group) + out="$(grep -v 'root\|wheel' /etc/group)" if [[ ! -z "$out" ]]; then echo From 49d1a97e2ae9ee1ff87897b799bfc45ad1f19591 Mon Sep 17 00:00:00 2001 
From: Dave Jansen Date: Mon, 1 Dec 2025 22:19:56 +0900 Subject: [PATCH 18/22] I give up. For now. --- build_files/cleanup.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh index 7c0a9fb..5828eec 100755 --- a/build_files/cleanup.sh +++ b/build_files/cleanup.sh @@ -5,16 +5,16 @@ set -ouex pipefail ## Handle files that rpm-ostree would normally remove ## Adapted from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33 -if [ -f /etc/passwd ]; then - out="$(grep -v 'root' /etc/passwd)" - - if [[ ! -z "$out" ]]; then - echo - echo Appending the following passwd users to /usr/lib/passwd - echo "${out}" - echo "$out" >>/usr/lib/passwd - fi -fi +# if [ -f /etc/passwd ]; then +# out="$(grep -v 'root' /etc/passwd)" +# +# if [[ ! -z "$out" ]]; then +# echo +# echo Appending the following passwd users to /usr/lib/passwd +# echo "${out}" +# echo "$out" >>/usr/lib/passwd +# fi +# fi if [ -f /etc/group ]; then out="$(grep -v 'root\|wheel' /etc/group)" From 1e892056c805234986f0a2c9445f1a42d7e87796 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Wed, 3 Dec 2025 11:50:40 +0900 Subject: [PATCH 19/22] Layer `fish` shell, too. --- build_files/build.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/build_files/build.sh b/build_files/build.sh index 6ed6eee..b58d4e7 100755 --- a/build_files/build.sh +++ b/build_files/build.sh @@ -87,6 +87,7 @@ sh -c 'echo -e "[tailscale-stable]\nname=Tailscale stable\nbaseurl=https://pkgs. # Install my own layered packages dnf5 install -y \ + fish \ gvfs-nfs \ openssl \ wl-clipboard \ From b5992b2880020f85f80dbba4c00df69a90f4f1c5 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Fri, 5 Dec 2025 13:51:03 +0900 Subject: [PATCH 20/22] Add waypipe --- build_files/build.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build_files/build.sh b/build_files/build.sh index b58d4e7..5188004 100755 --- a/build_files/build.sh 
+++ b/build_files/build.sh @@ -96,7 +96,8 @@ dnf5 install -y \ libcamera libcamera-gstreamer libcamera-ipa libcamera-tools pipewire-plugin-libcamera \ gnome-shell-extension-appindicator \ 1password 1password-cli \ - tailscale + tailscale \ + waypipe # Delete 1Password and Tailscale repos once packages are installed # so they don't end up in the final image. From 0e39bc8924185c54961d451f5eb37b7754cfdf06 Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Wed, 17 Dec 2025 13:06:12 +0900 Subject: [PATCH 21/22] Add `htop` as a layered package. --- build_files/build.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build_files/build.sh b/build_files/build.sh index 5188004..0a4be77 100755 --- a/build_files/build.sh +++ b/build_files/build.sh @@ -97,7 +97,8 @@ dnf5 install -y \ gnome-shell-extension-appindicator \ 1password 1password-cli \ tailscale \ - waypipe + waypipe \ + htop # Delete 1Password and Tailscale repos once packages are installed # so they don't end up in the final image. From 79a855f6b242ae46623c2a1da3e9141760df11cd Mon Sep 17 00:00:00 2001 From: Dave Jansen Date: Wed, 17 Dec 2025 19:53:18 +0900 Subject: [PATCH 22/22] Don't raise error when attempting to delete files that don't exist --- build_files/build.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/build_files/build.sh b/build_files/build.sh index 0a4be77..6e7b38c 100755 --- a/build_files/build.sh +++ b/build_files/build.sh 
@@ -60,12 +60,15 @@ dnf5 distro-sync --skip-unavailable -y --repo='fedora-multimedia' "${OVERRIDES[@ dnf5 versionlock add "${OVERRIDES[@]}" # Remove additional repositories Fedora comes with out of the box +# And don't raise an error if any of these files does not exist when attempting +# to delete them. rm \ /etc/yum.repos.d/fedora-cisco-openh264.repo \ /etc/yum.repos.d/google-chrome.repo \ /etc/yum.repos.d/rpmfusion-nonfree-nvidia-driver.repo \ /etc/yum.repos.d/rpmfusion-nonfree-steam.repo \ - /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:phracek:PyCharm.repo + /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:phracek:PyCharm.repo \ + 2>&1 # Add country query to all repo metalinks # shellcheck disable=SC2016 @@ -101,12 +104,14 @@ dnf5 install -y \ htop # Delete 1Password and Tailscale repos once packages are installed -# so they don't end up in the final image. +# so they don't end up in the final image, and don't raise an error if any of +# these files does not exist when attempting to delete them. rm \ /etc/yum.repos.d/1password.repo \ /etc/yum.repos.d/tailscale.repo \ /etc/pki/rpm-gpg/1password.asc \ - /etc/pki/rpm-gpg/tailscale.gpg + /etc/pki/rpm-gpg/tailscale.gpg \ + 2>&1 # Or just disable: # dnf5 config-manager setopt 1password.enabled=0 tailscale-stable.enabled=0
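Review bot: The `2>&1` added to both `rm` calls in `build.sh` does not do what the new comments describe. It only sends rm's error message to stdout; rm still exits non-zero when a listed file is missing, and the `set -ouex pipefail` at the top of the script then stops the build. The form that ignores missing paths is `rm -f \` as the first line of each call, with the trailing `2>&1` dropped. The second hunk (1Password and Tailscale repo files and keys) has the same problem. It matters most there, because those files are removed so that third-party repo definitions and signing keys do not ship in the final image.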