[TEST] Set system-wide add-wants for Niri

I'm trying to debug why my
system-installed-1Password-and-Firefox-flatpak "hack" doesn't work on my
bootc image.

.gitea/workflows/build.yml

@@ -5,7 +5,7 @@ on:
     branches:
       - main
   schedule:
-    - cron: "05 10 * * *" # 10:05am UTC everyday
+    - cron: "05 4 */3 * *" # 4:05am every three days.
   push:
     branches:
       - main
@@ -73,10 +73,10 @@ jobs:
         with:
           # This generates all the tags for your image, you can add custom tags here too!
           tags: |
-            type=sha
-            type=raw,value=latest,enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
-            type=raw,value=${{ env.FEDORA_BASE }},enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
-            type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}},enable=${{ github.event_name != 'pull_request' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+            type=sha,enable=${{ github.event_name == 'pull_request' }}
+            type=raw,value=latest
+            type=raw,value=${{ env.FEDORA_BASE }}
+            type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}}
             type=ref,event=pr
           labels: |
             io.artifacthub.package.readme-url=${{ env.README_URL }}

Containerfile

@@ -4,6 +4,7 @@ ARG FEDORA_BASE=42
 FROM scratch AS ctx
 COPY build_files /
 COPY /sys_files /sys_files
+COPY cosign.pub /cosign.pub
 
 # Base Image
 FROM quay.io/fedora-ostree-desktops/silverblue:$FEDORA_BASE
@@ -27,7 +28,7 @@ RUN --mount=type=bind,from=ctx,source=/,target=/ctx \
   --mount=type=cache,dst=/var/cache \
   --mount=type=cache,dst=/var/log \
   --mount=type=tmpfs,dst=/tmp \
-  /ctx/build.sh
+  /ctx/build.sh && /ctx/cleanup.sh
 
 ### LINTING
 ## Verify final image and contents are correct.

build_files/build.sh

@@ -5,6 +5,10 @@ set -ouex pipefail
 # Copy System Files onto root
 rsync -rvK /ctx/sys_files/ /
 
+# Copy cosign.pub key into the right location
+mkdir -p /etc/pki/containers
+cp /ctx/cosign.pub /etc/pki/containers/davejansen.pub
+
 ### Install packages
 
 # Packages can be installed from any enabled yum repo on the image.
@@ -27,8 +31,9 @@ fi
 # Set higher priority
 dnf5 config-manager setopt fedora-multimedia.priority=90
 
-# Remove system-installed Firefox as I prefer to use the Flatpak version
-dnf5 remove -y firefox firefox-langpacks fedora-flathub-remote
+# Remove Fedora's package that enforces their own (filtered) version of the
+# flathub repo is present, as-well as the system-installed Firefox as I prefer to use the Flatpak version
+dnf5 remove -y fedora-flathub-remote firefox firefox-langpacks
 
 # Add Flathub to the image for eventual application
 mkdir -p /etc/flatpak/remotes.d/
@@ -55,12 +60,15 @@ dnf5 distro-sync --skip-unavailable -y --repo='fedora-multimedia' "${OVERRIDES[@
 dnf5 versionlock add "${OVERRIDES[@]}"
 
 # Remove additional repositories Fedora comes with out of the box
+# And don't raise an error if any of these files does not exist when attempting
+# to delete them.
 rm \
   /etc/yum.repos.d/fedora-cisco-openh264.repo \
   /etc/yum.repos.d/google-chrome.repo \
   /etc/yum.repos.d/rpmfusion-nonfree-nvidia-driver.repo \
   /etc/yum.repos.d/rpmfusion-nonfree-steam.repo \
-  /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:phracek:PyCharm.repo
+  /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:phracek:PyCharm.repo \
+  2>&1
 
 # Add country query to all repo metalinks
 # shellcheck disable=SC2016
@@ -82,6 +90,7 @@ sh -c 'echo -e "[tailscale-stable]\nname=Tailscale stable\nbaseurl=https://pkgs.
 
 # Install my own layered packages
 dnf5 install -y \
+  fish \
   gvfs-nfs \
   openssl \
   wl-clipboard \
@@ -90,7 +99,9 @@ dnf5 install -y \
   libcamera libcamera-gstreamer libcamera-ipa libcamera-tools pipewire-plugin-libcamera \
   gnome-shell-extension-appindicator \
   1password 1password-cli \
-  tailscale
+  tailscale \
+  waypipe \
+  htop
 
 # Install Niri, the scrollable-tiling window compositor
 # https://yalter.github.io/niri/
@@ -98,19 +109,19 @@ dnf5 -y copr enable avengemedia/dms
 dnf5 -y install niri dms
 dnf5 -y copr disable avengemedia/dms
 
-# systemctl enable niri.service
-#systemctl enable --user niri.service
-#systemctl add-wants --user niri.service dms
+systemctl add-wants niri.service dms
 
 ## CLEANUP
 
 # Delete 1Password and Tailscale repos once packages are installed
-# so they don't end up in the final image.
+# so they don't end up in the final image, and don't raise an error if any of
+# these files does not exist when attempting to delete them.
 rm \
   /etc/yum.repos.d/1password.repo \
   /etc/yum.repos.d/tailscale.repo \
   /etc/pki/rpm-gpg/1password.asc \
-  /etc/pki/rpm-gpg/tailscale.gpg
+  /etc/pki/rpm-gpg/tailscale.gpg \
+  2>&1
 
 # Or just disable:
 # dnf5 config-manager setopt 1password.enabled=0 tailscale-stable.enabled=0

build_files/cleanup.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -ouex pipefail
+
+## Handle files that rpm-ostree would normally remove
+## Adapted from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33
+
+# if [ -f /etc/passwd ]; then
+#   out="$(grep -v 'root' /etc/passwd)"
+#
+#   if [[ ! -z "$out" ]]; then
+#     echo
+#     echo Appending the following passwd users to /usr/lib/passwd
+#     echo "${out}"
+#     echo "$out" >>/usr/lib/passwd
+#   fi
+# fi
+
+if [ -f /etc/group ]; then
+  out="$(grep -v 'root\|wheel' /etc/group)"
+
+  if [[ ! -z "$out" ]]; then
+    echo
+    echo Appending the following group entries to /usr/lib/group
+    echo "$out"
+    echo "$out" >>/usr/lib/group
+  fi
+fi
+
+if [ -f /etc/passwd ] || [ -f /etc/group ]; then
+  echo
+  echo "Warning: Make sure processed users and groups are from installed programs!"
+fi
+
+# # Create defaults for /etc/passwd, /etc/group
+# cat <<EOT >/etc/passwd
+# root:x:0:0:root:/root:/bin/bash
+# EOT
+# cat <<EOT >/etc/group
+# root:x:0:
+# wheel:x:10:
+# EOT
+
+# Extra lock files created by container processes that might cause issues
+rm -rf \
+  /etc/.pwd.lock \
+  /etc/passwd- \
+  /etc/group- \
+  /etc/shadow- \
+  /etc/gshadow- \
+  /etc/subuid- \
+  /etc/subgid- \
+  /.dockerenv
+
+# # Merge /usr/etc to /etc
+# # OSTree will error out if both dirs exist
+# # And rpm-ostree will be confused and use only one of them
+# if [ -d /usr/etc ]; then
+#   echo
+#   echo WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY
+#   echo EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS
+#   echo The following files from /usr/etc will be merged to /etc:
+#   tree /usr/etc
+#
+#   echo
+#   rsync -aAX --numeric-ids --checksum --links /usr/etc/ /etc
+#   rm -rf /usr/etc
+# fi
+#
+# # Move /etc to /usr/etc
+# mv /etc /usr/
+
+# ...normal ublue-inspired steps continue.

sys_files/etc/containers/policy.json

@@ -0,0 +1,32 @@
+{
+  "default": [
+    {
+      "type": "reject"
+    }
+  ],
+  "transports": {
+    "docker": {
+      "davejansen.dev": [
+        {
+          "type": "sigstoreSigned",
+          "keyPaths": ["/etc/pki/containers/davejansen.pub"],
+          "signedIdentity": {
+            "type": "matchRepository"
+          }
+        }
+      ],
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "docker-daemon": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    }
+  }
+}

sys_files/etc/containers/registries.d/davejansen.yaml

@@ -0,0 +1,3 @@
+docker:
+  davejansen.dev/davejansen:
+    use-sigstore-attachments: true