diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml index aeedc91..6a26172 100644 --- a/.gitea/workflows/build.yml +++ b/.gitea/workflows/build.yml @@ -5,7 +5,7 @@ on: branches: - main schedule: - - cron: "05 10 * * *" # 10:05am UTC everyday + - cron: "05 4 */3 * *" # 4:05am every three days. push: branches: - main @@ -50,16 +50,6 @@ jobs: echo "IMAGE_REGISTRY=${IMAGE_REGISTRY,,}" >> ${GITHUB_ENV} echo "IMAGE_NAME=${IMAGE_NAME,,}" >> ${GITHUB_ENV} - # Pre-create Podman's auth file directory and file, this is somehow needed here. - #mkdir -p /tmp/podman-run-0/containers - #echo "{}" > /tmp/podman-run-0/containers/auth.json - - # Pre-create docker config file - #mkdir -p ~/.docker - #echo "{}" > ~/.docker/config.json - - #touch /tmp/podman-run-0/containers/auth.json - # These stage versions are pinned by https://github.com/renovatebot/renovate - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 @@ -83,11 +73,10 @@ jobs: with: # This generates all the tags for your image, you can add custom tags here too! tags: | - # set latest tag for main branch - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + type=sha,enable=${{ github.event_name == 'pull_request' }} + type=raw,value=latest type=raw,value=${{ env.FEDORA_BASE }} type=raw,value=${{ env.FEDORA_BASE }}-{{date 'YYYYMMDD'}} - type=sha,enable=${{ github.event_name == 'pull_request' }} type=ref,event=pr labels: | io.artifacthub.package.readme-url=${{ env.README_URL }} @@ -123,6 +112,7 @@ jobs: image: ${{ env.IMAGE_NAME }} tags: ${{ steps.metadata.outputs.tags }} labels: ${{ steps.metadata.outputs.labels }} + #labels: "localhost/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE }}" extra-args: --isolation=chroot oci: false 
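Review bot: The new comment `# 4:05am every three days.` on the `cron:` line overstates what `*/3` in the day-of-month field does: it fires on days 1, 4, 7, … of each month and restarts at 1 on the next month, so the gap across a month boundary is anywhere from one to three days, and the old comment's explicit UTC note was dropped. Suggest `# 04:05 UTC on days 1,4,7,... of each month (not a strict 3-day interval)`.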
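Review bot: `type=raw,value=latest` has lost its `enable=` guard, so `latest` is now emitted into `steps.metadata.outputs.tags` for every event, including pull requests and non-default branches. The login step gated in the next hunk (`if: github.event_name != 'pull_request' && …`) does not by itself stop a push step from being handed a `latest` tag; whether that push step is gated the same way is outside this hunk and worth checking, because a PR build that reaches an authenticated push would overwrite `latest`. Restoring the guard the removed line carried, `type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}`, keeps tag generation and push policy aligned.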
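Review bot: The added `#labels: "localhost/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE }}"` is a commented-out duplicate of the live `labels:` key directly above it, and its value is an image reference rather than a label, which suggests it was meant for a `ref:` input (the rechunk block in a later hunk uses exactly that value). Leftover toggles inside a `with:` block tend to get uncommented by accident and then shadow the real key; drop it, or move the reminder into the rechunk comment block where the value belongs.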
@@ -132,25 +122,21 @@ jobs: # You can enable it by uncommenting the following lines: # - name: Run Rechunker # id: rechunk - # uses: hhd-dev/rechunk@f153348d8100c1f504dec435460a0d7baf11a9d2 # v1.1.1 + # uses: hhd-dev/rechunk@v1.2.4 # with: - # rechunk: 'ghcr.io/hhd-dev/rechunk:v1.0.1' - # ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" - # prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DEFAULT_TAG }}" + # rechunk: "ghcr.io/hhd-dev/rechunk:v1.2.4" + # ref: "localhost/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE }}" + # prev-ref: + # "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.FEDORA_BASE + # }}" # skip_compression: true - # version: ${{ env.CENTOS_VERSION }} + # version: ${{ env.FEDORA_BASE }} # labels: ${{ steps.metadata.outputs.labels }} # Rechunk strips out all the labels during build, this needs to be reapplied here with newline separator - # This is necessary so that the podman socket can find the rechunked image on its storage - # - name: Load in podman and tag - # run: | - # IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }}) - # sudo rm -rf ${{ steps.rechunk.outputs.output }} - # for tag in ${{ steps.metadata.outputs.tags }}; do - # podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag - # done - - name: Login to Container Registry + if: + github.event_name != 'pull_request' && github.ref == + format('refs/heads/{0}', github.event.repository.default_branch) run: | podman login \ --verbose \ diff --git a/Containerfile b/Containerfile index 29ab4c3..588b154 100644 --- a/Containerfile +++ b/Containerfile 
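Review bot: The commented-out rechunk step now references `hhd-dev/rechunk@v1.2.4`, a moving tag, where the removed line pinned a full commit SHA with the version in a trailing comment — the convention the live steps in this file follow (`actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5`) and that the "pinned by renovate" note relies on. Whoever uncomments this later inherits an unpinned third-party action that runs with the job's registry credentials. Keep the pinned form, `# uses: hhd-dev/rechunk@<commit-sha-for-v1.2.4> # v1.2.4`. The `if:` added to `Login to Container Registry` gates only the login; the push step it protects is outside this hunk, and if it does not carry the same condition a skipped login is followed by a failing push rather than a silent one, which is worth a comment either way.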
@@ -3,18 +3,11 @@ ARG FEDORA_BASE=42 # Allow build scripts to be referenced without being copied into the final image FROM scratch AS ctx COPY build_files / +COPY /sys_files /sys_files +COPY cosign.pub /cosign.pub # Base Image -FROM ghcr.io/ublue-os/silverblue-main:$FEDORA_BASE - -## Other possible base images include: -# FROM ghcr.io/ublue-os/bazzite:latest -# FROM ghcr.io/ublue-os/bluefin-nvidia:stable -# -# ... and so on, here are more base images -# Universal Blue Images: https://github.com/orgs/ublue-os/packages -# Fedora base image: quay.io/fedora/fedora-bootc:41 -# CentOS base images: quay.io/centos-bootc/centos-bootc:stream10 +FROM quay.io/fedora-ostree-desktops/silverblue:$FEDORA_BASE ### [IM]MUTABLE /opt ## Some bootable images, like Fedora, have /opt symlinked to /var/opt, in order to @@ -35,7 +28,7 @@ RUN --mount=type=bind,from=ctx,source=/,target=/ctx \ --mount=type=cache,dst=/var/cache \ --mount=type=cache,dst=/var/log \ --mount=type=tmpfs,dst=/tmp \ - /ctx/build.sh + /ctx/build.sh && /ctx/cleanup.sh ### LINTING ## Verify final image and contents are correct. diff --git a/build_files/build.sh b/build_files/build.sh index c4840db..6ed6eee 100755 --- a/build_files/build.sh +++ b/build_files/build.sh @@ -2,6 +2,13 @@ set -ouex pipefail +# Copy System Files onto root +rsync -rvK /ctx/sys_files/ / + +# Copy cosign.pub key into the right location +mkdir -p /etc/pki/containers +cp /ctx/cosign.pub /etc/pki/containers/davejansen.pub + ### Install packages # Packages can be installed from any enabled yum repo on the image. 
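Review bot: The new base `FROM quay.io/fedora-ostree-desktops/silverblue:$FEDORA_BASE` is pulled by mutable tag only, so the root of every build is whatever that tag resolves to at build time; this commit adds a `policy.json` that rejects unsigned images for the project's own registry, yet nothing verifies the base the image is built from. Pinning the digest, `FROM quay.io/fedora-ostree-desktops/silverblue:$FEDORA_BASE@sha256:<digest>`, makes the input reproducible and lets renovate bump it explicitly. Minor: `COPY /sys_files /sys_files` uses a leading slash on the source while the neighbouring `COPY build_files /` and `COPY cosign.pub /cosign.pub` do not; context paths are always relative to the build context, so `COPY sys_files /sys_files` reads the same and is consistent.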
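Review bot: `rsync -rvK /ctx/sys_files/ /` copies `etc/containers/policy.json`, the `registries.d` file and the systemd unit onto the root without `-p`, so the modes of these newly created files are not preserved from the source but filtered through the build's umask; for files that define signature policy the mode should be explicit, e.g. `rsync -rvKp /ctx/sys_files/ /` (or `-a` if ownership and times should be kept as well). The key copy `cp /ctx/cosign.pub /etc/pki/containers/davejansen.pub` is correct but its destination name only makes sense next to the `keyPaths` entry in `sys_files/etc/containers/policy.json`; a one-line comment such as `# Must match keyPaths in sys_files/etc/containers/policy.json` ties the two together.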
@@ -9,8 +16,48 @@ set -ouex pipefail # List of rpmfusion packages can be found here: # https://mirrors.rpmfusion.org/mirrorlist?path=free/fedora/updates/39/x86_64/repoview/index.html&protocol=https&redirect=1 -# Remove system-installed Firefox as I prefer to use the Flatpak version -dnf5 remove -y firefox firefox-langpacks +# Install RPMFusion and enable fedora-multimedia with a higher priority than default +if ! grep -q fedora-multimedia <(dnf5 repolist); then + # Enable or Install Repofile + #dnf5 install \ + # https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \ + # https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm + + # Enable fedora-multimedia + dnf5 config-manager setopt fedora-multimedia.enabled=1 || + dnf5 config-manager addrepo --from-repofile="https://negativo17.org/repos/fedora-multimedia.repo" +fi + +# Set higher priority +dnf5 config-manager setopt fedora-multimedia.priority=90 + +# Remove Fedora's package that enforces their own (filtered) version of the +# flathub repo is present, as-well as the system-installed Firefox as I prefer to use the Flatpak version +dnf5 remove -y fedora-flathub-remote firefox firefox-langpacks + +# Add Flathub to the image for eventual application +mkdir -p /etc/flatpak/remotes.d/ +curl --retry 3 -Lo /etc/flatpak/remotes.d/flathub.flatpakrepo https://dl.flathub.org/repo/flathub.flatpakrepo + +# use override to replace mesa and others with less crippled versions +OVERRIDES=( + "intel-gmmlib" + "intel-mediasdk" + "intel-vpl-gpu-rt" + "libheif" + "libva" + "libva-intel-media-driver" + "mesa-dri-drivers" + "mesa-filesystem" + "mesa-libEGL" + "mesa-libGL" + "mesa-libgbm" + "mesa-va-drivers" + "mesa-vulkan-drivers" +) + +dnf5 distro-sync --skip-unavailable -y --repo='fedora-multimedia' "${OVERRIDES[@]}" +dnf5 versionlock add "${OVERRIDES[@]}" # Remove additional repositories Fedora comes with out of the box rm \ 
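Review bot: `curl --retry 3 -Lo /etc/flatpak/remotes.d/flathub.flatpakrepo https://dl.flathub.org/repo/flathub.flatpakrepo` lacks `--fail`, so an HTTP error body would be written into the `.flatpakrepo` file and the build would still succeed; use `curl --fail --retry 3 -Lo /etc/flatpak/remotes.d/flathub.flatpakrepo https://dl.flathub.org/repo/flathub.flatpakrepo`. The `fedora-multimedia` repo is added with `addrepo --from-repofile=`, raised to priority 90 and then used to `distro-sync` mesa and the VA-API stack, yet unlike the 1Password and Tailscale repos later in this script (`cp /ctx/rpm-keys/… /etc/pki/rpm-gpg/…`) its signing key is not vendored into the image, so trust rests on whatever the downloaded repo file points at on the day of the build. Shipping the key under `/ctx/rpm-keys/` and referencing it from the repo file would put it on the same footing as the other third-party repos. `distro-sync --skip-unavailable` followed by `dnf5 versionlock add "${OVERRIDES[@]}"` silently locks a name that was skipped, which hides a typo in `OVERRIDES`; a comment stating that skips are expected, or dropping `--skip-unavailable`, makes the intent visible.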
@@ -26,10 +73,10 @@ sed -i -e '/^metalink\=/s/\$releasever\&arch\=\$basearch$/\$releasever\&arch\=\$ # Add 1Password repo #rpmkeys --import https://downloads.1password.com/linux/keys/1password.asc -cp /ctx/rpm-keys/1password.asc /etc/pki/rpm-gpg/1password.asc +cp /ctx/rpm-keys/1password.asc /etc/pki/rpm-gpg/1password.asc sh -c 'echo -e "[1password]\nname=1Password Stable Channel\nbaseurl=https://downloads.1password.com/linux/rpm/stable/\$basearch\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=\"file:///etc/pki/rpm-gpg/1password.asc\"" > /etc/yum.repos.d/1password.repo' -# Add Tailscale repo +# Add Tailscale repo #rpmkeys --import https://pkgs.tailscale.com/stable/fedora/repo.gpg #dnf5 config-manager addrepo --from-repofile=https://pkgs.tailscale.com/stable/fedora/tailscale.repo cp /ctx/rpm-keys/tailscale.gpg /etc/pki/rpm-gpg/tailscale.gpg @@ -42,6 +89,10 @@ sh -c 'echo -e "[tailscale-stable]\nname=Tailscale stable\nbaseurl=https://pkgs. dnf5 install -y \ gvfs-nfs \ openssl \ + wl-clipboard \ + ffmpeg ffmpeg-libs ffmpegthumbnailer \ + heif-pixbuf-loader intel-vaapi-driver libavcodec libheif \ + libcamera libcamera-gstreamer libcamera-ipa libcamera-tools pipewire-plugin-libcamera \ gnome-shell-extension-appindicator \ 1password 1password-cli \ tailscale 
@@ -58,34 +109,29 @@ rm \ # dnf5 config-manager setopt 1password.enabled=0 tailscale-stable.enabled=0 # sed -i 's/enabled=1/enabled=0/' \ # /etc/yum.repos.d/1password.repo \ -# /etc/yum.repos.d/tailscale.repo +# /etc/yum.repos.d/tailscale.repo \ -# Add Flathub -#flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo -#flatpak remote-modify --enable --no-filter flathub +# Fedora Flatpak service is a part of the flatpak package, ensure it's overridden by moving to replace it at the end of the build. +mv -f /usr/lib/systemd/system/flatpak-add-flathub-repos.service /usr/lib/systemd/system/flatpak-add-fedora-repos.service -# Re-install all pre-installed (GNOME) applications from Flathub -#flatpak install --reinstall flathub "$(flatpak list --app-runtime=org.fedoraproject.Platform --columns=application | tail -n +1 )" - -# ...and remove the fedora flatpak remotes -#flatpak remote-delete --force fedora -#flatpak remote-delete --force fedora-testing - - -# TODO: Add flathub remove, enable, and remove filter -# TODO: Install core GNOME Flatpak apps -# TODO: Install my own commonly used Flatpak apps -# IDEA: Can I set certain dconf settings, like Ptyxis config, temperature settings, etc? -# IDEA: Can I set certain Flatpak system defaults (ie. no read/write anywhere by default) - -# Use a COPR Example: -# -# dnf5 -y copr enable ublue-os/staging -# dnf5 -y install package -# Disable COPRs so they don't end up enabled on the final image: -# dnf5 -y copr disable ublue-os/staging - -#### Example for enabling a System Unit File - -# systemctl enable podman.socket +# Enable Tailscale systemctl enable tailscaled + +# Cleanup + +# Remove dnf5 versionlocks +dnf5 versionlock clear + +# Remove tmp files and everything in dirs that make bootc unhappy +rm -rf /tmp/* || true +rm -rf /usr/etc +rm -rf /boot && mkdir /boot +# Preserve cache mounts +find /var/* -maxdepth 0 -type d \! -name cache \! 
-name log -exec rm -rf {} \; +find /var/cache/* -maxdepth 0 -type d \! -name libdnf5 -exec rm -rf {} \; + +# Make sure /var/tmp is properly created +mkdir -p /var/tmp +chmod -R 1777 /var/tmp + +echo "Done." diff --git a/build_files/cleanup.sh b/build_files/cleanup.sh new file mode 100755 index 0000000..5828eec --- /dev/null +++ b/build_files/cleanup.sh 
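Review bot: `chmod -R 1777 /var/tmp` recurses, so anything already present under `/var/tmp` when this runs becomes world-writable and sticky; the intent is the directory mode only, `chmod 1777 /var/tmp`. The `find /var/* -maxdepth 0 … -exec rm -rf {} \;` line that opens this page chunk is one command continued from the previous chunk. This new `# Cleanup` section (versionlock clear, `/tmp`, `/usr/etc`, `/boot`, `/var` pruning) duplicates the purpose of the `cleanup.sh` added in this commit and chained after `build.sh` in the Containerfile; keeping all end-of-build fixups in that one script avoids two places drifting apart. `mv -f …/flatpak-add-flathub-repos.service …/flatpak-add-fedora-repos.service` overwrites an RPM-owned unit file under its original name, so `rpm -V flatpak` will flag it and the unit's own `[Install]` section is never what enables it; a comment such as `# Takes over Fedora's unit name so the existing enablement of that unit applies` would record the assumption for the next reader.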
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -ouex pipefail
+
+## Handle files that rpm-ostree would normally remove
+## Adapted from: https://github.com/hhd-dev/rechunk/blob/master/1_prune.sh#L33
+
+# if [ -f /etc/passwd ]; then
+# out="$(grep -v 'root' /etc/passwd)"
+#
+# if [[ ! -z "$out" ]]; then
+# echo
+# echo Appending the following passwd users to /usr/lib/passwd
+# echo "${out}"
+# echo "$out" >>/usr/lib/passwd
+# fi
+# fi
+
+if [ -f /etc/group ]; then
+ out="$(grep -v 'root\|wheel' /etc/group)"
+
+ if [[ ! -z "$out" ]]; then
+ echo
+ echo Appending the following group entries to /usr/lib/group
+ echo "$out"
+ echo "$out" >>/usr/lib/group
+ fi
+fi
+
+if [ -f /etc/passwd ] || [ -f /etc/group ]; then
+ echo
+ echo "Warning: Make sure processed users and groups are from installed programs!"
+fi
+
+# # Create defaults for /etc/passwd, /etc/group
+# cat </etc/passwd
+# root:x:0:0:root:/root:/bin/bash
+# EOT
+# cat </etc/group
+# root:x:0:
+# wheel:x:10:
+# EOT
+
+# Extra lock files created by container processes that might cause issues
+rm -rf \
+ /etc/.pwd.lock \
+ /etc/passwd- \
+ /etc/group- \
+ /etc/shadow- \
+ /etc/gshadow- \
+ /etc/subuid- \
+ /etc/subgid- \
+ /.dockerenv
+
+# # Merge /usr/etc to /etc
+# # OSTree will error out if both dirs exist
+# # And rpm-ostree will be confused and use only one of them
+# if [ -d /usr/etc ]; then
+# echo
+# echo WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY
+# echo EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS
+# echo The following files from /usr/etc will be merged to /etc:
+# tree /usr/etc
+#
+# echo
+# rsync -aAX --numeric-ids --checksum --links /usr/etc/ /etc
+# rm -rf /usr/etc
+# fi
+#
+# # Move /etc to /usr/etc
+# mv /etc /usr/
+
+# ...normal ublue-inspired steps continue.
diff --git a/sys_files/etc/containers/policy.json b/sys_files/etc/containers/policy.json
new file mode 100644
index 0000000..efb2341
--- /dev/null
+++ b/sys_files/etc/containers/policy.json
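Review bot: `out="$(grep -v 'root\|wheel' /etc/group)"` runs under `set -e`, and `grep -v` exits 1 when it selects nothing, so a build whose `/etc/group` holds only root and wheel aborts on this line instead of taking the nothing-to-append path; the pattern is also an unanchored substring match that would drop any group whose name merely contains `root` or `wheel`. Suggest `out="$(grep -v '^\(root\|wheel\):' /etc/group || true)"`. With the `# Create defaults` block left commented out, the appended entries also remain in `/etc/group`, so the same groups end up in both `/usr/lib/group` and `/etc/group`; if that is deliberate, say so in a comment next to the existing `Warning:` echo, since the upstream script this is adapted from rewrites `/etc/group` afterwards.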
@@ -0,0 +1,32 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "davejansen.dev": [
+ {
+ "type": "sigstoreSigned",
+ "keyPaths": ["/etc/pki/containers/davejansen.pub"],
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/sys_files/etc/containers/registries.d/davejansen.yaml b/sys_files/etc/containers/registries.d/davejansen.yaml
new file mode 100644
index 0000000..ebdf467
--- /dev/null
+++ b/sys_files/etc/containers/registries.d/davejansen.yaml
@@ -0,0 +1,3 @@
+docker:
+ davejansen.dev/davejansen:
+ use-sigstore-attachments: true
diff --git a/sys_files/usr/lib/systemd/system/flatpak-add-flathub-repos.service b/sys_files/usr/lib/systemd/system/flatpak-add-flathub-repos.service
new file mode 100644
index 0000000..80dcd89
--- /dev/null
+++ b/sys_files/usr/lib/systemd/system/flatpak-add-flathub-repos.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Add Flathub flatpak repositories. This replaces a service included by Fedora that normally installs their repo.
+ConditionPathExists=!/var/lib/flatpak/.ublue-initialized
+Before=flatpak-system-helper.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/flatpak remote-add --system --if-not-exists flathub /etc/flatpak/remotes.d/flathub.flatpakrepo
+ExecStart=/usr/bin/flatpak remote-add --system --if-not-exists --disable --title "Fedora Flatpaks" fedora oci+https://registry.fedoraproject.org
+ExecStart=/usr/bin/flatpak remote-add --system --if-not-exists --disable --title "Fedora Flatpaks (testing)" fedora-testing oci+https://registry.fedoraproject.org#testing
+ExecStartPost=/usr/bin/touch /var/lib/flatpak/.ublue-initialized
+
+[Install]
+WantedBy=multi-user.target
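Review bot: The `sigstoreSigned` rule is scoped to the whole host `"davejansen.dev"`, but `registries.d/davejansen.yaml` in the next hunk enables `use-sigstore-attachments` only for `davejansen.dev/davejansen`; an image on that host outside that namespace would be required to carry a sigstore signature that the client is never configured to fetch, so such a pull is rejected with an unhelpful error. Align the two scopes, e.g. `"davejansen.dev/davejansen": [` here, or widen the registries.d entry to the host. Note also that the `""` catch-all under `docker` is `insecureAcceptAnything`, so the top-level `"default": reject` only governs transports other than `docker` and `docker-daemon`; if that is the intended posture (verify own images, accept everything else), record it in the commit message or a README entry, because JSON offers no place for a comment and `default: reject` reads as "everything is verified".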
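Review bot: The unit is shipped as `flatpak-add-flathub-repos.service`, but `build.sh` in this commit renames it with `mv -f` to `flatpak-add-fedora-repos.service`, so the name under `sys_files/` never exists on the built image and the `[Install]` section is not what enables it; a header comment, `# Installed as flatpak-add-fedora-repos.service by build_files/build.sh (replaces Fedora's unit)`, keeps the two files in sync and lets the `Description=` shrink to a single clause. The first `ExecStart` adds flathub from `/etc/flatpak/remotes.d/flathub.flatpakrepo`; if flatpak already registers `.flatpakrepo` files placed in that directory as system remotes — the script writes the file there specifically, which suggests it does — that line is redundant and the two `--disable` lines are the unit's only real work, worth confirming before relying on the `.ublue-initialized` marker to make this a one-time step. `--if-not-exists --disable` also has no effect on an already-present `fedora` remote, so on upgraded systems the Fedora remotes may stay enabled; if that matters, `remote-modify --disable fedora` is the explicit form.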