diff --git a/.github/pull.yml b/.github/pull.yml index 75cb88407c9..28c1d64f3af 100644 --- a/.github/pull.yml +++ b/.github/pull.yml @@ -1,6 +1,12 @@ version: "1" rules: - - base: main + - base: bluefin-main upstream: ublue-os:main + mergeMethod: hardreset + mergeUnstable: false + - base: main + upstream: bluefin-main mergeMethod: merge mergeUnstable: false +label: ":arrow_heading_down: pull" +conflictLabel: "merge-conflict" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ae939e15fb..c9c5d6b3cc8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,11 +1,13 @@ name: Build and Push Image on: schedule: - - cron: '15 09 * * *' # 9:15am everyday - merge_group: + - cron: '00 08 * * *' # 8:00am everyday + push: + branches: + - live pull_request: branches: - - main + - live paths-ignore: - '**.md' workflow_dispatch: @@ -123,6 +125,13 @@ jobs: io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/bluefin/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 + - name: Get Pragmata Pro zip file + run: | + curl "$(curl -q \ + 'https://ckdatabasews.icloud.com/database/1/com.apple.cloudkit/production/public/records/resolve' \ + --data-raw '{"shortGUIDs":[{"value":"${{ secrets.PRAGMATAPRO_ICLOUD_ID }}"}]}' --compressed | \ + jq -r '.results[0].rootRecord.fields.fileContent.value.downloadURL')" -L > /tmp/pragmatapro.zip + # Build image using Buildah action - name: Build Image id: build_image diff --git a/Containerfile b/Containerfile index 0d0a0f0e5e4..bf02f741bcd 100644 --- a/Containerfile +++ b/Containerfile @@ -31,6 +31,7 @@ COPY just /tmp/just COPY etc/yum.repos.d/ /etc/yum.repos.d/ COPY packages.json /tmp/packages.json COPY build.sh /tmp/build.sh + COPY image-info.sh /tmp/image-info.sh # Copy ublue-update.toml to tmp first, to avoid being overwritten. COPY usr/etc/ublue-update/ublue-update.toml /tmp/ublue-update.toml 
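Review bot: In the added `Get Pragmata Pro zip file` step of build.yml, the archive written to `/tmp/pragmatapro.zip` is never compared with a known digest and neither `curl` uses `--fail`, so an HTTP error body can be saved as the zip that `scripts/pragmatapro.sh` expects to unpack. The secret is spliced into the script text with `${{ secrets.PRAGMATAPRO_ICLOUD_ID }}`; passing it through `env:` and building the JSON with `jq --arg` keeps it out of the generated script. `curl -q` only skips `.curlrc`, and silence is `-s`. Because the workflow also runs on `pull_request`, the secret is presumably empty for pull requests from forks, so the step should fail cleanly there rather than fetch a `null` URL. The fence shows the step with these changes; the digest secret name in it is a placeholder.

```yaml
      - name: Get Pragmata Pro zip file
        env:
          PRAGMATAPRO_ICLOUD_ID: ${{ secrets.PRAGMATAPRO_ICLOUD_ID }}
          # placeholder name: expected SHA-256 of the font archive
          PRAGMATAPRO_SHA256: ${{ secrets.PRAGMATAPRO_SHA256 }}
        run: |
          set -euo pipefail
          body="$(jq -cn --arg id "$PRAGMATAPRO_ICLOUD_ID" '{shortGUIDs: [{value: $id}]}')"
          url="$(curl --fail --silent --show-error --compressed \
            'https://ckdatabasews.icloud.com/database/1/com.apple.cloudkit/production/public/records/resolve' \
            --data-raw "$body" |
            jq -er '.results[0].rootRecord.fields.fileContent.value.downloadURL')"
          curl --fail --silent --show-error --location --proto '=https' "$url" -o /tmp/pragmatapro.zip
          echo "${PRAGMATAPRO_SHA256}  /tmp/pragmatapro.zip" | sha256sum --check -
```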
@@ -111,7 +112,7 @@ COPY workarounds.sh \ packages.json \ build.sh \ image-info.sh \ - /tmp + /tmp/ # Apply IP Forwarding before installing Docker to prevent messing with LXC networking RUN sysctl -p @@ -151,7 +152,7 @@ RUN rpm-ostree install $(curl https://api.github.com/repos/charmbracelet/vhs/rel wget https://github.com/tsl0922/ttyd/releases/latest/download/ttyd.x86_64 -O /tmp/ttyd && \ install -c -m 0755 /tmp/ttyd /usr/bin/ttyd -# Install Charm gum +# Install Charm gum RUN rpm-ostree install $(curl https://api.github.com/repos/charmbracelet/gum/releases/latest | jq -r '.assets[] | select(.name| test(".*.x86_64.rpm$")).browser_download_url') # Set up services @@ -161,6 +162,33 @@ RUN systemctl enable podman.socket && \ RUN /tmp/workarounds.sh +### BEGIN bri +# Add custom scripts +ADD --chmod=0755 scripts/* /tmp/ + +### add bat +RUN /tmp/bat.sh + +### add delta +RUN /tmp/delta.sh + +### add 1password +COPY --from=ghcr.io/ublue-os/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh +RUN chmod +x /tmp/1password.sh && \ + ONEPASSWORD_RELEASE_CHANNEL=beta \ + GID_ONEPASSWORD=1500 \ + GID_ONEPASSWORDCLI=1600 \ + /tmp/1password.sh + +### add appimagelauncher +RUN rpm-ostree install "https://github.com/TheAssassin/AppImageLauncher/releases/download/continuous/appimagelauncher-2.2.0-gha111.d9d4c73.x86_64.rpm" + +### more +RUN /tmp/more.sh + +### END bri + + # Clean up repos, everything is on the image so we don't need them RUN rm -f /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo && \ rm -f /etc/yum.repos.d/ganto-lxc4-fedora-"${FEDORA_MAJOR_VERSION}".repo && \ diff --git a/README.md b/README.md index d298abca90b..10ea80598ca 100644 --- a/README.md +++ b/README.md 
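Review bot: In the `### BEGIN bri` block, `COPY --from=ghcr.io/ublue-os/bling:latest ... /tmp/1password.sh` takes a script from a mutable tag and runs it as root during the build. It also overwrites the `1password.sh` that `ADD --chmod=0755 scripts/* /tmp/` placed there one step earlier, so the `scripts/1password.sh` added by this commit is never the copy that executes. Either pin the source image, `COPY --from=ghcr.io/ublue-os/bling@sha256:<digest> ...` (digest is a placeholder), or drop the `COPY --from` and run the in-repo script. The AppImageLauncher RPM is installed straight from the rolling `continuous` release URL with no digest recorded in the repo; downloading it, checking it with `sha256sum -c` and then installing the local file would make the build reproducible and reviewable.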
@@ -1,10 +1,12 @@ -# bluefin +# bri's bluefin spin -**This image is considered Beta** +**a personal fork of Universal Blue's Bluefin{,-DX} spin on Fedora Silverblue** -## [Download the test ISO](https://github.com/ublue-os/bluefin/releases/) -## [projectbluefin.io](https://projectbluefin.io) -## [Announcement Blog Post](https://www.ypsidanger.com/announcing-project-bluefin/) +==== BASE ==== +[![Bluefin Build](https://github.com/ublue-os/bluefin/actions/workflows/build.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build.yml) + +[![Ubuntu Toolbox Build](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml) +==== BASE ==== A familiar(ish) Ubuntu desktop for Fedora Silverblue. It strives to cover these three use cases: - For end users it provides a system as reliable as a Chromebook with near-zero maintainance, with the power of Ubuntu and Fedora fused together diff --git a/cosign.pub b/cosign.pub index f9482c42af9..eb884d96c8a 100644 --- a/cosign.pub +++ b/cosign.pub @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA -cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz+XNZtY2K17rapUcSQ5+rwxKOr/D +AWE55K7g0eWAXQcJLKYF0v6jtcyyQc4iSFxDAcxACo4eUyzLSr8RUq93hg== -----END PUBLIC KEY----- diff --git a/just/custom.just b/just/custom.just index a2f30dd4ec5..7c868a3b27f 100644 --- a/just/custom.just +++ b/just/custom.just @@ -23,6 +23,10 @@ aqua: printf '\n export PATH="${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH"\n' printf '\n=> see https://aquaproj.github.io/docs/tutorial for more info\n' +# Set shell (back) to bash +bash: + ujust chsh /bin/bash + # Install Homebrew for Linux brew: echo "Installing homebrew ..." 
@@ -118,8 +122,7 @@ distrobox-universal: # Switch to the fish shell fish: - sudo usermod $USER --shell /usr/bin/fish - printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')" + ujust chsh /usr/bin/fish # Install recommended GNOME extensions gnome-extensions: @@ -170,12 +173,12 @@ nix-devbox-global: # Enable podmansh as user shell (EXPERIMENTAL) podmansh: + #!/usr/bin/env bash sudo mkdir -p /etc/containers/systemd/users/${UID} sudo cp /usr/share/ublue-os/quadlets/podmansh.container /etc/containers/systemd/users/${UID}/podmansh.container - sudo usermod $USER --shell /usr/bin/podmansh - printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')" + ujust chsh /usr/bin/podmansh podman pull ghcr.io/ublue-os/ubuntu-toolbox:latest - + systemctl --user daemon-reload systemctl --user stop podmansh.service systemctl --user start podmansh.service @@ -202,7 +205,7 @@ pytorch: --no-browser --allow-root" # Run Tensorflow -tensorflow: +tensorflow: echo 'Follow the prompts and check the tutorial: https://www.tensorflow.org/tutorials/quickstart/beginner' podman pull docker.io/tensorflow/tensorflow:latest podman run -it -p 8888:8888 docker.io/tensorflow/tensorflow:latest-jupyter # Start Jupyter server @@ -233,8 +236,7 @@ yafti: # Switch to the zsh shell zsh: - sudo usermod $USER --shell /usr/bin/zsh - printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')" + ujust chsh /usr/bin/zsh docker: sudo systemctl enable --now docker diff --git a/packages.json b/packages.json index dad9be3ef17..34bded6f424 100644 --- a/packages.json +++ b/packages.json @@ -2,6 +2,7 @@ "all": { "include": { "bluefin": [ + "chromium", "fedora-chromium-config", "fedora-chromium-config-gnome", "fedora-chromium-config-gssapi", "bash-color-prompt", "cockpit-bridge", "ddccontrol-db", 
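Review bot: Adding `#!/usr/bin/env bash` to `podmansh` makes it a shebang recipe, which just runs as a single script rather than line by line, so a failing `sudo mkdir` or `sudo cp` no longer stops the recipe before `ujust chsh /usr/bin/podmansh` switches the login shell. Put `set -euo pipefail` on the line after the shebang to restore stop-on-first-error. The `fish` and `zsh` hunks here, and the `bash` recipe added earlier in this file, all delegate to `ujust chsh`, which is not defined anywhere in this diff; confirm it exists in the base image before relying on it.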
@@ -9,6 +10,8 @@ "ddccontrol", "evtest", "fish", + "freerdp", + "gdisk", "gnome-shell-extension-appindicator", "gnome-shell-extension-blur-my-shell", "gnome-shell-extension-dash-to-dock", @@ -21,6 +24,7 @@ "libxcrypt-compat", "mesa-libGLU", "nautilus-gsconnect", + "neovim", "neovim-qt", "pulseaudio-utils", "python3-pip", "samba-dcerpc", @@ -36,7 +40,7 @@ "wireguard-tools", "xprop", "yaru-theme", - "wl-clipboard", + "wl-clipboard", "zsh" ], "bluefin-dx": [ @@ -58,7 +62,7 @@ "docker-buildx-plugin", "docker-compose-plugin", "edk2-ovmf", - "edk2-ovmf", + "gcc", "gcc-c++", "genisoimage", "google-droid-sans-mono-fonts", "google-go-mono-fonts", @@ -89,13 +93,12 @@ "qemu", "ubuntu-nerd-fonts", "ubuntumono-nerd-fonts", - "virt-manager" + "virt-manager", + "virt-viewer" ] }, "exclude": { "bluefin": [ - "firefox-langpacks", - "firefox", "gnome-extensions-app", "gnome-software-rpm-ostree", "gnome-tour", @@ -120,7 +123,6 @@ "39": { "include": { "bluefin": [ - "input-leap" ], "bluefin-dx": [], "bluefin-framework": [] diff --git a/scripts/1password.sh b/scripts/1password.sh new file mode 100755 index 00000000000..943b2f569a2 --- /dev/null +++ b/scripts/1password.sh 
@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+
+set -ouex pipefail
+
+#### Variables
+
+# Can be "beta" or "stable"
+RELEASE_CHANNEL="${ONEPASSWORD_RELEASE_CHANNEL:-stable}"
+
+# Must be over 1000
+GID_ONEPASSWORD="${GID_ONEPASSWORD:-1500}"
+
+# Must be over 1000
+GID_ONEPASSWORDCLI="${GID_ONEPASSWORDCLI:-1600}"
+
+echo "Installing 1Password"
+
+# On libostree systems, /opt is a symlink to /var/opt,
+# which actually only exists on the live system. /var is
+# a separate mutable, stateful FS that's overlaid onto
+# the ostree rootfs. Therefore we need to install it into
+# /usr/lib/1Password instead, and dynamically create a
+# symbolic link /opt/1Password => /usr/lib/1Password upon
+# boot.
+
+# Prepare staging directory
+mkdir -p /var/opt # -p just in case it exists
+# for some reason...
+
+# Setup repo
+cat << EOF > /etc/yum.repos.d/1password.repo
+[1password]
+name=1Password ${RELEASE_CHANNEL^} Channel
+baseurl=https://downloads.1password.com/linux/rpm/${RELEASE_CHANNEL}/\$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://downloads.1password.com/linux/keys/1password.asc
+EOF
+
+# Import signing key
+rpm --import https://downloads.1password.com/linux/keys/1password.asc
+
+# Now let's install the packages.
+rpm-ostree install 1password 1password-cli
+
+# Clean up the yum repo (updates are baked into new images)
+rm /etc/yum.repos.d/1password.repo -f
+
+# And then we do the hacky dance!
+mv /var/opt/1Password /usr/lib/1Password # move this over here
+
+# Create a symlink /usr/bin/1password => /opt/1Password/1password
+rm /usr/bin/1password
+ln -s /opt/1Password/1password /usr/bin/1password
+
+#####
+# The following is a bastardization of "after-install.sh"
+# which is normally packaged with 1password. You can compare with
+# /usr/lib/1Password/after-install.sh if you want to see.
+
+cd /usr/lib/1Password
+
+# chrome-sandbox requires the setuid bit to be specifically set.
+# See https://github.com/electron/electron/issues/17972 +chmod 4755 /usr/lib/1Password/chrome-sandbox + +# Normally, after-install.sh would create a group, +# "onepassword", right about now. But if we do that during +# the ostree build it'll disappear from the running system! +# I'm going to work around that by hardcoding GIDs and +# crossing my fingers that nothing else steps on them. +# These numbers _should_ be okay under normal use, but +# if there's a more specific range that I should use here +# please submit a PR! + +# Specifically, GID must be > 1000, and absolutely must not +# conflict with any real groups on the deployed system. +# Normal user group GIDs on Fedora are sequential starting +# at 1000, so let's skip ahead and set to something higher. + +HELPER_PATH="/usr/lib/1Password/1Password-KeyringHelper" +BROWSER_SUPPORT_PATH="/usr/lib/1Password/1Password-BrowserSupport" + +# Setup the Core App Integration helper binaries with the correct permissions and group +chgrp "${GID_ONEPASSWORD}" "${HELPER_PATH}" +# The binary requires setuid so it may interact with the Kernel keyring facilities +chmod u+s "${HELPER_PATH}" +chmod g+s "${HELPER_PATH}" + +# BrowserSupport binary needs setgid. This gives no extra permissions to the binary. +# It only hardens it against environmental tampering. +chgrp "${GID_ONEPASSWORD}" "${BROWSER_SUPPORT_PATH}" +chmod g+s "${BROWSER_SUPPORT_PATH}" + +# onepassword-cli also needs its own group and setgid, like the other helpers. +chgrp "${GID_ONEPASSWORDCLI}" /usr/bin/op +chmod g+s /usr/bin/op + +# Dynamically create the required groups via sysusers.d +# and set the GID based on the files we just chgrp'd +cat >/usr/lib/sysusers.d/onepassword.conf </usr/lib/sysusers.d/onepassword-cli.conf </usr/lib/tmpfiles.d/onepassword.conf < /usr/share/man/man1/bat.1.gz + +mv bat /usr/bin/bat + +#rm /usr/bin/cat +#ln /usr/bin/bat /usr/bin/cat +# +#cat --version 
diff --git a/scripts/delta.sh b/scripts/delta.sh
new file mode 100755
index 00000000000..7d7eb97cbd2
--- /dev/null
+++ b/scripts/delta.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env sh
+
+set -e
+
+echo "Installing Delta"
+
+cd "$(mktemp -d)"
+
+wget -q https://github.com/dandavison/delta/releases/download/0.15.1/delta-0.15.1-x86_64-unknown-linux-musl.tar.gz
+
+tar --strip-components=1 -xf delta-0.15.1-x86_64-unknown-linux-musl.tar.gz
+
+mkdir -p /usr/share/doc/delta-musl
+
+mv LICENSE /usr/share/doc/delta-musl/
+mv README.md /usr/share/doc/delta-musl/
+
+mv delta /usr/bin/delta
+
+delta --version
diff --git a/scripts/more.sh b/scripts/more.sh
new file mode 100755
index 00000000000..c8dbff82af5
--- /dev/null
+++ b/scripts/more.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+wget 'https://github.com/neovim/neovim/releases/download/nightly/nvim.appimage' -Lo /usr/bin/nvim.appimage
+#wget 'https://download.beeper.com/linux/appImage/x64' -Lo /usr/bin/beeper.appimage
diff --git a/scripts/pragmatapro.sh b/scripts/pragmatapro.sh
new file mode 100644
index 00000000000..f47ca609fed
--- /dev/null
+++ b/scripts/pragmatapro.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# This font is not free or open-source, so I'm hiding the script to download the zip in gh secrets.
+# Sorry... I don't want to get in trouble.
+#
+# To run this locally, you should have a /tmp/pragmatapro.zip
+
+set -euxo pipefail
+
+mkdir /usr/share/fonts/pragmatapro -p
+cd /usr/share/fonts/pragmatapro
+unzip /tmp/pragmatapro.zip
+fc-cache -f "${PWD}"
\ No newline at end of file
diff --git a/usr/etc/flatpak/user/install b/usr/etc/flatpak/user/install
index 31c93a60b86..3194475379b 100644
--- a/usr/etc/flatpak/user/install
+++ b/usr/etc/flatpak/user/install
@@ -1,4 +1,3 @@
-org.mozilla.firefox
 org.freedesktop.Platform.ffmpeg-full//22.08
 com.raggesilver.BlackBox
 org.gnome.Calculator
diff --git a/usr/lib64/firefox/distribution/policies.json b/usr/lib64/firefox/distribution/policies.json
new file mode 100644
index 00000000000..2346bb66251
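Review bot: `scripts/delta.sh` pins the release to 0.15.1 but moves whatever `wget` returned into `/usr/bin/delta` without comparing the tarball to a known digest. Record the expected SHA-256 in the script and check it before the `tar` line, for example `echo "<sha256-of-tarball>  delta-0.15.1-x86_64-unknown-linux-musl.tar.gz" | sha256sum -c -` (the digest is a placeholder). `scripts/more.sh` below has the same gap.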
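Review bot: `scripts/more.sh` downloads `nvim.appimage` from the moving `nightly` tag, so every image build can bake in a different binary that nobody reviewed. Pin a tagged release in the URL so the build is repeatable. `wget -Lo /usr/bin/nvim.appimage` also leaves the file without an executable bit, so add `chmod 0755 /usr/bin/nvim.appimage` after the download.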
--- /dev/null
+++ b/usr/lib64/firefox/distribution/policies.json
@@ -0,0 +1,13 @@
+{
+ "policies": {
+ "DisablePocket": true,
+ "FirefoxHome": {
+ "SponsoredTopSites": false,
+ "Highlights": false,
+ "Pocket": false,
+ "SponsoredPocket": false,
+ "Snippets": false,
+ "Locked": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/usr/share/ublue-os/just/00-default.just b/usr/share/ublue-os/just/00-default.just
new file mode 100644
index 00000000000..d2d2b3e6818
--- /dev/null
+++ b/usr/share/ublue-os/just/00-default.just
@@ -0,0 +1,29 @@
+# vim: set ft=make :
+
+set allow-duplicate-recipes
+set ignore-comments
+
+_default:
+ @just --unstable --list --list-heading $'Available commands:\n' --list-prefix $' - '
+
+# Boot into this device's BIOS/UEFI screen
+bios:
+ systemctl reboot --firmware-setup
+
+# Regenerate GRUB config, useful in dual-boot scenarios where a second operating system isn't listed
+regenerate-grub:
+ #!/usr/bin/env bash
+ if [ -d /sys/firmware/efi ]; then
+ sudo grub2-mkconfig -o /etc/grub2-efi.cfg
+ else
+ sudo grub2-mkconfig -o /etc/grub2.cfg
+ fi
+
+# Show the changelog
+changelogs:
+ rpm-ostree db diff --changelogs
+
+# Enroll Nvidia driver & KMOD signing key for secure boot - Enter password "ublue-os" if prompted
+enroll-secure-boot-key:
+ sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
+ echo 'Enter password "ublue-os" if prompted'
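Review bot: In `enroll-secure-boot-key` of 00-default.just, the hint `echo 'Enter password "ublue-os" if prompted'` runs only after `sudo mokutil --import ...` has already asked for the password, so the user sees it too late. Move the `echo` line above the `mokutil` line. The recipe comment could also state what enrolling means: the firmware will then trust any module signed with the matching key, which from its path and the shared password appears to be a project-wide key rather than a per-machine one.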