From 30ccd9b3af1cda7c578b78261988e999c88b122e Mon Sep 17 00:00:00 2001 From: "Jorge O. Castro" Date: Sun, 29 Oct 2023 22:36:30 -0400 Subject: [PATCH 01/23] Update pull.yml --- .github/pull.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/pull.yml b/.github/pull.yml index 75cb88407c9..28c1d64f3af 100644 --- a/.github/pull.yml +++ b/.github/pull.yml @@ -1,6 +1,12 @@ version: "1" rules: - - base: main + - base: bluefin-main upstream: ublue-os:main + mergeMethod: hardreset + mergeUnstable: false + - base: main + upstream: bluefin-main mergeMethod: merge mergeUnstable: false +label: ":arrow_heading_down: pull" +conflictLabel: "merge-conflict" From 3d5b2c89d6482da7879fb34cf1fb5445a86833f1 Mon Sep 17 00:00:00 2001 From: "Jorge O. Castro" Date: Sun, 29 Oct 2023 22:55:38 -0400 Subject: [PATCH 02/23] Update Containerfile --- Containerfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Containerfile b/Containerfile index a87758db60a..62f4929ff6f 100644 --- a/Containerfile +++ b/Containerfile @@ -26,6 +26,11 @@ RUN wget https://copr.fedorainfracloud.org/coprs/rhcontainerbot/bootc/repo/fedor RUN rpm-ostree install bootc RUN rm -f /etc/yum.repos.d/bootc-"${FEDORA_MAJOR_VERSION}".repo +## Achillobator +## Larger than Bluefin. When having an official package is preferred. + +RUN rpm-ostree install -y https://zoom.us/client/latest/zoom_x86_64.rpm + RUN /tmp/build.sh && \ pip install --prefix=/usr yafti && \ systemctl enable rpm-ostree-countme.service && \ From 4c15d07736519c0803ceadc547a366379a518865 Mon Sep 17 00:00:00 2001 From: "Jorge O. Castro" Date: Sun, 29 Oct 2023 22:56:27 -0400 Subject: [PATCH 03/23] Update build.yml --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cb73522db3c..57b316efe0d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
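Review bot: The added `RUN rpm-ostree install -y https://zoom.us/client/latest/zoom_x86_64.rpm` (PATCH 02, Containerfile) layers an unpinned `latest` RPM from a URL into the image as root, and nothing in the hunk checks a signature or digest first; as far as I know rpm-ostree does not GPG-check a package passed as a URL. The same unverified-download pattern recurs in PATCH 07: the AppImageLauncher `continuous` RPM, `1password-latest.rpm` in `scripts/1password.sh`, the delta tarball in `scripts/delta.sh`, and the `nightly` nvim AppImage in `scripts/more.sh` (PATCH 21 later moves 1Password to a repo with `gpgcheck=1`). I would fetch a versioned URL to a file, verify it with `rpm -K` against an imported vendor key or with `sha256sum -c` against a digest committed next to the Containerfile, and only then run `rpm-ostree install` on the local file. That also makes the daily scheduled build reproducible rather than dependent on whatever the vendor serves that morning.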
@@ -2,7 +2,8 @@ name: Build and Push Image
 on:
 schedule:
 - cron: '00 08 * * *' # 8:00am everyday
- merge_group:
+ push:
+ - branches: main
 pull_request:
 workflow_dispatch:
 env:
From ef6b2315eb2570e3ffeca4e3264955142f2711d8 Mon Sep 17 00:00:00 2001
From: "Jorge O. Castro"
Date: Sun, 29 Oct 2023 23:03:57 -0400
Subject: [PATCH 04/23] Update Containerfile
---
 Containerfile | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/Containerfile b/Containerfile
index 62f4929ff6f..db0d4f6fe60 100644
--- a/Containerfile
+++ b/Containerfile
@@ -31,6 +31,56 @@ RUN rm -f /etc/yum.repos.d/bootc-"${FEDORA_MAJOR_VERSION}".repo RUN rpm-ostree install -y https://zoom.us/client/latest/zoom_x86_64.rpm +RUN rpm-ostree install \ + vulkan-loader.i686 \ + alsa-lib.i686 \ + fontconfig.i686 \ + gtk2.i686 \ + libICE.i686 \ + libnsl.i686 \ + libxcrypt-compat.i686 \ + libpng12.i686 \ + libXext.i686 \ + libXinerama.i686 \ + libXtst.i686 \ + libXScrnSaver.i686 \ + NetworkManager-libnm.i686 \ + nss.i686 \ + pulseaudio-libs.i686 \ + libcurl.i686 \ + systemd-libs.i686 \ + libva.i686 \ + libvdpau.i686 \ + libdbusmenu-gtk3.i686 \ + libatomic.i686 \ + pipewire-alsa.i686 \ + clinfo && \ + sed -i '0,/enabled=0/s//enabled=1/' /etc/yum.repos.d/rpmfusion-nonfree-steam.repo && \ + sed -i '0,/enabled=1/s//enabled=0/' /etc/yum.repos.d/rpmfusion-nonfree.repo && \ + sed -i '0,/enabled=1/s//enabled=0/' /etc/yum.repos.d/rpmfusion-nonfree-updates.repo && \ + sed -i '0,/enabled=1/s//enabled=0/' /etc/yum.repos.d/fedora-updates.repo && \ + rpm-ostree install \ + steam && \ + sed -i '0,/enabled=1/s//enabled=0/' /etc/yum.repos.d/rpmfusion-nonfree-steam.repo && \ + sed -i '0,/enabled=0/s//enabled=1/' /etc/yum.repos.d/rpmfusion-nonfree.repo && \ + sed -i '0,/enabled=0/s//enabled=1/' /etc/yum.repos.d/rpmfusion-nonfree-updates.repo && \ + sed -i '0,/enabled=0/s//enabled=1/' /etc/yum.repos.d/fedora-updates.repo && \ + rpm-ostree install \ + lutris \ + wxGTK \ + libFAudio \ + wine-core \ + winetricks \ + protontricks \ + latencyflex-vulkan-layer \ + vkBasalt.x86_64 \ + vkBasalt.i686 \ + mangohud.x86_64 \ + mangohud.i686 \ + obs-vkcapture.x86_64 \ + obs-vkcapture.i686 \ + gperftools-libs.i686 \ + RUN /tmp/build.sh && \ pip install --prefix=/usr yafti && \ systemctl enable rpm-ostree-countme.service && \ From 157d8b953e73aa58a54c725091578a4940778886 Mon Sep 17 00:00:00 2001 
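Review bot: The last package line of the third `rpm-ostree install` ends in a line continuation (`gperftools-libs.i686 \`) with only an empty added line before the existing `RUN /tmp/build.sh && \`, so, as far as this collapsed view shows, the builder will most likely fold that `RUN` line into the package list instead of starting a new instruction. Drop the trailing backslash so the line reads `gperftools-libs.i686`. The `sed` toggles also deserve a one-line comment stating the intent, for example `# install steam with only the steam repo enabled, then restore the other repos`, if that is what is meant; if any command in the chain fails, the build stops with the repo files still toggled, which is harmless only because the layer is discarded.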
From: "Jorge O. Castro"
Date: Sun, 29 Oct 2023 23:08:01 -0400
Subject: [PATCH 05/23] Update build.yml
---
 .github/workflows/build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 57b316efe0d..beb9622a09d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,7 +3,8 @@ on:
 schedule:
 - cron: '00 08 * * *' # 8:00am everyday
 push:
- - branches: main
+ - branches:
+ - main
 pull_request:
 workflow_dispatch:
 env:
From 50213e85c2cab1100935ec41e9ea118df04afd73 Mon Sep 17 00:00:00 2001
From: "Jorge O. Castro"
Date: Sun, 29 Oct 2023 23:09:08 -0400
Subject: [PATCH 06/23] Update build.yml
---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index beb9622a09d..50cbea2a49f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,8 +3,8 @@ on:
 schedule:
 - cron: '00 08 * * *' # 8:00am everyday
 push:
- - branches:
- - main
+ branches:
+ - main
 pull_request:
 workflow_dispatch:
 env:
From 4a028148da81dd652576c5cb4e3b07805d7312b7 Mon Sep 17 00:00:00 2001
From: bri <284789+b-@users.noreply.github.com> Date: Fri, 20 Oct 2023 20:11:11 -0400 Subject: [PATCH 07/23] manual merge :( --- Containerfile | 22 ++++ README.md | 12 ++- cosign.pub | 4 +- just/custom.just | 18 ++-- packages.json | 11 +- scripts/1password.sh | 106 +++++++++++++++++++ scripts/bat.sh | 35 ++++++ scripts/delta.sh | 20 ++++ scripts/more.sh | 4 + usr/etc/flatpak/user/install | 1 - usr/lib64/firefox/distribution/policies.json | 13 +++ usr/share/ublue-os/just/00-default.just | 29 +++++ 12 files changed, 254 insertions(+), 21 deletions(-) create mode 100755 scripts/1password.sh create mode 100755 scripts/bat.sh create mode 100755 scripts/delta.sh create mode 100755 scripts/more.sh create mode 100644 usr/lib64/firefox/distribution/policies.json create mode 100644 usr/share/ublue-os/just/00-default.just diff --git a/Containerfile b/Containerfile index b37891b0d37..f92779035aa 100644 --- a/Containerfile +++ b/Containerfile @@ -162,6 +162,28 @@ RUN systemctl enable podman.socket && \ RUN /tmp/workarounds.sh +### BEGIN bri +# Add custom scripts +ADD --chmod=0755 scripts/* /tmp/ + +### add bat +RUN /tmp/bat.sh + +### add delta +RUN /tmp/delta.sh + +### add 1password +RUN /tmp/1password.sh + +### add appimagelauncher +RUN rpm-ostree install "https://github.com/TheAssassin/AppImageLauncher/releases/download/continuous/appimagelauncher-2.2.0-gha111.d9d4c73.x86_64.rpm" + +### more +RUN /tmp/more.sh + +### END bri + + # Clean up repos, everything is on the image so we don't need them RUN rm -f /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo && \ rm -f /etc/yum.repos.d/ganto-lxc4-fedora-"${FEDORA_MAJOR_VERSION}".repo && \ diff --git a/README.md b/README.md index d298abca90b..f21350ee9f7 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,12 @@ -# bluefin +# bri's bluefin spin -**This image is considered Beta** +**a personal fork of Universal Blue's Bluefin{,-DX} spin on Fedora Sivlerblue** -## [Download the test ISO](https://github.com/ublue-os/bluefin/releases/) -## [projectbluefin.io](https://projectbluefin.io) -## [Announcement Blog Post](https://www.ypsidanger.com/announcing-project-bluefin/) +==== BASE ==== +[![Bluefin Build](https://github.com/ublue-os/bluefin/actions/workflows/build.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build.yml) + +[![Ubuntu Toolbox Build](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml) +==== BASE ==== A familiar(ish) Ubuntu desktop for Fedora Silverblue. It strives to cover these three use cases: - For end users it provides a system as reliable as a Chromebook with near-zero maintainance, with the power of Ubuntu and Fedora fused together diff --git a/cosign.pub b/cosign.pub index f9482c42af9..e796445cef4 100644 --- a/cosign.pub +++ b/cosign.pub @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA -cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErkV7sE8v9DtKVnsPba9SNdzR05D5 +VJFVzOLPU7XV3RpmPXu0ICCP5YCf76NKmghoQLGTnNyOtWLoZI0/K6cPhA== -----END PUBLIC KEY----- diff --git a/just/custom.just b/just/custom.just index a2f30dd4ec5..7c868a3b27f 100644 --- a/just/custom.just +++ b/just/custom.just @@ -23,6 +23,10 @@ aqua: printf '\n export PATH="${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH"\n' printf '\n=> see https://aquaproj.github.io/docs/tutorial for more info\n' +# Set shell (back) to bash +bash: + ujust chsh /bin/bash + # Install Homebrew for Linux brew: echo "Installing homebrew ..." 
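Review bot: The replacement of the public key in `cosign.pub` is not mentioned anywhere in this commit, whose subject is only `manual merge :(`. That file is the trust anchor anyone uses to verify images built from this repository, so a key change buried among twelve other files is easy to miss in review. I would move it to its own commit whose message says where the new key pair was generated and which secret holds the private half, as PATCH 15 later does for the second rotation.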
@@ -118,8 +122,7 @@ distrobox-universal: # Switch to the fish shell fish: - sudo usermod $USER --shell /usr/bin/fish - printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')" + ujust chsh /usr/bin/fish # Install recommended GNOME extensions gnome-extensions: @@ -170,12 +173,12 @@ nix-devbox-global: # Enable podmansh as user shell (EXPERIMENTAL) podmansh: + #!/usr/bin/env bash sudo mkdir -p /etc/containers/systemd/users/${UID} sudo cp /usr/share/ublue-os/quadlets/podmansh.container /etc/containers/systemd/users/${UID}/podmansh.container - sudo usermod $USER --shell /usr/bin/podmansh - printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')" + ujust chsh /usr/bin/podmansh podman pull ghcr.io/ublue-os/ubuntu-toolbox:latest - + systemctl --user daemon-reload systemctl --user stop podmansh.service systemctl --user start podmansh.service @@ -202,7 +205,7 @@ pytorch: --no-browser --allow-root" # Run Tensorflow -tensorflow: +tensorflow: echo 'Follow the prompts and check the tutorial: https://www.tensorflow.org/tutorials/quickstart/beginner' podman pull docker.io/tensorflow/tensorflow:latest podman run -it -p 8888:8888 docker.io/tensorflow/tensorflow:latest-jupyter # Start Jupyter server @@ -233,8 +236,7 @@ yafti: # Switch to the zsh shell zsh: - sudo usermod $USER --shell /usr/bin/zsh - printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')" + ujust chsh /usr/bin/zsh docker: sudo systemctl enable --now docker diff --git a/packages.json b/packages.json index dad9be3ef17..e2fc9cbdf97 100644 --- a/packages.json +++ b/packages.json @@ -2,6 +2,7 @@ "all": { "include": { "bluefin": [ + "chromium", "fedora-chromium-config", "fedora-chromium-config-gnome", "fedora-chromium-config-gssapi", "bash-color-prompt", "cockpit-bridge", "ddccontrol-db", 
@@ -9,6 +10,7 @@ "ddccontrol", "evtest", "fish", + "freerdp", "gnome-shell-extension-appindicator", "gnome-shell-extension-blur-my-shell", "gnome-shell-extension-dash-to-dock", @@ -36,7 +38,7 @@ "wireguard-tools", "xprop", "yaru-theme", - "wl-clipboard", + "wl-clipboard", "zsh" ], "bluefin-dx": [ @@ -89,13 +91,12 @@ "qemu", "ubuntu-nerd-fonts", "ubuntumono-nerd-fonts", - "virt-manager" + "virt-manager", + "virt-viewer" ] }, "exclude": { "bluefin": [ - "firefox-langpacks", - "firefox", "gnome-extensions-app", "gnome-software-rpm-ostree", "gnome-tour", @@ -120,7 +121,7 @@ "39": { "include": { "bluefin": [ - "input-leap" + "input-leap" ], "bluefin-dx": [], "bluefin-framework": [] diff --git a/scripts/1password.sh b/scripts/1password.sh new file mode 100755 index 00000000000..1e418f8b426 --- /dev/null +++ b/scripts/1password.sh 
@@ -0,0 +1,106 @@ +#!/usr/bin/env sh + +set -e + +echo "Installing 1Password" + +# On libostree systems, /opt is a symlink to /var/opt, +# which actually only exists on the live system. /var is +# a separate mutable, stateful FS that's overlaid onto +# the ostree rootfs. Therefore we need to install it into +# /usr/lib/1Password instead, and dynamically create a +# symbolic link /opt/1Password => /usr/lib/1Password upon +# boot. + +ONEPASSWORD_RPM='https://downloads.1password.com/linux/rpm/beta/x86_64/1password-latest.rpm' + +# Prepare staging directory +mkdir -p /var/opt # -p just in case it exists +# for some reason... + +# Now let's install the package. +rpm-ostree install "${ONEPASSWORD_RPM}" + +# Clean up the yum repo (updates are baked into new images) +rm /etc/yum.repos.d/1password.repo -f + +# And then we do the hacky dance! +mv /var/opt/1Password /usr/lib/1Password # move this over here + +# Create a symlink /usr/bin/1password => /opt/1Password/1password +rm /usr/bin/1password +ln -s /opt/1Password/1password /usr/bin/1password + +##### +# The following is a bastardization of "after-install.sh" +# which is normally packaged with 1password. You can compare with +# /usr/lib/1Password/after-install.sh if you want to see. + +cd /usr/lib/1Password + +# chrome-sandbox requires the setuid bit to be specifically set. +# See https://github.com/electron/electron/issues/17972 +chmod 4755 /usr/lib/1Password/chrome-sandbox + +# Normally, after-install.sh would create a group, +# "onepassword", right about now. But if we do that during +# the ostree build it'll disappear from the running system! +# I'm going to work around that by hardcoding GIDs and +# crossing my fingers that nothing else steps on them. +# These numbers _should_ be okay under normal use, but +# if there's a more specific range that I should use here +# please submit a PR! + +# Specifically, GID must be > 1000, and absolutely must not +# conflict with any real groups on the deployed system. 
+# Normal user group GIDs on Fedora are sequential starting +# at 1000, so let's skip ahead and set to something higher. +GID_ONEPASSWORD="1500" +GID_ONEPASSWORDCLI="1600" + +HELPER_PATH="/usr/lib/1Password/1Password-KeyringHelper" +BROWSER_SUPPORT_PATH="/usr/lib/1Password/1Password-BrowserSupport" + +# Setup the Core App Integration helper binaries with the correct permissions and group +chgrp "${GID_ONEPASSWORD}" "${HELPER_PATH}" +# The binary requires setuid so it may interact with the Kernel keyring facilities +chmod u+s "${HELPER_PATH}" +chmod g+s "${HELPER_PATH}" + +# BrowserSupport binary needs setgid. This gives no extra permissions to the binary. +# It only hardens it against environmental tampering. +chgrp "${GID_ONEPASSWORD}" "${BROWSER_SUPPORT_PATH}" +chmod g+s "${BROWSER_SUPPORT_PATH}" + +# Dynamically create the required group via sysusers.d +# and set the GID based on the files we just chgrp'd +cat >/usr/lib/sysusers.d/onepassword.conf </usr/lib/tmpfiles.d/onepassword.conf </usr/lib/sysusers.d/onepassword.conf < /usr/share/man/man1/bat.1.gz + +mv bat /usr/bin/bat + +#rm /usr/bin/cat +#ln /usr/bin/bat /usr/bin/cat +# +#cat --version diff --git a/scripts/delta.sh b/scripts/delta.sh new file mode 100755 index 00000000000..7d7eb97cbd2 --- /dev/null +++ b/scripts/delta.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env sh + +set -e + +echo "Installing Delta" + +cd "$(mktemp -d)" + +wget -q https://github.com/dandavison/delta/releases/download/0.15.1/delta-0.15.1-x86_64-unknown-linux-musl.tar.gz + +tar --strip-components=1 -xf delta-0.15.1-x86_64-unknown-linux-musl.tar.gz + +mkdir -p /usr/share/doc/delta-musl + +mv LICENSE /usr/share/doc/delta-musl/ +mv README.md /usr/share/doc/delta-musl/ + +mv delta /usr/bin/delta + +delta --version diff --git a/scripts/more.sh b/scripts/more.sh new file mode 100755 index 00000000000..c8dbff82af5 --- /dev/null +++ b/scripts/more.sh 
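Review bot: `chgrp "${GID_ONEPASSWORD}" "${HELPER_PATH}"` followed by `chmod u+s` and `chmod g+s` binds setuid/setgid helpers to the bare number 1500, and nothing in `scripts/1password.sh` checks that this number is unused on the machine the image is later deployed to. If a group with that GID already exists there (sequentially allocated local groups, or a directory-service range), its members become the group owner of these helpers; the script's own comment concedes the risk. The heredoc bodies for `sysusers.d`/`tmpfiles.d` are not visible in this view, so I cannot tell how a collision is handled at boot. At minimum add a comment such as `# GIDs 1500/1600 are reserved by this image; a pre-existing group with either GID must be renumbered before rebasing`, and consider a boot-time check that logs an error when the GID is already taken by another name. PATCH 21 adds `chgrp "${GID_ONEPASSWORDCLI}" /usr/bin/op` with the same exposure.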
@@ -0,0 +1,4 @@ +#!/bin/bash + +wget 'https://github.com/neovim/neovim/releases/download/nightly/nvim.appimage' -Lo /usr/bin/nvim.appimage +#wget 'https://download.beeper.com/linux/appImage/x64' -Lo /usr/bin/beeper.appimage diff --git a/usr/etc/flatpak/user/install b/usr/etc/flatpak/user/install index 31c93a60b86..3194475379b 100644 --- a/usr/etc/flatpak/user/install +++ b/usr/etc/flatpak/user/install @@ -1,4 +1,3 @@ -org.mozilla.firefox org.freedesktop.Platform.ffmpeg-full//22.08 com.raggesilver.BlackBox org.gnome.Calculator diff --git a/usr/lib64/firefox/distribution/policies.json b/usr/lib64/firefox/distribution/policies.json new file mode 100644 index 00000000000..2346bb66251 --- /dev/null +++ b/usr/lib64/firefox/distribution/policies.json @@ -0,0 +1,13 @@ +{ + "policies": { + "DisablePocket": true, + "FirefoxHome": { + "SponsoredTopSites": false, + "Highlights": false, + "Pocket": false, + "SponsoredPocket": false, + "Snippets": false, + "Locked": false + } + } +} \ No newline at end of file diff --git a/usr/share/ublue-os/just/00-default.just b/usr/share/ublue-os/just/00-default.just new file mode 100644 index 00000000000..d2d2b3e6818 --- /dev/null +++ b/usr/share/ublue-os/just/00-default.just 
@@ -0,0 +1,29 @@ +# vim: set ft=make : + +set allow-duplicate-recipes +set ignore-comments + +_default: + @just --unstable --list --list-heading $'Available commands:\n' --list-prefix $' - ' + +# Boot into this device's BIOS/UEFI screen +bios: + systemctl reboot --firmware-setup + +# Regenerate GRUB config, useful in dual-boot scenarios where a second operating system isn't listed +regenerate-grub: + #!/usr/bin/env bash + if [ -d /sys/firmware/efi ]; then + sudo grub2-mkconfig -o /etc/grub2-efi.cfg + else + sudo grub2-mkconfig -o /etc/grub2.cfg + fi + +# Show the changelog +changelogs: + rpm-ostree db diff --changelogs + +# Enroll Nvidia driver & KMOD signing key for secure boot - Enter password "ublue-os" if prompted +enroll-secure-boot-key: + sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der + echo 'Enter password "ublue-os" if prompted' From 9ce732f0f9847297fad74bd616cd74bea7b8c8b7 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Fri, 20 Oct 2023 21:31:16 -0400 Subject: [PATCH 08/23] fix: add gcc, remove duplicate edk2-ovmf, remove input-leap --- packages.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packages.json b/packages.json index e2fc9cbdf97..e49e015de3c 100644 --- a/packages.json +++ b/packages.json @@ -60,7 +60,7 @@ "docker-buildx-plugin", "docker-compose-plugin", "edk2-ovmf", - "edk2-ovmf", + "gcc", "genisoimage", "google-droid-sans-mono-fonts", "google-go-mono-fonts", @@ -121,7 +121,6 @@ "39": { "include": { "bluefin": [ - "input-leap" ], "bluefin-dx": [], "bluefin-framework": [] From 09fb75b4304456e1e1b0d43f031948716d98c0b1 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Fri, 20 Oct 2023 21:33:55 -0400 Subject: [PATCH 09/23] add neovim, neovim-qt --- Containerfile | 4 ++-- packages.json | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Containerfile b/Containerfile index f92779035aa..3419607007d 100644 --- a/Containerfile 
+++ b/Containerfile @@ -112,7 +112,7 @@ COPY workarounds.sh \ packages.json \ build.sh \ image-info.sh \ - /tmp + /tmp/ # Apply IP Forwarding before installing Docker to prevent messing with LXC networking RUN sysctl -p @@ -152,7 +152,7 @@ RUN rpm-ostree install $(curl https://api.github.com/repos/charmbracelet/vhs/rel wget https://github.com/tsl0922/ttyd/releases/latest/download/ttyd.x86_64 -O /tmp/ttyd && \ install -c -m 0755 /tmp/ttyd /usr/bin/ttyd -# Install Charm gum +# Install Charm gum RUN rpm-ostree install $(curl https://api.github.com/repos/charmbracelet/gum/releases/latest | jq -r '.assets[] | select(.name| test(".*.x86_64.rpm$")).browser_download_url') # Set up services diff --git a/packages.json b/packages.json index e49e015de3c..c7126db8fc2 100644 --- a/packages.json +++ b/packages.json @@ -23,6 +23,7 @@ "libxcrypt-compat", "mesa-libGLU", "nautilus-gsconnect", + "neovim", "neovim-qt", "pulseaudio-utils", "python3-pip", "samba-dcerpc", From 383b6c6fcb3124e3ee56fcddc18ea6a181c283c1 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Fri, 20 Oct 2023 21:40:44 -0400 Subject: [PATCH 10/23] Update build.yml --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9d12f74db2f..c4ffde0b9e2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,6 +11,7 @@ on: paths-ignore: - '**.md' workflow_dispatch: + push: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} From b5ba88e6caf987c21ded07cb598e4d88212b3dd2 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Fri, 20 Oct 2023 22:05:15 -0400 Subject: [PATCH 11/23] feat: add gdisk (required for bootc install) --- packages.json | 1 + 1 file changed, 1 insertion(+) diff --git a/packages.json b/packages.json index c7126db8fc2..d36df56b875 100644 --- a/packages.json +++ b/packages.json 
@@ -11,6 +11,7 @@ "evtest", "fish", "freerdp", + "gdisk", "gnome-shell-extension-appindicator", "gnome-shell-extension-blur-my-shell", "gnome-shell-extension-dash-to-dock", From 58606414fa00c65f68627d4ebb4d19a7993de974 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Fri, 20 Oct 2023 23:38:54 -0400 Subject: [PATCH 12/23] feat: add gcc-g++ --- packages.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages.json b/packages.json index d36df56b875..34bded6f424 100644 --- a/packages.json +++ b/packages.json @@ -62,7 +62,7 @@ "docker-buildx-plugin", "docker-compose-plugin", "edk2-ovmf", - "gcc", + "gcc", "gcc-c++", "genisoimage", "google-droid-sans-mono-fonts", "google-go-mono-fonts", From 6dae5244d98bbf0197864094e978ffea4342b9f2 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Tue, 24 Oct 2023 02:19:31 -0400 Subject: [PATCH 13/23] fix(1password): sysusers.d units --- scripts/1password.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/1password.sh b/scripts/1password.sh index 1e418f8b426..c01f0da1ddd 100755 --- a/scripts/1password.sh +++ b/scripts/1password.sh @@ -75,8 +75,11 @@ chmod g+s "${BROWSER_SUPPORT_PATH}" # Dynamically create the required group via sysusers.d # and set the GID based on the files we just chgrp'd cat >/usr/lib/sysusers.d/onepassword.conf </usr/lib/sysusers.d/onepassword.conf </usr/lib/sysusers.d/onepassword-cli.conf < Date: Tue, 24 Oct 2023 03:24:18 -0400 Subject: [PATCH 14/23] fix(1password): round 2, fix gid via explicit declaration for some reason, it seems that in systemd-sysusers.d, specifying a GID based on a file path (to get the GID from the file) is broken? --- scripts/1password.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/1password.sh b/scripts/1password.sh index c01f0da1ddd..81864cc5423 100755 --- a/scripts/1password.sh +++ b/scripts/1password.sh 
@@ -75,7 +75,7 @@ chmod g+s "${BROWSER_SUPPORT_PATH}" # Dynamically create the required group via sysusers.d # and set the GID based on the files we just chgrp'd cat >/usr/lib/sysusers.d/onepassword.conf </usr/lib/sysusers.d/onepassword-cli.conf < Date: Tue, 24 Oct 2023 19:14:21 -0400 Subject: [PATCH 15/23] chore(cosign): Rotate signing secrets Migrate to repository-scoped SIGNING_SECRET --- cosign.pub | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cosign.pub b/cosign.pub index e796445cef4..eb884d96c8a 100644 --- a/cosign.pub +++ b/cosign.pub @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErkV7sE8v9DtKVnsPba9SNdzR05D5 -VJFVzOLPU7XV3RpmPXu0ICCP5YCf76NKmghoQLGTnNyOtWLoZI0/K6cPhA== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz+XNZtY2K17rapUcSQ5+rwxKOr/D +AWE55K7g0eWAXQcJLKYF0v6jtcyyQc4iSFxDAcxACo4eUyzLSr8RUq93hg== -----END PUBLIC KEY----- From 37a9c00552e22ae9a3660f723633d039b2a73284 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Tue, 24 Oct 2023 21:02:21 -0400 Subject: [PATCH 16/23] feat(1password): add from bling --- Containerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Containerfile b/Containerfile index 3419607007d..7a56e6c2c86 100644 --- a/Containerfile +++ b/Containerfile @@ -173,7 +173,9 @@ RUN /tmp/bat.sh RUN /tmp/delta.sh ### add 1password -RUN /tmp/1password.sh +COPY --from=ghcr.io/briorg/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh +RUN chmod +x /tmp/1password.sh && \ + /tmp/1password.sh ### add appimagelauncher RUN rpm-ostree install "https://github.com/TheAssassin/AppImageLauncher/releases/download/continuous/appimagelauncher-2.2.0-gha111.d9d4c73.x86_64.rpm" From 4f4074f440405952bbeb4d9e95d34076c437c6df Mon Sep 17 00:00:00 2001 
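Review bot: `COPY --from=ghcr.io/briorg/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh` (PATCH 16) takes an installer from a mutable tag and the next instruction runs it as root during the build, so whoever can push that tag decides what executes here. Pin the source by digest, for example `COPY --from=ghcr.io/briorg/bling@sha256:DIGEST_OF_REVIEWED_IMAGE ...` (placeholder digest), and bump it deliberately after reading the script. Verifying that image's signature in the workflow before the build step would add a second, independent check. PATCH 23 switches the source to `ghcr.io/ublue-os/bling:latest` and carries the same issue.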
From: bri <284789+b-@users.noreply.github.com> Date: Tue, 24 Oct 2023 21:31:20 -0400 Subject: [PATCH 17/23] feat(1password):specify release_channel & gids --- Containerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Containerfile b/Containerfile index 7a56e6c2c86..500db9eeb46 100644 --- a/Containerfile +++ b/Containerfile @@ -175,7 +175,10 @@ RUN /tmp/delta.sh ### add 1password COPY --from=ghcr.io/briorg/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh RUN chmod +x /tmp/1password.sh && \ - /tmp/1password.sh + ONEPASSWORD_RELEASE_CHANNEL=beta \ + GID_ONEPASSWORD=1500 \ + GID_ONEPASSWORDCLI=1600 \ + /tmp/1password.sh ### add appimagelauncher RUN rpm-ostree install "https://github.com/TheAssassin/AppImageLauncher/releases/download/continuous/appimagelauncher-2.2.0-gha111.d9d4c73.x86_64.rpm" From d52a41b2ae4d46a05337729638bfa59d620cdca9 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Sun, 29 Oct 2023 14:44:14 -0400 Subject: [PATCH 18/23] update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f21350ee9f7..10ea80598ca 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # bri's bluefin spin -**a personal fork of Universal Blue's Bluefin{,-DX} spin on Fedora Sivlerblue** +**a personal fork of Universal Blue's Bluefin{,-DX} spin on Fedora Silverblue** ==== BASE ==== [![Bluefin Build](https://github.com/ublue-os/bluefin/actions/workflows/build.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build.yml) From 9b42bc726f0cce70778f33a91a8a1761eb8d762c Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Sun, 29 Oct 2023 15:35:19 -0400 Subject: [PATCH 19/23] feat: add pragmata pro font --- .github/workflows/build.yml | 7 +++++++ scripts/pragmatapro.sh | 12 ++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 scripts/pragmatapro.sh 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c4ffde0b9e2..9cf6e6791a0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -126,6 +126,13 @@ jobs: io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/bluefin/README.md io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4 + - name: Get Pragmata Pro zip file + run: | + curl "$(curl -q \ + 'https://ckdatabasews.icloud.com/database/1/com.apple.cloudkit/production/public/records/resolve' \ + --data-raw '{"shortGUIDs":[{"value":"${{ secrets.PRAGMATAPRO_ICLOUD_ID }}"}]}' --compressed | \ + jq -r '.results[0].rootRecord.fields.fileContent.value.downloadURL')" -L > /tmp/pragmatapro.zip + # Build image using Buildah action - name: Build Image id: build_image diff --git a/scripts/pragmatapro.sh b/scripts/pragmatapro.sh new file mode 100644 index 00000000000..f47ca609fed --- /dev/null +++ b/scripts/pragmatapro.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# This font is not free or open-source, so I'm hiding the script to download the zip in gh secrets. +# Sorry... I don't want to get in trouble. +# +# To run this locally, you should have a /tmp/pragmatapro.zip + +set -euxo pipefail + +mkdir /usr/share/fonts/pragmatapro -p +cd /usr/share/fonts/pragmatapro +unzip /tmp/pragmatapro.zip +fc-cache -f "${PWD}" \ No newline at end of file From 233739c081c7b3535c0e78f5231dd235a8c2a1df Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Sun, 29 Oct 2023 23:25:32 -0400 Subject: [PATCH 20/23] switch to live --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9cf6e6791a0..cbeb32ff4d6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
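Review bot: The new `Get Pragmata Pro zip file` step expands `${{ secrets.PRAGMATAPRO_ICLOUD_ID }}` directly inside the `run:` script text, so the secret's value becomes part of the shell source and of a hand-built JSON string; passing it through `env:` and building the body with `jq --arg` keeps it out of both. Neither `curl` call uses `--fail` and the `jq` call does not fail on a missing field, so an HTTP error page or the literal `null` can end up as the download target or as `/tmp/pragmatapro.zip` without the step failing at the point of error. The workflow also runs on `pull_request`, where runs from forks receive no secrets, so the step should fail clearly or be skipped there. A sketch of the step with those three changes follows.
```yaml
      - name: Get Pragmata Pro zip file
        env:
          PRAGMATAPRO_ICLOUD_ID: ${{ secrets.PRAGMATAPRO_ICLOUD_ID }}
        run: |
          set -euo pipefail
          body="$(jq -n --arg id "$PRAGMATAPRO_ICLOUD_ID" '{shortGUIDs: [{value: $id}]}')"
          url="$(curl --fail --silent --show-error \
            'https://ckdatabasews.icloud.com/database/1/com.apple.cloudkit/production/public/records/resolve' \
            --data-raw "$body" --compressed |
            jq -er '.results[0].rootRecord.fields.fileContent.value.downloadURL')"
          curl --fail --silent --show-error --location --output /tmp/pragmatapro.zip "$url"
```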
@@ -4,10 +4,10 @@ on: - cron: '00 08 * * *' # 8:00am everyday push: branches: - - main + - live pull_request: branches: - - main + - live paths-ignore: - '**.md' workflow_dispatch: From c62c30a04d42fd959ea770722c6b51216b4ec45b Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Sun, 29 Oct 2023 23:32:30 -0400 Subject: [PATCH 21/23] feat(1password): update local copy of script --- Containerfile | 2 +- scripts/1password.sh | 75 +++++++++++++++++++++++++------------------- 2 files changed, 43 insertions(+), 34 deletions(-) diff --git a/Containerfile b/Containerfile index 500db9eeb46..d47e011624d 100644 --- a/Containerfile +++ b/Containerfile @@ -173,7 +173,7 @@ RUN /tmp/bat.sh RUN /tmp/delta.sh ### add 1password -COPY --from=ghcr.io/briorg/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh +#COPY --from=ghcr.io/briorg/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh RUN chmod +x /tmp/1password.sh && \ ONEPASSWORD_RELEASE_CHANNEL=beta \ GID_ONEPASSWORD=1500 \ diff --git a/scripts/1password.sh b/scripts/1password.sh index 81864cc5423..943b2f569a2 100755 --- a/scripts/1password.sh +++ b/scripts/1password.sh @@ -1,6 +1,17 @@ -#!/usr/bin/env sh +#!/usr/bin/env bash -set -e +set -ouex pipefail + +#### Variables + +# Can be "beta" or "stable" +RELEASE_CHANNEL="${ONEPASSWORD_RELEASE_CHANNEL:-stable}" + +# Must be over 1000 +GID_ONEPASSWORD="${GID_ONEPASSWORD:-1500}" + +# Must be over 1000 +GID_ONEPASSWORDCLI="${GID_ONEPASSWORDCLI:-1600}" echo "Installing 1Password" 
@@ -12,14 +23,26 @@ echo "Installing 1Password" # symbolic link /opt/1Password => /usr/lib/1Password upon # boot. -ONEPASSWORD_RPM='https://downloads.1password.com/linux/rpm/beta/x86_64/1password-latest.rpm' - # Prepare staging directory mkdir -p /var/opt # -p just in case it exists # for some reason... -# Now let's install the package. -rpm-ostree install "${ONEPASSWORD_RPM}" +# Setup repo +cat << EOF > /etc/yum.repos.d/1password.repo +[1password] +name=1Password ${RELEASE_CHANNEL^} Channel +baseurl=https://downloads.1password.com/linux/rpm/${RELEASE_CHANNEL}/\$basearch +enabled=1 +gpgcheck=1 +repo_gpgcheck=1 +gpgkey=https://downloads.1password.com/linux/keys/1password.asc +EOF + +# Import signing key +rpm --import https://downloads.1password.com/linux/keys/1password.asc + +# Now let's install the packages. +rpm-ostree install 1password 1password-cli # Clean up the yum repo (updates are baked into new images) rm /etc/yum.repos.d/1password.repo -f @@ -55,8 +78,6 @@ chmod 4755 /usr/lib/1Password/chrome-sandbox # conflict with any real groups on the deployed system. # Normal user group GIDs on Fedora are sequential starting # at 1000, so let's skip ahead and set to something higher. -GID_ONEPASSWORD="1500" -GID_ONEPASSWORDCLI="1600" HELPER_PATH="/usr/lib/1Password/1Password-KeyringHelper" BROWSER_SUPPORT_PATH="/usr/lib/1Password/1Password-BrowserSupport" 
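Review bot: The key that `gpgcheck=1` and `repo_gpgcheck=1` rely on is fetched at build time from the same host as the packages (`gpgkey=https://downloads.1password.com/linux/keys/1password.asc`, plus `rpm --import` of the same URL), so the signature check only proves the packages match whatever key that host served during this build. Committing the vendor key to the repository and importing the local copy, or comparing the downloaded key's fingerprint with a pinned value before `rpm --import`, anchors the trust outside the download host. A comment next to the import such as `# expected key fingerprint: FINGERPRINT_FROM_VENDOR_DOCS` (placeholder) would record what was reviewed. The `rm /etc/yum.repos.d/1password.repo -f` cleanup afterwards is fine as long as the imported key is meant to stay in the image's rpm keyring.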
@@ -72,38 +93,26 @@ chmod g+s "${HELPER_PATH}" chgrp "${GID_ONEPASSWORD}" "${BROWSER_SUPPORT_PATH}" chmod g+s "${BROWSER_SUPPORT_PATH}" -# Dynamically create the required group via sysusers.d +# onepassword-cli also needs its own group and setgid, like the other helpers. +chgrp "${GID_ONEPASSWORDCLI}" /usr/bin/op +chmod g+s /usr/bin/op + +# Dynamically create the required groups via sysusers.d # and set the GID based on the files we just chgrp'd cat >/usr/lib/sysusers.d/onepassword.conf </usr/lib/sysusers.d/onepassword-cli.conf </usr/lib/tmpfiles.d/onepassword.conf </usr/lib/sysusers.d/onepassword-cli.conf < Date: Sun, 29 Oct 2023 23:35:33 -0400 Subject: [PATCH 22/23] fix(build action): remove duplicate `push:` --- .github/workflows/build.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cbeb32ff4d6..c9c5d6b3cc8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,7 +3,7 @@ on: schedule: - cron: '00 08 * * *' # 8:00am everyday push: - branches: + branches: - live pull_request: branches: @@ -11,7 +11,6 @@ on: paths-ignore: - '**.md' workflow_dispatch: - push: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} From f125881ba5d98d76f9b0fc36bdcd358d9e8584c6 Mon Sep 17 00:00:00 2001 From: bri <284789+b-@users.noreply.github.com> Date: Mon, 30 Oct 2023 16:30:02 -0400 Subject: [PATCH 23/23] chore(1password): switch to pulling the script from Bling --- Containerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Containerfile b/Containerfile index d47e011624d..bf02f741bcd 100644 --- a/Containerfile +++ b/Containerfile 
@@ -173,7 +173,7 @@ RUN /tmp/bat.sh RUN /tmp/delta.sh ### add 1password -#COPY --from=ghcr.io/briorg/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh +COPY --from=ghcr.io/ublue-os/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh RUN chmod +x /tmp/1password.sh && \ ONEPASSWORD_RELEASE_CHANNEL=beta \ GID_ONEPASSWORD=1500 \