chore(1password): switch to pulling the script from Bling

.github/pull.yml

@@ -1,6 +1,12 @@
 version: "1"
 rules:
-  - base: main
+  - base: bluefin-main
     upstream: ublue-os:main
+    mergeMethod: hardreset
+    mergeUnstable: false
+  - base: main
+    upstream: bluefin-main
     mergeMethod: merge
     mergeUnstable: false
+label: ":arrow_heading_down: pull"
+conflictLabel: "merge-conflict"

.github/workflows/build.yml

@@ -1,11 +1,13 @@
 name: Build and Push Image
 on:
   schedule:
-    - cron: '15 09 * * *'  # 9:15am everyday
-  merge_group:
+    - cron: '00 08 * * *'  # 8:00am everyday
+  push:
+    branches:
+      - live
   pull_request:
     branches:
-      - main
+      - live
     paths-ignore:
       - '**.md'
   workflow_dispatch:
@@ -123,6 +125,13 @@ jobs:
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/bluefin/bluefin/README.md
             io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
 
+      - name: Get Pragmata Pro zip file
+        run: |
+          curl "$(curl -q \
+          'https://ckdatabasews.icloud.com/database/1/com.apple.cloudkit/production/public/records/resolve' \
+            --data-raw '{"shortGUIDs":[{"value":"${{ secrets.PRAGMATAPRO_ICLOUD_ID }}"}]}' --compressed | \
+              jq -r '.results[0].rootRecord.fields.fileContent.value.downloadURL')" -L > /tmp/pragmatapro.zip
+
       # Build image using Buildah action
       - name: Build Image
         id: build_image

Containerfile

@@ -31,6 +31,7 @@ COPY just /tmp/just
 COPY etc/yum.repos.d/ /etc/yum.repos.d/
 COPY packages.json /tmp/packages.json
 COPY build.sh /tmp/build.sh
+
 COPY image-info.sh /tmp/image-info.sh
 # Copy ublue-update.toml to tmp first, to avoid being overwritten.
 COPY usr/etc/ublue-update/ublue-update.toml /tmp/ublue-update.toml
@@ -111,7 +112,7 @@ COPY workarounds.sh \
      packages.json \
      build.sh \
      image-info.sh \
-    /tmp
+    /tmp/
 
 # Apply IP Forwarding before installing Docker to prevent messing with LXC networking
 RUN sysctl -p
@@ -151,7 +152,7 @@ RUN rpm-ostree install $(curl https://api.github.com/repos/charmbracelet/vhs/rel
     wget https://github.com/tsl0922/ttyd/releases/latest/download/ttyd.x86_64 -O /tmp/ttyd && \
     install -c -m 0755 /tmp/ttyd /usr/bin/ttyd
 
-# Install Charm gum 
+# Install Charm gum
 RUN rpm-ostree install $(curl https://api.github.com/repos/charmbracelet/gum/releases/latest | jq -r '.assets[] | select(.name| test(".*.x86_64.rpm$")).browser_download_url') 
 
 # Set up services
@@ -161,6 +162,33 @@ RUN systemctl enable podman.socket && \
 
 RUN /tmp/workarounds.sh
 
+### BEGIN bri
+# Add custom scripts
+ADD --chmod=0755 scripts/* /tmp/
+
+### add bat
+RUN /tmp/bat.sh
+
+### add delta
+RUN /tmp/delta.sh
+
+### add 1password
+COPY --from=ghcr.io/ublue-os/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh
+RUN chmod +x /tmp/1password.sh && \
+    ONEPASSWORD_RELEASE_CHANNEL=beta \
+    GID_ONEPASSWORD=1500 \
+    GID_ONEPASSWORDCLI=1600 \
+        /tmp/1password.sh
+
+### add appimagelauncher
+RUN rpm-ostree install "https://github.com/TheAssassin/AppImageLauncher/releases/download/continuous/appimagelauncher-2.2.0-gha111.d9d4c73.x86_64.rpm"
+
+### more
+RUN /tmp/more.sh
+
+### END bri
+
+
 # Clean up repos, everything is on the image so we don't need them
 RUN rm -f /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo && \
     rm -f /etc/yum.repos.d/ganto-lxc4-fedora-"${FEDORA_MAJOR_VERSION}".repo && \

README.md

@@ -1,10 +1,12 @@
-# bluefin
+# bri's bluefin spin
 
-**This image is considered Beta** 
+**a personal fork of Universal Blue's Bluefin{,-DX} spin on Fedora Silverblue** 
 
-## [Download the test ISO](https://github.com/ublue-os/bluefin/releases/)
-## [projectbluefin.io](https://projectbluefin.io)
-## [Announcement Blog Post](https://www.ypsidanger.com/announcing-project-bluefin/)
+==== BASE ====
+[![Bluefin Build](https://github.com/ublue-os/bluefin/actions/workflows/build.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build.yml)
+
+[![Ubuntu Toolbox Build](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml)
+==== BASE ====
 
 A familiar(ish) Ubuntu desktop for Fedora Silverblue. It strives to cover these three use cases:
 - For end users it provides a system as reliable as a Chromebook with near-zero maintainance, with the power of Ubuntu and Fedora fused together

cosign.pub

@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz+XNZtY2K17rapUcSQ5+rwxKOr/D
+AWE55K7g0eWAXQcJLKYF0v6jtcyyQc4iSFxDAcxACo4eUyzLSr8RUq93hg==
 -----END PUBLIC KEY-----

just/custom.just

@@ -23,6 +23,10 @@ aqua:
   printf '\n    export PATH="${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH"\n'
   printf '\n=> see https://aquaproj.github.io/docs/tutorial for more info\n'
 
+# Set shell (back) to bash
+bash:
+  ujust chsh /bin/bash
+
 # Install Homebrew for Linux
 brew:
   echo "Installing homebrew ..."
@@ -118,8 +122,7 @@ distrobox-universal:
 
 # Switch to the fish shell
 fish:
-  sudo usermod $USER --shell /usr/bin/fish 
-  printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')"
+  ujust chsh /usr/bin/fish
 
 # Install recommended GNOME extensions
 gnome-extensions:
@@ -170,12 +173,12 @@ nix-devbox-global:
 
 # Enable podmansh as user shell (EXPERIMENTAL)
 podmansh:
+  #!/usr/bin/env bash
   sudo mkdir -p /etc/containers/systemd/users/${UID}
   sudo cp /usr/share/ublue-os/quadlets/podmansh.container /etc/containers/systemd/users/${UID}/podmansh.container
-  sudo usermod $USER --shell /usr/bin/podmansh
-  printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')"
+  ujust chsh /usr/bin/podmansh
   podman pull ghcr.io/ublue-os/ubuntu-toolbox:latest
-  
+
   systemctl --user daemon-reload
   systemctl --user stop podmansh.service
   systemctl --user start podmansh.service
@@ -202,7 +205,7 @@ pytorch:
   --no-browser --allow-root"
 
 # Run Tensorflow
-tensorflow: 
+tensorflow:
   echo 'Follow the prompts and check the tutorial: https://www.tensorflow.org/tutorials/quickstart/beginner'
   podman pull docker.io/tensorflow/tensorflow:latest
   podman run -it -p 8888:8888 docker.io/tensorflow/tensorflow:latest-jupyter  # Start Jupyter server
@@ -233,8 +236,7 @@ yafti:
 
 # Switch to the zsh shell
 zsh:
-  sudo usermod $USER --shell /usr/bin/zsh 
-  printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')"
+  ujust chsh /usr/bin/zsh
 
 docker:
   sudo systemctl enable --now docker

packages.json

@@ -2,13 +2,16 @@
 	"all": {
 		"include": {
 			"bluefin": [
+				"chromium", "fedora-chromium-config", "fedora-chromium-config-gnome", "fedora-chromium-config-gssapi",
 				"bash-color-prompt",
 				"cockpit-bridge",
 				"ddccontrol-db",
 				"ddccontrol-gtk",
 				"ddccontrol",
 				"evtest",
 				"fish",
+				"freerdp",
+				"gdisk",
 				"gnome-shell-extension-appindicator",
 				"gnome-shell-extension-blur-my-shell",
 				"gnome-shell-extension-dash-to-dock",
@@ -21,6 +24,7 @@
 				"libxcrypt-compat",
 				"mesa-libGLU",
 				"nautilus-gsconnect",
+				"neovim", "neovim-qt",
 				"pulseaudio-utils",
 				"python3-pip",
 				"samba-dcerpc",
@@ -36,7 +40,7 @@
 				"wireguard-tools",
 				"xprop",
 				"yaru-theme",
-				"wl-clipboard", 
+				"wl-clipboard",
 				"zsh"
 			],
 			"bluefin-dx": [
@@ -58,7 +62,7 @@
 				"docker-buildx-plugin",
 				"docker-compose-plugin",
 				"edk2-ovmf",
-				"edk2-ovmf",
+				"gcc", "gcc-c++",
 				"genisoimage",
 				"google-droid-sans-mono-fonts",
 				"google-go-mono-fonts",
@@ -89,13 +93,12 @@
 				"qemu",
 				"ubuntu-nerd-fonts",
 				"ubuntumono-nerd-fonts",
-				"virt-manager"
+				"virt-manager",
+				"virt-viewer"
 			]
 		},
 		"exclude": {
 			"bluefin": [
-				"firefox-langpacks",
-				"firefox",
 				"gnome-extensions-app",
 				"gnome-software-rpm-ostree",
 				"gnome-tour",
@@ -120,7 +123,6 @@
 	"39": {
 		"include": {
 			"bluefin": [
-				"input-leap"	
 			],
 			"bluefin-dx": [],
 			"bluefin-framework": []

scripts/1password.sh

@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+
+set -ouex pipefail
+
+#### Variables
+
+# Can be "beta" or "stable"
+RELEASE_CHANNEL="${ONEPASSWORD_RELEASE_CHANNEL:-stable}"
+
+# Must be over 1000
+GID_ONEPASSWORD="${GID_ONEPASSWORD:-1500}"
+
+# Must be over 1000
+GID_ONEPASSWORDCLI="${GID_ONEPASSWORDCLI:-1600}"
+
+echo "Installing 1Password"
+
+# On libostree systems, /opt is a symlink to /var/opt,
+# which actually only exists on the live system. /var is
+# a separate mutable, stateful FS that's overlaid onto
+# the ostree rootfs. Therefore we need to install it into
+# /usr/lib/1Password instead, and dynamically create a
+# symbolic link /opt/1Password => /usr/lib/1Password upon
+# boot.
+
+# Prepare staging directory
+mkdir -p /var/opt # -p just in case it exists
+# for some reason...
+
+# Setup repo
+cat << EOF > /etc/yum.repos.d/1password.repo
+[1password]
+name=1Password ${RELEASE_CHANNEL^} Channel
+baseurl=https://downloads.1password.com/linux/rpm/${RELEASE_CHANNEL}/\$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://downloads.1password.com/linux/keys/1password.asc
+EOF
+
+# Import signing key
+rpm --import https://downloads.1password.com/linux/keys/1password.asc
+
+# Now let's install the packages.
+rpm-ostree install 1password 1password-cli
+
+# Clean up the yum repo (updates are baked into new images)
+rm /etc/yum.repos.d/1password.repo -f
+
+# And then we do the hacky dance!
+mv /var/opt/1Password /usr/lib/1Password # move this over here
+
+# Create a symlink /usr/bin/1password => /opt/1Password/1password
+rm /usr/bin/1password
+ln -s /opt/1Password/1password /usr/bin/1password
+
+#####
+# The following is a bastardization of "after-install.sh"
+# which is normally packaged with 1password. You can compare with
+# /usr/lib/1Password/after-install.sh if you want to see.
+
+cd /usr/lib/1Password
+
+# chrome-sandbox requires the setuid bit to be specifically set.
+# See https://github.com/electron/electron/issues/17972
+chmod 4755 /usr/lib/1Password/chrome-sandbox
+
+# Normally, after-install.sh would create a group,
+# "onepassword", right about now. But if we do that during
+# the ostree build it'll disappear from the running system!
+# I'm going to work around that by hardcoding GIDs and
+# crossing my fingers that nothing else steps on them.
+# These numbers _should_ be okay under normal use, but
+# if there's a more specific range that I should use here
+# please submit a PR!
+
+# Specifically, GID must be > 1000, and absolutely must not
+# conflict with any real groups on the deployed system.
+# Normal user group GIDs on Fedora are sequential starting
+# at 1000, so let's skip ahead and set to something higher.
+
+HELPER_PATH="/usr/lib/1Password/1Password-KeyringHelper"
+BROWSER_SUPPORT_PATH="/usr/lib/1Password/1Password-BrowserSupport"
+
+# Setup the Core App Integration helper binaries with the correct permissions and group
+chgrp "${GID_ONEPASSWORD}" "${HELPER_PATH}"
+# The binary requires setuid so it may interact with the Kernel keyring facilities
+chmod u+s "${HELPER_PATH}"
+chmod g+s "${HELPER_PATH}"
+
+# BrowserSupport binary needs setgid. This gives no extra permissions to the binary.
+# It only hardens it against environmental tampering.
+chgrp "${GID_ONEPASSWORD}" "${BROWSER_SUPPORT_PATH}"
+chmod g+s "${BROWSER_SUPPORT_PATH}"
+
+# onepassword-cli also needs its own group and setgid, like the other helpers.
+chgrp "${GID_ONEPASSWORDCLI}" /usr/bin/op
+chmod g+s /usr/bin/op
+
+# Dynamically create the required groups via sysusers.d
+# and set the GID based on the files we just chgrp'd
+cat >/usr/lib/sysusers.d/onepassword.conf <<EOF
+g onepassword ${GID_ONEPASSWORD}
+EOF
+cat >/usr/lib/sysusers.d/onepassword-cli.conf <<EOF
+g onepassword-cli ${GID_ONEPASSWORDCLI}
+EOF
+
+# remove the sysusers.d entries created by onepassword RPMs.
+# They don't magically set the GID like we need them to.
+rm -f /usr/lib/sysusers.d/30-rpmostree-pkg-group-onepassword.conf
+rm -f /usr/lib/sysusers.d/30-rpmostree-pkg-group-onepassword-cli.conf
+
+# Register path symlink
+# We do this via tmpfiles.d so that it is created by the live system.
+cat >/usr/lib/tmpfiles.d/onepassword.conf <<EOF
+L  /opt/1Password  -  -  -  -  /usr/lib/1Password
+EOF