Define tree for pitti's workstation

Also add helper script for running the ostree build.

.github/workflows/build.yml

@@ -0,0 +1,28 @@
+name: build
+on:
+  schedule:
+    - cron: 0 2 * * 6
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    timeout-minutes: 40
+    container:
+      image: docker.io/fedora:latest
+      # Fix SELinux for the built OSTree: https://github.com/coreos/rpm-ostree/issues/1943
+      options: --privileged --security-opt label:disable
+    steps:
+      - name: Install dependencies
+        run: dnf install -y rpm-ostree selinux-policy selinux-policy-targeted policycoreutils podman
+
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Log into container registry
+        run: podman login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
+
+      - name: Build OSTree and push it to registry
+        run: ./compose.sh registry

2015-RH-IT-Root-CA.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIJANunI0D662cnMA0GCSqGSIb3DQEBCwUAMIGlMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xEzARBgNVBAsMClJlZCBIYXQgSVQx
+GzAZBgNVBAMMElJlZCBIYXQgSVQgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5m
+b3NlY0ByZWRoYXQuY29tMCAXDTE1MDcwNjE3MzgxMVoYDzIwNTUwNjI2MTczODEx
+WjCBpTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYD
+VQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApS
+ZWQgSGF0IElUMRswGQYDVQQDDBJSZWQgSGF0IElUIFJvb3QgQ0ExITAfBgkqhkiG
+9w0BCQEWEmluZm9zZWNAcmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALQt9OJQh6GC5LT1g80qNh0u50BQ4sZ/yZ8aETxt+5lnPVX6MHKz
+bfwI6nO1aMG6j9bSw+6UUyPBHP796+FT/pTS+K0wsDV7c9XvHoxJBJJU38cdLkI2
+c/i7lDqTfTcfLL2nyUBd2fQDk1B0fxrskhGIIZ3ifP1Ps4ltTkv8hRSob3VtNqSo
+GxkKfvD2PKjTPxDPWYyruy9irLZioMffi3i/gCut0ZWtAyO3MVH5qWF/enKwgPES
+X9po+TdCvRB/RUObBaM761EcrLSM1GqHNueSfqnho3AjLQ6dBnPWlo638Zm1VebK
+BELyhkLWMSFkKwDmne0jQ02Y4g075vCKvCsCAwEAAaNjMGEwHQYDVR0OBBYEFH7R
+4yC+UehIIPeuL8Zqw3PzbgcZMB8GA1UdIwQYMBaAFH7R4yC+UehIIPeuL8Zqw3Pz
+bgcZMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
+CwUAA4IBAQBDNvD2Vm9sA5A9AlOJR8+en5Xz9hXcxJB5phxcZQ8jFoG04Vshvd0e
+LEnUrMcfFgIZ4njMKTQCM4ZFUPAieyLx4f52HuDopp3e5JyIMfW+KFcNIpKwCsak
+oSoKtIUOsUJK7qBVZxcrIyeQV2qcYOeZhtS5wBqIwOAhFwlCET7Ze58QHmS48slj
+S9K0JAcps2xdnGu0fkzhSQxY8GPQNFTlr6rYld5+ID/hHeS76gq0YG3q6RLWRkHf
+4eTkRjivAlExrFzKcljC4axKQlnOvVAzz+Gm32U0xPBF4ByePVxCJUHw1TsyTmel
+RxNEp7yHoXcwn+fXna+t5JWh1gxUZty3
+-----END CERTIFICATE-----

2022-RH-IT-Root-CA.pem

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGXjCCBEagAwIBAgIEeIXl3TANBgkqhkiG9w0BAQwFADCBozELMAkGA1UEBhMC
+VVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdoMRYw
+FAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApSZWQgSGF0IElUMRkwFwYD
+VQQDDBBJbnRlcm5hbCBSb290IENBMSEwHwYJKoZIhvcNAQkBFhJpbmZvc2VjQHJl
+ZGhhdC5jb20wIBcNMjIwNDEwMTMxNzE4WhgPMjA1MjA0MDIxMzE3MThaMIGjMQsw
+CQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1Jh
+bGVpZ2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xEzARBgNVBAsMClJlZCBIYXQg
+SVQxGTAXBgNVBAMMEEludGVybmFsIFJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEmlu
+Zm9zZWNAcmVkaGF0LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+ALG6WgRWCXNZdn0UUVQ5JV2lEgHaNblgGnCAx6bZ89l5Ygi+tVDo8v1c16cM5e4E
+dtKEP88CnGL+6NJnI4iMuw2HtYM77Q2qmR9PIH3BRgCHHcZMgZjvlFKjJnLXIptk
+NMq/6tJ+6L0iWy0AzPovc5AtkRL3MBgrwgKINTBN41nuq4Dqp/QpqbYvK4Fz9uUE
+jtYUs4YZZjXfk/U5RcmCclSwyGdgxOC9lDInY/t4tCmJHxM6vlkjoJhqmLIbrgue
+Sv+uwAuNLGhSjT1hqLUJU7rpUUn9eAw23ebNC0sMw9eIpS7CwGyC+jhC8uORdgiK
+L79hDJBrKmwpy0byZ58qRNPWREMqPgs11NFGB3m1yj5vj47/i6m3yYizHX61t0ws
+0YTPcmp3SyPwWXhHO6z5b56fNeYx9kfzpfptTm0y+564V3ktX4z1fOWKxxoRAwoR
+DsILvaV2s4rYrXYaNvtu7x0qr5pKU25Yr4bPU29vBiloIFinQmivK8cSrmOsIs+V
+OS4lDcdpoB/7gtoGbyej3ErZVsN/qX/se1vkjkucABmLT/lPMfTs2Eegh4xKZMQR
+rTuL+LmVuEzapvHql8u6SDbgcsIpN2LgWjr8mo9Yfr/d4jnk2yhZKagN1OIuDi/U
+b+uBRWvY3oXfoZNgwaqIhO+93hCbeL1c5NC+zHxEnHglAgMBAAGjgZUwgZIwHQYD
+VR0OBBYEFLX6jeUKeKEJldtNIYaVallPSciLMB8GA1UdIwQYMBaAFLX6jeUKeKEJ
+ldtNIYaVallPSciLMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMC8G
+A1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9vc2NwLnJlZGhhdC5jb20vY3JsLnBlbTAN
+BgkqhkiG9w0BAQwFAAOCAgEAr4RGb1FvUb0kqCbwNlEUwC0vqcdG/uJA38UL4vNa
+RgrUZOz8LlE1UywZacvLxpYY5G6duJgB6X6NxN98PV8ei5eYRp5pEyUXIaAl0vvT
+WQ+mr+nizbGCeRjnk1rAI9s9P/ho/uRq06l9upEJvgIotOb9+KY1ljBxstl00Egb
+4B+gjR6wDHwaHb9wKgNB7xgSRBqwJ84eLtK1UoXtYpVTDe9nHiqzVb9JfYA8rscM
+quPqLXeqKDJ/SP72vlM3BocY6HqQ7l9kV8Bbk0BmnBwHTPe1uiuiW61oRYT0dv8L
+RLoswGZGSar14HId8tZ3EGTNfGvrTkhBI6bjjSGs+0MDcv6ARAZF0JSH6YWTRRGK
+oGV5x2vE6zPXvaejzNzN5aTK9qspOK4QM/bM+DFxl3HvKWsm5urJZnCCrf+pSRC2
+crzoBtmKR6TQIzYbMSu6jfc8xOKCR30LJ+wlZ/LuEZmroSp5xc6Ixeg5FV6w4h4m
+eNlQFU9n5AJyCG3ThQBhahfK4vtOtjYZXrtJ5VFaMlG26xzavVDRppYp3taLtiNi
+qChV/dbSdc7HqYQOnDglUF5mRiu78uZ9+fl5OgE4PjHVG/exyqi6OQZeujPzBXL7
+gZ1WEVt+fV8FWaH/NaEvVu5EFhISI/2dM+y/nuRQ4n2IwauEAWCQ+o6Qdq8TXytp
+70A=
+-----END CERTIFICATE-----

README.md

@@ -1,3 +1,42 @@
+Martin Pitt's desktop
+=====================
+
+This is an [rpm-ostree](https://coreos.github.io/rpm-ostree/) based minimal
+[Fedora](https://getfedora.org/) developer desktop with the [sway window manager](https://swaywm.org/) and [podman](https://podman.io/)/[toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) for doing development and running less common graphical applications.
+
+It gets [automatically built](.github/workflows/build.yml) every week and [published as container image](https://github.com/martinpitt/ostree-pitti-workstation/pkgs/container/workstation-ostree-config), for using with [ostree native containers](https://coreos.github.io/rpm-ostree/container/).
+
+To use it from an existing OSTree based system like [Fedora CoreOS](https://getfedora.org/coreos) or [Fedora Silverblue](https://docs.fedoraproject.org/en-US/fedora-silverblue/), rebase your tree to it:
+
+```sh
+sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/martinpitt/workstation-ostree-config
+```
+
+After that, you can install weekly updates with
+
+```
+sudo rpm-ostree upgrade
+```
+
+If anything goes wrong, you can go back to the previous version with `sudo rpm-ostree rollback`.
+
+Login
+-----
+
+There is no graphical login manager. I log in on VT1, and my `.bashrc`
+automatically starts the GNOME SSH agent and sway:
+
+```sh
+if [ "$(tty)" = "/dev/tty1" ]; then
+    export `gnome-keyring-daemon --start --components=ssh`
+    export BROWSER=firefox-wayland
+    export XDG_CURRENT_DESKTOP=sway
+    exec sway > $XDG_RUNTIME_DIR/sway.log 2>&1
+fi
+```
+
+Original README for [workstation-ostree-config](https://pagure.io/workstation-ostree-config)
+=============================================
 # Manifests for rpm-ostree based Fedora variants
 
 This is the configuration needed to create

compose.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+set -eu
+CACHE=/var/cache/ostree
+REPO=/var/tmp/repo
+# default to storing locally; can also be "registry:" to directly push
+SKOPEO_TARGET="${1:-containers-storage}"
+
+mkdir -p $CACHE
+
+if [ ! -d $REPO/objects ]; then
+    ostree --repo=$REPO init --mode=archive-z2
+fi
+
+rpm-ostree compose tree --unified-core --cachedir=$CACHE --repo=$REPO pitti-desktop.yaml
+# HACK: networking in GitHub is a bit flaky, retry a few times
+for retry in $(seq 3); do
+    rpm-ostree compose container-encapsulate --repo=$REPO pitti-desktop ${SKOPEO_TARGET}:ghcr.io/martinpitt/workstation-ostree-config:latest && exit 0
+    [ "$SKOPEO_TARGET" = registry ] || break
+    sleep 30
+done
+exit 1

fedora-39-updates.repo

@@ -4,3 +4,10 @@ mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f39&
 enabled=1
 gpgcheck=1
 metadata_expire=1d
+
+[fedora-39-updates-testing]
+name=Fedora 39 $basearch Updates
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f39&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=1d

fedora-common-ostree.yaml

@@ -7,8 +7,6 @@ mutate-os-release: "39"
 container-cmd:
   - /usr/bin/bash
 
-include: fedora-common-ostree-pkgs.yaml
-
 # See https://github.com/coreos/bootupd
 # TODO: Disabled until we use use unified-core or native container flow
 # for the main build

pitti-desktop.yaml

@@ -0,0 +1,139 @@
+include: fedora-common-ostree.yaml
+
+ref: pitti-desktop
+rojig:
+  name: pitti-desktop
+  summary: "Pitti Desktop"
+  license: MIT
+
+repos:
+  - fedora-39
+  - fedora-39-updates
+  - fedora-39-updates-testing
+  - rpmfusion-free
+  - rpmfusion-free-updates
+
+packages:
+# hardware/drivers
+  - kernel
+  - kernel-modules-extra
+  - iwl6000g2a-firmware
+  - iwl7260-firmware
+  - alsa-sof-firmware
+  - NetworkManager-wifi
+  - NetworkManager-openvpn-gnome
+  - powertop
+  - wpa_supplicant
+# basic system
+  - acl
+  - attr
+  - basesystem
+  - cryptsetup
+  - dnsmasq
+  - fedora-workstation-backgrounds
+  - filesystem
+  - glibc-langpack-de
+  - glibc-langpack-en
+  - hostname
+  - iproute
+  - kbd
+  - nss-altfiles
+  - pciutils
+  # don't care, but rpm-ostree build fails otherwise
+  - selinux-policy-targeted
+  - sudo
+  - usbutils
+# shell tools and development
+  - bash-completion
+  - bc
+  - bzip2
+  - cockpit-system
+  - cockpit-ws
+  # authenticate to gmail
+  - cyrus-sasl-plain
+  - fpaste
+  - git
+  - gnupg2
+  - isync
+  - krb5-workstation
+  - lsof
+  - man-db
+  - mtr
+  - mutt
+  - neovim
+  - nmap-ncat
+  - openssh-server
+  - openvpn
+  - restic
+  - rsync
+  - strace
+  - syncthing
+  - systemd-container
+  - tree
+  - w3m
+  - weechat
+  - wget
+
+# desktop plumbing/apps
+  - dejavu-sans-fonts
+  - dejavu-serif-fonts
+  - dejavu-sans-mono-fonts
+  - fontawesome-fonts
+  - google-noto-emoji-color-fonts
+
+  - gvfs-mtp
+  - pulseaudio-utils
+  - alsa-plugins-pulseaudio
+  - gstreamer1-plugins-good
+  - gstreamer1-plugins-ugly
+  - gstreamer1-libav
+  # for wf-recorder
+  - libavdevice
+  - xdg-desktop-portal-gtk
+
+  - pavucontrol
+  - pcmanfm
+  - nm-connection-editor
+  - eog
+  - evince
+  - rhythmbox
+  - gnome-keyring
+  - pinentry-gnome3
+  - mate-polkit
+  - lxterminal
+  - gnome-disk-utility
+  - rofimoji
+
+# sway/wayland desktop
+  - sway
+  - swayidle
+  - swaylock
+  - kanshi
+  - mako
+  - waybar
+  - slurp
+  - grim
+  - xorg-x11-server-Xwayland
+  - firefox-wayland
+  - wofi
+  - brightnessctl
+  - wl-clipboard
+
+exclude-packages:
+  # recommended by sway
+  - alacritty
+  - brltty
+  - glibc-all-langpacks
+  # recommended by gtk3
+  - tracker
+  - tracker-miners
+  # does not work
+  - xdg-desktop-portal-wlr
+  # recommended by containers-common-extra
+  - qemu-user-static
+
+add-files:
+  - ["2015-RH-IT-Root-CA.pem", "/etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem"]
+  - ["2022-RH-IT-Root-CA.pem", "/etc/pki/ca-trust/source/anchors/2022-RH-IT-Root-CA.pem"]
+
+postprocess-script: pitti-post.sh

pitti-post.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+# Enable SysRQ
+echo 'kernel.sysrq = 1' > /usr/lib/sysctl.d/90-sysrq.conf
+
+# power saving
+echo 'blacklist e1000e' > /usr/lib/modprobe.d/blacklist-local.conf
+
+# NetworkManager config
+cat <<EOF > /usr/lib/NetworkManager/conf.d/local.conf
+[main]
+plugins=
+
+[device]
+#wifi.backend=iwd
+EOF
+#ln -sfn ../iwd.service /usr/lib/systemd/system/multi-user.target.wants/iwd.service
+
+ln -sfn /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+# set up PAM for systemd-homed
+authselect enable-feature with-systemd-homed
+
+# homed is missing a lot of SELinux policy (https://bugzilla.redhat.com/show_bug.cgi?id=1809878)
+# "disabled" breaks rpm-ostree (https://bugzilla.redhat.com/show_bug.cgi?id=1882933), so just use permissive
+sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
+
+# enable other units
+mkdir -p /usr/lib/systemd/system/getty.target.wants
+ln -s ../[email protected] /usr/lib/systemd/system/getty.target.wants/[email protected]
+ln -s ../systemd-timesyncd.service /usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+ln -s ../systemd-resolved.service /usr/lib/systemd/system/multi-user.target.wants/systemd-resolved.service
+ln -s ../systemd-homed.service /usr/lib/systemd/system/multi-user.target.wants/systemd-homed.service
+ln -s ../cockpit.socket /usr/lib/systemd/system/sockets.target.wants/cockpit.socket
+ln -s ../sshd.socket /usr/lib/systemd/system/sockets.target.wants/sshd.socket
+
+# disable unwanted services
+ln -sfn /dev/null /usr/lib/systemd/user/at-spi-dbus-bus.service
+
+# move OS systemd unit defaults to /usr
+cp -a --verbose /etc/systemd/system /etc/systemd/user /usr/lib/systemd/
+rm -r /etc/systemd/system /etc/systemd/user
+
+# scanner permissions without scanner packages
+echo 'ACTION=="add|change", ENV{DEVTYPE}=="usb_device", ENV{ID_MODEL}=="CanoScan", MODE="666"' > /usr/lib/udev/rules.d/canoscan.rules
+
+# update for Red Hat certificate
+ln -s /etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem /etc/pki/tls/certs/2015-RH-IT-Root-CA.pem
+ln -s /etc/pki/ca-trust/source/anchors/2022-RH-IT-Root-CA.pem /etc/pki/tls/certs/2022-RH-IT-Root-CA.pem
+update-ca-trust

rpmfusion.repo

@@ -0,0 +1,18 @@
+[rpmfusion-free]
+name=RPM Fusion for Fedora $releasever - Free
+#baseurl=http://download1.rpmfusion.org/free/fedora/releases/$releasever/Everything/$basearch/os/
+metalink=https://mirrors.rpmfusion.org/metalink?repo=free-fedora-39&arch=$basearch
+enabled=1
+metadata_expire=14d
+type=rpm-md
+gpgcheck=0
+
+[rpmfusion-free-updates]
+name=RPM Fusion for Fedora $releasever - Free - Updates
+#baseurl=http://download1.rpmfusion.org/free/fedora/updates/$releasever/$basearch/
+metalink=https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-39&arch=$basearch
+enabled=1
+enabled_metadata=1
+type=rpm-md
+gpgcheck=0
+repo_gpgcheck=0