From 6d912649d591e0a1dd05471e2a8225139a1f6788 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Fri, 22 Nov 2024 10:53:40 +0100
Subject: [PATCH] Define tree for pitti's workstation
Also add helper script for running the ostree build.
---
.github/workflows/build.yml | 28 +++++++
2015-RH-IT-Root-CA.pem | 25 ++++++
2022-RH-IT-Root-CA.pem | 37 +++++++++
README.md | 40 ++++++++++
common.yaml | 8 +-
compose.sh | 21 +++++
fedora-41-updates.repo | 7 ++
fedora-cisco-openh264.repo | 9 +++
pitti-desktop.yaml | 154 ++++++++++++++++++++++++++++++++++++
pitti-post.sh | 53 +++++++++++++
rpmfusion.repo | 18 +++++
11 files changed, 395 insertions(+), 5 deletions(-)
create mode 100644 .github/workflows/build.yml
create mode 100644 2015-RH-IT-Root-CA.pem
create mode 100644 2022-RH-IT-Root-CA.pem
create mode 100755 compose.sh
create mode 100644 fedora-cisco-openh264.repo
create mode 100644 pitti-desktop.yaml
create mode 100755 pitti-post.sh
create mode 100644 rpmfusion.repo
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..09e0053
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,28 @@
+name: build
+on:
+ schedule:
+ - cron: 0 2 * * 6
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ timeout-minutes: 40
+ container:
+ image: docker.io/fedora:latest
+ # Fix SELinux for the built OSTree: https://github.com/coreos/rpm-ostree/issues/1943
+ options: --privileged --security-opt label:disable
+ steps:
+ - name: Install dependencies
+ run: dnf install -y rpm-ostree selinux-policy selinux-policy-targeted policycoreutils podman overlayfs-tools fuse-overlayfs
+
+ - name: Clone repository
+ uses: actions/checkout@v4
+
+ - name: Log into container registry
+ run: podman login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
+
+ - name: Build OSTree and push it to registry
+ run: ./compose.sh registry
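Review bot: The login step passes the registry token on the command line (`-p ${{ secrets.GITHUB_TOKEN }}`), which leaves it visible in the container's process table for the duration of the call and would print it if the step ever ran with shell tracing; `--password-stdin` keeps it off argv. Add an `env:` entry `REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to that step and change the command to `run: echo "$REGISTRY_TOKEN" | podman login -u "${{ github.actor }}" --password-stdin ghcr.io`. Separately, `actions/checkout@v4` and `docker.io/fedora:latest` are mutable references, so pinning the action to a commit SHA and the image to a digest would make the weekly build reproducible and harder to alter through an upstream tag move. The `--privileged` option is justified by the linked issue, but a one-line comment saying the job therefore runs with full capabilities on the runner would make that trade-off explicit.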
diff --git a/2015-RH-IT-Root-CA.pem b/2015-RH-IT-Root-CA.pem new file mode 100644 index 0000000..f306f00 --- /dev/null +++ b/2015-RH-IT-Root-CA.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIJANunI0D662cnMA0GCSqGSIb3DQEBCwUAMIGlMQswCQYD +VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp +Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xEzARBgNVBAsMClJlZCBIYXQgSVQx +GzAZBgNVBAMMElJlZCBIYXQgSVQgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5m +b3NlY0ByZWRoYXQuY29tMCAXDTE1MDcwNjE3MzgxMVoYDzIwNTUwNjI2MTczODEx +WjCBpTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYD +VQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApS +ZWQgSGF0IElUMRswGQYDVQQDDBJSZWQgSGF0IElUIFJvb3QgQ0ExITAfBgkqhkiG +9w0BCQEWEmluZm9zZWNAcmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALQt9OJQh6GC5LT1g80qNh0u50BQ4sZ/yZ8aETxt+5lnPVX6MHKz +bfwI6nO1aMG6j9bSw+6UUyPBHP796+FT/pTS+K0wsDV7c9XvHoxJBJJU38cdLkI2 +c/i7lDqTfTcfLL2nyUBd2fQDk1B0fxrskhGIIZ3ifP1Ps4ltTkv8hRSob3VtNqSo +GxkKfvD2PKjTPxDPWYyruy9irLZioMffi3i/gCut0ZWtAyO3MVH5qWF/enKwgPES +X9po+TdCvRB/RUObBaM761EcrLSM1GqHNueSfqnho3AjLQ6dBnPWlo638Zm1VebK +BELyhkLWMSFkKwDmne0jQ02Y4g075vCKvCsCAwEAAaNjMGEwHQYDVR0OBBYEFH7R +4yC+UehIIPeuL8Zqw3PzbgcZMB8GA1UdIwQYMBaAFH7R4yC+UehIIPeuL8Zqw3Pz +bgcZMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQBDNvD2Vm9sA5A9AlOJR8+en5Xz9hXcxJB5phxcZQ8jFoG04Vshvd0e +LEnUrMcfFgIZ4njMKTQCM4ZFUPAieyLx4f52HuDopp3e5JyIMfW+KFcNIpKwCsak +oSoKtIUOsUJK7qBVZxcrIyeQV2qcYOeZhtS5wBqIwOAhFwlCET7Ze58QHmS48slj +S9K0JAcps2xdnGu0fkzhSQxY8GPQNFTlr6rYld5+ID/hHeS76gq0YG3q6RLWRkHf +4eTkRjivAlExrFzKcljC4axKQlnOvVAzz+Gm32U0xPBF4ByePVxCJUHw1TsyTmel +RxNEp7yHoXcwn+fXna+t5JWh1gxUZty3 +-----END CERTIFICATE----- diff --git a/2022-RH-IT-Root-CA.pem b/2022-RH-IT-Root-CA.pem new file mode 100644 index 0000000..f2d8b8a --- /dev/null +++ b/2022-RH-IT-Root-CA.pem 
@@ -0,0 +1,37 @@ +-----BEGIN CERTIFICATE----- +MIIGXjCCBEagAwIBAgIEeIXl3TANBgkqhkiG9w0BAQwFADCBozELMAkGA1UEBhMC +VVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdoMRYw +FAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApSZWQgSGF0IElUMRkwFwYD +VQQDDBBJbnRlcm5hbCBSb290IENBMSEwHwYJKoZIhvcNAQkBFhJpbmZvc2VjQHJl +ZGhhdC5jb20wIBcNMjIwNDEwMTMxNzE4WhgPMjA1MjA0MDIxMzE3MThaMIGjMQsw +CQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1Jh +bGVpZ2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xEzARBgNVBAsMClJlZCBIYXQg +SVQxGTAXBgNVBAMMEEludGVybmFsIFJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEmlu +Zm9zZWNAcmVkaGF0LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +ALG6WgRWCXNZdn0UUVQ5JV2lEgHaNblgGnCAx6bZ89l5Ygi+tVDo8v1c16cM5e4E +dtKEP88CnGL+6NJnI4iMuw2HtYM77Q2qmR9PIH3BRgCHHcZMgZjvlFKjJnLXIptk +NMq/6tJ+6L0iWy0AzPovc5AtkRL3MBgrwgKINTBN41nuq4Dqp/QpqbYvK4Fz9uUE +jtYUs4YZZjXfk/U5RcmCclSwyGdgxOC9lDInY/t4tCmJHxM6vlkjoJhqmLIbrgue +Sv+uwAuNLGhSjT1hqLUJU7rpUUn9eAw23ebNC0sMw9eIpS7CwGyC+jhC8uORdgiK +L79hDJBrKmwpy0byZ58qRNPWREMqPgs11NFGB3m1yj5vj47/i6m3yYizHX61t0ws +0YTPcmp3SyPwWXhHO6z5b56fNeYx9kfzpfptTm0y+564V3ktX4z1fOWKxxoRAwoR +DsILvaV2s4rYrXYaNvtu7x0qr5pKU25Yr4bPU29vBiloIFinQmivK8cSrmOsIs+V +OS4lDcdpoB/7gtoGbyej3ErZVsN/qX/se1vkjkucABmLT/lPMfTs2Eegh4xKZMQR +rTuL+LmVuEzapvHql8u6SDbgcsIpN2LgWjr8mo9Yfr/d4jnk2yhZKagN1OIuDi/U +b+uBRWvY3oXfoZNgwaqIhO+93hCbeL1c5NC+zHxEnHglAgMBAAGjgZUwgZIwHQYD +VR0OBBYEFLX6jeUKeKEJldtNIYaVallPSciLMB8GA1UdIwQYMBaAFLX6jeUKeKEJ +ldtNIYaVallPSciLMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMC8G +A1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9vc2NwLnJlZGhhdC5jb20vY3JsLnBlbTAN +BgkqhkiG9w0BAQwFAAOCAgEAr4RGb1FvUb0kqCbwNlEUwC0vqcdG/uJA38UL4vNa +RgrUZOz8LlE1UywZacvLxpYY5G6duJgB6X6NxN98PV8ei5eYRp5pEyUXIaAl0vvT +WQ+mr+nizbGCeRjnk1rAI9s9P/ho/uRq06l9upEJvgIotOb9+KY1ljBxstl00Egb +4B+gjR6wDHwaHb9wKgNB7xgSRBqwJ84eLtK1UoXtYpVTDe9nHiqzVb9JfYA8rscM +quPqLXeqKDJ/SP72vlM3BocY6HqQ7l9kV8Bbk0BmnBwHTPe1uiuiW61oRYT0dv8L +RLoswGZGSar14HId8tZ3EGTNfGvrTkhBI6bjjSGs+0MDcv6ARAZF0JSH6YWTRRGK 
+oGV5x2vE6zPXvaejzNzN5aTK9qspOK4QM/bM+DFxl3HvKWsm5urJZnCCrf+pSRC2 +crzoBtmKR6TQIzYbMSu6jfc8xOKCR30LJ+wlZ/LuEZmroSp5xc6Ixeg5FV6w4h4m +eNlQFU9n5AJyCG3ThQBhahfK4vtOtjYZXrtJ5VFaMlG26xzavVDRppYp3taLtiNi +qChV/dbSdc7HqYQOnDglUF5mRiu78uZ9+fl5OgE4PjHVG/exyqi6OQZeujPzBXL7 +gZ1WEVt+fV8FWaH/NaEvVu5EFhISI/2dM+y/nuRQ4n2IwauEAWCQ+o6Qdq8TXytp +70A= +-----END CERTIFICATE----- diff --git a/README.md b/README.md index 3919ad4..dad5eed 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,43 @@
+Martin Pitt's desktop
+=====================
+
+This is an [rpm-ostree](https://coreos.github.io/rpm-ostree/) based minimal
+[Fedora](https://getfedora.org/) developer desktop with the [sway window manager](https://swaywm.org/) and [podman](https://podman.io/)/[toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) for doing development and running less common graphical applications.
+
+It gets [automatically built](.github/workflows/build.yml) every week and [published as container image](https://github.com/martinpitt/ostree-pitti-workstation/pkgs/container/workstation-ostree-config), for using with [ostree native containers](https://coreos.github.io/rpm-ostree/container/).
+
+To use it from an existing OSTree based system like [Fedora CoreOS](https://getfedora.org/coreos) or [Fedora Silverblue](https://docs.fedoraproject.org/en-US/fedora-silverblue/), rebase your tree to it:
+
+```sh
+sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/martinpitt/workstation-ostree-config
+```
+
+After that, you can install weekly updates with
+
+```
+sudo rpm-ostree upgrade
+```
+
+If anything goes wrong, you can go back to the previous version with `sudo rpm-ostree rollback`.
+
+Login
+-----
+
+There is no graphical login manager. I log in on VT1, and my `.bashrc`
+automatically starts the GNOME SSH agent and sway:
+
+```sh
+if [ "$(tty)" = "/dev/tty1" ]; then
+ export `gnome-keyring-daemon --start --components=ssh`
+ export BROWSER=firefox-wayland
+ export XDG_CURRENT_DESKTOP=sway
+ exec sway > $XDG_RUNTIME_DIR/sway.log 2>&1
+fi
+```
+
+Original README for [workstation-ostree-config](https://pagure.io/workstation-ostree-config)
+=============================================
+
# Manifests for Fedora Atomic Desktops variants
This is the configuration needed to create
diff --git a/common.yaml b/common.yaml
index a903e1d..a4af15e 100644
--- a/common.yaml
+++ b/common.yaml
@@ -7,8 +7,6 @@ container-cmd:
- /usr/bin/bash
include:
- # Packages common to all variants
- - common-packages.yaml
# See: https://gitlab.com/fedora/ostree/sig/-/issues/1
- bootupd.yaml
# Dracut configuration for the initramfs
@@ -104,9 +102,9 @@ packages-x86_64:
exclude-packages:
- PackageKit
# We can not include openh264. See https://fedoraproject.org/wiki/OpenH264
- - gstreamer1-plugin-openh264
- - mozilla-openh264
- - openh264
+ # - gstreamer1-plugin-openh264
+ # - mozilla-openh264
+ # - openh264
# Do not include dnf4. Classic ostree also exclude dnf5 in another manifest
- dnf
- dnf-plugins-core
diff --git a/compose.sh b/compose.sh
new file mode 100755
index 0000000..354e389
--- /dev/null
+++ b/compose.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -eu
+CACHE=/var/cache/ostree
+REPO=/var/tmp/repo
+# default to storing locally; can also be "registry:" to directly push
+SKOPEO_TARGET="${1:-containers-storage}"
+
+mkdir -p $CACHE
+
+if [ ! -d $REPO/objects ]; then
+ ostree --repo=$REPO init --mode=archive-z2
+fi
+
+rpm-ostree compose tree --unified-core --cachedir=$CACHE --repo=$REPO pitti-desktop.yaml
+# HACK: networking in GitHub is a bit flaky, retry a few times
+for retry in $(seq 3); do
+ rpm-ostree compose container-encapsulate --repo=$REPO pitti-desktop ${SKOPEO_TARGET}:ghcr.io/martinpitt/workstation-ostree-config:latest && exit 0
+ [ "$SKOPEO_TARGET" = registry ] || break
+ sleep 30
+done
+exit 1
diff --git a/fedora-41-updates.repo b/fedora-41-updates.repo
index 717965b..195b45e 100644
--- a/fedora-41-updates.repo
+++ b/fedora-41-updates.repo
@@ -4,3 +4,10 @@ mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f41&
enabled=1
gpgcheck=1
metadata_expire=1d
+
+[fedora-41-updates-testing]
+name=Fedora 41 $basearch Updates
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f41&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=1d
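Review bot: The comment `# We can not include openh264. See https://fedoraproject.org/wiki/OpenH264` is now stale, because the three excludes under it are only commented out and the manifest in this patch pulls `gstreamer1-plugin-openh264` from the Cisco repository. Either delete the dead lines or reword the comment, e.g. `# openh264 is no longer excluded: it comes from the fedora-cisco-openh264 repo (see pitti-desktop.yaml)`, so the next reader does not reinstate the excludes. The enclosing `exclude-packages:` list continues outside the hunk.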
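Review bot: Nothing in this script signs the image it pushes to `ghcr.io/martinpitt/workstation-ostree-config:latest`, so clients can only rebase with `ostree-unverified-registry:` (as the README in this patch does) and every weekly `rpm-ostree upgrade` trusts whatever the registry serves under a mutable tag. If that is acceptable for a personal workstation, a comment above the push saying the image is intentionally unsigned would record it; otherwise signing after the push (skopeo and rpm-ostree both document sigstore-style signatures) and additionally pushing an immutable per-build tag next to `:latest` would allow a verified transport and a rollback to a known image. As a style point, `$CACHE` and `$REPO` are unquoted in `mkdir -p $CACHE` and `ostree --repo=$REPO init`; they are constants here, but quoting them keeps the script safe if someone later makes them configurable.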
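Review bot: The new section is named `[fedora-41-updates-testing]` but its `name=` still reads `Fedora 41 $basearch Updates`, copied from the released-updates section above it; `name=Fedora 41 $basearch Updates Testing` keeps the two distinguishable in rpm-ostree output. Note also that the manifest in this patch lists `fedora-41-updates` but not `fedora-41-updates-testing` under `repos:`, so unless common.yaml references it (not visible here) the section is unused by the compose; if it is meant to be used, it feeds pre-release packages into a weekly image and deserves a comment saying so. The file continues outside the hunk.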
diff --git a/fedora-cisco-openh264.repo b/fedora-cisco-openh264.repo
new file mode 100644
index 0000000..19a43d8
--- /dev/null
+++ b/fedora-cisco-openh264.repo
@@ -0,0 +1,9 @@
+[fedora-cisco-openh264]
+name=Fedora 41 openh264 (From Cisco) - $basearch
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-41&arch=$basearch
+type=rpm
+enabled=1
+metadata_expire=14d
+repo_gpgcheck=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-41-$basearch
diff --git a/pitti-desktop.yaml b/pitti-desktop.yaml
new file mode 100644
index 0000000..fa68a47
--- /dev/null
+++ b/pitti-desktop.yaml
@@ -0,0 +1,154 @@
+variables:
+ bootable_container: false
+
+include: common.yaml
+
+ref: pitti-desktop
+rojig:
+ name: pitti-desktop
+ summary: "Pitti Desktop"
+ license: MIT
+
+repos:
+ - fedora-41
+ - fedora-41-updates
+ - fedora-cisco-openh264
+ - rpmfusion-free
+ - rpmfusion-free-updates
+
+packages:
+# hardware/drivers
+ - kernel
+ - kernel-modules-extra
+ - iwlwifi-mvm-firmware
+ - alsa-sof-firmware
+ - NetworkManager-wifi
+ - NetworkManager-openvpn-gnome
+ - powertop
+ - wpa_supplicant
+ - bluez
+ - bluez-tools
+# basic system
+ - acl
+ - attr
+ - basesystem
+ - cryptsetup
+ - dnsmasq
+ - fedora-workstation-backgrounds
+ - filesystem
+ - glibc-langpack-de
+ - glibc-langpack-en
+ - hostname
+ - iproute
+ - kbd
+ - nss-altfiles
+ - pciutils
+ - rpm-ostree
+ # don't care, but rpm-ostree build fails otherwise
+ - selinux-policy-targeted
+ - sudo
+ - usbutils
+# shell tools and development
+ - bash-completion
+ - bc
+ - bzip2
+ # authenticate to gmail
+ - cyrus-sasl-plain
+ - fpaste
+ - git
+ - gnupg2
+ - isync
+ - krb5-workstation
+ - lsof
+ - man-db
+ - mtr
+ - mutt
+ - neovim
+ - nmap-ncat
+ - openssh-server
+ - openvpn
+ - podman
+ - restic
+ - rsync
+ - strace
+ - syncthing
+ - systemd-container
+ - toolbox
+ - tree
+ - w3m
+ - weechat
+ - wget
+
+# desktop plumbing/apps
+ - dejavu-sans-fonts
+ - dejavu-serif-fonts
+ - dejavu-sans-mono-fonts
+ - fontawesome-fonts
+ - google-noto-emoji-color-fonts
+
+ - gvfs-mtp
+ - pulseaudio-utils
+ - alsa-plugins-pulseaudio
+ - gstreamer1-plugins-good
+ - gstreamer1-plugins-bad-free
+ - gstreamer1-plugin-openh264
+ - gstreamer1-libav
+ # for wf-recorder
+ - libavdevice
+ - xdg-desktop-portal-gtk
+
+ - pavucontrol
+ - pcmanfm
+ - nm-connection-editor
+ - blueman
+ - eog
+ - evince
+ - rhythmbox
+ - gnome-keyring
+ - pinentry-gnome3
+ - mate-polkit
+ - lxterminal
+ - gnome-disk-utility
+ - rofimoji
+
+# sway/wayland desktop
+ - sway
+ - swayidle
+ - swaylock
+ - kanshi
+ - mako
+ - waybar
+ - slurp
+ - grim
+ - xorg-x11-server-Xwayland
+ - firefox
+ - wofi
+ - brightnessctl
+ - wl-clipboard
+
+exclude-packages:
+ # recommended by sway
+ - alacritty
+ - brltty
+ - glibc-all-langpacks
+ # recommended by gtk3
+ - tracker
+ - tracker-miners
+ # recommended by toolbox
+ - subscription-manager
+ # recommended by udisks
+ - exfatprogs
+ - f2fs-tools
+ - btrfs-progs
+ - nilfs-utils
+ - udftools
+ # does not work
+ - xdg-desktop-portal-wlr
+ # recommended by containers-common-extra
+ - qemu-user-static
+
+add-files:
+ - ["2015-RH-IT-Root-CA.pem", "/etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem"]
+ - ["2022-RH-IT-Root-CA.pem", "/etc/pki/ca-trust/source/anchors/2022-RH-IT-Root-CA.pem"]
+
+postprocess-script: pitti-post.sh
diff --git a/pitti-post.sh b/pitti-post.sh
new file mode 100755
index 0000000..85c2cbf
--- /dev/null
+++ b/pitti-post.sh
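Review bot: The `add-files` entries drop two Red Hat IT root CA certificates into `/etc/pki/ca-trust/source/anchors/`, which makes every certificate chaining to them trusted by all TLS clients on the image (browser, git, podman pulls, mutt/isync), not only for Red Hat internal hosts; that is a reasonable choice for a work machine but nothing in the manifest says so. A comment above the entries, e.g. `# corporate root CAs: trusted system-wide by every TLS client on this image; drop when no longer needed`, would record the trade-off for anyone rebasing onto the published image. Separately, `openssh-server` is listed here and `pitti-post.sh` in this patch enables `sshd.socket`, so the image accepts SSH connections out of the box; a comment next to `openssh-server` noting that, and whether `sshd_config` is left at the Fedora defaults, would save the next reader a search through the post script.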
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+# Enable SysRQ
+echo 'kernel.sysrq = 1' > /usr/lib/sysctl.d/90-sysrq.conf
+
+# power saving
+echo 'blacklist e1000e' > /usr/lib/modprobe.d/blacklist-local.conf
+
+# NetworkManager config
+cat < /usr/lib/NetworkManager/conf.d/local.conf
+[main]
+plugins=
+
+[device]
+#wifi.backend=iwd
+EOF
+#ln -sfn ../iwd.service /usr/lib/systemd/system/multi-user.target.wants/iwd.service
+
+ln -sfn /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+# set up PAM for systemd-homed
+authselect enable-feature with-systemd-homed
+
+# homed is missing a lot of SELinux policy (https://bugzilla.redhat.com/show_bug.cgi?id=1809878)
+# "disabled" breaks rpm-ostree (https://bugzilla.redhat.com/show_bug.cgi?id=1882933), so just use permissive
+sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
+
+# enable other units
+mkdir -p /usr/lib/systemd/system/getty.target.wants
+ln -s ../getty@.service /usr/lib/systemd/system/getty.target.wants/getty@tty1.service
+ln -s ../systemd-timesyncd.service /usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+ln -s ../systemd-resolved.service /usr/lib/systemd/system/multi-user.target.wants/systemd-resolved.service
+ln -s ../systemd-homed.service /usr/lib/systemd/system/multi-user.target.wants/systemd-homed.service
+ln -s ../sshd.socket /usr/lib/systemd/system/sockets.target.wants/sshd.socket
+
+# disable unwanted services
+ln -sfn /dev/null /usr/lib/systemd/user/at-spi-dbus-bus.service
+
+# move OS systemd unit defaults to /usr
+cp -a --verbose /etc/systemd/system /etc/systemd/user /usr/lib/systemd/
+rm -r /etc/systemd/system /etc/systemd/user
+
+# scanner permissions without scanner packages
+echo 'ACTION=="add|change", ENV{DEVTYPE}=="usb_device", ENV{ID_MODEL}=="CanoScan", MODE="666"' > /usr/lib/udev/rules.d/canoscan.rules
+
+# battery health
+echo 'ACTION=="add|change", ATTR{type}=="Battery", ATTR{charge_stop_threshold}="80"' > /usr/lib/udev/rules.d/80-battery-health.rules
+
+# update for Red Hat certificate
+ln -s /etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem /etc/pki/tls/certs/2015-RH-IT-Root-CA.pem
+ln -s /etc/pki/ca-trust/source/anchors/2022-RH-IT-Root-CA.pem /etc/pki/tls/certs/2022-RH-IT-Root-CA.pem
+update-ca-trust
diff --git a/rpmfusion.repo b/rpmfusion.repo
new file mode 100644
index 0000000..343cc8d
--- /dev/null
+++ b/rpmfusion.repo
@@ -0,0 +1,18 @@
+[rpmfusion-free]
+name=RPM Fusion for Fedora $releasever - Free
+#baseurl=http://download1.rpmfusion.org/free/fedora/releases/$releasever/Everything/$basearch/os/
+metalink=https://mirrors.rpmfusion.org/metalink?repo=free-fedora-41&arch=$basearch
+enabled=1
+metadata_expire=14d
+type=rpm-md
+gpgcheck=0
+
+[rpmfusion-free-updates]
+name=RPM Fusion for Fedora $releasever - Free - Updates
+#baseurl=http://download1.rpmfusion.org/free/fedora/updates/$releasever/$basearch/
+metalink=https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-41&arch=$basearch
+enabled=1
+enabled_metadata=1
+type=rpm-md
+gpgcheck=0
+repo_gpgcheck=0
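Review bot: The CanoScan udev rule sets `MODE="666"`, which makes the scanner's USB device node writable by every local account and by any container that can see `/dev/bus/usb`, whereas the usual desktop idiom is `TAG+="uaccess"`, which grants an ACL only to the user on the active seat. That tag is applied by `73-seat-late.rules`, so the rule needs a file that sorts before it, e.g. write `ACTION=="add|change", ENV{DEVTYPE}=="usb_device", ENV{ID_MODEL}=="CanoScan", TAG+="uaccess"` to `/usr/lib/udev/rules.d/70-canoscan.rules` instead of `canoscan.rules`. `kernel.sysrq = 1` enables every SysRq function from the console, including process kill and memory dumps; if only the emergency sync/remount/reboot keys are wanted, a bitmask such as `kernel.sysrq = 176` is narrower. The NetworkManager block appears here as `cat < /usr/lib/NetworkManager/conf.d/local.conf`, which would read the file rather than write it; presumably a `<<EOF >` redirection was lost in rendering, but it is worth confirming against the committed script. Finally, the `SELINUX=permissive` switch is justified by the linked bugs, but it means the published image runs with no MAC enforcement, which the README should state for anyone rebasing onto it.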
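Review bot: Both `[rpmfusion-free]` and `[rpmfusion-free-updates]` set `gpgcheck=0`, so packages from these repositories are composed into the OS image with no signature verification at all, while every other repo file in this patch (Fedora updates, the Cisco repo) keeps `gpgcheck=1`. RPM Fusion ships a per-release signing key, so the fix is `gpgcheck=1` together with a `gpgkey=` line pointing at that key, for example committing the key file next to the two CA PEMs in this patch and referencing it with a `gpgkey=file://` URL that resolves inside the build container; how rpm-ostree resolves `file://` keys during `compose tree` should be checked against its documentation before relying on it. If the check is deliberately left off, a comment stating why (and that the metalink over HTTPS only protects the metadata in transit, not the package contents served by a mirror) would at least make the trust decision visible.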