feat: add OSTree to try out

because why not, immutable router without Nix abstractions!
2026-01-27 10:18:27 +00:00 · 2024-04-24 01:43:46 +08:00
parent eab36fc78e
commit e2d7bf15fd
5 changed files with 169 additions and 0 deletions
--- a/ostree/build.sh
+++ b/ostree/build.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -eu
+CACHE=/var/cache/ostree
+REPO=/var/tmp/repo
+# default to storing locally; can also be "registry:" to directly push
+SKOPEO_TARGET="${1:-containers-storage}"
+
+mkdir -p $CACHE
+
+if [ ! -d $REPO/objects ]; then
+    ostree --repo=$REPO init --mode=archive-z2
+fi
+
+rpm-ostree compose tree --unified-core --cachedir=$CACHE --repo=$REPO ${BUILD}.yaml
+# HACK: networking in GitHub is a bit flaky, retry a few times
+for retry in $(seq 3); do
+    rpm-ostree compose container-encapsulate --repo=$REPO ${BUILD} ${SKOPEO_TARGET}:ghcr.io/${USER}/fedora-ostree-${BUILD}:latest && exit 0
+    [ "$SKOPEO_TARGET" = registry ] || break
+    sleep 30
+done
+exit 1
--- a/ostree/repos.repo
+++ b/ostree/repos.repo
@@ -0,0 +1,21 @@
+[fedora-40]
+name=Fedora 40 $basearch
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-40&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=1d
+
+[fedora-40-updates]
+name=Fedora 40 $basearch Updates
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f40&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=1d
+
+[1password]
+name=1Password Stable Channel
+baseurl=https://downloads.1password.com/linux/rpm/stable/$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://downloads.1password.com/linux/keys/1password.asc
--- a/ostree/repos.sh
+++ b/ostree/repos.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+curl -v -o ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo" | wget -O ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo"
--- a/ostree/router.yaml
+++ b/ostree/router.yaml
@@ -0,0 +1,72 @@
+---
+ref: fedora-ostree-router
+rojig:
+  name: biohazard-router
+  summary: "JJGadgets Biohazard Router"
+  license: "Apache 2.0"
+
+releasever: 40
+selinux: false
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"
+tmp-is-dir: true
+
+repos:
+  - fedora-40
+  - fedora-40-updates
+  # - fedora-40-updates-testing
+  - rpmfusion-free
+  - rpmfusion-free-updates
+  - copr:copr.fedorainfracloud.org:wezfurlong:wezterm-nightly
+  - copr:copr.fedorainfracloud.org:atim:i3status-rust
+
+packages:
+  # base
+  - fedora-release-server
+  - fedora-release-identity-server
+  - nftables
+  - wireguard-tools
+  - tailscale
+  - podman
+  - 'bird >= 2.15.1-1.fc40'
+  - 'kea = 2.4.1-5.fc40'
+  - dnsdist
+  - bind
+  - unbound
+  - openssh
+  - openssh-server
+  - openssh-clients
+  - 1password-cli
+  - git-core
+  - age
+  - gnupg2
+  - pam_duo
+  - pam_yubico
+  - chrony
+  - node-exporter
+  - haproxy
+  - mdns-repeater
+  - lldpd
+  - iperf
+  - iperf3
+  - radvd
+  - tayga
+  # missing: blocky, sops
+
+exclude-packages:
+  # remove Fedora specifics
+  - firewalld
+  - selinux-policy
+  - selinux-policy-targeted
+
+units:
+  - nftables.service
+  - tailscaled.service
+  - named.service
+  - unbound.service
+  - chronyd.service
+  - sshd.service
+  - node_exporter.service
+  - openvpn-server@.service
+  - mdns-repeater.service
+  - lldpd.service