feat: numerous fixes and improvements (#580)

docs/FAQ.md

@@ -98,7 +98,7 @@ For more technical detail, see [#268](https://github.com/secureblue/secureblue/i
 
 The DNSSEC setting we set in `/etc/systemd/resolved.conf.d/securedns.conf` causes known issues with network connectivity when secureblue is used in a VM. To fix it, comment out `DNSSEC=allow-downgrade` in that file and manually set a dns provider in network settings.
 
-#### How do I get notified of secureblue changes?
+#### Release notifications
 
 On the secureblue github page, click "Watch", and then "Custom", and select Releases like so:
 

docs/POSTINSTALL-README.md

@@ -4,7 +4,7 @@ After rebasing to secureblue, follow the following steps in order.
 
 ## Subscribe to secureblue release notifications
 
-[FAQ](FAQ.md#how-do-i-get-notified-of-secureblue-changes)
+[FAQ](FAQ.md#release-notifications)
 
 ## Nvidia
 If you are using an nvidia image, run this after installation:

files/justfiles/brew.just

@@ -1,6 +1,6 @@
 alias brew := install-brew
 
-# Install Homebrew | https://brew.sh
+# Install Homebrew (Brew is now included by default. This command remains included for utility.)
 install-brew:
     #!/usr/bin/env bash
     source /usr/lib/ujust/ujust.sh
@@ -18,7 +18,16 @@ install-brew:
         fi
     fi
 
-# Removes homebrew from system
+# Removes Homebrew from system. Warning! This will break MOTD and profile.d!
 remove-brew:
-    echo "Removing homebrew ..."
-    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
+    #!/usr/bin/env bash
+    echo "Removing Homebrew is NOT supported."
+    echo "Doing so will break MOTD and profile.d!"
+    echo "Do you understand?"
+    echo "Please type in \"YES I UNDERSTAND\" and press enter"
+    read ACCEPT
+    if [ "$ACCEPT" = "YES I UNDERSTAND" ]; then
+      /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
+    else
+      echo "Capitalization matters when you type \"YES I UNDERSTAND\""
+    fi

files/scripts/enablesecurebluefirstrun.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+systemctl enable securebluefirstrun.service
+systemctl enable securebluecleanup.service

files/system/usr/bin/securebluecleanup

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Remove vestigial authselect overrides from Anaconda
+cp /usr/etc/authselect/system-auth /etc/authselect/system-auth
+cp /usr/etc/authselect/fingerprint-auth /etc/authselect/fingerprint-auth
+cp /usr/etc/authselect/dconf-db /etc/authselect/dconf-db
+cp /usr/etc/authselect/authselect.conf /etc/authselect/authselect.conf
+
+# Ensure we are on signed
+RPM_OSTREE_STATUS=$(rpm-ostree status --json --booted)
+IMAGE_REF_NAME=$(echo $RPM_OSTREE_STATUS | jq -r '.deployments[0]."container-image-reference" // empty | split("/")[-1]')
+rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_REF_NAME
+

files/system/usr/bin/securebluefirstrun

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+[[ -d /home/linuxbrew/.linuxbrew && $- == *i* ]] && eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+
+# Install required brew packages
+/home/linuxbrew/.linuxbrew/bin/brew install fzf gum glow
+

files/system/usr/lib/systemd/system/securebluecleanup.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Secureblue Cleanup
+After=local-fs.target network-online.target
+Requires=local-fs.target network-online.target
+Before=graphical-session-pre.target
+ConditionPathExists=!/var/lib/secureblue-cleanup.stamp
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securebluecleanup
+ExecStartPost=/usr/bin/touch /var/lib/secureblue-cleanup.stamp
+
+[Install]
+WantedBy=multi-user.target

files/system/usr/lib/systemd/system/securebluefirstrun.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Secureblue Firstrun
+After=brew-setup.service
+Requires=brew-setup.service
+ConditionPathExists=!/home/linuxbrew/secureblue-firstrun.stamp
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securebluefirstrun
+ExecStartPost=/usr/bin/touch /home/linuxbrew/secureblue-firstrun.stamp
+User=1000
+
+[Install]
+WantedBy=multi-user.target

files/system/usr/libexec/ublue-motd

@@ -23,16 +23,14 @@ done
 
 
 if $isDeprecated; then
-    TIP='~~~ NOTICE: You are on a deprecated image, please rebase. ~~~\n~~~ For more information, visit https://github.com/secureblue/secureblue/blob/live/files/system/usr/libexec/deprecated-images.json.md ~~~'
+    TIP='**You are on a deprecated image,** [rebase:](https://github.com/secureblue/secureblue/blob/live/files/system/usr/libexec/deprecated-images.json.md)'
 elif [ "$IMAGE_TAG" != "latest" ]; then
-    TIP='~~~ NOTICE: You are on a specific tag, which is unsupported by secureblue. Rebase to the `latest` tag to ensure you continue to receive updates. ~~~'
+    TIP='**You are on a specific tag, which is unsupported by secureblue. Rebase to the `latest` tag to ensure you continue to receive updates.**'
 elif [ "$DIFFERENCE" -ge "$WEEK" ]; then
-    TIP='~~~ NOTICE: Your current image is over 1 week old, run `ujust update`. ~~~'
+    TIP='**Your current image is over 1 week old, run `ujust update`.**'
 else
-    TIP='~~~ NOTICE: Subscribe to secureblue release notifications: https://github.com/secureblue/secureblue/blob/live/FAQ.md#how-do-i-get-notified-of-secureblue-changes ~~~'
+    TIP='**For secureblue release notifications,** [subscribe:](https://github.com/secureblue/secureblue/blob/live/FAQ.md#release-notifications)'
 fi
 
-TIP_OUTPUT=$(sed -e "s/%IMAGE_REF_NAME%/$IMAGE_REF_NAME/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG/g" -e "s|%TIP%|$TIP|g" /usr/share/ublue-os/motd/secureblue.txt)
-while IFS= read -r line; do
-    echo "$line"
-done <<< $TIP_OUTPUT
+sed -e "s/%IMAGE_REF_NAME%/$IMAGE_REF_NAME/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG/g" -e "s|%TIP%|$TIP|g" /usr/share/ublue-os/motd/secureblue.md | tr '~' '\n' | glow -s auto -w 78 -
+

files/system/usr/share/ublue-os/firstboot/yafti.yml

@@ -86,7 +86,7 @@ screens:
       title: "Yafti run complete!"
       icon: "/path/to/icon"
       links:
-        - "POSTINSTALL-README":
-            run: /usr/bin/xdg-open https://github.com/secureblue/secureblue/blob/live/POSTINSTALL-README.md
+        - "Post-install README":
+            run: /usr/bin/xdg-open https://github.com/secureblue/secureblue/blob/live/docs/POSTINSTALL-README.md
       description: |
-        Complete your secureblue installation by following the POSTINSTALL-README.
+        Complete your secureblue installation by following the Post-install README.

files/system/usr/share/ublue-os/motd/secureblue.md

@@ -0,0 +1,14 @@
+# Welcome to secureblue!
+Your image is: `%IMAGE_REF_NAME%`
+
+| Command | Description |
+| ------- | ----------- |
+| `ujust --choose`  | List all available commands |
+| `ujust toggle-user-motd` | Toggle this banner on/off |
+
+%TIP%
+
+- [Report an issue](https://github.com/secureblue/secureblue/issues)
+- [FAQ](https://github.com/secureblue/secureblue/blob/live/docs/FAQ.md)
+- [Donate](https://github.com/secureblue/secureblue/blob/live/docs/DONATE.md)
+- [Discord](https://discord.gg/qMTv5cKfbF)

files/system/usr/share/ublue-os/motd/secureblue.txt

@@ -1,14 +0,0 @@
-Welcome to secureblue!
-Your image is: %IMAGE_REF_NAME%
-
-Commands:
-| `ujust`  | List all available commands |
-| `ujust toggle-user-motd` | Toggle this banner on/off |
-
-%TIP%
-
-To report an issue: https://github.com/secureblue/secureblue/issues
-FAQ: https://github.com/secureblue/secureblue/blob/live/FAQ.md
-Donate: https://github.com/secureblue/secureblue/blob/live/DONATE.md
-Discord: https://discord.gg/qMTv5cKfbF
-

recipes/common/common-scripts.yml

@@ -8,3 +8,4 @@ scripts:
   - removesuid.sh
   - disablegeoclue.sh
   - hardencontainerpolicy.sh
+  - enablesecurebluefirstrun.sh