From 150b2c2b25d1645f4cf344e4100eaf1e13783171 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Fri, 15 Nov 2024 12:13:44 -0800
Subject: [PATCH] feat: numerous fixes and improvements (#580)
---
 docs/FAQ.md | 2 +-
 docs/POSTINSTALL-README.md | 2 +-
 files/justfiles/brew.just | 17 +++++++++++++----
 files/scripts/enablesecurebluefirstrun.sh | 7 +++++++
 files/system/usr/bin/securebluecleanup | 14 ++++++++++++++
 files/system/usr/bin/securebluefirstrun | 8 ++++++++
 .../systemd/system/securebluecleanup.service | 14 ++++++++++++++
 .../systemd/system/securebluefirstrun.service | 14 ++++++++++++++
 files/system/usr/libexec/ublue-motd | 14 ++++++--------
 .../usr/share/ublue-os/firstboot/yafti.yml | 6 +++---
 .../usr/share/ublue-os/motd/secureblue.md | 14 ++++++++++++++
 .../usr/share/ublue-os/motd/secureblue.txt | 14 --------------
 recipes/common/common-scripts.yml | 1 +
 13 files changed, 96 insertions(+), 31 deletions(-)
 create mode 100644 files/scripts/enablesecurebluefirstrun.sh
 create mode 100755 files/system/usr/bin/securebluecleanup
 create mode 100755 files/system/usr/bin/securebluefirstrun
 create mode 100644 files/system/usr/lib/systemd/system/securebluecleanup.service
 create mode 100644 files/system/usr/lib/systemd/system/securebluefirstrun.service
 create mode 100644 files/system/usr/share/ublue-os/motd/secureblue.md
 delete mode 100644 files/system/usr/share/ublue-os/motd/secureblue.txt
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 5a4009d..2b0babf 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -98,7 +98,7 @@ For more technical detail, see [#268](https://github.com/secureblue/secureblue/i The DNSSEC setting we set in `/etc/systemd/resolved.conf.d/securedns.conf` causes known issues with network connectivity when secureblue is used in a VM. To fix it, comment out `DNSSEC=allow-downgrade` in that file and manually set a dns provider in network settings. -#### How do I get notified of secureblue changes? +#### Release notifications On the secureblue github page, click "Watch", and then "Custom", and select Releases like so: diff --git a/docs/POSTINSTALL-README.md b/docs/POSTINSTALL-README.md index 8509d70..a81d93b 100644 --- a/docs/POSTINSTALL-README.md +++ b/docs/POSTINSTALL-README.md @@ -4,7 +4,7 @@ After rebasing to secureblue, follow the following steps in order. ## Subscribe to secureblue release notifications -[FAQ](FAQ.md#how-do-i-get-notified-of-secureblue-changes) +[FAQ](FAQ.md#release-notifications) ## Nvidia If you are using an nvidia image, run this after installation: diff --git a/files/justfiles/brew.just b/files/justfiles/brew.just index 9c7a3da..a2f090f 100644 --- a/files/justfiles/brew.just +++ b/files/justfiles/brew.just @@ -1,6 +1,6 @@ alias brew := install-brew -# Install Homebrew | https://brew.sh +# Install Homebrew (Brew is now included by default. This command remains included for utility.) install-brew: #!/usr/bin/env bash source /usr/lib/ujust/ujust.sh 
@@ -18,7 +18,16 @@ install-brew:
 fi
 fi
-# Removes homebrew from system
+# Removes Homebrew from system. Warning! This will break MOTD and profile.d!
 remove-brew:
- echo "Removing homebrew ..."
- /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
+ #!/usr/bin/env bash
+ echo "Removing Homebrew is NOT supported."
+ echo "Doing so will break MOTD and profile.d!"
+ echo "Do you understand?"
+ echo "Please type in \"YES I UNDERSTAND\" and press enter"
+ read ACCEPT
+ if [ "$ACCEPT" = "YES I UNDERSTAND" ]; then
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
+ else
+ echo "Capitalization matters when you type \"YES I UNDERSTAND\""
+ fi
diff --git a/files/scripts/enablesecurebluefirstrun.sh b/files/scripts/enablesecurebluefirstrun.sh
new file mode 100644
index 0000000..4288df2
--- /dev/null
+++ b/files/scripts/enablesecurebluefirstrun.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+systemctl enable securebluefirstrun.service
+systemctl enable securebluecleanup.service
\ No newline at end of file
diff --git a/files/system/usr/bin/securebluecleanup b/files/system/usr/bin/securebluecleanup
new file mode 100755
index 0000000..0171eb8
--- /dev/null
+++ b/files/system/usr/bin/securebluecleanup
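Review bot: `read ACCEPT` in the new remove-brew body drops `-r`, so a backslash in the typed confirmation is interpreted instead of compared literally; use `read -r ACCEPT`. The confirmation gate still hands the output of `curl -fsSL` on an unpinned `HEAD` URL straight to `/bin/bash -c`, so whatever that URL serves at run time executes as the invoking user with no pin and no integrity check — if the recipe is kept, download to a `mktemp` file, pin a specific commit in the URL and compare a known digest before executing it. A one-line comment above the curl line stating that the uninstaller is fetched and executed from the network would also make the trust decision visible to readers of the justfile.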
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Remove vestigial authselect overrides from Anaconda
+cp /usr/etc/authselect/system-auth /etc/authselect/system-auth
+cp /usr/etc/authselect/fingerprint-auth /etc/authselect/fingerprint-auth
+cp /usr/etc/authselect/dconf-db /etc/authselect/dconf-db
+cp /usr/etc/authselect/authselect.conf /etc/authselect/authselect.conf
+
+# Ensure we are on signed
+RPM_OSTREE_STATUS=$(rpm-ostree status --json --booted)
+IMAGE_REF_NAME=$(echo $RPM_OSTREE_STATUS | jq -r '.deployments[0]."container-image-reference" // empty | split("/")[-1]')
+rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_REF_NAME
+
diff --git a/files/system/usr/bin/securebluefirstrun b/files/system/usr/bin/securebluefirstrun
new file mode 100755
index 0000000..e18c338
--- /dev/null
+++ b/files/system/usr/bin/securebluefirstrun
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+[[ -d /home/linuxbrew/.linuxbrew && $- == *i* ]] && eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+
+# Install required brew packages
+/home/linuxbrew/.linuxbrew/bin/brew install fzf gum glow
+
diff --git a/files/system/usr/lib/systemd/system/securebluecleanup.service b/files/system/usr/lib/systemd/system/securebluecleanup.service
new file mode 100644
index 0000000..156b54a
--- /dev/null
+++ b/files/system/usr/lib/systemd/system/securebluecleanup.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Secureblue Cleanup
+After=local-fs.target network-online.target
+Requires=local-fs.target network-online.target
+Before=graphical-session-pre.target
+ConditionPathExists=!/var/lib/secureblue-cleanup.stamp
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securebluecleanup
+ExecStartPost=/usr/bin/touch /var/lib/secureblue-cleanup.stamp
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
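Review bot: `echo $RPM_OSTREE_STATUS` in securebluecleanup passes the JSON through word splitting and globbing before jq sees it, and when jq's `// empty` yields nothing `IMAGE_REF_NAME` is the empty string, so this root-run script would call `rpm-ostree rebase` against `ghcr.io/secureblue/` with no image name. Feed jq directly and refuse to rebase without a name: `IMAGE_REF_NAME=$(rpm-ostree status --json --booted | jq -r '.deployments[0]."container-image-reference" // empty | split("/")[-1]')`, `[[ -n "$IMAGE_REF_NAME" ]] || { echo "securebluecleanup: no container image reference found" >&2; exit 1; }`, `rpm-ostree rebase "ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_REF_NAME"`. Exiting non-zero here is the right outcome because the unit's stamp is written only in `ExecStartPost`, so the cleanup stays pending for the next boot instead of being marked done. The `# Ensure we are on signed` comment would read better as `# Rebase the booted deployment onto the signature-verified (ostree-image-signed) ref of the same image`.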
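Review bot: The `$- == *i*` test on the fourth line of securebluefirstrun can never hold when the script is started by a systemd oneshot unit, so the `eval "$(... brew shellenv)"` never runs and the line is dead; the following `brew install` already uses the absolute path, so either drop the line or drop the interactive check if the shellenv variables are actually needed. A header comment would help the next reader, e.g. `# One-shot, run by securebluefirstrun.service: install the brew packages the MOTD tooling depends on (glow is used by ublue-motd)`. Whether the brew prefix is writable by the unit's user cannot be confirmed from this script alone.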
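Review bot: `Before=graphical-session-pre.target` in securebluecleanup.service names what is, as far as I know, a target owned by the per-user systemd instance, so from a system unit it most likely orders against nothing; if the intent is to finish the authselect and rebase work before the login screen, `Before=display-manager.service` is the system-level ordering. `Requires=network-online.target` is stronger than the customary `Wants=` and fails the unit outright when the target is unreachable — tolerable here because the stamp is only touched in `ExecStartPost` after a successful run, but that retry-on-next-boot behaviour deserves a comment such as `# Stamp is written only on success, so a failed run is retried at the next boot` above `ConditionPathExists`. A `# Runs as root: rewrites /etc/authselect and rebases the booted deployment` line above `[Service]` would also make the privilege involved explicit.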
diff --git a/files/system/usr/lib/systemd/system/securebluefirstrun.service b/files/system/usr/lib/systemd/system/securebluefirstrun.service
new file mode 100644
index 0000000..fc318bf
--- /dev/null
+++ b/files/system/usr/lib/systemd/system/securebluefirstrun.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Secureblue Firstrun
+After=brew-setup.service
+Requires=brew-setup.service
+ConditionPathExists=!/home/linuxbrew/secureblue-firstrun.stamp
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securebluefirstrun
+ExecStartPost=/usr/bin/touch /home/linuxbrew/secureblue-firstrun.stamp
+User=1000
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/system/usr/libexec/ublue-motd
index a77ba32..63ade9b 100755
--- a/files/system/usr/libexec/ublue-motd
+++ b/files/system/usr/libexec/ublue-motd
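Review bot: `User=1000` hard-codes the first account's UID; if that account does not exist, or is not the one that owns the brew prefix, the unit fails on every boot, and `ExecStartPost=/usr/bin/touch /home/linuxbrew/secureblue-firstrun.stamp` runs as that UID too, so it depends on write access to `/home/linuxbrew` that the unit does not establish. The script it runs performs `brew install`, which needs the network, yet the unit orders only after `brew-setup.service`; unless that unit already waits for connectivity, add `After=network-online.target` and `Wants=network-online.target`. Because the stamp is written only when `brew install` succeeds, a failed install is retried at the next boot — a comment saying so above `ConditionPathExists` would make that intent clear.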
@@ -23,16 +23,14 @@ done
 if $isDeprecated; then
- TIP='~~~ NOTICE: You are on a deprecated image, please rebase. ~~~\n~~~ For more information, visit https://github.com/secureblue/secureblue/blob/live/files/system/usr/libexec/deprecated-images.json.md ~~~'
+ TIP='**You are on a deprecated image,** [rebase:](https://github.com/secureblue/secureblue/blob/live/files/system/usr/libexec/deprecated-images.json.md)'
 elif [ "$IMAGE_TAG" != "latest" ]; then
- TIP='~~~ NOTICE: You are on a specific tag, which is unsupported by secureblue. Rebase to the `latest` tag to ensure you continue to receive updates. ~~~'
+ TIP='**You are on a specific tag, which is unsupported by secureblue. Rebase to the `latest` tag to ensure you continue to receive updates.**'
 elif [ "$DIFFERENCE" -ge "$WEEK" ]; then
- TIP='~~~ NOTICE: Your current image is over 1 week old, run `ujust update`. ~~~'
+ TIP='**Your current image is over 1 week old, run `ujust update`.**'
 else
- TIP='~~~ NOTICE: Subscribe to secureblue release notifications: https://github.com/secureblue/secureblue/blob/live/FAQ.md#how-do-i-get-notified-of-secureblue-changes ~~~'
+ TIP='**For secureblue release notifications,** [subscribe:](https://github.com/secureblue/secureblue/blob/live/FAQ.md#release-notifications)'
 fi
-TIP_OUTPUT=$(sed -e "s/%IMAGE_REF_NAME%/$IMAGE_REF_NAME/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG/g" -e "s|%TIP%|$TIP|g" /usr/share/ublue-os/motd/secureblue.txt)
-while IFS= read -r line; do
- echo "$line"
-done <<< $TIP_OUTPUT
+sed -e "s/%IMAGE_REF_NAME%/$IMAGE_REF_NAME/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG/g" -e "s|%TIP%|$TIP|g" /usr/share/ublue-os/motd/secureblue.md | tr '~' '\n' | glow -s auto -w 78 -
+
diff --git a/files/system/usr/share/ublue-os/firstboot/yafti.yml b/files/system/usr/share/ublue-os/firstboot/yafti.yml
index d30704a..c67f990 100644
--- a/files/system/usr/share/ublue-os/firstboot/yafti.yml
+++ b/files/system/usr/share/ublue-os/firstboot/yafti.yml
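Review bot: The rewritten `sed` line still interpolates `$IMAGE_REF_NAME` and `$IMAGE_TAG` unescaped into `s/…/…/g` expressions, so a `/`, `&` or `\` in either value breaks or rewrites the substitution, and the new `tr '~' '\n'` turns every tilde in the rendered text — including one inside the image ref — into a line break; the assignments of those variables are above the hunk. The MOTD now hard-depends on `glow`, which this change installs through Homebrew under `/home/linuxbrew/.linuxbrew/bin`; in a shell where that prefix is not on `PATH`, or before securebluefirstrun.service has run, the pipeline prints a command-not-found error instead of the banner. Guard it with `command -v glow >/dev/null 2>&1` and fall back to printing the substituted markdown without `glow` when it is absent, and note the reliance on tildes as line breaks in a comment such as `# secureblue.md uses '~' as a line-break marker for glow`.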
@@ -86,7 +86,7 @@ screens:
 title: "Yafti run complete!"
 icon: "/path/to/icon"
 links:
- - "POSTINSTALL-README":
- run: /usr/bin/xdg-open https://github.com/secureblue/secureblue/blob/live/POSTINSTALL-README.md
+ - "Post-install README":
+ run: /usr/bin/xdg-open https://github.com/secureblue/secureblue/blob/live/docs/POSTINSTALL-README.md
 description: |
- Complete your secureblue installation by following the POSTINSTALL-README.
+ Complete your secureblue installation by following the Post-install README.
diff --git a/files/system/usr/share/ublue-os/motd/secureblue.md b/files/system/usr/share/ublue-os/motd/secureblue.md
new file mode 100644
index 0000000..3136645
--- /dev/null
+++ b/files/system/usr/share/ublue-os/motd/secureblue.md
@@ -0,0 +1,14 @@
+# Welcome to secureblue!
+Your image is: `%IMAGE_REF_NAME%`
+
+| Command | Description |
+| ------- | ----------- |
+| `ujust --choose` | List all available commands |
+| `ujust toggle-user-motd` | Toggle this banner on/off |
+
+%TIP%
+
+- [Report an issue](https://github.com/secureblue/secureblue/issues)
+- [FAQ](https://github.com/secureblue/secureblue/blob/live/docs/FAQ.md)
+- [Donate](https://github.com/secureblue/secureblue/blob/live/docs/DONATE.md)
+- [Discord](https://discord.gg/qMTv5cKfbF)
diff --git a/files/system/usr/share/ublue-os/motd/secureblue.txt b/files/system/usr/share/ublue-os/motd/secureblue.txt
deleted file mode 100644
index 154cbf7..0000000
--- a/files/system/usr/share/ublue-os/motd/secureblue.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Welcome to secureblue!
-Your image is: %IMAGE_REF_NAME%
-
-Commands:
-| `ujust` | List all available commands |
-| `ujust toggle-user-motd` | Toggle this banner on/off |
-
-%TIP%
-
-To report an issue: https://github.com/secureblue/secureblue/issues
-FAQ: https://github.com/secureblue/secureblue/blob/live/FAQ.md
-Donate: https://github.com/secureblue/secureblue/blob/live/DONATE.md
-Discord: https://discord.gg/qMTv5cKfbF
-
diff --git a/recipes/common/common-scripts.yml b/recipes/common/common-scripts.yml
index fd578bf..7bd80e0 100644
--- a/recipes/common/common-scripts.yml
+++ b/recipes/common/common-scripts.yml
@@ -8,3 +8,4 @@ scripts:
 - removesuid.sh
 - disablegeoclue.sh
 - hardencontainerpolicy.sh
+ - enablesecurebluefirstrun.sh