diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0a1b083..2f569e9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,10 @@ jobs:
recipe:
# non-userns
# general
+ - recipes/general/recipe-aurora-main.yml
+ - recipes/general/recipe-aurora-nvidia.yml
+ - recipes/general/recipe-aurora-surface.yml
+ - recipes/general/recipe-aurora-surface-nvidia.yml
- recipes/general/recipe-silverblue-main.yml
- recipes/general/recipe-silverblue-nvidia.yml
- recipes/general/recipe-kinoite-main.yml
@@ -52,6 +56,14 @@ jobs:
- recipes/server/recipe-server-nvidia.yml
# userns
# general
+ - recipes/general/recipe-aurora-surface-userns.yml
+ - recipes/general/recipe-aurora-surface-nvidia-userns.yml
+ - recipes/general/recipe-aurora-dx-main-userns.yml
+ - recipes/general/recipe-aurora-dx-nvidia-userns.yml
+ - recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml
+ - recipes/general/recipe-aurora-dx-surface-userns.yml
+ - recipes/general/recipe-aurora-main-userns.yml
+ - recipes/general/recipe-aurora-nvidia-userns.yml
- recipes/general/recipe-silverblue-main-userns.yml
- recipes/general/recipe-silverblue-nvidia-userns.yml
- recipes/general/recipe-kinoite-main-userns.yml
@@ -96,7 +108,7 @@ jobs:
echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
- name: Verify base image
- if: ${{ ! contains(env.IMAGE_NAME, 'wayblue') }}
+ if: ${{ !contains(env.IMAGE_NAME, 'aurora') && !contains(env.IMAGE_NAME, 'wayblue') }}
uses: EyeCantCU/cosign-action/verify@v0.2.2
with:
containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
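Review bot: The new `!contains(env.IMAGE_NAME, 'aurora')` exclusion on the default verify step is only safe because a separate step with the Aurora key is added later in the same workflow, and nothing at this step says so; a future recipe whose name merely contains that substring would be silently routed away from the default key. Document the coupling with a comment above the step, `# aurora-* bases are signed with a different key; see the dedicated Verify step below`. If, as the new recipe names suggest, IMAGE_NAME always begins with the base name, the stricter `startsWith(env.IMAGE_NAME, 'aurora')` narrows the match. The enclosing steps list continues past this hunk.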
@@ -109,6 +121,14 @@ jobs:
registry: 'ghcr.io/wayblueorg'
pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub'
+ - name: Verify base image
+ if: ${{ contains(env.IMAGE_NAME, 'aurora') }}
+ uses: EyeCantCU/cosign-action/verify@v0.2.2
+ with:
+ containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
+ registry: 'ghcr.io/NiHaiden'
+ pubkey: 'https://raw.githubusercontent.com/NiHaiden/aurora/main/cosign.pub'
+
- name: Build secureblue
uses: blue-build/github-action@v1.2.0
with:
diff --git a/config/common/aurora-packages.yml b/config/common/aurora-packages.yml
new file mode 100644
index 0000000..daa9740
--- /dev/null
+++ b/config/common/aurora-packages.yml
@@ -0,0 +1,9 @@
+type: rpm-ostree
+remove:
+ - samba-common-tools
+ - samba-dcerpc
+ - samba-ldb-ldap-modules
+ - samba-winbind
+ - samba-winbind-clients
+ - samba-winbind-modules
+ - samba
diff --git a/config/recipes/general/recipe-aurora-dx-main-userns.yml b/config/recipes/general/recipe-aurora-dx-main-userns.yml
new file mode 100644
index 0000000..6853498
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-dx-main-userns.yml
@@ -0,0 +1,23 @@
+# image will be published to ghcr.io//
+name: aurora-dx-main-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora-dx main with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-dx
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - type: signing
+ - type: yafti
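Review bot: The trust root of the new Aurora verify step is a public key fetched over HTTPS from the mutable `main` branch of a third-party repository at build time, so whoever can push to that branch (or take over that account) can swap the key and this job will happily accept images signed with the replacement. Vendor `cosign.pub` into this repository and point `pubkey` at that file, or at least pin the raw URL to an immutable commit instead of `main`, so that a key rotation becomes a reviewed change here. Separately, `registry: 'ghcr.io/NiHaiden'` is mixed case while every new recipe uses `ghcr.io/nihaiden` and the existing wayblue step uses a lowercase namespace; OCI repository paths are lowercase, so unless the action normalizes the value the lookup may fail — `registry: 'ghcr.io/nihaiden'` matches the recipes. The action itself is pinned to a tag (`@v0.2.2`) like the pre-existing steps; a commit SHA would be the stronger pin, but that is an existing choice rather than something this hunk introduces.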
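Review bot: The new Samba removal list carries no comment saying why these packages are stripped from the Aurora base, so a later maintainer is likely to read it as a generic package trim and re-add them when something asks for winbind. Add a header above `remove:` such as `# Aurora's base ships Samba server/winbind components the other hardened bases do not; drop them to reduce network-facing attack surface` — hedged, since the kinoite-packages.yml this is layered on top of is not in the diff. It is also worth confirming that nothing left in the base still depends on one of these packages, because a failed `override remove` would break every Aurora recipe in this commit, all of which include this file.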
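Review bot: The `description` of this userns recipe is word-for-word the description the non-userns sibling recipes in this commit use (compare the `aurora-main` pair further down), so the published image metadata does not reveal that unprivileged user namespaces are left enabled, which is the only security-relevant difference between the two builds. Consider `description: "Aurora-dx main with some hardening applied (unprivileged user namespaces enabled)"` and the equivalent wording in the other `*-userns` recipes. The dx variants are added to the workflow matrix only as userns builds; if that is deliberate (the dx tooling presumably needs userns), a one-line comment in the recipe saying so would save the next reader the search.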
diff --git a/config/recipes/general/recipe-aurora-dx-nvidia-userns.yml b/config/recipes/general/recipe-aurora-dx-nvidia-userns.yml
new file mode 100644
index 0000000..2c8be7c
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-dx-nvidia-userns.yml
@@ -0,0 +1,23 @@
+# image will be published to ghcr.io//
+name: aurora-dx-nvidia-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora-dx nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-dx-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml b/config/recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml
new file mode 100644
index 0000000..2793b9a
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml
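Review bot: This recipe's module list is byte-identical to every other new Aurora userns recipe apart from `name` and `base-image`, so any hardening module added later has to be hand-copied into each sibling, and one missed copy yields an image that is labelled hardened but is missing a step. If blue-build's `from-file` accepts a file that itself carries a `modules:` list (the new aurora-packages.yml uses the single-module form, so check the docs), the nine shared entries can collapse into one `- from-file: common/aurora-userns-modules.yml`, leaving only the per-image lines here. The file header at the end of this line belongs to the next recipe, whose hunk starts on the following line.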
@@ -0,0 +1,23 @@
+# image will be published to ghcr.io//
+name: aurora-dx-surface-nvidia-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora-dx surface nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-dx-surface-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-dx-surface-userns.yml b/config/recipes/general/recipe-aurora-dx-surface-userns.yml
new file mode 100644
index 0000000..cdba47a
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-dx-surface-userns.yml
@@ -0,0 +1,23 @@
+# image will be published to ghcr.io//
+name: aurora-dx-surface-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora-dx surface with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-dx-surface
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-main-userns.yml b/config/recipes/general/recipe-aurora-main-userns.yml
new file mode 100644
index 0000000..bbe07a5
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-main-userns.yml
@@ -0,0 +1,23 @@
+# image will be published to ghcr.io//
+name: aurora-main-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora main with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-main.yml b/config/recipes/general/recipe-aurora-main.yml
new file mode 100644
index 0000000..d097086
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-main.yml
@@ -0,0 +1,25 @@
+# image will be published to ghcr.io//
+name: aurora-main-hardened
+# description will be included in the image's metadata
+description: "Aurora main with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/disableuserns-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - from-file: common/disableuserns-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-nvidia-userns.yml b/config/recipes/general/recipe-aurora-nvidia-userns.yml
new file mode 100644
index 0000000..cff501c
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-nvidia-userns.yml
@@ -0,0 +1,23 @@
+# image will be published to ghcr.io//
+name: aurora-nvidia-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-nvidia.yml b/config/recipes/general/recipe-aurora-nvidia.yml
new file mode 100644
index 0000000..765db9b
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-nvidia.yml
@@ -0,0 +1,25 @@
+# image will be published to ghcr.io//
+name: aurora-nvidia-hardened
+# description will be included in the image's metadata
+description: "Aurora nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/disableuserns-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - from-file: common/disableuserns-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-surface-nvidia-userns.yml b/config/recipes/general/recipe-aurora-surface-nvidia-userns.yml
new file mode 100644
index 0000000..866b539
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-surface-nvidia-userns.yml
@@ -0,0 +1,23 @@
+# image will be published to ghcr.io//
+name: aurora-surface-nvidia-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora surface nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-surface-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-surface-nvidia.yml b/config/recipes/general/recipe-aurora-surface-nvidia.yml
new file mode 100644
index 0000000..2a060ec
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-surface-nvidia.yml
@@ -0,0 +1,25 @@
+# image will be published to ghcr.io//
+name: aurora-surface-nvidia-hardened
+# description will be included in the image's metadata
+description: "Aurora surface nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-surface-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/disableuserns-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - from-file: common/disableuserns-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-surface-userns.yml b/config/recipes/general/recipe-aurora-surface-userns.yml
new file mode 100644
index 0000000..de39577
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-surface-userns.yml
@@ -0,0 +1,23 @@
+# image will be published to ghcr.io//
+name: aurora-surface-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora surface with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-surface
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - type: signing
+ - type: yafti
diff --git a/config/recipes/general/recipe-aurora-surface.yml b/config/recipes/general/recipe-aurora-surface.yml
new file mode 100644
index 0000000..79868ee
--- /dev/null
+++ b/config/recipes/general/recipe-aurora-surface.yml
@@ -0,0 +1,25 @@
+# image will be published to ghcr.io//
+name: aurora-surface-hardened
+# description will be included in the image's metadata
+description: "Aurora surface with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-surface
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+ - from-file: common/kinoite-packages.yml
+ - from-file: common/aurora-packages.yml
+ - from-file: common/gui-packages.yml
+ - from-file: common/common-packages.yml
+ - from-file: common/disableuserns-packages.yml
+ - from-file: common/gui-scripts.yml
+ - from-file: common/bluefin-scripts.yml
+ - from-file: common/kinoite-files.yml
+ - from-file: common/common-files.yml
+ - from-file: common/common-scripts.yml
+ - from-file: common/disableuserns-scripts.yml
+ - type: signing
+ - type: yafti