add: Aurora images to secureblue (#249)

.github/workflows/build.yml

@@ -24,6 +24,10 @@ jobs:
         recipe:
           # non-userns
           # general
+          - recipes/general/recipe-aurora-main.yml
+          - recipes/general/recipe-aurora-nvidia.yml
+          - recipes/general/recipe-aurora-surface.yml
+          - recipes/general/recipe-aurora-surface-nvidia.yml
           - recipes/general/recipe-silverblue-main.yml
           - recipes/general/recipe-silverblue-nvidia.yml
           - recipes/general/recipe-kinoite-main.yml
@@ -52,6 +56,14 @@ jobs:
           - recipes/server/recipe-server-nvidia.yml
           # userns
           # general
+          - recipes/general/recipe-aurora-surface-userns.yml
+          - recipes/general/recipe-aurora-surface-nvidia-userns.yml
+          - recipes/general/recipe-aurora-dx-main-userns.yml
+          - recipes/general/recipe-aurora-dx-nvidia-userns.yml
+          - recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml
+          - recipes/general/recipe-aurora-dx-surface-userns.yml
+          - recipes/general/recipe-aurora-main-userns.yml
+          - recipes/general/recipe-aurora-nvidia-userns.yml
           - recipes/general/recipe-silverblue-main-userns.yml
           - recipes/general/recipe-silverblue-nvidia-userns.yml
           - recipes/general/recipe-kinoite-main-userns.yml
@@ -96,7 +108,7 @@ jobs:
           echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
 
       - name: Verify base image
-        if: ${{ ! contains(env.IMAGE_NAME, 'wayblue') }}
+        if: ${{ !contains(env.IMAGE_NAME, 'aurora') && !contains(env.IMAGE_NAME, 'wayblue') }}
         uses: EyeCantCU/cosign-action/verify@v0.2.2
         with:
           containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
@@ -109,6 +121,14 @@ jobs:
           registry: 'ghcr.io/wayblueorg'
           pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub'
 
+      - name: Verify base image
+        if: ${{ contains(env.IMAGE_NAME, 'aurora') }}
+        uses: EyeCantCU/cosign-action/verify@v0.2.2
+        with:
+          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
+          registry: 'ghcr.io/NiHaiden'
+          pubkey: 'https://raw.githubusercontent.com/NiHaiden/aurora/main/cosign.pub'
+
       - name: Build secureblue
         uses: blue-build/github-action@v1.2.0
         with:

config/common/aurora-packages.yml

@@ -0,0 +1,9 @@
+type: rpm-ostree
+remove:
+  - samba-common-tools
+  - samba-dcerpc
+  - samba-ldb-ldap-modules
+  - samba-winbind
+  - samba-winbind-clients
+  - samba-winbind-modules
+  - samba

config/recipes/general/recipe-aurora-dx-main-userns.yml

@@ -0,0 +1,23 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-dx-main-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora-dx main with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-dx
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-dx-nvidia-userns.yml

@@ -0,0 +1,23 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-dx-nvidia-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora-dx nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-dx-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml

@@ -0,0 +1,23 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-dx-surface-nvidia-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora-dx surface nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-dx-surface-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-dx-surface-userns.yml

@@ -0,0 +1,23 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-dx-surface-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora-dx surface with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-dx-surface
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-main-userns.yml

@@ -0,0 +1,23 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-main-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora main with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-main.yml

@@ -0,0 +1,25 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-main-hardened
+# description will be included in the image's metadata
+description: "Aurora main with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/disableuserns-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - from-file: common/disableuserns-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-nvidia-userns.yml

@@ -0,0 +1,23 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-nvidia-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-nvidia.yml

@@ -0,0 +1,25 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-nvidia-hardened
+# description will be included in the image's metadata
+description: "Aurora nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/disableuserns-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - from-file: common/disableuserns-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-surface-nvidia-userns.yml

@@ -0,0 +1,23 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-surface-nvidia-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora surface nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-surface-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-surface-nvidia.yml

@@ -0,0 +1,25 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-surface-nvidia-hardened
+# description will be included in the image's metadata
+description: "Aurora surface nvidia with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-surface-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/disableuserns-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - from-file: common/disableuserns-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-surface-userns.yml

@@ -0,0 +1,23 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-surface-userns-hardened
+# description will be included in the image's metadata
+description: "Aurora surface with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-surface
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - type: signing
+  - type: yafti 

config/recipes/general/recipe-aurora-surface.yml

@@ -0,0 +1,25 @@
+# image will be published to ghcr.io/<user>/<name>
+name: aurora-surface-hardened
+# description will be included in the image's metadata
+description: "Aurora surface with some hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/nihaiden/aurora-surface
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+  - from-file: common/kinoite-packages.yml
+  - from-file: common/aurora-packages.yml
+  - from-file: common/gui-packages.yml
+  - from-file: common/common-packages.yml
+  - from-file: common/disableuserns-packages.yml
+  - from-file: common/gui-scripts.yml
+  - from-file: common/bluefin-scripts.yml
+  - from-file: common/kinoite-files.yml
+  - from-file: common/common-files.yml
+  - from-file: common/common-scripts.yml
+  - from-file: common/disableuserns-scripts.yml
+  - type: signing
+  - type: yafti