From e86816d0526d78449bd9775d82f9989b520f441c Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Mon, 11 Nov 2024 16:11:37 -0800 Subject: [PATCH] chore: switch to bluebuild's justfile module with validation (#556) --- .../just/70-secureblue.just.readme.md => docs/KARGS.md | 0 docs/POSTINSTALL-README.md | 2 +- docs/README.md | 2 +- .../ublue-os/just/50-brew.just => justfiles/brew.just} | 4 ++-- .../70-secureblue.just => justfiles/secureblue.just} | 8 ++------ files/scripts/addbrewjustimport.sh | 10 ---------- files/scripts/addjustconfig.sh | 9 --------- recipes/common/common-modules.yml | 2 ++ recipes/common/common-scripts.yml | 2 -- 9 files changed, 8 insertions(+), 31 deletions(-) rename files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md => docs/KARGS.md (100%) rename files/{system/usr/share/ublue-os/just/50-brew.just => justfiles/brew.just} (96%) rename files/{system/usr/share/ublue-os/just/70-secureblue.just => justfiles/secureblue.just} (99%) delete mode 100644 files/scripts/addbrewjustimport.sh delete mode 100644 files/scripts/addjustconfig.sh diff --git a/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md b/docs/KARGS.md similarity index 100% rename from files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md rename to docs/KARGS.md diff --git a/docs/POSTINSTALL-README.md b/docs/POSTINSTALL-README.md index 6d93c13..52ff081 100644 --- a/docs/POSTINSTALL-README.md +++ b/docs/POSTINSTALL-README.md @@ -39,7 +39,7 @@ ujust enroll-secure-boot-key ## Set hardened kargs > [!NOTE] -> Learn about the hardening applied by the kargs set by the command below [here](/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md). +> Learn about the hardening applied by the kargs set by the command below [here](KARGS.md). ``` ujust set-kargs-hardening diff --git a/docs/README.md b/docs/README.md index 73c92d7..e1db63b 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -37,7 +37,7 @@ The following are not in scope:
 - Adds per-network MAC randomization
 - Blacklisting numerous unused kernel modules to reduce attack surface [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf)
 - Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default
-- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) [details](https://github.com/secureblue/secureblue/blob/live/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md)
+- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) [details](KARGS.md)
 - Reduce the sudo timeout to 1 minute
 - Require wheel user authentication via polkit for `rpm-ostree install` [why?](https://github.com/rohanssrao/silverblue-privesc)
 - Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
diff --git a/files/system/usr/share/ublue-os/just/50-brew.just b/files/justfiles/brew.just
similarity index 96%
rename from files/system/usr/share/ublue-os/just/50-brew.just
rename to files/justfiles/brew.just
index af36147..9c7a3da 100644
--- a/files/system/usr/share/ublue-os/just/50-brew.just
+++ b/files/justfiles/brew.just
@@ -17,8 +17,8 @@ install-brew:
 echo "Capitalization matters when you type \"YES I UNDERSTAND\""
 fi
 fi
-
+
 # Removes homebrew from system
 remove-brew:
 echo "Removing homebrew ..."
- /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
\ No newline at end of file
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
diff --git a/files/system/usr/share/ublue-os/just/70-secureblue.just b/files/justfiles/secureblue.just similarity index 99% rename from files/system/usr/share/ublue-os/just/70-secureblue.just rename to files/justfiles/secureblue.just index 29703af..be37a6a 100644 --- a/files/system/usr/share/ublue-os/just/70-secureblue.just +++ b/files/justfiles/secureblue.just @@ -160,7 +160,7 @@ override-enable-module mod_name: sudo chmod 644 $MOD_FILE echo "Override created to enable $MOD_NAME module. Reboot to take effect." fi - + # reset the override by `just override-enable-module`, i.e. disable the module again (requires restart) override-reset-module mod_name: #!/usr/bin/pkexec /usr/bin/bash @@ -173,7 +173,6 @@ override-reset-module mod_name: echo "No override found for $MOD_NAME module." fi - # Setup USBGuard setup-usbguard: #!/usr/bin/bash @@ -193,7 +192,6 @@ setup-usbguard: rerun-yafti: yafti -f /usr/share/ublue-os/firstboot/yafti.yml - # Toggle anticheat support by changing ptrace scope (requires restart) toggle-anticheat-support: #!/usr/bin/pkexec /usr/bin/bash @@ -495,7 +493,6 @@ audit-secureblue: print_status "$USBGUARD_TEST_STRING" "$STATUS_FAILURE" fi - CHRONYD_TEST_STRING="Ensuring chronyd is active" if systemctl is-active --quiet chronyd; then print_status "$CHRONYD_TEST_STRING" "$STATUS_SUCCESS" @@ -620,7 +617,7 @@ audit-secureblue: print_status "$remote_string" "$STATUS_SUCCESS" fi done <<< "$remotes" - + declare -A flatpaks while read -r ref version; do flatpaks+=(["${ref}"]="${ref}//${version}") @@ -671,4 +668,3 @@ audit-secureblue: done done fi - diff --git a/files/scripts/addbrewjustimport.sh b/files/scripts/addbrewjustimport.sh deleted file mode 100644 index bacc9b4..0000000 --- a/files/scripts/addbrewjustimport.sh +++ /dev/null 
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-brewimport='import "/usr/share/ublue-os/just/50-brew.just"'
-
-if ! grep -qF "$brewimport" /usr/share/ublue-os/justfile; then
- echo "$brewimport" >> /usr/share/ublue-os/justfile
-fi
diff --git a/files/scripts/addjustconfig.sh b/files/scripts/addjustconfig.sh
deleted file mode 100644
index 344712f..0000000
--- a/files/scripts/addjustconfig.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell this script to exit if there are any errors.
-# You should have this in every custom script, to ensure that your completed
-# builds actually ran successfully without any errors!
-set -oue pipefail
-
-# add our just config
-echo 'import "/usr/share/ublue-os/just/70-secureblue.just"' >> /usr/share/ublue-os/justfile
diff --git a/recipes/common/common-modules.yml b/recipes/common/common-modules.yml
index 695c942..0f926b0 100644
--- a/recipes/common/common-modules.yml
+++ b/recipes/common/common-modules.yml
@@ -1,4 +1,6 @@
 modules:
+ - type: justfiles
+ validate: true
 - type: script
 scripts:
 - createautostartdir.sh
diff --git a/recipes/common/common-scripts.yml b/recipes/common/common-scripts.yml
index e27ef53..fd578bf 100644
--- a/recipes/common/common-scripts.yml
+++ b/recipes/common/common-scripts.yml
@@ -7,6 +7,4 @@ scripts:
 - createmissingdirectories.sh
 - removesuid.sh
 - disablegeoclue.sh
- - addjustconfig.sh
- - addbrewjustimport.sh
 - hardencontainerpolicy.sh
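Review bot: The new `- type: justfiles` entry in common-modules.yml carries no source path or version pin, so which `.just` files end up imported into the system justfile and what `validate: true` actually checks depend on whatever revision of the bluebuild module the build fetches; unless the module repository is pinned elsewhere in the recipe, a pin (or a comment naming where it is pinned) would keep this step reproducible. The two deleted scripts made the import explicit (an `import "/usr/share/ublue-os/just/..."` line appended to `/usr/share/ublue-os/justfile`), and only `addbrewjustimport.sh` guarded against duplicate appends; the module presumably takes over both, but nothing in this hunk records that the renamed `brew.just` and `secureblue.just` are the intended inputs. Because the secureblue recipes run under `#!/usr/bin/pkexec /usr/bin/bash`, the imported recipe set is a root-capable surface, so I would document it inline: `# justfiles: imports files/justfiles/*.just (brew.just, secureblue.just) into the ujust system justfile; replaces addjustconfig.sh/addbrewjustimport.sh`. If `validate` is a justfile syntax/parse check, it will not flag recipe content such as brew.just's unpinned `bash -c "$(curl -fsSL .../HEAD/uninstall.sh)"`, so it should not be read as a content review of the recipes.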