chore: switch to bluebuild's justfile module with validation (#556)

docs/POSTINSTALL-README.md

@@ -39,7 +39,7 @@ ujust enroll-secure-boot-key
 ## Set hardened kargs
 
 > [!NOTE]
-> Learn about the hardening applied by the kargs set by the command below [here](/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md).
+> Learn about the hardening applied by the kargs set by the command below [here](KARGS.md).
 
 ```
 ujust set-kargs-hardening

docs/README.md

@@ -37,7 +37,7 @@ The following are not in scope:
 - Adds per-network MAC randomization
 - Blacklisting numerous unused kernel modules to reduce attack surface <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf)</sup>
 - Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default
-- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) <sup>[details](https://github.com/secureblue/secureblue/blob/live/files/system/usr/share/ublue-os/just/70-secureblue.just.readme.md)</sup>
+- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) <sup>[details](KARGS.md)</sup>
 - Reduce the sudo timeout to 1 minute
 - Require wheel user authentication via polkit for `rpm-ostree install` <sup>[why?](https://github.com/rohanssrao/silverblue-privesc)
 - Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions

files/justfiles/secureblue.just

@@ -173,7 +173,6 @@ override-reset-module mod_name:
       echo "No override found for $MOD_NAME module."
     fi
 
-
 # Setup USBGuard
 setup-usbguard:
     #!/usr/bin/bash
@@ -193,7 +192,6 @@ setup-usbguard:
 rerun-yafti:
     yafti -f /usr/share/ublue-os/firstboot/yafti.yml
 
-
 # Toggle anticheat support by changing ptrace scope (requires restart)
 toggle-anticheat-support:
     #!/usr/bin/pkexec /usr/bin/bash
@@ -495,7 +493,6 @@ audit-secureblue:
         print_status "$USBGUARD_TEST_STRING" "$STATUS_FAILURE"
     fi
 
-
     CHRONYD_TEST_STRING="Ensuring chronyd is active"
     if systemctl is-active --quiet chronyd; then
         print_status "$CHRONYD_TEST_STRING" "$STATUS_SUCCESS"
@@ -671,4 +668,3 @@ audit-secureblue:
             done
         done
     fi
-

files/scripts/addbrewjustimport.sh

@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-brewimport='import "/usr/share/ublue-os/just/50-brew.just"'
-
-if ! grep -qF "$brewimport" /usr/share/ublue-os/justfile; then
-    echo "$brewimport" >> /usr/share/ublue-os/justfile
-fi

files/scripts/addjustconfig.sh

@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell this script to exit if there are any errors.
-# You should have this in every custom script, to ensure that your completed
-# builds actually ran successfully without any errors!
-set -oue pipefail
-
-# add our just config
-echo 'import "/usr/share/ublue-os/just/70-secureblue.just"' >> /usr/share/ublue-os/justfile

recipes/common/common-modules.yml

@@ -1,4 +1,6 @@
 modules:
+    - type: justfiles
+      validate: true
     - type: script
       scripts:
         - createautostartdir.sh

recipes/common/common-scripts.yml

@@ -7,6 +7,4 @@ scripts:
   - createmissingdirectories.sh
   - removesuid.sh
   - disablegeoclue.sh
-  - addjustconfig.sh
-  - addbrewjustimport.sh
   - hardencontainerpolicy.sh