feat: nvidia-open images, major streamlining, bugfixes, and polish (#461)

files/scripts/addchromiumdesktopfile.sh

@@ -4,4 +4,4 @@
 # Tell build process to exit if there are any errors.
 set -oue pipefail
 
-sed -i 's/firefox/chromium-browser/' /usr/share/wayfire/wf-shell.ini 
+sed -i 's/org.mozilla.firefox/chromium-browser/' /usr/share/wayfire/wf-shell.ini 

files/scripts/addtailscalerepo.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# Tell this script to exit if there are any errors.
+# You should have this in every custom script, to ensure that your completed
+# builds actually ran successfully without any errors!
+set -oue pipefail
+
+curl -L https://pkgs.tailscale.com/stable/fedora/tailscale.repo -o /etc/yum.repos.d/tailscale.repo

files/scripts/disableuserns.sh

@@ -42,7 +42,7 @@ chmod u+s /usr/bin/bwrap
 echo "
 
 
-module chrome_sandbox 1.0;
+module chrome_sandbox_secureblue 1.0;
 
 require {
 	type chrome_sandbox_home_t;
@@ -54,12 +54,12 @@ require {
 
 allow chrome_sandbox_t chrome_sandbox_home_t:file map;
 
-" > chrome_sandbox.te
+" > chrome_sandbox_secureblue.te
 
-checkmodule -M -m -o chrome_sandbox.mod chrome_sandbox.te
-semodule_package -o chrome_sandbox.pp -m chrome_sandbox.mod
-semodule -i chrome_sandbox.pp
+checkmodule -M -m -o chrome_sandbox_secureblue.mod chrome_sandbox_secureblue.te
+semodule_package -o chrome_sandbox_secureblue.pp -m chrome_sandbox_secureblue.mod
+semodule -i chrome_sandbox_secureblue.pp
 
-rm chrome_sandbox.te
-rm chrome_sandbox.mod
-rm chrome_sandbox.pp
+rm chrome_sandbox_secureblue.te
+rm chrome_sandbox_secureblue.mod
+rm chrome_sandbox_secureblue.pp

files/scripts/excludepcsc.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+sed -i 's/add_dracutmodules+=" fido2 tpm2-tss pkcs11 pcsc "/add_dracutmodules+=" fido2 tpm2-tss pkcs11 "/' /usr/lib/dracut/dracut.conf.d/90-ublue-luks.conf

files/scripts/excludezfs.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+echo '
+
+omit_dracutmodules+=" zfs "
+
+' > /usr/lib/dracut/dracut.conf.d/99-omit-zfs.conf

files/scripts/hardencontainerpolicy.sh

@@ -3,11 +3,16 @@
 # Tell build process to exit if there are any errors.
 set -oue pipefail
 
-sed -i 's/insecureAcceptAnything/reject/' /usr/etc/containers/policy.json
+POLICY_FILE="/usr/etc/containers/policy.json"
+
+if [[ ! -f "$POLICY_FILE" ]]; then
+    echo "Error: $POLICY_FILE does not exist."
+    exit 1
+fi
+
+sed -i 's/insecureAcceptAnything/reject/' "$POLICY_FILE"
 
 
-# Exception for build-container-installer to allow the ISO generation script to work
-# https://github.com/JasonN3/build-container-installer/issues/123
 yq -i -o=j '.transports.docker |=
     {"ghcr.io/jasonn3": [
         {
@@ -19,7 +24,7 @@ yq -i -o=j '.transports.docker |=
         }
       ]
     }
-+ .' /usr/etc/containers/policy.json
++ .' "$POLICY_FILE"
 
 yq -i -o=j '.transports.docker |=
     {"ghcr.io/zelikos": [
@@ -32,4 +37,17 @@ yq -i -o=j '.transports.docker |=
         }
       ]
     }
-+ .' /usr/etc/containers/policy.json
++ .' "$POLICY_FILE"
+
+yq -i -o=j '.transports.docker |=
+    {"ghcr.io/wayblueorg": [
+        {
+          "type": "sigstoreSigned",
+          "keyPath": "/usr/etc/pki/containers/wayblue.pub",
+          "signedIdentity": {
+            "type": "matchRepository"
+          }
+        }
+      ]
+    }
++ .' "$POLICY_FILE"

files/scripts/hardenrechunkedcontainerpolicy.sh

@@ -1,35 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-sed -i 's/insecureAcceptAnything/reject/' /etc/containers/policy.json
-
-
-# Exception for build-container-installer to allow the ISO generation script to work
-# https://github.com/JasonN3/build-container-installer/issues/123
-yq -i -o=j '.transports.docker |=
-    {"ghcr.io/jasonn3": [
-        {
-          "type": "sigstoreSigned",
-          "keyPath": "/etc/pki/containers/build-container-installer.pub",
-          "signedIdentity": {
-            "type": "matchRepository"
-          }
-        }
-      ]
-    }
-+ .' /etc/containers/policy.json
-
-yq -i -o=j '.transports.docker |=
-    {"ghcr.io/zelikos": [
-        {
-          "type": "sigstoreSigned",
-          "keyPath": "/etc/pki/containers/davincibox.pub",
-          "signedIdentity": {
-            "type": "matchRepository"
-          }
-        }
-      ]
-    }
-+ .' /etc/containers/policy.json

files/scripts/installandroidudev.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+curl -Lo /etc/yum.repos.d/_copr_ublue-os_staging.repo https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${OS_VERSION}"/ublue-os-staging-fedora-"${OS_VERSION}".repo
+rpm-ostree install android-udev-rules
+rm /etc/yum.repos.d/_copr_ublue-os_staging.repo

files/scripts/installnvidiatoolkitpolicy.sh

@@ -3,4 +3,4 @@
 # Tell build process to exit if there are any errors.
 set -oue pipefail
 
-rm /usr/share/xsessions/*
+semodule --verbose --install /usr/share/selinux/packages/nvidia-container.pp

files/scripts/installrpmfusion.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+rpm -q rpmfusion-free-release || rpm-ostree install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-${OS_VERSION}.noarch.rpm
+rpm -q rpmfusion-nonfree-release || rpm-ostree install https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-${OS_VERSION}.noarch.rpm

files/scripts/installsignedkernel.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+find /tmp/rpms
+
+rpm-ostree cliwrap install-to-root /
+
+QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')"
+INCOMING_KERNEL_VERSION="$(basename -s .rpm $(ls /tmp/rpms/kernel/kernel-[0-9]*.rpm 2>/dev/null | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//'))"
+
+echo "Qualified kernel: $QUALIFIED_KERNEL"
+echo "Incoming kernel version: $INCOMING_KERNEL_VERSION"
+
+
+if [[ "$INCOMING_KERNEL_VERSION" != "$QUALIFIED_KERNEL" ]]; then
+    echo "Installing kernel rpm from kernel-cache."
+    rpm-ostree override replace \
+        --experimental \
+        --install=zstd \
+        /tmp/rpms/kernel/kernel-[0-9]*.rpm \
+        /tmp/rpms/kernel/kernel-core-*.rpm \
+        /tmp/rpms/kernel/kernel-modules-*.rpm
+else
+    echo "Installing kernel files from kernel-cache."
+    cd /tmp
+    rpm2cpio /tmp/rpms/kernel/kernel-core-*.rpm | cpio -idmv
+    cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
+    cd /
+fi

files/scripts/regenerateinitramfs.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+
+rpm-ostree cliwrap install-to-root /
+
+QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')"
+/usr/libexec/rpm-ostree/wrapped/dracut --no-hostonly --kver "$QUALIFIED_KERNEL" --reproducible -v --add ostree -f "/lib/modules/$QUALIFIED_KERNEL/initramfs.img"
+chmod 0600 "/lib/modules/$QUALIFIED_KERNEL/initramfs.img"

files/scripts/removebluefinfirstboot.sh

@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-rm /etc/skel/.config/autostart/bluefin-firstboot.desktop
-rm /etc/profile.d/bluefin-firstboot.sh

files/scripts/removeunusedrepos.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+rm -f /etc/yum.repos.d/negativo17-fedora-nvidia.repo
+rm -f /etc/yum.repos.d/negativo17-fedora-multimedia.repo
+rm -f /etc/yum.repos.d/eyecantcu-supergfxctl.repo
+rm -f /etc/yum.repos.d/_copr_ublue-os-akmods.repo
+rm -f /etc/yum.repos.d/nvidia-container-toolkit.repo

files/scripts/setdrmvariables.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+
+echo '
+
+# Nvidia modesetting support. Set to 0 or comment to disable kernel modesetting
+# support. This must be disabled in case of SLI Mosaic.
+
+options nvidia-drm modeset=1 fbdev=1
+
+' > /usr/lib/modprobe.d/nvidia-modeset.conf
+
+cp /usr/lib/modprobe.d/nvidia-modeset.conf /etc/modprobe.d/nvidia-modeset.conf

files/scripts/setearlyloading.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+sed -i 's@omit_drivers@force_drivers@g' /usr/lib/dracut/dracut.conf.d/99-nvidia-dracut.conf
+sed -i 's@ nvidia @ i915 amdgpu nvidia @g' /usr/lib/dracut/dracut.conf.d/99-nvidia-dracut.conf

files/scripts/setswaynvidiaenvironment.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+rm /etc/sway/environment
+
+echo '
+
+# This file is a part of Fedora configuration for Sway and will be sourced
+# from /usr/bin/start-sway script for all users of the system.
+# User-specific variables should be placed in $XDG_CONFIG_HOME/sway/environment
+#
+# vim: set ft=sh:
+
+## Pass extra arguments to the /usr/bin/sway executable
+
+#SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --unsupported-gpu"
+SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --unsupported-gpu -D noscanout"
+#SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --debug"
+
+## Set environment variables
+
+# Useful variables for wlroots:
+# https://gitlab.freedesktop.org/wlroots/wlroots/-/blob/master/docs/env_vars.md
+WLR_NO_HARDWARE_CURSORS=1
+# Setting renderer to Vulkan may fix flickering but needs the following extensions:
+# - VK_EXT_image_drm_format_modifier
+# - VK_EXT_physical_device_drm
+#
+# Source: https://gitlab.freedesktop.org/wlroots/wlroots/-/commit/8e346922508aa3eaccd6e12f2917f6574f349843
+WLR_RENDERER=vulkan
+
+# Java Application compatibility
+# Source: https://github.com/swaywm/wlroots/issues/1464
+_JAVA_AWT_WM_NONREPARENTING=1
+
+' > /etc/sway/environment