mirror of
https://github.com/optim-enterprises-bv/secureblue.git
synced 2025-11-05 04:48:19 +00:00
139 lines
4.8 KiB
Bash
139 lines
4.8 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# Tell build process to exit if there are any errors.
|
|
set -oue pipefail
|
|
|
|
# Helper functions.
|
|
RECIPE_FILE="/usr/share/ublue-os/recipe.yml"
|
|
get_yaml_array() {
|
|
mapfile -t "${1}" < <(yq -- "${2}" "${RECIPE_FILE}")
|
|
}
|
|
get_yaml_string() {
|
|
yq -- "${1}" "${RECIPE_FILE}"
|
|
}
|
|
|
|
# Automatically determine which Fedora version we're building.
|
|
FEDORA_VERSION="$(cat /usr/lib/os-release | grep -Po '(?<=VERSION_ID=)\d+')"
|
|
|
|
# Read configuration variables.
|
|
BASE_IMAGE="$(get_yaml_string '.base-image')"
|
|
YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')"
|
|
|
|
# Welcome.
|
|
echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."
|
|
|
|
# Add custom repos.
|
|
get_yaml_array repos '.rpm.repos[]'
|
|
if [[ ${#repos[@]} -gt 0 ]]; then
|
|
echo "-- Adding repos defined in recipe.yml --"
|
|
for repo in "${repos[@]}"; do
|
|
repo="${repo//%FEDORA_VERSION%/${FEDORA_VERSION}}"
|
|
wget "${repo}" -P "/etc/yum.repos.d/"
|
|
done
|
|
echo "---"
|
|
fi
|
|
|
|
# Ensure that all script files are executable.
|
|
find /tmp/scripts -type f -exec chmod +x {} \;
|
|
|
|
# Run "pre" scripts.
|
|
run_scripts() {
|
|
script_mode="$1"
|
|
get_yaml_array buildscripts ".scripts.${script_mode}[]"
|
|
if [[ ${#buildscripts[@]} -gt 0 ]]; then
|
|
echo "-- Running [${script_mode}] scripts defined in recipe.yml --"
|
|
for script in "${buildscripts[@]}"; do
|
|
echo "Running [${script_mode}]: ${script}"
|
|
"/tmp/scripts/${script}" "${script_mode}"
|
|
done
|
|
echo "---"
|
|
fi
|
|
}
|
|
run_scripts "pre"
|
|
|
|
# Install RPMs.
|
|
get_yaml_array install_rpms '.rpm.install[]'
|
|
if [[ ${#install_rpms[@]} -gt 0 ]]; then
|
|
echo "-- Installing RPMs defined in recipe.yml --"
|
|
echo "Installing: ${install_rpms[@]}"
|
|
rpm-ostree install "${install_rpms[@]}"
|
|
echo "---"
|
|
fi
|
|
|
|
# Remove RPMs.
|
|
get_yaml_array remove_rpms '.rpm.remove[]'
|
|
if [[ ${#remove_rpms[@]} -gt 0 ]]; then
|
|
echo "-- Removing RPMs defined in recipe.yml --"
|
|
echo "Removing: ${remove_rpms[@]}"
|
|
rpm-ostree override remove "${remove_rpms[@]}"
|
|
echo "---"
|
|
fi
|
|
|
|
# Toggle yafti, which provides the "first boot" experience, https://github.com/ublue-os/yafti.
|
|
FIRSTBOOT_DATA="/usr/share/ublue-os/firstboot"
|
|
FIRSTBOOT_LINK="/usr/etc/profile.d/ublue-firstboot.sh"
|
|
if [[ "${YAFTI_ENABLED}" == "true" ]]; then
|
|
echo "-- firstboot: Installing and enabling \"yafti\" --"
|
|
pip install --prefix=/usr yafti
|
|
# Create symlink to our profile script, which creates the per-user "autorun yafti" links.
|
|
mkdir -p "$(dirname "${FIRSTBOOT_LINK}")"
|
|
ln -s "${FIRSTBOOT_DATA}/launcher/login-profile.sh" "${FIRSTBOOT_LINK}"
|
|
else
|
|
echo "-- firstboot: Removing all \"firstboot\" components --"
|
|
# Removes the script symlink that creates the per-user autostart symlinks.
|
|
# We must forcibly remove this here, in case it was added by an upstream image.
|
|
rm -f "${FIRSTBOOT_LINK}"
|
|
# Remove all of the launcher-scripts and yafti config, to de-clutter image and
|
|
# ensure it can't run by accident due to lingering symlinks or upstream image.
|
|
rm -rf "${FIRSTBOOT_DATA}"
|
|
fi
|
|
|
|
# Add a new yafti "package group" called Custom, for the packages defined in recipe.yml.
|
|
# Only adds the package group if yafti is enabled and Flatpaks are defined in the recipe.
|
|
if [[ "${YAFTI_ENABLED}" == "true" ]]; then
|
|
YAFTI_FILE="${FIRSTBOOT_DATA}/yafti.yml"
|
|
get_yaml_array flatpaks '.firstboot.flatpaks[]'
|
|
if [[ ${#flatpaks[@]} -gt 0 ]]; then
|
|
echo "-- yafti: Adding Flatpaks defined in recipe.yml --"
|
|
yq -i '.screens.applications.values.groups.Custom.description = "Flatpaks suggested by the image maintainer."' "${YAFTI_FILE}"
|
|
yq -i '.screens.applications.values.groups.Custom.default = true' "${YAFTI_FILE}"
|
|
for pkg in "${flatpaks[@]}"; do
|
|
echo "Adding to yafti: ${pkg}"
|
|
yq -i ".screens.applications.values.groups.Custom.packages += [{\"${pkg}\": \"${pkg}\"}]" "${YAFTI_FILE}"
|
|
done
|
|
echo "---"
|
|
fi
|
|
fi
|
|
|
|
# Setup container signing
|
|
echo "Setup container signing in policy.json and cosign.yaml"
|
|
echo "Registry to write: $IMAGE_REGISTRY"
|
|
|
|
# Copy Name
|
|
NAME=$(get_yaml_string '.name')
|
|
cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$NAME".pub
|
|
|
|
# Work around the fact that jq doesn't have an "inplace" option
|
|
FILE=/usr/etc/containers/policy.json
|
|
TMP=/tmp/policy.json
|
|
|
|
jq '.transports.docker |=
|
|
{"'"$IMAGE_REGISTRY"'": [
|
|
{
|
|
"type": "sigstoreSigned",
|
|
"keyPath": "/usr/etc/pki/containers/'"$NAME"'.pub",
|
|
"signedIdentity": {
|
|
"type": "matchRepository"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
+ .' $FILE > $TMP
|
|
mv -f $TMP $FILE
|
|
|
|
cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$NAME".yaml
|
|
sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/"$NAME".yaml
|
|
|
|
# Run "post" scripts.
|
|
run_scripts "post"
|