Merge branch 'bri'

.github/workflows/build.yml

@@ -1,7 +1,8 @@
 name: Build and Push Image
 on:
- # schedule:
- #   - cron: '15 09 * * *'  # 9:15am everyday
+  push:
+  schedule:
+    - cron: '15 09 * * *'  # 9:15am everyday
   merge_group:
   pull_request:
   workflow_dispatch:
@@ -49,13 +50,6 @@ jobs:
           else
               echo "IMAGE_NAME=${{ format('{0}-{1}', matrix.base_name, matrix.image_flavor) }}" >> $GITHUB_ENV
           fi
-          if [[ "${{ matrix.image_flavor }}" =~ "asus" ]]; then
-              echo "AKMODS_FLAVOR=asus" >> $GITHUB_ENV
-          elif [[ "${{ matrix.image_flavor }}" =~ "surface" ]]; then
-              echo "AKMODS_FLAVOR=surface" >> $GITHUB_ENV
-          else
-              echo "AKMODS_FLAVOR=main" >> $GITHUB_ENV
-          fi
 
       - name: Generate tags
         id: generate-tags
@@ -133,7 +127,6 @@ jobs:
             IMAGE_FLAVOR=${{ matrix.image_flavor }}
             FEDORA_MAJOR_VERSION=${{ matrix.major_version }}
             TARGET_BASE=${{ matrix.target_base }}
-            AKMODS_FLAVOR=${{ env.AKMODS_FLAVOR }}
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
           # TODO(GH-280)

Containerfile

@@ -14,6 +14,7 @@ ARG IMAGE_VENDOR="ublue-os"
 ARG IMAGE_FLAVOR="${IMAGE_FLAVOR}"
 ARG AKMODS_FLAVOR="${AKMODS_FLAVOR}"
 ARG BASE_IMAGE_NAME="${BASE_IMAGE_NAME}"
+ARG IMAGE_FLAVOR="${IMAGE_FLAVOR}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION}"
 ARG PACKAGE_LIST="bluefin"
 
@@ -62,7 +63,6 @@ RUN curl -Lo /tmp/starship.tar.gz "https://github.com/starship/starship/releases
   echo 'eval "$(starship init bash)"' >> /etc/bashrc
 
 RUN wget https://copr.fedorainfracloud.org/coprs/ublue-os/bling/repo/fedora-$(rpm -E %fedora)/ublue-os-bling-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_ublue-os-bling.repo && \
-    wget https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${FEDORA_MAJOR_VERSION}"/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo -O /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo && \
     /tmp/build.sh && \
     /tmp/image-info.sh && \
     pip install --prefix=/usr yafti && \
@@ -86,7 +86,6 @@ RUN wget https://copr.fedorainfracloud.org/coprs/ublue-os/bling/repo/fedora-$(rp
     find /tmp/just -iname '*.just' -exec printf "\n\n" \; -exec cat {} \; >> /usr/share/ublue-os/just/60-custom.just && \
     rm -f /etc/yum.repos.d/tailscale.repo && \
     rm -f /etc/yum.repos.d/_copr_ublue-os-bling.repo && \
-    rm -f /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo && \
     rm -f /usr/share/applications/fish.desktop && \
     rm -f /usr/share/applications/htop.desktop && \
     rm -f /usr/share/applications/nvtop.desktop && \
@@ -166,9 +165,12 @@ RUN /tmp/bat.sh
 ### add delta
 RUN /tmp/delta.sh
 
-### add 1password stubs
+### add 1password
 RUN /tmp/1password.sh
 
+### add Google Chrome
+RUN rpm-ostree install https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
+
 ### END bri
 
 

README.md

@@ -1,10 +1,14 @@
-# bluefin
+# bri's bluefin spin
 
-**This image is considered Beta** 
+**a personal fork of Universal Blue's Bluefin{,-DX} spin on Fedora Sivlerblue** 
 
-[![Bluefin Build](https://github.com/ublue-os/bluefin/actions/workflows/build.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build.yml)
+Probably the most important and notable changes from stock _Bluefin DX_ are Firefox and Chromium installed on the system (as in, not via Flatpaks), and [1Password installed systemwide](scripts/1password.sh). I actually really like Flatpaks, but unfortunately 1Password's browser integration just doesn't really work with them...
 
-[![Ubuntu Toolbox Build](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml)
+Please don't directly use this, because I will absolutely push breaking changes without any notice!
+
+[![Bluefin Build](https://github.com/briorg/bluefin/actions/workflows/build.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build.yml)
+
+[![Ubuntu Toolbox Build](https://github.com/briorg/bluefin/actions/workflows/build-ubuntu-toolbox.yml/badge.svg)](https://github.com/ublue-os/bluefin/actions/workflows/build-ubuntu-toolbox.yml)
 
 A familiar(ish) Ubuntu desktop for Fedora Silverblue. It strives to cover these three use cases:
 - For end users it provides a system as reliable as a Chromebook with near-zero maintainance, with the power of Ubuntu and Fedora fused together

just/custom.just

@@ -23,6 +23,10 @@ aqua:
   printf '\n    export PATH="${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH"\n'
   printf '\n=> see https://aquaproj.github.io/docs/tutorial for more info\n'
 
+# Set shell (back) to bash
+bash:
+  ujust chsh /bin/bash
+
 # Install Homebrew for Linux
 brew:
   echo "Installing homebrew ..."
@@ -38,14 +42,14 @@ brew-shell:
   if grep -q "linuxbrew" $HOME/.zprofile
   then
     echo "Brew configuration already present in .zprofile"
-  else 
+  else
     echo "Adding Brew configuration to .zprofile"
     echo 'eval "$(/var/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> $HOME/.zprofile
   fi
   if grep -q "linuxbrew" $HOME/.bash_profile
   then
     echo "Brew configuration already present in .bash_profile"
-  else 
+  else
     echo "Adding Brew configuration to .bash_profile"
     echo 'eval "$(/var/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> $HOME/.bash_profile
   fi
@@ -107,8 +111,7 @@ distrobox-universal:
 
 # Switch to the fish shell
 fish:
-  sudo usermod $USER --shell /usr/bin/fish 
-  printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')"
+  ujust chsh /usr/bin/fish
 
 # Install recommended GNOME extensions
 gnome-extensions:
@@ -154,12 +157,12 @@ nix-devbox-global:
 
 # Enable podmansh as user shell (EXPERIMENTAL)
 podmansh:
+  #!/usr/bin/env bash
   sudo mkdir -p /etc/containers/systemd/users/${UID}
   sudo cp /usr/share/ublue-os/quadlets/podmansh.container /etc/containers/systemd/users/${UID}/podmansh.container
-  sudo usermod $USER --shell /usr/bin/podmansh
-  printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')"
+  ujust chsh /usr/bin/podmansh
   podman pull ghcr.io/ublue-os/ubuntu-toolbox:latest
-  
+
   systemctl --user daemon-reload
   systemctl --user stop podmansh.service
   systemctl --user start podmansh.service
@@ -186,7 +189,7 @@ pytorch:
   --no-browser --allow-root"
 
 # Run Tensorflow
-tensorflow: 
+tensorflow:
   echo 'Follow the prompts and check the tutorial: https://www.tensorflow.org/tutorials/quickstart/beginner'
   podman pull docker.io/tensorflow/tensorflow:latest
   podman run -it -p 8888:8888 docker.io/tensorflow/tensorflow:latest-jupyter  # Start Jupyter server
@@ -217,8 +220,7 @@ yafti:
 
 # Switch to the zsh shell
 zsh:
-  sudo usermod $USER --shell /usr/bin/zsh 
-  printf "${USER}'s shell is now %s." "$(cat /etc/passwd | grep ":$UID:" | cut '-d:' '-f7')"
+  ujust chsh /usr/bin/zsh
 
 docker:
   sudo systemctl enable --now docker

packages.json

@@ -3,6 +3,7 @@
 		"include": {
 			"bluefin": [
 				"chromium", "fedora-chromium-config", "fedora-chromium-config-gnome", "fedora-chromium-config-gssapi",
+				"util-linux-user",
 				"bash-color-prompt",
 				"cockpit-bridge",
 				"ddccontrol-db",
@@ -90,7 +91,8 @@
 				"qemu",
 				"ubuntu-nerd-fonts",
 				"ubuntumono-nerd-fonts",
-				"virt-manager"
+				"virt-manager",
+				"virt-viewer"
 			]
 		},
 		"exclude": {

scripts/1password.sh

@@ -3,44 +3,101 @@
 set -e
 
 echo "Installing 1Password"
-cd /usr/lib
-wget -qO- https://downloads.1password.com/linux/tar/stable/x86_64/1password-latest.tar.gz | tar -zxv
-ln -s 1Password 1password-*
-cd "$(mktemp -d)"
 
-mkdir /var/opt
-rpm-ostree install https://downloads.1password.com/linux/rpm/stable/x86_64/1password-latest.rpm
+# On libostree systems, /opt is a symlink to /var/opt,
+# which actually only exists on the live system. /var is
+# a separate mutable, stateful FS that's overlaid onto
+# the ostree rootfs. Therefore we need to install it into
+# /usr/lib/1Password instead, and dynamically create a
+# symbolic link /opt/1Password => /usr/lib/1Password upon
+# boot.
+
+ONEPASSWORD_RPM='https://downloads.1password.com/linux/rpm/stable/x86_64/1password-latest.rpm'
+
+# Prepare staging directory
+mkdir -p /var/opt # -p just in case it exists
+# for some reason...
+
+# Now let's install the package.
+rpm-ostree install "${ONEPASSWORD_RPM}"
+
+# And then we do the hacky dance!
+mv /var/opt/1Password /usr/lib/1Password # move this over here
+
+# Create a symlink /usr/bin/1password => /opt/1Password/1password
+rm /usr/bin/1password
+ln -s /opt/1Password/1password /usr/bin/1password
+
+#####
+# The following is a bastardization of "after-install.sh"
+# which is normally packaged with 1password. You can compare with
+# /usr/lib/1Password/after-install.sh if you want to see.
+
+cd /usr/lib/1Password
+
+# chrome-sandbox requires the setuid bit to be specifically set.
+# See https://github.com/electron/electron/issues/17972
+chmod 4755 /usr/lib/1Password/chrome-sandbox
 
-# rpm -ivh ./1password-latest.rpm
+# Normally, after-install.sh would create a group,
+# "onepassword", right about now. But if we do that during
+# the ostree build it'll disappear from the running system!
+# I'm going to work around that by hardcoding GIDs and
+# crossing my fingers that nothing else steps on them.
+# These numbers _should_ be okay under normal use, but
+# if there's a more specific range that I should use here
+# please submit a PR!
 
-# This is where the mess starts. 1Password is installed to /opt/1Password with
-# No way to change it. RIP. So we kinda _hack_ it and hope nothing is hard set
-# in the compiled code :(
-mv /var/opt/1Password /usr/lib/1Password
-cat > /usr/bin/install-1password <<EOF
-#!/bin/bash
-ln -s /usr/lib/1Password /opt/1Password
+# Specifically, GID must be > 1000, and absolutely must not
+# conflict with any real groups on the deployed system.
+# Normal user group GIDs on Fedora are sequential starting
+# at 1000, so let's skip ahead and set to something higher.
+GID_ONEPASSWORD="1500"
+GID_ONEPASSWORDCLI="1600"
+
+HELPER_PATH="/usr/lib/1Password/1Password-KeyringHelper"
+BROWSER_SUPPORT_PATH="/usr/lib/1Password/1Password-BrowserSupport"
+
+# Setup the Core App Integration helper binaries with the correct permissions and group
+chgrp "${GID_ONEPASSWORD}" "${HELPER_PATH}"
+# The binary requires setuid so it may interact with the Kernel keyring facilities
+chmod u+s "${HELPER_PATH}"
+chmod g+s "${HELPER_PATH}"
+
+# BrowserSupport binary needs setgid. This gives no extra permissions to the binary.
+# It only hardens it against environmental tampering.
+chgrp "${GID_ONEPASSWORD}" "${BROWSER_SUPPORT_PATH}"
+chmod g+s "${BROWSER_SUPPORT_PATH}"
+
+# Dynamically create the required group via sysusers.d
+# and set the GID based on the files we just chgrp'd
+cat >/usr/lib/sysusers.d/onepassword.conf <<EOF
+g     onepassword ${HELPER_PATH}
 EOF
-chmod +x /usr/bin/install-1password
 
-# # Rewrite some hard set paths here
-# grep -rl "/opt/1Password" /usr/lib/1Password | xargs sed -i 's/\/opt\/1Password/\/usr\/lib\/1Password/g'
-# grep -rl "/opt/1Password" /usr/share/applications | xargs sed -i 's/\/opt\/1Password/\/usr\/lib\/1Password/g'
-# 
-# # And redo the binary link
-# rm /usr/bin/1password
-# ln -s /usr/lib/1Password/1password /usr/bin/1password
+# Register path symlink
+# We do this via tmpfiles.d so that it is created by the live system.
+cat >/usr/lib/tmpfiles.d/onepassword.conf <<EOF
+L  /opt/1Password  -  -  -  -  /usr/lib/1Password
+EOF
 
 # Then we install the 1password CLI binary as well
 
+cd "$(mktemp -d)"
 wget -q https://cache.agilebits.com/dist/1P/op2/pkg/v2.14.0/op_linux_amd64_v2.14.0.zip
-
 unzip op_linux_amd64_v2.14.0.zip
 
 mv op /usr/bin
 
-groupadd onepassword-cli
-chown root:onepassword-cli /usr/bin/op
+# it needs its own group and needs setgid, like the other helpers.
+#groupadd -g ${GID_ONEPASSWORDCLI} onepassword-cli
+chown root:${GID_ONEPASSWORDCLI} /usr/bin/op
 chmod g+s /usr/bin/op
 
+# Dynamically create the required group via sysusers.d
+# and set the GID based on the files we just chgrp'd
+cat >/usr/lib/sysusers.d/onepassword.conf <<EOF
+g     onepassword-cli /usr/bin/op
+EOF
+
 op --version

usr/bin/ujust

@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/bin/just --unstable --justfile /usr/share/ublue-os/justfile "${@}"

usr/etc/flatpak/user/install

@@ -1,4 +1,3 @@
-org.mozilla.firefox
 org.freedesktop.Platform.ffmpeg-full//22.08
 com.raggesilver.BlackBox
 org.gnome.Calculator

usr/lib64/firefox/distribution/policies.json

@@ -0,0 +1,5 @@
+{
+  "policies": {
+    "DisablePocket": true
+  }
+}

usr/share/ublue-os/just/00-default.just

@@ -0,0 +1,44 @@
+# vim: set ft=make :
+
+set allow-duplicate-recipes
+set ignore-comments
+
+_default:
+  @just --unstable --list --list-heading $'Available commands:\n' --list-prefix $' - '
+
+# Boot into this device's BIOS/UEFI screen
+bios:
+  systemctl reboot --firmware-setup
+
+# Change the user's shell
+chsh new_shell:
+  #!/usr/bin/env bash
+  set -euo pipefail
+  if [ "{{shell}}" = "{{new_shell}}" ] ; then
+    printf "Your shell is already set to %s.\n" "{{new_shell}}"
+  else
+    if [ -x "{{new_shell}}" ] ; then
+      sudo usermod $USER --shell "{{new_shell}}"
+      printf "%s's shell is now %s.\n" "$USER" "{{new_shell}}"
+    else
+      echo "{{new_shell}} does not exist or is not executable!"
+    fi
+  fi
+
+# Regenerate GRUB config, useful in dual-boot scenarios where a second operating system isn't listed
+regenerate-grub:
+  #!/usr/bin/env bash
+  if [ -d /sys/firmware/efi ]; then
+    sudo grub2-mkconfig -o /etc/grub2-efi.cfg
+  else
+    sudo grub2-mkconfig -o /etc/grub2.cfg
+  fi
+
+# Show the changelog
+changelogs:
+  rpm-ostree db diff --changelogs
+
+# Enroll Nvidia driver & KMOD signing key for secure boot - Enter password "ublue-os" if prompted
+enroll-secure-boot-key:
+  sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
+  echo 'Enter password "ublue-os" if prompted'