From 290a84e86b2f2c3cb1403f94eff416e74d536abd Mon Sep 17 00:00:00 2001 From: seth Date: Fri, 19 Jan 2024 22:17:31 -0500 Subject: initial commit --- .github/dependabot.yml | 8 + .github/workflows/autobot.yaml | 27 ++++ .github/workflows/build.yaml | 305 +++++++++++++++++++++++++++++++++++++ Containerfile | 11 ++ LICENSE | 21 +++ README.md | 3 + akmods/Containerfile | 21 +++ akmods/NOTICE.md | 209 +++++++++++++++++++++++++ akmods/akmods-cert.spec | 25 +++ akmods/build_cert.sh | 8 + akmods/build_nvidia.sh | 28 ++++ akmods/certs/private_key.priv.test | 52 +++++++ akmods/certs/public_key.der | Bin 0 -> 1458 bytes akmods/certs/public_key.der.test | Bin 0 -> 1556 bytes akmods/install.sh | 7 + akmods/prep.sh | 27 ++++ initial_setup.sh | 25 +++ nvidia/Containerfile | 13 ++ nvidia/install.sh | 16 ++ override.sh | 39 +++++ 20 files changed, 845 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/autobot.yaml create mode 100644 .github/workflows/build.yaml create mode 100644 Containerfile create mode 100644 LICENSE create mode 100644 README.md create mode 100644 akmods/Containerfile create mode 100644 akmods/NOTICE.md create mode 100644 akmods/akmods-cert.spec create mode 100755 akmods/build_cert.sh create mode 100755 akmods/build_nvidia.sh create mode 100644 akmods/certs/private_key.priv.test create mode 100644 akmods/certs/public_key.der create mode 100644 akmods/certs/public_key.der.test create mode 100755 akmods/install.sh create mode 100755 akmods/prep.sh create mode 100755 initial_setup.sh create mode 100644 nvidia/Containerfile create mode 100644 nvidia/install.sh create mode 100755 override.sh diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..8db6eb5 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "deps(actions)" 
diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml new file mode 100644 index 0000000..e0e4ccf --- /dev/null +++ b/.github/workflows/autobot.yaml @@ -0,0 +1,27 @@ +name: Auto-merge Dependabot + +on: pull_request + +jobs: + automerge: + name: Check and merge PR + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + + if: github.actor == 'dependabot[bot]' + + steps: + - uses: dependabot/fetch-metadata@v1 + id: metadata + with: + github-token: ${{ github.token }} + + - name: Enable auto-merge + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + run: gh pr merge --auto --rebase "$PR" + env: + GH_TOKEN: ${{ github.token }} + PR: ${{ github.event.pull_request.html_url }} diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 0000000..d1ea842 --- /dev/null +++ b/.github/workflows/build.yaml 
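Review bot: The `automerge` job holds `contents: write` and `pull-requests: write` while it runs `dependabot/fetch-metadata@v1`, a mutable major tag, so whoever controls that tag can execute code with a token able to merge into `main`. Pin it to a full commit SHA with the version in a trailing comment, `uses: dependabot/fetch-metadata@<sha> # v1`, and let the Dependabot config added in this commit keep the pin current. The `github.actor == 'dependabot[bot]'` gate on a `pull_request` trigger is the pattern GitHub documents for this and looks correct. Note that `gh pr merge --auto` relies on the repository's auto-merge setting and on required status checks on `main` to defer the merge until `build.yaml` passes; nothing in this workflow waits for it, so that configuration is worth confirming.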
@@ -0,0 +1,305 @@ +name: Build Images + +on: + push: + branches: [main] + schedule: + - cron: "0 0 * * *" + pull_request: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + +jobs: + akmods: + name: Akmods Image + runs-on: ubuntu-latest + + permissions: + contents: read + id-token: write + packages: write + + env: + IMAGE_NAME: akmods + FEDORA_VERSION: 39 + NVIDIA_VERSION: 535 + + steps: + - uses: actions/checkout@v4 + + - name: Extract metadata + id: metadata + uses: docker/metadata-action@v5 + with: + images: | + ${{ env.IMAGE_NAME }} + tags: | + type=sha + type=ref,event=branch + type=ref,event=pr + type=schedule,pattern={{date 'YYYYMMDD'}} + + - name: Generate extra tags + id: extra-tags + run: | + timestamp="$(date +%Y%m%d)" + tag="$IMAGE_NAME:$FEDORA_VERSION-$NVIDIA_VERSION" + tags=("$tag" "$tag-$timestamp") + echo "tags=${tags[*]}" >> "$GITHUB_OUTPUT" + + - name: Get akmods signing key + if: github.event_name != 'pull_request' + env: + AKMODS_KEY: ${{ secrets.AKMODS_KEY }} + run: | + echo "$AKMODS_KEY" > akmods/certs/private_key.priv + + - name: Build image + id: build + uses: redhat-actions/buildah-build@v2 + with: + containerfiles: | + ./akmods/Containerfile + image: ${{ env.IMAGE_NAME }} + context: ./akmods + tags: | + ${{ steps.metadata.outputs.tags }} + ${{ steps.extra-tags.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + build-args: | + FEDORA_VERSION=${{ env.FEDORA_VERSION }} + NVIDIA_VERSION=${{ env.NVIDIA_VERSION }} + + - name: Push to registry + id: push + if: github.event_name != 'pull_request' + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build.outputs.image }} + tags: ${{ steps.build.outputs.tags }} + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ github.token }} + extra-args: | + --disable-content-trust + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} 
+ password: ${{ github.token }} + + - name: Install cosign + if: github.event_name == 'pull_request' + uses: sigstore/cosign-installer@v3 + + - name: Sign image + if: github.event_name == 'pull_request' + env: + DIGEST: ${{ steps.push.outputs.digest }} + TAGS: ${{ steps.build.outputs.tags }} + run: | + images=() + for tag in "${TAGS[@]}"; do + images+=("$tag@$DIGEST") + done + cosign sign --yes "${images[@]}" + + base: + name: Base Image + runs-on: ubuntu-latest + + permissions: + contents: read + id-token: write + packages: write + + strategy: + fail-fast: false + matrix: + include: + - image_name: getchblue + fedora_version: 39 + image_flavor: silverblue + + steps: + - uses: actions/checkout@v4 + + - name: Extract metadata + id: metadata + uses: docker/metadata-action@v5 + with: + images: | + ${{ matrix.image_name }} + tags: | + type=sha + type=ref,event=branch + type=ref,event=pr + type=schedule,pattern={{date 'YYYYMMDD'}} + + - name: Generate extra tags + id: extra-tags + env: + IMAGE_NAME: ${{ matrix.image_name }} + FEDORA_VERSION: ${{ matrix.fedora_version }} + run: | + timestamp="$(date +%Y%m%d)" + tag="$IMAGE_NAME:$FEDORA_VERSION" + tags=("$tag" "$tag-$timestamp") + echo "tags=${tags[*]}" >> "$GITHUB_OUTPUT" + + - name: Build image + id: build + uses: redhat-actions/buildah-build@v2 + with: + containerfiles: | + ./Containerfile + image: ${{ matrix.image_name }} + context: . 
+ tags: | + ${{ steps.metadata.outputs.tags }} + ${{ steps.extra-tags.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + build-args: | + FEDORA_VERSION=${{ matrix.fedora_version }} + IMAGE_FLAVOR=${{ matrix.image_flavor }} + + - name: Push to registry + id: push + if: github.event_name != 'pull_request' + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build.outputs.image }} + tags: ${{ steps.build.outputs.tags }} + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ github.token }} + extra-args: | + --disable-content-trust + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ github.token }} + + - name: Install cosign + if: github.event_name == 'pull_request' + uses: sigstore/cosign-installer@v3 + + - name: Sign image + if: github.event_name == 'pull_request' + env: + DIGEST: ${{ steps.push.outputs.digest }} + TAGS: ${{ steps.build.outputs.tags }} + run: | + images=() + for tag in "${TAGS[@]}"; do + images+=("$tag@$DIGEST") + done + cosign sign --yes "${images[@]}" + + nvidia: + name: NVIDIA Image + runs-on: ubuntu-latest + needs: [akmods, base] + + strategy: + fail-fast: false + matrix: + include: + - image_name: getchblue-nvidia + fedora_version: 39 + image_flavor: getchblue + nvidia_version: 535 + + permissions: + contents: read + id-token: write + packages: write + + steps: + - uses: actions/checkout@v4 + + - name: Extract metadata + id: metadata + uses: docker/metadata-action@v5 + with: + images: | + ${{ matrix.image_name }} + tags: | + type=sha + type=ref,event=branch + type=ref,event=pr + type=schedule,pattern={{date 'YYYYMMDD'}} + + - name: Generate extra tags + id: extra-tags + env: + IMAGE_NAME: ${{ matrix.image_name }} + FEDORA_VERSION: ${{ matrix.fedora_version }} + NVIDIA_VERSION: ${{ matrix.nvidia_version }} + run: | + timestamp="$(date +%Y%m%d)" + 
tag="$IMAGE_NAME:$FEDORA_VERSION-$NVIDIA_VERSION" + tags=("$tag" "$tag-$timestamp") + echo "tags=${tags[*]}" >> "$GITHUB_OUTPUT" + + - name: Build image + id: build + uses: redhat-actions/buildah-build@v2 + with: + containerfiles: | + ./nvidia/Containerfile + image: ${{ matrix.image_name }} + context: ./nvidia + tags: | + ${{ steps.metadata.outputs.tags }} + ${{ steps.extra-tags.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + build-args: | + FEDORA_VERSION=${{ matrix.fedora_version }} + IMAGE_FLAVOR=${{ matrix.image_flavor }} + + - name: Push to registry + id: push + if: github.event_name != 'pull_request' + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build.outputs.image }} + tags: ${{ steps.build.outputs.tags }} + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ github.token }} + extra-args: | + --disable-content-trust + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ github.token }} + + - name: Install cosign + if: github.event_name == 'pull_request' + uses: sigstore/cosign-installer@v3 + + - name: Sign image + if: github.event_name == 'pull_request' + env: + DIGEST: ${{ steps.push.outputs.digest }} + TAGS: ${{ steps.build.outputs.tags }} + run: | + images=() + for tag in "${TAGS[@]}"; do + images+=("$tag@$DIGEST") + done + cosign sign --yes "${images[@]}" diff --git a/Containerfile b/Containerfile new file mode 100644 index 0000000..c5f7c39 --- /dev/null +++ b/Containerfile 
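Review bot: The `Install cosign` and `Sign image` steps in all three jobs are gated on `github.event_name == 'pull_request'`, the inverse of the `Push to registry` gate, so pushed images are never signed and PR runs invoke `cosign sign` with an empty `steps.push.outputs.digest`. Inside the `run` block, `"${TAGS[@]}"` expands a plain string rather than an array, producing a single `"tag1 tag2 ...@digest"` argument; split it with `read -ra` first. The buildah-build tag list is also unqualified (`akmods:...`), so the references probably need the `$REGISTRY/` prefix to match what was pushed, or could be taken from push-to-registry's `registry-paths` output if the action exposes it. Separately, with `REGISTRY: ghcr.io` and an unprefixed image name the pushed path would be `ghcr.io/akmods`, while `nvidia/Containerfile` pulls `ghcr.io/getchoo/akmods`; `ghcr.io/${{ github.repository_owner }}` may be what was intended.
```yaml
# … unchanged: checkout, metadata, extra-tags, build and push steps …
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3

      - name: Sign image
        if: github.event_name != 'pull_request'
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
          TAGS: ${{ steps.build.outputs.tags }}
        run: |
          read -ra tag_list <<< "$TAGS"
          images=()
          for tag in "${tag_list[@]}"; do
            images+=("$REGISTRY/$tag@$DIGEST")
          done
          cosign sign --yes "${images[@]}"
# … the same two `if:` flips apply in the base and nvidia jobs …
```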
@@ -0,0 +1,11 @@ +ARG IMAGE_FLAVOR="${IMAGE_FLAVOR:-silverblue}" +ARG BASE_IMAGE="quay.io/fedora-ostree-desktops/${IMAGE_FLAVOR}" +ARG FEDORA_VERSION="${FEDORA_VERSION:-39}" + +FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder + +COPY initial_setup.sh /usr/local/bin/initial_setup.sh +COPY override.sh /tmp/override.sh + +RUN /tmp/override.sh && rpm-ostree cleanup -m && \ + rm -rf /tmp/* /var/* && ostree container commit diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..4a1e9b2 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2024 seth + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..9e10cf6 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# fedora-oci-images + +my custom oci images, but as close to upstream as possible. if you want something more usable ootb, you're probably looking for [ublue](https://github.com/ublue-os) 
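Review bot: The stage alias in `FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder` is never referenced, since this Containerfile has a single stage and nothing is copied out of it; drop the alias or name the stage for what it is to avoid suggesting a multi-stage layout that does not exist. The base is consumed by mutable tag (`silverblue:39`) on every nightly run, which is fine for a tracking image but means two builds on the same day can differ; a header comment stating that the image intentionally follows upstream's tag rather than a digest would document the choice. `${IMAGE_FLAVOR:-silverblue}` as an `ARG` default referring to itself works in practice here only because the default is what the build args supply when unset — a `# build-arg overrides default` comment would make that intent clear.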
diff --git a/akmods/Containerfile b/akmods/Containerfile new file mode 100644 index 0000000..5d2c892 --- /dev/null +++ b/akmods/Containerfile @@ -0,0 +1,21 @@ +ARG BASE_IMAGE="quay.io/fedora-ostree-desktops/base" +ARG FEDORA_VERSION="${FEDORA_VERSION:-39}" + +FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder +ARG NVIDIA_VERSION="${NVIDIA_VERSION:-535}" + +COPY prep.sh /tmp/prep.sh +COPY build_*.sh /tmp +COPY install.sh /tmp/install.sh +COPY certs /tmp/certs +COPY akmods-cert.spec /tmp/akmods-cert/akmods-cert.spec + +RUN /tmp/prep.sh + +RUN /tmp/build_nvidia.sh ${NVIDIA_VERSION} +RUN /tmp/build_cert.sh + +RUN /tmp/install.sh + +FROM scratch +COPY --from=builder /var/cache/rpms /rpms diff --git a/akmods/NOTICE.md b/akmods/NOTICE.md new file mode 100644 index 0000000..99e8f10 --- /dev/null +++ b/akmods/NOTICE.md 
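Review bot: `COPY certs /tmp/certs` puts `private_key.priv` — the real signing key on non-PR runs — into a builder layer, and `prep.sh` then installs it under `/etc/pki/akmods/private`. The published image is `FROM scratch` with only `/rpms`, so the key is not shipped, but it persists in the builder's local layer cache on the runner for the lifetime of the job. If the buildah action allows it, pass the key as a build secret (`RUN --mount=type=secret,id=akmods_key ...`) and copy only the public DER, and in any case remove `/etc/pki/akmods/private/private_key.priv` at the end of `install.sh` so no committed layer keeps it. `RUN /tmp/build_nvidia.sh ${NVIDIA_VERSION}` should quote the argument, `"${NVIDIA_VERSION}"`, even though the default value is safe.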
@@ -0,0 +1,209 @@ +# ublue-os/akmods + +The section uses code derived from ublue-os' [akmods](https://github.com/ublue-os/akmods) repository. +Specifically `build-ublue-os-akmods-addons.sh`, `ublue-os-akmods-addons.spec`, `build-prep.sh`, and +`build-kmod-nvidia.sh` were modified + +``` + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). 
+ + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. 
Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative 
Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +``` diff --git a/akmods/akmods-cert.spec b/akmods/akmods-cert.spec new file mode 100644 index 0000000..3512f76 --- /dev/null +++ b/akmods/akmods-cert.spec @@ -0,0 +1,25 @@ +Name: getchoo-akmods-cert +Version: 0.1 +Release: %autorelease +Summary: getchoo's public certificate for signed akmods +License: MIT +URL: https://github.com/getchoo/fedora-oci-images +BuildArch: noarch +Supplements: mokutil policycoreutils + +Source0: public_key.der + +%description +getchoo's public certificate for enabling secure boot with applicable signed akmods + +%prep +%autosetup -c -T + +%install +install -Dm644 %{SOURCE0} %{buildroot}%{_sysconfdir}/pki/akmods/certs/akmods-getchoo.der + +%files +%attr(0644,root,root) %{_sysconfdir}/pki/akmods/certs/akmods-getchoo.der + +%changelog +%autochangelog 
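Review bot: `Supplements: mokutil policycoreutils` is a reverse weak dependency — it asks the solver to pull this cert package in whenever `mokutil` or `policycoreutils` is installed, not to bring `mokutil` in alongside the cert. If the intent is that `mokutil` be available for enrolling the cert, the forward form is `Recommends: mokutil`. The `%description` could also state the step the package does not perform, roughly: this only ships the public certificate; users must still enroll it with `mokutil --import` and reboot for signed kmods to load under Secure Boot.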
diff --git a/akmods/build_cert.sh b/akmods/build_cert.sh new file mode 100755 index 0000000..65e60e7 --- /dev/null +++ b/akmods/build_cert.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +set -euxo pipefail + +install -D /etc/pki/akmods/certs/public_key.der /tmp/akmods-cert/rpmbuild/SOURCES/public_key.der +rpmbuild -ba \ + --define '_topdir /tmp/akmods-cert/rpmbuild' \ + --define '%_tmppath %{_topdir}/tmp' \ + /tmp/akmods-cert/akmods-cert.spec diff --git a/akmods/build_nvidia.sh b/akmods/build_nvidia.sh new file mode 100755 index 0000000..1931149 --- /dev/null +++ b/akmods/build_nvidia.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash +set -euxo pipefail + +_usage=" +usage: ./build_nvidia.sh nvidia_driver_version +" + +if [ $# -lt 1 ]; then + echo "$_usage" + exit 1 +fi + +NVIDIA_VERSION="$1" +release="$(rpm -E '%fedora.%_arch')" + +rpm-ostree install \ + akmod-nvidia-"$NVIDIA_VERSION"* \ + xorg-x11-drv-nvidia-{cuda,power}-"$NVIDIA_VERSION"* \ + +# Either successfully build and install the kernel modules, or fail early with debug output +kernel_version="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" +akmod_version="$(basename "$(rpm -q akmod-nvidia --queryformat '%{VERSION}-%{RELEASE}')" ".fc${release%%.*}")" + +akmods --force --kernels "$kernel_version" --kmod nvidia + +if ! modinfo /usr/lib/modules/"$kernel_version"/extra/nvidia/nvidia{,-drm,-modeset,-peermem,-uvm}.ko.xz &> /dev/null; then + cat /var/cache/akmods/nvidia/"$akmod_version"-for-"$kernel_version".failed.log && exit 1 +fi diff --git a/akmods/certs/private_key.priv.test b/akmods/certs/private_key.priv.test new file mode 100644 index 0000000..7eaeb62 --- /dev/null +++ b/akmods/certs/private_key.priv.test 
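Review bot: After `akmods --force --kernels "$kernel_version" --kmod nvidia` the script checks with `modinfo` that the modules exist, but never that they carry a signature from the key staged in `/etc/pki/akmods/private`, which is the whole purpose of this image; an akmods run that skipped signing would still pass. Add a check such as `modinfo -F signer /usr/lib/modules/"$kernel_version"/extra/nvidia/nvidia.ko.xz | grep -q .` and fail the build when it prints nothing, or compare the signer against the subject of `public_key.der` (`openssl x509 -inform der -noout -subject`). The `.ko.xz` suffix assumes xz-compressed modules, which matches Fedora 39 as far as I know; if the base moves to another compression the glob silently misses and the failure branch then tries to `cat` a log that may not exist. The trailing `\` before the blank line after `xorg-x11-drv-nvidia-{cuda,power}-"$NVIDIA_VERSION"*` ends the command harmlessly but reads like a truncated list — drop it.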
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCnhbl1MBCEH530 +8yr+Hz0pnp4If2+fUX2p2fEdEYYhKCPV35PnICTkMxQQn/ZFSb+XN12e96ljgjne +mt7O87xrzaGKr6COEHiq7oT+y8gl3QOP4nJaufDQSOFpI+RIgNH40Kids1KJe82z +kAjSXIAeCX2P1CxvE1PFUN7QlsEm/6iVyGb6g6WmQ4mETBHJqJO0uKvj1+SmPo5p +QE1zixHJganmqwurpFdbpuj6Ss2HUtyEzFq7b7wFJiOiVQW70ihErUAHh+Kvy5cO +jjGvpOdkbvxJEQG/G9TkaUBwO/a+u1HSGVMEpQcVTJwgHWBd59ueTApm1bNQDFM4 +RsxoltFe1x0NLpbBDgHouTz+6JIIn4qC/ALWA54pQsjBhzEk49maZdgztyGYYGuE +TkSwIBPud+13syY38FgbOQwCCYz4JN00Q0BPmkBhKdvxcbwTR/s/QXUssinjR5JS +Ynp1keKXx7ITLT+N9euVhMGBt1WPFNSYaFQ575yOKPSQ627ioJDvFByJGlew5hOI +sRjIRsifu7uncSaOb1PqMwHVqWqSfQOrh7qvNUuTyTojsWpeS1PB5qAE8D7NWzhl +fUvJyIaYqt4APj3vrBOcdRD4humDJQ2ezuaAOg9DtqqdQ0sI1yMG/eV+BlP9a987 +VTO2DqjGwQeLdy78biY5WUqftmyTaQIDAQABAoICAAy/HnKJ4NXWzIdq+cBaiuY3 +7x0lKi6AjjvebQvZzZ+H/PsM7yVw0xHIh6wwqbXRs9nrEOzzugAr9GCJXu73CYUX +4UTq0mAA5ZeW/Mhg49aqs5bPA4W+/HFyvDEKdbglEiT5Jn1SW9NBd/BD40HzXx25 ++eN34NYmTbNXsQ6EzAdeQFr+Q8Snv/LP1H68JYXXNX70psKYRqn2HFKqnYIPSMAR +BUcbiHCr2WhMQdGqn6sebVBO9s/og3FOWruDNeOZzO3V02eHScK3zmOBgwsS9HbW +QYzDNiNvGBK1pf0sON0AJoyCmAgkUO7IVKBWb+LRTasErO1wcPuEJpBjhbHnGODb +cqxXOUJFESxkJpeWwmGVJ3IF8tF0j2jTsPpSCCB9doqog5tK5w8J7ZP2SflfZ8RC +U+JBJzBSu5IefoUgvCpxwBBGPX7ctWPoffDu68t9FVeD8Htucvj8tlN4g6U2C38r +IeamGl2eeMnQE7HCUJGAJcvuCasG+zmd2VO3oUV2ApI4YTTkO5F6VRPry2kGcFx0 +c6gj7X4+LIkAOWUvEy3cEuePzNIiKZS2b9tlwemSy8r39SPNXjxJgk0XdGCXW1ua +opjaD+kY9G2IfnfMHTXbVSjbRUA3ovXnLe0B5NBTIHbKwZW0XDBokh/fXewyFD8G +tkBCqDcoL8H6VGatvV0RAoIBAQDmUo/PaBDlel6oOKQL9xkoKOEUMZGpl/LyhDIy +LnaNdn/pd9sJF/i5TbfYCunTCyayERM0twN1OueyXavxIsTcIV0otAbMP9hU8Nbw +bCYFmDJiB9qSfGUMyPJwnq/EKZ3jAd/Lz5mgfZzGo/P4KM680heriHNGu1zxiRVl +O3pHgRvmFUU1ZVhTHVs+Rd6liz45A2iEm7lIHAPvNF4pC6/JE6zjp6a7+C28heSf +rOKViC+Hb8CApczo5B7VDTEYHUYXhF5wDEPqnKKwMxPXCk8/AJSKbVWcfV3iJpoR +lExJRqUpfm7tg9LJx+j/qM6+J2A+QEHZOgzKjNZJrN7s4pg5AoIBAQC6MtZYPYS+ +BtNxZbQwnSaqPGkCjZcP9TZkTKUZPmKcOtyR9oL37raLI1K1l5DnSHFrLdQeXAgf 
+gg+hrWMAAhQ6tjr6S1ZhHZDxUM5+lGIij1//xq4Xd/opSklH9ufc0WHr+YCcaq/3 +lvZ1aJkZKKQY4BIge00ph+e6zswvDMPjHNcGtS6hhghdVkFSl7rc5KZYJh9IdHdq +XbuGqxuLhJOx0AsHQ5uorgwp2Oc+l9RfMIhDyBwcLC2KUYY4DGLc2/yKfzfS/lGo +weJEVlkJ8V1jy2H+ZHCMlLnILYZw39PH6jwMBSKRxpj7dHGra9QVBxpkgDms0fc1 +vd3UaUeMA/SxAoIBAAao5n2hzbNE+Y21rZCnAXQ20mNKF6MmwKCgj+8Bhu4KOiKf +E5dMuSVqiOFXV3GBxgmqErsYe6IdJOv0Z29eiQCwekgeBIBNbEzwddaX2fWZdAN/ +pKNNs4JOISx+eiia53TT7guvogqQ90KLJRfM3kV5cbPFC0hFTKezRgoaUSvWIN9j +SBAGMSqeE7BWRtzUjOULIy+KbS4XmUmGYx6etuOCjSI8C8ctouzrljPDxP175Zvt +8EwH/0fQqM+SRRQkbI1rh2uH/0K+arnbkDxMkQQKWUEzbiFLQrayVQwjFJ2dzFLJ +1B1MDYFGJYeW8vtumgrSwtSsKAiHT/7rX7rLxokCggEAPMb7UDJEcgKoYgtglb22 +MTsmy76L4JmZ94NNIMBMT9KmzL46YdN5olEVXlDq65Op8eIzqvU/cYlysMN33TjQ +gZmaBrkwqOKNvTczL/4fSkiifUrM6Lww2+lzohnl9R4jaHM4l9X7OkX8jLZnwt6R +Mc1yHUgiF7xU15VI8NKp3ig7x+S8I90sPcs550u/ovq/kWZgL7ZUhFO0MnEHvLK5 +wwC1mNlopdaqAb7bPIMyvx+IWxemlUuWUd/qf8ELRCxKcqqz/hslbIBc6xGEXsp6 +QWjRw8flNP4W5lB14cItzsOWdhX3Ar5gkTOhJuM7huGaq9NvAApJNzGShxMWV42z +AQKCAQEA2MYJY/MDQErTLj9KDHY9/z+WQCzFJhqTUGabiTgKCW7kKo3amnkMHUT6 +Rrs+bGtBc5pE8w8lfTNNrt2uI8O5dKAymc+ZUFMozwp3y80tJsYxHFm+I85siu5p +OEsYgBe1NM9zkB2JhuC80G/4J/EPjEpbUcYBqutTNPMGh0TGMGotDSfWGlen/N+2 +pWRib9UosuHO32jgke8CmyffOmYsSIJtedofn8wWOCh0qcFhILkL665Y6t5MQ2ag +7C0nihqnxnH8mXRRgXEBajfsep4idNu3dmuGpSFWqNqLUEpo6f27UE4xnlNgOBu0 +zZ2p5aYoccVEV0+x6AvPPwe3Gc9vvw== +-----END PRIVATE KEY----- diff --git a/akmods/certs/public_key.der b/akmods/certs/public_key.der new file mode 100644 index 0000000..52c36da Binary files /dev/null and b/akmods/certs/public_key.der differ diff --git a/akmods/certs/public_key.der.test b/akmods/certs/public_key.der.test new file mode 100644 index 0000000..73af0d3 Binary files /dev/null and b/akmods/certs/public_key.der.test differ diff --git a/akmods/install.sh b/akmods/install.sh new file mode 100755 index 0000000..d8d1a87 --- /dev/null +++ b/akmods/install.sh 
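Review bot: A private key is committed here, and `akmods/prep.sh` copies it over `private_key.priv` whenever a real key is absent, so any build that takes the fallback produces kernel modules signed with a key everyone has and an `akmods-cert` RPM carrying the matching public cert. If such a build ever reached a pushed image, a user enrolling that cert with `mokutil` would trust every module anyone signs with this key. Prefer generating a throwaway key in the fallback path instead of committing one — `openssl req -x509 -newkey rsa:4096 -nodes -days 1 -subj '/CN=akmods-test/' -keyout private_key.priv -out public_key.pem` followed by `openssl x509 -in public_key.pem -outform der -out public_key.der` — so test builds are visibly distinct from releases; secret scanners will also flag this file as it stands.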
@@ -0,0 +1,7 @@ +#!/usr/bin/env bash +set -euxo pipefail + +cp /tmp/akmods-cert/rpmbuild/RPMS/noarch/getchoo-akmods-cert*.rpm /var/cache/rpms/akmods-cert/ +find /var/cache/akmods -type f -name \*.rpm | while read -r rpm; do + cp "$rpm" /var/cache/rpms/kmods/ +done diff --git a/akmods/prep.sh b/akmods/prep.sh new file mode 100755 index 0000000..b7ee4ae --- /dev/null +++ b/akmods/prep.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +set -euxo pipefail + +# enable alternatives (for ld to be available) +mkdir -p /var/lib/alternatives + +# install rpmfusion +release=$(rpm -E %fedora) +rpm-ostree install \ + "https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$release.noarch.rpm" \ + "https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$release.noarch.rpm" + +rpm-ostree install akmods mock + +if [ ! -e /tmp/certs/private_key.priv ]; then + echo "WARNING: Using test signing key." >> "${GITHUB_OUTPUT:-/dev/stdout}" + cp /tmp/certs/private_key.priv{.test,} + cp /tmp/certs/public_key.der{.test,} +fi + +install -Dm644 {/tmp/certs,/etc/pki/akmods/certs}/public_key.der +install -Dm644 {/tmp/certs,/etc/pki/akmods/private}/private_key.priv + +# directory for signed artifacts +mkdir -p /var/cache/rpms/kmods +# directory for akmods public cert +mkdir -p /var/cache/rpms/akmods-cert diff --git a/initial_setup.sh b/initial_setup.sh new file mode 100755 index 0000000..0d60ddc --- /dev/null +++ b/initial_setup.sh 
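Review bot: The fallback test `[ ! -e /tmp/certs/private_key.priv ]` only checks existence, but `build.yaml` writes the key with `echo "$AKMODS_KEY" > akmods/certs/private_key.priv` unconditionally on non-PR runs, so a fork or a run with the secret unset gets a one-byte file that passes the check and the build proceeds with an empty private key. Use `-s` instead: `if [ ! -s /tmp/certs/private_key.priv ]; then`. The warning is appended to `$GITHUB_OUTPUT`, which is the step-output key=value file and is not set inside the buildah container anyway; send it to stderr, `echo "WARNING: Using test signing key." >&2`, or to `$GITHUB_STEP_SUMMARY` if a visible note is wanted. Because a fallback during a push build would silently sign with the committed test key, consider making it opt-in (for example only when an `ALLOW_TEST_KEY=1` build arg is set) and failing otherwise.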
@@ -0,0 +1,25 @@ +#!/usr/bin/env bash +set -euxo pipefail + +# make sure we're using the right flathub +flatpak remote-delete flathub --force +flatpak remote-add --system --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + +# add all of our stuff :) +to_install=( + "com.raggesilver.BlackBox" + "io.github.celluloid_player.Celluloid" + "com.spotify.Client" + "com.discordapp.Discord" + "com.mattjakeman.ExtensionManager" + "org.mozilla.firefox" + "com.github.tchx84.Flatseal" + "org.freedesktop.Platform.VulkanLayer.MangoHud" + "org.prismlauncher.PrismLauncher" + "io.github.flattool.Warehouse" +) + +for id in "${to_install[@]}"; do + flatpak install --user --noninteractive flathub "$id" +done diff --git a/nvidia/Containerfile b/nvidia/Containerfile new file mode 100644 index 0000000..7396539 --- /dev/null +++ b/nvidia/Containerfile @@ -0,0 +1,13 @@ +ARG IMAGE_FLAVOR="${IMAGE_FLAVOR:-getchblue}" +ARG BASE_IMAGE="ghcr.io/getchoo/${IMAGE_FLAVOR}" +ARG FEDORA_VERSION="${FEDORA_VERSION:-39}" + +FROM ${BASE_IMAGE}:${FEDORA_VERSION} as nvidia +ARG FEDORA_VERSION="${FEDORA_VERSION:-39}" +ARG NVIDIA_VERSION="${NVIDIA_VERSION:-535}" + +COPY install.sh /tmp/install.sh +COPY --from ghcr.io/getchoo/akmods:${FEDORA_VERSION}-${NVIDIA_VERSION} /rpms /tmp/akmods + +RUN /tmp/install.sh ${NVIDIA_VERSION} && rpm-ostree cleanup -m && \ + rm -rf /tmp/* /var/* && ostree container commit diff --git a/nvidia/install.sh b/nvidia/install.sh new file mode 100644 index 0000000..f3c577f --- /dev/null +++ b/nvidia/install.sh 
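Review bot: `flatpak remote-delete flathub --force` runs under `set -e`, and as far as I can tell `remote-delete` errors when the remote does not exist (`--force` only overrides the in-use check), so on a system without a `flathub` remote the script aborts before adding anything; guard it with `flatpak remote-delete --force flathub || true` or test `flatpak remotes --columns=name` first. From the root Containerfile this script is shipped to `/usr/local/bin` rather than run at build time, so a header comment saying it is meant to be run by the user after first boot, and that it deletes and re-adds the system-wide flathub remote, would help. The per-id loop could be one `flatpak install --user --noninteractive flathub "${to_install[@]}"` call, which resolves runtimes once.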
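Review bot: `COPY --from ghcr.io/getchoo/akmods:${FEDORA_VERSION}-${NVIDIA_VERSION} /rpms /tmp/akmods` is missing the `=` in `--from=`, so the image reference is very likely not parsed as the source and the build fails at this line. Beyond the syntax, both the base (`ghcr.io/getchoo/${IMAGE_FLAVOR}:39`) and the akmods image are consumed by mutable tags that the same workflow run has just pushed; if a push fails or another run races, this stage silently builds against whatever was last tagged, and the kmods inside may not match this kernel. Pass the digests from the `akmods` and `base` jobs (`steps.push.outputs.digest`) as build args and reference them here, e.g. `ARG AKMODS_DIGEST` and `COPY --from=ghcr.io/getchoo/akmods@${AKMODS_DIGEST} /rpms /tmp/akmods`, so the consumed artifacts are pinned to what this run produced.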
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +set -euxo pipefail + +NVIDIA_VERSION="${1:-}" + +if [ -z "${NVIDIA_VERSION}" ]; then + echo "I need a major version of a NVIDIA driver! (i.e., 535)" + exit 1 +fi + +rpm-ostree install /tmp/akmods/akmods-cert/getchoo-akmods-cert*.rpm + +rpm-ostree install \ + xorg-x11-drv-nvidia-{cuda,power}-"$NVIDIA_VERSION"* \ + nvidia-vaapi-driver \ + /tmp/akmods/kmods/kmod-nvidia-*.rpm diff --git a/override.sh b/override.sh new file mode 100755 index 0000000..4d3597a --- /dev/null +++ b/override.sh @@ -0,0 +1,39 @@ +#!/usr/bin/env bash +set -euxo pipefail + +to_add=( + "chromium" + "fish" # > bash + + # gnome stuff + "adw-gtk3-theme" + "gnome-tweaks" + "gnome-shell-extension-caffeine" + qadwaitadecorations-qt{5,6} + + # maybe one day these will be good on flatpak :p + "lutris" + "mangohud" + "steam" +) + +# remove non-flatpak firefox +rpm-ostree override remove firefox firefox-langpacks + +# install rpm fusion +release=$(rpm -E %fedora) +rpm-ostree install \ + "https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$release.noarch.rpm" \ + "https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$release.noarch.rpm" + +# install hardware codecs +rpm-ostree override remove mesa-va-drivers --install mesa-va-drivers-freeworld +rpm-ostree install mesa-vdpau-drivers-freeworld + +# install software codecs +## i have no idea why i have to do this just for ffmpeg +rpm-ostree override remove libavcodec-free libavfilter-free libavformat-free libavutil-free libpostproc-free libswresample-free libswscale-free --install ffmpeg +rpm-ostree install gstreamer1-plugin-libav gstreamer1-plugins-bad-free-extras gstreamer1-plugins-bad-freeworld gstreamer1-plugins-ugly gstreamer1-vaapi + +# install extra packages +rpm-ostree install "${to_add[@]}" -- cgit v1.2.3
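Review bot: `nvidia/install.sh` is committed with mode 100644 while `nvidia/Containerfile` executes it directly via `RUN /tmp/install.sh`, so `COPY` preserves the non-executable bit and the build fails with permission denied; `chmod +x nvidia/install.sh` as the other scripts are, or invoke it with `bash /tmp/install.sh`. The kmod RPM is installed without checking that it was built for the kernel in this base: `akmods` compiled against the kernel in `fedora-ostree-desktops/base` at its own build time, and `getchblue` may carry a different one if the two base pulls diverge, leaving a module that never loads. Before the install, add `kernel_version="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"` and `ls /tmp/akmods/kmods/kmod-nvidia-"$kernel_version"-*.rpm >/dev/null`, assuming the kmod RPM name embeds the kernel version as akmods output usually does.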
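Review bot: The RPM Fusion release packages are installed straight from `https://mirrors.rpmfusion.org/...` URLs, and as far as I know `rpm-ostree install` treats a URL like a local package with no GPG check, so trust in the repos and keys every later install relies on rests entirely on TLS to the mirror redirector. Download them first and verify before installing — a pinned `sha256sum -c`, or import the RPM Fusion key and run `rpm -K` on the files — and apply the same to `akmods/prep.sh`, which has the identical pattern. The `## i have no idea why i have to do this just for ffmpeg` note would read better as a hedged explanation, e.g. `# the -free libav* packages presumably conflict with RPM Fusion's ffmpeg, so they must be removed in the same transaction — confirm`, so the next maintainer knows it is a suspected conflict rather than a mystery.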