feat: add greetd SELinux support and Nvidia Images (#39)

* feat: add greetd SELinux support and Nvidia Images * fix: missing fi * fix: rawhide vs numbered version * chore(ci): remove qemu * chore(ci): update cosign public key * chore(ci): use lists instead of brackets
ublue-os · Jul 16, 2024 · 2ac8dd9 · 2ac8dd9
1 parent 56255b8
commit 2ac8dd9
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 29 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,15 +4,15 @@ on:
   pull_request:
   merge_group:
   schedule:
-    - cron: '0 15 * * *'  # 3pm UTC everyday (timed against official fedora container pushes)
+    - cron: "0 15 * * *" # 3pm UTC everyday (timed against official fedora container pushes)
   workflow_dispatch:
 
 env:
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 
 jobs:
   build:
-    name: Build 
+    name: Build
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -21,9 +21,27 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: [amd64]
-        version: [39, 40, rawhide]
-        flavor: [base, silverblue, kinoite]
+        arch:
+          - amd64
+        version:
+          - 39
+          - 40
+          - rawhide
+        flavor:
+          - base
+          - base-nvidia
+          - silverblue
+          - silverblue-nvidia
+          - kinoite
+          - kinoite-nvidia
+        exclude:
+          - version: rawhide
+            flavor: base-nvidia
+          - version: rawhide
+            flavor: silverblue-nvidia
+          - version: rawhide
+            flavor: kinoite-nvidia
+
     steps:
       # Checkout push-to-registry action GitHub repository
       - name: Checkout Push to Registry action
@@ -50,7 +68,7 @@ jobs:
             BUILD_TAGS+=("${TIMESTAMP}")
             BUILD_TAGS+=("latest-${{ matrix.arch }}")
           fi
-          
+
           alias_tags=("${BUILD_TAGS[@]}")
           echo "Generated the following build tags: "
           for TAG in "${BUILD_TAGS[@]}"; do
@@ -72,17 +90,16 @@ jobs:
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md
             io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
 
-      - name: Install qemu dependency
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y qemu-user-static
-     
       # Create Variables. Use UBlue images for amd64, fedora-ostree desktop for arm64
       - name: matrix-variables
         run: |
           if [[ ${{ matrix.arch }} = "amd64" && ${{ matrix.version }} != "rawhide" ]]; then
             echo "SOURCE_ORG=ghcr.io/ublue-os" >> $GITHUB_ENV
-            echo "SOURCE_IMAGE=${{ matrix.flavor }}-main" >> $GITHUB_ENV
+            if [[ "${{ matrix.flavor }}" =~ "nvidia" ]]; then
+              echo "SOURCE_IMAGE=${{ matrix.flavor }}" >> $GITHUB_ENV
+            else
+              echo "SOURCE_IMAGE=${{ matrix.flavor }}-main" >> $GITHUB_ENV
+            fi
           else
             echo "SOURCE_ORG=quay.io/fedora-ostree-desktops" >> $GITHUB_ENV
             echo "SOURCE_IMAGE=${{ matrix.flavor }}" >> $GITHUB_ENV

diff --git a/Containerfile b/Containerfile
@@ -4,21 +4,24 @@ ARG BASE_IMAGE="${SOURCE_ORG}/${SOURCE_IMAGE}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 
 FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION}
+ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 
-# Setup Copr repo
-RUN wget https://copr.fedorainfracloud.org/coprs/ryanabx/cosmic-epoch/repo/fedora-40/ryanabx-cosmic-epoch-fedora-$(rpm -E %fedora).repo -O /etc/yum.repos.d/_copr_ryanabx-cosmic.repo
-
-# Install cosmic desktop environment
-RUN rpm-ostree install cosmic-desktop
-
-# Install extras (currently just a power manager and a libsecret manager)
-RUN rpm-ostree install \
-    tuned \
-    gnome-keyring
-
-# Set up display manager
-RUN rm -f /etc/systemd/system/display-manager.service && \
-    ln -s /usr/lib/systemd/system/cosmic-greeter.service /etc/systemd/system/display-manager.service
+COPY greetd-workaround.service /usr/lib/systemd/system/greetd-workaround.service
 
-RUN ostree container commit && \
+# Build in one step
+RUN bash -c "if [[ ${FEDORA_MAJOR_VERSION} == "rawhide" ]]; then \
+        curl -Lo /etc/yum.repos.d/_copr_ryanabx-cosmic.repo \
+            https://copr.fedorainfracloud.org/coprs/ryanabx/cosmic-epoch/repo/fedora-rawhide/ryanabx-cosmic-epoch-fedora-rawhide.repo \
+        ;else curl -Lo /etc/yum.repos.d/_copr_ryanabx-cosmic.repo \
+                https://copr.fedorainfracloud.org/coprs/ryanabx/cosmic-epoch/repo/fedora-$(rpm -E %fedora)/ryanabx-cosmic-epoch-fedora-$(rpm -E %fedora).repo \
+        ; fi" && \
+    rpm-ostree install \
+        cosmic-desktop && \
+    rpm-ostree install \
+        tuned \
+        gnome-keyring && \
+    rm -f /etc/systemd/system/display-manager.service && \
+    ln -s /usr/lib/systemd/system/cosmic-greeter.service /etc/systemd/system/display-manager.service && \
+    ln -s /usr/lib/systemd/system/greetd-workaround.service /etc/systemd/system/multi-user.target.wants/greetd-workaround.service && \
+    ostree container commit && \
     mkdir -p /var/tmp && chmod -R 1777 /var/tmp
diff --git a/cosign.pub b/cosign.pub
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHLRpBfPRYiMl9wb7s6fx47PzzNWu
+3zyJgXhWEvxoOgwv9CpwjbvUwR9qHxNMWkJhuGE6cjDA2hpy1I6NbA+24Q==
 -----END PUBLIC KEY-----
diff --git a/greetd-workaround.service b/greetd-workaround.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Workaround for SELinux issues for greetd
+ConditionFileIsExecutable=/usr/bin/greetd
+After=local-fs.target
+
+[Service]
+Type=oneshot
+# Copy if it doesn't exist
+ExecStartPre=/usr/bin/mkdir -p /usr/local/bin/overrides
+ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/overrides/greetd ] || /usr/bin/cp /usr/bin/greetd /usr/local/bin/overrides/greetd"
+# This is faster than using .mount unit. Also allows for the previous line/cleanup
+ExecStartPre=/usr/bin/bash -c "/usr/bin/mount --bind /usr/local/bin/overrides/greetd /usr/bin/greetd"
+# Fix caps
+ExecStart=/usr/bin/bash -c "/usr/sbin/restorecon -rv /usr/bin/greetd"
+# Clean-up after ourselves
+ExecStop=/usr/bin/umount /usr/bin/greetd
+ExecStop=/usr/bin/rm /usr/local/bin/overrides/greetd
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target