From 7df9dc08f49edf5213ae2a2ce7e50cea8f27b411 Mon Sep 17 00:00:00 2001 From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com> Date: Thu, 7 May 2026 04:54:09 +0100 Subject: [PATCH] =?UTF-8?q?bluebuild(recipe):=20swap=20type:script=20+=20t?= =?UTF-8?q?ype:systemd=20=E2=86=92=20type:containerfile?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both bluebuild module types ship a helper (script.nu / systemd.nu) inside their bind-mounted module image at /tmp/modules. The first thing run_module.sh does is chmod +x the helper, which fails 'Operation not permitted' under podman/buildah privileged in our runner — same root cause as the type:files chmod we already worked around with type:copy. Raw `type: containerfile` (RUN block) bypasses bluebuild's module helpers entirely. Move our brand+chmod+fc-cache+os-release sed + brand-leak guard into one RUN line, and the systemctl enable/disable into another. This should clear the last bluebuild module-helper blocker. Co-Authored-By: Claude Opus 4.7 --- bluebuild/recipe.yml | 89 ++++++++++++++++++-------------------------- 1 file changed, 37 insertions(+), 52 deletions(-) diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml index 4a3d3a1..cad5e62 100644 --- a/bluebuild/recipe.yml +++ b/bluebuild/recipe.yml @@ -41,40 +41,33 @@ modules: destination: /usr/share/veilor-os/scripts # ── 2. Branding overrides at build time ───────────────────────── - - type: script + # Use raw `type: containerfile` (RUN line) instead of `type: script` + # — bluebuild's script-module helper script.nu fails 'chmod: + # Operation not permitted' on its own bind-mounted layer under + # podman/buildah privileged. Raw RUN bypasses the helper. + - type: containerfile snippets: - | - # os-release brand - sed -i \ - -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \ - /etc/default/grub 2>/dev/null || true - # Apply our kde-theme + plymouth in build - bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true - bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true - plymouth-set-default-theme details 2>/dev/null || true - # Mark all our shipped scripts + CLIs executable. cp -a from the - # repo preserves perms but BlueBuild's `type: files` sometimes - # drops the +x bit on the way through; belt-and-braces here. - chmod +x /usr/share/veilor-os/scripts/*.sh \ - /usr/share/veilor-os/scripts/selinux/*.sh \ - /usr/local/bin/veilor-* 2>/dev/null || true - # Refresh fontconfig cache so Fira Code is picked up by KDE - fc-cache -f 2>/dev/null || true - # os-release brand override (atomic /etc is r/w; safe to overwrite) - if [ -f /etc/os-release ]; then - sed -i \ - -e 's|^NAME=.*|NAME="veilor-os"|' \ - -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \ - -e 's|^ID=.*|ID=veilor|' \ - -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \ - /etc/os-release || true - fi - # Sanity: brand-leak check, fail build if any onyx/personal data slipped in - if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \ - /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then - echo "[ERR] brand leak detected in shipped state" - exit 1 - fi + RUN sed -i -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' /etc/default/grub 2>/dev/null || true ; \ + bash /usr/share/veilor-os/scripts/kde-theme-apply.sh 2>/dev/null || true ; \ + bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true ; \ + plymouth-set-default-theme details 2>/dev/null || true ; \ + chmod +x /usr/share/veilor-os/scripts/*.sh \ + /usr/share/veilor-os/scripts/selinux/*.sh \ + /usr/local/bin/veilor-* 2>/dev/null || true ; \ + fc-cache -f 2>/dev/null || true ; \ + if [ -f /etc/os-release ]; then \ + sed -i \ + -e 's|^NAME=.*|NAME="veilor-os"|' \ + -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \ + -e 's|^ID=.*|ID=veilor|' \ + -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \ + /etc/os-release || true ; \ + fi ; \ + if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \ + /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then \ + echo "[ERR] brand leak detected" ; exit 1 ; \ + fi # ── 3. Override secureblue's run0-only — restore sudo ─────────── # secureblue removes sudo + replaces with run0. Too disruptive for @@ -127,26 +120,18 @@ modules: source: config/just destination: /usr/share/ublue-os/just - # ── 8. Service tuning: tailscale pre-disabled, yggdrasil idle ─── - - type: systemd - system: - enabled: - - yggdrasil.service # idle warm-fallback (config = empty Listen[]) - disabled: - - tailscaled.service # awaits first-boot prompt for join - # secureblue parents already enable: sshd, fail2ban, usbguard, - # auditd, firewalld, chronyd, sddm — no re-enable needed. - - # ── 9. veilor-os specific systemd units ───────────────────────── - # All veilor-* units come in via overlay/etc/systemd/system/ — - # explicit enable here since they aren't part of secureblue's set. - - type: systemd - system: - enabled: - - veilor-firstboot.service - - veilor-modules-lock.service - - veilor-postinstall.service - - veilor-doctor.timer + # ── 8 + 9. systemd unit enables/disables ──────────────────────── + # Same chmod-permitted blocker on `type: systemd` helper. Use raw + # RUN systemctl preset/enable/disable instead. + - type: containerfile + snippets: + - | + RUN systemctl enable yggdrasil.service 2>/dev/null || true ; \ + systemctl disable tailscaled.service 2>/dev/null || true ; \ + systemctl enable veilor-firstboot.service 2>/dev/null || true ; \ + systemctl enable veilor-modules-lock.service 2>/dev/null || true ; \ + systemctl enable veilor-postinstall.service 2>/dev/null || true ; \ + systemctl enable veilor-doctor.timer 2>/dev/null || true # ── 10. signing config ────────────────────────────────────────── # cosign.pub committed alongside this recipe; cosign.key kept off