bluebuild(recipe): swap type:script + type:systemd → type:containerfile

Both bluebuild module types ship a helper (script.nu / systemd.nu)
inside their bind-mounted module image at /tmp/modules. The first
thing run_module.sh does is chmod +x the helper, which fails
'Operation not permitted' under podman/buildah privileged in our
runner — same root cause as the type:files chmod we already worked
around with type:copy.

Raw `type: containerfile` (RUN block) bypasses bluebuild's module
helpers entirely. Move our brand+chmod+fc-cache+os-release sed +
brand-leak guard into one RUN line, and the systemctl
enable/disable into another.

This should clear the last bluebuild module-helper blocker.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

bluebuild/recipe.yml

@@ -41,40 +41,33 @@ modules:
     destination: /usr/share/veilor-os/scripts
 
   # ── 2. Branding overrides at build time ─────────────────────────
-  - type: script
+  # Use raw `type: containerfile` (RUN line) instead of `type: script`
+  # — bluebuild's script-module helper script.nu fails 'chmod:
+  # Operation not permitted' on its own bind-mounted layer under
+  # podman/buildah privileged. Raw RUN bypasses the helper.
+  - type: containerfile
     snippets:
       - |
-        # os-release brand
+        RUN sed -i -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' /etc/default/grub 2>/dev/null || true ; \
-        sed -i \
+            bash /usr/share/veilor-os/scripts/kde-theme-apply.sh 2>/dev/null || true ; \
-          -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \
+            bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true ; \
-          /etc/default/grub 2>/dev/null || true
+            plymouth-set-default-theme details 2>/dev/null || true ; \
-        # Apply our kde-theme + plymouth in build
+            chmod +x /usr/share/veilor-os/scripts/*.sh \
-        bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true
+                     /usr/share/veilor-os/scripts/selinux/*.sh \
-        bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true
+                     /usr/local/bin/veilor-* 2>/dev/null || true ; \
-        plymouth-set-default-theme details 2>/dev/null || true
+            fc-cache -f 2>/dev/null || true ; \
-        # Mark all our shipped scripts + CLIs executable. cp -a from the
+            if [ -f /etc/os-release ]; then \
-        # repo preserves perms but BlueBuild's `type: files` sometimes
+              sed -i \
-        # drops the +x bit on the way through; belt-and-braces here.
+                -e 's|^NAME=.*|NAME="veilor-os"|' \
-        chmod +x /usr/share/veilor-os/scripts/*.sh \
+                -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \
-                 /usr/share/veilor-os/scripts/selinux/*.sh \
+                -e 's|^ID=.*|ID=veilor|' \
-                 /usr/local/bin/veilor-* 2>/dev/null || true
+                -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
-        # Refresh fontconfig cache so Fira Code is picked up by KDE
+                /etc/os-release || true ; \
-        fc-cache -f 2>/dev/null || true
+            fi ; \
-        # os-release brand override (atomic /etc is r/w; safe to overwrite)
+            if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
-        if [ -f /etc/os-release ]; then
+                /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then \
-          sed -i \
+              echo "[ERR] brand leak detected" ; exit 1 ; \
-            -e 's|^NAME=.*|NAME="veilor-os"|' \
+            fi
-            -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \
-            -e 's|^ID=.*|ID=veilor|' \
-            -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
-            /etc/os-release || true
-        fi
-        # Sanity: brand-leak check, fail build if any onyx/personal data slipped in
-        if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
-            /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then
-          echo "[ERR] brand leak detected in shipped state"
-          exit 1
-        fi
 
   # ── 3. Override secureblue's run0-only — restore sudo ───────────
   # secureblue removes sudo + replaces with run0. Too disruptive for
@@ -127,26 +120,18 @@ modules:
     source: config/just
     destination: /usr/share/ublue-os/just
 
-  # ── 8. Service tuning: tailscale pre-disabled, yggdrasil idle ───
+  # ── 8 + 9. systemd unit enables/disables ────────────────────────
-  - type: systemd
+  # Same chmod-permitted blocker on `type: systemd` helper. Use raw
-    system:
+  # RUN systemctl preset/enable/disable instead.
-      enabled:
+  - type: containerfile
-        - yggdrasil.service        # idle warm-fallback (config = empty Listen[])
+    snippets:
-      disabled:
+      - |
-        - tailscaled.service       # awaits first-boot prompt for join
+        RUN systemctl enable yggdrasil.service 2>/dev/null || true ; \
-        # secureblue parents already enable: sshd, fail2ban, usbguard,
+            systemctl disable tailscaled.service 2>/dev/null || true ; \
-        # auditd, firewalld, chronyd, sddm — no re-enable needed.
+            systemctl enable veilor-firstboot.service 2>/dev/null || true ; \
-
+            systemctl enable veilor-modules-lock.service 2>/dev/null || true ; \
-  # ── 9. veilor-os specific systemd units ─────────────────────────
+            systemctl enable veilor-postinstall.service 2>/dev/null || true ; \
-  # All veilor-* units come in via overlay/etc/systemd/system/ —
+            systemctl enable veilor-doctor.timer 2>/dev/null || true
-  # explicit enable here since they aren't part of secureblue's set.
-  - type: systemd
-    system:
-      enabled:
-        - veilor-firstboot.service
-        - veilor-modules-lock.service
-        - veilor-postinstall.service
-        - veilor-doctor.timer
 
   # ── 10. signing config ──────────────────────────────────────────
   # cosign.pub committed alongside this recipe; cosign.key kept off