bluebuild(recipe): reconcile kickstart %post into BlueBuild modules (A2)
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + push OCI (push) Failing after 18s
Walk every action in kickstart/veilor-os.ks %post and map to its v0.7 atomic equivalent:

Build-time script additions:
- chmod +x /usr/share/veilor-os/scripts/* + /usr/local/bin/veilor-* (BlueBuild type:files sometimes drops perms)
- fc-cache -f after Fira Code stamping
- os-release brand override (NAME=veilor-os, ID=veilor, ID_LIKE)
- brand-leak guard: fail the image build if any onyx/personal data slipped through into shipped state

Layered packages:
- zram-generator (memory hygiene; replaces dnf install in kickstart)
- jq (used by veilor-doctor for `bootc status --json`)
- vim-enhanced + tmux + htop (admin essentials, parity with v0.5.x)

Systemd unit enables added:
- veilor-postinstall.service (first-login TUI; new in A3)
- veilor-doctor.timer (weekly drift check; new in A3)

Dropped: anaconda transaction_progress.py patch (build-time CI work, not image content); SDDM display-manager symlink (kinoite ships sddm.service already); SELinux module build (secureblue has its own); systemctl set-default multi-user.target (kinoite is graphical.target by design).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent 6fcdd7e04c
commit ebf61ab93b
1 changed file with 40 additions and 2 deletions
@ -52,6 +52,29 @@ modules:
bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true
bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true
bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true
bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true
plymouth-set-default-theme details 2>/dev/null || true
plymouth-set-default-theme details 2>/dev/null || true
# Mark all our shipped scripts + CLIs executable. cp -a from the
# repo preserves perms but BlueBuild's `type: files` sometimes
# drops the +x bit on the way through; belt-and-braces here.
chmod +x /usr/share/veilor-os/scripts/*.sh \
/usr/share/veilor-os/scripts/selinux/*.sh \
/usr/local/bin/veilor-* 2>/dev/null || true
# Refresh fontconfig cache so Fira Code is picked up by KDE
fc-cache -f 2>/dev/null || true
# os-release brand override (atomic /etc is r/w; safe to overwrite)
if [ -f /etc/os-release ]; then
sed -i \
-e 's|^NAME=.*|NAME="veilor-os"|' \
-e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \
-e 's|^ID=.*|ID=veilor|' \
-e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
/etc/os-release || true
fi
# Sanity: brand-leak check, fail build if any onyx/personal data slipped in
if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
/etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then
echo "[ERR] brand leak detected in shipped state"
exit 1
fi

# ── 3. Override secureblue's run0-only — restore sudo ───────────
# ── 3. Override secureblue's run0-only — restore sudo ───────────
# secureblue removes sudo + replaces with run0. Too disruptive for
# secureblue removes sudo + replaces with run0. Too disruptive for
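Review bot: the os-release override (the `sed -i` block) rewrites `ID=` to `veilor`, which changes the behaviour of anything keyed on the distro ID, and `ID_LIKE="fedora kinoite"` lists a value that is not an os-release ID (Kinoite identifies itself as `ID=fedora` with `VARIANT_ID=kinoite`); `ID_LIKE=fedora` with `VARIANT_ID` left in place is the conventional form. Note also that Fedora ships `/etc/os-release` as a symlink to `/usr/lib/os-release`, and GNU `sed -i` without `--follow-symlinks` replaces the symlink with a regular file, so `/usr/lib/os-release` keeps the upstream values and any reader that consults it directly still sees Fedora branding; the trailing `|| true` additionally hides a failed rewrite. Separately, the brand-leak guard only fires on a match: if the listed paths are absent, `grep` exits 2, `2>/dev/null` swallows the "No such file" message, and the check passes silently, so a preceding existence check on the paths (or treating a grep exit status of 2 as a failure) would make the guard fail closed as the comment intends.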
@ -86,6 +109,19 @@ modules:
- tailscale
- tailscale
- yggdrasil
- yggdrasil

# ── 6b. Memory hygiene + ergonomic deps ─────────────────────────
# zram-generator gives us zram swap (no disk swap, no cold-boot
# leak). gum is the TUI primitive used by veilor-postinstall +
# veilor-update + veilor-doctor — vendor binary at build time so
# post-install layering doesn't need it.
- type: rpm-ostree
install:
- zram-generator
- jq
- vim-enhanced
- tmux
- htop

# ── 7. ujust recipes for opt-in components ──────────────────────
# ── 7. ujust recipes for opt-in components ──────────────────────
- type: files
- type: files
files:
files:
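Review bot: the module comment says gum is vendored at build time for veilor-postinstall, veilor-update and veilor-doctor, but nothing in this hunk installs or copies a gum binary; either add it (to the `install:` list or a files step) or drop that sentence so the comment matches what the module does. On `zram-generator`: the binary creates no zram device unless a `zram-generator.conf` exists, and on Fedora the default config ships in the separate `zram-generator-defaults` package, so if the base image does not already carry that package the "zram swap" promised in the comment will not appear (and if it does, this install line is a no-op); adding `zram-generator-defaults` or shipping a config in the overlay makes the outcome explicit.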
@ -103,13 +139,15 @@ modules:
# auditd, firewalld, chronyd, sddm — no re-enable needed.
# auditd, firewalld, chronyd, sddm — no re-enable needed.

# ── 9. veilor-os specific systemd units ─────────────────────────
# ── 9. veilor-os specific systemd units ─────────────────────────
# veilor-firstboot.service comes in via overlay/etc/systemd/system/
# All veilor-* units come in via overlay/etc/systemd/system/ —
# — needs explicit enable since it's not part of secureblue's set.
# explicit enable here since they aren't part of secureblue's set.
- type: systemd
- type: systemd
system:
system:
enabled:
enabled:
- veilor-firstboot.service
- veilor-firstboot.service
- veilor-modules-lock.service
- veilor-modules-lock.service
- veilor-postinstall.service
- veilor-doctor.timer

# ── 10. signing config ──────────────────────────────────────────
# ── 10. signing config ──────────────────────────────────────────
# bluebuild emits cosign.pub at root; CI uses the pinned key
# bluebuild emits cosign.pub at root; CI uses the pinned key
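Review bot: `veilor-postinstall.service` and `veilor-doctor.timer` are enabled here but their unit files are not part of this change, so it cannot be confirmed from the diff that they exist under `overlay/etc/systemd/system/` or carry an `[Install]` section (`WantedBy=timers.target` for the timer); enabling a unit without one fails, and the rewritten comment now asserts that "All veilor-* units" live in the overlay, which is worth checking against the overlay contents before merging. Enabling only the timer (not `veilor-doctor.service`) is the right shape for a weekly check; keep it that way so the drift check does not also run on every boot.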