feat: add OSTree to try out

because why not, immutable router without Nix abstractions!
JJGadgets · Apr 23, 2024 · e2d7bf1 · e2d7bf1
1 parent eab36fc
commit e2d7bf1
Show file tree

Hide file tree

Showing 5 changed files with 169 additions and 0 deletions.
diff --git a/.github/workflows/ostree-build.yaml b/.github/workflows/ostree-build.yaml
@@ -0,0 +1,53 @@
+---
+name: OSTree Build
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 0 13 * * 5 # Friday 9pm in SGT/GMT+8, Friday 1pm in UTC
+  push:
+    branches: ["main"]
+    paths:
+      - "ostree/**"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    timeout-minutes: 40
+    container:
+      image: public.ecr.aws/docker/library/fedora:39@sha256:06df381d697d14940c886fda8e94a4fdc838df74e93f65111ed3ea04f7a7d6e0
+      # Fix SELinux for the built OSTree: https://github.com/coreos/rpm-ostree/issues/1943
+      options: --privileged --security-opt label:disable
+    strategy:
+      matrix:
+        build: ["router"]
+    steps:
+      - name: Install dependencies
+        run: dnf install -y rpm-ostree selinux-policy selinux-policy-targeted policycoreutils podman
+
+      - name: "Generate Short Lived OAuth App Token (ghs_*)"
+        uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
+        id: oauth-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}" # $BOT_APP_ID is found in GitHub App main settings page
+          private-key: "${{ secrets.BOT_JWT_PRIVATE_KEY }}" # $BOT_JWT_PRIVATE_KEY is generated in GitHub App main settings page, uses the X.509 private key format
+
+      - name: Checkout
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        with:
+          token: "${{ steps.oauth-token.outputs.token }}"
+
+      - name: Log into container registry
+        run: podman login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
+
+      - name: Download RPM repo files from upstream
+        run: "./ostree/repos.sh"
+
+      - name: Build OSTree and push it to registry
+        env:
+          USER: "${{ github.repository_owner }}"
+          BUILD: "${{ matrix.build }}"
+        run: "cd ./ostree && ./build.sh registry"
+        # TODO: add secrets and push to private R2/Wasabi/etc
diff --git a/ostree/build.sh b/ostree/build.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -eu
+CACHE=/var/cache/ostree
+REPO=/var/tmp/repo
+# default to storing locally; can also be "registry:" to directly push
+SKOPEO_TARGET="${1:-containers-storage}"
+
+mkdir -p $CACHE
+
+if [ ! -d $REPO/objects ]; then
+    ostree --repo=$REPO init --mode=archive-z2
+fi
+
+rpm-ostree compose tree --unified-core --cachedir=$CACHE --repo=$REPO ${BUILD}.yaml
+# HACK: networking in GitHub is a bit flaky, retry a few times
+for retry in $(seq 3); do
+    rpm-ostree compose container-encapsulate --repo=$REPO ${BUILD} ${SKOPEO_TARGET}:ghcr.io/${USER}/fedora-ostree-${BUILD}:latest && exit 0
+    [ "$SKOPEO_TARGET" = registry ] || break
+    sleep 30
+done
+exit 1
diff --git a/ostree/repos.repo b/ostree/repos.repo
@@ -0,0 +1,21 @@
+[fedora-40]
+name=Fedora 40 $basearch
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-40&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=1d
+
+[fedora-40-updates]
+name=Fedora 40 $basearch Updates
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f40&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=1d
+
+[1password]
+name=1Password Stable Channel
+baseurl=https://downloads.1password.com/linux/rpm/stable/$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://downloads.1password.com/linux/keys/1password.asc
diff --git a/ostree/repos.sh b/ostree/repos.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+curl -v -o ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo" | wget -O ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo"
diff --git a/ostree/router.yaml b/ostree/router.yaml
@@ -0,0 +1,72 @@
+---
+ref: fedora-ostree-router
+rojig:
+  name: biohazard-router
+  summary: "JJGadgets Biohazard Router"
+  license: "Apache 2.0"
+
+releasever: 40
+selinux: false
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"
+tmp-is-dir: true
+
+repos:
+  - fedora-40
+  - fedora-40-updates
+  # - fedora-40-updates-testing
+  - rpmfusion-free
+  - rpmfusion-free-updates
+  - copr:copr.fedorainfracloud.org:wezfurlong:wezterm-nightly
+  - copr:copr.fedorainfracloud.org:atim:i3status-rust
+
+packages:
+  # base
+  - fedora-release-server
+  - fedora-release-identity-server
+  - nftables
+  - wireguard-tools
+  - tailscale
+  - podman
+  - 'bird >= 2.15.1-1.fc40'
+  - 'kea = 2.4.1-5.fc40'
+  - dnsdist
+  - bind
+  - unbound
+  - openssh
+  - openssh-server
+  - openssh-clients
+  - 1password-cli
+  - git-core
+  - age
+  - gnupg2
+  - pam_duo
+  - pam_yubico
+  - chrony
+  - node-exporter
+  - haproxy
+  - mdns-repeater
+  - lldpd
+  - iperf
+  - iperf3
+  - radvd
+  - tayga
+  # missing: blocky, sops
+
+exclude-packages:
+  # remove Fedora specifics
+  - firewalld
+  - selinux-policy
+  - selinux-policy-targeted
+
+units:
+  - nftables.service
+  - tailscaled.service
+  - named.service
+  - unbound.service
+  - chronyd.service
+  - sshd.service
+  - node_exporter.service
+  - [email protected]
+  - mdns-repeater.service
+  - lldpd.service
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#!/bin/sh
		curl -v -o ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo" \| wget -O ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo"