diff --git a/.github/workflows/ostree-build.yaml b/.github/workflows/ostree-build.yaml
new file mode 100644
index 0000000000..ecfa8d6970
--- /dev/null
+++ b/.github/workflows/ostree-build.yaml
@@ -0,0 +1,53 @@
+---
+name: OSTree Build
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 0 13 * * 5 # Friday 9pm in SGT/GMT+8, Friday 1pm in UTC
+  push:
+    branches: ["main"]
+    paths:
+      - "ostree/**"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    timeout-minutes: 40
+    container:
+      image: public.ecr.aws/docker/library/fedora:39@sha256:06df381d697d14940c886fda8e94a4fdc838df74e93f65111ed3ea04f7a7d6e0
+      # Fix SELinux for the built OSTree: https://github.com/coreos/rpm-ostree/issues/1943
+      options: --privileged --security-opt label:disable
+    strategy:
+      matrix:
+        build: ["router"]
+    steps:
+      - name: Install dependencies
+        run: dnf install -y rpm-ostree selinux-policy selinux-policy-targeted policycoreutils podman
+
+      - name: "Generate Short Lived OAuth App Token (ghs_*)"
+        uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
+        id: oauth-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}" # $BOT_APP_ID is found in GitHub App main settings page
+          private-key: "${{ secrets.BOT_JWT_PRIVATE_KEY }}" # $BOT_JWT_PRIVATE_KEY is generated in GitHub App main settings page, uses the X.509 private key format
+
+      - name: Checkout
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+        with:
+          token: "${{ steps.oauth-token.outputs.token }}"
+
+      - name: Log into container registry
+        run: podman login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
+
+      - name: Download RPM repo files from upstream
+        run: "./ostree/repos.sh"
+
+      - name: Build OSTree and push it to registry
+        env:
+          USER: "${{ github.repository_owner }}"
+          BUILD: "${{ matrix.build }}"
+        run: "cd ./ostree && ./build.sh registry"
+        # TODO: add secrets and push to private R2/Wasabi/etc
\ No newline at end of file
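Review bot: The registry login step puts the token on the command line, `podman login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io`, so the secret lands in the process argv and in the generated shell script, and both expressions are expanded straight into shell text instead of going through `env:`; the usual hardening for Actions is to pass expression values as environment variables, and podman can read the password from stdin with `--password-stdin`. The rewrite below keeps the step's behaviour and the job's permission scope (`packages: write` is the only write grant, which is right for a ghcr push). Two smaller points: `cron: 0 13 * * 5` parses as a string but reads more safely quoted as `cron: "0 13 * * 5"`, and the short-lived App token is only consumed by the checkout step, so a comment stating why a bot token is needed there instead of the default `GITHUB_TOKEN` would help the next maintainer.
```yaml
      - name: Log into container registry
        env:
          REGISTRY_USER: "${{ github.actor }}"
          REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
        run: printf '%s' "$REGISTRY_PASSWORD" | podman login -u "$REGISTRY_USER" --password-stdin ghcr.io
```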
diff --git a/ostree/build.sh b/ostree/build.sh
new file mode 100755
index 0000000000..31dc78a4f4
--- /dev/null
+++ b/ostree/build.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -eu
+CACHE=/var/cache/ostree
+REPO=/var/tmp/repo
+# default to storing locally; can also be "registry:" to directly push
+SKOPEO_TARGET="${1:-containers-storage}"
+
+mkdir -p $CACHE
+
+if [ ! -d $REPO/objects ]; then
+  ostree --repo=$REPO init --mode=archive-z2
+fi
+
+rpm-ostree compose tree --unified-core --cachedir=$CACHE --repo=$REPO ${BUILD}.yaml
+# HACK: networking in GitHub is a bit flaky, retry a few times
+for retry in $(seq 3); do
+  rpm-ostree compose container-encapsulate --repo=$REPO ${BUILD} ${SKOPEO_TARGET}:ghcr.io/${USER}/fedora-ostree-${BUILD}:latest && exit 0
+  [ "$SKOPEO_TARGET" = registry ] || break
+  sleep 30
+done
+exit 1
diff --git a/ostree/repos.repo b/ostree/repos.repo
new file mode 100644
index 0000000000..0c73d5b02a
--- /dev/null
+++ b/ostree/repos.repo
@@ -0,0 +1,21 @@
+[fedora-40]
+name=Fedora 40 $basearch
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-40&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=1d
+
+[fedora-40-updates]
+name=Fedora 40 $basearch Updates
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f40&arch=$basearch
+enabled=1
+gpgcheck=1
+metadata_expire=1d
+
+[1password]
+name=1Password Stable Channel
+baseurl=https://downloads.1password.com/linux/rpm/stable/$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://downloads.1password.com/linux/keys/1password.asc
\ No newline at end of file
diff --git a/ostree/repos.sh b/ostree/repos.sh
new file mode 100755
index 0000000000..c7fe369bfe
--- /dev/null
+++ b/ostree/repos.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+curl -v -o ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo" | wget -O ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo"
\ No newline at end of file
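Review bot: `build.sh` takes `$BUILD` and `$USER` from the environment and splices them unchecked into a file path (`${BUILD}.yaml`) and the pushed image reference; `USER` in particular is the login-name variable most shells already export, so running the script outside the workflow would silently push to `ghcr.io/<local login>/...` rather than fail. A header comment naming the two inputs and their source would prevent that surprise, e.g. `# inputs: BUILD (treefile basename, set from the workflow matrix), USER (registry namespace set by the workflow — not the shell login name)`, together with a guard before the compose such as `case "$BUILD" in ''|*[!A-Za-z0-9._-]*) echo "BUILD must be a treefile basename" >&2; exit 2;; esac`. The retry loop is sound, but `retry` is never used and `seq` is not POSIX, so `for retry in 1 2 3; do` says the same thing with one dependency fewer. The image is only ever tagged `:latest`, which leaves no way to roll a router back to a known-good build; pushing an additional tag derived from the git commit alongside `latest` would give an audit trail for what is deployed.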
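Review bot: `[fedora-40]` and `[fedora-40-updates]` set `gpgcheck=1` but carry no `gpgkey=`, unlike `[1password]`; the compose runs in a `fedora:39` container building a Fedora 40 tree, so signature checks depend on the F40 release key already being importable from that image, which I would not take for granted. Spelling the trust anchor out the way the stock Fedora repo files do, `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch` (or the https form of the same key), makes the key visible in review and fails loudly if it is missing. The `[1password]` stanza is the pattern to copy, with `gpgcheck=1`, `repo_gpgcheck=1` and an explicit key URL. The file also lacks a trailing newline, harmless for dnf but worth fixing for diff hygiene.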
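Review bot: The `|` between `curl ... -o ./ostree/tailscale.repo` and `wget -O ./ostree/tailscale.repo` runs both downloads at once into the same file and makes the step's exit status wget's alone, so a curl failure is never reported and the two writers can race; the intent reads as a fallback, which is `||`, not `|`. Neither fetch rejects an HTTP error page (`curl` without `-f` writes the error body into the repo file) and the script has no `set -eu`, so a bad download becomes a silently broken repo definition whose `baseurl` and `gpgkey` the compose then trusts. Suggested: add `set -eu` after the shebang, put `URL=https://pkgs.tailscale.com/stable/fedora/tailscale.repo` on its own line, and fetch with `curl -fsSL --retry 3 -o ./ostree/tailscale.repo "$URL" || wget -O ./ostree/tailscale.repo "$URL"`. Because this file decides where packages and their signing key come from, either vendoring it next to `repos.repo` or comparing the download against a reviewed checksum would close the gap between "fetched over TLS" and "reviewed".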
diff --git a/ostree/router.yaml b/ostree/router.yaml
new file mode 100644
index 0000000000..b329d1b419
--- /dev/null
+++ b/ostree/router.yaml
@@ -0,0 +1,72 @@
+---
+ref: fedora-ostree-router
+rojig:
+  name: biohazard-router
+  summary: "JJGadgets Biohazard Router"
+  license: "Apache 2.0"
+
+releasever: 40
+selinux: false
+automatic-version-prefix: "${releasever}."
+mutate-os-release: "${releasever}"
+tmp-is-dir: true
+
+repos:
+  - fedora-40
+  - fedora-40-updates
+  # - fedora-40-updates-testing
+  - rpmfusion-free
+  - rpmfusion-free-updates
+  - copr:copr.fedorainfracloud.org:wezfurlong:wezterm-nightly
+  - copr:copr.fedorainfracloud.org:atim:i3status-rust
+
+packages:
+  # base
+  - fedora-release-server
+  - fedora-release-identity-server
+  - nftables
+  - wireguard-tools
+  - tailscale
+  - podman
+  - 'bird >= 2.15.1-1.fc40'
+  - 'kea = 2.4.1-5.fc40'
+  - dnsdist
+  - bind
+  - unbound
+  - openssh
+  - openssh-server
+  - openssh-clients
+  - 1password-cli
+  - git-core
+  - age
+  - gnupg2
+  - pam_duo
+  - pam_yubico
+  - chrony
+  - node-exporter
+  - haproxy
+  - mdns-repeater
+  - lldpd
+  - iperf
+  - iperf3
+  - radvd
+  - tayga
+  # missing: blocky, sops
+
+exclude-packages:
+  # remove Fedora specifics
+  - firewalld
+  - selinux-policy
+  - selinux-policy-targeted
+
+units:
+  - nftables.service
+  - tailscaled.service
+  - named.service
+  - unbound.service
+  - chronyd.service
+  - sshd.service
+  - node_exporter.service
+  - openvpn-server@.service
+  - mdns-repeater.service
+  - lldpd.service
\ No newline at end of file
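Review bot: `repos:` does not match the repo definitions this commit ships — it names `rpmfusion-free`, `rpmfusion-free-updates` and two `copr:` repos that no `.repo` file here defines, while it omits `1password` and the tailscale repo that `repos.sh` fetches, and as far as I know rpm-ostree resolves packages only from the repos listed in the treefile, so `tailscale` and `1password-cli` would be unresolvable and the unknown repos would fail the compose unless files outside this commit supply them. Nothing in `packages:` appears to come from rpmfusion or those coprs (wezterm and i3status-rust are desktop tools), so replacing them with `- 1password` and `- tailscale` both fixes the build and trims the set of third-party signing keys a router image trusts. `units:` enables `openvpn-server@.service` although no openvpn package is listed, and a template unit usually cannot be enabled without an instance name unless it declares a DefaultInstance. `selinux: false` together with excluding `selinux-policy*` is the most security-relevant line in the treefile and deserves a comment stating the reason, since the rpm-ostree issue linked in the workflow concerns the build container rather than the deployed system, e.g. `# SELinux disabled on the deployed tree: <reason> — revisit once <blocker> is resolved`. If the rpm-ostree the workflow installs no longer supports rojig, the `rojig:` stanza is dead configuration; worth confirming against that version.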