From b61906e4d7eb5d05560b72b15f224c4412c477c4 Mon Sep 17 00:00:00 2001 From: Anders da Silva Rytter Hansen Date: Tue, 2 Dec 2025 14:13:26 -0300 Subject: [PATCH] Initial commit of OS --- .github/workflows/os.yml | 114 +++++++++++++++++++++ Dockerfile | 59 +++++++++++ bin/set_next_version.sh | 48 +++++++++ etc/chromium/chromium.conf | 76 ++++++++++++++ etc/environment | 12 +++ etc/systemd/zram-generator.conf | 9 ++ repo/andersrh-my-ostree-os.repo | 10 ++ repo/andersrh-myostree-os-rhel+epel.repo | 11 ++ repo/epel-next-minor.repo | 36 +++++++ repo/nvidia-container-toolkit.repo | 19 ++++ usr/lib/udev/rules.d/60-ioschedulers.rules | 8 ++ 11 files changed, 402 insertions(+) create mode 100644 .github/workflows/os.yml create mode 100644 Dockerfile create mode 100755 bin/set_next_version.sh create mode 100644 etc/chromium/chromium.conf create mode 100644 etc/environment create mode 100644 etc/systemd/zram-generator.conf create mode 100644 repo/andersrh-my-ostree-os.repo create mode 100644 repo/andersrh-myostree-os-rhel+epel.repo create mode 100644 repo/epel-next-minor.repo create mode 100644 repo/nvidia-container-toolkit.repo create mode 100644 usr/lib/udev/rules.d/60-ioschedulers.rules diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml new file mode 100644 index 0000000..cf2932a --- /dev/null +++ b/.github/workflows/os.yml 
@@ -0,0 +1,114 @@
+name: os
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ schedule:
+ - cron: '0 5 * * *' # 5 am every day
+ push:
+ paths:
+ - 'Dockerfile'
+ - 'etc/**'
+ - 'usr/**'
+ - 'repo/**'
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository }}
+ IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Maximize build space
+ uses: AdityaGarg8/remove-unwanted-software@v1
+ with:
+ remove-dotnet: 'true'
+ remove-android: 'true'
+ remove-haskell: 'true'
+
+ - name: Get current date
+ id: date
+ run: echo "::set-output name=date::$(date +'%Y%m%d')"
+
+ - name: Test with environment variables
+ run: echo $DATE
+ env:
+ DATE: ${{ steps.date.outputs.date }}
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
+ with:
+ cosign-release: 'v2.1.1'
+
+ # Workaround: https://github.com/docker/build-push-action/issues/461
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}, ${{ steps.meta.outputs.tags }}-10, ${{ steps.meta.outputs.tags }}-10.${{ steps.date.outputs.date }}
+ # labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..79ea6c1
--- /dev/null
+++ b/Dockerfile
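Review bot: Two actions in the `steps` list are pinned only by a mutable tag — `AdityaGarg8/remove-unwanted-software@v1` and `actions/checkout@v3` — while cosign-installer, setup-buildx, login, metadata and build-push are pinned to full commit SHAs, and this job holds `packages: write` plus `id-token: write`, so a moved tag on either action can push and Sigstore-sign an image under this repository's identity. Pin both to a commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v3`, and do the same for the third-party disk-reclaiming action or drop it if the build fits without it. The `Get current date` step uses the deprecated `::set-output` command; `run: echo "date=$(date +'%Y%m%d')" >> "$GITHUB_OUTPUT"` is the supported form, and the following `Test with environment variables` step looks like leftover debugging. Note also that `tags:` appends `-10` to `steps.meta.outputs.tags` as a whole, which only works while metadata-action emits a single tag; with several newline-separated tags only the last one gets the suffix.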
@@ -0,0 +1,59 @@
+FROM quay.io/almalinuxorg/atomic-desktop-kde:10
+ARG CACHEBUST=1
+
+# Get list of kernels from my repo. If the list has been updated, then the image will be rebuilt. If it hasn't been updated, then caching of the previous build will be used.
+ADD "https://copr.fedorainfracloud.org/api_3/build/list?ownername=andersrh&projectname=my-ostree-os&packagename=kernel" /tmp/builds.txt
+
+RUN echo 'omit_drivers+=" nouveau "' | tee /etc/dracut.conf.d/blacklist-nouveau.conf
+
+COPY bin/set_next_version.sh /tmp
+RUN /tmp/set_next_version.sh
+
+COPY repo/*.repo /etc/yum.repos.d/
+RUN dnf config-manager --add-repo=https://negativo17.org/repos/epel-nvidia.repo -y
+
+RUN dnf install -y $( \
+ dnf list --available kernel\* --disablerepo='*' --enablerepo=my-ostree-os-rhel-epel 2>/dev/null \
+ | grep 'andersdsrhcustom' \
+ | awk '{print $1 "-" $2}' \
+ | sort -V \
+ | tail -1 \
+ | sed 's/\.src//g' \
+ | sed 's/\.x86_64//g' \
+ )
+
+RUN dnf install --nogpgcheck -y https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-$(rpm -E %rhel).noarch.rpm https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-$(rpm -E %rhel).noarch.rpm
+
+RUN dnf install -y fish distrobox nvtop intel-media-driver libva-intel-driver
+RUN dnf install -y https://github.com/TheAssassin/AppImageLauncher/releases/download/v2.2.0/appimagelauncher-2.2.0-travis995.0f91801.x86_64.rpm
+
+# Install Negativo17 Nvidia driver
+RUN dnf install -y dkms-nvidia nvidia-driver nvidia-persistenced opencl-filesystem libva-nvidia-driver kernel-devel-matched
+RUN dkms install nvidia/$(ls /usr/src/ | grep nvidia- | cut -d- -f2-) -k $(rpm -q --queryformat "%{VERSION}-%{RELEASE}.%{ARCH}\n" kernel)
+
+# Remove plocate to avoid updatedb going crazy with scanning the file system once a day
+RUN dnf remove -y plocate
+
+# Install libheif-freeworld to show thumbnails in Dolphin
+RUN dnf install libheif-freeworld -y
+
+# Install proprietary codecs
+RUN dnf swap libavcodec-free libavcodec-freeworld --allowerasing -y
+
+RUN dnf -y install gwenview haruna kalk okular
+RUN dnf -y install chromium firefox
+# Delete default Chromium config so it can be replaced by my own
+RUN rm -f /etc/chromium/chromium.conf
+
+# Add rule to SELinux allowing modules to be loaded into custom kernel
+RUN setsebool -P domain_kernel_load_modules on
+
+COPY etc /etc
+COPY usr /usr
+
+RUN systemctl enable waydroid-choose-intel-gpu.service
+
+RUN cd /usr/bin && wget https://raw.githubusercontent.com/CachyOS/CachyOS-Settings/refs/heads/master/usr/bin/kerver && chmod +x kerver
+
+RUN rm -rf /tmp/* /var/* && mkdir -p /var/tmp && chmod -R 1777 /var/tmp && \
+bootc container lint
diff --git a/bin/set_next_version.sh b/bin/set_next_version.sh
new file mode 100755
index 0000000..0801688
--- /dev/null
+++ b/bin/set_next_version.sh
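Review bot: The `RUN cd /usr/bin && wget https://raw.githubusercontent.com/CachyOS/CachyOS-Settings/refs/heads/master/usr/bin/kerver && chmod +x kerver` line fetches a script from a moving branch at build time and installs it as an executable in `/usr/bin` of the OS image with no pinning or checksum, so whatever that branch serves on the day of the nightly rebuild ships in the image. Pin it to a commit and verify the content, e.g. `ADD --checksum=sha256:<digest> https://raw.githubusercontent.com/CachyOS/CachyOS-Settings/<commit>/usr/bin/kerver /usr/bin/kerver` followed by `RUN chmod 0755 /usr/bin/kerver`, or vendor the script under `usr/bin/` in this repo so it arrives through the existing `COPY usr /usr`. The same applies to the two unverified package fetches: the RPM Fusion release packages are installed with `--nogpgcheck` although they are what bootstraps further repositories and keys, and the AppImageLauncher RPM is installed straight from a GitHub URL, which dnf by default does not signature-check (`localpkg_gpgcheck` is off) — downloading each to a path, checking it against a known digest or with `rpm -K` after importing the publisher's key, and then installing the local file would close both. Separately, `setsebool -P domain_kernel_load_modules on` relaxes module loading for every confined domain rather than just what the custom kernel needs; a comment saying which operation failed without it would let the boolean be revisited later.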
@@ -0,0 +1,48 @@
+#!/bin/bash
+# -----------------------------------------------------------
+# Script til beregning af AlmaLinux's næste minor version
+# og lagring af værdien som en DNF variabel.
+# -----------------------------------------------------------
+
+VAR_FILE="/etc/dnf/vars/epel_next_releasever"
+VERSION_FILE="/etc/os-release"
+
+# 1. Hent den fulde version (f.eks. "10.1")
+# Vi bruger VERSION_ID fra /etc/os-release, da den er standardiseret.
+if [ ! -f "$VERSION_FILE" ]; then
+ echo "Fejl: OS-versionsfil ($VERSION_FILE) ikke fundet." >&2
+ exit 1
+fi
+
+# Henter strengen (f.eks. 10.1)
+FULL_VERSION=$(grep '^VERSION_ID=' "$VERSION_FILE" | cut -d'"' -f2)
+
+if [[ ! "$FULL_VERSION" =~ ^[0-9]+\.[0-9]+$ ]]; then
+ echo "Fejl: Ugyldig versionsformat fundet i $VERSION_FILE: $FULL_VERSION" >&2
+ exit 1
+fi
+
+# 2. Opdel i Major (10) og Minor (1)
+MAJOR_VERSION=$(echo "$FULL_VERSION" | cut -d. -f1)
+CURRENT_MINOR=$(echo "$FULL_VERSION" | cut -d. -f2)
+
+# 3. Udfør aritmetik: Minor + 1
+NEXT_MINOR=$((CURRENT_MINOR + 1))
+
+# 4. Sammensæt den næste version streng (f.eks. 10.2)
+NEXT_VERSION="${MAJOR_VERSION}.${NEXT_MINOR}"
+
+# 5. Opret DNF vars mappen, hvis den ikke findes
+mkdir -p /etc/dnf/vars
+
+# 6. Skriv den beregnede værdi til DNF variabelfilen
+echo "$NEXT_VERSION" | tee "$VAR_FILE"
+
+# Output til log (nyttigt i en Dockerfil)
+echo "---------------------------------------------------------"
+echo "Nuværende AlmaLinux version: $FULL_VERSION"
+echo "Næste version beregnet: $NEXT_VERSION"
+echo "Værdien '$NEXT_VERSION' er gemt i $VAR_FILE."
+echo "---------------------------------------------------------"
+
+exit 0
diff --git a/etc/chromium/chromium.conf b/etc/chromium/chromium.conf
new file mode 100644
index 0000000..f6cbbbc
--- /dev/null
+++ b/etc/chromium/chromium.conf
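Review bot: The script never sets `set -euo pipefail`, so a failed `mkdir -p /etc/dnf/vars` or `tee "$VAR_FILE"` is not fatal: the success banner is still printed, the script exits 0, and the Dockerfile's `RUN /tmp/set_next_version.sh` passes while `/etc/dnf/vars/epel_next_releasever` was never written. Add `set -euo pipefail` directly under the shebang; the explicit `exit 0` at the end can stay. Parsing `VERSION_ID` with `grep ... | cut -d'"' -f2` only works when the value is double-quoted — for an unquoted `VERSION_ID=10.1`, which os-release permits, `cut` returns the whole line, the regex check fails and the build aborts — whereas sourcing the file in a subshell and reading `$VERSION_ID` handles both forms. The comments and messages are in Danish while the rest of the repository is English; translating the comments would help anyone else maintaining the image.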
@@ -0,0 +1,76 @@
+# system wide chromium flags
+
+ARCH="$(arch)"
+MODE="$(systemd-detect-virt)"
+
+# GRAPHIC_DRIVER=[amd|intel|nvidia|default]
+GRAPHIC_DRIVER=intel
+
+# WEB_DARKMODE=[on|off]
+WEB_DARKMODE=off
+
+# NATIVE_WAYLAND=[on|off]
+# chromium >=141 switched to --ozone-platform-hint=auto
+if [ ! -z "$WAYLAND_DISPLAY" ]; then
+ NATIVE_WAYLAND=on
+else
+ NATIVE_WAYLAND=off
+fi
+
+DISABLE_FEATURES="LensOverlay,ExtensionManifestV2Unsupported,ExtensionManifestV2Disabled"
+ENABLE_FEATURES="AllowQt"
+CHROMIUM_FLAGS=" --enable-chrome-browser-cloud-management"
+if [ "$NATIVE_WAYLAND" == "on" ] ; then
+ ENABLE_FEATURES+=",WaylandLinuxDrmSyncobj,WaylandPerSurfaceScale,WaylandUiScale"
+ CHROMIUM_FLAGS+=" --ozone-platform=wayland"
+else
+ CHROMIUM_FLAGS+=" --enable-gpu-memory-buffer-video-frames"
+ CHROMIUM_FLAGS+=" --enable-zero-copy"
+ CHROMIUM_FLAGS+=" --ignore-gpu-blocklist --disable-gpu-driver-bug-workaround"
+ CHROMIUM_FLAGS+=" --enable-gpu-rasterization"
+fi
+
+ENABLE_FEATURES+=",AcceleratedVideoDecodeLinuxGL,AcceleratedVideoDecodeLinuxZeroCopyGL"
+
+case "$GRAPHIC_DRIVER" in
+ amd|intel)
+ # Need new mesa with AMD multi planes support, is supported in fedora >= 40 (mesa-24.1.1 or newer)
+ # see https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/26165
+ CHROMIUM_FLAGS+=" --enable-accelerated-video-decode"
+ ENABLE_FEATURES+=",VaapiIgnoreDriverChecks,UseMultiPlaneFormatForHardwareVideo"
+ ;;
+ nvidia)
+ # The NVIDIA VaAPI drivers are known to not support Chromium
+ # see https://crbug.com/1492880. This feature switch is
+ # provided for developers to test VaAPI drivers on NVIDIA GPUs
+ ENABLE_FEATURES+=",VaapiOnNvidiaGPUs"
+ export CUDA_DISABLE_PERF_BOOST=1
+ ;;
+ *)
+ ENABLE_FEATURES+=",AcceleratedVideoEncoder"
+ ;;
+esac
+
+if [ "$MODE" != "none" ] ; then
+ # chromium in VM, running with standard setting
+ CHROMIUM_FLAGS=""
+ DISABLE_FEATURES=""
+ ENABLE_FEATURES=""
+fi
+
+# Set gtk version to 3 by default
+# todo: switch to gtk4 in the future
+CHROMIUM_FLAGS+=" --gtk-version=3"
+
+# Web Dark mode
+if [ "$WEB_DARKMODE" == "on" ] ; then
+ darktype="WebContentsForceDark:inversion_method/cielab_based/image_behavior/none/foreground_lightness_threshold/150/background_lightness_threshold/205"
+ if [ -z "$ENABLE_FEATURES" ] ; then
+ ENABLE_FEATURES+="$darktype"
+ else
+ ENABLE_FEATURES+=",$darktype"
+ fi
+fi
+
+[ -z "$DISABLE_FEATURES" ] || CHROMIUM_FLAGS+=" --disable-features=$DISABLE_FEATURES"
+[ -z "$ENABLE_FEATURES" ] || CHROMIUM_FLAGS+=" --enable-features=$ENABLE_FEATURES"
diff --git a/etc/environment b/etc/environment
new file mode 100644
index 0000000..70db5ae
--- /dev/null
+++ b/etc/environment
@@ -0,0 +1,12 @@
+QT_QPA_PLATFORM=wayland
+#CLUTTER_PAINT=disable-dynamic-max-render-time
+#MUTTER_DEBUG_ENABLE_ATOMIC_KMS=0
+#MUTTER_DEBUG_TRIPLE_BUFFERING=never
+
+# Nvidia:
+#__NV_PRIME_RENDER_OFFLOAD=1
+#__GLX_VENDOR_LIBRARY_NAME=nvidia
+
+ELECTRON_OZONE_PLATFORM_HINT=wayland
+
+#GSK_RENDERER=gl
diff --git a/etc/systemd/zram-generator.conf b/etc/systemd/zram-generator.conf
new file mode 100644
index 0000000..8879dac
--- /dev/null
+++ b/etc/systemd/zram-generator.conf
@@ -0,0 +1,9 @@
+# This config file enables a /dev/zram0 device with the default settings:
+# — size — same as available RAM or 30GB, whichever is less
+# — compression — most likely lzo-rle
+#
+# To disable, create empty
+# /etc/systemd/zram-generator.conf file.
+[zram0]
+zram-size = min(ram, 30720)
+compression-algorithm = zstd
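Review bot: `DISABLE_FEATURES="LensOverlay,ExtensionManifestV2Unsupported,ExtensionManifestV2Disabled"` keeps Manifest V2 extensions loadable after upstream deprecated them, and `--ignore-gpu-blocklist --disable-gpu-driver-bug-workaround` in the non-Wayland branch switches off Chromium's driver safety lists; both are deliberate trade-offs and neither carries a comment saying so. A note above the `DISABLE_FEATURES=` line such as `# Keep MV2 extensions loadable; these switches will stop working once Chromium removes them upstream` and a similar one on the blocklist line would make the intent reviewable. `GRAPHIC_DRIVER=intel` is hard-coded although the Dockerfile installs the NVIDIA driver, so the `nvidia)` branch (`VaapiOnNvidiaGPUs`, `CUDA_DISABLE_PERF_BOOST`) never runs; if that is intended for a hybrid machine where the Intel GPU drives the browser, say so next to the assignment. `ARCH="$(arch)"` is assigned but never read and can be dropped.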
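Review bot: The header comment describes the generator defaults ("— compression — most likely lzo-rle"), but the `[zram0]` section below sets `compression-algorithm = zstd`, so the comment no longer matches the configuration it sits above. Replace that bullet with `# — compression — zstd (set below, overriding the generator's default)` or drop the "with the default settings" wording from the first line. The `zram-size = min(ram, 30720)` line still matches the size bullet, so only the compression line is stale.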
diff --git a/repo/andersrh-my-ostree-os.repo b/repo/andersrh-my-ostree-os.repo
new file mode 100644
index 0000000..3305e37
--- /dev/null
+++ b/repo/andersrh-my-ostree-os.repo
@@ -0,0 +1,10 @@
+[my-ostree-os-epel]
+name=Copr repo for my-ostree-os owned by andersrh
+baseurl=https://download.copr.fedorainfracloud.org/results/andersrh/my-ostree-os/epel-10-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/andersrh/my-ostree-os/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
diff --git a/repo/andersrh-myostree-os-rhel+epel.repo b/repo/andersrh-myostree-os-rhel+epel.repo
new file mode 100644
index 0000000..0c5b27a
--- /dev/null
+++ b/repo/andersrh-myostree-os-rhel+epel.repo
@@ -0,0 +1,11 @@
+[my-ostree-os-rhel-epel]
+name=Copr repo for my-ostree-os owned by andersrh for RHEL+EPEL
+baseurl=https://download.copr.fedorainfracloud.org/results/andersrh/my-ostree-os/rhel+epel-10-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/andersrh/my-ostree-os/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
+priority=98
diff --git a/repo/epel-next-minor.repo b/repo/epel-next-minor.repo
new file mode 100644
index 0000000..443a2bc
--- /dev/null
+++ b/repo/epel-next-minor.repo
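Review bot: With `repo_gpgcheck=0` and `gpgkey=https://download.copr.fedorainfracloud.org/.../pubkey.gpg`, the signing key is fetched on first use from the same host that serves the packages and the repository metadata is unsigned, so trust in this repo reduces to the TLS connection to Copr rather than to a key obtained out of band; that is the normal Copr model, but it is worth stating above `[my-ostree-os-epel]`, e.g. `# Copr does not sign repomd; package signatures are checked against the project key fetched over TLS from the same origin`. This file and the rhel+epel one point at the same Copr project and are both `enabled=1`, with only the rhel+epel file setting `priority`, so a comment on which chroot is expected to win for a package present in both would help the next reader. `skip_if_unavailable=True` also means an update run proceeds silently when Copr is down, which is acceptable for a desktop but should be a conscious choice.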
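Review bot: `priority=98` is the only policy setting that differs from `[my-ostree-os-epel]` in the sibling file, and it is what makes `my-ostree-os-rhel-epel` win for packages that exist in both chroots (dnf picks the repo with the lowest priority value), but nothing in the file says so. Add a comment on that line such as `# Lower than the epel-10 chroot's default so the rhel+epel builds win when both carry a package`. This is also the repo the Dockerfile restricts the kernel selection to (`--enablerepo=my-ostree-os-rhel-epel`), which the same comment could mention so the two choices stay in step.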
@@ -0,0 +1,36 @@
+[epel-next-minor]
+name=Extra Packages for Enterprise Linux $epel_next_releasever - $basearch
+# It is much more secure to use the metalink, but if you wish to use a local mirror
+# place its address here.
+#baseurl=https://download.example/pub/epel/$releasever${releasever_minor:+z}/Everything/$basearch/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=epel${releasever_minor:+-z}-$epel_next_releasever&arch=$basearch
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever_major
+gpgcheck=1
+repo_gpgcheck=0
+metadata_expire=24h
+countme=1
+enabled=0
+
+[epel-next-minor-debuginfo]
+name=Extra Packages for Enterprise Linux $epel_next_releasever - $basearch - Debug
+# It is much more secure to use the metalink, but if you wish to use a local mirror
+# place its address here.
+#baseurl=https://download.example/pub/epel/$releasever${releasever_minor:+z}/Everything/$basearch/debug/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=epel${releasever_minor:+-z}-debug-$epel_next_releasever&arch=$basearch
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever_major
+gpgcheck=1
+repo_gpgcheck=0
+metadata_expire=24h
+enabled=0
+
+[epel-next-minor-source]
+name=Extra Packages for Enterprise Linux $epel_next_releasever - $basearch - Source
+# It is much more secure to use the metalink, but if you wish to use a local mirror
+# place its address here.
+#baseurl=https://download.example/pub/epel/$releasever${releasever_minor:+z}/Everything/source/tree/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=epel${releasever_minor:+-z}-source-$epel_next_releasever&arch=source
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever_major
+gpgcheck=1
+repo_gpgcheck=0
+metadata_expire=24h
+enabled=0
diff --git a/repo/nvidia-container-toolkit.repo b/repo/nvidia-container-toolkit.repo
new file mode 100644
index 0000000..5dcd37c
--- /dev/null
+++ b/repo/nvidia-container-toolkit.repo
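Review bot: Every section here depends on `$epel_next_releasever`, which exists only because `bin/set_next_version.sh` writes `/etc/dnf/vars/epel_next_releasever` during the build; as far as I can tell dnf leaves an undefined variable as literal text, so without that file the `metalink=` URLs are wrong — silent while `enabled=0`, but a confusing mirror error the moment someone enables the repo. A header comment stating the dependency, e.g. `# $epel_next_releasever is written by bin/set_next_version.sh (next AlmaLinux minor); do not enable without it`, would save that debugging. The `${releasever_minor:+-z}` conditional combined with `-$epel_next_releasever` yields a repo id of the form `epel-z-<next minor>` whenever a minor version is set; I cannot verify from here that the mirror service accepts that id, so the generated URL is worth checking once by hand before the repo is enabled.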
@@ -0,0 +1,19 @@
+[nvidia-container-toolkit]
+name=nvidia-container-toolkit
+baseurl=https://nvidia.github.io/libnvidia-container/stable/rpm/$basearch
+repo_gpgcheck=1
+gpgcheck=0
+enabled=1
+gpgkey=https://nvidia.github.io/libnvidia-container/gpgkey
+sslverify=1
+sslcacert=/etc/pki/tls/certs/ca-bundle.crt
+
+[nvidia-container-toolkit-experimental]
+name=nvidia-container-toolkit-experimental
+baseurl=https://nvidia.github.io/libnvidia-container/experimental/rpm/$basearch
+repo_gpgcheck=1
+gpgcheck=0
+enabled=0
+gpgkey=https://nvidia.github.io/libnvidia-container/gpgkey
+sslverify=1
+sslcacert=/etc/pki/tls/certs/ca-bundle.crt
diff --git a/usr/lib/udev/rules.d/60-ioschedulers.rules b/usr/lib/udev/rules.d/60-ioschedulers.rules
new file mode 100644
index 0000000..506f3cc
--- /dev/null
+++ b/usr/lib/udev/rules.d/60-ioschedulers.rules
@@ -0,0 +1,8 @@
+# HDD
+ACTION=="add|change", KERNEL=="sd[a-z]*", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq"
+
+# SSD
+ACTION=="add|change", KERNEL=="sd[a-z]*|mmcblk[0-9]*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="mq-deadline"
+
+# NVMe SSD
+ACTION=="add|change", KERNEL=="nvme[0-9]*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="mq-deadline"
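Review bot: `[nvidia-container-toolkit]` is `enabled=1`, yet nothing in the Dockerfile installs `nvidia-container-toolkit`, so the image ships with an extra third-party repository that every `dnf` run and every update will contact and whose key dnf will offer to import on first use, for no package that is actually present. Either install the toolkit in the Dockerfile or set `enabled=0` here and enable it on demand, the way the `-experimental` section already is. `gpgcheck=0` with `repo_gpgcheck=1` is NVIDIA's stock layout — package checksums are covered by the signed metadata — but if the packages are also signed with the same key, `gpgcheck=1` costs nothing and keeps protection should `repo_gpgcheck` ever be turned off.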