Initial commit of OS

.github/workflows/os.yml

@@ -0,0 +1,114 @@
+name: os
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  schedule:
+    - cron: '0 5 * * *'  # 5 am every day
+  push:
+    paths:
+        - 'Dockerfile'
+        - 'etc/**'
+        - 'usr/**'
+        - 'repo/**'
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Maximize build space
+        uses: AdityaGarg8/remove-unwanted-software@v1
+        with:
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y%m%d')"
+
+      - name: Test with environment variables
+        run: echo $DATE
+        env:
+          DATE: ${{ steps.date.outputs.date }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
+        with:
+          cosign-release: 'v2.1.1'
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}, ${{ steps.meta.outputs.tags }}-10, ${{ steps.meta.outputs.tags }}-10.${{ steps.date.outputs.date }}
+       #   labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

Dockerfile

@@ -0,0 +1,59 @@
+FROM quay.io/almalinuxorg/atomic-desktop-kde:10
+ARG CACHEBUST=1
+
+# Get list of kernels from my repo. If the list has been updated, then the image will be rebuilt. If it hasn't been updated, then caching of the previous build will be used.
+ADD "https://copr.fedorainfracloud.org/api_3/build/list?ownername=andersrh&projectname=my-ostree-os&packagename=kernel" /tmp/builds.txt
+
+RUN echo 'omit_drivers+=" nouveau "' | tee /etc/dracut.conf.d/blacklist-nouveau.conf
+
+COPY bin/set_next_version.sh /tmp
+RUN /tmp/set_next_version.sh
+
+COPY repo/*.repo /etc/yum.repos.d/
+RUN dnf config-manager --add-repo=https://negativo17.org/repos/epel-nvidia.repo -y
+
+RUN dnf install -y $( \
+                                                                              dnf list --available kernel\* --disablerepo='*' --enablerepo=my-ostree-os-rhel-epel 2>/dev/null \
+                                                                              | grep 'andersdsrhcustom' \
+                                                                              | awk '{print $1 "-" $2}' \
+                                                                              | sort -V \
+                                                                              | tail -1 \
+                                                                              | sed 's/\.src//g' \
+                                                                              | sed 's/\.x86_64//g' \
+                                                                  )
+
+RUN dnf install --nogpgcheck -y https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-$(rpm -E %rhel).noarch.rpm https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-$(rpm -E %rhel).noarch.rpm
+
+RUN dnf install -y fish distrobox nvtop intel-media-driver libva-intel-driver
+RUN dnf install -y https://github.com/TheAssassin/AppImageLauncher/releases/download/v2.2.0/appimagelauncher-2.2.0-travis995.0f91801.x86_64.rpm
+
+# Install Negativo17 Nvidia driver
+RUN dnf install -y dkms-nvidia nvidia-driver nvidia-persistenced opencl-filesystem libva-nvidia-driver kernel-devel-matched
+RUN dkms install nvidia/$(ls /usr/src/ | grep nvidia- | cut -d- -f2-) -k $(rpm -q --queryformat "%{VERSION}-%{RELEASE}.%{ARCH}\n" kernel)
+
+# Remove plocate to avoid updatedb going crazy with scanning the file system once a day
+RUN dnf remove -y plocate
+
+# Install libheif-freeworld to show thumbnails in Dolphin
+RUN dnf install libheif-freeworld -y
+
+# Install proprietary codecs
+RUN dnf swap libavcodec-free libavcodec-freeworld --allowerasing -y
+
+RUN dnf -y install gwenview haruna kalk okular
+RUN dnf -y install chromium firefox
+# Delete default Chromium config so it can be replaced by my own
+RUN rm -f /etc/chromium/chromium.conf
+
+# Add rule to SELinux allowing modules to be loaded into custom kernel
+RUN setsebool -P domain_kernel_load_modules on
+
+COPY etc /etc
+COPY usr /usr
+
+RUN systemctl enable waydroid-choose-intel-gpu.service
+
+RUN cd /usr/bin && wget https://raw.githubusercontent.com/CachyOS/CachyOS-Settings/refs/heads/master/usr/bin/kerver && chmod +x kerver
+
+RUN rm -rf /tmp/* /var/* && mkdir -p /var/tmp && chmod -R 1777 /var/tmp && \
+bootc container lint

bin/set_next_version.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# -----------------------------------------------------------
+# Script til beregning af AlmaLinux's næste minor version
+# og lagring af værdien som en DNF variabel.
+# -----------------------------------------------------------
+
+VAR_FILE="/etc/dnf/vars/epel_next_releasever"
+VERSION_FILE="/etc/os-release"
+
+# 1. Hent den fulde version (f.eks. "10.1")
+# Vi bruger VERSION_ID fra /etc/os-release, da den er standardiseret.
+if [ ! -f "$VERSION_FILE" ]; then
+    echo "Fejl: OS-versionsfil ($VERSION_FILE) ikke fundet." >&2
+    exit 1
+fi
+
+# Henter strengen (f.eks. 10.1)
+FULL_VERSION=$(grep '^VERSION_ID=' "$VERSION_FILE" | cut -d'"' -f2)
+
+if [[ ! "$FULL_VERSION" =~ ^[0-9]+\.[0-9]+$ ]]; then
+    echo "Fejl: Ugyldig versionsformat fundet i $VERSION_FILE: $FULL_VERSION" >&2
+    exit 1
+fi
+
+# 2. Opdel i Major (10) og Minor (1)
+MAJOR_VERSION=$(echo "$FULL_VERSION" | cut -d. -f1)
+CURRENT_MINOR=$(echo "$FULL_VERSION" | cut -d. -f2)
+
+# 3. Udfør aritmetik: Minor + 1
+NEXT_MINOR=$((CURRENT_MINOR + 1))
+
+# 4. Sammensæt den næste version streng (f.eks. 10.2)
+NEXT_VERSION="${MAJOR_VERSION}.${NEXT_MINOR}"
+
+# 5. Opret DNF vars mappen, hvis den ikke findes
+mkdir -p /etc/dnf/vars
+
+# 6. Skriv den beregnede værdi til DNF variabelfilen
+echo "$NEXT_VERSION" | tee "$VAR_FILE"
+
+# Output til log (nyttigt i en Dockerfil)
+echo "---------------------------------------------------------"
+echo "Nuværende AlmaLinux version: $FULL_VERSION"
+echo "Næste version beregnet: $NEXT_VERSION"
+echo "Værdien '$NEXT_VERSION' er gemt i $VAR_FILE."
+echo "---------------------------------------------------------"
+
+exit 0

etc/chromium/chromium.conf

@@ -0,0 +1,76 @@
+# system wide chromium flags
+
+ARCH="$(arch)"
+MODE="$(systemd-detect-virt)"
+
+# GRAPHIC_DRIVER=[amd|intel|nvidia|default]
+GRAPHIC_DRIVER=intel
+
+# WEB_DARKMODE=[on|off]
+WEB_DARKMODE=off
+
+# NATIVE_WAYLAND=[on|off]
+# chromium >=141 switched to --ozone-platform-hint=auto
+if [ ! -z "$WAYLAND_DISPLAY" ]; then
+   NATIVE_WAYLAND=on
+else
+   NATIVE_WAYLAND=off
+fi
+
+DISABLE_FEATURES="LensOverlay,ExtensionManifestV2Unsupported,ExtensionManifestV2Disabled"
+ENABLE_FEATURES="AllowQt"
+CHROMIUM_FLAGS=" --enable-chrome-browser-cloud-management"
+if [ "$NATIVE_WAYLAND" == "on" ] ; then
+   ENABLE_FEATURES+=",WaylandLinuxDrmSyncobj,WaylandPerSurfaceScale,WaylandUiScale"
+   CHROMIUM_FLAGS+=" --ozone-platform=wayland"
+else
+   CHROMIUM_FLAGS+=" --enable-gpu-memory-buffer-video-frames"
+   CHROMIUM_FLAGS+=" --enable-zero-copy"
+   CHROMIUM_FLAGS+=" --ignore-gpu-blocklist --disable-gpu-driver-bug-workaround"
+   CHROMIUM_FLAGS+=" --enable-gpu-rasterization"
+fi
+
+ENABLE_FEATURES+=",AcceleratedVideoDecodeLinuxGL,AcceleratedVideoDecodeLinuxZeroCopyGL"
+
+case "$GRAPHIC_DRIVER" in
+   amd|intel)
+      # Need new mesa with AMD multi planes support, is supported in fedora >= 40 (mesa-24.1.1 or newer)
+      # see https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/26165
+      CHROMIUM_FLAGS+=" --enable-accelerated-video-decode"
+      ENABLE_FEATURES+=",VaapiIgnoreDriverChecks,UseMultiPlaneFormatForHardwareVideo"
+      ;;
+   nvidia)
+      # The NVIDIA VaAPI drivers are known to not support Chromium
+      # see https://crbug.com/1492880. This feature switch is
+      # provided for developers to test VaAPI drivers on NVIDIA GPUs
+      ENABLE_FEATURES+=",VaapiOnNvidiaGPUs"
+      export CUDA_DISABLE_PERF_BOOST=1
+      ;;
+   *)
+      ENABLE_FEATURES+=",AcceleratedVideoEncoder"
+      ;;
+esac
+
+if [ "$MODE" != "none" ] ; then
+   # chromium in VM, running with standard setting
+   CHROMIUM_FLAGS=""
+   DISABLE_FEATURES=""
+   ENABLE_FEATURES=""
+fi
+
+# Set gtk version to 3 by default
+# todo: switch to gtk4 in the future
+CHROMIUM_FLAGS+=" --gtk-version=3"
+
+# Web Dark mode
+if [ "$WEB_DARKMODE" == "on" ] ; then
+   darktype="WebContentsForceDark:inversion_method/cielab_based/image_behavior/none/foreground_lightness_threshold/150/background_lightness_threshold/205"
+   if [ -z "$ENABLE_FEATURES" ] ; then
+       ENABLE_FEATURES+="$darktype"
+   else
+       ENABLE_FEATURES+=",$darktype"
+   fi
+fi
+
+[ -z "$DISABLE_FEATURES" ] || CHROMIUM_FLAGS+=" --disable-features=$DISABLE_FEATURES"
+[ -z "$ENABLE_FEATURES" ] || CHROMIUM_FLAGS+=" --enable-features=$ENABLE_FEATURES"

etc/environment

@@ -0,0 +1,12 @@
+QT_QPA_PLATFORM=wayland
+#CLUTTER_PAINT=disable-dynamic-max-render-time
+#MUTTER_DEBUG_ENABLE_ATOMIC_KMS=0
+#MUTTER_DEBUG_TRIPLE_BUFFERING=never
+
+# Nvidia:
+#__NV_PRIME_RENDER_OFFLOAD=1
+#__GLX_VENDOR_LIBRARY_NAME=nvidia
+
+ELECTRON_OZONE_PLATFORM_HINT=wayland
+
+#GSK_RENDERER=gl

etc/systemd/zram-generator.conf

@@ -0,0 +1,9 @@
+# This config file enables a /dev/zram0 device with the default settings:
+# — size — same as available RAM or 30GB, whichever is less
+# — compression — most likely lzo-rle
+#
+# To disable, create empty
+# /etc/systemd/zram-generator.conf file.
+[zram0]
+zram-size = min(ram, 30720)
+compression-algorithm = zstd

repo/andersrh-my-ostree-os.repo

@@ -0,0 +1,10 @@
+[my-ostree-os-epel]
+name=Copr repo for my-ostree-os owned by andersrh
+baseurl=https://download.copr.fedorainfracloud.org/results/andersrh/my-ostree-os/epel-10-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/andersrh/my-ostree-os/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1

repo/andersrh-myostree-os-rhel+epel.repo

@@ -0,0 +1,11 @@
+[my-ostree-os-rhel-epel]
+name=Copr repo for my-ostree-os owned by andersrh for RHEL+EPEL
+baseurl=https://download.copr.fedorainfracloud.org/results/andersrh/my-ostree-os/rhel+epel-10-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/andersrh/my-ostree-os/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
+priority=98

repo/epel-next-minor.repo

@@ -0,0 +1,36 @@
+[epel-next-minor]
+name=Extra Packages for Enterprise Linux $epel_next_releasever - $basearch
+# It is much more secure to use the metalink, but if you wish to use a local mirror
+# place its address here.
+#baseurl=https://download.example/pub/epel/$releasever${releasever_minor:+z}/Everything/$basearch/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=epel${releasever_minor:+-z}-$epel_next_releasever&arch=$basearch
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever_major
+gpgcheck=1
+repo_gpgcheck=0
+metadata_expire=24h
+countme=1
+enabled=0
+
+[epel-next-minor-debuginfo]
+name=Extra Packages for Enterprise Linux $epel_next_releasever - $basearch - Debug
+# It is much more secure to use the metalink, but if you wish to use a local mirror
+# place its address here.
+#baseurl=https://download.example/pub/epel/$releasever${releasever_minor:+z}/Everything/$basearch/debug/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=epel${releasever_minor:+-z}-debug-$epel_next_releasever&arch=$basearch
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever_major
+gpgcheck=1
+repo_gpgcheck=0
+metadata_expire=24h
+enabled=0
+
+[epel-next-minor-source]
+name=Extra Packages for Enterprise Linux $epel_next_releasever - $basearch - Source
+# It is much more secure to use the metalink, but if you wish to use a local mirror
+# place its address here.
+#baseurl=https://download.example/pub/epel/$releasever${releasever_minor:+z}/Everything/source/tree/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=epel${releasever_minor:+-z}-source-$epel_next_releasever&arch=source
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever_major
+gpgcheck=1
+repo_gpgcheck=0
+metadata_expire=24h
+enabled=0

repo/nvidia-container-toolkit.repo

@@ -0,0 +1,19 @@
+[nvidia-container-toolkit]
+name=nvidia-container-toolkit
+baseurl=https://nvidia.github.io/libnvidia-container/stable/rpm/$basearch
+repo_gpgcheck=1
+gpgcheck=0
+enabled=1
+gpgkey=https://nvidia.github.io/libnvidia-container/gpgkey
+sslverify=1
+sslcacert=/etc/pki/tls/certs/ca-bundle.crt
+
+[nvidia-container-toolkit-experimental]
+name=nvidia-container-toolkit-experimental
+baseurl=https://nvidia.github.io/libnvidia-container/experimental/rpm/$basearch
+repo_gpgcheck=1
+gpgcheck=0
+enabled=0
+gpgkey=https://nvidia.github.io/libnvidia-container/gpgkey
+sslverify=1
+sslcacert=/etc/pki/tls/certs/ca-bundle.crt

usr/lib/udev/rules.d/60-ioschedulers.rules

@@ -0,0 +1,8 @@
+# HDD
+ACTION=="add|change", KERNEL=="sd[a-z]*", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq"
+
+# SSD
+ACTION=="add|change", KERNEL=="sd[a-z]*|mmcblk[0-9]*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="mq-deadline"
+
+# NVMe SSD
+ACTION=="add|change", KERNEL=="nvme[0-9]*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="mq-deadline"