├── .github ├── dependabot.yml └── workflows │ ├── fedora-kinoite-calamares.yml │ ├── fedora-kinoite-live.yml │ ├── fedora-kinoite-testing.yml │ └── fedora-kinoite.yml ├── LICENSE ├── README.md ├── fedora-kinoite-calamares ├── Containerfile ├── group_asahi-fedora-remix-scripts.gpg └── group_asahi-fedora-remix-scripts.repo ├── fedora-kinoite-live └── Containerfile ├── fedora-kinoite ├── Containerfile ├── Containerfile.testing └── etc │ ├── containers │ ├── policy.json │ └── registries.d │ │ ├── ghcr.io-travier.yaml │ │ ├── quay.io-toolbx-images.yaml │ │ ├── quay.io-travier-fedora-kinoite.yaml │ │ └── quay.io-travier.yaml │ └── pki │ └── containers │ ├── fulcio_v1.crt.pem │ ├── quay.io-toolbx-images.pub │ ├── quay.io-travier-containers.pub │ ├── quay.io-travier-fedora-kinoite.pub │ └── rekor.pub └── quay.io-travier-fedora-kinoite.pub /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: "/" 5 | schedule: 6 | interval: "weekly" 7 | -------------------------------------------------------------------------------- /.github/workflows/fedora-kinoite-calamares.yml: -------------------------------------------------------------------------------- 1 | name: "Build Fedora Kinoite Calamares image" 2 | 3 | env: 4 | NAME: "fedora-kinoite-calamares" 5 | REGISTRY: "quay.io/travier" 6 | BASEIMAGE: "quay.io/fedora-ostree-desktops/kinoite:rawhide" 7 | 8 | on: 9 | pull_request: 10 | branches: 11 | - main 12 | paths: 13 | - 'fedora-kinoite-calamares/**' 14 | - '.github/workflows/fedora-kinoite-calamares.yml' 15 | push: 16 | branches: 17 | - main 18 | paths: 19 | - 'fedora-kinoite-calamares/**' 20 | - '.github/workflows/fedora-kinoite-calamares.yml' 21 | # schedule: 22 | # - cron: '0 4 * * *' 23 | workflow_dispatch: 24 | inputs: 25 | version: 26 | description: 'Override version label (org.opencontainers.image.version)' 27 | required: false 28 | default: 
'' 29 | 30 | permissions: read-all 31 | 32 | # Prevent multiple workflow runs from racing to ensure that pushes are made 33 | # sequentialy for the main branch. Also cancel in progress workflow runs for 34 | # pull requests only. 35 | concurrency: 36 | group: ${{ github.workflow }}-${{ github.ref }} 37 | cancel-in-progress: ${{ github.event_name == 'pull_request' }} 38 | 39 | jobs: 40 | build-push-image: 41 | runs-on: ubuntu-24.04 42 | steps: 43 | - name: Checkout repo 44 | uses: actions/checkout@v4 45 | 46 | - name: Figure out version 47 | id: version 48 | run: | 49 | set -exo pipefail 50 | if [[ -n ${VERSION} ]]; then 51 | version="${VERSION}" 52 | else 53 | version_base="$(skopeo inspect docker://${BASEIMAGE} | jq -r '.Labels."org.opencontainers.image.version"')" 54 | version_derived="$(skopeo inspect docker://${REGISTRY}/${NAME} | jq -r '.Labels."org.opencontainers.image.version"' || true)" 55 | if [[ -z "${version_derived}" ]]; then 56 | version="${version_base}" 57 | elif [[ "${version_base}" == "${version_derived}" ]]; then 58 | patch="${version_base##*\.}" 59 | ((patch++)) || true 60 | version="${version_base%\.*}.${patch}" 61 | else 62 | version="${version_base}" 63 | fi 64 | fi 65 | echo "Using version: ${version}" 66 | echo "version=${version}" >> "$GITHUB_OUTPUT" 67 | env: 68 | VERSION: ${{ inputs.version }} 69 | 70 | - name: Build container image 71 | uses: redhat-actions/buildah-build@v2 72 | with: 73 | image: ${{ env.NAME }} 74 | tags: latest 75 | containerfiles: ${{ env.NAME }}/Containerfile 76 | context: ${{ env.NAME }} 77 | layers: false 78 | oci: true 79 | labels: org.opencontainers.image.version=${{ steps.version.outputs.version }} 80 | 81 | - name: Push to Container Registry 82 | uses: redhat-actions/push-to-registry@v2 83 | id: push 84 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 85 | with: 86 | username: ${{ secrets.BOT_USERNAME }} 87 | 
password: ${{ secrets.BOT_SECRET }} 88 | image: ${{ env.NAME }} 89 | registry: ${{ env.REGISTRY }} 90 | tags: latest 91 | 92 | - name: Login to Container Registry 93 | uses: redhat-actions/podman-login@v1 94 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 95 | with: 96 | registry: ${{ env.REGISTRY }} 97 | username: ${{ secrets.BOT_USERNAME }} 98 | password: ${{ secrets.BOT_SECRET }} 99 | 100 | - uses: sigstore/cosign-installer@v3.8.2 101 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 102 | 103 | - name: Sign container image 104 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 105 | run: | 106 | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.NAME }}@${{ steps.push.outputs.digest }} 107 | env: 108 | COSIGN_EXPERIMENTAL: false 109 | COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} 110 | -------------------------------------------------------------------------------- /.github/workflows/fedora-kinoite-live.yml: -------------------------------------------------------------------------------- 1 | name: "Build Fedora Kinoite Live ISO image" 2 | 3 | env: 4 | NAME: "fedora-kinoite-live" 5 | REGISTRY: "quay.io/travier" 6 | BASEIMAGE: "quay.io/fedora-ostree-desktops/kinoite:rawhide" 7 | 8 | on: 9 | pull_request: 10 | branches: 11 | - main 12 | paths: 13 | - 'fedora-kinoite-live/**' 14 | - '.github/workflows/fedora-kinoite-live.yml' 15 | push: 16 | branches: 17 | - main 18 | paths: 19 | - 'fedora-kinoite-live/**' 20 | - '.github/workflows/fedora-kinoite-live.yml' 21 | # schedule: 22 | # - cron: '0 4 * * *' 23 | workflow_dispatch: 24 | inputs: 25 | version: 26 | description: 'Override version label (org.opencontainers.image.version)' 27 | 
required: false 28 | default: '' 29 | 30 | permissions: read-all 31 | 32 | # Prevent multiple workflow runs from racing to ensure that pushes are made 33 | # sequentialy for the main branch. Also cancel in progress workflow runs for 34 | # pull requests only. 35 | concurrency: 36 | group: ${{ github.workflow }}-${{ github.ref }} 37 | cancel-in-progress: ${{ github.event_name == 'pull_request' }} 38 | 39 | jobs: 40 | build-push-image: 41 | runs-on: ubuntu-24.04 42 | steps: 43 | - name: Checkout repo 44 | uses: actions/checkout@v4 45 | 46 | - name: Figure out version 47 | id: version 48 | run: | 49 | set -exo pipefail 50 | if [[ -n ${VERSION} ]]; then 51 | version="${VERSION}" 52 | else 53 | version_base="$(skopeo inspect docker://${BASEIMAGE} | jq -r '.Labels."org.opencontainers.image.version"')" 54 | version_derived="$(skopeo inspect docker://${REGISTRY}/${NAME} | jq -r '.Labels."org.opencontainers.image.version"' || true)" 55 | if [[ -z "${version_derived}" ]]; then 56 | version="${version_base}" 57 | elif [[ "${version_base}" == "${version_derived}" ]]; then 58 | patch="${version_base##*\.}" 59 | ((patch++)) || true 60 | version="${version_base%\.*}.${patch}" 61 | else 62 | version="${version_base}" 63 | fi 64 | fi 65 | echo "Using version: ${version}" 66 | echo "version=${version}" >> "$GITHUB_OUTPUT" 67 | env: 68 | VERSION: ${{ inputs.version }} 69 | 70 | - name: Build container image 71 | uses: redhat-actions/buildah-build@v2 72 | with: 73 | image: ${{ env.NAME }} 74 | tags: latest 75 | containerfiles: ${{ env.NAME }}/Containerfile 76 | context: ${{ env.NAME }} 77 | layers: false 78 | oci: true 79 | labels: org.opencontainers.image.version=${{ steps.version.outputs.version }} 80 | 81 | - name: Push to Container Registry 82 | uses: redhat-actions/push-to-registry@v2 83 | id: push 84 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 85 | with: 86 | username: ${{ 
secrets.BOT_USERNAME }} 87 | password: ${{ secrets.BOT_SECRET }} 88 | image: ${{ env.NAME }} 89 | registry: ${{ env.REGISTRY }} 90 | tags: latest 91 | 92 | - name: Login to Container Registry 93 | uses: redhat-actions/podman-login@v1 94 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 95 | with: 96 | registry: ${{ env.REGISTRY }} 97 | username: ${{ secrets.BOT_USERNAME }} 98 | password: ${{ secrets.BOT_SECRET }} 99 | 100 | - uses: sigstore/cosign-installer@v3.8.2 101 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 102 | 103 | - name: Sign container image 104 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 105 | run: | 106 | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.NAME }}@${{ steps.push.outputs.digest }} 107 | env: 108 | COSIGN_EXPERIMENTAL: false 109 | COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} 110 | -------------------------------------------------------------------------------- /.github/workflows/fedora-kinoite-testing.yml: -------------------------------------------------------------------------------- 1 | name: "Build Fedora Kinoite 42 image" 2 | 3 | env: 4 | NAME: "fedora-kinoite" 5 | REGISTRY: "quay.io/travier" 6 | BASEIMAGE: "quay.io/fedora-ostree-desktops/kinoite:42" 7 | 8 | on: 9 | # pull_request: 10 | # branches: 11 | # - main 12 | # paths: 13 | # - 'fedora-kinoite/**' 14 | # - '.github/workflows/fedora-kinoite-testing.yml' 15 | # push: 16 | # branches: 17 | # - main 18 | # paths: 19 | # - 'fedora-kinoite/**' 20 | # - '.github/workflows/fedora-kinoite-testing.yml' 21 | # schedule: 22 | # - cron: '0 4 * * *' 23 | workflow_dispatch: 24 | inputs: 25 | version: 26 | description: 'Override version label 
(org.opencontainers.image.version)' 27 | required: false 28 | default: '' 29 | 30 | permissions: read-all 31 | 32 | # Prevent multiple workflow runs from racing to ensure that pushes are made 33 | # sequentialy for the main branch. Also cancel in progress workflow runs for 34 | # pull requests only. 35 | concurrency: 36 | group: ${{ github.workflow }}-${{ github.ref }} 37 | # cancel-in-progress: ${{ github.event_name == 'pull_request' }} 38 | cancel-in-progress: true 39 | 40 | jobs: 41 | build-push-image: 42 | runs-on: ubuntu-24.04 43 | container: 44 | image: quay.io/travier/podman-action 45 | options: "--security-opt=label=disable --privileged --user 0:0 --device=/dev/kvm --device=/dev/fuse --volume /:/run/host:rw --volume /var/run/docker.sock:/var/run/docker.sock" 46 | steps: 47 | - name: Reclaim disk space 48 | run: | 49 | set -euxo pipefail 50 | rm -rf "/run/host/usr/local/lib/android" 51 | 52 | - name: Fixup GitHub homedir 53 | run: | 54 | mkdir -p /github/home/.docker/ 55 | 56 | - name: Login to Container Registry 57 | uses: redhat-actions/podman-login@v1 58 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 59 | with: 60 | registry: ${{ env.REGISTRY }} 61 | username: ${{ secrets.BOT_USERNAME }} 62 | password: ${{ secrets.BOT_SECRET }} 63 | auth_file_path: /tmp/auth.json 64 | 65 | - name: Install tools 66 | run: | 67 | set -euxo pipefail 68 | dnf install -y git-core jq rpm-ostree 69 | dnf upgrade -y --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-4b9488bb4d 70 | 71 | - name: Checkout repo 72 | uses: actions/checkout@v4 73 | 74 | - name: Figure out version 75 | id: version 76 | run: | 77 | set -exo pipefail 78 | if [[ -n ${VERSION} ]]; then 79 | version="${VERSION}" 80 | else 81 | version_base="$(skopeo inspect docker://${BASEIMAGE} | jq -r '.Labels."org.opencontainers.image.version"')" 82 | version_derived="$(skopeo inspect 
docker://${REGISTRY}/${NAME}:testing | jq -r '.Labels."org.opencontainers.image.version"' || true)" 83 | if [[ -z "${version_derived}" ]]; then 84 | version="${version_base}" 85 | elif [[ "${version_base}" == "${version_derived}" ]]; then 86 | patch="${version_base##*\.}" 87 | ((patch++)) || true 88 | version="${version_base%\.*}.${patch}" 89 | else 90 | version="${version_base}" 91 | fi 92 | fi 93 | echo "Using version: ${version}" 94 | echo "version=${version}" >> "$GITHUB_OUTPUT" 95 | env: 96 | VERSION: ${{ inputs.version }} 97 | 98 | - name: Get kmod signing key 99 | run: | 100 | echo "${KMOD_KEY}" > key 101 | echo "${KMOD_CERT}" | base64 --decode > cert 102 | env: 103 | KMOD_KEY: ${{ secrets.KMOD_KEY }} 104 | KMOD_CERT: ${{ secrets.KMOD_CERT }} 105 | 106 | - name: Build container image 107 | uses: redhat-actions/buildah-build@v2 108 | with: 109 | image: ${{ env.NAME }} 110 | tags: build.testing 111 | containerfiles: ${{ env.NAME }}/Containerfile.testing 112 | context: ${{ env.NAME }} 113 | layers: false 114 | oci: true 115 | extra-args: | 116 | --secret=id=key,src=key 117 | --secret=id=cert,src=cert 118 | 119 | - name: Rechunk container image 120 | run: | 121 | rpm-ostree experimental compose build-chunked-oci \ 122 | --bootc --format-version=1 \ 123 | --from localhost/${NAME}:build.testing \ 124 | --output containers-storage:localhost/${NAME}:rechunked.testing 125 | 126 | - name: Write NOP Containerfile 127 | run: | 128 | echo "FROM localhost/${NAME}:rechunked.testing" > ${NAME}/Containerfile.testing.labels 129 | 130 | - name: Add labels to container image 131 | uses: redhat-actions/buildah-build@v2 132 | with: 133 | image: ${{ env.NAME }} 134 | tags: testing 135 | containerfiles: ${{ env.NAME }}/Containerfile.testing.labels 136 | context: ${{ env.NAME }} 137 | layers: false 138 | oci: true 139 | labels: | 140 | org.opencontainers.image.version=${{ steps.version.outputs.version }} 141 | org.opencontainers.image.title=Fedora Kinoite 142 | 
org.opencontainers.image.description=Customized image of Fedora Kinoite 143 | org.opencontainers.image.source=https://github.com/travier/fedora-kinoite 144 | org.opencontainers.image.licenses=MIT 145 | 146 | - uses: sigstore/cosign-installer@v3.8.2 147 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 148 | 149 | - name: Push to Container Registry 150 | uses: redhat-actions/push-to-registry@v2 151 | id: push 152 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 153 | with: 154 | username: ${{ secrets.BOT_USERNAME }} 155 | password: ${{ secrets.BOT_SECRET }} 156 | image: ${{ env.NAME }} 157 | registry: ${{ env.REGISTRY }} 158 | tags: testing 159 | extra-args: | 160 | --compression-format=zstd 161 | --compression-level=19 162 | 163 | - name: Sign container image 164 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 165 | run: | 166 | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.NAME }}@${{ steps.push.outputs.digest }} 167 | env: 168 | COSIGN_EXPERIMENTAL: false 169 | COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} 170 | -------------------------------------------------------------------------------- /.github/workflows/fedora-kinoite.yml: -------------------------------------------------------------------------------- 1 | name: "Build Fedora Kinoite image" 2 | 3 | env: 4 | NAME: "fedora-kinoite" 5 | REGISTRY: "quay.io/travier" 6 | BASEIMAGE: "quay.io/fedora-ostree-desktops/kinoite:42" 7 | 8 | on: 9 | pull_request: 10 | branches: 11 | - main 12 | paths: 13 | - 'fedora-kinoite/**' 14 | - '.github/workflows/fedora-kinoite.yml' 15 | push: 16 | branches: 17 | - main 18 | paths: 19 | - 'fedora-kinoite/**' 20 | - 
'.github/workflows/fedora-kinoite.yml' 21 | schedule: 22 | - cron: '0 4 * * *' 23 | workflow_dispatch: 24 | inputs: 25 | version: 26 | description: 'Override version label (org.opencontainers.image.version)' 27 | required: false 28 | default: '' 29 | 30 | permissions: read-all 31 | 32 | # Prevent multiple workflow runs from racing to ensure that pushes are made 33 | # sequentialy for the main branch. Also cancel in progress workflow runs for 34 | # pull requests only. 35 | concurrency: 36 | group: ${{ github.workflow }}-${{ github.ref }} 37 | # cancel-in-progress: ${{ github.event_name == 'pull_request' }} 38 | cancel-in-progress: true 39 | 40 | jobs: 41 | build-push-image: 42 | runs-on: ubuntu-24.04 43 | container: 44 | image: quay.io/travier/podman-action 45 | options: "--security-opt=label=disable --privileged --user 0:0 --device=/dev/kvm --device=/dev/fuse --volume /:/run/host:rw --volume /var/run/docker.sock:/var/run/docker.sock" 46 | steps: 47 | - name: Reclaim disk space 48 | run: | 49 | set -euxo pipefail 50 | rm -rf "/run/host/usr/local/lib/android" 51 | 52 | - name: Fixup GitHub homedir 53 | run: | 54 | mkdir -p /github/home/.docker/ 55 | 56 | - name: Login to Container Registry 57 | uses: redhat-actions/podman-login@v1 58 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 59 | with: 60 | registry: ${{ env.REGISTRY }} 61 | username: ${{ secrets.BOT_USERNAME }} 62 | password: ${{ secrets.BOT_SECRET }} 63 | auth_file_path: /tmp/auth.json 64 | 65 | - name: Install tools 66 | run: | 67 | set -euxo pipefail 68 | dnf install -y git-core jq rpm-ostree 69 | dnf upgrade -y --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-4b9488bb4d 70 | 71 | - name: Checkout repo 72 | uses: actions/checkout@v4 73 | 74 | - name: Figure out version 75 | id: version 76 | run: | 77 | set -exo pipefail 78 | if [[ -n ${VERSION} ]]; then 79 | version="${VERSION}" 80 | else 81 | 
version_base="$(skopeo inspect docker://${BASEIMAGE} | jq -r '.Labels."org.opencontainers.image.version"')" 82 | version_derived="$(skopeo inspect docker://${REGISTRY}/${NAME} | jq -r '.Labels."org.opencontainers.image.version"' || true)" 83 | if [[ -z "${version_derived}" ]]; then 84 | version="${version_base}" 85 | elif [[ "${version_base}" == "${version_derived}" ]]; then 86 | patch="${version_base##*\.}" 87 | ((patch++)) || true 88 | version="${version_base%\.*}.${patch}" 89 | else 90 | version="${version_base}" 91 | fi 92 | fi 93 | echo "Using version: ${version}" 94 | echo "version=${version}" >> "$GITHUB_OUTPUT" 95 | env: 96 | VERSION: ${{ inputs.version }} 97 | 98 | - name: Get kmod signing key 99 | run: | 100 | echo "${KMOD_KEY}" > key 101 | echo "${KMOD_CERT}" | base64 --decode > cert 102 | env: 103 | KMOD_KEY: ${{ secrets.KMOD_KEY }} 104 | KMOD_CERT: ${{ secrets.KMOD_CERT }} 105 | 106 | - name: Build container image 107 | uses: redhat-actions/buildah-build@v2 108 | with: 109 | image: ${{ env.NAME }} 110 | tags: build 111 | containerfiles: ${{ env.NAME }}/Containerfile 112 | context: ${{ env.NAME }} 113 | layers: false 114 | oci: true 115 | extra-args: | 116 | --secret=id=key,src=key 117 | --secret=id=cert,src=cert 118 | 119 | - name: Rechunk container image 120 | run: | 121 | rpm-ostree experimental compose build-chunked-oci \ 122 | --bootc --format-version=1 \ 123 | --max-layers 96 \ 124 | --from localhost/${NAME}:build \ 125 | --output containers-storage:localhost/${NAME}:rechunked 126 | 127 | - name: Write NOP Containerfile 128 | run: | 129 | echo "FROM localhost/${NAME}:rechunked" > ${NAME}/Containerfile.labels 130 | 131 | - name: Add labels to container image 132 | uses: redhat-actions/buildah-build@v2 133 | with: 134 | image: ${{ env.NAME }} 135 | tags: latest 136 | containerfiles: ${{ env.NAME }}/Containerfile.labels 137 | context: ${{ env.NAME }} 138 | layers: false 139 | oci: true 140 | labels: | 141 | org.opencontainers.image.version=${{ 
steps.version.outputs.version }} 142 | org.opencontainers.image.title=Fedora Kinoite 143 | org.opencontainers.image.description=Customized image of Fedora Kinoite 144 | org.opencontainers.image.source=https://github.com/travier/fedora-kinoite 145 | org.opencontainers.image.licenses=MIT 146 | 147 | - uses: sigstore/cosign-installer@v3.8.2 148 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 149 | 150 | - name: Push to Container Registry 151 | uses: redhat-actions/push-to-registry@v2 152 | id: push 153 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 154 | with: 155 | username: ${{ secrets.BOT_USERNAME }} 156 | password: ${{ secrets.BOT_SECRET }} 157 | image: ${{ env.NAME }} 158 | registry: ${{ env.REGISTRY }} 159 | tags: latest 160 | extra-args: | 161 | --compression-format=zstd 162 | 163 | - name: Sign container image 164 | if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' 165 | run: | 166 | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.NAME }}@${{ steps.push.outputs.digest }} 167 | env: 168 | COSIGN_EXPERIMENTAL: false 169 | COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} 170 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy 4 | of this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 7 | copies of the Software, and to permit persons to 
whom the Software is furnished 8 | to do so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice (including the next 11 | paragraph) shall be included in all copies or substantial portions of the 12 | Software. 13 | 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 15 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 16 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS 17 | OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 18 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF 19 | OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 20 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Custom Fedora Kinoite images 2 | 3 | This repository hosts Containerfiles and GitHub workflows to create custom 4 | Fedora Kinoite images for my own usage. 5 | 6 | The main image (`fedora-kinoite`, pushed to 7 | `quay.io/travier/fedora-kinoite:latest`) is based on Fedora Kinoite Bootable 8 | Container images with the following changes: 9 | 10 | - [xpadneo](https://atar-axis.github.io/xpadneo/) out-of-tree kernel module for 11 | Xbox Wireless Controller support. The kmod is packaged by 12 | [negativo17](https://negativo17.org) and signed with a MOK user key (public 13 | key included in the image). 14 | - Default `/etc/containers/policy.json` config to set up signature verification 15 | for those images and other containers from my namespace on 16 | [quay.io](https://quay.io/user/travier/). 17 | - `openh264` and `mozilla-openh264` installed by default. 18 | - `steam-devices` installed by default for Steam Input support. 19 | - SetUID/SetGID bits removed from selected binaries. 
20 | 21 | This image used to include other packages, which I have now moved to 22 | [systemd system extensions](https://github.com/travier/fedora-sysexts) instead. 23 | 24 | The other images are currently used for testing various in-progress changes 25 | for Fedora Kinoite. 26 | 27 | ## How to use 28 | 29 | - Install Fedora Kinoite, update to the latest version and reboot. 30 | 31 | - Set up the key to validate container image signatures: 32 | 33 | ``` 34 | # Install public key (fetched over HTTPS only; verify it out of band before trusting it) 35 | $ sudo mkdir /etc/pki/containers 36 | $ curl -O "https://raw.githubusercontent.com/travier/fedora-kinoite/main/quay.io-travier-fedora-kinoite.pub" 37 | $ sudo cp quay.io-travier-fedora-kinoite.pub /etc/pki/containers/ 38 | $ sudo restorecon -RFv /etc/pki/containers 39 | 40 | # Configure the registry to fetch sigstore signatures (create this file with the content shown) 41 | $ cat /etc/containers/registries.d/quay.io-travier-fedora-kinoite.yaml 42 | docker: 43 | quay.io/travier/fedora-kinoite: 44 | use-sigstore-attachments: true 45 | $ sudo restorecon -RFv /etc/containers/registries.d/quay.io-travier-fedora-kinoite.yaml 46 | 47 | # Set up the policy (the file is `fedora-kinoite/etc/containers/policy.json` in a checkout of this repository) 48 | $ sudo cp etc/containers/policy.json /etc/containers/policy.json 49 | $ cat /etc/containers/policy.json 50 | { 51 | "default": [ 52 | { 53 | "type": "reject" 54 | } 55 | ], 56 | "transports": { 57 | "docker": { 58 | ... 59 | "quay.io/travier/fedora-kinoite": [ 60 | { 61 | "type": "sigstoreSigned", 62 | "keyPath": "/etc/pki/containers/quay.io-travier-fedora-kinoite.pub", 63 | "signedIdentity": { 64 | "type": "matchRepository" 65 | } 66 | } 67 | ], 68 | ... 69 | "": [ 70 | { 71 | "type": "insecureAcceptAnything" 72 | } 73 | ] 74 | }, 75 | ... 76 | } 77 | } 78 | ``` 79 | Note that the catch-all `""` entry keeps `insecureAcceptAnything` for every other repository, so only the repositories explicitly listed under `docker` are signature-checked; tighten that entry if you want unsigned pulls rejected everywhere. 80 | - Then rebase to this image: 81 | 82 | ``` 83 | $ rpm-ostree rebase ostree-image-signed:registry:quay.io/travier/fedora-kinoite:latest 84 | ``` 85 | 86 | Then update normally using `rpm-ostree update` or Discover; because the rebase used the `ostree-image-signed:` transport, the signature policy above is enforced on every update as well. 87 | 88 | ## Important notes 89 | 90 | - The base images are not yet official Fedora images. 
The location will change. 91 | - The images are only available for `x86_64` for now. 92 | 93 | ## License 94 | 95 | See [LICENSE](LICENSE) or [CC0](https://creativecommons.org/public-domain/cc0/). 96 | -------------------------------------------------------------------------------- /fedora-kinoite-calamares/Containerfile: -------------------------------------------------------------------------------- 1 | # Location not final and subject to change! 2 | FROM quay.io/fedora-ostree-desktops/kinoite:40 3 | 4 | LABEL org.opencontainers.image.title="Fedora Kinoite Calamares" 5 | LABEL org.opencontainers.image.description="Fedora Kinoite Calamares (First Boot)" 6 | LABEL org.opencontainers.image.source="https://github.com/travier/fedora-kinoite" 7 | LABEL org.opencontainers.image.licenses="MIT" 8 | LABEL quay.expires-after="" 9 | 10 | ADD group_asahi-fedora-remix-scripts.repo /etc/yum.repos.d/ 11 | ADD group_asahi-fedora-remix-scripts.gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-group_asahi-fedora-remix-scripts 12 | 13 | RUN rpm-ostree install \ 14 | calamares-firstboot-config \ 15 | && \ 16 | systemctl enable calamares-firstboot.service \ 17 | && \ 18 | ostree container commit 19 | -------------------------------------------------------------------------------- /fedora-kinoite-calamares/group_asahi-fedora-remix-scripts.gpg: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQENBGT3QxgBCADY3oDVLpYDZ/Q2Fv6YSS6vygXBa2HIZE3jTft93ctKf+xjshJ7 4 | cmH2kfAeyjQmHEaz10zdef+ooYfBFKlW7jm7cPCm+xrnn0HE2Vp8bE3WmUbf/sp2 5 | 1SOoypPwvMmlvbkibUZYay/uRaT7NAK2yhZAYxh8jiND0r1D2L10ZvtU9FUwt4Cp 6 | m5wGRa04cjE5UrOVJbsLokigawftde6zhegUQbqVUv3lrRRGWQcPTQX8tdzryRRZ 7 | qg+0svfDTNQzf2CEYUYmu+AutphH7yY5d0eBktHqesStRus6Ug1bSfmIoklXeGD9 8 | 9o6sqgbgF2sJFLFPkOpXoZ9xfDPfRlVlrkJFABEBAAG0VkBhc2FoaV9mZWRvcmEt 9 | cmVtaXgtc2NyaXB0cyAoTm9uZSkgPEBhc2FoaSNmZWRvcmEtcmVtaXgtc2NyaXB0 10 | 
c0Bjb3ByLmZlZG9yYWhvc3RlZC5vcmc+iQFXBBMBCABBFiEEswf6Oj1BnTvCXSio 11 | IkDK2j2nNjcFAmT3QxgCGy8FCQlmAYAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcC 12 | F4AACgkQIkDK2j2nNjceRAgApidmxhwrYVHKD+beQV1nRX/4vuN4bDGcCVz31CA0 13 | oEqZLoQ1D+N/C+makhVg3y+SMBgsKUigBaETrZZThSFlp0ZOcrlbKVKHCmz6Mt4M 14 | DKf35g1qaIrz9fgs9TLGk7c+gJM5pNEuk2xus0E4ueTpHM054jYAUoLDH+Dm4NFy 15 | Qk4KKFiG73KpK8nLSq+Z1/FqUpYYnIaLcujc0jyZMiIPR1teeHvRYAKWuj+IxakJ 16 | grjrBFNmx0FzE6YKcTfEZIBU8+oM4DXjVdMPwK09iIPUu1i/xHLl4ulcPwlpLf4I 17 | STxCLDLpBMpBJRxCNviFe8NPK5J2Q9UXqA6+lyj4n1w+Ag== 18 | =Cehw 19 | -----END PGP PUBLIC KEY BLOCK----- 20 | -------------------------------------------------------------------------------- /fedora-kinoite-calamares/group_asahi-fedora-remix-scripts.repo: -------------------------------------------------------------------------------- 1 | [copr:copr.fedorainfracloud.org:group_asahi:fedora-remix-scripts] 2 | name=Copr repo for fedora-remix-scripts owned by @asahi 3 | baseurl=https://download.copr.fedorainfracloud.org/results/@asahi/fedora-remix-scripts/fedora-$releasever-$basearch/ 4 | type=rpm-md 5 | skip_if_unavailable=False 6 | gpgcheck=1 7 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-group_asahi-fedora-remix-scripts 8 | repo_gpgcheck=0 9 | enabled=1 10 | enabled_metadata=1 11 | priority=5 12 | -------------------------------------------------------------------------------- /fedora-kinoite-live/Containerfile: -------------------------------------------------------------------------------- 1 | # Location not final and subject to change! 
FROM quay.io/fedora-ostree-desktops/kinoite:41
# NOTE(review): the fedora-kinoite-live workflow computes the version label from
# BASEIMAGE quay.io/fedora-ostree-desktops/kinoite:rawhide, while this stage
# builds from :41 — confirm which base is intended so the label matches the image.
# NOTE(review): the base is pulled by mutable tag (no digest), so a rebuild can
# silently pick up a different base image.

LABEL org.opencontainers.image.title="Fedora Kinoite"
LABEL org.opencontainers.image.description="Fedora Kinoite Live ISO"
LABEL org.opencontainers.image.source="https://github.com/travier/fedora-kinoite"
LABEL org.opencontainers.image.licenses="MIT"
# quay.io expiration label, deliberately left empty (presumably: never expire)
LABEL quay.expires-after=""

# - Install Anaconda installer
# - Install GRUB cdboot bootloader
# - Install and enable livesys-scripts to start a live KDE session on boot
# - Install dracut-live dracut module for LiveISO support
# - Rebuild initramfs with LiveISO support
#
# Everything runs in one RUN so the layer ends with `ostree container commit`.
# Initramfs rebuild: a drop-in in /usr/lib/dracut/dracut.conf.d adds the
# dmsquash-live module; the "Arguments:" line recorded in the stock initramfs
# (read back with lsinitrd) is replayed through `bash <(echo "dracut ...")` so
# the new image is built with the same options plus that drop-in. dracut writes
# to /boot, and the result is moved over the kernel's initramfs.img.
# /tmp/dracut and /var/roothome are created because the rebuild needs them;
# /var and /tmp are wiped afterwards since they are only build scratch space.
# NOTE(review): `bash <(...)` re-parses the recorded argument string through a
# shell instead of passing it as one word — presumably so quoting inside the
# recorded arguments is honored; confirm before simplifying it.
# NOTE(review): `echo -e` assumes the build shell understands -e (true when
# /bin/sh is bash, as on Fedora) — confirm if the base image changes.
RUN rpm-ostree install \
    anaconda \
    anaconda-install-env-deps \
    anaconda-live \
    dracut-live \
    grub2-efi-x64-cdboot \
    livesys-scripts \
    && \
    install -dm 0755 -o 0 -g 0 /usr/lib/dracut/dracut.conf.d && \
    echo -e "# Add Live ISO (squashfs image) support\nadd_dracutmodules+=\" dmsquash-live \"" > /usr/lib/dracut/dracut.conf.d/20-atomic-liveiso.conf \
    && \
    export KERNEL_VERSION="$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" && \
    stock_arguments=$(lsinitrd "/lib/modules/${KERNEL_VERSION}/initramfs.img" | grep '^Arguments: ' | sed 's/^Arguments: //') && \
    mkdir -p /tmp/dracut /var/roothome && \
    bash <(/usr/bin/echo "dracut $stock_arguments") && \
    rm -rf /var/* /tmp/* && \
    mv -v /boot/initramfs*.img "/lib/modules/${KERNEL_VERSION}/initramfs.img" \
    && \
    systemctl enable livesys.service livesys-late.service \
    && \
    sed -i 's/^livesys_session=.*/livesys_session="kde"/' /etc/sysconfig/livesys \
    && \
    ostree container commit
--------------------------------------------------------------------------------
/fedora-kinoite/Containerfile:
--------------------------------------------------------------------------------
# Location not final and subject to change!
2 | FROM quay.io/fedora-ostree-desktops/kinoite:42 as builder 3 | 4 | # Build xpadneo kernel module 5 | RUN --mount=type=secret,id=key \ 6 | --mount=type=secret,id=cert \ 7 | < /dev/null \ 22 | || (find /var/cache/akmods/xpadneo/ -name \*.log -print -exec cat {} \; && exit 1) 23 | rm -rf /etc/pki/akmods/private 24 | cp -a /usr/lib/modules/${KERNEL}/extra/ /extra 25 | EORUN 26 | 27 | # Location not final and subject to change! 28 | FROM quay.io/fedora-ostree-desktops/kinoite:42 29 | 30 | LABEL org.opencontainers.image.title="Fedora Kinoite" 31 | LABEL org.opencontainers.image.description="Customized image of Fedora Kinoite" 32 | LABEL org.opencontainers.image.source="https://github.com/travier/fedora-kinoite" 33 | LABEL org.opencontainers.image.licenses="MIT" 34 | LABEL quay.expires-after="" 35 | 36 | # Copy custom config to /etc 37 | COPY etc etc 38 | COPY --from=builder /extra /usr/lib/modules/extra 39 | 40 | # - Setup xpadneo kernel module 41 | # - Replace noopenh264 with openh264 42 | # - Remove SetUID/SetGID bits 43 | RUN --mount=type=secret,id=cert \ 44 | < /dev/null \ 22 | || (find /var/cache/akmods/xpadneo/ -name \*.log -print -exec cat {} \; && exit 1) 23 | rm -rf /etc/pki/akmods/private 24 | cp -a /usr/lib/modules/${KERNEL}/extra/ /extra 25 | EORUN 26 | 27 | # Location not final and subject to change! 28 | FROM quay.io/fedora-ostree-desktops/kinoite:42 29 | 30 | LABEL org.opencontainers.image.title="Fedora Kinoite" 31 | LABEL org.opencontainers.image.description="Customized image of Fedora Kinoite" 32 | LABEL org.opencontainers.image.source="https://github.com/travier/fedora-kinoite" 33 | LABEL org.opencontainers.image.licenses="MIT" 34 | LABEL quay.expires-after="" 35 | 36 | # Copy custom config to /etc 37 | COPY etc etc 38 | COPY --from=builder /extra /usr/lib/modules/extra 39 | 40 | # - Setup xpadneo kernel module 41 | # - Replace noopenh264 with openh264 42 | # - Remove SetUID/SetGID bits 43 | RUN --mount=type=secret,id=cert \ 44 | <