Optimize repository

containers/Dockerfile.gnome

@@ -0,0 +1,57 @@
+FROM quay.io/fedora-ostree-desktops/silverblue:42 AS mpv-build
+
+RUN dnf5 -y install --setopt install_weak_deps=false git-core meson g++ autoconf cmake automake libtool freetype-devel fribidi-devel nasm pipewire-devel wayland-devel wayland-protocols-devel libshaderc-devel libxkbcommon-devel vulkan-loader-devel compat-lua-devel libva-devel openssl-devel
+
+RUN mkdir /build && cd /build && git clone https://github.com/mpv-player/mpv-build.git
+
+COPY ./mpv_options /build/mpv-build/mpv_options
+
+RUN cd /build/mpv-build && ./rebuild -j$(nproc)
+
+
+FROM quay.io/fedora-ostree-desktops/silverblue:42
+
+COPY --from=mpv-build /build/mpv-build/mpv/build/mpv /bin/mpv
+
+# dnf configuration has to be in effect during build
+COPY etc/dnf /etc/dnf
+
+# Add rpmfusion repositories
+RUN dnf5 -y install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
+
+# Install ffmpeg (removing all the -free replacements is required)
+RUN dnf5 -y install --allowerasing ffmpeg
+
+# Install hardware codecs
+RUN dnf5 -y install intel-media-driver
+
+# Install gpu utilities
+RUN dnf5 -y install igt-gpu-tools
+
+# Install openh264
+RUN dnf5 -y swap noopenh264 openh264 && dnf5 -y install mozilla-openh264
+
+# Bulk of layered packages
+RUN dnf5 -y install vim bat btop pv restic zstd nmap-ncat yt-dlp
+
+# Set vim as default editor
+RUN dnf5 -y swap nano-default-editor vim-default-editor
+
+# Remove default color prompt (is replaced with a custom one)
+RUN dnf5 -y remove bash-color-prompt
+
+# Apply configuration
+COPY etc /etc
+COPY usr /usr
+
+# Apply hardened firewall configuration
+RUN firewall-offline-cmd --set-default-zone public
+RUN firewall-offline-cmd --remove-service ssh
+
+# Restrict permissions on quadlet directory
+RUN chmod 700 /etc/containers/systemd
+
+# https://github.com/ostreedev/ostree-rs-ext/issues/159
+RUN ostree container commit
+
+LABEL quay.expires-after=""

containers/Dockerfile.gnome-nvidia

@@ -0,0 +1,22 @@
+ARG REGISTRY_DOMAIN
+
+ARG NAMESPACE
+
+FROM ${REGISTRY_DOMAIN}/${NAMESPACE}/onc-gnome:main
+
+# Install nvidia drivers
+RUN dnf5 -y install akmod-nvidia xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda && \
+    akmods --force --kernels $(rpm -qa kernel | sed 's/kernel-//g') && \
+    rpm -e akmod-nvidia && \
+    dnf5 -y autoremove
+
+# Apply configuration
+COPY usr.nvidia /usr
+
+# Enables nvidia persistenced, required for programs that don't/can't activate the nvidia driver (steam flatpak)
+RUN systemctl enable nvidia-persistenced.service
+
+# https://github.com/ostreedev/ostree-rs-ext/issues/159
+RUN ostree container commit
+
+LABEL quay.expires-after=""

containers/Dockerfile.kde

@@ -0,0 +1,57 @@
+FROM quay.io/fedora-ostree-desktops/kinoite:42 AS mpv-build
+
+RUN dnf5 -y install --setopt install_weak_deps=false git-core meson g++ autoconf cmake automake libtool freetype-devel fribidi-devel nasm pipewire-devel wayland-devel wayland-protocols-devel libshaderc-devel libxkbcommon-devel vulkan-loader-devel compat-lua-devel libva-devel openssl-devel
+
+RUN mkdir /build && cd /build && git clone https://github.com/mpv-player/mpv-build.git
+
+COPY ./mpv_options /build/mpv-build/mpv_options
+
+RUN cd /build/mpv-build && ./rebuild -j$(nproc)
+
+
+FROM quay.io/fedora-ostree-desktops/kinoite:42
+
+COPY --from=mpv-build /build/mpv-build/mpv/build/mpv /bin/mpv
+
+# dnf configuration has to be in effect during build
+COPY etc/dnf /etc/dnf
+
+# Add rpmfusion repositories
+RUN dnf5 -y install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
+
+# Install ffmpeg (removing all the -free replacements is required)
+RUN dnf5 -y install --allowerasing ffmpeg
+
+# Install hardware codecs
+RUN dnf5 -y install intel-media-driver
+
+# Install gpu utilities
+RUN dnf5 -y install igt-gpu-tools
+
+# Install openh264
+RUN dnf5 -y swap noopenh264 openh264 && dnf5 -y install mozilla-openh264
+
+# Bulk of layered packages
+RUN dnf5 -y install vim bat btop pv restic zstd nmap-ncat yt-dlp
+
+# Set vim as default editor
+RUN dnf5 -y swap nano-default-editor vim-default-editor
+
+# Remove default color prompt (is replaced with a custom one)
+RUN dnf5 -y remove bash-color-prompt
+
+# Apply configuration
+COPY etc /etc
+COPY usr /usr
+
+# Apply hardened firewall configuration
+RUN firewall-offline-cmd --set-default-zone public
+RUN firewall-offline-cmd --remove-service ssh
+
+# Restrict permissions on quadlet directory
+RUN chmod 700 /etc/containers/systemd
+
+# https://github.com/ostreedev/ostree-rs-ext/issues/159
+RUN ostree container commit
+
+LABEL quay.expires-after=""

containers/Dockerfile.kde-nvidia

@@ -0,0 +1,22 @@
+ARG REGISTRY_DOMAIN
+
+ARG NAMESPACE
+
+FROM ${REGISTRY_DOMAIN}/${NAMESPACE}/onc-kde:main
+
+# Install nvidia drivers
+RUN dnf5 -y install akmod-nvidia xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda && \
+    akmods --force --kernels $(rpm -qa kernel | sed 's/kernel-//g') && \
+    rpm -e akmod-nvidia && \
+    dnf5 -y autoremove
+
+# Apply configuration
+COPY usr.nvidia /usr
+
+# Enables nvidia persistenced, required for programs that don't/can't activate the nvidia driver (steam flatpak)
+RUN systemctl enable nvidia-persistenced.service
+
+# https://github.com/ostreedev/ostree-rs-ext/issues/159
+RUN ostree container commit
+
+LABEL quay.expires-after=""

containers/Dockerfile.kde-nvidia-ver4a

@@ -0,0 +1,32 @@
+ARG REGISTRY_DOMAIN
+
+ARG NAMESPACE
+
+FROM ${REGISTRY_DOMAIN}/${NAMESPACE}/onc-kde:main-nvidia
+
+# Install virtualization tools
+RUN dnf5 -y install libvirt libvirt-daemon-kvm virt-manager
+
+# Install general utilities
+RUN dnf5 -y install croc solaar openrgb
+
+# Install general purpose development tools
+RUN dnf5 -y install codium neovim wl-clipboard ansible python3-ansible-lint uv butane coreos-installer
+
+# Remove unwanted packages
+RUN dnf5 -y remove kde-connect plasma-discover plasma-discover-libs
+
+# Remove Firefox rpm (superseded by flatpak Firefox)
+RUN dnf5 -y remove firefox firefox-langpacks
+
+# Remove unneeded packages (currently doesn't actually reduce space, but reduces clutter)
+RUN dnf5 -y autoremove
+
+# Remove setuid/setgid binaries
+# Except for polkit-agent-helper-1, it's currently required for interactive authentication with polkit.
+RUN find /usr -mindepth 1 -type f -perm /6000 -regextype posix-extended -not -regex '^/usr/lib/polkit-1/polkit-agent-helper-1$|^/usr/s?bin/unix_chkpwd$|^/usr/s?bin/fusermount[0-9]?$' -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \;
+
+# https://github.com/ostreedev/ostree-rs-ext/issues/159
+RUN ostree container commit
+
+LABEL quay.expires-after=""

containers/Dockerfile.kde-ver4a

@@ -0,0 +1,32 @@
+ARG REGISTRY_DOMAIN
+
+ARG NAMESPACE
+
+FROM ${REGISTRY_DOMAIN}/${NAMESPACE}/onc-kde:main
+
+# Install virtualization tools
+RUN dnf5 -y install libvirt libvirt-daemon-kvm virt-manager
+
+# Install general utilities
+RUN dnf5 -y install croc solaar openrgb
+
+# Install general purpose development tools
+RUN dnf5 -y install codium neovim wl-clipboard ansible python3-ansible-lint uv butane coreos-installer
+
+# Remove unwanted packages
+RUN dnf5 -y remove kde-connect plasma-discover plasma-discover-libs
+
+# Remove Firefox rpm (superseded by flatpak Firefox)
+RUN dnf5 -y remove firefox firefox-langpacks
+
+# Remove unneeded packages (currently doesn't actually reduce space, but reduces clutter)
+RUN dnf5 -y autoremove
+
+# Remove setuid/setgid binaries
+# Except for polkit-agent-helper-1, it's currently required for interactive authentication with polkit.
+RUN find /usr -mindepth 1 -type f -perm /6000 -regextype posix-extended -not -regex '^/usr/lib/polkit-1/polkit-agent-helper-1$|^/usr/s?bin/unix_chkpwd$|^/usr/s?bin/fusermount[0-9]?$' -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \;
+
+# https://github.com/ostreedev/ostree-rs-ext/issues/159
+RUN ostree container commit
+
+LABEL quay.expires-after=""

containers/etc/dnf/dnf.conf

@@ -0,0 +1,3 @@
+[main]
+install_weak_deps=False
+exclude=mpv

containers/etc/polkit-1/rules.d/80-libvirt-manage.rules

@@ -0,0 +1,7 @@
+// https://goldmann.pl/blog/2012/12/03/configuring-polkit-in-fedora-18-to-access-virt-manager/
+
+polkit.addRule(function(action, subject) {
+  if (action.id == "org.libvirt.unix.manage" && subject.local && subject.active && subject.isInGroup("wheel")) {
+      return polkit.Result.YES;
+  }
+});

containers/etc/polkit-1/rules.d/80-rpm-ostree.rules

@@ -0,0 +1,25 @@
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.projectatomic.rpmostree1.repo-refresh" &&
+        subject.active == true && subject.local == true) {
+            return polkit.Result.YES;
+    }
+
+    if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" ||
+         action.id == "org.projectatomic.rpmostree1.install-local-packages" ||
+         action.id == "org.projectatomic.rpmostree1.override" ||
+         action.id == "org.projectatomic.rpmostree1.deploy" ||
+         action.id == "org.projectatomic.rpmostree1.upgrade" ||
+         action.id == "org.projectatomic.rpmostree1.rebase" ||
+         action.id == "org.projectatomic.rpmostree1.rollback" ||
+         action.id == "org.projectatomic.rpmostree1.bootconfig" ||
+         action.id == "org.projectatomic.rpmostree1.reload-daemon" ||
+         action.id == "org.projectatomic.rpmostree1.cancel" ||
+         action.id == "org.projectatomic.rpmostree1.cleanup" ||
+         action.id == "org.projectatomic.rpmostree1.client-management") &&
+        subject.active == true &&
+        subject.local == true &&
+        subject.isInGroup("wheel")) {
+            return polkit.Result.YES;
+    }
+});
+

containers/etc/polkit-1/rules.d/80-systemd-unit-manage.rules

@@ -0,0 +1,5 @@
+polkit.addRule(function(action, subject) {
+  if (action.id == "org.freedesktop.systemd1.manage-units" && subject.local && subject.active && subject.isInGroup("wheel")) {
+      return polkit.Result.YES;
+  }
+});

containers/etc/profile.d/20-bat-manpager.sh

@@ -0,0 +1,2 @@
+export MANPAGER="sh -c 'col -bx | LESS="RKCM" bat -l man --decorations=never --paging=always'"
+export MANROFFOPT="-c"

containers/etc/profile.d/20-less.sh

@@ -0,0 +1 @@
+export LESS=RSMK

containers/etc/profile.d/20-systemd-less.sh

@@ -0,0 +1 @@
+export SYSTEMD_LESS=FRSMK

containers/etc/profile.d/bash-color-prompt.sh

@@ -0,0 +1,147 @@
+# see /usr/share/doc/bash-color-prompt/README.md
+
+## to truncate \w dirpath set:
+# PROMPT_DIRTRIM=3
+
+# only for bash
+if [ -n "${BASH_VERSION}" -a -z "${bash_prompt_color_disable}" ]; then
+
+    # enable only in interactive shell
+    case $- in
+        *i*) ;;
+        *) return;;
+    esac
+
+    # defines PS1 for color prompt
+    prompt_setup_color_ps1() {
+        local colorpre='\[\e['
+        local colorsuf='m\]'
+        local colorreset="${colorpre}0${colorsuf}"
+        PS1='${PROMPT_START@P}'"${colorpre}"'${PROMPT_COLOR}${PROMPT_HIGHLIGHT:+;$PROMPT_HIGHLIGHT}'"${colorsuf}"'${PROMPT_USERHOST@P}'"${colorreset}"'${PROMPT_SEPARATOR@P}'"${colorpre}"'${PROMPT_DIR_COLOR-${PROMPT_COLOR}}${PROMPT_HIGHLIGHT:+;$PROMPT_HIGHLIGHT}'"${colorsuf}"'${PROMPT_DIRECTORY@P}'"${colorreset}"'${PROMPT_END@P}\$'"${colorreset} "
+    }
+
+    # sets default color or $1 can override
+    prompt_color() {
+        if [ -n "${1:+1}" ]; then
+            PROMPT_COLOR="$1"
+        else
+            if [ "$USER" = "root" ]; then
+                PROMPT_COLOR="93;1"
+            else
+                PROMPT_COLOR="93"
+            fi
+        fi
+    }
+
+    # sets prompt highlighting
+    prompt_highlight() {
+        PROMPT_HIGHLIGHT=${1:-1}
+    }
+
+    prompt_default_highlight() {
+        if [ "$DESKTOP_SESSION" = "gnome" ]; then
+            prompt_highlight "${1:-1}"
+        else
+            unset PROMPT_HIGHLIGHT
+        fi
+    }
+
+    prompt_default_color() {
+        prompt_color "$1"
+        prompt_default_highlight
+        unset PROMPT_DIR_COLOR
+    }
+
+    prompt_dir_color() {
+        if [ -n "${1:+1}" ]; then
+            PROMPT_DIR_COLOR="$1"
+        else
+            unset PROMPT_DIR_COLOR
+        fi
+    }
+
+    # only activate for color terminals and if PS1 unchanged from bash or fedora defaults
+    if [ '(' "${TERM: -5}" = "color" -o "${TERM}" = "linux" ')' \
+             -o -n "${bash_prompt_color_force}" ]; then
+        prompt_color "$PROMPT_COLOR"
+        prompt_default_highlight "$PROMPT_HIGHLIGHT"
+        prompt_dir_color "$PROMPT_DIR_COLOR"
+        PROMPT_USERHOST="${PROMPT_USERHOST-${container:+⬢ }\u@\h}"
+        PROMPT_SEPARATOR="${PROMPT_SEPARATOR-:}"
+        PROMPT_DIRECTORY="${PROMPT_DIRECTORY-\w}"
+        prompt_setup_color_ps1
+    fi
+
+    # sets default prompt format
+    prompt_default_format() {
+        PROMPT_USERHOST='\u@\h'
+        PROMPT_SEPARATOR=':'
+        PROMPT_DIRECTORY='\w'
+        PROMPT_START=''
+        PROMPT_END=''
+    }
+
+    # sets default prompt color and format
+    prompt_default() {
+        prompt_default_color "$1"
+        prompt_default_format
+    }
+
+    # sets color to OS ANSI_COLOR
+    # $1 is appended to the (foreground) color
+    prompt_os_color() {
+        if [ -z "$ANSI_COLOR" ]; then
+            eval local $(grep ANSI_COLOR /etc/os-release)
+        fi
+            PROMPT_COLOR="$ANSI_COLOR${1:+;$1}"
+    }
+
+    prompt_container() {
+        if [ -n "$container" ]; then
+            eval local $(grep "\(^ID=\|VERSION_ID\|VARIANT_ID\)" /etc/os-release)
+            PROMPT_USERHOST="⬢ $ID-$VARIANT_ID$VERSION_ID"
+        else
+            if [ "$HOSTNAME" = "fedora" -a "$1" = "$USER" ]; then
+                unset PROMPT_USERHOST
+            fi
+        fi
+        }
+
+    # unsets colors
+    prompt_no_color() {
+        unset PROMPT_COLOR
+        unset PROMPT_DIR_COLOR
+    }
+
+    # unsets highlighting
+    prompt_no_highlight() {
+        unset PROMPT_HIGHLIGHT
+    }
+
+    # unsets color and highlighting
+    prompt_plain() {
+        prompt_no_color
+        prompt_no_highlight
+    }
+
+    # sets traditional Red Hat prompt style format
+    prompt_traditional_format() {
+        PROMPT_USERHOST='\u@\h'
+        PROMPT_SEPARATOR=' '
+        PROMPT_DIRECTORY='\W'
+        PROMPT_START='['
+        PROMPT_END=']'
+    }
+
+    # sets traditional Red Hat prompt style without color
+    prompt_traditional() {
+        prompt_plain
+        prompt_traditional_format
+    }
+
+    # revert to traditional Red Hat prompt
+    prompt_reset_traditional_ps1() {
+        PS1="[\u@\h \W]\\$ "
+    }
+
+fi

containers/etc/ssh/sshd_config.d/20-disable-gssapi.conf

@@ -0,0 +1 @@
+GSSAPIAuthentication no

containers/etc/ssh/sshd_config.d/20-disable-passwords.conf

@@ -0,0 +1 @@
+PasswordAuthentication no

containers/etc/sysctl.d/20-high-swappines.conf

@@ -0,0 +1 @@
+vm.swappiness=180

containers/etc/sysctl.d/20-no-page-cluster.conf

@@ -0,0 +1 @@
+vm.page-cluster=0

containers/etc/systemd/resolved.conf

@@ -0,0 +1,5 @@
+[Resolve]
+DNS=1.1.1.1 1.0.0.1
+FallbackDNS=
+Domains=~.
+DNSOverTLS=yes

containers/etc/systemd/zram-generator.conf

@@ -0,0 +1,4 @@
+# /etc/systemd/zram-generator.conf
+[zram0]
+zram-size = ram * 2
+compression-algorithm=zstd

containers/etc/vimrc.local

@@ -0,0 +1,3 @@
+au BufRead,BufNewFile *.container set filetype=systemd
+au BufRead,BufNewFile *.container.disabled set filetype=systemd
+colorscheme retrobox

containers/etc/yum.repos.d/vscodium.repo

@@ -0,0 +1,8 @@
+[gitlab.com_paulcarroty_vscodium_repo]
+name=download.vscodium.com
+baseurl=https://download.vscodium.com/rpms/
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg
+metadata_expire=1h

containers/mpv_options

@@ -0,0 +1,6 @@
+-Dpipewire=enabled
+-Dwayland=enabled
+-Dlua=enabled
+-Dvulkan=enabled
+-Dvaapi=enabled
+-Dlibmpv=false

containers/usr.nvidia/lib/bootc/kargs.d/10-nvidia-drivers.toml

@@ -0,0 +1 @@
+kargs = ["rd.driver.blacklist=nouveau","modprobe.blacklist=nouveau","nvidia-drm.modeset=1"]

containers/usr/lib/bootc/kargs.d/10-luks-discard.toml

@@ -0,0 +1 @@
+kargs = ["rd.luks.options=discard"]