Upgrade to 42

2025-05-17 19:25:52 +01:00 · 2025-05-17 19:25:52 +01:00 · 9fdc969fa2
commit 9fdc969fa2
parent 6a44899aff
4 changed files with 177 additions and 69 deletions
--- a/workstation-nvidia/Containerfile
+++ b/workstation-nvidia/Containerfile
@ -1,81 +1,87 @@
-FROM ghcr.io/ublue-os/silverblue-nvidia:41
+FROM ghcr.io/ublue-os/silverblue-nvidia:42

 COPY etc /etc

 RUN dnf install -y https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm && \
-    dnf install -y https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm && \
-    dnf clean all
+  dnf install -y https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm && \
+  dnf clean all

 RUN dnf remove -y \
-        ptyxis \
-        gnome-software \
-        htop \
-        gnome-classic-session \
-        gnome-shell-extension-apps-menu \
-        gnome-shell-extension-background-logo \
-        gnome-shell-extension-launch-new-instance \
-        gnome-shell-extension-places-menu \
-        gnome-shell-extension-window-list \
-        open-vm-tools \
-        open-vm-tools-desktop \
-        qemu-guest-agent \
-        spice-vdagent \
-        spice-webdavd \
-        virtualbox-guest-additions && \
-    dnf swap -y ffmpeg-free ffmpeg --allowerasing && \
-    dnf swap -y libavcodec-free libavcodec-freeworld --allowerasing && \
-    dnf group install -y multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin && \
-    dnf copr enable -y alternateved/eza && \
-    dnf install -y \
-        acpi \
-        akmod-v4l2loopback \
-        btop \
-        direnv \
-        distrobox \
-        eza \
-        git \
-        gnome-boxes \
-        gstreamer1-vaapi \
-        helm \
-        kubectl \
-        util-linux \
-        lm_sensors \
-        ncdu \
-        pavucontrol \
-        qemu-guest-agent \
-        sysstat \
-        tailscale \
-        vdpauinfo \
-        vulkan-tools \
-        zsh \
-        zsh-syntax-highlighting && \
-    # Clean up
-    dnf clean all
+  ptyxis \
+  gnome-software \
+  htop \
+  gnome-classic-session \
+  gnome-shell-extension-apps-menu \
+  gnome-shell-extension-background-logo \
+  gnome-shell-extension-launch-new-instance \
+  gnome-shell-extension-places-menu \
+  gnome-shell-extension-window-list \
+  open-vm-tools \
+  open-vm-tools-desktop \
+  qemu-guest-agent \
+  spice-vdagent \
+  spice-webdavd \
+  virtualbox-guest-additions && \
+  dnf swap -y ffmpeg-free ffmpeg --allowerasing && \
+  dnf swap -y libavcodec-free libavcodec-freeworld --allowerasing && \
+  dnf remove -y pipewire-libs-extra && \
+  dnf group install -y multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin --allowerasing && \
+  dnf copr enable -y alternateved/eza && \
+  dnf copr enable -y pgdev/ghostty && \
+  dnf install -y \
+  acpi \
+  akmod-v4l2loopback \
+  btop \
+  direnv \
+  dmidecode \
+  eza \
+  ffmpegthumbnailer \
+  ghostty \
+  git \
+  gnome-boxes \
+  gstreamer1-vaapi \
+  helm \
+  kubectl \
+  lm_sensors \
+  lshw \
+  nmcli \
+  mpv \
+  ncdu \
+  pavucontrol \
+  sysstat \
+  tailscale \
+  vdpauinfo \
+  vulkan-tools \
+  zsh \
+  zsh-syntax-highlighting && \
+  # Clean up
+  dnf clean all
+
+
+# Setup watercooling
+RUN dnf copr enable -y codifryed/CoolerControl && \
+  dnf install -y coolercontrol && \
+  systemctl enable coolercontrold

 # Remove btop and nvtop shortcuts
 RUN rm /usr/share/applications/btop.desktop /usr/share/applications/nvtop.desktop

-# Don't use the ghostty copr for now, it's broken on 42. Download the appimage in userland.
-# Todo: Try again when 42 is final.
-# RUN dnf copr enable -y pgdev/ghostty && \
-#   dnf install -y ghostty
-
 # Don't install 1password, the browser integration breaks because 1Password uses /opt.
 # I think this is polkit related.
 # RUN mkdir -p /var/opt
 # COPY scripts/1password.sh /tmp/1password.sh
 # RUN /bin/sh /tmp/1password.sh

-RUN authselect enable-feature with-fingerprint
+# RUN authselect enable-feature with-fingerprint

 LABEL org.opencontainers.image.description="Built on ublue-os/silverblue-main, adding more batteries" \
-    org.opencontainers.image.source="https://cremin.dev/jonathan/bootc" \
-    org.opencontainers.image.title="ublue-silverblue-nvidia" \
-    org.opencontainers.image.url="https://cremin.dev/jonathan/bootc" \
-    org.opencontainers.image.created="" \
-    org.opencontainers.image.licenses="Unlicensed" \
-    org.opencontainers.image.revision="" \
-    org.opencontainers.image.version=""
+  org.opencontainers.image.source="https://cremin.dev/jonathan/bootc" \
+  org.opencontainers.image.title="ublue-silverblue-nvidia" \
+  org.opencontainers.image.url="https://cremin.dev/jonathan/bootc" \
+  org.opencontainers.image.created="" \
+  org.opencontainers.image.licenses="Unlicensed" \
+  org.opencontainers.image.revision="" \
+  org.opencontainers.image.version=""



@ -84,7 +90,7 @@ LABEL org.opencontainers.image.description="Built on ublue-os/silverblue-main, a

 # RUN echo "blacklist nouveau" > /etc/modprobe.d/blacklist_nouveau.conf

-# RUN dnf install -y --allowerasing \   
+# RUN dnf install -y --allowerasing \
 #     akmod-nvidia \
 #     libva-nvidia-driver \
 #     nvidia-container-toolkit \
--- a/workstation-nvidia/build-push.sh
+++ b/workstation-nvidia/build-push.sh
@ -6,17 +6,17 @@ set -e
 cd "$(dirname "$0")"

 DATE_TAG=$(date "+%Y%m%d-%H%M%S")
-CURRENT_IMAGE_ID=$(sudo podman images --format "{{.ID}}" cremin.dev/jonathan/ublue-silverblue-main:42)
+CURRENT_IMAGE_ID=$(podman images --format "{{.ID}}" cremin.dev/jonathan/ublue-silverblue-nvidia:42)


 echo "Pulling base image"
 # ensure the base image is up to date
-sudo -E podman pull ghcr.io/ublue-os/silverblue-main:42
+podman pull ghcr.io/ublue-os/silverblue-nvidia:42

 echo "Starting build"
-sudo -E podman build -t cremin.dev/jonathan/ublue-silverblue-main:42 .
+podman build -t cremin.dev/jonathan/ublue-silverblue-nvidia:42 .

-NEW_IMAGE_ID=$(sudo podman images --format "{{.ID}}" cremin.dev/jonathan/ublue-silverblue-main:42)
+NEW_IMAGE_ID=$(podman images --format "{{.ID}}" cremin.dev/jonathan/ublue-silverblue-nvidia:42)


 # Start build and check if any layers were changed (looking for "Using cache" messages)
@ -25,9 +25,9 @@ if [ "$CURRENT_IMAGE_ID" = "$NEW_IMAGE_ID" ]; then
 else
    echo "Image updated, pushing to registry"
    # Add the tags
-    sudo -E podman tag cremin.dev/jonathan/ublue-silverblue-main:42 cremin.dev/jonathan/ublue-silverblue-main:42-${DATE_TAG} cremin.dev/jonathan/ublue-silverblue-main:latest
+    podman tag cremin.dev/jonathan/ublue-silverblue-nvidia:42 cremin.dev/jonathan/ublue-silverblue-nvidia:42-${DATE_TAG} cremin.dev/jonathan/ublue-silverblue-nvidia:latest
    # Push the image
-    sudo -E podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-main:42-${DATE_TAG}
-    sudo -E podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-main:42
-    sudo -E podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-main:latest
+    podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-nvidia:42-${DATE_TAG}
+    podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-nvidia:42
+    podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-nvidia:latest
 fi
--- a/workstation-nvidia/scripts/1password.sh
+++ b/workstation-nvidia/scripts/1password.sh
@ -0,0 +1,76 @@
+#!/usr/bin/env sh
+
+# Thanks to bri for the inspiration! My script is mostly based on this example:
+# https://github.com/briorg/bluefin/blob/c62c30a04d42fd959ea770722c6b51216b4ec45b/scripts/1password.sh
+
+set -ouex pipefail
+
+echo "Installing 1Password"
+
+# On libostree systems, /opt is a symlink to /var/opt,
+# which actually only exists on the live system. /var is
+# a separate mutable, stateful FS that's overlaid onto
+# the ostree rootfs. Therefore we need to install it into
+# /usr/lib/1Password instead, and dynamically create a
+# symbolic link /opt/1Password => /usr/lib/1Password upon
+# boot.
+
+# Prepare staging directory
+mkdir -p /var/opt # -p just in case it exists
+# for some reason...
+
+# Setup repo
+cat << EOF > /etc/yum.repos.d/1password.repo
+[1password]
+name=1Password Stable Channel
+baseurl=https://downloads.1password.com/linux/rpm/stable/\$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://downloads.1password.com/linux/keys/1password.asc
+EOF
+
+# Import signing key
+rpm --import https://downloads.1password.com/linux/keys/1password.asc
+
+# Prepare 1Password groups
+# Normally, when after dnf installs the 1password RPM, an
+# 'after-install.sh' script runs to cofigure several things, including
+# the creation of a group. Under rpm-ostree, this didn't work quite as
+# expected, thus several steps were done to hack around and fix things.
+# Now with dnf5, there is a problem where 'after-install.sh' creates
+# groups which conflict with default user's GID. This now pre-creates
+# the groups, rather than fixing after RPM installation.
+
+# I hardcode GIDs and cross fingers that nothing else steps on them.
+# These numbers _should_ be okay under normal use, but
+# if there's a more specific range that I should use here
+# please submit a PR!
+
+# Specifically, GID must be > 1000, and absolutely must not
+# conflict with any real groups on the deployed system.
+# Normal user group GIDs on Fedora are sequential starting
+# at 1000, so let's skip ahead and set to something higher.
+GID_ONEPASSWORD="1790"
+GID_ONEPASSWORDCLI="1791"
+groupadd -g ${GID_ONEPASSWORD} onepassword
+groupadd -g ${GID_ONEPASSWORDCLI} onepassword-cli
+
+# Now let's install the packages.
+dnf5 install -y 1password 1password-cli
+
+# This places the 1Password contents in an image safe location
+mv /var/opt/1Password /usr/lib/1Password # move this over here
+
+# Register path symlink
+# We do this via tmpfiles.d so that it is created by the live system.
+cat >/usr/lib/tmpfiles.d/onepassword.conf <<EOF
+L  /opt/1Password  -  -  -  -  /usr/lib/1Password
+EOF
+
+# No further hack SHOULD be needed since dnf5 does run the script
+# after-install.sh as expected and uses our pre-set groups.
+
+# Clean up the yum repo (updates are baked into new images)
+rm /etc/yum.repos.d/1password.repo -f
+
--- a/workstation-nvidia/scripts/kraken.patch
+++ b/workstation-nvidia/scripts/kraken.patch
@ -0,0 +1,26 @@
+--- /usr/lib/python3.13/site-packages/liquidctl/driver/kraken3.py       2025-04-07 15:54:42.399225195 +0100
+++ kraken3.py  2025-04-07 15:53:59.676402140 +0100
+@@ -594,6 +594,18 @@
+                 "lcd_resolution": (240, 240),
+             },
+         ),
+        (
+            0x1E71,
+            0x3012,
+            "NZXT Kraken 2024 Elite RGB",
+            {
+                "speed_channels": _SPEED_CHANNELS_KRAKEN2023,
+                "color_channels": _COLOR_CHANNELS_KRAKEN2023,
+                "hwmon_ctrl_mapping": _HWMON_CTRL_MAPPING_KRAKENZ,
+                "bulk_buffer_size": 1024 * 1024 * 2,  # 2 MB
+                "lcd_resolution": (640, 640),
+            },
+        ),
+     ]
+
+     def __init__(
+@@ -1154,3 +1166,4 @@
+             ]
+         )
+         return response[14] == 0x1
+