diff --git a/workstation-nvidia/Containerfile b/workstation-nvidia/Containerfile
index 452f65a..f2fcac0 100755
--- a/workstation-nvidia/Containerfile
+++ b/workstation-nvidia/Containerfile
@@ -1,81 +1,87 @@ -FROM ghcr.io/ublue-os/silverblue-nvidia:41 +FROM ghcr.io/ublue-os/silverblue-nvidia:42 COPY etc /etc RUN dnf install -y https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm && \ - dnf install -y https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm && \ - dnf clean all + dnf install -y https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm && \ + dnf clean all RUN dnf remove -y \ - ptyxis \ - gnome-software \ - htop \ - gnome-classic-session \ - gnome-shell-extension-apps-menu \ - gnome-shell-extension-background-logo \ - gnome-shell-extension-launch-new-instance \ - gnome-shell-extension-places-menu \ - gnome-shell-extension-window-list \ - open-vm-tools \ - open-vm-tools-desktop \ - qemu-guest-agent \ - spice-vdagent \ - spice-webdavd \ - virtualbox-guest-additions && \ - dnf swap -y ffmpeg-free ffmpeg --allowerasing && \ - dnf swap -y libavcodec-free libavcodec-freeworld --allowerasing && \ - dnf group install -y multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin && \ - dnf copr enable -y alternateved/eza && \ - dnf install -y \ - acpi \ - akmod-v4l2loopback \ - btop \ - direnv \ - distrobox \ - eza \ - git \ - gnome-boxes \ - gstreamer1-vaapi \ - helm \ - kubectl \ - util-linux \ - lm_sensors \ - ncdu \ - pavucontrol \ - qemu-guest-agent \ - sysstat \ - tailscale \ - vdpauinfo \ - vulkan-tools \ - zsh \ - zsh-syntax-highlighting && \ - # Clean up - dnf clean all + ptyxis \ + gnome-software \ + htop \ + gnome-classic-session \ + gnome-shell-extension-apps-menu \ + gnome-shell-extension-background-logo \ + gnome-shell-extension-launch-new-instance \ + gnome-shell-extension-places-menu \ + gnome-shell-extension-window-list \ + open-vm-tools \ + open-vm-tools-desktop \ + qemu-guest-agent \ + spice-vdagent \ + spice-webdavd \ + virtualbox-guest-additions && \ + dnf swap -y 
ffmpeg-free ffmpeg --allowerasing && \ + dnf swap -y libavcodec-free libavcodec-freeworld --allowerasing && \ + dnf remove -y pipewire-libs-extra && \ + dnf group install -y multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin --allowerasing && \ + dnf copr enable -y alternateved/eza && \ + dnf copr enable -y pgdev/ghostty && \ + dnf install -y \ + acpi \ + akmod-v4l2loopback \ + btop \ + direnv \ + dmidecode \ + eza \ + ffmpegthumbnailer \ + ghostty \ + git \ + gnome-boxes \ + gstreamer1-vaapi \ + helm \ + kubectl \ + lm_sensors \ + lshw \ + nmcli \ + mpv \ + ncdu \ + pavucontrol \ + sysstat \ + tailscale \ + vdpauinfo \ + vulkan-tools \ + zsh \ + zsh-syntax-highlighting && \ + # Clean up + dnf clean all + + +# Setup watercooling +RUN dnf copr enable -y codifryed/CoolerControl && \ + dnf install -y coolercontrol && \ + systemctl enable coolercontrold # Remove btop and nvtop shortcuts RUN rm /usr/share/applications/btop.desktop /usr/share/applications/nvtop.desktop -# Don't use the ghostty copr for now, it's broken on 42. Download the appimage in userland. -# Todo: Try again when 42 is final. -# RUN dnf copr enable -y pgdev/ghostty && \ -# dnf install -y ghostty - # Don't install 1password, the browser integration breaks because 1Password uses /opt. # I think this is polkit related. 
# RUN mkdir -p /var/opt # COPY scripts/1password.sh /tmp/1password.sh # RUN /bin/sh /tmp/1password.sh -RUN authselect enable-feature with-fingerprint +# RUN authselect enable-feature with-fingerprint LABEL org.opencontainers.image.description="Built on ublue-os/silverblue-main, adding more batteries" \ - org.opencontainers.image.source="https://cremin.dev/jonathan/bootc" \ - org.opencontainers.image.title="ublue-silverblue-nvidia" \ - org.opencontainers.image.url="https://cremin.dev/jonathan/bootc" \ - org.opencontainers.image.created="" \ - org.opencontainers.image.licenses="Unlicensed" \ - org.opencontainers.image.revision="" \ - org.opencontainers.image.version="" + org.opencontainers.image.source="https://cremin.dev/jonathan/bootc" \ + org.opencontainers.image.title="ublue-silverblue-nvidia" \ + org.opencontainers.image.url="https://cremin.dev/jonathan/bootc" \ + org.opencontainers.image.created="" \ + org.opencontainers.image.licenses="Unlicensed" \ + org.opencontainers.image.revision="" \ + org.opencontainers.image.version="" @@ -84,7 +90,7 @@ LABEL org.opencontainers.image.description="Built on ublue-os/silverblue-main, a # RUN echo "blacklist nouveau" > /etc/modprobe.d/blacklist_nouveau.conf -# RUN dnf install -y --allowerasing \ +# RUN dnf install -y --allowerasing \ # akmod-nvidia \ # libva-nvidia-driver \ # nvidia-container-toolkit \ diff --git a/workstation-nvidia/build-push.sh b/workstation-nvidia/build-push.sh index 96db3b5..552cf98 100755 --- a/workstation-nvidia/build-push.sh +++ b/workstation-nvidia/build-push.sh 
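Review bot: The two COPR repositories added in the big `RUN` and in the new "Setup watercooling" step (`pgdev/ghostty`, `codifryed/CoolerControl`) stay enabled in the shipped image, alongside the existing `alternateved/eza`. COPR projects are individually maintained, so each one left enabled is a standing package source for every later rebuild and for any package operation on the deployed host. Consider disabling each repo in the same `RUN` once its package is installed, e.g. `dnf copr disable -y pgdev/ghostty` and `dnf copr disable -y codifryed/CoolerControl`. `systemctl enable coolercontrold` also turns on a system service from one of those repos at boot; it presumably runs privileged to reach hardware sensors, so confirm that is intended and say so in the `# Setup watercooling` comment.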
@@ -6,17 +6,17 @@ set -e cd "$(dirname "$0")" DATE_TAG=$(date "+%Y%m%d-%H%M%S") -CURRENT_IMAGE_ID=$(sudo podman images --format "{{.ID}}" cremin.dev/jonathan/ublue-silverblue-main:42) +CURRENT_IMAGE_ID=$(podman images --format "{{.ID}}" cremin.dev/jonathan/ublue-silverblue-nvidia:42) echo "Pulling base image" # ensure the base image is up to date -sudo -E podman pull ghcr.io/ublue-os/silverblue-main:42 +podman pull ghcr.io/ublue-os/silverblue-nvidia:42 echo "Starting build" -sudo -E podman build -t cremin.dev/jonathan/ublue-silverblue-main:42 . +podman build -t cremin.dev/jonathan/ublue-silverblue-nvidia:42 . -NEW_IMAGE_ID=$(sudo podman images --format "{{.ID}}" cremin.dev/jonathan/ublue-silverblue-main:42) +NEW_IMAGE_ID=$(podman images --format "{{.ID}}" cremin.dev/jonathan/ublue-silverblue-nvidia:42) # Start build and check if any layers were changed (looking for "Using cache" messages) 
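Review bot: The `podman pull ghcr.io/ublue-os/silverblue-nvidia:42` line fetches the base by a mutable tag, and `podman build` then builds on it without checking or recording what was fetched. Whatever the registry serves under that tag at build time becomes the root of the image that is pushed. If upstream publishes signatures, enforce them for that registry path (for example through the containers `policy.json`) before building. At minimum, log the resolved digest next to `DATE_TAG` so a pushed tag can be traced to its base, e.g. `podman image inspect --format '{{.Digest}}' ghcr.io/ublue-os/silverblue-nvidia:42`. The script begins before this hunk, so only the changed commands are covered here.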
@@ -25,9 +25,9 @@ if [ "$CURRENT_IMAGE_ID" = "$NEW_IMAGE_ID" ]; then else echo "Image updated, pushing to registry" # Add the tags - sudo -E podman tag cremin.dev/jonathan/ublue-silverblue-main:42 cremin.dev/jonathan/ublue-silverblue-main:42-${DATE_TAG} cremin.dev/jonathan/ublue-silverblue-main:latest + podman tag cremin.dev/jonathan/ublue-silverblue-nvidia:42 cremin.dev/jonathan/ublue-silverblue-nvidia:42-${DATE_TAG} cremin.dev/jonathan/ublue-silverblue-nvidia:latest # Push the image - sudo -E podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-main:42-${DATE_TAG} - sudo -E podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-main:42 - sudo -E podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-main:latest + podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-nvidia:42-${DATE_TAG} + podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-nvidia:42 + podman push --authfile ~/.config/containers/auth.json cremin.dev/jonathan/ublue-silverblue-nvidia:latest fi \ No newline at end of file diff --git a/workstation-nvidia/scripts/1password.sh b/workstation-nvidia/scripts/1password.sh new file mode 100755 index 0000000..765ea8e --- /dev/null +++ b/workstation-nvidia/scripts/1password.sh 
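Review bot: The three `podman push` calls in the `else` branch publish `:42` and `:latest` unsigned. Those are mutable tags that a host tracking this image would presumably follow, so such a host cannot distinguish an image built by this script from anything else written to the tag with the same registry credentials. Consider signing at push time, e.g. `podman push --sign-by-sigstore-private-key <KEY_PATH> --authfile ~/.config/containers/auth.json …`, and add a comment above the pushes naming which tag consumers are expected to pin. The `if` that this branch belongs to opens outside the hunk.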
@@ -0,0 +1,76 @@ +#!/usr/bin/env sh + +# Thanks to bri for the inspiration! My script is mostly based on this example: +# https://github.com/briorg/bluefin/blob/c62c30a04d42fd959ea770722c6b51216b4ec45b/scripts/1password.sh + +set -ouex pipefail + +echo "Installing 1Password" + +# On libostree systems, /opt is a symlink to /var/opt, +# which actually only exists on the live system. /var is +# a separate mutable, stateful FS that's overlaid onto +# the ostree rootfs. Therefore we need to install it into +# /usr/lib/1Password instead, and dynamically create a +# symbolic link /opt/1Password => /usr/lib/1Password upon +# boot. + +# Prepare staging directory +mkdir -p /var/opt # -p just in case it exists +# for some reason... + +# Setup repo +cat << EOF > /etc/yum.repos.d/1password.repo +[1password] +name=1Password Stable Channel +baseurl=https://downloads.1password.com/linux/rpm/stable/\$basearch +enabled=1 +gpgcheck=1 +repo_gpgcheck=1 +gpgkey=https://downloads.1password.com/linux/keys/1password.asc +EOF + +# Import signing key +rpm --import https://downloads.1password.com/linux/keys/1password.asc + +# Prepare 1Password groups +# Normally, when after dnf installs the 1password RPM, an +# 'after-install.sh' script runs to cofigure several things, including +# the creation of a group. Under rpm-ostree, this didn't work quite as +# expected, thus several steps were done to hack around and fix things. +# Now with dnf5, there is a problem where 'after-install.sh' creates +# groups which conflict with default user's GID. This now pre-creates +# the groups, rather than fixing after RPM installation. + +# I hardcode GIDs and cross fingers that nothing else steps on them. +# These numbers _should_ be okay under normal use, but +# if there's a more specific range that I should use here +# please submit a PR! + +# Specifically, GID must be > 1000, and absolutely must not +# conflict with any real groups on the deployed system. 
+# Normal user group GIDs on Fedora are sequential starting +# at 1000, so let's skip ahead and set to something higher. +GID_ONEPASSWORD="1790" +GID_ONEPASSWORDCLI="1791" +groupadd -g ${GID_ONEPASSWORD} onepassword +groupadd -g ${GID_ONEPASSWORDCLI} onepassword-cli + +# Now let's install the packages. +dnf5 install -y 1password 1password-cli + +# This places the 1Password contents in an image safe location +mv /var/opt/1Password /usr/lib/1Password # move this over here + +# Register path symlink +# We do this via tmpfiles.d so that it is created by the live system. +cat >/usr/lib/tmpfiles.d/onepassword.conf <