Define tree for pitti's workstation

Also add helper script for running the ostree build.

2015-RH-IT-Root-CA.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIJANunI0D662cnMA0GCSqGSIb3DQEBCwUAMIGlMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xEzARBgNVBAsMClJlZCBIYXQgSVQx
+GzAZBgNVBAMMElJlZCBIYXQgSVQgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5m
+b3NlY0ByZWRoYXQuY29tMCAXDTE1MDcwNjE3MzgxMVoYDzIwNTUwNjI2MTczODEx
+WjCBpTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYD
+VQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApS
+ZWQgSGF0IElUMRswGQYDVQQDDBJSZWQgSGF0IElUIFJvb3QgQ0ExITAfBgkqhkiG
+9w0BCQEWEmluZm9zZWNAcmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALQt9OJQh6GC5LT1g80qNh0u50BQ4sZ/yZ8aETxt+5lnPVX6MHKz
+bfwI6nO1aMG6j9bSw+6UUyPBHP796+FT/pTS+K0wsDV7c9XvHoxJBJJU38cdLkI2
+c/i7lDqTfTcfLL2nyUBd2fQDk1B0fxrskhGIIZ3ifP1Ps4ltTkv8hRSob3VtNqSo
+GxkKfvD2PKjTPxDPWYyruy9irLZioMffi3i/gCut0ZWtAyO3MVH5qWF/enKwgPES
+X9po+TdCvRB/RUObBaM761EcrLSM1GqHNueSfqnho3AjLQ6dBnPWlo638Zm1VebK
+BELyhkLWMSFkKwDmne0jQ02Y4g075vCKvCsCAwEAAaNjMGEwHQYDVR0OBBYEFH7R
+4yC+UehIIPeuL8Zqw3PzbgcZMB8GA1UdIwQYMBaAFH7R4yC+UehIIPeuL8Zqw3Pz
+bgcZMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
+CwUAA4IBAQBDNvD2Vm9sA5A9AlOJR8+en5Xz9hXcxJB5phxcZQ8jFoG04Vshvd0e
+LEnUrMcfFgIZ4njMKTQCM4ZFUPAieyLx4f52HuDopp3e5JyIMfW+KFcNIpKwCsak
+oSoKtIUOsUJK7qBVZxcrIyeQV2qcYOeZhtS5wBqIwOAhFwlCET7Ze58QHmS48slj
+S9K0JAcps2xdnGu0fkzhSQxY8GPQNFTlr6rYld5+ID/hHeS76gq0YG3q6RLWRkHf
+4eTkRjivAlExrFzKcljC4axKQlnOvVAzz+Gm32U0xPBF4ByePVxCJUHw1TsyTmel
+RxNEp7yHoXcwn+fXna+t5JWh1gxUZty3
+-----END CERTIFICATE-----

README.md

@@ -1,75 +1,29 @@
-# Manifests for rpm-ostree based Fedora variants
+Martin Pitt's desktop
+=====================
 
-This is the configuration needed to create
+This is an [rpm-ostree](https://coreos.github.io/rpm-ostree/) based minimal
-[rpm-ostree](https://coreos.github.io/rpm-ostree/) based variants of Fedora.
+[Fedora](https://getfedora.org/) developer desktop with the [sway window manager](https://swaywm.org/) and [podman](https://podman.io/)/[toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) for doing development and running less common graphical applications.
-Each variant is described in a YAML
-[treefile](https://coreos.github.io/rpm-ostree/treefile/) which is then used by
-rpm-ostree to compose an ostree commit with the package requested.
 
-In the Fedora infrastructure, this happens via
+It gets [automatically built](.github/workflows/build.yml) every week and [published to my server](https://piware.de/ostree/pitti-workstation/).
-[pungi](https://pagure.io/pungi-fedora) with
-[Lorax](https://github.com/weldr/lorax)
-([templates](https://pagure.io/fedora-lorax-templates)).
 
-## Fedora Silverblue
+To use it from an existing OSTree based system like [Fedora CoreOS](https://getfedora.org/coreos) or [Fedora Silverblue](https://docs.fedoraproject.org/en-US/fedora-silverblue/), add my server URL as new remote and rebase your tree to it:
 
-- Website: https://silverblue.fedoraproject.org/ ([sources](https://github.com/fedora-silverblue/silverblue-site))
+```sh
-- Documentation: https://docs.fedoraproject.org/en-US/fedora-silverblue/ ([sources](https://github.com/fedora-silverblue/silverblue-docs))
+sudo ostree remote add --no-gpg-verify piware https://piware.de/ostree/pitti-workstation/
-- Issue tracker: https://github.com/fedora-silverblue/issue-tracker/issues
+sudo rpm-ostree rebase piware:pitti-desktop
-
-## Fedora Kinoite
-
-- Website: https://kinoite.fedoraproject.org/ ([sources](https://pagure.io/fedora-kde/kinoite-site))
-- Documentation: https://docs.fedoraproject.org/en-US/fedora-kinoite/ ([sources](https://pagure.io/fedora-kde/kinoite-docs))
-- Issue tracker: https://pagure.io/fedora-kde/SIG/issues
-
-## Building
-
-Instructions to perform a local build of Silverblue:
-
-```
-# Clone the config
-git clone https://pagure.io/workstation-ostree-config && cd workstation-ostree-config
-
-# Prepare repo & cache
-mkdir -p repo cache && ostree --repo=repo init --mode=archive
-
-# Build (compose) the variant of your choice
-sudo rpm-ostree compose tree --repo=repo --cachedir=cache fedora-silverblue.yaml
-
-# Update summary file
-ostree summary --repo=repo --update
 ```
 
-## Testing
+After that, you can install weekly updates with
-
-Instructions to test the resulting build:
-
-- First, serve the ostree repo using an HTTP server.
-- Then, on an already installed Silverblue system:
 
 ```
-# Add an ostree remote
+sudo rpm-ostree upgrade
-sudo ostree remote add testremote http://<IP_ADDRESS>/repo
-
-# Pin the currently deployed (and probably working) version
-sudo ostree admin pin 0
-
-# List refs from variant remote
-sudo ostree remote refs testremote
-
-# Switch to your variant
-sudo rpm-ostree rebase testremote:fedora/35/x86_64/silverblue
 ```
 
-## Historical references
+If anything goes wrong, you can go back to the previous version with `sudo rpm-ostree rollback`.
 
-Building and testing instructions:
 
-- https://dustymabe.com/2017/10/05/setting-up-an-atomic-host-build-server/
+Original README for [workstation-ostree-config](https://pagure.io/workstation-ostree-config)
-- https://dustymabe.com/2017/08/08/how-do-we-create-ostree-repos-and-artifacts-in-fedora/
+=============================================
-- https://www.projectatomic.io/blog/2017/12/compose-custom-ostree/
-- https://www.projectatomic.io/docs/compose-your-own-tree/
 
 For some background, see:
 

compose.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -eu
+CACHE=/var/cache/ostree
+REPO=/var/tmp/repo
+
+mkdir -p $CACHE
+
+if [ ! -d $REPO/objects ]; then
+    ostree --repo=$REPO init --mode=archive-z2
+fi
+
+rpm-ostree compose tree --unified-core --cachedir=$CACHE --repo=$REPO pitti-desktop.yaml

fedora-34-updates.repo

@@ -4,3 +4,10 @@ mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f34&
 enabled=0
 gpgcheck=1
 metadata_expire=1d
+
+[fedora-34-updates-testing]
+name=Fedora 34 $basearch Updates
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f34&arch=$basearch
+enabled=0
+gpgcheck=1
+metadata_expire=1d

fedora-common-ostree.yaml

@@ -3,8 +3,6 @@ ref: fedora/34/${basearch}/ostree-base
 automatic_version_prefix: "36"
 mutate-os-release: "36"
 
-include: fedora-common-ostree-pkgs.yaml
-
 packages:
   - git-core
   - rpm-ostree

pitti-desktop.yaml

@@ -0,0 +1,142 @@
+include: fedora-common-ostree.yaml
+
+ref: pitti-desktop
+rojig:
+  name: pitti-desktop
+  summary: "Pitti Desktop"
+  license: MIT
+
+repos:
+  - fedora-34
+  - fedora-34-updates
+  - fedora-34-updates-testing
+  - rpmfusion-free
+  - rpmfusion-free-updates
+
+packages:
+# hardware/drivers
+  - kernel
+  - kernel-modules-extra
+  - iwl6000g2a-firmware
+  - iwl7260-firmware
+  - alsa-sof-firmware
+  - NetworkManager-wifi
+  - NetworkManager-openvpn-gnome
+  - sane-backends
+  - sane-backends-drivers-scanners
+  - powertop
+  - iwd
+  - udisks2-lvm2
+  - opensc
+# basic system
+  - acl
+  - attr
+  - basesystem
+  - cryptsetup
+  - dnsmasq
+  - fedora-workstation-backgrounds
+  - filesystem
+  - glibc-langpack-de
+  - glibc-langpack-en
+  - hostname
+  - iproute
+  - kbd
+  - nss-altfiles
+  - pciutils
+  - sudo
+  - usbutils
+# shell tools and development
+  - bc
+  - gnupg2
+  - fpaste
+  - lsof
+  - man-db
+  - mtr
+  - tree
+  - bzip2
+  - zip
+  - unzip
+  - vim-enhanced
+  - ranger
+  - bash-completion
+  - fish
+  - qemu-system-x86-core
+  - qemu-ui-sdl
+  - qemu-img
+  - openvpn
+  - mutt
+  - nmap-ncat
+  - isync
+  - weechat
+  - duplicity
+  - openssh-server
+  - systemd-container
+  - git
+  - patchutils
+  - make
+  - strace
+  - wget
+  - w3m
+  - cockpit-system
+  - cockpit-ws
+  - syncthing
+  - krb5-workstation
+
+# desktop plumbing/apps
+  - dejavu-sans-fonts
+  - dejavu-serif-fonts
+  - dejavu-sans-mono-fonts
+  - fontawesome-fonts
+  - google-noto-emoji-color-fonts
+
+  - gvfs-mtp
+  - pulseaudio-utils
+  - alsa-plugins-pulseaudio
+  - gstreamer1-plugins-good
+  - gstreamer1-plugins-ugly
+  - gstreamer1-libav
+  # for wf-recorder
+  - libavdevice
+
+  - pavucontrol
+  - pcmanfm
+  - simple-scan
+  - nm-connection-editor
+  - eog
+  - evince
+  - rhythmbox
+  - gnome-keyring
+  - pinentry-gnome3
+  - lxpolkit
+  - lxterminal
+  - gnome-disk-utility
+  - gtimelog
+
+# sway/wayland desktop
+  - sway
+  - swayidle
+  - swaylock
+  - kanshi
+  - mako
+  - waybar
+  - slurp
+  - grim
+  - xorg-x11-server-Xwayland
+  - firefox-wayland
+  - wofi
+  - brightnessctl
+  - wl-clipboard
+
+exclude-packages:
+  # recommended by sway
+  - alacritty
+  - brltty
+  - glibc-all-langpacks
+  - xdg-desktop-portal-wlr
+  # recommended by gtimelog
+  - yelp
+
+add-files:
+  - ["2015-RH-IT-Root-CA.pem", "/etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem"]
+
+postprocess-script: pitti-post.sh

pitti-post.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+# Enable SysRQ
+echo 'kernel.sysrq = 1' > /usr/lib/sysctl.d/90-sysrq.conf
+
+# power saving
+echo 'blacklist e1000e' > /usr/lib/modprobe.d/blacklist-local.conf
+
+# NetworkManager config
+cat <<EOF > /usr/lib/NetworkManager/conf.d/local.conf
+[main]
+plugins=
+
+[device]
+wifi.backend=iwd
+EOF
+ln -sfn ../iwd.service /usr/lib/systemd/system/multi-user.target.wants/iwd.service
+ln -sfn /run/NetworkManager/resolv.conf /etc/resolv.conf
+
+# enable other units
+mkdir -p /usr/lib/systemd/system/getty.target.wants
+ln -s ../getty@.service /usr/lib/systemd/system/getty.target.wants/getty@tty1.service
+ln -s ../systemd-timesyncd.service /usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+ln -s ../cockpit.socket /usr/lib/systemd/system/sockets.target.wants/cockpit.socket
+ln -s ../sshd.socket /usr/lib/systemd/system/sockets.target.wants/sshd.socket
+
+# disable unwanted services
+ln -sfn /dev/null /usr/lib/systemd/user/at-spi-dbus-bus.service
+
+# move OS systemd unit defaults to /usr
+cp -a --verbose /etc/systemd/system /etc/systemd/user /usr/lib/systemd/
+rm -r /etc/systemd/system /etc/systemd/user
+
+# avoid LVM spew in /etc
+sed -i 's/backup = 1/backup = 0/; s/archive = 1/archive = 0/' /etc/lvm/lvm.conf
+
+# update for Red Hat certificate
+ln -s /etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.pem /etc/pki/tls/certs/2015-RH-IT-Root-CA.pem
+update-ca-trust

rpmfusion.repo

@@ -0,0 +1,18 @@
+[rpmfusion-free]
+name=RPM Fusion for Fedora $releasever - Free
+#baseurl=http://download1.rpmfusion.org/free/fedora/releases/$releasever/Everything/$basearch/os/
+metalink=https://mirrors.rpmfusion.org/metalink?repo=free-fedora-34&arch=$basearch
+enabled=1
+metadata_expire=14d
+type=rpm-md
+gpgcheck=0
+
+[rpmfusion-free-updates]
+name=RPM Fusion for Fedora $releasever - Free - Updates
+#baseurl=http://download1.rpmfusion.org/free/fedora/updates/$releasever/$basearch/
+metalink=https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-34&arch=$basearch
+enabled=1
+enabled_metadata=1
+type=rpm-md
+gpgcheck=0
+repo_gpgcheck=0