Miscellaneous tweaks that I don't plan to upstream

             @@ -10,3 +10,6 @@    10     10[*.conf]    11     11indent_style = space    12     12indent_size = 4           13           14[mkosi.passphrase]           15insert_final_newline = false

             @@ -15,7 +15,7 @@    15     15image.    16     16    17     17The ParticleOS image is built using [mkosi](https://github.com/systemd/mkosi).    18       You will need to install the current main branch of mkosi to build current            18You will need to install the current main branch of mkosi to build current    19     19ParticleOS images.    20     20    21     21First, configure the variant you'd like to build in `mkosi.local.conf`. For a

             @@ -5,6 +5,7 @@     5      5     6      6[Build]     7      7ToolsTree=default            8ToolsTreeProfiles=misc,runtime,gui     8      9History=yes     9     10CacheDirectory=mkosi.cache    10     11Incremental=yes             @@ -106,7 +107,6 @@   106    107RAM=4G   107    108CPUs=4   108    109Ephemeral=yes   109       RuntimeScratch=no   110    110Credentials=   111    111        passwd.plaintext-password.root=particleos   112    112        tty.serial.hvc0.agetty.autologin=particleos

             @@ -0,0 +1,13 @@            1rebuild:            2  steps:            3    - trigger_services:            4        project: system:systemd            5        package: particleos-debian            6    - trigger_services:            7        project: system:systemd            8        package: particleos-fedora            9  filters:           10    event: push           11    branches:           12      only:           13        - obs

             @@ -0,0 +1,9 @@            1#!/bin/bash            2# SPDX-License-Identifier: LGPL-2.1-or-later            3set -e            4            5# Debian/Ubuntu PAM patches break /usr/lib/pam.d/ so copy to factory            6# TODO: drop after https://salsa.debian.org/vorlon/pam/-/merge_requests/26 is merged            7if [[ -f /usr/lib/tmpfiles.d/debian.conf ]]; then            8    sed -i '/\/etc\/pam.d/d' /usr/lib/tmpfiles.d/debian.conf            9fi

             @@ -10,6 +10,9 @@    10     10Packages=    11     11        bash-color-prompt    12     12        bpftool           13        # cryptsetup luksAddKey --token-type systemd-tpm2 /dev/<device> fails           14        # for me otherwise           15        cracklib-dicts    13     16        cryptsetup    14     17        distribution-gpg-keys    15     18        dnf5

             @@ -2,6 +2,7 @@     2      2     3      3[Content]     4      4Packages=            5        bluez     5      6        bolt     6      7        desktop-file-utils     7      8        pax-utils             @@ -8,6 +9,7 @@     8      9        pgpdump     9     10        pipewire    10     11        pipewire-alsa           12        qemu-guest-agent    11     13        wireless-regdb    12     14        xdg-desktop-portal    13     15

             @@ -0,0 +1,9 @@            1# SPDX-License-Identifier: LGPL-2.1-or-later            2            3[systemd]            4name=systemd packages built from upstream main (Fedora_Rawhide)            5type=rpm-md            6baseurl=https://download.opensuse.org/repositories/system:/systemd/Fedora_Rawhide/            7gpgcheck=1            8gpgkey=file:///usr/share/pki/rpm-gpg/systemd.gpg            9enabled=1

             @@ -1,9 +0,0 @@     1       # SPDX-License-Identifier: LGPL-2.1-or-later     2            3       [systemd]     4       name=systemd packages built from upstream main (Fedora_42)     5       type=rpm-md     6       baseurl=https://download.opensuse.org/repositories/system:/systemd/Fedora_42/     7       gpgcheck=1     8       gpgkey=file:///usr/share/pki/rpm-gpg/systemd.gpg     9       enabled=1

             @@ -1,9 +0,0 @@     1       # SPDX-License-Identifier: LGPL-2.1-or-later     2            3       [systemd]     4       name=systemd packages built from upstream main (Fedora_Rawhide)     5       type=rpm-md     6       baseurl=https://download.opensuse.org/repositories/system:/systemd/Fedora_Rawhide/     7       gpgcheck=1     8       gpgkey=file:///usr/share/pki/rpm-gpg/systemd.gpg     9       enabled=1

             @@ -6,4 +6,4 @@     6      6     7      7[Build]     8      8ToolsTreeSandboxTrees=systemd.gpg:/usr/share/pki/rpm-gpg/systemd.gpg     9                             fedora43.repo:/etc/yum.repos.d/systemd.repo            9                      fedora.repo:/etc/yum.repos.d/systemd.repo

             @@ -2,7 +2,8 @@     2      2     3      3[Match]     4      4Distribution=fedora            5Release=rawhide     5      6     6      7[Build]     7      8SandboxTrees=systemd.gpg:/usr/share/pki/rpm-gpg/systemd.gpg     8                    fedora%r.repo:/etc/yum.repos.d/systemd.repo            9             fedora.repo:/etc/yum.repos.d/systemd.repo

             @@ -3,6 +3,7 @@     3      3# This overrides the same file from systemd since we want to symlink everything     4      4# into /etc instead of copying so updates to /usr propagate properly.     5      5L /etc/os-release - - - - ../usr/lib/os-release            6L /etc/mkosi-manifest - - - - ../usr/lib/mkosi-manifest     6      7L+ /etc/mtab - - - - ../proc/self/mounts     7      8# Contains the default systemd locale     8      9L /etc/locale.conf             @@ -15,6 +16,9 @@    15     16L? /etc/bashrc    16     17L? /etc/bash.bashrc    17     18L? /etc/bash.bash_logout           19# TODO: drop once https://github.com/scop/bash-completion/pull/1399 is merged,           20# needed for shell completion of sd-run/run0           21L? /etc/bash_completion.d    18     22# Canonical location to look for certificates    19     23L? /etc/ca-certificates    20     24L? /etc/crypto-policies             @@ -45,6 +49,8 @@    45     49L? /etc/tuned    46     50# Required by gdm    47     51L? /etc/gdm           52# Required by sdm           53L? /etc/sddm    48     54# Required by geoclue    49     55L? /etc/geoclue    50     56# Required by fwupd             @@ -51,12 +57,25 @@    51     57L /etc/fwupd    52     58# Required by gnome    53     59L? /etc/dconf    54       # Required by a bunch of binary symlinks in fedora           60L? /etc/skel           61# CUPS is pulled in by GNOME, and fails if the configs are not there           62L? /etc/cups           63# On some distributions various binaries in /usr/bin are managed via           64# /etc/alternatives.    55     65L? /etc/alternatives           66# PackageKit does not run without /etc/PackageKit/ and GNOME stalls           67# logout/reboot if it doesn't run.           68L? /etc/PackageKit           69# ModemManager needds its dbus policy file           70L? /etc/dbus1/systemd.d/org.freedesktop.ModemManager1.conf           71# man fails without this in /etc/           72L? /etc/manpath.config    56     73# Required by man-db-cache-update.service    57     74L? /etc/sysconfig/man-db    58       # sddm breaks otherwise, at least with homed?    59       L? /etc/sddm           75# some programs still rely on logrotate           76L? /etc/logrotate.conf           77L? /etc/logrotate.d           78    60     79    61     80## custom    62     81C /etc/opensnitchd             @@ -77,5 +96,12 @@    77     96# cups    78     97L? /etc/cups    79     98           99# firejail          100L? /etc/firejail          101L? /etc/login.defs          102          103# OpenCL          104L? /etc/OpenCL          105    80    106# abrtd    81    107L? /etc/libreport

             @@ -7,9 +7,7 @@     7      7Packages=     8      8        gnome-browser-connector     9      9        gnome-core    10               # TODO: enable when it integrates with homed    11               # gnome-initial-setup           10        gnome-initial-setup    12     11        gnome-keyring-pkcs11    13               gnome-session-xsession    14     12        gnome-software-plugin-flatpak    15     13        gnome-software-plugin-fwupd

             @@ -5,4 +5,8 @@     5      5     6      6[Content]     7      7Packages=            8        adwaita-fonts-all     8      9        gdm           10        rsms-inter-fonts           11        rsms-inter-vf-fonts           12        default-fonts-core-emoji

             @@ -40,3 +40,8 @@    40     40    41     41# Maybe man db    42     42enable man-db-cache-update.service           43           44# Fedora 43 introduces a new authselect service in place of package scriptlets.           45# It fails and (I believe) shouldn't be needed           46# https://bugzilla.redhat.com/show_bug.cgi?id=2397255           47disable authselect-apply-changes.service

             @@ -0,0 +1,13 @@            1# SPDX-License-Identifier: LGPL-2.1-or-later            2            3[TriggerMatch]            4Distribution=debian            5Release=trixie            6            7[TriggerMatch]            8Distribution=ubuntu            9Release=|oracular           10Release=|plucky           11           12[Content]           13Packages=gnome-session-xsession

             @@ -0,0 +1,2 @@            1SELINUX=permissive            2SELINUXTYPE=targeted

             @@ -0,0 +1,60 @@            1# Authors: Jason Tang <jtang@tresys.com>            2#            3# Copyright (C) 2004-2005 Tresys Technology, LLC            4#            5#  This library is free software; you can redistribute it and/or            6#  modify it under the terms of the GNU Lesser General Public            7#  License as published by the Free Software Foundation; either            8#  version 2.1 of the License, or (at your option) any later version.            9#           10#  This library is distributed in the hope that it will be useful,           11#  but WITHOUT ANY WARRANTY; without even the implied warranty of           12#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU           13#  Lesser General Public License for more details.           14#           15#  You should have received a copy of the GNU Lesser General Public           16#  License along with this library; if not, write to the Free Software           17#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA           18#           19# Specify how libsemanage will interact with a SELinux policy manager.           20# The four options are:           21#           22#  "source"     - libsemanage manipulates a source SELinux policy           23#  "direct"     - libsemanage will write directly to a module store.           24#  /foo/bar     - Write by way of a policy management server, whose           25#                 named socket is at /foo/bar.  The path must begin           26#                 with a '/'.           27#  foo.com:4242 - Establish a TCP connection to a remote policy           28#                 management server at foo.com.  If there is a colon           29#                 then the remainder is interpreted as a port number;           30#                 otherwise default to port 4242.           31module-store = direct           32           33# When generating the final linked and expanded policy, by default           34# semanage will set the policy version to POLICYDB_VERSION_MAX, as           35# given in <sepol/policydb.h>.  Change this setting if a different           36# version is necessary.           37#policy-version = 19           38           39# expand-check check neverallow rules when executing all semanage           40# commands. There might be a penalty in execution time if this           41# option is enabled.           42expand-check=0           43           44# usepasswd check tells semanage to scan all pass word records for home directories           45# and setup the labeling correctly. If this is turned off, SELinux will label only /home           46# and home directories of users with SELinux login mappings defined, see           47# semanage login -l for the list of such users.           48# If you want to use a different home directory, you will need to use semanage fcontext command.           49# For example, if you had home dirs in /althome directory you would have to execute           50# semanage fcontext -a -e /home /althome           51usepasswd=False           52bzip-small=true           53bzip-blocksize=5           54ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var           55optimize-policy=true           56           57[sefcontext_compile]           58path = /usr/sbin/sefcontext_compile           59args = -r $@           60[end]

             @@ -1,4 +0,0 @@     1       # apt gets pulled in, but with /usr read-only doesn't make sense to run updates     2       disable apt-daily.timer     3       disable apt-daily-upgrade.timer     4       disable apt-listchanges.timer

             @@ -9,20 +9,6 @@     9      9# On Debian/Ubuntu the nftable service fails if this config is not present    10     10L? /etc/nftables.conf    11     11    12       # Very basic stuff like awk and which is managed through alternatives    13       L? /etc/alternatives    14           15       # CUPS is pulled in by GNOME, and fails if the configs are not there    16       L? /etc/cups    17           18       # Needed to create users by GNOME's GUI    19       L? /etc/skel    20     12# These can be dropped once https://bugs.debian.org/1108017 is fixed    21     13L? /etc/adduser.conf    22     14L? /etc/deluser.conf    23           24       # PackageKit does not run without /etc/PackageKit/ and GNOME stalls logout/reboot if it doesn't run    25       L? /etc/PackageKit    26           27       # TODO: drop once https://github.com/scop/bash-completion/pull/1399 is merged, needed for shell completion of sd-run/run0    28       L? /etc/bash_completion.d

             @@ -0,0 +1,3 @@            1title Debian 13 ParticleOS Current from OBS (Network Boot)            2architecture x64            3uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/debian_13_images/ParticleOS_x86-64.efi

             @@ -1,3 +0,0 @@     1       title Debian Testing ParticleOS Current from OBS (Network Boot)     2       architecture x64     3       uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/Debian_Testing_images/ParticleOS-x86-64.efi

             @@ -0,0 +1,3 @@            1title Debian Testing ParticleOS Current from OBS (Network Boot)            2architecture x64            3uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/debian_14_images/ParticleOS_x86-64.efi

             @@ -1,3 +0,0 @@     1       title Fedora 41 ParticleOS Current from OBS (Network Boot)     2       architecture x64     3       uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/Fedora_41_images/ParticleOS-x86-64.efi

             @@ -0,0 +1,3 @@            1title Fedora 42 ParticleOS Current from OBS (Network Boot)            2architecture x64            3uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/fedora_42_images/ParticleOS_x86-64.efi

             @@ -1,3 +1,3 @@     1      1title Fedora Rawhide ParticleOS Current from OBS (Network Boot)     2      2architecture x64     3       uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/Fedora_Rawhide_images/ParticleOS-x86-64.efi            3uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/fedora_44_images/ParticleOS_x86-64.efi

             @@ -0,0 +1,3 @@            1L? /etc/selinux/targeted            2C /etc/selinux/config          -    -    -     -   /usr/share/factory/etc/selinux/config            3C /etc/selinux/semanage.conf   -    -    -     -   /usr/share/factory/etc/selinux/semanage.conf

             @@ -0,0 +1,4 @@            1# apt gets pulled in, but with /usr read-only doesn't make sense to run updates            2disable apt-daily.timer            3disable apt-daily-upgrade.timer            4disable apt-listchanges.timer

             @@ -0,0 +1,14 @@            1# SPDX-License-Identifier: LGPL-2.1-or-later            2# TODO: drop once https://gitlab.freedesktop.org/accountsservice/accountsservice/-/issues/89 is fixed            3            4[Unit]            5Description=Tell the accounts service about homed users            6After=systemd-homed.service accounts-daemon.service            7Before=systemd-user-sessions.service            8            9[Service]           10Type=oneshot           11ExecStart=/bin/bash -c "for n in $$(busctl call org.freedesktop.home1 /org/freedesktop/home1 org.freedesktop.home1.Manager ListHomes --json=pretty | jq -r '.data.[].[].[0]'); do busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s $$n; done"           12           13[Install]           14WantedBy=multi-user.target