My customized ParticleOS configuration

             @@ -1,6 +1,4 @@     1      1# SPDX-License-Identifier: LGPL-2.1-or-later     2       mkosi.local/     3       mkosi.local.conf     4      2mkosi.output/     5      3mkosi.cache/     6      4mkosi.tools/             @@ -10,6 +8,5 @@    10      8mkosi.version    11      9.mkosi-private    12     10mkosi.packages/    13       keys/    14     11mkosi.profiles/custom/mkosi.extra/usr/local/bin/    15     12versions/

             @@ -1,1 +1,1 @@     1       systemd/**            1/systemd/**

             @@ -1,160 +1,55 @@     1      1# ParticleOS     2      2     3       ParticleOS is a fully customizable immutable distribution implementing the     4       concepts described in     5       [Fitting Everything Together](https://0pointer.net/blog/fitting-everything-together.html).     6            7       Note that ParticleOS is still in development, and we don't provide any backwards     8       compatibility guarantees at all.     9           10       The crucial difference that makes ParticleOS unique compared to other immutable    11       distributions is that users build the ParticleOS image themselves and sign it    12       with their own keys instead of installing vendor signed images. This allows    13       configuring the image to your liking by having full control over which    14       distribution is used as the base and which packages are installed into the    15       image.    16           17       The ParticleOS image is built using [mkosi](https://github.com/systemd/mkosi).    18       You will need to install the current main branch of mkosi to build current    19       ParticleOS images.    20           21       First, configure the variant you'd like to build in `mkosi.local.conf`. For a    22       desktop system, you'll want the `desktop` profile and either the `gnome` or the    23       `kde` profile.    24           25       ```conf    26       [Distribution]    27       Distribution=arch    28           29       [Config]    30       Profiles=desktop,kde    31       ```    32           33       To build the image, run `mkosi -B -f` from the ParticleOS repository. Currently    34       `arch`, `fedora` and `debian` are supported distributions. Implementing support for a    35       new distribution (that's already supported in mkosi) is as simple as writing the    36       necessary config files to install the required packages for that distribution.    37           38       To update the system after installation, you clone the ParticleOS repository    39       or your fork of it, make sure `mkosi.local.conf` is configured to your liking and    40       run `mkosi -B -ff sysupdate -- update --reboot` which will update the system using    41       `systemd-sysupdate` and then reboot.    42           43       ## Using the OBS profile to fetch a newer systemd    44           45       Sometimes ParticleOS adopts systemd features as soon as they get merged into    46       systemd without waiting for an official release. That's why we recommend    47       enabling the `obs` profile to enable the systemd repositories on OBS    48       (https://software.opensuse.org//download.html?project=system%3Asystemd&package=systemd)    49       containing systemd packages which are built every day from systemd's git main    50       branch.    51           52       To enable the `obs` profile, add the following to `mkosi.local.conf`:    53           54       ```conf    55       [Config]    56       Profiles=obs    57       ```    58           59       ## Building systemd from source    60           61       As an alternative to using the `obs` profile, you can build systemd from source:    62           63       ```sh    64       git clone https://github.com/systemd/systemd    65       cd systemd    66       mkosi -f sandbox -- meson setup build    67       mkosi -f sandbox -- meson compile -C build    68       mkosi -t none -f    69       ```    70           71       Then write the following to `mkosi.local.conf` in the ParticleOS repository to    72       use the artifacts from the systemd repository built by mkosi in ParticleOS:    73           74       ```conf    75       [Content]    76       VolatilePackageDirectories=../systemd/build/mkosi.builddir/<distribution>~<release>~<arch>    77           78       [Build]    79       ExtraSearchPaths=../systemd/build    80       ```    81           82       Make sure the distribution and release in `mkosi.local.conf` are identical in the    83       systemd checkout and the particleos checkout.    84           85       To build a newer systemd, run `git pull` in the systemd repository followed by    86        `mkosi -f sandbox -- meson compile -C build` and `mkosi -t none`.    87           88       ## Signing keys    89           90       ParticleOS images are signed for Secure Boot with the user's keys. To generate a new key,    91       run `mkosi genkey`. The key must be stored safely, it will be required to sign updates.    92           93       The key can be stored in a smartcard. Then you have to set the key in `mkosi.local.conf`:    94           95       ```    96       [Validation]    97       SecureBootKey=pkcs11:object=Private key 1;type=private    98       SecureBootKeySource=provider:pkcs11    99       SignExpectedPcrKey=pkcs11:object=Private key 1;type=private   100       SignExpectedPcrKeySource=provider:pkcs11   101       VerityKey=pkcs11:object=Private key 1;type=private   102       VerityKeySource=provider:pkcs11   103       ```   104          105       ## Installation   106          107       Before installing ParticleOS, make sure that Secure Boot is in setup mode on the   108       target system. The Secure Boot mode can be configured in the UEFI firmware   109       interface of the target system. If there's an existing Linux installation on the   110       target system already, run `systemctl reboot --firmware-setup` to reboot into   111       the UEFI firmware interface. At the same time, make sure the UEFI firmware   112       interface is password protected so an attacker cannot just disable Secure Boot   113       again.   114          115       To install ParticleOS with a USB drive, first build the image on an existing   116       Linux system as described above. Then, burn it to the USB drive with   117       `mkosi burn /dev/<usb>`. Once burned to the USB drive, plug the USB drive into   118       the system onto which you'd like to install ParticleOS and boot into the USB   119       drive via the firmware. Then, boot into the "Installer" UKI profile. When you   120       end up in the root shell, run   121       `systemd-repart --dry-run=no --empty=force --defer-partitions=swap,root,home /dev/<drive>`   122       to install ParticleOS to the system's drive. Finally, reboot into the target   123       drive (not the USB) and the regular profile (not the installer one) to complete   124       the installation.   125          126       ## LUKS recovery key   127          128       systemd doesn't support adding a recovery key to a partition enrolled with a token   129       only (tpm/fido2). It is possible to use cryptenroll to add a recovery password   130       to the root partition: `cryptsetup luksAddKey --token-type systemd-tpm2 /dev/<id>`   131          132       ## Firmwares   133          134       Only firmwares that are dependencies of a kernel module are included, but some   135       modules don't declare their dependencies properly. Dependencies of a module can be   136       found with `modinfo`. If you experience missing firmwares, you should report   137       this to the module maintainer. `FirmwareInclude=` can be added in `mkosi.local.conf`   138       to include the firmware regardless of whether a module depends on it.   139          140       ## Configuring systemd-homed after installation   141          142       After installing ParticleOS and logging into your systemd-homed managed user,   143       run the following to configure systemd-homed for the best experience:   144          145       ```sh   146       homectl update \   147           --auto-resize-mode=off \   148           --disk-size=max \   149           --luks-discard=on"   150       ```   151          152       Disabling the auto resize mode avoids slow system boot and shutdown. Enabling   153       LUKS discard makes sure the home directory doesn't become inaccessible because   154       systemd-homed is unable to resize the home directory.   155          156       ## Default root password and user when booting in a virtual machine   157          158       If you boot ParticleOS in a virtual machine using `mkosi vm`, the root password   159       is automatically set to `particleos` and a default user `particleos` with password   160       `particleos` is created as well.            3[ParticleOS](https://github.com/systemd/particleos) is an extremely cool            4meta-distribution from the systemd project. It's my favorite thing in software            5since getting into IPv6. Concretely, it's a configuration for systemd's [`mkosi`            6tool](https://mkosi.systemd.io/) that you use to build your own ParticleOS            7images. As described in the readme:            8            9> ParticleOS is a fully customizable immutable distribution implementing the           10concepts described in [Fitting Everything           11Together](https://0pointer.net/blog/fitting-everything-together.html).           12           13Among other things, it has the following characteristics:           14           15- OS versions are delivered as immutable `/usr` partitions           16  - A/B partitions for worry-free upgrades and rollbacks           17  - Block-level integrity provided by           18    [dm-verity](https://wiki.archlinux.org/title/Dm-verity)           19  - Authenticity provided by a signature on the dm-verity data, with signing           20    done by your own keys           21- Is easily hacked on, just like traditional mutable OSes           22  - Essentially *is* a traditional OS (one of Arch, Debian, or Fedora), built           23    from regular distro packages           24  - Hacking on `/usr` is done at image build-time, rather than during OS runtime           25- Is signed with your own SecureBoot keys           26- LUKS-encrypted root partition with TPM-bound key for automatic unlocking           27- LUKS-encrypted home directory managed by           28  [`systemd-homed`](https://systemd.io/HOME_DIRECTORY/)           29           30This here is my own customized version/soft fork of ParticleOS. It's the Fedora           31variant.           32           33See [here](https://www.cgl.sh/blog/posts/particleos.html) for my blog post on           34ParticleOS and mkosi.           35           36## Notable files/directories           37           38- [makefile](makefile)—contains most important commands. `build` and           39  `sysupdate` targets are the main ones. is also responsible for downloading           40  miscellaneous unpackaged binaries.           41- [mkosi.local.conf](mkosi.local.conf)—the linchpin that holds the custom           42  configuration together.           43- [mkosi.profiles/custom](mkosi.profiles/custom)—the custom `mkosi` profile           44  where most of my customizations live.           45  - [mkosi.conf](mkosi.profiles/custom/mkosi.conf)—contains the           46    packages I want installed.           47  - [mkosi.extra](mkosi.profiles/custom/mkosi.extra)—additional files that           48    get included in the built images.           49           50## Other changes           51           52In addition to the above customizations, there are a number of other small           53tweaks I've made, mostly to get Fedora+KDE Plasma working together. Some of them           54should probably be upstreamed to the ParticleOS project. The overall patchset           55can be seen [here on Gitpatch](https://gitpatch.com/jcgl/particleos/patch/5).

             @@ -1,9 +1,10 @@     1      1BIN_DIR := mkosi.profiles/custom/mkosi.extra/usr/local/bin     2      2PACKAGES_DIR := mkosi.profiles/custom/mkosi.packages     3      3btdu := $(BIN_DIR)/btdu            4jj := $(BIN_DIR)/jj     4      5opensnitch := $(PACKAGES_DIR)/opensnitch.rpm     5      6opensnitch_ui := $(PACKAGES_DIR)/opensnitch_ui.rpm     6       ALL := $(btdu) $(opensnitch) $(opensnitch_ui)            7ALL := $(btdu) $(jj) $(opensnitch) $(opensnitch_ui)     7      8LATEST_VERSION = $(shell mkosi summary --json | jq -r '.Images[] | select(.Image == "main") | .ImageVersion')     8      9INSTALLED_VERSION = $(shell grep IMAGE_VERSION /etc/os-release | cut -d= -f2 | tr -d \")     9     10             @@ -17,9 +18,18 @@    17     18$(BIN_DIR) $(PACKAGES_DIR):    18     19	mkdir -p $@    19     20           21$(jj): $(MAKE_TMPDIR)/jj.tar.gz           22	echo 9967a240e3294a0bce4444c55d40a35b70af44c69b558689aced95e4e497cef2 $(MAKE_TMPDIR)/jj.tar.gz | sha256sum --check           23	tar -xzf $(MAKE_TMPDIR)/jj.tar.gz -C $(MAKE_TMPDIR) --one-top-level=jj_out --overwrite           24	cp $(MAKE_TMPDIR)/jj_out/jj $@           25           26$(MAKE_TMPDIR)/jj.tar.gz:           27	wget https://github.com/jj-vcs/jj/releases/download/v0.35.0/jj-v0.35.0-x86_64-unknown-linux-musl.tar.gz -O $(MAKE_TMPDIR)/jj.tar.gz           28    20     29$(btdu): $(MAKE_TMPDIR)/btdu    21     30	echo 35b9bb752e6aa902b8281e92a5411b2f1cfb9fa251089adf909dc95efc011c48 $(MAKE_TMPDIR)/btdu | sha256sum --check    22     31	cp $(MAKE_TMPDIR)/btdu $@           32	chmod +x $@    23     33    24     34$(MAKE_TMPDIR)/btdu:    25     35	wget https://github.com/CyberShadow/btdu/releases/download/v0.6.0/btdu-static-x86_64 -O $(MAKE_TMPDIR)/btdu             @@ -45,8 +55,8 @@    45     55	ln -s ~/Vaults/particleos_keys/sbctl/var/keys/db/db.key mkosi.key    46     56    47     57.PHONY: build    48       build:    49       	mkosi build --auto-bump           58build: deps           59	mkosi build --auto-bump --cache-only never    50     60    51     61.PHONY: systemd    52     62systemd:             @@ -56,13 +66,12 @@    56     66sysupdate:    57     67	mkosi sysupdate -- update    58     68	mkdir -p versions    59       	cat mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.manifest | gzip > versions/$(LATEST_VERSION).manifest.gz    60     69	cat mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.changelog | gzip > versions/$(LATEST_VERSION).changelog.gz    61     70    62     71.PHONY: diff_changelog    63     72diff_changelog:    64       	diff --color=always -u <(gzip --decompress --to-stdout versions/$(INSTALLED_VERSION).changelog.gz) mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.changelog           73	sh -c 'diff --color=always -u <(gzip --decompress --to-stdout versions/$(INSTALLED_VERSION).changelog.gz) mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.changelog; test $$? -le 1'    65     74    66     75.PHONY: diff_manifest    67     76diff_manifest:    68       	diff --color=always -u <(gzip --decompress --to-stdout versions/$(INSTALLED_VERSION).manifest.gz) mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.manifest           77	sh -c 'diff --color=always -u /etc/mkosi-manifest mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.manifest; test $$? -le 1'

             @@ -3,9 +3,6 @@     3      3Release=43     4      4     5      5[Build]     6       ToolsTree=default     7       ToolsTreeDistribution=fedora     8       ToolsTreeProfiles=misc,runtime,gui     9      6ExtraSearchPaths=./systemd/build/mkosi.builddir/fedora~43~x86-64/    10      7    11      8[Config]             @@ -16,140 +13,3 @@    16     13    17     14[Content]    18     15VolatilePackageDirectories=./systemd/build/mkosi.builddir/fedora~43~x86-64/    19       Packages=    20               # keyrings for building other distro images    21               archlinux-keyring    22               debian-keyring    23               ansible    24               awk    25               bash    26               bash-completion    27               binutils    28               bind-utils    29               bat    30               clatd    31               clang-devel    32               cowsay    33               cmatrix    34               curl    35               debian-keyring    36               dictd    37               du-dust    38               duf    39               d2    40               emacs    41               entr    42               exfatprogs    43               exiftool    44               fastfetch    45               fcitx5-mozc    46               fcitx5-configtool    47               fcitx5-gtk    48               fcitx5-qt    49               firejail    50               fontawesome-fonts-all    51               kcm-fcitx5    52               fd-find    53               file    54               fish    55               flatpak    56               fprintd-pam    57               fortune    58               # needed for appimage    59               fuse-libs    60               fzf    61               gcc    62               git    63               git-absorb    64               git-delta    65               git-lfs    66               glances    67               # needed for geoclue?    68               glib-networking    69               guestfs-tools    70               golang    71               graphviz    72               htop    73               iio-sensor-proxy    74               ImageMagick    75               iperf3    76               java-latest-openjdk    77               katago-opencl    78               intel-opencl    79               OpenCL-ICD-Loader    80               @kde-desktop    81               kde-connect    82               kde-partitionmanager    83               kitty    84               kitty-shell-integration    85               kitty-terminfo    86               krfb    87               libfprint-tod    88               libfprint-2-tod1-broadcom    89               libfprint-tod-selinux    90               litecli    91               lm_sensors    92               lolcat    93               lshw    94               lsof    95               man    96               # include mkosi just for shell completion and man pages    97               mkosi    98               mokutil    99               mpv   100               ncdu   101               neovim   102               ninja   103               okular   104               osc   105               # needed for bell fish function   106               oxygen-sounds   107               pre-commit   108               python3-neovim   109               nmap   110               nmap-ncat   111               # for coc.nvim   112               npm   113               # needed for clatd on F43 apparently   114               perl-IPC-Cmd   115               perl-JSON   116               pipewire-utils   117               plasma-disks   118               plasma-vault   119               pnpm   120               powertop   121               proxychains-ng   122               pv   123               python3-netaddr   124               ripgrep   125               rubygem-asciidoctor   126               rustup   127               rsync   128               sbctl   129               setroubleshoot   130               sbsigntools   131               sqlite   132               stgit   133               tcpdump   134               # not yet available for fedora 43   135               terraform-ls   136               tmux   137               toolbox   138               tor   139               translate-shell   140               trash-cli   141               ttyplot   142               units   143               unrar-free   144               @virtualization   145               wget   146               whois   147               wl-clipboard   148               wireshark   149               yubikey-manager   150               kernel   151               # repository directory comes from mkosi.packages   152               repository/opensnitch_ui.rpm   153               repository/opensnitch.rpm   154               python3-grpcio+protobuf   155               python3-slugify

             @@ -1,1 +1,1 @@     1       15bd1496c9b59c1ec8ee05e78c65eeb3f148c898            12e5f717545e2664ce2ed6b2dd84744b3789156b1

             @@ -10,6 +10,8 @@    10     10Packages=    11     11        bash-color-prompt    12     12        bpftool           13        # cryptsetup luksAddKey --token-type systemd-tpm2 /dev/<device> fails           14        # for me otherwise    13     15        cracklib-dicts    14     16        cryptsetup    15     17        distribution-gpg-keys

             @@ -0,0 +1,149 @@            1[Content]            2Hostname=            3Packages=            4        # keyrings for building other distro images            5        archlinux-keyring            6        debian-keyring            7        ansible            8        ansible-collection-ansible-posix            9        ansible-collection-community-postgresql           10        ansible-collection-community-general           11        ansible-collection-community-crypto           12        python3-ansible-lint           13        asciiquarium           14        awk           15        bash           16        bash-completion           17        bat           18        binutils           19        bind-utils           20        bridge-utils           21        clatd           22        clang-devel           23        cowsay           24        cmatrix           25        curl           26        dictd           27        diffoscope           28        du-dust           29        duf           30        d2           31        emacs           32        entr           33        exfatprogs           34        exiftool           35        fastfetch           36        fcitx5-mozc           37        fcitx5-configtool           38        fcitx5-gtk           39        fcitx5-qt           40        firejail           41        kcm-fcitx5           42        fd-find           43        file           44        fish           45        flatpak           46        fprintd-pam           47        fortune           48        # needed for appimage           49        fuse-libs           50        fzf           51        gcc           52        git           53        git-absorb           54        git-delta           55        git-lfs           56        glances           57        # needed for geoclue?           58        glib-networking           59        guestfs-tools           60        golang           61        graphviz           62        htop           63        iio-sensor-proxy           64        ImageMagick           65        iperf3           66        java-latest-openjdk           67        katago-opencl           68        intel-opencl           69        OpenCL-ICD-Loader           70        @kde-desktop           71        kde-connect           72        kde-partitionmanager           73        kitty           74        kitty-shell-integration           75        kitty-terminfo           76        krfb           77        libfprint-tod           78        libfprint-2-tod1-broadcom           79        libfprint-tod-selinux           80        litecli           81        lm_sensors           82        lolcat           83        lshw           84        lsof           85        man           86        # include mkosi just for shell completion and man pages           87        mkosi           88        mokutil           89        mpv           90        ncdu           91        neovim           92        ninja           93        okular           94        opentofu           95        osc           96        # needed for bell fish function           97        ocean-sound-theme           98        oxygen-sounds           99        pre-commit          100        python3-neovim          101        nmap          102        nmap-ncat          103        # for coc.nvim          104        npm          105        # needed for clatd on F43 apparently          106        perl-IPC-Cmd          107        perl-JSON          108        pipewire-utils          109        plasma-disks          110        plasma-vault          111        pnpm          112        powertop          113        progress          114        proxychains-ng          115        pv          116        python3-netaddr          117        restic          118        autorestic          119        ripgrep          120        rubygem-asciidoctor          121        rustup          122        rsync          123        sbctl          124        setroubleshoot          125        sbsigntools          126        sqlite          127        stgit          128        tcpdump          129        terraform-ls          130        tmux          131        toolbox          132        tor          133        translate-shell          134        trash-cli          135        ttyplot          136        units          137        unrar-free          138        @virtualization          139        wget          140        whois          141        wl-clipboard          142        wireshark          143        yubikey-manager          144        gnupg2-scdaemon          145        # repository directory comes from mkosi.packages          146        repository/opensnitch_ui.rpm          147        repository/opensnitch.rpm          148        python3-grpcio+protobuf          149        python3-slugify

             @@ -1,4 +0,0 @@     1       #!/usr/bin/sh     2            3       chmod 755 /usr/bin/dumpcap     4       setcap -r /usr/bin/dumpcap

             @@ -1,10 +0,0 @@     1       [copr:copr.fedorainfracloud.org:chenxiaolong:sbctl]     2       name=Copr repo for sbctl owned by chenxiaolong     3       baseurl=https://download.copr.fedorainfracloud.org/results/chenxiaolong/sbctl/fedora-$releasever-$basearch/     4       type=rpm-md     5       skip_if_unavailable=True     6       gpgcheck=1     7       gpgkey=https://download.copr.fedorainfracloud.org/results/chenxiaolong/sbctl/pubkey.gpg     8       repo_gpgcheck=0     9       enabled=1    10       enabled_metadata=1

             @@ -1,10 +0,0 @@     1       [copr:copr.fedorainfracloud.org:grahamwhiteuk:libfprint-tod]     2       name=Copr repo for libfprint-tod owned by grahamwhiteuk     3       baseurl=https://download.copr.fedorainfracloud.org/results/grahamwhiteuk/libfprint-tod/fedora-$releasever-$basearch/     4       type=rpm-md     5       skip_if_unavailable=True     6       gpgcheck=1     7       gpgkey=https://download.copr.fedorainfracloud.org/results/grahamwhiteuk/libfprint-tod/pubkey.gpg     8       repo_gpgcheck=0     9       enabled=1    10       enabled_metadata=1

             @@ -1,13 +0,0 @@     1       [hashicorp]     2       name=Hashicorp Stable - $basearch     3       baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable     4       enabled=1     5       gpgcheck=1     6       gpgkey=https://rpm.releases.hashicorp.com/gpg     7            8       [hashicorp-test]     9       name=Hashicorp Test - $basearch    10       baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/test    11       enabled=0    12       gpgcheck=1    13       gpgkey=https://rpm.releases.hashicorp.com/gpg

             @@ -3,6 +3,7 @@     3      3# This overrides the same file from systemd since we want to symlink everything     4      4# into /etc instead of copying so updates to /usr propagate properly.     5      5L /etc/os-release - - - - ../usr/lib/os-release            6L /etc/mkosi-manifest - - - - ../usr/lib/mkosi-manifest     6      7L+ /etc/mtab - - - - ../proc/self/mounts     7      8# Contains the default systemd locale     8      9L /etc/locale.conf             @@ -48,6 +49,8 @@    48     49L? /etc/tuned    49     50# Required by gdm    50     51L? /etc/gdm           52# Required by sdm           53L? /etc/sddm    51     54# Required by geoclue    52     55L? /etc/geoclue    53     56# Required by fwupd             @@ -65,10 +68,14 @@    65     68L? /etc/PackageKit    66     69# ModemManager needds its dbus policy file    67     70L? /etc/dbus1/systemd.d/org.freedesktop.ModemManager1.conf           71# man fails without this in /etc/           72L? /etc/manpath.config    68     73# Required by man-db-cache-update.service    69     74L? /etc/sysconfig/man-db    70       # sddm breaks otherwise, at least with homed?    71       L? /etc/sddm           75# some programs still rely on logrotate           76L? /etc/logrotate.conf           77L? /etc/logrotate.d           78    72     79    73     80## custom    74     81C /etc/opensnitchd

             @@ -9,6 +9,5 @@     9      9        gnome-core    10     10        gnome-initial-setup    11     11        gnome-keyring-pkcs11    12               gnome-session-xsession    13     12        gnome-software-plugin-flatpak    14     13        gnome-software-plugin-fwupd

             @@ -1,2 +0,0 @@     1       enable opensnitch.service     2       enable fprintd.service

             @@ -0,0 +1,10 @@            1[copr:copr.fedorainfracloud.org:chenxiaolong:sbctl]            2name=Copr repo for sbctl owned by chenxiaolong            3baseurl=https://download.copr.fedorainfracloud.org/results/chenxiaolong/sbctl/fedora-$releasever-$basearch/            4type=rpm-md            5skip_if_unavailable=True            6gpgcheck=1            7gpgkey=https://download.copr.fedorainfracloud.org/results/chenxiaolong/sbctl/pubkey.gpg            8repo_gpgcheck=0            9enabled=1           10enabled_metadata=1

             @@ -0,0 +1,10 @@            1[copr:copr.fedorainfracloud.org:grahamwhiteuk:libfprint-tod]            2name=Copr repo for libfprint-tod owned by grahamwhiteuk            3baseurl=https://download.copr.fedorainfracloud.org/results/grahamwhiteuk/libfprint-tod/fedora-$releasever-$basearch/            4type=rpm-md            5skip_if_unavailable=True            6gpgcheck=1            7gpgkey=https://download.copr.fedorainfracloud.org/results/grahamwhiteuk/libfprint-tod/pubkey.gpg            8repo_gpgcheck=0            9enabled=1           10enabled_metadata=1

             @@ -0,0 +1,13 @@            1[hashicorp]            2name=Hashicorp Stable - $basearch            3baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable            4enabled=1            5gpgcheck=1            6gpgkey=https://rpm.releases.hashicorp.com/gpg            7            8[hashicorp-test]            9name=Hashicorp Test - $basearch           10baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/test           11enabled=0           12gpgcheck=1           13gpgkey=https://rpm.releases.hashicorp.com/gpg

             @@ -0,0 +1,13 @@            1# SPDX-License-Identifier: LGPL-2.1-or-later            2            3[TriggerMatch]            4Distribution=debian            5Release=trixie            6            7[TriggerMatch]            8Distribution=ubuntu            9Release=|oracular           10Release=|plucky           11           12[Content]           13Packages=gnome-session-xsession

             @@ -0,0 +1,2 @@            1SELINUX=permissive            2SELINUXTYPE=targeted

             @@ -0,0 +1,60 @@            1# Authors: Jason Tang <jtang@tresys.com>            2#            3# Copyright (C) 2004-2005 Tresys Technology, LLC            4#            5#  This library is free software; you can redistribute it and/or            6#  modify it under the terms of the GNU Lesser General Public            7#  License as published by the Free Software Foundation; either            8#  version 2.1 of the License, or (at your option) any later version.            9#           10#  This library is distributed in the hope that it will be useful,           11#  but WITHOUT ANY WARRANTY; without even the implied warranty of           12#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU           13#  Lesser General Public License for more details.           14#           15#  You should have received a copy of the GNU Lesser General Public           16#  License along with this library; if not, write to the Free Software           17#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA           18#           19# Specify how libsemanage will interact with a SELinux policy manager.           20# The four options are:           21#           22#  "source"     - libsemanage manipulates a source SELinux policy           23#  "direct"     - libsemanage will write directly to a module store.           24#  /foo/bar     - Write by way of a policy management server, whose           25#                 named socket is at /foo/bar.  The path must begin           26#                 with a '/'.           27#  foo.com:4242 - Establish a TCP connection to a remote policy           28#                 management server at foo.com.  If there is a colon           29#                 then the remainder is interpreted as a port number;           30#                 otherwise default to port 4242.           31module-store = direct           32           33# When generating the final linked and expanded policy, by default           34# semanage will set the policy version to POLICYDB_VERSION_MAX, as           35# given in <sepol/policydb.h>.  Change this setting if a different           36# version is necessary.           37#policy-version = 19           38           39# expand-check check neverallow rules when executing all semanage           40# commands. There might be a penalty in execution time if this           41# option is enabled.           42expand-check=0           43           44# usepasswd check tells semanage to scan all pass word records for home directories           45# and setup the labeling correctly. If this is turned off, SELinux will label only /home           46# and home directories of users with SELinux login mappings defined, see           47# semanage login -l for the list of such users.           48# If you want to use a different home directory, you will need to use semanage fcontext command.           49# For example, if you had home dirs in /althome directory you would have to execute           50# semanage fcontext -a -e /home /althome           51usepasswd=False           52bzip-small=true           53bzip-blocksize=5           54ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var           55optimize-policy=true           56           57[sefcontext_compile]           58path = /usr/sbin/sefcontext_compile           59args = -r $@           60[end]

             @@ -0,0 +1,3 @@            1L? /etc/selinux/targeted            2C /etc/selinux/config          -    -    -     -   /usr/share/factory/etc/selinux/config            3C /etc/selinux/semanage.conf   -    -    -     -   /usr/share/factory/etc/selinux/semanage.conf

             @@ -0,0 +1,3 @@            1enable opensnitch.service            2enable fprintd.service            3enable units_cur.timer

             @@ -0,0 +1,8 @@            1[Unit]            2Description=Update GNU Units currencies            3After=network-online.target            4Requires=network-online.target            5            6[Service]            7StateDirectory=units            8ExecStart=/usr/bin/units_cur

             @@ -0,0 +1,9 @@            1[Unit]            2Description=Update GNU Units currencies            3            4[Timer]            5OnCalendar=weekly            6Persistent=yes            7            8[Install]            9WantedBy=timers.target

             @@ -0,0 +1,7 @@            1[Unit]            2Description=Autorestic Backups Service            3            4[Service]            5ExecStart=/usr/bin/autorestic --ci cron            6ExecStartPost=/usr/bin/autorestic --ci forget            7Type=oneshot

             @@ -0,0 +1,9 @@            1[Unit]            2Description=Autorestic Backups Timer            3            4[Timer]            5OnCalendar=daily            6Persistent=yes            7            8[Install]            9WantedBy=timers.target

             @@ -0,0 +1,2 @@            1[Service]            2StateDirectory=logrotate