local customizations

             @@ -10,3 +10,6 @@    10     10[*.conf]    11     11indent_style = space    12     12indent_size = 4           13           14[mkosi.passphrase]           15insert_final_newline = false

             @@ -1,6 +1,4 @@     1      1# SPDX-License-Identifier: LGPL-2.1-or-later     2       mkosi.local/     3       mkosi.local.conf     4      2mkosi.output/     5      3mkosi.cache/     6      4mkosi.tools/             @@ -11,3 +9,5 @@    11      9.mkosi-private    12     10mkosi.packages/    13     11keys/           12mkosi.profiles/custom/mkosi.extra/usr/local/bin/           13versions/

             @@ -0,0 +1,1 @@            1/systemd/**

             @@ -4,157 +4,20 @@     4      4concepts described in     5      5[Fitting Everything Together](https://0pointer.net/blog/fitting-everything-together.html).     6      6     7       Note that ParticleOS is still in development, and we don't provide any backwards     8       compatibility guarantees at all.     9           10       The crucial difference that makes ParticleOS unique compared to other immutable    11       distributions is that users build the ParticleOS image themselves and sign it    12       with their own keys instead of installing vendor signed images. This allows    13       configuring the image to your liking by having full control over which    14       distribution is used as the base and which packages are installed into the    15       image.    16           17       The ParticleOS image is built using [mkosi](https://github.com/systemd/mkosi).    18       You will need to install the current main branch of mkosi to build current     19       ParticleOS images.    20           21       First, configure the variant you'd like to build in `mkosi.local.conf`. For a    22       desktop system, you'll want the `desktop` profile and either the `gnome` or the    23       `kde` profile.    24           25       ```conf    26       [Distribution]    27       Distribution=arch    28           29       [Config]    30       Profiles=desktop,kde    31       ```    32           33       To build the image, run `mkosi -B -f` from the ParticleOS repository. Currently    34       `arch`, `fedora` and `debian` are supported distributions. Implementing support for a    35       new distribution (that's already supported in mkosi) is as simple as writing the    36       necessary config files to install the required packages for that distribution.    37           38       To update the system after installation, you clone the ParticleOS repository    39       or your fork of it, make sure `mkosi.local.conf` is configured to your liking and    40       run `mkosi -B -ff sysupdate -- update --reboot` which will update the system using    41       `systemd-sysupdate` and then reboot.    42           43       ## Using the OBS profile to fetch a newer systemd    44           45       Sometimes ParticleOS adopts systemd features as soon as they get merged into    46       systemd without waiting for an official release. That's why we recommend    47       enabling the `obs` profile to enable the systemd repositories on OBS    48       (https://software.opensuse.org//download.html?project=system%3Asystemd&package=systemd)    49       containing systemd packages which are built every day from systemd's git main    50       branch.    51           52       To enable the `obs` profile, add the following to `mkosi.local.conf`:    53           54       ```conf    55       [Config]    56       Profiles=obs    57       ```    58           59       ## Building systemd from source    60           61       As an alternative to using the `obs` profile, you can build systemd from source:    62           63       ```sh    64       git clone https://github.com/systemd/systemd    65       cd systemd    66       mkosi -f sandbox -- meson setup build    67       mkosi -f sandbox -- meson compile -C build    68       mkosi -t none -f    69       ```    70           71       Then write the following to `mkosi.local.conf` in the ParticleOS repository to    72       use the artifacts from the systemd repository built by mkosi in ParticleOS:    73           74       ```conf    75       [Content]    76       VolatilePackageDirectories=../systemd/build/mkosi.builddir/<distribution>~<release>~<arch>    77           78       [Build]    79       ExtraSearchPaths=../systemd/build    80       ```    81           82       Make sure the distribution and release in `mkosi.local.conf` are identical in the    83       systemd checkout and the particleos checkout.    84           85       To build a newer systemd, run `git pull` in the systemd repository followed by    86        `mkosi -f sandbox -- meson compile -C build` and `mkosi -t none`.    87           88       ## Signing keys    89           90       ParticleOS images are signed for Secure Boot with the user's keys. To generate a new key,    91       run `mkosi genkey`. The key must be stored safely, it will be required to sign updates.    92           93       The key can be stored in a smartcard. Then you have to set the key in `mkosi.local.conf`:    94           95       ```    96       [Validation]    97       SecureBootKey=pkcs11:object=Private key 1;type=private    98       SecureBootKeySource=provider:pkcs11    99       SignExpectedPcrKey=pkcs11:object=Private key 1;type=private   100       SignExpectedPcrKeySource=provider:pkcs11   101       VerityKey=pkcs11:object=Private key 1;type=private   102       VerityKeySource=provider:pkcs11   103       ```   104          105       ## Installation   106          107       Before installing ParticleOS, make sure that Secure Boot is in setup mode on the   108       target system. The Secure Boot mode can be configured in the UEFI firmware   109       interface of the target system. If there's an existing Linux installation on the   110       target system already, run `systemctl reboot --firmware-setup` to reboot into   111       the UEFI firmware interface. At the same time, make sure the UEFI firmware   112       interface is password protected so an attacker cannot just disable Secure Boot   113       again.   114          115       To install ParticleOS with a USB drive, first build the image on an existing   116       Linux system as described above. Then, burn it to the USB drive with   117       `mkosi burn /dev/<usb>`. Once burned to the USB drive, plug the USB drive into   118       the system onto which you'd like to install ParticleOS and boot into the USB   119       drive via the firmware. Then, boot into the "Installer" UKI profile. When you   120       end up in the root shell, run   121       `systemd-repart --dry-run=no --empty=force --defer-partitions=swap,root,home /dev/<drive>`   122       to install ParticleOS to the system's drive. Finally, reboot into the target   123       drive (not the USB) and the regular profile (not the installer one) to complete   124       the installation.   125          126       ## LUKS recovery key   127          128       systemd doesn't support adding a recovery key to a partition enrolled with a token   129       only (tpm/fido2). It is possible to use cryptenroll to add a recovery password   130       to the root partition: `cryptsetup luksAddKey --token-type systemd-tpm2 /dev/<id>`   131          132       ## Firmwares   133          134       Only firmwares that are dependencies of a kernel module are included, but some   135       modules don't declare their dependencies properly. Dependencies of a module can be   136       found with `modinfo`. If you experience missing firmwares, you should report   137       this to the module maintainer. `FirmwareInclude=` can be added in `mkosi.local.conf`   138       to include the firmware regardless of whether a module depends on it.   139          140       ## Configuring systemd-homed after installation   141          142       After installing ParticleOS and logging into your systemd-homed managed user,   143       run the following to configure systemd-homed for the best experience:   144          145       ```sh   146       homectl update \   147           --auto-resize-mode=off \   148           --disk-size=max \   149           --luks-discard=on"   150       ```   151          152       Disabling the auto resize mode avoids slow system boot and shutdown. Enabling   153       LUKS discard makes sure the home directory doesn't become inaccessible because   154       systemd-homed is unable to resize the home directory.   155          156       ## Default root password and user when booting in a virtual machine   157          158       If you boot ParticleOS in a virtual machine using `mkosi vm`, the root password   159       is automatically set to `particleos` and a default user `particleos` with password   160       `particleos` is created as well.            7This is my own version/soft fork of ParticleOS. Most important commands are            8contained in the [`makefile`](makefile). Most imporant are `make build` and            9`make sysupdate`.           10           11## Notable files/directories           12           13- [makefile](makefile)—contains most imporant commands. `build` and           14  `sysupdate` targets are the main ones. is also responsible for downloading           15  miscellaneous unpackaged binaries.           16- [mkosi.local.conf](mkosi.local.conf)—the linchpin that holds my custom           17  configuration together.           18- [mkosi.profiles/custom](mkosi.profiles/custom)—the custom profile where           19  most of my additions live.           20  - [mkosi.conf](mkosi.profiles/custom/mkosi.conf)—primarily contains the           21    packages I want installed.           22  - [mkosi.extra](mkosi.profiles/custom/mkosi.extra)—additional files that           23    get included in the built images.

             @@ -0,0 +1,77 @@            1BIN_DIR := mkosi.profiles/custom/mkosi.extra/usr/local/bin            2PACKAGES_DIR := mkosi.profiles/custom/mkosi.packages            3btdu := $(BIN_DIR)/btdu            4jj := $(BIN_DIR)/jj            5opensnitch := $(PACKAGES_DIR)/opensnitch.rpm            6opensnitch_ui := $(PACKAGES_DIR)/opensnitch_ui.rpm            7ALL := $(btdu) $(jj) $(opensnitch) $(opensnitch_ui)            8LATEST_VERSION = $(shell mkosi summary --json | jq -r '.Images[] | select(.Image == "main") | .ImageVersion')            9INSTALLED_VERSION = $(shell grep IMAGE_VERSION /etc/os-release | cut -d= -f2 | tr -d \")           10           11.PHONY: deps           12deps: $(PACKAGES_DIR) $(BIN_DIR) $(ALL)           13           14.PHONY: clean           15clean:           16	rm -fv $(ALL)           17           18$(BIN_DIR) $(PACKAGES_DIR):           19	mkdir -p $@           20           21$(jj): $(MAKE_TMPDIR)/jj.tar.gz           22	echo 9967a240e3294a0bce4444c55d40a35b70af44c69b558689aced95e4e497cef2 $(MAKE_TMPDIR)/jj.tar.gz | sha256sum --check           23	tar -xzf $(MAKE_TMPDIR)/jj.tar.gz -C $(MAKE_TMPDIR) --one-top-level=jj_out --overwrite           24	cp $(MAKE_TMPDIR)/jj_out/jj $@           25           26$(MAKE_TMPDIR)/jj.tar.gz:           27	wget https://github.com/jj-vcs/jj/releases/download/v0.35.0/jj-v0.35.0-x86_64-unknown-linux-musl.tar.gz -O $(MAKE_TMPDIR)/jj.tar.gz           28           29$(btdu): $(MAKE_TMPDIR)/btdu           30	echo 35b9bb752e6aa902b8281e92a5411b2f1cfb9fa251089adf909dc95efc011c48 $(MAKE_TMPDIR)/btdu | sha256sum --check           31	cp $(MAKE_TMPDIR)/btdu $@           32	chmod +x $@           33           34$(MAKE_TMPDIR)/btdu:           35	wget https://github.com/CyberShadow/btdu/releases/download/v0.6.0/btdu-static-x86_64 -O $(MAKE_TMPDIR)/btdu           36           37$(opensnitch): $(MAKE_TMPDIR)/opensnitch.rpm           38	echo 2caf4e13ffd1b7af48306a2e9e979042f526823720b42bee4c00194f140d64dd $(MAKE_TMPDIR)/opensnitch.rpm | sha256sum --check           39	cp $(MAKE_TMPDIR)/opensnitch.rpm $@           40           41$(MAKE_TMPDIR)/opensnitch.rpm:           42		wget https://github.com/evilsocket/opensnitch/releases/download/v1.7.2/opensnitch-1.7.2-1.x86_64.rpm -O $(MAKE_TMPDIR)/opensnitch.rpm           43           44$(opensnitch_ui): $(MAKE_TMPDIR)/opensnitch_ui.rpm           45	echo b26029cbc83880ebc92170035d50237c13b17ffc0b3cf52b89fa1348edfdfb43 $(MAKE_TMPDIR)/opensnitch_ui.rpm | sha256sum --check           46	cp $(MAKE_TMPDIR)/opensnitch_ui.rpm $@           47           48$(MAKE_TMPDIR)/opensnitch_ui.rpm:           49	wget https://github.com/evilsocket/opensnitch/releases/download/v1.7.2/opensnitch-ui-1.7.2-1.noarch.rpm -O $(MAKE_TMPDIR)/opensnitch_ui.rpm           50           51mkosi.crt:           52	ln -s ~/Vaults/particleos_keys/sbctl/var/keys/db/db.pem mkosi.crt           53           54mkosi.key:           55	ln -s ~/Vaults/particleos_keys/sbctl/var/keys/db/db.key mkosi.key           56           57.PHONY: build           58build: deps           59	mkosi build --auto-bump --cache-only never           60           61.PHONY: systemd           62systemd:           63	sh -c 'cd systemd && mkosi -t none -f --distribution=fedora --release=43'           64           65.PHONY: sysupdate           66sysupdate:           67	mkosi sysupdate -- update           68	mkdir -p versions           69	cat mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.changelog | gzip > versions/$(LATEST_VERSION).changelog.gz           70           71.PHONY: diff_changelog           72diff_changelog:           73	sh -c 'diff --color=always -u <(gzip --decompress --to-stdout versions/$(INSTALLED_VERSION).changelog.gz) mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.changelog; test $$? -le 1'           74           75.PHONY: diff_manifest           76diff_manifest:           77	sh -c 'diff --color=always -u /etc/mkosi-manifest mkosi.output/ParticleOS_$(LATEST_VERSION)_x86-64.manifest; test $$? -le 1'

             @@ -5,6 +5,7 @@     5      5     6      6[Build]     7      7ToolsTree=default            8ToolsTreeProfiles=misc,runtime,gui     8      9History=yes     9     10CacheDirectory=mkosi.cache    10     11Incremental=yes             @@ -106,7 +107,6 @@   106    107RAM=4G   107    108CPUs=4   108    109Ephemeral=yes   109       RuntimeScratch=no   110    110Credentials=   111    111        passwd.plaintext-password.root=particleos   112    112        tty.serial.hvc0.agetty.autologin=particleos

             @@ -1,118 +1,15 @@     1      1[Distribution]     2      2Distribution=fedora     3       Release=42            3Release=43     4      4     5      5[Build]     6       ToolsTree=default     7       ToolsTreeDistribution=fedora     8       ToolsTreeProfiles=misc,runtime,gui     9       ExtraSearchPaths=./systemd/build/mkosi.builddir/fedora~42~x86-64/            6ExtraSearchPaths=./systemd/build/mkosi.builddir/fedora~43~x86-64/    10      7    11      8[Config]    12       Profiles=desktop,kde            9Profiles=desktop,kde,custom    13     10    14     11[Output]    15       Format=disk           12ManifestFormat=changelog    16     13    17     14[Content]    18       VolatilePackageDirectories=./systemd/build/mkosi.builddir/fedora~42~x86-64/    19       Packages=    20               ansible    21               awk    22               bash    23               bash-completion    24               binutils    25               bind-utils    26               bat    27               clatd    28               cowsay    29               cmatrix    30               curl    31               dictd    32               du-dust    33               emacs    34               exfatprogs    35               fastfetch    36               fd-find    37               file    38               fish    39               flatpak    40               fprintd-pam    41               fortune    42               # needed for appimage    43               fuse-libs    44               fzf    45               gcc    46               git    47               git-absorb    48               git-delta    49               glances    50               golang    51               htop    52               iio-sensor-proxy    53               iperf3    54               @kde-desktop    55               kde-connect    56               kde-partitionmanager    57               kitty    58               kitty-shell-integration    59               kitty-terminfo    60               krfb    61               libfprint-tod    62               libfprint-2-tod1-broadcom    63               libfprint-tod-selinux    64               lm_sensors    65               lolcat    66               lshw    67               man    68               # include mkosi just for shell completion and man pages    69               mkosi    70               mokutil    71               ncdu    72               okular    73               # needed for bell fish function    74               oxygen-sounds    75               neovim    76               python3-neovim    77               nmap-ncat    78               # for coc.nvim    79               npm    80               pipewire-utils    81               plasma-disks    82               plasma-vault    83               pnpm    84               powertop    85               proxychains-ng    86               ripgrep    87               rustup    88               rsync    89               sbctl    90               setroubleshoot    91               stgit    92               sbsigntools    93               tcpdump    94               tmux    95               toolbox    96               translate-shell    97               trash-cli    98               ttyplot    99               units   100               unrar-free   101               @virtualization   102               wget   103               whois   104               wireshark   105               yubikey-manager   106               kernel   107               repository/opensnitch-ui-1.7.1-1.noarch.rpm   108               repository/opensnitch-1.7.1-1.x86_64.rpm   109               python3-grpcio+protobuf   110               python3-slugify   111          112       [Validation]   113       SecureBootKey=./keys/sbctl/var/keys/db/db.key   114       SecureBootCertificate=./keys/sbctl/var/keys/db/db.pem   115       SignExpectedPcrKey=./keys/sbctl/var/keys/db/db.key   116       SignExpectedPcrCertificate=./keys/sbctl/var/keys/db/db.pem   117       VerityKey=./keys/sbctl/var/keys/db/db.key   118       VerityCertificate=./keys/sbctl/var/keys/db/db.pem           15VolatilePackageDirectories=./systemd/build/mkosi.builddir/fedora~43~x86-64/

             @@ -1,1 +1,1 @@     1       8a6128b68bf5573bda7499318629ecb2be666848            12e5f717545e2664ce2ed6b2dd84744b3789156b1

             @@ -0,0 +1,13 @@            1rebuild:            2  steps:            3    - trigger_services:            4        project: system:systemd            5        package: particleos-debian            6    - trigger_services:            7        project: system:systemd            8        package: particleos-fedora            9  filters:           10    event: push           11    branches:           12      only:           13        - obs

             @@ -0,0 +1,9 @@            1#!/bin/bash            2# SPDX-License-Identifier: LGPL-2.1-or-later            3set -e            4            5# Debian/Ubuntu PAM patches break /usr/lib/pam.d/ so copy to factory            6# TODO: drop after https://salsa.debian.org/vorlon/pam/-/merge_requests/26 is merged            7if [[ -f /usr/lib/tmpfiles.d/debian.conf ]]; then            8    sed -i '/\/etc\/pam.d/d' /usr/lib/tmpfiles.d/debian.conf            9fi

             @@ -0,0 +1,149 @@            1[Content]            2Packages=            3        # keyrings for building other distro images            4        archlinux-keyring            5        debian-keyring            6        ansible            7        ansible-collection-ansible-posix            8        ansible-collection-community-postgresql            9        ansible-collection-community-general           10        ansible-collection-community-crypto           11        python3-ansible-lint           12        asciiquarium           13        awk           14        bash           15        bash-completion           16        bat           17        binutils           18        bind-utils           19        bridge-utils           20        clatd           21        clang-devel           22        cowsay           23        cmatrix           24        curl           25        dictd           26        diffoscope           27        du-dust           28        duf           29        d2           30        emacs           31        entr           32        exfatprogs           33        exiftool           34        fastfetch           35        fcitx5-mozc           36        fcitx5-configtool           37        fcitx5-gtk           38        fcitx5-qt           39        firejail           40        kcm-fcitx5           41        fd-find           42        file           43        fish           44        flatpak           45        fprintd-pam           46        fortune           47        # needed for appimage           48        fuse-libs           49        fzf           50        gcc           51        git           52        git-absorb           53        git-delta           54        git-lfs           55        glances           56        # needed for geoclue?           57        glib-networking           58        guestfs-tools           59        golang           60        graphviz           61        htop           62        iio-sensor-proxy           63        ImageMagick           64        iperf3           65        java-latest-openjdk           66        katago-opencl           67        intel-opencl           68        OpenCL-ICD-Loader           69        @kde-desktop           70        kde-connect           71        kde-partitionmanager           72        kitty           73        kitty-shell-integration           74        kitty-terminfo           75        krfb           76        libfprint-tod           77        libfprint-2-tod1-broadcom           78        libfprint-tod-selinux           79        litecli           80        lm_sensors           81        lolcat           82        lshw           83        lsof           84        man           85        # include mkosi just for shell completion and man pages           86        mkosi           87        mokutil           88        mpv           89        ncdu           90        neovim           91        ninja           92        okular           93        opentofu           94        osc           95        # needed for bell fish function           96        ocean-sound-theme           97        pre-commit           98        python3-neovim           99        nmap          100        nmap-ncat          101        # for coc.nvim          102        npm          103        # needed for clatd on F43 apparently          104        perl-IPC-Cmd          105        perl-JSON          106        pipewire-utils          107        plasma-disks          108        plasma-vault          109        pnpm          110        powertop          111        progress          112        proxychains-ng          113        pv          114        python3-netaddr          115        restic          116        autorestic          117        ripgrep          118        rubygem-asciidoctor          119        rustup          120        rsync          121        sbctl          122        setroubleshoot          123        sbsigntools          124        sqlite          125        stgit          126        tcpdump          127        # not yet available for fedora 43          128        terraform-ls          129        tmux          130        toolbox          131        tor          132        translate-shell          133        trash-cli          134        ttyplot          135        units          136        unrar-free          137        @virtualization          138        wget          139        whois          140        wl-clipboard          141        wireshark          142        yubikey-manager          143        gnupg2-scdaemon          144        kernel          145        # repository directory comes from mkosi.packages          146        repository/opensnitch_ui.rpm          147        repository/opensnitch.rpm          148        python3-grpcio+protobuf          149        python3-slugify

             @@ -2,6 +2,7 @@     2      2     3      3[Content]     4      4Packages=            5        bluez     5      6        bolt     6      7        desktop-file-utils     7      8        pax-utils             @@ -8,6 +9,7 @@     8      9        pgpdump     9     10        pipewire    10     11        pipewire-alsa           12        qemu-guest-agent    11     13        wireless-regdb    12     14        xdg-desktop-portal    13     15

             @@ -9,6 +9,7 @@     9      9        bluedevil    10     10        breeze-gtk    11     11        gwenview           12        qt6-qtimageformats    12     13        kde-gtk-config    13     14        kdeplasma-addons    14     15        kgamma

             @@ -0,0 +1,9 @@            1# SPDX-License-Identifier: LGPL-2.1-or-later            2            3[systemd]            4name=systemd packages built from upstream main (Fedora_Rawhide)            5type=rpm-md            6baseurl=https://download.opensuse.org/repositories/system:/systemd/Fedora_Rawhide/            7gpgcheck=1            8gpgkey=file:///usr/share/pki/rpm-gpg/systemd.gpg            9enabled=1

             @@ -1,9 +0,0 @@     1       # SPDX-License-Identifier: LGPL-2.1-or-later     2            3       [systemd]     4       name=systemd packages built from upstream main (Fedora_42)     5       type=rpm-md     6       baseurl=https://download.opensuse.org/repositories/system:/systemd/Fedora_42/     7       gpgcheck=1     8       gpgkey=file:///usr/share/pki/rpm-gpg/systemd.gpg     9       enabled=1

             @@ -1,9 +0,0 @@     1       # SPDX-License-Identifier: LGPL-2.1-or-later     2            3       [systemd]     4       name=systemd packages built from upstream main (Fedora_Rawhide)     5       type=rpm-md     6       baseurl=https://download.opensuse.org/repositories/system:/systemd/Fedora_Rawhide/     7       gpgcheck=1     8       gpgkey=file:///usr/share/pki/rpm-gpg/systemd.gpg     9       enabled=1

             @@ -0,0 +1,4 @@            1#!/usr/bin/sh            2            3chmod 755 /usr/bin/dumpcap            4setcap -r /usr/bin/dumpcap

             @@ -6,4 +6,4 @@     6      6     7      7[Build]     8      8ToolsTreeSandboxTrees=systemd.gpg:/usr/share/pki/rpm-gpg/systemd.gpg     9                             fedora43.repo:/etc/yum.repos.d/systemd.repo            9                      fedora.repo:/etc/yum.repos.d/systemd.repo

             @@ -2,7 +2,8 @@     2      2     3      3[Match]     4      4Distribution=fedora            5Release=rawhide     5      6     6      7[Build]     7      8SandboxTrees=systemd.gpg:/usr/share/pki/rpm-gpg/systemd.gpg     8                    fedora%r.repo:/etc/yum.repos.d/systemd.repo            9             fedora.repo:/etc/yum.repos.d/systemd.repo

             @@ -1,10 +0,0 @@     1       [copr:copr.fedorainfracloud.org:chenxiaolong:sbctl]     2       name=Copr repo for sbctl owned by chenxiaolong     3       baseurl=https://download.copr.fedorainfracloud.org/results/chenxiaolong/sbctl/fedora-$releasever-$basearch/     4       type=rpm-md     5       skip_if_unavailable=True     6       gpgcheck=1     7       gpgkey=https://download.copr.fedorainfracloud.org/results/chenxiaolong/sbctl/pubkey.gpg     8       repo_gpgcheck=0     9       enabled=1    10       enabled_metadata=1

             @@ -1,10 +0,0 @@     1       [copr:copr.fedorainfracloud.org:grahamwhiteuk:libfprint-tod]     2       name=Copr repo for libfprint-tod owned by grahamwhiteuk     3       baseurl=https://download.copr.fedorainfracloud.org/results/grahamwhiteuk/libfprint-tod/fedora-$releasever-$basearch/     4       type=rpm-md     5       skip_if_unavailable=True     6       gpgcheck=1     7       gpgkey=https://download.copr.fedorainfracloud.org/results/grahamwhiteuk/libfprint-tod/pubkey.gpg     8       repo_gpgcheck=0     9       enabled=1    10       enabled_metadata=1

             @@ -3,6 +3,7 @@     3      3# This overrides the same file from systemd since we want to symlink everything     4      4# into /etc instead of copying so updates to /usr propagate properly.     5      5L /etc/os-release - - - - ../usr/lib/os-release            6L /etc/mkosi-manifest - - - - ../usr/lib/mkosi-manifest     6      7L+ /etc/mtab - - - - ../proc/self/mounts     7      8# Contains the default systemd locale     8      9L /etc/locale.conf             @@ -15,6 +16,9 @@    15     16L? /etc/bashrc    16     17L? /etc/bash.bashrc    17     18L? /etc/bash.bash_logout           19# TODO: drop once https://github.com/scop/bash-completion/pull/1399 is merged,           20# needed for shell completion of sd-run/run0           21L? /etc/bash_completion.d    18     22# Canonical location to look for certificates    19     23L? /etc/ca-certificates    20     24L? /etc/crypto-policies             @@ -45,6 +49,8 @@    45     49L? /etc/tuned    46     50# Required by gdm    47     51L? /etc/gdm           52# Required by sdm           53L? /etc/sddm    48     54# Required by geoclue    49     55L? /etc/geoclue    50     56# Required by fwupd             @@ -51,12 +57,25 @@    51     57L /etc/fwupd    52     58# Required by gnome    53     59L? /etc/dconf    54       # Required by a bunch of binary symlinks in fedora           60L? /etc/skel           61# CUPS is pulled in by GNOME, and fails if the configs are not there           62L? /etc/cups           63# On some distributions various binaries in /usr/bin are managed via           64# /etc/alternatives.    55     65L? /etc/alternatives           66# PackageKit does not run without /etc/PackageKit/ and GNOME stalls           67# logout/reboot if it doesn't run.           68L? /etc/PackageKit           69# ModemManager needds its dbus policy file           70L? /etc/dbus1/systemd.d/org.freedesktop.ModemManager1.conf           71# man fails without this in /etc/           72L? /etc/manpath.config    56     73# Required by man-db-cache-update.service    57     74L? /etc/sysconfig/man-db    58       # sddm breaks otherwise, at least with homed?    59       L? /etc/sddm           75# some programs still rely on logrotate           76L? /etc/logrotate.conf           77L? /etc/logrotate.d           78    60     79    61     80## custom    62     81C /etc/opensnitchd             @@ -65,8 +84,8 @@    65     84    66     85#firewalld    67     86# this stuff from the `setup` package in Fedora is just kinda funny...           87C+ /etc/firewalld    68     88L? /etc/protocols    69       L? /etc/firewalld    70     89L? /etc/logrotate.d/firewalld    71     90L? /etc/modprobe.d/firewalld-sysctls.conf    72     91L? /etc/sysconfig/firewalld             @@ -77,5 +96,22 @@    77     96# cups    78     97L? /etc/cups    79     98           99# firejail          100L? /etc/firejail          101L? /etc/login.defs          102          103# OpenCL          104L? /etc/OpenCL          105    80    106# abrtd    81    107L? /etc/libreport          108          109# guestfs-tools (virt-builder)          110C+ /etc/virt-builder          111          112# libvirt needs all          113C+ /etc/libvirt          114          115# miscellaneous legacy file          116L? /etc/shells          117L? /etc/hosts

             @@ -7,9 +7,7 @@     7      7Packages=     8      8        gnome-browser-connector     9      9        gnome-core    10               # TODO: enable when it integrates with homed    11               # gnome-initial-setup           10        gnome-initial-setup    12     11        gnome-keyring-pkcs11    13               gnome-session-xsession    14     12        gnome-software-plugin-flatpak    15     13        gnome-software-plugin-fwupd

             @@ -5,4 +5,8 @@     5      5     6      6[Content]     7      7Packages=            8        adwaita-fonts-all     8      9        gdm           10        rsms-inter-fonts           11        rsms-inter-vf-fonts           12        default-fonts-core-emoji

             @@ -1,2 +0,0 @@     1       enable opensnitch.service     2       enable fprintd.service

             @@ -40,3 +40,8 @@    40     40    41     41# Maybe man db    42     42enable man-db-cache-update.service           43           44# Fedora 43 introduces a new authselect service in place of package scriptlets.           45# It fails and (I believe) shouldn't be needed           46# https://bugzilla.redhat.com/show_bug.cgi?id=2397255           47disable authselect-apply-changes.service

             @@ -0,0 +1,10 @@            1[copr:copr.fedorainfracloud.org:chenxiaolong:sbctl]            2name=Copr repo for sbctl owned by chenxiaolong            3baseurl=https://download.copr.fedorainfracloud.org/results/chenxiaolong/sbctl/fedora-$releasever-$basearch/            4type=rpm-md            5skip_if_unavailable=True            6gpgcheck=1            7gpgkey=https://download.copr.fedorainfracloud.org/results/chenxiaolong/sbctl/pubkey.gpg            8repo_gpgcheck=0            9enabled=1           10enabled_metadata=1

             @@ -0,0 +1,10 @@            1[copr:copr.fedorainfracloud.org:grahamwhiteuk:libfprint-tod]            2name=Copr repo for libfprint-tod owned by grahamwhiteuk            3baseurl=https://download.copr.fedorainfracloud.org/results/grahamwhiteuk/libfprint-tod/fedora-$releasever-$basearch/            4type=rpm-md            5skip_if_unavailable=True            6gpgcheck=1            7gpgkey=https://download.copr.fedorainfracloud.org/results/grahamwhiteuk/libfprint-tod/pubkey.gpg            8repo_gpgcheck=0            9enabled=1           10enabled_metadata=1

             @@ -0,0 +1,13 @@            1[hashicorp]            2name=Hashicorp Stable - $basearch            3baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable            4enabled=1            5gpgcheck=1            6gpgkey=https://rpm.releases.hashicorp.com/gpg            7            8[hashicorp-test]            9name=Hashicorp Test - $basearch           10baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/test           11enabled=0           12gpgcheck=1           13gpgkey=https://rpm.releases.hashicorp.com/gpg

             @@ -0,0 +1,13 @@            1# SPDX-License-Identifier: LGPL-2.1-or-later            2            3[TriggerMatch]            4Distribution=debian            5Release=trixie            6            7[TriggerMatch]            8Distribution=ubuntu            9Release=|oracular           10Release=|plucky           11           12[Content]           13Packages=gnome-session-xsession

             @@ -1,4 +0,0 @@     1       # apt gets pulled in, but with /usr read-only doesn't make sense to run updates     2       disable apt-daily.timer     3       disable apt-daily-upgrade.timer     4       disable apt-listchanges.timer

             @@ -9,20 +9,6 @@     9      9# On Debian/Ubuntu the nftable service fails if this config is not present    10     10L? /etc/nftables.conf    11     11    12       # Very basic stuff like awk and which is managed through alternatives    13       L? /etc/alternatives    14           15       # CUPS is pulled in by GNOME, and fails if the configs are not there    16       L? /etc/cups    17           18       # Needed to create users by GNOME's GUI    19       L? /etc/skel    20     12# These can be dropped once https://bugs.debian.org/1108017 is fixed    21     13L? /etc/adduser.conf    22     14L? /etc/deluser.conf    23           24       # PackageKit does not run without /etc/PackageKit/ and GNOME stalls logout/reboot if it doesn't run    25       L? /etc/PackageKit    26           27       # TODO: drop once https://github.com/scop/bash-completion/pull/1399 is merged, needed for shell completion of sd-run/run0    28       L? /etc/bash_completion.d

             @@ -0,0 +1,3 @@            1title Debian 13 ParticleOS Current from OBS (Network Boot)            2architecture x64            3uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/debian_13_images/ParticleOS_x86-64.efi

             @@ -1,3 +0,0 @@     1       title Debian Testing ParticleOS Current from OBS (Network Boot)     2       architecture x64     3       uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/Debian_Testing_images/ParticleOS-x86-64.efi

             @@ -0,0 +1,3 @@            1title Debian Testing ParticleOS Current from OBS (Network Boot)            2architecture x64            3uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/debian_14_images/ParticleOS_x86-64.efi

             @@ -1,3 +0,0 @@     1       title Fedora 41 ParticleOS Current from OBS (Network Boot)     2       architecture x64     3       uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/Fedora_41_images/ParticleOS-x86-64.efi

             @@ -0,0 +1,3 @@            1title Fedora 42 ParticleOS Current from OBS (Network Boot)            2architecture x64            3uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/fedora_42_images/ParticleOS_x86-64.efi

             @@ -1,3 +1,3 @@     1      1title Fedora Rawhide ParticleOS Current from OBS (Network Boot)     2      2architecture x64     3       uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/Fedora_Rawhide_images/ParticleOS-x86-64.efi            3uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/fedora_44_images/ParticleOS_x86-64.efi

             @@ -0,0 +1,6 @@            1<?xml version="1.0" encoding="utf-8"?>            2<service>            3  <short>Hugo</short>            4  <description>Used for running Hugo's development server</description>            5  <port protocol="tcp" port="1313"/>            6</service>

             @@ -0,0 +1,4 @@            1# apt gets pulled in, but with /usr read-only doesn't make sense to run updates            2disable apt-daily.timer            3disable apt-daily-upgrade.timer            4disable apt-listchanges.timer

             @@ -0,0 +1,14 @@            1# SPDX-License-Identifier: LGPL-2.1-or-later            2# TODO: drop once https://gitlab.freedesktop.org/accountsservice/accountsservice/-/issues/89 is fixed            3            4[Unit]            5Description=Tell the accounts service about homed users            6After=systemd-homed.service accounts-daemon.service            7Before=systemd-user-sessions.service            8            9[Service]           10Type=oneshot           11ExecStart=/bin/bash -c "for n in $$(busctl call org.freedesktop.home1 /org/freedesktop/home1 org.freedesktop.home1.Manager ListHomes --json=pretty | jq -r '.data.[].[].[0]'); do busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s $$n; done"           12           13[Install]           14WantedBy=multi-user.target

             @@ -0,0 +1,3 @@            1enable opensnitch.service            2enable fprintd.service            3enable units_cur.timer

             @@ -0,0 +1,8 @@            1[Unit]            2Description=Update GNU Units currencies            3After=network-online.target            4Requires=network-online.target            5            6[Service]            7StateDirectory=units            8ExecStart=/usr/bin/units_cur

             @@ -0,0 +1,9 @@            1[Unit]            2Description=Update GNU Units currencies            3            4[Timer]            5OnCalendar=weekly            6Persistent=yes            7            8[Install]            9WantedBy=timers.target

             @@ -0,0 +1,7 @@            1[Unit]            2Description=Autorestic Backups Service            3            4[Service]            5ExecStart=/usr/bin/autorestic --ci cron            6ExecStartPost=/usr/bin/autorestic --ci forget            7Type=oneshot

             @@ -0,0 +1,9 @@            1[Unit]            2Description=Autorestic Backups Timer            3            4[Timer]            5OnCalendar=daily            6Persistent=yes            7            8[Install]            9WantedBy=timers.target

             @@ -0,0 +1,2 @@            1[Service]            2StateDirectory=logrotate