Merge branch 'main' into add_secure_boot

2025-12-25 10:57:55 +01:00 · 2024-03-18 14:36:32 -04:00 · 2024-03-18 14:36:32 -04:00 · ec0cd1e6ee
commit ec0cd1e6ee
parent cc4cfdfcde 3d85c93010
33 changed files with 1231 additions and 171 deletions
--- a/lorax_templates/cache_copy_dnf.tmpl
+++ b/lorax_templates/cache_copy_dnf.tmpl
@ -0,0 +1,3 @@
+<%page args="dnf_cache"/>
+
+runcmd bash -c "if [[ -e ${dnf_cache}_new ]]; then cp -R ${dnf_cache}/* ${dnf_cache}_new/; fi"
--- a/lorax_templates/flatpak_set_repo.tmpl
+++ b/lorax_templates/flatpak_set_repo.tmpl
@ -0,0 +1,8 @@
+<%page args="flatpak_remote_name, _flatpak_repo_url, version"/>
+% if int(version) >= 41:
+append etc/anaconda/conf.d/anaconda.conf "flatpak_remote = ${flatpak_remote_name} ${_flatpak_repo_url}"
+% else:
+replace "flatpak_manager\.add_remote\(\".*\", \".*\"\)" "flatpak_manager.add_remote(\"${flatpak_remote_name}\", \"${_flatpak_repo_url}\")" /usr/lib64/python*/site-packages/pyanaconda/modules/payloads/payload/rpm_ostree/flatpak_installation.py
+replace "flatpak_manager\.replace_installed_refs_remote\(\".*\"\)" "flatpak_manager.replace_installed_refs_remote(\"${flatpak_remote_name}\")" /usr/lib64/python*/site-packages/pyanaconda/modules/payloads/payload/rpm_ostree/flatpak_installation.py
+% endif
+
--- a/lorax_templates/install_set_installer.tmpl
+++ b/lorax_templates/install_set_installer.tmpl
@ -0,0 +1,4 @@
+<%page args="image_name, image_tag"/>
+
+append usr/share/anaconda/interactive-defaults.ks "ostreecontainer --url=/run/install/repo/${image_name}-${image_tag} --transport=oci --no-signature-verification"
+
--- a/lorax_templates/scripts/post/flatpak_configure
+++ b/lorax_templates/scripts/post/flatpak_configure
@ -0,0 +1,16 @@
+<%page args="_flatpak_repo_gpg, flatpak_remote_name"/>
+
+if [[ -d /ostree/deploy/default/var/lib/flatpak/repo ]]
+then
+    echo ${_flatpak_repo_gpg} | base64 -d > /ostree/deploy/default/var/lib/flatpak/repo/flathub.trustedkeys.gpg
+elif [[ -d /var/lib/flatpak/repo ]]
+then
+    echo ${_flatpak_repo_gpg} | base64 -d > /var/lib/flatpak/repo/flathub.trustedkeys.gpg
+else
+    echo "Could not find Flatpaks repo"
+fi
+
+if [[ "${flatpak_remote_name}" != 'fedora' ]]
+then
+    systemctl disable flatpak-add-fedora-repos.service
+fi
--- a/lorax_templates/scripts/post/install_configure_upgrades
+++ b/lorax_templates/scripts/post/install_configure_upgrades
@ -1,7 +1,7 @@
-<%page args="image_repo, _image_repo_double_escaped, image_name, image_tag"/>
-if (which bootc &> /dev/null)
+<%page args="image_repo, _image_repo_double_escaped, image_name, image_tag, _rhel, version"/>
+if (which bootc &> /dev/null) && [ ${_rhel} == 'false' && ${version} -ge 39 ]
 then
-  bootc switch ${image_repo}/${image_name}:${image_tag}
+  bootc switch --mutate-in-place --enforce-container-sigpolicy --transport registry ${image_repo}/${image_name}:${image_tag}
 else
  sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/${_image_repo_double_escaped}\/${image_name}:${image_tag}/' /ostree/deploy/default/deploy/*.origin
 fi
--- a/lorax_templates/scripts/post/secureboot_enroll_key
+++ b/lorax_templates/scripts/post/secureboot_enroll_key
@ -0,0 +1,26 @@
+<%page args="enrollment_password"/>
+## --nochroot
+
+set -oue pipefail
+
+readonly ENROLLMENT_PASSWORD=${enrollment_password}
+readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+	echo "EFI mode not detected. Skipping key enrollment."
+	exit 0
+fi
+
+if [[ ! -f "$SECUREBOOT_KEY" ]]; then
+	echo "Secure boot key not provided: $SECUREBOOT_KEY"
+	exit 0
+fi
+
+SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
+if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
+	echo "Steam Deck hardware detected. Skipping key enrollment."
+	exit 0
+fi
+
+mokutil --timeout -1 || :
+echo -e "$ENROLLMENT_PASSWORD\n$ENROLLMENT_PASSWORD" | mokutil --import "$SECUREBOOT_KEY" || :
--- a/lorax_templates/set_installer.tmpl.in
+++ b/lorax_templates/set_installer.tmpl.in
@ -1,2 +0,0 @@
-append usr/share/anaconda/interactive-defaults.ks "ostreecontainer --url=/run/install/repo/${IMAGE_NAME}-${IMAGE_TAG} --transport=oci --no-signature-verification"
-
				`@ -1,2 +0,0 @@`
				`append usr/share/anaconda/interactive-defaults.ks "ostreecontainer --url=/run/install/repo/${IMAGE_NAME}-${IMAGE_TAG} --transport=oci --no-signature-verification"`