Don't install microsoft fonts

.gitlab-ci.yml

@@ -19,8 +19,8 @@ variables:
   DOCKER_CERT_PATH: $DOCKER_TLS_CERTDIR/client
   RUST_LOG_STYLE: always
   BB_SIGNING_DRIVER: sigstore
-  BB_CACHE_LAYERS: 'true'
   BB_BUILD_PUSH: 'true'
+  BB_BUILD_CHUNKED_OCI: 'true'
   CLICOLOR_FORCE: 1
   TAG: main
 
@@ -42,8 +42,6 @@ base-images:
   extends:
     - .build
   stage: base-images
-  variables:
-    BB_BUILD_RECHUNK: 'true'
   rules:
     # Run when any of the base recipes change
     - changes:
@@ -63,10 +61,10 @@ base-images:
           # - base-nvidia.yml
           # - base-cosmic.yml
           # - base-cosmic-nvidia.yml
+          - base-kinoite.yml
+          - base-kinoite-nvidia.yml
           - base-combo.yml
           - base-combo-nvidia.yml
-          - base-kinoite.yml
-          # - base-kinoite-nvidia.yml
 
 wke-images:
   extends:
@@ -94,6 +92,18 @@ kinoite-images:
       - RECIPE:
           - cp-laptop.yml
 
+kinoite-nvidia-images:
+  extends:
+    - .build
+  stage: build
+  needs:
+    - job: 'base-images: [base-kinoite-nvidia.yml]'
+      optional: true
+  parallel:
+    matrix:
+      - RECIPE:
+          - pg-desktop-nvidia.yml
+
 combo-images:
   extends:
     - .build

files/archipelago/usr/share/applications/archipelago.desktop

@@ -0,0 +1,8 @@
+[Desktop Entry]
+Type=Application
+Name=Archipelago
+GenericName=Archipelago
+Icon=/opt/Archipelago/icon.png
+Exec=/opt/Archipelago/ArchipelagoLauncher
+Categories=Game;
+StartupNotify=false

files/base/usr/libexec/luks-disable-tpm2-autounlock

@@ -0,0 +1,95 @@
+#!/usr/bin/bash
+
+# Copyright 2025 Universal Blue
+# Copyright 2025 The BlueBuild Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+## disable auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
+set -euo pipefail
+
+[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
+
+echo "This script utilizes systemd-cryptenroll for removing tpm2 auto-unlock."
+echo "You can review systemd-cryptenroll's manpage for more information."
+echo "This will modify your system and disable TPM2 auto-unlock of your LUKS partition!"
+read -p "Are you sure are good with this and want to disable TPM2 auto-unlock? (y/N): " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+  [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+fi
+
+## Inspect Kernel Cmdline for rd.luks.uuid
+RD_LUKS_UUID="$(xargs -n1 -a /proc/cmdline | grep rd.luks.uuid | cut -d = -f 2)"
+
+# Check to make sure cmdline rd.luks.uuid exists
+if [[ -z ${RD_LUKS_UUID:-} ]]; then
+  printf "LUKS device not defined on Kernel Commandline.\n"
+  printf "This is not supported by this script.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+# Check to make sure that the specified cmdline uuid exists.
+if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
+  printf "LUKS device not listed in block devices.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+# Cut off the luks-
+LUKS_PREFIX="luks-"
+if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
+  DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
+else
+  echo "LUKS UUID format mismatch."
+  echo "Exiting..."
+  exit 1
+fi
+
+# Specify Crypt Disk by-uuid
+CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+
+# Check to make sure crypt disk exists
+if [[ ! -L "$CRYPT_DISK" ]]; then
+  printf "LUKS device not listed in block devices.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+## Restore the crypttab
+cp -a /etc/crypttab /etc/crypttab.working-before-disable-tpm2
+if [ -f /etc/crypttab.known-good ]; then
+  echo "Restoring /etc/crypttab.known-good to original /etc/crypttab"
+  mv /etc/crypttab.known-good /etc/crypttab
+fi
+
+## Wipe luks slot
+if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
+  echo "Wiping systemd-tpm2 from LUKS on $CRYPT_DISK"
+  systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
+else
+  echo "No systemd-tpm2 found in LUKS to wipe"
+fi
+
+## Disable initramfs
+if rpm-ostree initramfs | grep tpm2 > /dev/null; then
+  echo "WARNING: if you configured initramfs for anything other than TPM2, this wipes that too..."
+  echo "here's a printout:"
+  rpm-ostree initramfs
+  echo
+  echo "Disabling rpm-ostree initramfs..."
+  rpm-ostree initramfs --disable
+else
+  echo "TPM2 is not configured in 'rpm-ostree initramfs'..."
+fi
+
+echo "TPM2 auto-unlock disabled..."

files/base/usr/libexec/luks-enable-tpm2-autounlock

@@ -0,0 +1,122 @@
+#!/usr/bin/bash
+
+# Copyright 2025 Universal Blue
+# Copyright 2025 The BlueBuild Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
+set -eou pipefail
+
+[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
+
+echo "WARNING: Do NOT use this if your CPU is vulnerable to faulTPM!"
+echo "All AMD Zen2 and Zen3 Processors are known to be affected!"
+echo "All AMD Zen1 processors are also likely affected, with Zen4 unknown!"
+echo "If you have an AMD CPU, you likely shouldn't use this!"
+echo "----------------------------------------------------------------------------"
+echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
+echo "You can review systemd-cryptenroll's manpage for more information."
+echo "This script will modify your system."
+echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
+echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
+read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? (y/N): " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+  [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+fi
+
+## Inspect Kernel Cmdline for rd.luks.uuid
+RD_LUKS_UUID="$(xargs -n1 -a /proc/cmdline | grep rd.luks.uuid | cut -d = -f 2)"
+
+# Check to make sure cmdline rd.luks.uuid exists
+if [[ -z ${RD_LUKS_UUID:-} ]]; then
+  printf "LUKS device not defined on Kernel Commandline.\n"
+  printf "This is not supported by this script.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+# Check to make sure that the specified cmdline uuid exists.
+if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
+  printf "LUKS device not listed in block devices.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+# Cut off the luks-
+LUKS_PREFIX="luks-"
+if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
+  DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
+else
+  echo "LUKS UUID format mismatch."
+  echo "Exiting..."
+  exit 1
+fi
+
+SET_PIN_ARG=""
+read -p "Would you like to set a PIN? (y/N): " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+  SET_PIN_ARG=" --tpm2-with-pin=yes "
+fi
+
+# Specify Crypt Disk by-uuid
+CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+
+# Check to make sure crypt disk exists
+if [[ ! -L "$CRYPT_DISK" ]]; then
+  printf "LUKS device not listed in block devices.\n"
+  printf "Exiting...\n"
+  exit 1
+fi
+
+if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
+  KEYSLOT=$(cryptsetup luksDump "$CRYPT_DISK" | sed -n '/systemd-tpm2$/,/Keyslot:/p' | grep Keyslot|awk '{print $2}')
+  echo "TPM2 already present in LUKS keyslot $KEYSLOT of $CRYPT_DISK."
+  read -p "Wipe it and re-enroll? (y/N): " -n 1 -r
+  echo
+  if [[ $REPLY =~ ^[Yy]$ ]]; then
+    systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
+  else
+    echo
+    echo "Either clear the existing TPM2 keyslot before retrying, else choose 'y' next time."
+    echo "Exiting..."
+    [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
+  fi
+fi
+
+## Run crypt enroll
+echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 $SET_PIN_ARG "$CRYPT_DISK"
+
+
+if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
+  ## add tpm2-tss to initramfs
+  if rpm-ostree initramfs | grep tpm2 > /dev/null; then
+    echo "TPM2 already present in rpm-ostree initramfs config."
+    rpm-ostree initramfs
+    echo "Re-running initramfs to pickup changes above."
+  fi
+  rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss
+else
+  ## initramfs already containts tpm2-tss
+  echo "TPM2 already present in initramfs."
+fi
+
+## Now reboot
+echo
+echo "TPM2 LUKS auto-unlock configured. Reboot now."
+
+
+# References:
+#  https://www.reddit.com/r/Fedora/comments/uo4ufq/any_way_to_get_systemdcryptenroll_working_on/
+#  https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

files/justfiles/30-secureboot.just

@@ -0,0 +1,31 @@
+# Copyright 2025 Universal Blue
+# Copyright 2025 The BlueBuild Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+# Enroll Nvidia driver & KMOD signing key for secure boot - Enter password "wunker" if prompted
+enroll-secure-boot-key:
+    #!/usr/bin/bash
+    ENROLLMENT_PASSWORD="wunker"
+    SECUREBOOT_KEY=/etc/pki/akmods/certs/akmods-wunker-bunker.der
+    sudo mokutil --timeout -1
+    echo -e "$ENROLLMENT_PASSWORD\n$ENROLLMENT_PASSWORD" | sudo mokutil --import "$SECUREBOOT_KEY"
+    echo 'At next reboot, the mokutil UEFI menu UI will be displayed (*QWERTY* keyboard input and navigation).\nThen, select "Enroll MOK", and input "wunker" as the password'
+
+# Enable automatic LUKS unlock via TPM
+setup-luks-tpm-unlock:
+    #!/usr/bin/bash
+    sudo /usr/libexec/luks-enable-tpm2-autounlock
+
+# Disable automatic LUKS unlock via TPM
+remove-luks-tpm-unlock:
+    #!/usr/bin/bash
+    sudo /usr/libexec/luks-disable-tpm2-autounlock

files/scripts/install-archipelago.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+version="0.6.4"
+name="Archipelago_${version}_linux-x86_64"
+tarball="${name}.tar.gz"
+curl -sSfL "https://github.com/ArchipelagoMW/Archipelago/releases/download/${version}/${tarball}" -o "/tmp/${tarball}"
+
+tar xvf "/tmp/${tarball}" -C /opt/
+
+rm -f "/tmp/${tarball}"

files/scripts/install-bizhawk.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+version="2.10"
+name="BizHawk-${version}-linux-x64"
+tarball="${name}.tar.gz"
+curl -sSfL "https://github.com/TASEmulators/BizHawk/releases/download/${version}/${tarball}" -o "/tmp/${tarball}"
+
+mkdir -p /opt/BizHawk/
+tar xvf "/tmp/${tarball}" -C /opt/BizHawk/
+
+rm -f "/tmp/${tarball}"

files/scripts/installnvidiakmod.sh

@@ -28,9 +28,14 @@ fi
 curl -Lo /etc/yum.repos.d/negativo17-fedora-nvidia.repo https://negativo17.org/repos/fedora-nvidia.repo
 sed -i '/^enabled=1/a\priority=90' /etc/yum.repos.d/negativo17-fedora-nvidia.repo
 
-dnf install -y "kernel-devel-matched-$(rpm -q 'kernel' --queryformat '%{VERSION}')"
+dnf install -y --setopt=install_weak_deps=False "kernel-devel-matched-$(rpm -q 'kernel' --queryformat '%{VERSION}')"
-dnf install -y "akmod-nvidia*.fc${RELEASE}"
 
+dnf install -y --setopt=install_weak_deps=False akmods
+cp /usr/sbin/akmodsbuild /usr/sbin/akmodsbuild.backup
+# TODO remove this when fixed upstream
+sed -i '/if \[\[ -w \/var \]\] ; then/,/fi/d' /usr/sbin/akmodsbuild
+dnf install -y --setopt=install_weak_deps=False nvidia-kmod-common nvidia-modprobe
+mv /usr/sbin/akmodsbuild.backup /usr/sbin/akmodsbuild
 
 echo "Setting kernel.conf to $KERNEL_MODULE_TYPE"
 sed -i --sandbox "s/^MODULE_VARIANT=.*/MODULE_VARIANT=$KERNEL_MODULE_TYPE/" /etc/nvidia/kernel.conf

recipes/base-combo-nvidia.yml

@@ -2,7 +2,7 @@
 # yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
 name: combo-nvidia
 base-image: quay.io/fedora-ostree-desktops/kinoite
-image-version: 42
+image-version: 43
 description: The base image of Wunker OS with COSMIC and Plasma for Nvidia
 modules:
   - from-file: base/common.yml

recipes/base-combo.yml

@@ -2,7 +2,7 @@
 # yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
 name: combo
 base-image: quay.io/fedora-ostree-desktops/kinoite
-image-version: 42
+image-version: 43
 description: The base image of Wunker OS with COSMIC and Plasma
 modules:
   - from-file: base/common.yml

recipes/base/common.yml

@@ -13,24 +13,25 @@ modules:
       enabled:
         - bootc-fetch-apply-updates.timer
 
+  - type: justfiles
+    source: ghcr.io/blue-build/modules:pr-498
+    validate: true
+    install: true
+    include:
+      - 30-secureboot.just
+
   - type: dnf
     repos:
       cleanup: true
       nonfree: negativo17
-      copr:
-        - ublue-os/packages
-        - ublue-os/staging
     install:
+      skip-unavailable: true
       packages:
         - bootc
-        - ublue-os-just
-        - ublue-os-luks
-        - ublue-os-udev-rules
         - fedora-repos-archive
         - zstd
         - sbsign
         - alsa-firmware
-        - android-udev-rules
         - apr
         - apr-util
         - distrobox
@@ -135,11 +136,5 @@ modules:
       - curl -sSLo ${CSFG} https://raw.githubusercontent.com/coreos/fedora-coreos-config/refs/heads/stable/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator
       - chmod +x ${CSFG}
 
-      # Adjust ublue just recipes
-      - sed -i 's|rpm-ostreed-automatic\.timer|bootc-fetch-apply-updates.timer|g' /usr/share/ublue-os/just/10-update.just
-      - sed -i 's|update_command "rpm-ostree update"|update_command "sudo bootc upgrade"|g' /usr/share/ublue-os/just/10-update.just
-      - sed -i 's|/etc/pki/akmods/certs/akmods-ublue\.der|/etc/pki/akmods/certs/akmods-wunker-bunker.der|g' /usr/share/ublue-os/just/00-default.just
-      - sed -i 's|"universalblue"|"wunker"|g' /usr/share/ublue-os/just/00-default.just
-
       # Add SUDO_ASKPASS as a global environment
       - echo "SUDO_ASKPASS=/usr/libexec/openssh/ssh-askpass" >> /etc/environment

recipes/common/gaming.yml

@@ -5,12 +5,17 @@ modules:
     files:
       - source: steam-firewall
         destination: /
+      - source: archipelago
+        destination: /
   - type: dnf
     repos:
       cleanup: true
       nonfree: negativo17
     install:
       packages:
-        - https://github.com/ebkr/r2modmanPlus/releases/download/v3.2.3/r2modman-3.2.3.x86_64.rpm
+        - https://github.com/ebkr/r2modmanPlus/releases/download/v3.2.10/r2modman-3.2.10.x86_64.rpm
         - steam
         - mono-core
+  - type: script
+    scripts:
+      - install-archipelago.sh

recipes/common/jp-packages.yml

@@ -14,6 +14,7 @@ modules:
         - https://repository.mullvad.net/deb/mullvad-keyring.asc
     install:
       packages:
+        - xdg-terminal-exec
         - mullvad-vpn
         - mullvad-browser
         - borgbackup
@@ -37,9 +38,7 @@ modules:
         - nu
         - util-linux
         - carapace-bin
-        - https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
         - libreoffice
-        - https://github.com/balena-io/etcher/releases/download/v2.1.0/balena-etcher-2.1.0-1.x86_64.rpm
   - type: systemd
     system:
       enabled:

recipes/cp-laptop.yml

@@ -1,30 +1,31 @@
 ---
 # yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
 name: cp-laptop
-# base-image: ghcr.io/ublue-os/kinoite-main
 base-image: registry.gitlab.com/wunker-bunker/wunker-os/kinoite
-image-version: 42
+image-version: latest
 description: The image of Wunker OS for CP's laptop.
 modules:
+  - from-file: common/common.yml
   - type: dnf
-    # repos:
-    #   copr:
-    #     - iucar/rstudio
     install:
       packages:
+        - xdg-terminal-exec
         - borgbackup
         - vorta
         - libadwaita
         - cronie
         - fprintd
         - fprintd-pam
-        # - R
-        # - rstudio-desktop
         - libreoffice
         - https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
+        - mono-core
+  - type: files
+    files:
+      - source: archipelago
+        destination: /
+  - type: script
+    scripts:
+      - install-archipelago.sh
   - from-file: common/ms-fonts.yml
   - from-file: common/updates.yml
-  - type: copy
-    src: files/base/usr/share/plymouth
-    dest: /usr/share/plymouth
   - from-file: common/post-build.yml

recipes/jp-desktop-nvidia.yml

@@ -1,14 +1,8 @@
 ---
 # yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
 name: jp-desktop-nvidia
-# Bazzite
-# base-image: ghcr.io/ublue-os/bazzite-nvidia-open
-# image-version: "42.20250828.1"
-
-# Custom Base
 base-image: registry.gitlab.com/wunker-bunker/wunker-os/combo-nvidia
-# base-image: registry.gitlab.com/wunker-bunker/wunker-os/cosmic-nvidia
+image-version: latest
-image-version: 42
 description: The image of Wunker OS for JP's desktop gaming.
 blue-build-tag: none
 nushell-version: none

recipes/jp-laptop.yml

@@ -1,10 +1,8 @@
 ---
 # yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
 name: jp-laptop
-# base-image: ghcr.io/ublue-os/bazzite
-# image-version: "42.20250828"
 base-image: registry.gitlab.com/wunker-bunker/wunker-os/combo
-image-version: 42
+image-version: latest
 description: The image of Wunker OS for JP's Laptop.
 stages:
   - from-file: common/helix.yml

recipes/pg-desktop-nvidia.yml

@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
+name: pg-desktop-nvidia
+base-image: registry.gitlab.com/wunker-bunker/wunker-os/kinoite-nvidia
+image-version: latest
+description: The image of Wunker OS for PG's desktop gaming.
+modules:
+  - from-file: common/common.yml
+  - from-file: common/updates.yml
+  - from-file: common/ms-fonts.yml
+  - from-file: common/gaming.yml
+  - type: dnf
+    install:
+      packages:
+        - https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
+        - libadwaita
+  - from-file: common/post-build.yml

recipes/wke-fw-desktop.yml

@@ -2,7 +2,7 @@
 # yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
 name: wke
 base-image: registry.gitlab.com/wunker-bunker/wunker-os/base
-image-version: 42
+image-version: latest
 description: The image of Wunker OS for RKE2 Worker
 alt-tags:
   - fw-desktop

recipes/wke-server.yml

@@ -2,7 +2,7 @@
 # yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
 name: wke
 base-image: registry.gitlab.com/wunker-bunker/wunker-os/base
-image-version: 42
+image-version: latest
 description: The image of Wunker OS for RKE2 Server
 alt-tags:
   - server

recipes/wke-worker.yml

@@ -2,7 +2,7 @@
 # yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json
 name: wke
 base-image: registry.gitlab.com/wunker-bunker/wunker-os/base
-image-version: 42
+image-version: latest
 description: The image of Wunker OS for RKE2 Worker
 alt-tags:
   - worker