Compare commits

No commits in common. "master" and "poky-zeus" have entirely different histories.

690 changed files with 34125 additions and 22465 deletions

@ -55,7 +55,7 @@ kernel-test: ## Boot kernel with Qemu ('ctrl-a x' to exit qemu)
@scripts/qemu-boot kernel
install-build-deps:
sudo apt install --no-install-recommends build-essential python3-full bzip2 cpio chrpath diffstat file texinfo inkscape libgmp-dev libmpc-dev libelf-dev gawk wget debootstrap lz4 zstd
sudo apt install --no-install-recommends build-essential python bzip2 cpio chrpath diffstat file texinfo inkscape libgmp-dev libmpc-dev libelf-dev gawk wget debootstrap
$(REALMFS_IMAGE):
@mkdir -p build/realmfs
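Review bot: under `install-build-deps`, the second `sudo apt install` line asks for the unversioned `python` package, which recent Debian and Ubuntu releases no longer provide, so the target errors out on a current build host. It also omits `lz4` and `zstd`, which the line above it lists; either keep `python3-full lz4 zstd` or note in the Makefile which host release this dependency list is meant for.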

1
docs/.gitignore vendored

@ -1 +0,0 @@
pages/

@ -1,25 +0,0 @@
DUCKFILES= $(notdir $(wildcard duck/*.duck))
PAGES= $(addprefix pages/, $(DUCKFILES:.duck=.page))
OUTDIR= pages
RECIPE_PAGES_DIR= ../meta-citadel/recipes-citadel/citadel-documentation/files/pages
.PHONY: directories clean
all: directories $(PAGES)
install: directories $(PAGES)
rm -f ${RECIPE_PAGES_DIR}/*.page
cp $(PAGES) ${RECIPE_PAGES_DIR}
clean:
rm $(PAGES)
directories: ${OUTDIR}
${OUTDIR}:
mkdir -p ${OUTDIR}
pages/%.page: duck/%.duck
ducktype -o $@ $<

@ -1,26 +0,0 @@
## Writing documentation
http://projectmallard.org/ducktype/1.0/index.html
## Building documentation
Building the documentation requires the 'ducktype' utility. The makefile will use this
command to generate a directory of .page files from the .duck files in the /duck directory.
$ sudo apt install ducktype
$ make
## Reading documentation
After generating the documentation it can be previewed by running yelp on the /pages directory:
$ yelp pages
## Installing documentation
After making changes to the documentation, run 'make install' to update the set
of .page files in the citadel-documentation recipe.
$ make install

@ -1,84 +0,0 @@
= Booting Citadel
[topic]
@link[guide >index#internals]
== Disk Layout
When Citadel is installed two disk partitions are created on the target disk.
[screen]
sda 8:0 0 477G 0 disk
├─sda1 8:1 0 511M 0 part
└─sda2 8:2 0 476.5G 0 part
The first partition is an EFI boot partition and the second partition is LUKS encrypted
and contains multiple LVM volumes when decrypted.
[screen]
[[[
/dev/sda1 /dev/sda2
[EFI ESP Boot partition] [ LUKS encrypted partition filling remainder of disk ]
. .
. .
. | .
. | .
. V .
. .
[ rootfsA ] [ rootfsB ] [ citadel-storage ]
]]]
There are three logical volumes. Two root filesystem partitions so that one partition
can be updated while the other one is in use, and the remaining space is contained
in a volume called 'storage'.
[screen sh]
# lvs
LV VG Attr LSize
rootfsA citadel -wi-a----- 2.00g
rootfsB citadel -wi-ao---- 2.00g
storage citadel -wi-ao---- 472.43g
=== Bootloader
==== LUKS
The kernel initramfs has an /etc/crypttab file which guides the discovery of the LUKS partition.
The UUID of the LUKS partition is hardcoded to the value listed below. If citadel is installed
on more than one device on the system, the intended LUKS partition may not be chosen correctly.
This problem can be addressed by changing the UUID of other citadel LUKS partitions and passing
the UUID on kernel commandline to override /etc/crypttab. See systemd-cryptsetup-generator(8).
[screen sh]
# cat /etc/crypttab
luks UUID=683a17fc-4457-42cc-a946-cde67195a101 - discard
==== Mounting rootfs
The initramfs boot stage is orchestrated by various systemd unit files which can be found
in the citadel source tree at:
[screen]
citadel/meta-citadel/recipes-initrd/citadel-initramfs
The same kernel and initramfs is used for the installer image. One task of these unit files
is to set up a live mode boot when a certain kernel command line option is set. For a regular
boot, a pair of unit files will attempt to mount the root filesystem partition when it becomes
available:
[screen]
citadel-rootfs-mount.path
citadel-rootfs-mount.service
The .path unit triggers every time /dev/mapper changes and the corresponding .service unit is
activated only when all of the LVM volumes inside
[screen]
ConditionPathExists=/dev/mapper/citadel-rootfsA
ConditionPathExists=/dev/mapper/citadel-rootfsB
ConditionPathExists=/dev/mapper/citadel-storage
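Review bot: the `==== LUKS` paragraph is where the hardcoded crypttab UUID and the workaround for machines with more than one Citadel install are written down, and nothing in the docs/realms.md lines shown in this comparison replaces it. If the page is ported rather than dropped, also finish the sentence that stops at "all of the LVM volumes inside" before the three `ConditionPathExists=` lines, and say what the `discard` option in the crypttab entry is there for.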

@ -1,61 +0,0 @@
= Subgraph Citadel
[topic]
@link[guide >index]
@desc Introduction to Subgraph Citadel
== What is Citadel?
Citadel is the core operating system of the new version of Subgraph OS.
Citadel includes the GNOME desktop session and a few basic system services and
nothing else. It is built and distributed as a single static disk image
rather than as a collection of software packages like a traditional Linux
distribution such as Ubuntu or Fedora. Citadel disk images are built entirely
from the source code of the individual software components. This gives us
complete control over what is included and how each component is configured.
[note .advanced]
Citadel is a modern desktop operating system based on the GNOME desktop, but if you
prefer we also include an tiling window manager called Sway as an alternative.
Since the Citadel root filesystem is immutable it is not possible to install
applications such as a web browser or text editor directly into Citadel.
Instead applications are run in a separate isolated environment called a Realm.
When Citadel is first installed a single primary Realm is created and while running
a single realm the system resembles and behaves similar to any other desktop Linux
system. The separation between Citadel and the realm in which user applications are
launched is mostly transparent to the user. However, a user may create as many new
realms as they like and each new realm behaves like a freshly installed Debian Linux
environment where the user may install packages and store files.
Realms are implemented in Subgraph OS as either containers or as virtual machines
running in a custom KVM hypervisor. Both approaches have advantages so the user is
free to choose either option for each realm they create.
[note .advanced]
Hypervisor isolation is stronger and more secure, but container isolation uses
less system resources and makes it possible to access hardware devices and other
system features directly. A Citadel user can decide which configuration makes
more sense for each Realm they create.
=== Stateless Foundation
In the architecture of Citadel the building blocks of the system are
immutable filesystem images rather than packages. These images are mounted
read-only and this property is enforced with a Linux kernel feature (dm-verity)
which efficiently guarantees each block loaded from disk has a valid
cryptographic checksum. This means that Citadel always loads exactly the
operating system software prepared by Subgraph and rebooting the system will
always brings the computer into a known consistent state.
When Citadel is updated an entirely new image is loaded rather than applying
a set of changes on top of an existing filesystem. By atomically updating the
entire system from one version to the next there is only ever a single software
configuration to consider and the system can never end up in an inconsistent state.
System upgrades cannot break your computer in mysterious ways and even if an
upgrade fails to boot for some reason, the system simply reverts to the
previously working version.

@ -1,26 +0,0 @@
= Developer Guide
[topic]
@link[guide >index#internals]
== Make Root Filesystem Writable
Sometimes it can be useful to make changes directly to the citadel root filesystem to
experiment with changes or to debug a problem.
First $code(citadel.noverity) must be added to the kernel commandline. After booting with
this command line option verify that dm-verity has been disabled with the $code(dmsetup)
command.
[screen]
# dmsetup status rootfs
0 4194304 linear
If the output displays $code(verity) instead of $code(linear) then dm-verity is enabled
and the disk cannot be safely written to.
Next remount the root filesystem with read-write flag.
[screen]
# mount -oremount,rw,noatime /
== Debugging GNOME startup

@ -1,198 +0,0 @@
= Disk Layout
[topic]
@link[guide >index#internals]
@desc A Hands-on guide the Citadel Disk and Filesystem Layout
== Partitions
During installation, two partitions are created on the disk chosen as
the target of the install.
For example, if the installation disk is $code(/dev/sda):
[terms]
- $code(/dev/sda1)
* 512MB EFI System Partition
- $code(/dev/sda2)
* Remainder of the disk
The partition layout of a running system can be viewed by running the $code(lsblk) command.
[screen]
citadel:~ # lsblk /dev/sda
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 477G 0 disk
├─sda1 8:1 0 511M 0 part
└─sda2 8:2 0 476.5G 0 part
└─luks 252:0 0 476.4G 0 crypt
├─citadel-rootfsA 252:1 0 2G 0 lvm
│ └─rootfs 252:4 0 354M 1 crypt /
├─citadel-rootfsB 252:2 0 2G 0 lvm
└─citadel-storage 252:3 0 472.4G 0 lvm /storage
Several further block devices are created during boot when the main disk partition
is decrypted.
[screen]
sda
├─sda1 (a) /boot partition
└─sda2 (b) LUKS encrypted partition
└─citadel (c) LVM volume group
├─citadel-rootfsA (d1) rootfs partition A (Read Only)
│ └─rootfs (e) The dm-verity device created for rootfsA
├─citadel-rootfsB (d2) rootfs partition B (Read Only)
└─citadel-storage (f) mounted as /storage (Read/Write)
[terms]
- $code((a) /boot partition)
* EFI boot partition
- $code((b) LUKS encrypted partition)
* Remainder of disk is an encrypted volume
- $code((c) LVM volume group)
* Main partition contains several LVM volumes
- $code((d) citadel-rootfs(A/B))
* Two root partitions so one can be updated while other is in use.
- $code((e) /dev/mapper/rootfs)
* verity mapper device for mounted root partion
- $code((f) /dev/mapper/citadel-storage)
* The writable filesystem
== Citadel Filesystem Layout
[code]
/
├─ /run/citadel/images/
│ │
│ ├─ modules.mountpoint/ (modules image mounted here)
│ └─ extra.mountpoint/ (extra image mounted here)
└─ /storage
├─ resources/dev (resource images for channel 'dev')
│ │
│ ├─base-realmfs.img
│ └─main-realmfs.img
├─ /realms (/realms is a bind mount of /storage/realms)
│ ├─skel/
│ └─config
├─ /realms/realmfs-images
│ │
│ ├─citadel-kernel-5.7-dev-001.img
│ └─citadel-extra-dev-001.img
└─ /realms/realm-main
├─ home
└─ config
== Resource Image Mounts
Resource images are mounted into the system by creating loop devices. These devices can be
viewed by running the 'losetup' command inside Citadel.
[screen]
citadel:~ # losetup -ONAME,OFFSET,RO,BACK-FILE
NAME OFFSET RO BACK-FILE
/dev/loop1 4096 1 /storage/resources/dev/citadel-extra-dev-001.img
/dev/loop2 4096 1 /storage/realms/realmfs-images/main-realmfs.img
/dev/loop0 4096 1 /storage/resources/dev/citadel-kernel-5.0.6-dev-000.img
Resource image files are protected against accidental changes or malicious tampering by
using dm-verity so that the kernel verifies a cryptographic checksum of each block loaded
from the image.
You can view the verity device mapper node associated with each loop device with
the $code(lsblk) command.
[screen]
citadel:~ # lsblk /dev/loop0 /dev/loop1 /dev/loop4
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 116.9M 1 loop
└─verity-kernel 252:5 0 116M 1 crypt /run/citadel/images/kernel.mountpoint
loop1 7:1 0 938.9M 1 loop
└─verity-extra 252:6 0 931.5M 1 crypt /run/citadel/images/extra.mountpoint
loop2 7:2 0 4G 1 loop
└─verity-realmfs-main-11922f31 252:9 0 4G 1 crypt /run/citadel/realmfs/realmfs-main-11922f31.mountpoint
Parameters of each dm-verity instance can be viewed with the veritysetup command.
[screen]
citadel:~ # veritysetup status verity-kernel
/dev/mapper/verity-kernel is active and is in use.
type: VERITY
status: verified
hash type: 1
data block: 4096
hash block: 4096
hash name: sha256
salt: fa430cb7887de60dca6fd1974868036ea39cf5017eb55f02e3a76f82a12a0431
data device: /dev/loop0
data loop: /storage/resources/dev/citadel-kernel-5.0.6-dev-000.img
size: 237536 sectors
mode: readonly
hash device: /dev/loop0
hash loop: /storage/resources/dev/citadel-kernel-5.0.6-dev-000.img
hash offset: 237544 sectors
When a resource image file is mounted, a file in the root directory called 'manifest' lists
bind mounts to perform to integrate the image into the Citadel root filesystem.
Each line of this file is a directory to bind mount from the mounted image to the root
filesystem. If a directory should be mounted to a location which is different than
the source directory the source and target directories are both listed on a single
line and separated by the ':' character. In the 'extra' image below, the directory
/usr/share from the resource image is mounted to /opt/share on the Citadel filesystem.
[screen]
citadel:~ # cat /run/citadel/images/kernel.mountpoint/manifest
/usr/lib/modules
citadel:~ # cat /run/citadel/images/extra.mountpoint/manifest
/usr/lib/firmware
/usr/share:/opt/share
The citadel-image utility can be used to view the metainfo variables stored in the header
section of a resource image file.
[screen]
citadel:~ # citadel-image metainfo /storage/resources/dev/citadel-extra-dev-001.img
image-type = "extra"
channel = "dev"
version = 1
timestamp = "20190331172025"
nblocks = 195924
shasum = "04e6f58afa6f608aff2d6cbb47cbe704f8ab0995f4dfe8e1c03655dc9bb6635a"
verity-salt = "7bf3eec3c51ffd2e82329a9fc6fe42915743874d7c5af43589e589c037ae81e5"
verity-root = "b94eb3431c4fb95e5b9bd62b4505d089414ae660d75eee0fce54b8483d3f9571"
citadel:~ # citadel-image metainfo /storage/resources/dev/citadel-kernel-5.0.6-dev-000.img
image-type = "kernel"
kernel-version = "5.0.6"
kernel-id = "36b7a960dcd51d1649f83a7361f9eb5c2af5741ce6cc53689b411347aa1298b6"
channel = "dev"
version = 1
timestamp = "20190407002748"
nblocks = 29692
shasum = "c988bd7d468c409eb6cd3af8fa9e17b0a75a72d6ad765ad1749d15628a9096be"
verity-salt = "fa430cb7887de60dca6fd1974868036ea39cf5017eb55f02e3a76f82a12a0431"
verity-root = "f4c4fbaebb59d348bd44cfb1cdef54a813728aabc5acc439c2e739b63c1b8370"
RealmFS images also have a resource image header with a slightly different set of
metainfo variables.
[screen]
citadel:~ # citadel-image metainfo /storage/realms/realmfs-images/main-realmfs.img
image-type = "realmfs"
realmfs-name = "main"
nblocks = 1048575
channel = "realmfs-user"
verity-salt = "ad254e6dd385c0392ed8a6a41b849cfd4ef98ec3643e186feb011d5aa4f1d194"
verity-root = "11922f311b5a9141d65b7ef82e1c9159d75e413d1b420a7e3302ec8ec0ad8593"

@ -1,11 +0,0 @@
= Citadel Help
[guide]
== User Guide
[#user .2column]
== Citadel Internals
[#internals .2column]

@ -1,13 +0,0 @@
= Kernel Command Line Options
[topic]
@link[guide >index#internals]
* citadel.noverity
* citadel.nosignatures
* citadel.install
* citadel.overlay
* citadel.channel
* citadel.verbose
* citadel.debug
* citadel.sway

@ -1,88 +0,0 @@
= Configuring Realms
[topic]
@link[guide >index#user]
@desc Realm configuration file reference
Realms are usually configured with the tools for managing realms, but the configuration
is stored in a TOML file in the realm directory and can also be edited by hand.
== Options
[terms]
- $code(use-wayland)
* If 'true' access to Wayland display will be permitted in realm by
adding wayland socket /run/user/1000/wayland-0
- $code(use-x11)
* If 'true' access to X11 server will be added to realm by bind mounting directory
/tmp/.X11-unix
- $code(use-sound)
* If 'true' allows the use of sound inside realm. The following items will
be added to realm:
* /dev/snd
* /dev/shm
* /run/user/1000/pulse
- $code(use-kvm)
* If enabled, /dev/kvm will be added to the realm.
This option is only available for nspawn realms.
- $code(use-shared-dir)
* If enabled the directory /realms/Shared will be bind mounted into the home directory of the realm.
This directory is shared between all running realms that have this option enabled as a
convenient way to move files between realms.
- $code(use-ephemeral-home)
* If 'true' the home directory of this realm will be set up in ephemeral mode.
The ephemeral home directory is set up with the following steps
[steps]
* Home directory is mounted as tmpfs
* Any files in /realms/skel are copied into home directory
* Any files in /realms/realm-${name}/skel are copied into home directory
* Any directories listed in $code(ephemeral-persistent-dirs) are bind mounted
from /realms/realm-${name}/home into ephemeral home directory.
- $code(ephemeral-persistent-dirs) default: ["Documents"]
* A list of subdirectories of /realms/realm-${name}/home to bind mount into realm
home directory when $code(ephemeral-home) is enabled.
- $code(use-network)
* network
- $code(network-zone) default: "clear"
* network zone
- $code(use-gpu)
* Enables hardware graphics acceleration in relam.
if 'true' render node device /dev/dri/renderD128 will be added to realm.
- $code(use-gpu-card0)
* If 'true' and $code(use-gpu) is also enabled, privileged device /dev/dri/card0
will be added to realm.
- $code(realmfs) default: "base"
* name of realmfs image
- $code(overlay) default: "storage"
* type of overlay to use
- $code(terminal-scheme)
* terminal color scheme
- $code(extra-bindmounts)
* bind mounts
- $code(extra-bindmounts-ro)
* read-only bind mounts
- $code(system-realm) default: false
* system realm
- $code(autostart) default: false
* autostart realm
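Review bot: the option is introduced as `use-ephemeral-home` but the `ephemeral-persistent-dirs` entry refers to it as `ephemeral-home`; one of the two names is wrong and a user copying it into the realm TOML file cannot tell which. Several entries (`use-network`, `network-zone`, `extra-bindmounts`, `system-realm`, `autostart`) only repeat the option name as their description, and `use-gpu-card0` calls /dev/dri/card0 a privileged device without saying what a realm gains by having it, so those need real text if this reference is kept.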

@ -1,139 +0,0 @@
= RealmFS Images
[topic]
@link[guide >index#user]
@desc Realm root filesystem images
A RealmFS image contains a root filesystem for one or more realm instances.
Similar to resource images, RealmFS images are signed and mounted with dm-verity
to prevent tampering with the data on the root filesystem such as the
installation of malware or backdoors. The keys used to sign RealmFS images are
controlled by the user which makes it possible to upgrade software and install
new packages on the image.
RealmFS images are always mounted as read-only and this property is enforced
with dm-verity. Since RealmFS images are immutable a single image can be shared
between multiple running realm instances. By default, when a realm is launched a
temporary overlay is added to the root filesystem so that changes can be
performed that will last only until the realm is stopped or restarted. This
allows experimenting with the system configuration or installing new software
temporarily. The root filesystem can then be reverted to the original state by
simply restarting the realm.
== Updates
Since the root filesystem of realms are stored on read-only disk images,
packages cannot be permanently installed or upgraded in the usual way. Changes
to the root filesystem will succeed inside a realm, but these changes will be
lost as soon as the realm is stopped or restarted.
To make persistent changes to a RealmFS image, the image is first copied, then
changes are applied to the copy. After applying changes a new dm-verity hash
tree is generated for the image and the RealmFS image header is updated and
signed.
[note .advanced]
The process of generating a signature and a dm-verity hash tree for a RealmFS image
after applying some changes such as updating packages is called $em[.strong](Sealing)
the image.
=== Apt-Cacher NG Realm
Upon booting a system utility realm is started which runs an Apt-Cacher NG
instance. Each realm is configured to use this realm as a proxy for package
installation.
[code]
/etc/apt/apt.conf.d/000apt-cacher-ng-proxy
Acquire::http::Proxy "http://172.17.0.213:3142/";
The apt source lines use the special Apt-Cacher NG syntax.
[code]
/etc/apt/sources.list
deb http://HTTPS///deb.debian.org/debian bullseye main contrib non-free
Using a package cache avoids downloading and storing packages multiple times
when updating multiple RealmFS images. It also makes it possible to download and
cache packages while connected to a network before booting the system into a
safe mode without enabling the network to perform upgrades of realm packages.
=== Updates (Container method)
First the RealmFS image is copied to a temporary file. On a filesystem such as
btrfs, the image file will be cloned as a reflink rather than copying the file.
The copy of the RealmFS will then be mounted as writable so that changes can be
made. A systemd-nspawn container is launched and a root shell opened so that the
user can update packages, install new software, or perform any other
modifications to the root filesystem.
Once the shell is exited a prompt asks the user if they would like to save the
current changes or discard them. If the user chooses to save the changes, the
copied image is then sealed by generating a dm-verity hash tree and the header
of the image is signed with the user RealmFS sealing key.
=== Updates with pH Hypervisor
When a realm is launched with pH, the overlay is managed by the emulated disk
device of the hypervisor which tracks changes to blocks of the disk and stores
the changed blocks in memory. Since the hypervisor is tracking all of the
changes to the disk, it can also transparently apply the changes and generate a
new sealed RealmFS image and then discard the changed blocks and start directly
using the new image.
This process is initiated by the user when they decide they would like to commit
any changes they have made to the root filesystem in the running realm
permanently to the underlying RealmFS image.
[steps]
* The user makes changes to the root filesystem of the realm and pH tracks the blocks that have changed.
* A user request is made to pH to apply the changes to the RealmFS image.
* pH opens a prompt on the desktop to ask the user to confirm that they really did make this request.
* A copy (or reflink) of the current RealmFS is made, and pH applies the changed blocks to this copy.
* The copy is then sealed with the RealmFS key of the user.
* Now pH can quietly swap in the new version of the RealmFS image and discard all of the tracked block changes.
== Signing RealmFS Images
A secret key for signing RealmFS images is generated during installation and
stored on disk in an encrypted file called the User Keyring. During boot
when the user enters a passphrase to decrypt the disk, this passphrase is also
used to decrypt the keyring file and the public and secret key pair is
loaded into the kernel key storage.
The risk exists that an attacker who is able to compromise the kernel may
recover this secret key. This would allow the attacker to modify sealed RealmFS
images and install backdoors or other malware into realm root filesystems. Even
without obtaining the signing key an attacker who has compromised Citadel could
wait for the user to perform an update and make malicious changes at the same
time which the user will then sign.
For these reasons, it is also possible to configure the system so that only
the public key is retained in the kernel upon boot and the user must boot
into a special mode so that the private key is available to perform updates.
=== Safe Mode
If upgrades are performed in normal operating mode, an attacker who has
compromised citadel can persistently backdoor the upgraded realmfs images.
Safe mode is a way to boot citadel without starting any realms or enabling the
network device. Since the integrity of the Citadel root filesystem is enforced
by dm-verity and no realms are running, even if the system had become compromised
at some point in the past it is assumed to now be in a safe state for performing
updates and signing them with the user sealing keys.
Since the network is not available in safe mode, the packages to be installed or
upgraded must be stored somewhere. By either performing the packge updates with
the $code(--download-only) flag or installing them to the temporary overlay of a realm
the user will cause them to be stored on the Apt-Cache NG service realm so that
they are available for install in safe mode.
== Base RealmFS image
Citadel ships with a RealmFS image called $code(base-realmfs.img). There is nothing
special about this image other than that it is initially signed by Subgraph until
the user modifies or updates it. During installation, a copy of this RealmFS is
created with the name $code(main-realmfs.img) and sealed with the newly generated
user keys.
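Review bot: the `=== Safe Mode` section treats the booted system as safe because dm-verity covers the Citadel rootfs and no realms run, but its last paragraph has the packages for the update fetched beforehand, in normal mode, and held by the Apt-Cacher NG realm. The text should state what authenticates those cached packages when they are installed in safe mode, since the cache was filled while the system may have been compromised. The service is also spelled "Apt-Cache NG" there and "Apt-Cacher NG" earlier in the page.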

@ -1,56 +0,0 @@
= Citadel Realms
[topic]
@link[guide >index#user]
Citadel contains only the base operating system and the GNOME desktop, it does not
include any applications. To be able to install and run applications Citadel can
create spaces which are called Realms.
A Realm is a container similar to a Docker or LXC container in which any Linux
distribution could be installed. We use a Debian based image but it would not be
difficult to create an image for another Linux distribution.
The realm containers are launched with systemd-nspawn but this is a detail of
how they are implemented and not something it is necessary to learn about in
order to use them.
== The $em(current) realm
Multiple realms may be launched at once but the GNOME Desktop is only associated with
one of the running realms. This realm is called the `current` realm.
When displaying applications available to launch from the desktop, GNOME will only
be aware of applications that are installed in the realm which is set as `current`
and any application launched from the desktop will run inside this current realm.
Setting another realm as current does not affect any applications that are already running.
Changing the current realm only means that any further applications which are launched
will now run in the newly chosen realm.
== Realm directory layout
The realms base directory is stored on the storage partition at `/storage/realms` and is bind mounted to `/realms` on the root filesystem for convenience.
[screen]
/realms
config
/Shared
/skel
/default.realm -> realm-main
/realm-main
/realm-project
/realm-testing
=== /realms/config
This is the global realm configuration file. Options set in this file apply to every realm
unless the same option has been overridden with a different value in the config file for
a realm.
=== /realms/Shared
This directory is bind mounted to `/home/user/Shared` of each running realm that has
the option `use-shared-dir` enabled. It's a convenient way to move files between
different realms and between citadel and realms.

@ -1,242 +0,0 @@
= Citadel Resource Images
[topic]
@link[guide >index#internals]
Resource images are disk image files that are mounted read-only to create
the citadel filesystem. The first block (4096 bytes) of the image file
contains a header and immediately following the header is the raw disk
image contents.
The header contains information about the image including parameters for
configuring dm-verity to enforce the immutability of the image. The header
also contains a public key signature over the image information so that
the authenticity of the header information can be verified.
The root filesystem of citadel is also distributed as a resource image, and
this image will be installed to a disk partition for normal operation.
Resource images other than the root filesystem are mounted by creating loop
devices on the image file. Prior to mounting the image dm-verity is configured
on the loop device or the rootfs partition.
== Resource Image Types
Currently the following image types are defined for use in Citadel:
=== 1) Base Root Filesystem ("rootfs")
The base rootfs image is the only image type which is installed to a
partition. It is mounted as the root of the Citadel filesystem. When an
image is installed on a partition the 4906 byte header block is stored in
the last block (8 sectors) of the partition.
Citadel uses two partitions (A & B) for the root filesystem. This allows
updating one partition while the other one is being used. Then the system
can be rebooted into the updated rootfs partition. If the system fails to
boot after updating it will be reverted to use the working partition.
=== 2) Kernel Image ("kernel")
The kernel modules for the running kernel are stored in a resource image
so that the root filesystem is independent from the running kernel.
During boot, this image is mounted and the kernel modules and a bind mount
is created over /usr/lib/modules on the Citadel root filesystem.
=== 3) Extra Resource Image ("extra")
This image type contains additional directories of files which are mounted
during boot on the Citadel root filesystem. It contains files such as
firmware files and desktop icons which occupy substantial space but do not
need to be updated frequently.
By placing these files into a separate image the size of the root filesystem
image is reduced. This makes the more frequently updated rootfs image
smaller.
=== 4) Realm Filesystem Image ("realmfs")
This type of image contains the entire root filesystem for running a realm
container or VM. Unlike the other types of resource images, these images can
be modified and then signed with keys controlled by the user. This allows
updates and installation of software while still preserving the read-only
property.
=== Image Layout
Each resource image file reserves an initial 4096 byte block where a header is
stored. This is the maximum length of the header, which is generally much
smaller than this size.
Following the header is a raw disk filesystem image which may optionally be
compressed with xz compression algorithm. The disk image filesystem is ext4,
but this is an implementation detail which may change in the future. A header
flag (FLAG_DATA_COMPRESSED) indicates if an image is compressed and if so the
image must be decompressed before being used. Image updates are distributed in
compressed form and are decompressed once during installation.
When dm-verity is used a hash tree must be generated for the image. When an
image is installed it is first decompressed and then the dm-verity hash data
is generated. This hash data is stored in the image file immediately following
the image data and the flag FLAG_HASH_TREE is set to indicate this data is
present.
Image file:
[code]
[[[
[ Header ][ Ext4 Disk Image ][ dm-verity hash data ]
]]]
Partition:
[code]
[[[
[ Ext4 Disk Image ][ dm-verity hash data ][ unused space ][ Header ]
]]]
== Image Header
The image header contains the following fields.
[table]
[tr]
- Field
- Size
- Content
[tr]
* MAGIC
* 4 bytes
* ('S', 'G', 'O', 'S')
[tr]
* status
* 1 byte
* Used by images installed to partition
[tr]
* flags
* 1 byte
* Various flag values
[tr]
* metainfo-len
* 2 bytes
* 16 bit big-endian length
[tr]
* metainfo
* (metainfo-len) bytes
* TOML document containing key-value pairs
[tr]
* signature
* 64 bytes
* ed25519 signature over metainfo field
=== Header Fields
==== MAGIC
The initial 4 bytes are always set to the ascii bytes 'SGOS' so that a
valid image file can easily be identified.
==== status
The `status` field is used only on base rootfs image installed on a partition.
It must be set to 0 for all other images. The field is used to make decisions
about which parition to attempt to boot.
The status value is stored in the low nibble (4 bits) of this field and the
high nibble is reserved for counting boot attempts in `STATUS_TRY_BOOT` state.
The defined status values are:
[table]
[tr]
- status
- value
- description
[tr]
* STATUS_INVALID
* 0
* Partition does not contain a valid image
[tr]
* STATUS_NEW
* 1
* Newly written partition which has not yet been booted
[tr]
* STATUS_TRY_BOOT
* 2
* Set when booting a partition for the first time
[tr]
* STATUS_GOOD
* 3
* Partition has been successfully booted at least once
[tr]
* STATUS_FAILED
* 4
* Partition has failed to boot
[tr]
* STATUS_BAD_SIG
* 5
* Signature verification on metainfo failed
[tr]
* STATUS_BAD_META
* 6
* Parsing metainfo field failed
==== flags
[table]
[tr]
- flag
- value
- description
[tr]
* FLAG_PREFERRED_BOOT
* 0x01
* Override boot choice to boot from this partition
[tr]
* FLAG_HASH_TREE
* 0x02
* Image contains an appended dm-verity hash tree
[tr]
* FLAG_DATA_COMPRESSED
* 0x04
* Image is compressed with xz
==== metainfo-len
Length in bytes of the `metainfo` field.
Since header page has a fixed size of one block (4096 bytes), and all other
header fields have fixed sizes the maximum length of the `metainfo` field is
4096 - (4 + 2 + 2 + 64) = 4024 bytes
==== metainfo
==== signature
When the rootfs partition is chosen to mount, an attempt will be made to verify
the signature before configuring dm-verity. If this signature verification
fails, the partition status will be changed to `STATUS_BAD_SIG`
=== Booting
During boot of Citadel, the initramfs sets up the Citadel root filesystem. The
filesystem is built by locating and mounting three components:
* Base root filesystem
* Kernel modules
* Extra resources
The base root filesystem is stored on a partition unless running in certain
special modes such as installer and live disk. During installation the same
base root filesystem image is mounted from a loop mounted image file. This same
file will eventually be written to a partition during installation.
Kernel modules and extra resources are stored in file images which are
loop mounted during boot.
An additional type of resource image called a sealed application image exists
for the creation of immutable application image filesystems.
Resource images can optionally have dm-verity enabled when mounted.
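Review bot: In the signature section and the field table, the ed25519 signature is described as covering only the `metainfo` field, so the `status` and `flags` bytes ahead of it are not authenticated, and the text does not say how `FLAG_HASH_TREE` or `FLAG_DATA_COMPRESSED` are treated when they are changed independently of the signed metainfo. State that explicitly, and fill in the `==== metainfo` section, which is an empty heading, with the keys the TOML document is expected to carry. Smaller points: the arithmetic `4096 - (4 + 2 + 2 + 64)` folds `status` and `flags` into a single 2 while the table lists them as 1 byte each, the `flags` section has no introductory sentence, and "parition" under `status` is a typo.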

247
docs/realms.md Normal file

@ -0,0 +1,247 @@
Citadel Realms
--------------
Citadel contains only the base operating system and the Gnome desktop, it does not
include any applications. To be able to install and run applications Citadel can
create spaces which are called Realms.
A Realm is a container similar to a Docker or LXC container in which any Linux
distribution could be installed. We use a Debian based image but it would not be
difficult to create an image for another Linux distribution.
The realm containers are launched with systemd-nspawn but this is a detail of
how they are implemented and not something it is necessary to learn about in order to use them.
Citadel provides a command-line tool `realms` for creating, managing, and launching Realm instances.
### The `default` realm
One realm is always selected to be the `default` realm. This realm
starts automatically when the system boots. The `realms` utility can be used
to change which realm is the default realm. Switching the default realm changes
the symlink `/realm/default.realm` to point to a different realm instance directory.
citadel:~# realms default
Default Realm: main
citadel:~# realms default project
[+] default realm changed from 'main' to 'project'
citadel:~# realms default
Default Realm: project
### The `current` realm
Multiple realms may be launched at once but the Gnome Desktop is only associated with
one of the running realms. This realm is called the `current` realm.
When displaying applications available to launch from the desktop, Gnome will only
be aware of applications that are installed in the realm which is set as `current`
and any application launched from the desktop will run inside this current realm.
Setting another realm as current does not affect any applications that are already running.
Changing the current realm only means that any further applications which are launched
will now run in the newly chosen realm.
Changing or querying the current realm is done with the `realms current` command, and
if you choose a realm which is not currently running it will be automatically started.
citadel:~# realms current
Current Realm: main
citadel:~ # realms current project
[+]: Started realm 'project'
[+]: Realm 'project' set as current realm
citadel:~ # realms current
Current Realm: project
Underneath the hood, this command just changes the symlink `/run/realms/current.realm` to
point to a new realm. This directory is monitored for changes with `inotify` and when
the symlink changes a new set of `.desktop` files is swapped into a temporary directory
where Gnome will look for metadata about which applications are installed.
### Creating a new realm
New realms are created with the command `realms new <realm name>`
When a new realm is created a btrfs snapshot of some application image is created at
`/realms/realm-$name/rootfs`. By default it is the base image (`base.appimg`) which
is cloned as a snapshot. Application images are described in detail in a later section.
citadel:~ # realms new project
[+]: Populating realm home directory with files from /realms/skel
Create a snapshot of '/storage/appimg/base.appimg' in '/realms/realm-project/rootfs'
A new empty home directory is also created for the realm instance. Any file which are placed
into the `/realm/skel` directory will be copied into any newly created realm home directory.
### Realms configuration file
All of the curretly supported configuration options are listed below with their default values assigned.
use-shared-dir = true
use-sound = true
use-x11 = true
use-wayland = true
use-gpu = false
use-kvm = false
use-network = true
network-zone = "clear"
If you wish to change any of these options to something other than what is listed above add the
corresponding line to the file `/realms/realm-$name/config`
citadel:~ # echo "use-gpu = true" > /realms/realm-main/config
#### Option `use-shared-dir`
Set to `false` to disable mounting the shared directory `/realms/Shared` into this realm at
`/home/user/Shared`.
#### Option `use-sound`
Set to `false` to prevent mounting pulse audio socket and sound device into this realm.
#### Option `use-x11`
Set to `false` to prevent mounting `/tmp/.X11-unix` into the realm. This is the socket for communicating
with the `XWayland` X11 compatibility daemon.
#### Option `use-wayland`
Set to `false` to prevent mounting the wayland display server socket `/run/user/1000/wayland-0`
into the realm.
#### Option `use-gpu`
Set to `true` to mount the device `/dev/dri/renderD128` into the realm. Adding this
device will make hardware graphics acceleration available to applications running
in the realm.
#### Option `use-kvm`
Set to `true` to mount the device `/dev/kvm` into the realm. This will make it
possible to run Qemu and other KVM based tools with hardware virtualization
inside the realm.
#### Option `use-network`
Set to `false` to disable configuring the realm with access to the internet. The
realm instance will only have a localhost network interface.
#### Option `network-zone`
Setting a name here will create bridge device in citadel with the name vz-$name if
it doesn't already exist and attach this realm instance to that bridge.
### Realms base directory layout
The realms base directory is stored on the storage partition at `/storage/realms` and is bind mounted to `/realms` on the root filesystem for convenience.
/realms
config
/Shared
/skel
/default.realm -> realm-main
/realm-main
/realm-project
/realm-testing
#### File `/realms/config`
This file is a template of the configuration file for individual realms. When a new
realm is created this file in copied into the new realm instance directory. By
modifying this file, the default configuration for new realm instances can be changed.
#### Directory `/realms/Shared`
This directory is bind mounted to `/home/user/Shared` of each running realm that has
the option `use-shared-dir` enabled. It's a convenient way to move files between
different realms and between citadel and realms.
#### Directory `/realms/skel`
Files which are added to this directory will be copied into the home directory of
any newly created realm. The directory is copied as a tree of files and may contain
subdirectories.
#### Symlink `/realms/default.realm`
A symlink which points to a realm instance directory of the default realm. The
default realm is the realm which starts when the system is booted.
#### Directory `/realms/realm-$name`
This is a realm instance directory, for a realm with $name as the realm name.
/realm-main
config
/home
/rootfs
##### `config`
Configuration file for the realm instance copied from `/realms/config` or
created by the user.
##### `/home`
Home directory for this realm. It will be mounted to `/home/user` in
the realm instance.
##### `/rootfs`
The root filesystem of this realm. It is cloned from (a btrfs subvolume snapshot of)
some application image.
### Application Images
(Not to be confused with the [AppImage](https://appimage.org) packaging system)
The root filesystem for realms are called Application Images but we often use
the shorter name *appimg*.
We have created [a framework](https://github.com/subgraph/citadel/tree/master/appimg-builder)
for building a Debian based images and we use this to build the default appimg that we ship.
We also encourage users to experiment with building their own custom images.
**Tree Application Images** are the only type of application image which are currently implemented for realms.
The rootfs is a tree of files on the filesystem, and it is also a btrfs subvolume
which is cloned at zero cost (internally with `btrfs subvolume snapshot`) to use
as the root filesystem of newly created realms.
#### Block Application Images (and also Sealed Application Images)
In the future we will add another type of application image called a **Block
Application Image**. This type of image will be stored as a disk volume image file
and will be mounted with a loop device rather than existing as a tree of files on the
filesystem.
This will make it possible to enforce [dm-verity](https://www.kernel.org/doc/Documentation/device-mapper/verity.txt)
verification over the image and ensure that no malicous or unintended modifications
can be made to any of the the files on the root filesystem. Signature verification
over the dm-verity root hash is done from the citadel rootfs image which is also
secured with dm-verity. When enforcement of boot integrity is also implemented this
will create a chain of cryptographic assurances that no component of the system has
been tampered with.
Block images with signatures and dm-verify verification enabled are called **Sealed Application Images**
### Updating an Application Image
To modify or update an application image run the `realms update-appimg` command.
A container will be created for updating the image and a root shell session will
open. From this session regular package management commands can be run. Any changes
made will only affect future realms created from this appimg.
citadel:~ # realms update-appimg
[+]: Entering root shell on base appimg
root@base-appimg-update:/# apt update
[...]
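Review bot: In the configuration file section, the example `echo "use-gpu = true" > /realms/realm-main/config` truncates the file, although the sentence above it says to add the line and the `/realms/config` section says each new realm gets a copy of the template there; use `>>` or tell the reader to edit the file. The paths are also inconsistent: the default-realm symlink is `/realm/default.realm` in one place and `/realms/default.realm` in another, and the skeleton directory appears as both `/realm/skel` and `/realms/skel`. Typos to fix while here: "curretly", "malicous", "the the", "dm-verify" (for dm-verity), "Any file which are placed" and "this file in copied".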


@ -1,8 +1,8 @@
DEPENDS:append = " citadel-tools-native mtools-native cryptsetup-native coreutils-native"
DEPENDS_append = " citadel-tools-native mtools-native cryptsetup-native coreutils-native"
# Block size must be 4096 or dm-verity won't work
EXTRA_IMAGECMD:ext4 = "-i 4096 -b 4096"
EXTRA_IMAGECMD_ext4 = "-i 4096 -b 4096"
IMAGE_FSTYPES = "ext4"
IMAGE_OVERHEAD_FACTOR = "1.2"
@ -24,7 +24,7 @@ EOF
ver=$(printf "%03d" ${CITADEL_IMAGE_VERSION})
if [ "${CITADEL_IMAGE_TYPE}" = "kernel" ]; then
KERNEL_ID=$(generate_kernel_id)
KERNEL_ID=$(cat ${DEPLOY_DIR_IMAGE}/kernel.id)
echo "kernel-version = \"${CITADEL_KERNEL_VERSION}\"" >> ${B}/mkimage.conf
echo "kernel-id = \"${KERNEL_ID}\"" >> ${B}/mkimage.conf
fname="citadel-kernel-${CITADEL_KERNEL_VERSION}-${CITADEL_IMAGE_CHANNEL}-${ver}.img"
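Review bot: Nothing validates the value read by `KERNEL_ID=$(cat ${DEPLOY_DIR_IMAGE}/kernel.id)` before it is written to `mkimage.conf` as `kernel-id`, so an empty or stale `kernel.id` left in `DEPLOY_DIR_IMAGE` by an earlier build would be embedded in the image header silently. Check that the file exists and is non-empty and fail the task with a clear message otherwise, quote the path, and make sure the task that writes `kernel.id` is a declared dependency of this one.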
@ -41,9 +41,7 @@ do_citadel_mkimage[vardepsexclude] = "DATETIME"
IMAGE_POSTPROCESS_COMMAND += " generate_shasum_buildhistory ;"
BUILDHISTORY_CURRENT_IMAGE_DIR = "${TOPDIR}/buildhistory/images/${MACHINE_ARCH}/${TCLIBC}/${IMAGE_BASENAME}"
generate_shasum_buildhistory() {
mkdir -p ${BUILDHISTORY_CURRENT_IMAGE_DIR}
( cd ${IMAGE_ROOTFS} && find . -type f -exec sha1sum '{}' \; | sort -k2 > ${BUILDHISTORY_CURRENT_IMAGE_DIR}/image-shasums.txt )
mkdir -p ${BUILDHISTORY_DIR_IMAGE}
( cd ${IMAGE_ROOTFS} && find . -type f -exec sha1sum '{}' \; | sort -k2 > ${BUILDHISTORY_DIR_IMAGE}/image-shasums.txt )
}


@ -1,33 +0,0 @@
S = "${WORKDIR}${@source_path(d)}"
SRC_URI = "${@source_uri(d)}"
def source_path(d):
var = d.getVar("EXTERNAL_TREE_VAR")
tree_path = d.getVar(var)
if tree_path:
return tree_path
else:
return "/git"
def source_uri(d):
var = d.getVar("EXTERNAL_TREE_VAR")
tree_path = d.getVar(var)
if tree_path:
return "file://" + tree_path
else:
return d.getVar("GIT_URI")
# Set debug build if $EXTERNAL_TREE_VAR is set for faster builds
DEBUG_BUILD = "${@debug_build(d)}"
def debug_build(d):
var = d.getVar("EXTERNAL_TREE_VAR")
tree_path = d.getVar(var)
if tree_path:
return "1"
else:
return "0"


@ -8,6 +8,8 @@ BBFILES ?= ""
BBLAYERS ?= " \
##OEROOT##/meta \
##OEROOT##/../meta-intel \
##OEROOT##/../meta-rust \
##OEROOT##/../meta-citadel \
##OEROOT##/../meta-gnome \
##OEROOT##/../meta-clang \
"


@ -2,14 +2,9 @@ DISTRO = "citadel-distro"
DISTRO_NAME = "Subgraph OS Citadel"
DISTRO_VERSION = "1.0"
CITADEL_DEFAULT_DISTRO_FEATURES = "acl alsa argp bluetooth ext2 largefile systemd usbhost wifi xattr pci x11 usrmerge wayland opengl pam polkit seccomp"
CITADEL_DEFAULT_DISTRO_FEATURES = "acl alsa argp bluetooth ext2 largefile systemd usbhost wifi xattr pci x11 usrmerge wayland opengl pam"
DISTRO_FEATURES ?= "${DISTRO_FEATURES_LIBC} ${CITADEL_DEFAULT_DISTRO_FEATURES}"
PREMIRRORS:prepend = "\
git://.*/.* https://mirror.subgraph.com/ \
ftp://.*/.* https://mirror.subgraph.com/ \
http://.*/.* https://mirror.subgraph.com/ \
https://.*/.* https://mirror.subgraph.com/"
HOSTTOOLS_NONFATAL += "inkscape"
#
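Review bot: The two `CITADEL_DEFAULT_DISTRO_FEATURES` lines differ by `polkit` and `seccomp`, and the `PREMIRRORS:prepend` block that points every fetch at https://mirror.subgraph.com/ appears on one side only. Whether packages are built with seccomp support is a hardening decision rather than a compatibility detail, so the commit message should say why the feature is absent on this branch, and likewise whether sources are now expected to come straight from upstream instead of the project mirror.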
@ -40,9 +35,17 @@ IMAGE_LINGUAS = "en-us"
BUILD_REPRODUCIBLE_BINARIES = "1"
INHERIT += "buildhistory"
INHERIT += "reproducible_build"
PREFERRED_RPROVIDER_libdevmapper-native = "libdevmapper-native"
# Override meta-rust dependencies.
#
# Instead of bringing in all of openembedded, we imported the two recipes
# meta-rust depends on:
#
# meta-citadel/recipes-support/libgit2/
# meta-citadel/recipes-support/libssh2/
#
LAYERDEPENDS_rust-layer = "core"
require conf/distro/include/security_flags.inc


@ -5,16 +5,14 @@ BBPATH =. "${LAYERDIR}:"
BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
${LAYERDIR}/recipes-*/*/*.bbappend"
BBMASK += "meta-intel/dynamic-layers/clang-layer/recipes-devtools/clang/llvm-project-source.bbappend"
LICENSE_PATH += "${LAYERDIR}/licenses"
# see https://patches.openembedded.org/patch/164502/
PREFERRED_RPROVIDER_libdevmapper = "lvm2"
BBFILE_COLLECTIONS += "citadel"
BBFILE_PATTERN_citadel = "^${LAYERDIR}/"
BBFILE_PRIORITY_citadel = "5"
LAYERSERIES_COMPAT_citadel = "scarthgap"
LAYERSERIES_COMPAT_citadel = "thud warrior zeus"
# This should only be incremented on significant changes that will
# cause compatibility issues with other layers


@ -2,45 +2,32 @@
# This file is your local configuration file and is where all local user settings
# are placed. The comments in this file give some guide to the options a new user
# to the system might want to change but pretty much any configuration option can
# be set in this file. More adventurous users can look at
# local.conf.sample.extended which contains other examples of configuration which
# can be placed in this file but new users likely won't need any of them
# initially.
# be set in this file. More adventurous users can look at local.conf.extended
# which contains other examples of configuration which can be placed in this file
# but new users likely won't need any of them initially.
#
# Lines starting with the '#' character are commented out and in some cases the
# default values are provided as comments to show people example syntax. Enabling
# the option is a question of removing the # character and making any change to the
# variable as required.
# Distro configuration:
#
# Machine Selection
# meta-citadel-distro/conf/distro/citadel-distro.conf
#
# You need to select a specific machine to target the build with. There are a selection
# of emulated machines available which can boot and run in the QEMU emulator:
DISTRO ?= "citadel-distro"
# Machine configuration:
#
#MACHINE ?= "qemuarm"
#MACHINE ?= "qemuarm64"
#MACHINE ?= "qemumips"
#MACHINE ?= "qemumips64"
#MACHINE ?= "qemuppc"
#MACHINE ?= "qemux86"
#MACHINE ?= "qemux86-64"
# meta-intel/conf/machine/intel-corei7-64.conf
#
# There are also the following hardware board target machines included for
# demonstration purposes:
#
#MACHINE ?= "beaglebone-yocto"
#MACHINE ?= "genericx86"
#MACHINE ?= "genericx86-64"
#MACHINE ?= "edgerouter"
#
# This sets the default machine to be qemux86-64 if no other machine is selected:
#MACHINE ??= "qemux86-64"
MACHINE ?= "intel-corei7-64"
DEFAULT_TIMEZONE = "America/New_York"
DEPLOY_DIR_IMAGE = "${TOPDIR}/images"
#
#
# Where to place downloads
#
@ -82,34 +69,6 @@ DEPLOY_DIR_IMAGE = "${TOPDIR}/images"
#
#TMPDIR = "${TOPDIR}/tmp"
#
# Default policy config
#
# The distribution setting controls which policy settings are used as defaults.
# The default value is fine for general Yocto project use, at least initially.
# Ultimately when creating custom policy, people will likely end up subclassing
# these defaults.
#
DISTRO ?= "citadel-distro"
# As an example of a subclass there is a "bleeding" edge policy configuration
# where many versions are set to the absolute latest code from the upstream
# source control systems. This is just mentioned here as an example, its not
# useful to most new users.
# DISTRO ?= "poky-bleeding"
#
# Package Management configuration
#
# This variable lists which packaging formats to enable. Multiple package backends
# can be enabled at once and the first item listed in the variable will be used
# to generate the root filesystems.
# Options are:
# - 'package_deb' for debian style deb files
# - 'package_ipk' for ipk files are used by opkg (a debian style embedded package manager)
# - 'package_rpm' for rpm style packages
# E.g.: PACKAGE_CLASSES ?= "package_rpm package_deb package_ipk"
# We default to rpm:
PACKAGE_CLASSES ?= "package_deb"
#
# SDK target architecture
@ -117,7 +76,7 @@ PACKAGE_CLASSES ?= "package_deb"
# This variable specifies the architecture to build SDK items for and means
# you can build the SDK packages for architectures other than the machine you are
# running the build on (i.e. building i686 packages on an x86_64 host).
# Supported values are i686, x86_64, aarch64
# Supported values are i686 and x86_64
#SDKMACHINE ?= "i686"
#
@ -128,8 +87,6 @@ PACKAGE_CLASSES ?= "package_deb"
# variable can contain the following options:
# "dbg-pkgs" - add -dbg packages for all installed packages
# (adds symbol information for debugging/profiling)
# "src-pkgs" - add -src packages for all installed packages
# (adds source code for debugging)
# "dev-pkgs" - add -dev packages for all installed packages
# (useful if you want to develop against libs in the image)
# "ptest-pkgs" - add -ptest packages for all ptest-enabled packages
@ -153,18 +110,20 @@ EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
# enable extra features. Some available options which can be included in this variable
# are:
# - 'buildstats' collect build statistics
# - 'image-mklibs' to reduce shared library files size for an image
# - 'image-prelink' in order to prelink the filesystem image
# NOTE: if listing mklibs & prelink both, then make sure mklibs is before prelink
# NOTE: mklibs also needs to be explicitly enabled for a given image, see local.conf.extended
USER_CLASSES ?= "buildstats"
#
# Runtime testing of images
#
# The build system can test booting virtual machine images under qemu (an emulator)
# after any root filesystems are created and run tests against those images. It can also
# run tests against any SDK that are built. To enable this uncomment these lines.
# See classes/test{image,sdk}.bbclass for further details.
#IMAGE_CLASSES += "testimage testsdk"
#TESTIMAGE_AUTO:qemuall = "1"
# after any root filesystems are created and run tests against those images. To
# enable this uncomment this line. See classes/testimage(-auto).bbclass for
# further details.
#TEST_IMAGE = "1"
#
# Interactive shell configuration
#
@ -189,29 +148,29 @@ PATCHRESOLVE = "noop"
#
# Monitor the disk space during the build. If there is less that 1GB of space or less
# than 100K inodes in any key build location (TMPDIR, DL_DIR, SSTATE_DIR), gracefully
# shutdown the build. If there is less than 100MB or 1K inodes, perform a hard halt
# shutdown the build. If there is less that 100MB or 1K inodes, perform a hard abort
# of the build. The reason for this is that running completely out of space can corrupt
# files and damages the build in ways which may not be easily recoverable.
# It's necessary to monitor /tmp, if there is no space left the build will fail
# It's necesary to monitor /tmp, if there is no space left the build will fail
# with very exotic errors.
BB_DISKMON_DIRS ??= "\
BB_DISKMON_DIRS = "\
STOPTASKS,${TMPDIR},1G,100K \
STOPTASKS,${DL_DIR},1G,100K \
STOPTASKS,${SSTATE_DIR},1G,100K \
STOPTASKS,/tmp,100M,100K \
HALT,${TMPDIR},100M,1K \
HALT,${DL_DIR},100M,1K \
HALT,${SSTATE_DIR},100M,1K \
HALT,/tmp,10M,1K"
ABORT,${TMPDIR},100M,1K \
ABORT,${DL_DIR},100M,1K \
ABORT,${SSTATE_DIR},100M,1K \
ABORT,/tmp,10M,1K"
#
# Shared-state files from other locations
#
# As mentioned above, shared state files are prebuilt cache data objects which can be
# As mentioned above, shared state files are prebuilt cache data objects which can
# used to accelerate build time. This variable can be used to configure the system
# to search other mirror locations for these objects before it builds the data itself.
#
# This can be a filesystem directory, or a remote url such as https or ftp. These
# This can be a filesystem directory, or a remote url such as http or ftp. These
# would contain the sstate-cache results from previous builds (possibly from other
# machines). This variable works like fetcher MIRRORS/PREMIRRORS and points to the
# cache locations to check for the shared objects.
@ -219,65 +178,33 @@ BB_DISKMON_DIRS ??= "\
# at the end as shown in the examples below. This will be substituted with the
# correct path within the directory structure.
#SSTATE_MIRRORS ?= "\
#file://.* https://someserver.tld/share/sstate/PATH;downloadfilename=PATH \
#file://.* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
#file://.* file:///some/local/dir/sstate/PATH"
#
# Yocto Project SState Mirror
#
# The Yocto Project has prebuilt artefacts available for its releases, you can enable
# use of these by uncommenting the following lines. This will mean the build uses
# the network to check for artefacts at the start of builds, which does slow it down
# equally, it will also speed up the builds by not having to build things if they are
# present in the cache. It assumes you can download something faster than you can build it
# which will depend on your network.
# Note: For this to work you also need hash-equivalence passthrough to the matching server
#
#BB_HASHSERVE_UPSTREAM = "typhoon.yocto.io:8687"
#SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/4.0/PATH;downloadfilename=PATH"
#
# Qemu configuration
#
# By default native qemu will build with a builtin VNC server where graphical output can be
# seen. The line below enables the SDL UI frontend too.
PACKAGECONFIG:append:pn-qemu-system-native = " sdl"
# By default libsdl2-native will be built, if you want to use your host's libSDL instead of
# the minimal libsdl built by libsdl2-native then uncomment the ASSUME_PROVIDED line below.
#ASSUME_PROVIDED += "libsdl2-native"
# You can also enable the Gtk UI frontend, which takes somewhat longer to build, but adds
# a handy set of menus for controlling the emulator.
#PACKAGECONFIG:append:pn-qemu-system-native = " gtk+"
#
# Hash Equivalence
#
# Enable support for automatically running a local hash equivalence server and
# instruct bitbake to use a hash equivalence aware signature generator. Hash
# equivalence improves reuse of sstate by detecting when a given sstate
# artifact can be reused as equivalent, even if the current task hash doesn't
# match the one that generated the artifact.
#
# A shared hash equivalent server can be set with "<HOSTNAME>:<PORT>" format
#
#BB_HASHSERVE = "auto"
#BB_SIGNATURE_HANDLER = "OEEquivHash"
#
# Memory Resident Bitbake
#
# Bitbake's server component can stay in memory after the UI for the current command
# has completed. This means subsequent commands can run faster since there is no need
# for bitbake to reload cache files and so on. Number is in seconds, after which the
# server will shut down.
#
#BB_SERVER_TIMEOUT = "60"
# By default qemu will build with a builtin VNC server where graphical output can be
# seen. The two lines below enable the SDL backend too. By default libsdl-native will
# be built, if you want to use your host's libSDL instead of the minimal libsdl built
# by libsdl-native then uncomment the ASSUME_PROVIDED line below.
PACKAGECONFIG_append_pn-qemu-native = " sdl"
PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
#ASSUME_PROVIDED += "libsdl-native"
# CONF_VERSION is increased each time build/conf/ changes incompatibly and is used to
# track the version of this file when it was generated. This can safely be ignored if
# this doesn't mean anything to you.
CONF_VERSION = "2"
CONF_VERSION = "1"
INHERIT+="toaster buildhistory"
#
# Enable to build a custom kernel with options set so that powertop can be used, and
# will also build citadel-image with powertop package installed
#
# DISTROOVERRIDES = "citadel-powertop"
#
# Set to build citadel-tools recipes from a local copy on the filesystem rather than
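Review bot: The commented `SSTATE_MIRRORS` example is given once as `https://someserver.tld/share/sstate/PATH` and once as `http://someserver.tld/share/sstate/PATH`, and the sample that readers copy should be the https one: the surrounding comments describe sstate objects as prebuilt artefacts that the build reuses instead of building, so a mirror fetched over plain http puts unauthenticated binaries into the image. Separately, `INHERIT+="toaster buildhistory"` repeats `buildhistory`, which the distro configuration elsewhere in this diff already inherits with `INHERIT += "buildhistory"`.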
@ -288,7 +215,3 @@ CONF_VERSION = "2"
#
# CITADEL_TOOLS_PATH = "/home/user/citadel-tools"
#
# Same as above for GNOME Shell and Mutter:
#
# CITADEL_GNOME_SHELL_PATH = "/home/user/citadel-gnome/gnome-shell"
# CITADEL_MUTTER_PATH = "/home/user/citadel-gnome/mutter"


@ -1,11 +0,0 @@
PACKAGECONFIG = "\
readline \
systemd \
a2dp-profiles \
avrcp-profiles \
hid-profiles \
hog-profiles \
tools \
deprecated \
udev \
"


@ -1 +0,0 @@
PACKAGECONFIG:append = " user-session"


@ -1,4 +0,0 @@
# For blueprint-compiler-native to work
EXTRA_OEMESON:remove:class-native = "-Dintrospection=disabled"
EXTRA_OEMESON:append:class-native = " -Dintrospection=enabled"


@ -1,20 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/gdm:"
INSANE_SKIP:${PN}-src = "buildpaths"
SRC_URI += "file://gdm.conf"
DEPENDS += "plymouth"
do_install:append() {
install -d ${D}${sysconfdir}/default/volatiles
echo "d gdm gdm 755 ${localstatedir}/run/gdm/greeter none" > ${D}${sysconfdir}/default/volatiles/99_gdm
rm ${D}${sysconfdir}/gdm/custom.conf
rm ${D}${libdir}/udev/rules.d/61-gdm.rules
install -m 644 ${WORKDIR}/gdm.conf ${D}${sysconfdir}/gdm/custom.conf
}
EXTRA_OEMESON = " \
-Dplymouth=enabled \
-Ddefault-pam-config=openembedded \
-Dpam-mod-dir=${base_libdir}/security \
"


@ -1 +0,0 @@
PACKAGECONFIG = "lib"


@ -1 +0,0 @@
INSANE_SKIP:${PN}-src = "buildpaths"


@ -1 +0,0 @@
INSANE_SKIP:${PN}-src = "buildpaths"


@ -1,2 +0,0 @@
PACKAGECONFIG = "nm alsa gudev wayland"
EXTRA_OEMESON += " -Dwwan=false"


@ -1 +0,0 @@
RRECOMMENDS:${PN}:remove = "adwaita-icon-theme"


@ -1,4 +0,0 @@
# For blueprint-compiler-native to work
EXTRA_OEMESON:remove:class-native = "-Dintrospection=disabled"
EXTRA_OEMESON:append:class-native = " -Dintrospection=enabled"


@ -1 +0,0 @@
PACKAGECONFIG="orc soup3 x11 asm bz2 cairo flac gdk-pixbuf gudev jpeg lame libpng mpg123 speex taglib v4l2 vpx"


@ -1,6 +0,0 @@
# Remove this dependency so it doesn't get dragged in with gtk. These icons are in citadel-extra-image now
GTKBASE_RRECOMMENDS:remove = "adwaita-icon-theme-symbolic"
# For blueprint-compiler-native to work
EXTRA_OEMESON:remove:class-native = "-Dintrospection=disabled"
EXTRA_OEMESON:append:class-native = " -Dintrospection=enabled"


@ -1,3 +0,0 @@
PACKAGECONFIG:remove = "libgphoto2"
EXTRA_OEMESON:append = " -Dlibusb=false"


@ -1,4 +0,0 @@
# For blueprint-compiler-native to work
EXTRA_OEMESON:remove:class-native = "-Dintrospection=disabled"
EXTRA_OEMESON:append:class-native = " -Dintrospection=enabled"


@ -1,9 +0,0 @@
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner systemd-timesync -j ACCEPT
-A OUTPUT -j LOG --log-uid --log-prefix 'iptables'
COMMIT
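Review bot: With `:INPUT DROP` and `:OUTPUT DROP` gone, confirm that this branch still installs an equivalent default-deny rule set from somewhere, because a host without one is left on the kernel's accept-all chain policies. If the file is kept or restored, note that `:FORWARD ACCEPT` is the one chain left open and that the final `-A OUTPUT -j LOG --log-uid --log-prefix 'iptables'` rule has no `-m limit`, so a single chatty process can flood the log.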


@ -1,19 +0,0 @@
[Unit]
Description=IPv4 Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
ExecReload=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
ExecStopPost=-/sbin/iptables -P INPUT ACCEPT
ExecStopPost=-/sbin/iptables -P OUTPUT ACCEPT
ExecStopPost=/sbin/iptables -F
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
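Review bot: `Before=network-pre.target` together with `Wants=network-pre.target` is what guaranteed the filter was loaded before any interface came up, so whatever loads the rules on this branch needs the same ordering. Two things to fix if the unit is carried over: the `ExecStopPost` lines reset the `INPUT` and `OUTPUT` policies to `ACCEPT` and then flush, so stopping the service fails open, and they hard-code `/sbin/iptables` while `ExecStart` and `ExecReload` use `@SBINDIR@`.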


@ -1 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/iptables:"


@ -1,6 +0,0 @@
# For blueprint-compiler-native to work
EXTRA_OEMESON:remove:class-native = "-Dintrospection=disabled"
EXTRA_OEMESON:append:class-native = " -Dintrospection=enabled"
BBCLASSEXTEND = "native"


@ -1,3 +0,0 @@
PACKAGECONFIG = "fs crypto parted mdraid tools"
DEPENDS += "systemd"


@ -1 +0,0 @@
#PACKAGECONFIG = ""


@ -1 +0,0 @@
PACKAGECONFIG = "pulseaudio gtk3"


@ -1 +0,0 @@
PACKAGECONFIG = "odirect"


@ -1,3 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/libpam:"
SRC_URI += "file://pam.d/common-auth"


@ -1,326 +0,0 @@
# This is an example configuration file for the LVM2 system.
# It contains the default settings that would be used if there was no
# /etc/lvm/lvm.conf file.
#
# Refer to 'man lvm.conf' for further information including the file layout.
#
# To put this file in a different directory and override /etc/lvm set
# the environment variable LVM_SYSTEM_DIR before running the tools.
# This section allows you to configure which block devices should
# be used by the LVM system.
devices {
# Where do you want your volume groups to appear ?
dir = "/dev"
# An array of directories that contain the device nodes you wish
# to use with LVM2.
scan = [ "/dev" ]
# A filter that tells LVM2 to only use a restricted set of devices.
# The filter consists of an array of regular expressions. These
# expressions can be delimited by a character of your choice, and
# prefixed with either an 'a' (for accept) or 'r' (for reject).
# The first expression found to match a device name determines if
# the device will be accepted or rejected (ignored). Devices that
# don't match any patterns are accepted.
# Be careful if there there are symbolic links or multiple filesystem
# entries for the same device as each name is checked separately against
# the list of patterns. The effect is that if any name matches any 'a'
# pattern, the device is accepted; otherwise if any name matches any 'r'
# pattern it is rejected; otherwise it is accepted.
# Don't have more than one filter line active at once: only one gets used.
# Run vgscan after you change this parameter to ensure that
# the cache file gets regenerated (see below).
# If it doesn't do what you expect, check the output of 'vgscan -vvvv'.
# By default we accept every block device:
filter = [ "a/.*/" ]
# Exclude the cdrom drive
# filter = [ "r|/dev/cdrom|" ]
# When testing I like to work with just loopback devices:
# filter = [ "a/loop/", "r/.*/" ]
# Or maybe all loops and ide drives except hdc:
# filter =[ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
# Use anchors if you want to be really specific
# filter = [ "a|^/dev/hda8$|", "r/.*/" ]
# The results of the filtering are cached on disk to avoid
# rescanning dud devices (which can take a very long time). By
# default this cache file is hidden in the /etc/lvm directory.
# It is safe to delete this file: the tools regenerate it.
cache = "/etc/lvm/.cache"
# You can turn off writing this cache file by setting this to 0.
write_cache_state = 0
# Advanced settings.
# List of pairs of additional acceptable block device types found
# in /proc/devices with maximum (non-zero) number of partitions.
# types = [ "fd", 16 ]
# If sysfs is mounted (2.6 kernels) restrict device scanning to
# the block devices it believes are valid.
# 1 enables; 0 disables.
sysfs_scan = 1
# By default, LVM2 will ignore devices used as components of
# software RAID (md) devices by looking for md superblocks.
# 1 enables; 0 disables.
md_component_detection = 1
}
# This section that allows you to configure the nature of the
# information that LVM2 reports.
log {
# Controls the messages sent to stdout or stderr.
# There are three levels of verbosity, 3 being the most verbose.
verbose = 0
# Should we send log messages through syslog?
# 1 is yes; 0 is no.
syslog = 1
# Should we log error and debug messages to a file?
# By default there is no log file.
#file = "/var/log/lvm2.log"
# Should we overwrite the log file each time the program is run?
# By default we append.
overwrite = 0
# What level of log messages should we send to the log file and/or syslog?
# There are 6 syslog-like log levels currently in use - 2 to 7 inclusive.
# 7 is the most verbose (LOG_DEBUG).
level = 0
# Format of output messages
# Whether or not (1 or 0) to indent messages according to their severity
indent = 1
# Whether or not (1 or 0) to display the command name on each line output
command_names = 0
# A prefix to use before the message text (but after the command name,
# if selected). Default is two spaces, so you can see/grep the severity
# of each message.
prefix = " "
# To make the messages look similar to the original LVM tools use:
# indent = 0
# command_names = 1
# prefix = " -- "
# Set this if you want log messages during activation.
# Don't use this in low memory situations (can deadlock).
# activation = 0
}
# Configuration of metadata backups and archiving. In LVM2 when we
# talk about a 'backup' we mean making a copy of the metadata for the
# *current* system. The 'archive' contains old metadata configurations.
# Backups are stored in a human readeable text format.
backup {
# Should we maintain a backup of the current metadata configuration ?
# Use 1 for Yes; 0 for No.
# Think very hard before turning this off!
backup = 0
# Where shall we keep it ?
# Remember to back up this directory regularly!
backup_dir = "/etc/lvm/backup"
# Should we maintain an archive of old metadata configurations.
# Use 1 for Yes; 0 for No.
# On by default. Think very hard before turning this off.
archive = 0
# Where should archived files go ?
# Remember to back up this directory regularly!
archive_dir = "/etc/lvm/archive"
# What is the minimum number of archive files you wish to keep ?
retain_min = 10
# What is the minimum time you wish to keep an archive file for ?
retain_days = 30
}
# Settings for the running LVM2 in shell (readline) mode.
shell {
# Number of lines of history to store in ~/.lvm_history
history_size = 100
}
# Miscellaneous global LVM2 settings
global {
# The file creation mask for any files and directories created.
# Interpreted as octal if the first digit is zero.
umask = 077
# Allow other users to read the files
#umask = 022
# Enabling test mode means that no changes to the on disk metadata
# will be made. Equivalent to having the -t option on every
# command. Defaults to off.
test = 0
# Whether or not to communicate with the kernel device-mapper.
# Set to 0 if you want to use the tools to manipulate LVM metadata
# without activating any logical volumes.
# If the device-mapper kernel driver is not present in your kernel
# setting this to 0 should suppress the error messages.
activation = 1
# If we can't communicate with device-mapper, should we try running
# the LVM1 tools?
# This option only applies to 2.4 kernels and is provided to help you
# switch between device-mapper kernels and LVM1 kernels.
# The LVM1 tools need to be installed with .lvm1 suffices
# e.g. vgscan.lvm1 and they will stop working after you start using
# the new lvm2 on-disk metadata format.
# The default value is set when the tools are built.
# fallback_to_lvm1 = 0
# The default metadata format that commands should use - "lvm1" or "lvm2".
# The command line override is -M1 or -M2.
# Defaults to "lvm1" if compiled in, else "lvm2".
# format = "lvm1"
# Location of proc filesystem
proc = "/proc"
# Type of locking to use. Defaults to file-based locking (1).
# Turn locking off by setting to 0 (dangerous: risks metadata corruption
# if LVM2 commands get run concurrently).
locking_type = 1
# Local non-LV directory that holds file-based locks while commands are
# in progress. A directory like /tmp that may get wiped on reboot is OK.
locking_dir = "/tmp/lock/lvm"
# Other entries can go here to allow you to load shared libraries
# e.g. if support for LVM1 metadata was compiled as a shared library use
# format_libraries = "liblvm2format1.so"
# Full pathnames can be given.
# Search this directory first for shared libraries.
# library_dir = "/lib"
}
activation {
# Device used in place of missing stripes if activating incomplete volume.
# For now, you need to set this up yourself first (e.g. with 'dmsetup')
# For example, you could make it return I/O errors using the 'error'
# target or make it return zeros.
missing_stripe_filler = "/dev/ioerror"
# Size (in KB) of each copy operation when mirroring
mirror_region_size = 512
# How much stack (in KB) to reserve for use while devices suspended
reserved_stack = 256
# How much memory (in KB) to reserve for use while devices suspended
reserved_memory = 8192
# Nice value used while devices suspended
process_priority = -18
# If volume_list is defined, each LV is only activated if there is a
# match against the list.
# "vgname" and "vgname/lvname" are matched exactly.
# "@tag" matches any tag set in the LV or VG.
# "@*" matches if any tag defined on the host is also set in the LV or VG
#
# volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
}
####################
# Advanced section #
####################
# Metadata settings
#
# metadata {
# Default number of copies of metadata to hold on each PV. 0, 1 or 2.
# You might want to override it from the command line with 0
# when running pvcreate on new PVs which are to be added to large VGs.
# pvmetadatacopies = 1
# Approximate default size of on-disk metadata areas in sectors.
# You should increase this if you have large volume groups or
# you want to retain a large on-disk history of your metadata changes.
# pvmetadatasize = 255
# List of directories holding live copies of text format metadata.
# These directories must not be on logical volumes!
# It's possible to use LVM2 with a couple of directories here,
# preferably on different (non-LV) filesystems, and with no other
# on-disk metadata (pvmetadatacopies = 0). Or this can be in
# addition to on-disk metadata areas.
# The feature was originally added to simplify testing and is not
# supported under low memory situations - the machine could lock up.
#
# Never edit any files in these directories by hand unless you
# you are absolutely sure you know what you are doing! Use
# the supplied toolset to make changes (e.g. vgcfgrestore).
# dirs = [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ]
#}
# Event daemon
#
dmeventd {
# mirror_library is the library used when monitoring a mirror device.
#
# "libdevmapper-event-lvm2mirror.so" attempts to recover from
# failures. It removes failed devices from a volume group and
# reconfigures a mirror as necessary. If no mirror library is
# provided, mirrors are not monitored through dmeventd.
mirror_library = "@libdir@/device-mapper/libdevmapper-event-lvm2mirror.so"
# snapshot_library is the library used when monitoring a snapshot device.
#
# "libdevmapper-event-lvm2snapshot.so" monitors the filling of
# snapshots and emits a warning through syslog when the use of
# the snapshot exceeds 80%. The warning is repeated when 85%, 90% and
# 95% of the snapshot is filled.
snapshot_library = "@libdir@/device-mapper/libdevmapper-event-lvm2snapshot.so"
# thin_library is the library used when monitoring a thin device.
#
# "libdevmapper-event-lvm2thin.so" monitors the filling of
# pool and emits a warning through syslog when the use of
# the pool exceeds 80%. The warning is repeated when 85%, 90% and
# 95% of the pool is filled.
thin_library = "@libdir@/device-mapper/libdevmapper-event-lvm2thin.so"
# Full path of the dmeventd binary.
#
# executable = "@DMEVENTD_PATH@"
}
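Review bot: `backup = 0` and `archive = 0` in the `backup { }` section switch off both metadata safety nets, directly under the file's own "Think very hard before turning this off!" comments, while `backup_dir` and `archive_dir` still point at /etc/lvm. If the aim is only to keep LVM from writing to /etc, pointing the two directories at writable storage would keep vgcfgrestore usable after a bad metadata change; otherwise add a comment saying that recovery is given up on purpose. `locking_dir = "/tmp/lock/lvm"` also places the lock directory under a world-writable path, so a root-owned location would be the safer choice.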

View File

@ -1,2 +0,0 @@
# files/lvm.conf is customized to prevent writing to /etc
FILESEXTRAPATHS:prepend := "${THISDIR}/lvm2:"

View File

@ -1,4 +0,0 @@
PACKAGECONFIG = "polkit systemd"
INSANE_SKIP:${PN}-src = "buildpaths"
INSANE_SKIP:${PN}-dev = "buildpaths"
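Review bot: both `INSANE_SKIP` lines silence the `buildpaths` QA check for the -src and -dev packages without saying which files trip it. That check is what catches build-host paths leaking into shipped packages, so add a comment naming the offending files, or strip the paths at install time so the check can stay on. `PACKAGECONFIG = "polkit systemd"` is also a hard assignment that discards whatever the base recipe enables by default; if that is intended, say so in a comment.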

View File

@ -1 +0,0 @@
INSANE_SKIP:${PN}-src = "buildpaths"

View File

@ -1 +0,0 @@
INSANE_SKIP:${PN}-src = "buildpaths"

View File

@ -1,14 +0,0 @@
# Append recipe from meta-openembedded/meta-networking
FILESEXTRAPATHS:prepend := "${THISDIR}/networkmanager:"
SRC_URI += "\
file://NetworkManager.conf \
"
SYSTEMD_SERVICE:${PN} += "watch-resolvconf.path"
do_install:append() {
install -m 0644 ${WORKDIR}/NetworkManager.conf ${D}${sysconfdir}/NetworkManager/
}
PACKAGECONFIG = "nss systemd polkit wifi iwd vala nmcli bluez5"
NETWORKMANAGER_FIREWALL_DEFAULT = "iptables"
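Review bot: `SYSTEMD_SERVICE:${PN} += "watch-resolvconf.path"` registers a unit that this append neither lists in `SRC_URI` nor installs; `do_install:append()` only copies NetworkManager.conf. The recipe further down this page that installs systemd/watch-resolvconf.path also names it in its own `SYSTEMD_SERVICE`, so enable the unit from one recipe only, the one that ships the file.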

View File

@ -1,4 +0,0 @@
# For blueprint-compiler-native to work
EXTRA_OEMESON:remove:class-native = "-Dintrospection=disabled"
EXTRA_OEMESON:append:class-native = " -Dintrospection=enabled"

View File

@ -1,42 +0,0 @@
PACKAGECONFIG:remove = "avahi jack libcamera webrtc-echo-cancelling libusb systemd-system-service v4l2"
FILES:${PN} += "\
${sysconfdir}/systemd/user/default.target.wants/filter-chain.service \
${sysconfdir}/systemd/user/default.target.wants/pipewire.service \
${sysconfdir}/systemd/user/sockets.target.wants/pipewire.socket \
"
FILES:${PN}-pulse += "\
${sysconfdir}/systemd/user/default.target.wants/pipewire-pulse.service \
${sysconfdir}/systemd/user/sockets.target.wants/pipewire-pulse.socket \
"
do_install:append() {
install -d ${D}${sysconfdir}/systemd/user/default.target.wants
install -d ${D}${sysconfdir}/systemd/user/sockets.target.wants
# filter-chain.service
# [Install]
# WantedBy=default.target
ln -sf ${systemd_user_unitdir}/filter-chain.service ${D}${sysconfdir}/systemd/user/default.target.wants/filter-chain.service
# pipewire.socket
# [Install]
# WantedBy=sockets.target
ln -sf ${systemd_user_unitdir}/pipewire.socket ${D}${sysconfdir}/systemd/user/sockets.target.wants/pipewire.socket
# pipewire.service
# [Install]
# WantedBy=default.target
ln -sf ${systemd_user_unitdir}/pipewire.service ${D}${sysconfdir}/systemd/user/default.target.wants/pipewire.service
# pipewire-pulse.socket
# [Install]
# WantedBy=sockets.target
ln -sf ${systemd_user_unitdir}/pipewire-pulse.socket ${D}${sysconfdir}/systemd/user/sockets.target.wants/pipewire-pulse.socket
# pipewire-pulse.service
# [Install]
# WantedBy=default.target
ln -sf ${systemd_user_unitdir}/pipewire-pulse.service ${D}${sysconfdir}/systemd/user/default.target.wants/pipewire-pulse.service
}

View File

@ -1,2 +0,0 @@
PACKAGECONFIG = "pango drm gtk"

View File

@ -1,6 +0,0 @@
RDEPENDS:pulseaudio-server:remove = "pulseaudio-module-console-kit"
RDEPENDS:remove = "pulseaudio-module-x11-cork-request \
pulseaudio-module-x11-publish \
pulseaudio-module-x11-xsmp \
"
PACKAGECONFIG:remove = "x11"

View File

@ -1,5 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/readline:"
SRC_URI += "\
file://inputrc \
"

View File

@ -1,245 +0,0 @@
From 14cd68b1fdd3a16a3aa2892f9216096bea02173d Mon Sep 17 00:00:00 2001
From: isa <isa@subgraph.com>
Date: Thu, 11 Jul 2024 18:58:40 +0000
Subject: [PATCH] Modify systemd to use localtime in /storage/citadel-state
Upstream-Status: Inappropriate [citadel specific]
---
src/basic/time-util.c | 4 ++--
src/core/manager.c | 18 +++++++++---------
src/core/manager.h | 2 +-
src/core/unit.h | 2 +-
src/firstboot/firstboot.c | 20 ++++++++++----------
src/timedate/timedated.c | 12 ++++++------
units/systemd-timedated.service.in | 2 +-
7 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/src/basic/time-util.c b/src/basic/time-util.c
index f9014dc560..bab1db4224 100644
--- a/src/basic/time-util.c
+++ b/src/basic/time-util.c
@@ -1612,7 +1612,7 @@ int get_timezone(char **ret) {
assert(ret);
- r = readlink_malloc("/etc/localtime", &t);
+ r = readlink_malloc("/storage/citadel-state/localtime", &t);
if (r == -ENOENT) {
/* If the symlink does not exist, assume "UTC", like glibc does */
z = strdup("UTC");
@@ -1625,7 +1625,7 @@ int get_timezone(char **ret) {
if (r < 0)
return r; /* returns EINVAL if not a symlink */
- e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
+ e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../../usr/share/zoneinfo/");
if (!e)
return -EINVAL;
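Review bot: the second argument to `PATH_STARTSWITH_SET` replaces `"../usr/share/zoneinfo/"` rather than being added alongside it, so a link whose target still uses the one-level relative form now falls through to `return -EINVAL`. If links in that form can exist on an upgraded system, keep the old prefix in the set as a third entry; if not, a one-line comment saying the old form is rejected on purpose would help the next reader.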
diff --git a/src/core/manager.c b/src/core/manager.c
index 88eebfc626..59c4dbbae1 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -412,9 +412,9 @@ static int manager_read_timezone_stat(Manager *m) {
assert(m);
- /* Read the current stat() data of /etc/localtime so that we detect changes */
- if (lstat("/etc/localtime", &st) < 0) {
- log_debug_errno(errno, "Failed to stat /etc/localtime, ignoring: %m");
+ /* Read the current stat() data of /storage/citadel-state/localtime so that we detect changes */
+ if (lstat("/storage/citadel-state/localtime", &st) < 0) {
+ log_debug_errno(errno, "Failed to stat /storage/citadel-state/localtime, ignoring: %m");
changed = m->etc_localtime_accessible;
m->etc_localtime_accessible = false;
} else {
@@ -439,7 +439,7 @@ static int manager_setup_timezone_change(Manager *m) {
if (MANAGER_IS_TEST_RUN(m))
return 0;
- /* We watch /etc/localtime for three events: change of the link count (which might mean removal from /etc even
+ /* We watch /storage/citadel-state/localtime for three events: change of the link count (which might mean removal from /etc even
* though another link might be kept), renames, and file close operations after writing. Note we don't bother
* with IN_DELETE_SELF, as that would just report when the inode is removed entirely, i.e. after the link count
* went to zero and all fds to it are closed.
@@ -450,14 +450,14 @@ static int manager_setup_timezone_change(Manager *m) {
* Note that we create the new event source first here, before releasing the old one. This should optimize
* behaviour as this way sd-event can reuse the old watch in case the inode didn't change. */
- r = sd_event_add_inotify(m->event, &new_event, "/etc/localtime",
+ r = sd_event_add_inotify(m->event, &new_event, "/storage/citadel-state/localtime",
IN_ATTRIB|IN_MOVE_SELF|IN_CLOSE_WRITE|IN_DONT_FOLLOW, manager_dispatch_timezone_change, m);
if (r == -ENOENT) {
/* If the file doesn't exist yet, subscribe to /etc instead, and wait until it is created either by
* O_CREATE or by rename() */
- log_debug_errno(r, "/etc/localtime doesn't exist yet, watching /etc instead.");
- r = sd_event_add_inotify(m->event, &new_event, "/etc",
+ log_debug_errno(r, "/storage/citadel-state/localtime doesn't exist yet, watching /storage/citadel-state instead.");
+ r = sd_event_add_inotify(m->event, &new_event, "/storage/citadel-state",
IN_CREATE|IN_MOVED_TO|IN_ONLYDIR, manager_dispatch_timezone_change, m);
}
if (r < 0)
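Review bot: in the `-ENOENT` fallback the directory watch moves from /etc, which always exists when PID 1 starts, to /storage/citadel-state, which the tmpfiles.d entry on this page (`d /storage/citadel-state 0755 root root`) only creates later in boot. If the directory is missing at this point the second `sd_event_add_inotify` fails as well and control reaches `if (r < 0)`; check that this path only logs, and that something re-arms the watch once the directory exists. The comment above the fallback still reads "subscribe to /etc instead" and should change with the code.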
@@ -3173,13 +3173,13 @@ static int manager_dispatch_timezone_change(
int changed;
Unit *u;
- log_debug("inotify event for /etc/localtime");
+ log_debug("inotify event for /storage/citadel-state/localtime");
changed = manager_read_timezone_stat(m);
if (changed <= 0)
return changed;
- /* Something changed, restart the watch, to ensure we watch the new /etc/localtime if it changed */
+ /* Something changed, restart the watch, to ensure we watch the new /storage/citadel-state/localtime if it changed */
(void) manager_setup_timezone_change(m);
/* Read the new timezone */
diff --git a/src/core/manager.h b/src/core/manager.h
index d96eb7b995..68066cac50 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -370,7 +370,7 @@ struct Manager {
unsigned gc_marker;
- /* The stat() data the last time we saw /etc/localtime */
+ /* The stat() data the last time we saw /storage/citadel-state/localtime */
usec_t etc_localtime_mtime;
bool etc_localtime_accessible;
diff --git a/src/core/unit.h b/src/core/unit.h
index 60bc2e3d35..c19af861f9 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -713,7 +713,7 @@ typedef struct UnitVTable {
/* Called whenever CLOCK_REALTIME made a jump */
void (*time_change)(Unit *u);
- /* Called whenever /etc/localtime was modified */
+ /* Called whenever /storage/citadel-state/localtime was modified */
void (*timezone_change)(Unit *u);
/* Returns the next timeout of a unit */
diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
index d4029272de..5bc0976f63 100644
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@@ -606,15 +606,15 @@ static int process_timezone(int rfd) {
assert(rfd >= 0);
- pfd = chase_and_open_parent_at(rfd, "/etc/localtime",
+ pfd = chase_and_open_parent_at(rfd, "/storage/citadel-state/localtime",
CHASE_AT_RESOLVE_IN_ROOT|CHASE_MKDIR_0755|CHASE_WARN|CHASE_NOFOLLOW,
&f);
if (pfd < 0)
- return log_error_errno(pfd, "Failed to chase /etc/localtime: %m");
+ return log_error_errno(pfd, "Failed to chase /storage/citadel-state/localtime: %m");
r = should_configure(pfd, f);
if (r == 0)
- log_debug("Found /etc/localtime, assuming timezone has been configured.");
+ log_debug("Found /storage/citadel-state/localtime, assuming timezone has been configured.");
if (r <= 0)
return r;
@@ -625,16 +625,16 @@ static int process_timezone(int rfd) {
if (arg_copy_timezone && r == 0) {
_cleanup_free_ char *s = NULL;
- r = readlink_malloc("/etc/localtime", &s);
+ r = readlink_malloc("/storage/citadel-state/localtime", &s);
if (r != -ENOENT) {
if (r < 0)
- return log_error_errno(r, "Failed to read host's /etc/localtime: %m");
+ return log_error_errno(r, "Failed to read host's /storage/citadel-state/localtime: %m");
r = symlinkat_atomic_full(s, pfd, f, /* make_relative= */ false);
if (r < 0)
- return log_error_errno(r, "Failed to create /etc/localtime symlink: %m");
+ return log_error_errno(r, "Failed to create /storage/citadel-state/localtime symlink: %m");
- log_info("Copied host's /etc/localtime.");
+ log_info("Copied host's /storage/citadel-state/localtime.");
return 0;
}
}
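Review bot: with `arg_copy_timezone` set, `readlink_malloc` now reads /storage/citadel-state/localtime on the host side too, and the log text says "host's /storage/citadel-state/localtime". A host that is not Citadel keeps its zone in /etc/localtime, so the read returns `-ENOENT` and the block is skipped without copying anything. If the copy option is meant to work from an ordinary host, keep the host-side read on /etc/localtime and change only the destination.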
@@ -650,9 +650,9 @@ static int process_timezone(int rfd) {
r = symlinkat_atomic_full(e, pfd, f, /* make_relative= */ false);
if (r < 0)
- return log_error_errno(r, "Failed to create /etc/localtime symlink: %m");
+ return log_error_errno(r, "Failed to create /storage/citadel-state/localtime symlink: %m");
- log_info("/etc/localtime written");
+ log_info("/storage/citadel-state/localtime written");
return 0;
}
@@ -1223,7 +1223,7 @@ static int process_reset(int rfd) {
"/etc/hostname",
"/etc/machine-id",
"/etc/kernel/cmdline",
- "/etc/localtime") {
+ "/storage/citadel-state/localtime") {
r = reset_one(rfd, p);
if (r < 0)
return r;
diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
index c7be30f563..334e5e251e 100644
--- a/src/timedate/timedated.c
+++ b/src/timedate/timedated.c
@@ -276,9 +276,9 @@ static int context_read_data(Context *c) {
r = get_timezone(&t);
if (r == -EINVAL)
- log_warning_errno(r, "/etc/localtime should be a symbolic link to a time zone data file in /usr/share/zoneinfo/.");
+ log_warning_errno(r, "/storage/citadel-state/localtime should be a symbolic link to a time zone data file in /usr/share/zoneinfo/.");
else if (r < 0)
- log_warning_errno(r, "Failed to get target of /etc/localtime: %m");
+ log_warning_errno(r, "Failed to get target of /storage/citadel-state/localtime: %m");
free_and_replace(c->zone, t);
@@ -302,22 +302,22 @@ static int context_write_data_timezone(Context *c) {
if (access("/usr/share/zoneinfo/UTC", F_OK) < 0) {
- if (unlink("/etc/localtime") < 0 && errno != ENOENT)
+ if (unlink("/storage/citadel-state/localtime") < 0 && errno != ENOENT)
return -errno;
return 0;
}
- source = "../usr/share/zoneinfo/UTC";
+ source = "../../usr/share/zoneinfo/UTC";
} else {
- p = path_join("../usr/share/zoneinfo", c->zone);
+ p = path_join("../../usr/share/zoneinfo", c->zone);
if (!p)
return -ENOMEM;
source = p;
}
- return symlink_atomic(source, "/etc/localtime");
+ return symlink_atomic(source, "/storage/citadel-state/localtime");
}
static int context_write_data_local_rtc(Context *c) {
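Review bot: `source` and the `path_join` prefix now hard-code `../../usr/share/zoneinfo`, which resolves correctly only because /storage/citadel-state sits two levels below /. `get_timezone` in the time-util.c hunk already accepts the absolute `/usr/share/zoneinfo/` prefix, so writing an absolute target here would remove the depth dependency. `symlink_atomic` also needs /storage/citadel-state to exist, so confirm timedated cannot be invoked before that directory is created.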
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 00f6643ba7..9be4010576 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -31,7 +31,7 @@ ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
-ReadWritePaths=/etc
+ReadWritePaths=/storage/citadel-state
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
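Review bot: `ReadWritePaths=/storage/citadel-state` under `ProtectSystem=strict` narrows what timedated can write, but it also leaves /etc read-only for the service. Confirm nothing else it writes lives there; `context_write_data_local_rtc`, visible at the end of the timedated.c hunk, is the place to check. A `ReadWritePaths=` entry that does not exist makes the unit fail at start unless it is prefixed with `-`, so either add the prefix or order the service after the step that creates the directory.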

View File

@ -1,22 +0,0 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
RDEPENDS:${PN}:remove = "systemd-serialgetty"
RDEPENDS:${PN}:remove = "volatile-binds"
RDEPENDS:${PN}:remove = "update-rc.d"
ALTERNATIVE:${PN}:remove = "resolv-conf"
GROUPADD_PARAM:${PN} += "-r wheel; -r kvm; -r render"
PACKAGECONFIG = "\
efi acl ldconfig pam usrmerge rfkill backlight binfmt hostnamed localed logind machined myhostname \
nss polkit randomseed seccomp timedated utmp timesyncd kmod sysusers gshadow cryptsetup cgroupv2 \
"
do_install:append() {
rm -f ${D}${sysconfdir}/tmpfiles.d/00-create-volatile.conf
ln -s rescue.target ${D}${systemd_unitdir}/system/kbrequest.target
}
SRC_URI += " \
file://0001-Modify-systemd-to-use-localtime-in-storage-citadel-s.patch \
"
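Review bot: `ln -s rescue.target ${D}${systemd_unitdir}/system/kbrequest.target` in `do_install:append()` has no comment. kbrequest.target is the unit systemd starts when Alt+ArrowUp is pressed on the console, so this link lets anyone at the local keyboard request rescue mode; say why that is wanted and how the rescue shell is protected. The `rm -f` of 00-create-volatile.conf just above it would benefit from a one-line reason as well.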

View File

@ -1,5 +0,0 @@
pkg_postinst:${PN}() {
etc_lt="$D${sysconfdir}/localtime"
ln -sf ../storage/citadel-state/localtime $etc_lt
}
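Review bot: `$etc_lt` is used unquoted in `ln -sf ../storage/citadel-state/localtime $etc_lt`; quote it. The link also dangles until something creates /storage/citadel-state/localtime, and the tmpfiles.d lines visible on this page create the directory and resolv.conf but no localtime, so add a comment saying the UTC fallback on first boot is expected.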

View File

@ -1 +0,0 @@
EXTRA_OECONF:append = " --disable-raw"

View File

@ -1,14 +0,0 @@
PACKAGECONFIG:remove = "systemd-system-service"
do_install:append() {
install -d ${D}${sysconfdir}/systemd/user/pipewire.service.wants
# wireplumber.service
# [Install]
# WantedBy=pipewire.service
ln -sf ${systemd_user_unitdir}/wireplumber.service ${D}${sysconfdir}/systemd/user/pipewire.service.wants/wireplumber.service
# Alias=pipewire-session-manager.service
ln -sf ${systemd_user_unitdir}/wireplumber.service ${D}${sysconfdir}/systemd/user/pipewire-session-manager.service
}

View File

@ -9,30 +9,23 @@ S = "${WORKDIR}"
SRC_URI = "\
file://gsettings/90_citadel.gschema.override \
file://gsettings/com.subgraph.RealmConfig.gschema.xml \
file://dconf/build.d/realms.d/initial-realm-dconf.conf \
file://dconf/build.d/citadel.d/citadel-dconf.conf \
file://dconf/build.d/initial-realm-dconf.conf \
"
inherit allarch gsettings
# Build the binary dconf database which is installed by default into each new realm
do_compile() {
mkdir -p ${WORKDIR}/dconf-output
# Build the binary dconf database which is installed by default into each new realm
dconf compile ${WORKDIR}/dconf-output/user ${S}/dconf/build.d/realms.d/
# Build the binary dconf database which is installed by default into /home/citadel
dconf compile ${WORKDIR}/dconf-output/citadel ${S}/dconf/build.d/citadel.d/
dconf compile ${WORKDIR}/dconf-output/user ${S}/dconf/build.d
}
do_install() {
install -d ${D}${datadir}/glib-2.0/schemas
install -d ${D}${sysconfdir}/skel/.config/dconf
install -m 0755 -d ${D}${datadir}/factory/storage/citadel-state/citadel-dconf
install -m 644 ${S}/gsettings/90_citadel.gschema.override ${D}${datadir}/glib-2.0/schemas
install -m 644 ${S}/gsettings/com.subgraph.RealmConfig.gschema.xml ${D}${datadir}/glib-2.0/schemas
install -m 644 ${WORKDIR}/dconf-output/user ${D}${sysconfdir}/skel/.config/dconf
install -m 644 ${WORKDIR}/dconf-output/citadel ${D}${datadir}/factory/storage/citadel-state/citadel-dconf/user
}
FILES:${PN} = "/"
FILES_${PN} = "/"

View File

@ -8,8 +8,10 @@ DEPENDS = ""
S = "${WORKDIR}"
DEFAULT_REALM_UNITS = "\
file://systemd/citadel-launch-default-realm.path \
file://systemd/citadel-launch-default-realm.service \
file://systemd/launch-default-realm.path \
file://systemd/launch-default-realm.service \
file://systemd/watch-run-user.path \
file://systemd/watch-run-user.service \
"
MODPROBE_CONFIG = "\
@ -23,11 +25,12 @@ SYSCTL_CONFIG = "\
UDEV_RULES = "\
file://udev/citadel-network.rules \
file://udev/pci-pm.rules \
file://udev/udisks2-hide.rules \
file://udev/scsi-alpm.rules \
"
DEFAULT_PASSWORD = "\
file://citadel-setpassword.sh \
file://systemd/citadel-setpassword.service \
IPTABLES_RULES = "\
file://iptables/empty-filter.rules \
file://iptables/iptables.rules \
"
SRC_URI = "\
@ -36,49 +39,41 @@ SRC_URI = "\
file://fstab \
file://sudo-citadel \
file://citadel-ifconfig.sh \
file://citadel-setpassword.sh \
file://00-storage-tmpfiles.conf \
file://NetworkManager.conf \
file://share/dot.bashrc \
file://share/dot.profile \
file://share/dot.vimrc \
file://polkit/citadel.rules \
file://polkit/gnome-control-center.rules \
file://citadel-installer.session \
file://citadel-installer.json \
file://citadel-installer.desktop \
file://citadel-installer-ui.desktop \
file://iptables-flush.sh \
file://systemd/zram-swap.service \
file://systemd/iptables.service \
file://systemd/sway-session-switcher.service \
file://systemd/x11-session-switcher.service \
file://systemd/citadel-installer-backend.service \
file://systemd/installer-session-switcher.service \
file://systemd/user/gnome-session@citadel-installer.target.d/session.conf \
file://icons/citadel-installer.svg \
file://systemd/watch-resolvconf.service \
file://systemd/watch-resolvconf.path \
file://systemd/citadel-setpassword.service \
file://skel/profile \
file://skel/bashrc \
file://skel/vimrc \
file://skel/init.vim \
file://apt-cacher-ng/acng.conf \
file://apt-cacher-ng/security.conf \
file://iwd/main.conf \
file://pulse/cookie \
${DEFAULT_REALM_UNITS} \
${MODPROBE_CONFIG} \
${SYSCTL_CONFIG} \
${UDEV_RULES} \
${DEFAULT_PASSWORD} \
${IPTABLES_RULES} \
"
USERADD_PACKAGES = "${PN}"
USERADD_PARAM:${PN} = "-m -u 1000 -G wheel -s /bin/bash citadel"
USERADD_PARAM_${PN} = "-m -u 1000 -s /bin/bash citadel"
INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
# for citadel-ifconfig.sh
RDEPENDS:${PN} = "bash"
# for citadel-ifconfig.sh citadel-setpassword.sh
RDEPENDS_${PN} = "bash wireless-regdb-static"
inherit allarch systemd useradd
SYSTEMD_SERVICE:${PN} = "zram-swap.service citadel-launch-default-realm.path x11-session-switcher.service citadel-installer-backend.service installer-session-switcher.service citadel-setpassword.service watch-resolvconf.service watch-resolvconf.path"
SYSTEMD_SERVICE_${PN} = "zram-swap.service watch-run-user.path iptables.service sway-session-switcher.service x11-session-switcher.service citadel-setpassword.service"
do_install() {
install -m 0755 -d ${D}/storage
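Review bot: the two `USERADD_PARAM` lines differ only in `-G wheel`, so on one side of this compare uid 1000 `citadel` is outside the wheel group that the systemd append on this page creates with `GROUPADD_PARAM`. Since this recipe also installs sudoers.d/citadel and polkit/citadel.rules, check which of those rules key on wheel membership and state the intended privilege level of the `citadel` user in a comment next to the assignment.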
@ -86,104 +81,69 @@ do_install() {
install -d ${D}${libdir}/sysctl.d
install -m 0755 -d ${D}${libexecdir}
install -m 0755 -d ${D}${sysconfdir}/profile.d
install -m 0755 -d ${d}${sysconfdir}/skel
install -m 0755 -d ${D}${sysconfdir}/skel/.config
install -m 0755 -d ${D}${sysconfdir}/skel/.config/nvim
install -m 0755 -d ${D}${sysconfdir}/skel
install -m 0755 -d ${D}${sysconfdir}/tmpfiles.d
install -m 0755 -d ${D}${sysconfdir}/udev/rules.d
install -m 0755 -d ${D}${sysconfdir}/NetworkManager
install -m 0755 -d ${D}${sysconfdir}/polkit-1/rules.d
install -m 0755 -d ${D}${sysconfdir}/modprobe.d
install -m 0755 -d ${D}${sysconfdir}/sudoers.d
install -m 0755 -d ${D}${sysconfdir}/iwd
install -m 0755 -d ${D}${datadir}/factory/home/root
install -m 0755 -d ${D}${datadir}/factory/home/citadel
install -m 0755 -d ${D}${datadir}/factory/home/citadel/.local/share/applications
install -m 0755 -d ${D}${datadir}/factory/home/citadel/.config/pulse
install -m 0755 -d ${D}${datadir}/iptables
install -m 0755 -d ${D}${datadir}/factory/skel
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
install -m 0755 -d ${D}${datadir}/citadel
install -m 0755 -d ${D}${datadir}/gnome-session/sessions
install -m 0755 -d ${D}${datadir}/gnome-shell/modes
install -m 0755 -d ${D}${datadir}/applications
install -m 0755 -d ${D}${datadir}/wayland-sessions
install -m 0644 ${WORKDIR}/locale.conf ${D}${sysconfdir}/locale.conf
install -m 0644 ${WORKDIR}/environment.sh ${D}${sysconfdir}/profile.d/environment.sh
install -m 0644 ${WORKDIR}/fstab ${D}${sysconfdir}/fstab
install -m 0440 ${WORKDIR}/sudo-citadel ${D}${sysconfdir}/sudoers.d/citadel
install -m 0644 ${WORKDIR}/00-storage-tmpfiles.conf ${D}${sysconfdir}/tmpfiles.d
#install -m 0644 ${WORKDIR}/NetworkManager.conf ${D}${sysconfdir}/NetworkManager
install -m 0644 ${WORKDIR}/NetworkManager.conf ${D}${sysconfdir}/NetworkManager
install -d ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/zram-swap.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/iptables.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/sway-session-switcher.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/x11-session-switcher.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/citadel-installer-backend.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/installer-session-switcher.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/watch-resolvconf.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/watch-resolvconf.path ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/citadel-setpassword.service ${D}${systemd_system_unitdir}
install -m 0754 ${WORKDIR}/citadel-setpassword.sh ${D}${libexecdir}
install -d ${D}${systemd_user_unitdir}/gnome-session@citadel-installer.target.d
install -m 644 ${WORKDIR}/systemd/user/gnome-session@citadel-installer.target.d/session.conf ${D}${systemd_user_unitdir}/gnome-session@citadel-installer.target.d
install -m 644 ${WORKDIR}/systemd/citadel-launch-default-realm.path ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/citadel-launch-default-realm.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/watch-run-user.path ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/watch-run-user.service ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/launch-default-realm.path ${D}${systemd_system_unitdir}
install -m 644 ${WORKDIR}/systemd/launch-default-realm.service ${D}${systemd_system_unitdir}
# skel files for new realms
install -m 644 -T ${WORKDIR}/skel/profile ${D}${sysconfdir}/skel/.profile
install -m 644 -T ${WORKDIR}/skel/bashrc ${D}${sysconfdir}/skel/.bashrc
install -m 644 -T ${WORKDIR}/skel/vimrc ${D}${sysconfdir}/skel/.vimrc
install -m 644 -T ${WORKDIR}/skel/init.vim ${D}${sysconfdir}/skel/.config/nvim/init.vim
install -m 0644 ${WORKDIR}/sysctl/90-citadel-sysctl.conf ${D}${libdir}/sysctl.d/
install -m 0644 ${WORKDIR}/udev/citadel-network.rules ${D}${sysconfdir}/udev/rules.d/
install -m 0755 ${WORKDIR}/citadel-ifconfig.sh ${D}${libexecdir}
install -m 0754 ${WORKDIR}/citadel-setpassword.sh ${D}${libexecdir}
install -m 0644 ${WORKDIR}/udev/pci-pm.rules ${D}${sysconfdir}/udev/rules.d/
install -m 0644 ${WORKDIR}/udev/udisks2-hide.rules ${D}${sysconfdir}/udev/rules.d/
install -m 0644 ${WORKDIR}/udev/scsi-alpm.rules ${D}${sysconfdir}/udev/rules.d/
install -m 0644 ${WORKDIR}/citadel-installer.session ${D}${datadir}/gnome-session/sessions/
install -m 0644 ${WORKDIR}/citadel-installer.json ${D}${datadir}/gnome-shell/modes/
install -m 0644 ${WORKDIR}/citadel-installer-ui.desktop ${D}${datadir}/applications/
install -m 0644 ${WORKDIR}/citadel-installer.desktop ${D}${datadir}/wayland-sessions/
install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${datadir}/factory/home/root/.bashrc
install -m 0644 ${WORKDIR}/share/dot.profile ${D}${datadir}/factory/home/root/.profile
install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${datadir}/factory/home/root/.vimrc
install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${datadir}/factory/home/citadel/.bashrc
install -m 0644 ${WORKDIR}/share/dot.profile ${D}${datadir}/factory/home/citadel/.profile
install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${datadir}/factory/home/citadel/.vimrc
# To avoid these warnings:
#
# [pulseaudio] authkey.c: Failed to open cookie file '/home/citadel/.config/pulse/cookie': No such file or directory
#
install -m 0600 ${WORKDIR}/pulse/cookie ${D}${datadir}/factory/home/citadel/.config/pulse/cookie
install -m 0644 ${WORKDIR}/iptables/iptables.rules ${D}${datadir}/iptables/
install -m 0644 ${WORKDIR}/iptables/empty-filter.rules ${D}${datadir}/iptables/
install -m 0644 ${WORKDIR}/iptables-flush.sh ${D}${datadir}/iptables/
install -m 0644 ${WORKDIR}/share/dot.bashrc ${D}${datadir}/factory/skel/.bashrc
install -m 0644 ${WORKDIR}/share/dot.profile ${D}${datadir}/factory/skel/.profile
install -m 0644 ${WORKDIR}/share/dot.vimrc ${D}${datadir}/factory/skel/.vimrc
install -m 0644 ${WORKDIR}/polkit/citadel.rules ${D}${sysconfdir}/polkit-1/rules.d/
install -m 0644 ${WORKDIR}/polkit/gnome-control-center.rules ${D}${sysconfdir}/polkit-1/rules.d/
install -m 0644 ${WORKDIR}/modprobe.d/audio_powersave.conf ${D}${sysconfdir}/modprobe.d/
install -m 0644 ${WORKDIR}/iwd/main.conf ${D}${sysconfdir}/iwd/
install -d ${D}${datadir}/apt-cacher-ng/conf
install -m 0644 ${WORKDIR}/apt-cacher-ng/acng.conf ${D}${datadir}/apt-cacher-ng/conf/
install -m 0644 ${WORKDIR}/apt-cacher-ng/security.conf ${D}${datadir}/apt-cacher-ng/conf/
# icons
mkdir ${D}${datadir}/icons/
install -m 0644 ${WORKDIR}/icons/citadel-installer.svg ${D}${datadir}/icons/
# This probably belongs in lvm2 recipe
install -d ${D}${systemd_system_unitdir}/sysinit.target.wants
ln -s ../lvm2-lvmetad.socket ${D}${systemd_system_unitdir}/sysinit.target.wants/lvm2-lvmetad.socket
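
Review bot: the `install -m 0600 ${WORKDIR}/pulse/cookie` line ships a PulseAudio cookie from the recipe's own files, so if that file is not empty every installation shares the same authentication cookie and anyone with the image or the source tree knows it. The comment says the goal is only to silence the missing-cookie warning; creating the `.config/pulse` directory and letting PulseAudio generate the cookie on first run, or documenting that the shipped file is deliberately empty, would make that clear. Separately, `citadel-setpassword.sh` is installed with mode 0754 while `citadel-ifconfig.sh` next to it gets 0755; if the difference is intentional it needs a comment. `mkdir ${D}${datadir}/icons/` fails when the directory already exists; `install -d` matches the rest of the function.
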
@ -200,4 +160,4 @@ do_install() {
install -d ${D}/opt/share
}
FILES:${PN} = "/"
FILES_${PN} = "/"

View File

@ -1,14 +1,19 @@
C /var/lib/AccountsService
C /var/lib/NetworkManager
C /var/lib/plymouth
C /var/lib/upower
d /storage/citadel-state 0755 root root
f /storage/citadel-state/resolv.conf 0644 root root
C /storage/citadel-state/citadel-dconf
Z /storage/citadel-state/citadel-dconf - citadel citadel
C /home
C /var/cache - - - -
C /var/lib/AccountsService - - - -
C /var/lib/NetworkManager - - - -
C /var/lib/colord - - - -
C /var/lib/dbus - - - -
C /var/lib/dhcp - - - -
C /var/lib/gdm - - - -
C /var/lib/plymouth - - - -
C /var/lib/upower - - - -
C /var/log - - - -
C /var/spool - - - -
C /home - - - -
C /home/citadel - - - -
C /home/root - - - -
d /storage/citadel-state/citadel-dconf 0755 citadel citadel
d /home/citadel/.config 0755 citadel citadel
L /home/citadel/.config/dconf - - - - /storage/citadel-state/citadel-dconf
Z /home/citadel - citadel citadel
f /storage/citadel-state/resolv.conf 0644 root root
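
Review bot: the two `d` lines for `/storage/citadel-state/citadel-dconf` and `/home/citadel/.config` use mode 0755, which leaves the user's dconf database and configuration directory listable and readable by every other account on the host. 0700 matches what these directories hold and costs nothing, since both are owned by `citadel`. The `Z /home/citadel - citadel citadel` line re-applies ownership recursively on each run, so a short comment on why that is needed (factory files copied in as root by the `C` lines) would help the next reader.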

View File

@ -1,8 +0,0 @@
[Desktop Entry]
Name=Citadel Installer
Comment=This session logs you into the Citadel Installer
Exec=/usr/libexec/citadel-installer-ui
TryExec=/usr/libexec/citadel-installer-ui
Icon=/usr/share/icons/citadel-installer.svg
Type=Application

View File

@ -1,6 +0,0 @@
[Desktop Entry]
Encoding=UTF-8
Type=Application
Name=Citadel Installer sessions
Comment=Session for the Citadel Installer
Exec=gnome-session --session=citadel-installer

View File

@ -1,9 +0,0 @@
{
"hasWindows": true,
"components": ["networkAgent"],
"panel": { "left": [],
"center": [],
"right": ["a11yGreeter", "keyboard", "aggregateMenu"]
}
}

View File

@ -1,7 +0,0 @@
# /usr/share/gnome-session/sessions/citadel-installer.session
[GNOME Session]
Name=Citadel Installer
RequiredComponents=citadel-installer-ui;org.gnome.Shell;org.gnome.SettingsDaemon.A11ySettings;org.gnome.SettingsDaemon.Color;org.gnome.SettingsDaemon.Datetime;org.gnome.SettingsDaemon.Housekeeping;org.gnome.SettingsDaemon.Keyboard;org.gnome.SettingsDaemon.MediaKeys;org.gnome.SettingsDaemon.Power;org.gnome.SettingsDaemon.PrintNotifications;org.gnome.SettingsDaemon.Rfkill;org.gnome.SettingsDaemon.ScreensaverProxy;org.gnome.SettingsDaemon.Smartcard;org.gnome.SettingsDaemon.Sound;org.gnome.SettingsDaemon.Wacom;org.gnome.SettingsDaemon.XSettings;

View File

@ -1,5 +1,36 @@
#!/bin/bash
if [ ! -f /storage/citadel-state/passwd ]; then
/usr/bin/echo -n "citadel:aadg8rGtZzOY6" > /storage/citadel-state/passwd
PF="/storage/citadel-state/passwd"
if [ -e "${PF}" ]; then
exit 0
fi
success=
for ((I = 0; I < 3; I++)); do
P1=
P2=
/usr/bin/plymouth display-message --text='Set new user password...'
/usr/bin/plymouth pause-progress
P1="$(/usr/bin/plymouth ask-for-password --prompt='Password')"
/usr/bin/plymouth unpause-progress
/usr/bin/plymouth pause-progress
P2="$(/usr/bin/plymouth ask-for-password --prompt='Confirm')"
if [ -n "${P1}" -a "${P1}" == "${P2}" ]; then
/usr/bin/plymouth unpause-progress
success=true
break;
fi
/usr/bin/plymouth display-message --text='Passwords do not match, try again...'
/usr/bin/plymouth unpause-progress
sleep 3
done
if [ -n "${success}" ]; then
crypt=$(echo -n "${P1}" | /usr/bin/mkpasswd -s -m sha-512)
echo "citadel:${crypt}" > ${PF}
chmod 444 "${PF}"
/usr/bin/plymouth display-message --text='Password set succesfully...'
else
/usr/bin/plymouth display-message --text='Failed to set password...'
fi
exit 0;
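
Review bot: the password hash file ends up world-readable: `echo "citadel:${crypt}" > ${PF}` creates it under the default umask and `chmod 444 "${PF}"` then keeps read access for everyone, so any local process can copy the SHA-512 crypt string and attack it offline. Set `umask 077` before the write and use 0400 unless a non-root reader really needs the file, and quote `${PF}` in the redirect. `echo -n "${P1}"` also mishandles a password that is exactly `-n` or `-e`, because bash's echo consumes it as an option; `printf '%s' "${P1}"` does not. The other side of this hunk writes the fixed string `citadel:aadg8rGtZzOY6`, which gives every image the same initial credential; it needs a comment saying where and when that value is replaced.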

View File

@ -1,16 +0,0 @@
[org/gnome/desktop/interface]
cursor-theme='Paper'
[org/gnome/settings-daemon/plugins/xsettings]
antialiasing='rgba'
[org/gnome/terminal/legacy/profiles:/:b1dcc9dd-5262-4d8d-a863-c897e6d979b9]
scrollbar-policy='never'
use-theme-colors=false
bold-color-same-as-fg=true
use-system-font=false
font='DejaVu Sans Mono 13'
[org/gnome/terminal/legacy]
theme-variant='dark'
default-show-menubar=false

View File

@ -1,16 +0,0 @@
[org/gnome/desktop/interface]
cursor-theme='Paper'
[org/gnome/settings-daemon/plugins/xsettings]
antialiasing='rgba'
[org/gnome/terminal/legacy/profiles:/:b1dcc9dd-5262-4d8d-a863-c897e6d979b9]
scrollbar-policy='never'
use-theme-colors=false
bold-color-same-as-fg=true
use-system-font=false
font='DejaVu Sans Mono 13'
[org/gnome/terminal/legacy]
theme-variant='dark'
default-show-menubar=false

View File

@ -3,8 +3,7 @@ natural-scroll=true
tap-to-click=true
[org.gnome.desktop.background]
picture-uri='file:///usr/share/backgrounds/gnome/truchet-l.jpg'
picture-uri-dark='file:///usr/share/backgrounds/gnome/truchet-d.jpg'
picture-uri='file:///usr/share/backgrounds/gnome/Icescape.jpg'
[org.gnome.desktop.screensaver]
picture-uri='file:////usr/share/gnome-control-center/pixmaps/noise-texture-light.png'
@ -19,21 +18,17 @@ autorun-x-content-start-app=[]
[org.gnome.desktop.lockdown]
disable-user-switching=true
disable-log-out=true
[org.gnome.desktop.interface]
cursor-theme='Paper'
icon-theme='Paper'
gtk-enable-primary-paste=false
clock-format='12h'
color-scheme='prefer-dark'
[org.gnome.shell]
enabled-extensions=['dash-to-panel@jderose9.github.com']
[org.gnome.settings-daemon.plugins.media-keys]
custom-keybindings=['/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/']
[org.gnome.settings-daemon.plugins.xsettings]
antialiasing='rgba'
@ -43,6 +38,7 @@ antialiasing='rgba'
[org.gnome.settings-daemon.plugins.power]
sleep-inactive-ac-timeout=0
[org.gnome.desktop.input-sources]
xkb-options=['ctrl:nocaps']

View File

@ -1,33 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<schemalist>
<schema id="com.subgraph.citadel" path="/com/subgraph/citadel/">
<key name="label-color-list" type="as">
<default>[
'rgb(153,193,241)',
'rgb(143,240,164)',
'rgb(249,240,107)',
'rgb(255,190,111)',
'rgb(246,97,81)',
'rgb(220,138,221)',
'rgb(205,171,143)'
]</default>
<summary />
</key>
<key name="realm-label-colors" type="as">
<default>['main:rgb(153,193,241)']</default>
</key>
<key name="realm-label-show-citadel" type="b">
<default>true</default>
<summary>Show label on Citadel windows</summary>
</key>
<key name="realm-label-show-all" type="b">
<default>false</default>
<summary>Show labels on all windows including windows belonging to current realm context</summary>
</key>
<key name="realm-label-show-app-icons" type="b">
<default>true</default>
<summary>Display labels above application icons in overview</summary>
</key>
</schema>
</schemalist>

View File

@ -1,153 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
width="64"
height="64"
version="1.1"
id="svg13"
sodipodi:docname="citadel-installer.svg"
inkscape:version="1.3 (0e150ed6c4, 2023-07-21)"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<defs
id="defs13" />
<sodipodi:namedview
id="namedview13"
pagecolor="#ffffff"
bordercolor="#000000"
borderopacity="0.25"
inkscape:showpageshadow="2"
inkscape:pageopacity="0.0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#d1d1d1"
inkscape:zoom="15.0625"
inkscape:cx="31.966805"
inkscape:cy="31.966805"
inkscape:window-width="3840"
inkscape:window-height="2090"
inkscape:window-x="0"
inkscape:window-y="34"
inkscape:window-maximized="1"
inkscape:current-layer="svg13" />
<rect
style="opacity:0.2;fill:#b6150c;fill-opacity:1"
width="56"
height="17"
x="4"
y="44"
rx="2.8"
ry="2.8"
id="rect1" />
<path
style="fill:#b60c12;fill-opacity:1;opacity:0.04"
d="m 18.25,4 h 27.5 C 50.3205,4 54,7.7045 54,12.275 V 46.65 c 0,4.5705 -3.6795,8.25 -8.25,8.25 H 18.25 C 13.6795,54.9 10,51.2205 10,46.65 V 12.275 C 10,7.7045 13.6795,4 18.25,4 Z"
id="path1" />
<path
style="opacity:0.1;fill:#b60c12;fill-opacity:1"
transform="matrix(2.2773394,0,0,1.2576563,-4.4374303,-4.805362)"
d="m 10.950248,26.084524 5.049752,0 5.049752,0 -2.524876,4.373214 L 16,34.830952 13.475124,30.457738 Z"
id="path2" />
<path
style="fill:#b6150c;fill-opacity:1"
transform="matrix(2.2773394,0,0,1.2576563,-4.4374303,-5.8053658)"
d="m 10.950248,26.084524 5.049752,0 5.049752,0 -2.524876,4.373214 L 16,34.830952 13.475124,30.457738 Z"
id="path3" />
<rect
style="opacity:0.8;fill:#b6150c;fill-opacity:1"
width="6"
height="6"
x="26"
y="9"
id="rect3" />
<rect
style="opacity:0.2;fill:#b6150c;fill-opacity:1"
width="6"
height="6"
x="32"
y="9"
id="rect4" />
<rect
style="opacity:0.4;fill:#b6150c;fill-opacity:1"
width="6"
height="6"
x="26"
y="15"
id="rect5" />
<rect
style="opacity:0.9;fill:#b6150c;fill-opacity:1"
width="6"
height="6"
x="32"
y="15"
id="rect6" />
<rect
style="fill:#b6150c;fill-opacity:1"
width="6"
height="6"
x="26"
y="21"
id="rect7" />
<rect
style="opacity:0.6;fill:#b6150c;fill-opacity:1"
width="6"
height="6"
x="32"
y="21"
id="rect8" />
<rect
style="fill:#b6150c;fill-opacity:1"
width="56"
height="17"
x="4"
y="43"
rx="2.8"
ry="2.8"
id="rect9" />
<rect
style="opacity:0.2"
width="22.4"
height="1"
x="12.4"
y="53"
id="rect10" />
<path
style="opacity:0.3"
d="M 51.5 47 A 4.5 4.5 0 0 0 47.267578 50 L 32.400391 50 L 32.400391 53 L 47.267578 53 A 4.5 4.5 0 0 0 51.5 56 A 4.5 4.5 0 0 0 56 51.5 A 4.5 4.5 0 0 0 51.5 47 z"
id="path10" />
<circle
style="opacity:0.2"
cx="12.5"
cy="52.5"
r="4.5"
id="circle10" />
<circle
style="fill:#ffffff"
cx="12.5"
cy="51.5"
r="4.5"
id="circle11" />
<rect
style="fill:#ffffff"
width="22.4"
height="3"
x="12.4"
y="50"
id="rect11" />
<circle
style="opacity:0.2"
cx="31.5"
cy="52.5"
r="4.5"
id="circle12" />
<circle
style="fill:#ffffff"
cx="31.5"
cy="51.5"
r="4.5"
id="circle13" />
<path
style="fill:#ffffff;opacity:0.2"
d="M 18.25 4 C 13.6795 4 10 7.7048906 10 12.275391 L 10 13.275391 C 10 8.7048906 13.6795 5 18.25 5 L 45.75 5 C 50.3205 5 54 8.7048906 54 13.275391 L 54 12.275391 C 54 7.7048906 50.3205 4 45.75 4 L 18.25 4 z"
id="path13" />
</svg>


View File

@ -0,0 +1,19 @@
#!/bin/bash
#
# Usage: iptables-flush [6]
#
iptables=ip$1tables
if ! type -p "$iptables" &>/dev/null; then
echo "error: invalid argument"
exit 1
fi
while read -r table; do
tables+=("/usr/share/iptables/empty-$table.rules")
done <"/proc/net/ip$1_tables_names"
if (( ${#tables[*]} )); then
cat "${tables[@]}" | "$iptables-restore"
fi
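
Review bot: the loop builds one `/usr/share/iptables/empty-$table.rules` path per entry in `/proc/net/ip$1_tables_names`, but the recipe's install lines copy only `empty-filter.rules`, so once another table is loaded `cat` hits a missing file and that table is left unflushed. The script still exits with the status of `"$iptables-restore"`, so the caller sees success. Ship an empty rules file for each table that can be loaded, or skip missing files and report them with a non-zero exit. `$1` is interpolated into both the command name and the /proc path after only a `type -p` check; testing it explicitly against the empty string and `6` would make the accepted input obvious, and the error message belongs on stderr.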

View File

@ -0,0 +1,6 @@
# Empty iptables rule file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

View File

@ -0,0 +1,9 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j DROP
COMMIT
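
Review bot: `-A INPUT -j DROP` is appended before the DHCP rule, so `-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT` can never match; rules in a chain are evaluated in order and the unconditional DROP ends traversal. Put the ACCEPT first, or remove the explicit DROP rule and declare the policy in the chain header as `:INPUT DROP [0:0]`. OUTPUT contains only `-A OUTPUT -j DROP`, so nothing in this file allows the outbound half of that exchange either. If the intent is that the host itself has no network access and only forwarded realm traffic passes, a comment at the top of the file should say so and the unreachable DHCP rule should go.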

View File

@ -1,13 +0,0 @@
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.locale1.set-locale" ||
action.id == "org.freedesktop.locale1.set-keyboard" ||
action.id == "org.freedesktop.ModemManager1.Device.Control" ||
action.id == "org.freedesktop.hostname1.set-static-hostname" ||
action.id == "org.freedesktop.hostname1.set-hostname" ||
action.id == "org.gnome.controlcenter.datetime.configure") &&
subject.local &&
subject.active &&
subject.isInGroup ("citadel")) {
return polkit.Result.YES;
}
});

View File

@ -1,30 +0,0 @@
syntax on
set hidden
"
" Settings
"
set noswapfile " Don't use swapfile
set splitright " Split vertical windows right to the current windows
set splitbelow " Split horizontal windows below to the current windows
set encoding=utf-8 " Set default encoding to UTF-8
set autowrite " Automatically save before :next, :make etc.
set autoread " Automatically reread changed files without asking me anything
set lazyredraw " Wait to redraw
set ignorecase " Search case insensitive...
set smartcase " ... but not when search pattern contains upper case characters
set ttyfast
set termguicolors
let &t_8f = "\<Esc>[38;2;%lu;%lu;%lum"
let &t_8b = "\<Esc>[48;2;%lu;%lu;%lum"
set rtp+=/opt/share/vim
if filereadable(expand("~/.base16vim"))
let base16colorspace=256
source ~/.base16vim
endif

View File

@ -1,12 +0,0 @@
[Unit]
Description=Citadel Installer Backend
ConditionKernelCommandLine=citadel.install
[Service]
ExecStart=/usr/libexec/citadel-install-backend
[Install]
WantedBy=graphical.target

View File

@ -1,11 +0,0 @@
[Unit]
Description=Wait for creation of PA and Wayland sockets before launching first realm.
Wants=run-user-1000.mount
After=run-user-1000.mount
[Path]
PathChanged=/run/user/1000/pulse/native
PathChanged=/run/user/1000/wayland-0
[Install]
WantedBy=graphical.target

View File

@ -2,9 +2,7 @@
Description=Citadel Set Password
After=storage.mount
Requires=storage.mount
After=gdm.service
ConditionPathExists=!/storage/citadel-state/passwd
ConditionKernelCommandLine=citadel.install
Before=gdm.service
[Service]
Type=oneshot
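
Review bot: the unit cannot distinguish a failed password setup from a successful one, because citadel-setpassword.sh ends in `exit 0` on both paths. With `Type=oneshot` and `Before=gdm.service`, boot carries on to the login screen even when no `/storage/citadel-state/passwd` was written. Return non-zero from the script's failure branch so the state shows up in `systemctl status`, and decide explicitly whether gdm should start in that case.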

View File

@ -0,0 +1,15 @@
[Unit]
Description=IPv4 Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /usr/share/iptables/iptables.rules
ExecReload=/sbin/iptables-restore /usr/share/iptables/iptables.rules
ExecStop=/bin/bash /usr/share/iptables/iptables-flush.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
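
Review bot: `ExecStop` runs iptables-flush.sh, which loads `empty-filter.rules` with all three chain policies set to ACCEPT, so stopping or restarting this unit leaves the host unfiltered until `ExecStart` has completed again. If fail-open on stop is intended, state it in a comment in the unit; otherwise point `ExecStop` at a rules file whose policies are DROP. `ExecReload` repeats the `ExecStart` command line, which is fine, but the rules path now appears twice and could be factored into an `Environment=` setting.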

View File

@ -0,0 +1,5 @@
[Unit]
Description=Wait for creation of /run/user/1000/pulse/native
[Path]
PathExists=/run/user/1000/pulse/native

View File

@ -1,14 +1,10 @@
[Unit]
Description=Launch default realm
ConditionPathExists=!/run/realms
ConditionPathExists=/realms/default.realm
ConditionPathExists=/run/user/1000/pulse/native
ConditionPathExists=/run/user/1000/wayland-0
[Service]
ExecStart=/usr/libexec/citadel-boot start-realms
Type=oneshot
RemainAfterExit=yes

View File

@ -1,15 +1,16 @@
[Unit]
Description=Citadel Installer Session Switcher
Description=Sway Session Switcher
After=accounts-daemon.service
Wants=accounts-daemon.service
ConditionKernelCommandLine=citadel.install
ConditionKernelCommandLine=|citadel.sway
[Service]
Type=oneshot
RemainAfterExit=no
ExecStart=/usr/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User SetXSession s "citadel-installer"
ExecStartPre=-/usr/bin/plymouth message --text="Setting session to sway"
ExecStart=/usr/bin/busctl call org.freedesktop.Accounts /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User SetXSession s "sway"
[Install]
WantedBy=graphical.target

View File

@ -1,20 +0,0 @@
[Unit]
# Must be in sync with citadel-installer.session
Wants=org.gnome.SettingsDaemon.A11ySettings.target
Wants=org.gnome.SettingsDaemon.Color.target
Wants=org.gnome.SettingsDaemon.Datetime.target
Wants=org.gnome.SettingsDaemon.Housekeeping.target
Wants=org.gnome.SettingsDaemon.Keyboard.target
Wants=org.gnome.SettingsDaemon.MediaKeys.target
Wants=org.gnome.SettingsDaemon.Power.target
Wants=org.gnome.SettingsDaemon.PrintNotifications.target
Wants=org.gnome.SettingsDaemon.Rfkill.target
Wants=org.gnome.SettingsDaemon.ScreensaverProxy.target
Wants=org.gnome.SettingsDaemon.Smartcard.target
Wants=org.gnome.SettingsDaemon.Sound.target
Wants=org.gnome.SettingsDaemon.Wacom.target
Wants=org.gnome.SettingsDaemon.XSettings.target
Requires=org.gnome.Shell.target

View File

@ -0,0 +1,10 @@
[Unit]
Description=Watch for creation of /run/user/1000
After=run-user-1000.mount
Requires=run-user-1000.mount
[Path]
PathExists=/run/user/1000
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,6 @@
[Unit]
Description=Watch run-user service
[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl --no-block start launch-default-realm.path

View File

@ -0,0 +1 @@
ACTION=="add", SUBSYSTEM=="scsi_host", KERNEL=="host*", ATTR{link_power_management_policy}="med_power_with_dipm"

View File

@ -1,5 +0,0 @@
KERNEL=="nbd*", ENV{UDISKS_IGNORE}="1"
KERNEL=="loop*", ENV{UDISKS_IGNORE}="1"
SYMLINK=="citadel/*", ENV{UDISKS_IGNORE}="1"
SYMLINK=="mapper/verity-*", ENV{UDISKS_IGNORE}="1"
SYMLINK=="mapper/rootfs", ENV{UDISKS_IGNORE}="1"

View File

@ -1,20 +0,0 @@
DESCRIPTION = "Citadel Yelp Documentation"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
inherit allarch
SRC_URI = "\
file://pages \
file://citadel-documentation.desktop \
"
do_install() {
install -m 0755 -d ${D}${datadir}/citadel-documentation
install -m 0755 -d ${D}${datadir}/applications
install -m 0644 ${WORKDIR}/pages/*.page ${D}${datadir}/citadel-documentation
install -m 0644 ${WORKDIR}/citadel-documentation.desktop ${D}${datadir}/applications
}
FILES:${PN} = "/"

View File

@ -1,9 +0,0 @@
[Desktop Entry]
Name=Citadel Documentation
Keywords=documentation;information;manual;help;
Categories=Core;Documentation;
Icon=help-browser
Exec=/usr/libexec/citadel-run yelp /opt/share/citadel-documentation
Type=Application
Terminal=false
StartupNotify=true

View File

@ -1,66 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<page xmlns="http://projectmallard.org/1.0/" type="topic" id="boot">
<info>
<link type="guide" xref="index#internals"/>
</info>
<title>Booting Citadel </title>
<section>
<title>Disk Layout</title>
<p>When Citadel is installed two disk partitions are created on the target disk.</p>
<screen>sda 8:0 0 477G 0 disk
├─sda1 8:1 0 511M 0 part
└─sda2 8:2 0 476.5G 0 part</screen>
<p>The first partition is an EFI boot partition and the second partition is LUKS encrypted
and contains multiple LVM volumes when decrypted.</p>
<screen>
/dev/sda1 /dev/sda2
[EFI ESP Boot partition] [ LUKS encrypted partition filling remainder of disk ]
. .
. .
. | .
. | .
. V .
. .
[ rootfsA ] [ rootfsB ] [ citadel-storage ]
</screen>
<p>There are three logical volumes. Two root filesystem partitions so that one partition
can be updated while the other one is in use, and the remaining space is contained
in a volume called 'storage'.</p>
<screen type="sh"># lvs
LV VG Attr LSize
rootfsA citadel -wi-a----- 2.00g
rootfsB citadel -wi-ao---- 2.00g
storage citadel -wi-ao---- 472.43g</screen>
<section>
<title>Bootloader</title>
<section>
<title>LUKS</title>
<p>The kernel initramfs has an /etc/crypttab file which guides the discovery of the LUKS partition.
The UUID of the LUKS partition is hardcoded to the value listed below. If citadel is installed
on more than one device on the system, the intended LUKS partition may not be chosen correctly.
This problem can be addressed by changing the UUID of other citadel LUKS partitions and passing
the UUID on kernel commandline to override /etc/crypttab. See systemd-cryptsetup-generator(8).</p>
<screen type="sh"># cat /etc/crypttab
luks UUID=683a17fc-4457-42cc-a946-cde67195a101 - discard</screen>
</section>
<section>
<title>Mounting rootfs</title>
<p>The initramfs boot stage is orchestrated by various systemd unit files which can be found
in the citadel source tree at:</p>
<screen>citadel/meta-citadel/recipes-initrd/citadel-initramfs</screen>
<p>The same kernel and initramfs is used for the installer image. One task of these unit files
is to set up a live mode boot when a certain kernel command line option is set. For a regular
boot, a pair of unit files will attempt to mount the root filesystem partition when it becomes
available:</p>
<screen>citadel-rootfs-mount.path
citadel-rootfs-mount.service</screen>
<p>The .path unit triggers every time /dev/mapper changes and the corresponding .service unit is
activated only when all of the LVM volumes inside</p>
<screen>ConditionPathExists=/dev/mapper/citadel-rootfsA
ConditionPathExists=/dev/mapper/citadel-rootfsB
ConditionPathExists=/dev/mapper/citadel-storage</screen>
</section>
</section>
</section>
</page>
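
Review bot: the last paragraph under "Mounting rootfs" stops mid-sentence ("activated only when all of the LVM volumes inside") just before the `ConditionPathExists` lines; the sentence needs finishing so the reader knows what condition the three paths express. The LUKS section says the partition UUID is hardcoded and that a second Citadel install on the same machine may be picked up instead; a short example of the kernel command line override it refers to would make that workaround usable.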

View File

@ -1,57 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<page xmlns="http://projectmallard.org/1.0/" type="topic" id="citadel">
<info>
<link type="guide" xref="index"/>
<desc>Introduction to Subgraph Citadel</desc>
</info>
<title>Subgraph Citadel</title>
<section>
<title>What is Citadel?</title>
<p>Citadel is the base operating system of the new version of Subgraph OS.</p>
<p>Citadel runs the GNOME desktop session and a few basic system services and
nothing else. It is built and distributed as a single static disk image
rather than as a collection of software packages like a traditional Linux
distribution such as Ubuntu or Fedora. Citadel disk images are built entirely
from the source code of the individual software components. This gives us
complete control over what is included and how each component is configured.</p>
<note style="advanced">
<p>Citadel is a modern desktop operating system based on the GNOME desktop, but if you
prefer we also include an tiling window manager called Sway as an alternative.</p>
</note>
<p>Since the Citadel root filesystem is immutable it is not possible to install
applications such as a web browser or text editor directly into Citadel.
Instead applications are run in a separate isolated environment called a Realm.</p>
<p>When Citadel is first installed a single primary Realm is created and while running
a single realm the system resembles and behaves similar to any other desktop Linux
system. The separation between Citadel and the realm in which user applications are
launched is mostly transparent to the user. However, a user may create as many new
realms as they like and each new realm behaves like a freshly installed Debian Linux
environment where the user may install packages and store files.</p>
<p>Realms are implemented in Subgraph OS as either containers or as virtual machines
running in a custom KVM hypervisor. Both approaches have advantages so the user is
free to choose either option for each realm they create.</p>
<note style="advanced">
<p>Hypervisor isolation is stronger and more secure, but container isolation uses
less system resources and makes it possible to access hardware devices and other
system features directly. A Citadel user can decide which configuration makes
more sense for each Realm they create.</p>
</note>
<section>
<title>Stateless Foundation</title>
<p>In the architecture of Citadel the building blocks of the system are
immutable filesystem images rather than packages. These images are mounted
read-only and this property is enforced with a Linux kernel feature (dm-verity)
which efficiently guarantees each block loaded from disk has a valid
cryptographic checksum. This means that Citadel always loads exactly the
operating system software prepared by Subgraph and rebooting the system will
always brings the computer into a known consistent state.</p>
<p>When Citadel is updated an entirely new image is loaded rather than applying
a set of changes on top of an existing filesystem. By atomically updating the
entire system from one version to the next there is only ever a single software
configuration to consider and the system can never end up in an inconsistent state.
System upgrades cannot break your computer in mysterious ways and even if an
upgrade fails to boot for some reason, the system simply reverts to the
previously working version.</p>
</section>
</section>
</page>

View File

@ -1,24 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<page xmlns="http://projectmallard.org/1.0/" type="topic" id="developer">
<info>
<link type="guide" xref="index#internals"/>
</info>
<title>Developer Guide</title>
<section>
<title>Make Root Filesystem Writable</title>
<p>Sometimes it can be useful to make changes directly to the citadel root filesystem to
experiment with changes or to debug a problem.</p>
<p>First <code>citadel.noverity</code> must be added to the kernel commandline. After booting with
this command line option verify that dm-verity has been disabled with the <code>dmsetup</code>
command.</p>
<screen># dmsetup status rootfs
0 4194304 linear</screen>
<p>If the output displays <code>verity</code> instead of <code>linear</code> then dm-verity is enabled
and the disk cannot be safely written to.</p>
<p>Next remount the root filesystem with read-write flag.</p>
<screen># mount -oremount,rw,noatime /</screen>
</section>
<section>
<title>Debugging GNOME startup</title>
</section>
</page>

View File

@ -1,184 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<page xmlns="http://projectmallard.org/1.0/" type="topic" id="disk-layout">
<info>
<link type="guide" xref="index#internals"/>
<desc>A Hands-on guide the Citadel Disk and Filesystem Layout</desc>
</info>
<title>Disk Layout</title>
<section>
<title>Partitions</title>
<p>During installation, two partitions are created on the disk chosen as
the target of the install.</p>
<p>For example, if the installation disk is <code>/dev/sda</code>:</p>
<terms>
<item>
<title><code>/dev/sda1</code></title>
<p>512MB EFI System Partition</p>
</item>
<item>
<title><code>/dev/sda2</code></title>
<p>Remainder of the disk</p>
</item>
</terms>
<p>The partition layout of a running system can be viewed by running the <code>lsblk</code> command.</p>
<screen>citadel:~ # lsblk /dev/sda
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 477G 0 disk
├─sda1 8:1 0 511M 0 part
└─sda2 8:2 0 476.5G 0 part
└─luks 252:0 0 476.4G 0 crypt
├─citadel-rootfsA 252:1 0 2G 0 lvm
│ └─rootfs 252:4 0 354M 1 crypt /
├─citadel-rootfsB 252:2 0 2G 0 lvm
└─citadel-storage 252:3 0 472.4G 0 lvm /storage</screen>
<p>Several further block devices are created during boot when the main disk partition
is decrypted.</p>
<screen>sda
├─sda1 (a) /boot partition
└─sda2 (b) LUKS encrypted partition
└─citadel (c) LVM volume group
├─citadel-rootfsA (d1) rootfs partition A (Read Only)
│ └─rootfs (e) The dm-verity device created for rootfsA
├─citadel-rootfsB (d2) rootfs partition B (Read Only)
└─citadel-storage (f) mounted as /storage (Read/Write)</screen>
<terms>
<item>
<title><code>(a) /boot partition</code></title>
<p>EFI boot partition</p>
</item>
<item>
<title><code>(b) LUKS encrypted partition</code></title>
<p>Remainder of disk is an encrypted volume</p>
</item>
<item>
<title><code>(c) LVM volume group</code></title>
<p>Main partition contains several LVM volumes</p>
</item>
<item>
<title><code>(d) citadel-rootfs(A/B)</code></title>
<p>Two root partitions so one can be updated while other is in use.</p>
</item>
<item>
<title><code>(e) /dev/mapper/rootfs</code></title>
<p>verity mapper device for mounted root partion</p>
</item>
<item>
<title><code>(f) /dev/mapper/citadel-storage</code></title>
<p>The writable filesystem</p>
</item>
</terms>
</section>
<section>
<title>Citadel Filesystem Layout</title>
<code>/
├─ /run/citadel/images/
│ │
│ ├─ modules.mountpoint/ (modules image mounted here)
│ └─ extra.mountpoint/ (extra image mounted here)
└─ /storage
├─ resources/dev (resource images for channel 'dev')
│ │
│ ├─base-realmfs.img
│ └─main-realmfs.img
├─ /realms (/realms is a bind mount of /storage/realms)
│ ├─skel/
│ └─config
├─ /realms/realmfs-images
│ │
│ ├─citadel-kernel-5.7-dev-001.img
│ └─citadel-extra-dev-001.img
└─ /realms/realm-main
├─ home
└─ config</code>
</section>
<section>
<title>Resource Image Mounts</title>
<p>Resource images are mounted into the system by creating loop devices. These devices can be
viewed by running the 'losetup' command inside Citadel.</p>
<screen>citadel:~ # losetup -ONAME,OFFSET,RO,BACK-FILE
NAME OFFSET RO BACK-FILE
/dev/loop1 4096 1 /storage/resources/dev/citadel-extra-dev-001.img
/dev/loop2 4096 1 /storage/realms/realmfs-images/main-realmfs.img
/dev/loop0 4096 1 /storage/resources/dev/citadel-kernel-5.0.6-dev-000.img</screen>
<p>Resource image files are protected against accidental changes or malicious tampering by
using dm-verity so that the kernel verifies a cryptographic checksum of each block loaded
from the image.</p>
<p>You can view the verity device mapper node associated with each loop device with
the <code>lsblk</code> command.</p>
<screen>citadel:~ # lsblk /dev/loop0 /dev/loop1 /dev/loop4
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 116.9M 1 loop
└─verity-kernel 252:5 0 116M 1 crypt /run/citadel/images/kernel.mountpoint
loop1 7:1 0 938.9M 1 loop
└─verity-extra 252:6 0 931.5M 1 crypt /run/citadel/images/extra.mountpoint
loop2 7:2 0 4G 1 loop
└─verity-realmfs-main-11922f31 252:9 0 4G 1 crypt /run/citadel/realmfs/realmfs-main-11922f31.mountpoint</screen>
<p>Parameters of each dm-verity instance can be viewed with the veritysetup command.</p>
<screen>citadel:~ # veritysetup status verity-kernel
/dev/mapper/verity-kernel is active and is in use.
type: VERITY
status: verified
hash type: 1
data block: 4096
hash block: 4096
hash name: sha256
salt: fa430cb7887de60dca6fd1974868036ea39cf5017eb55f02e3a76f82a12a0431
data device: /dev/loop0
data loop: /storage/resources/dev/citadel-kernel-5.0.6-dev-000.img
size: 237536 sectors
mode: readonly
hash device: /dev/loop0
hash loop: /storage/resources/dev/citadel-kernel-5.0.6-dev-000.img
hash offset: 237544 sectors</screen>
<p>When a resource image file is mounted, a file in the root directory called 'manifest' lists
bind mounts to perform to integrate the image into the Citadel root filesystem.</p>
<p>Each line of this file is a directory to bind mount from the mounted image to the root
filesystem. If a directory should be mounted to a location which is different than
the source directory the source and target directories are both listed on a single
line and separated by the ':' character. In the 'extra' image below, the directory
/usr/share from the resource image is mounted to /opt/share on the Citadel filesystem.</p>
<screen>citadel:~ # cat /run/citadel/images/kernel.mountpoint/manifest
/usr/lib/modules
citadel:~ # cat /run/citadel/images/extra.mountpoint/manifest
/usr/lib/firmware
/usr/share:/opt/share</screen>
<p>The citadel-image utility can be used to view the metainfo variables stored in the header
section of a resource image file.</p>
<screen>citadel:~ # citadel-image metainfo /storage/resources/dev/citadel-extra-dev-001.img
image-type = "extra"
channel = "dev"
version = 1
timestamp = "20190331172025"
nblocks = 195924
shasum = "04e6f58afa6f608aff2d6cbb47cbe704f8ab0995f4dfe8e1c03655dc9bb6635a"
verity-salt = "7bf3eec3c51ffd2e82329a9fc6fe42915743874d7c5af43589e589c037ae81e5"
verity-root = "b94eb3431c4fb95e5b9bd62b4505d089414ae660d75eee0fce54b8483d3f9571"
citadel:~ # citadel-image metainfo /storage/resources/dev/citadel-kernel-5.0.6-dev-000.img
image-type = "kernel"
kernel-version = "5.0.6"
kernel-id = "36b7a960dcd51d1649f83a7361f9eb5c2af5741ce6cc53689b411347aa1298b6"
channel = "dev"
version = 1
timestamp = "20190407002748"
nblocks = 29692
shasum = "c988bd7d468c409eb6cd3af8fa9e17b0a75a72d6ad765ad1749d15628a9096be"
verity-salt = "fa430cb7887de60dca6fd1974868036ea39cf5017eb55f02e3a76f82a12a0431"
verity-root = "f4c4fbaebb59d348bd44cfb1cdef54a813728aabc5acc439c2e739b63c1b8370"</screen>
<p>RealmFS images also have a resource image header with a slightly different set of
metainfo variables.</p>
<screen>citadel:~ # citadel-image metainfo /storage/realms/realmfs-images/main-realmfs.img
image-type = "realmfs"
realmfs-name = "main"
nblocks = 1048575
channel = "realmfs-user"
verity-salt = "ad254e6dd385c0392ed8a6a41b849cfd4ef98ec3643e186feb011d5aa4f1d194"
verity-root = "11922f311b5a9141d65b7ef82e1c9159d75e413d1b420a7e3302ec8ec0ad8593"</screen>
</section>
</page>
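Review bot: the closing text says RealmFS images carry "a slightly different set of metainfo variables" but never says which ones differ. In the sample output the realmfs header has no shasum, version or timestamp and adds realmfs-name, while both resource images (extra and kernel) show all three. State that difference explicitly and say whether the missing shasum is intentional, so a reader comparing headers does not take it for a truncated or damaged image.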

View File

@ -1,10 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<page xmlns="http://projectmallard.org/1.0/" type="guide" id="index">
<title>Citadel Help</title>
<section id="user" style="2column">
<title>User Guide</title>
</section>
<section id="internals" style="2column">
<title>Citadel Internals</title>
</section>
</page>

View File

@ -1,33 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<page xmlns="http://projectmallard.org/1.0/" type="topic" id="kernel-cmdline">
<info>
<link type="guide" xref="index#internals"/>
</info>
<title>Kernel Command Line Options</title>
<list>
<item>
<p>citadel.noverity</p>
</item>
<item>
<p>citadel.nosignatures</p>
</item>
<item>
<p>citadel.install</p>
</item>
<item>
<p>citadel.overlay</p>
</item>
<item>
<p>citadel.channel</p>
</item>
<item>
<p>citadel.verbose</p>
</item>
<item>
<p>citadel.debug</p>
</item>
<item>
<p>citadel.sway</p>
</item>
</list>
</page>
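Review bot: every item in the <list> is a bare option name with no description, and that includes citadel.noverity and citadel.nosignatures, whose names suggest they switch off integrity checks. The hunk header (-1,33 +0,0) shows the page going away entirely, so confirm the options are documented elsewhere on this side of the compare. Wherever the list ends up, each entry should say what it changes and whether it is meant for development images only.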

View File

@ -1,123 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<page xmlns="http://projectmallard.org/1.0/" type="topic" id="realm-config">
<info>
<link type="guide" xref="index#user"/>
<desc>Realm configuration file reference</desc>
</info>
<title>Configuring Realms</title>
<p>Realms are usually configured with the tools for managing realms, but the configuration
is stored in a TOML file in the realm directory and can also be edited by hand.</p>
<section>
<title>Options</title>
<terms>
<item>
<title><code>use-wayland</code></title>
<p>If 'true' access to Wayland display will be permitted in realm by
adding wayland socket /run/user/1000/wayland-0</p>
</item>
<item>
<title><code>use-x11</code></title>
<p>If 'true' access to X11 server will be added to realm by bind mounting directory
/tmp/.X11-unix</p>
</item>
<item>
<title><code>use-sound</code></title>
<p>If 'true' allows the use of sound inside realm. The following items will
be added to realm:</p>
<list>
<item>
<p>/dev/snd</p>
</item>
<item>
<p>/dev/shm</p>
</item>
<item>
<p>/run/user/1000/pulse</p>
</item>
</list>
</item>
<item>
<title><code>use-kvm</code></title>
<p>If enabled, /dev/kvm will be added to the realm.
This option is only available for nspawn realms.</p>
</item>
<item>
<title><code>use-shared-dir</code></title>
<p>If enabled the directory /realms/Shared will be bind mounted into the home directory of the realm.
This directory is shared between all running realms that have this option enabled as a
convenient way to move files between realms.</p>
</item>
<item>
<title><code>use-ephemeral-home</code></title>
<p>If 'true' the home directory of this realm will be set up in ephemeral mode.
The ephemeral home directory is set up with the following steps</p>
<steps>
<item>
<p>Home directory is mounted as tmpfs</p>
</item>
<item>
<p>Any files in /realms/skel are copied into home directory</p>
</item>
<item>
<p>Any files in /realms/realm-${name}/skel are copied into home directory</p>
</item>
<item>
<p>Any directories listed in <code>ephemeral-persistent-dirs</code> are bind mounted
from /realms/realm-${name}/home into ephemeral home directory.</p>
</item>
</steps>
</item>
<item>
<title><code>ephemeral-persistent-dirs</code> default: ["Documents"]</title>
<p>A list of subdirectories of /realms/realm-${name}/home to bind mount into realm
home directory when <code>ephemeral-home</code> is enabled.</p>
</item>
<item>
<title><code>use-network</code></title>
<p>network</p>
</item>
<item>
<title><code>network-zone</code> default: "clear"</title>
<p>network zone</p>
</item>
<item>
<title><code>use-gpu</code></title>
<p>Enables hardware graphics acceleration in relam.
if 'true' render node device /dev/dri/renderD128 will be added to realm.</p>
</item>
<item>
<title><code>use-gpu-card0</code></title>
<p>If 'true' and <code>use-gpu</code> is also enabled, privileged device /dev/dri/card0
will be added to realm.</p>
</item>
<item>
<title><code>realmfs</code> default: "base"</title>
<p>name of realmfs image</p>
</item>
<item>
<title><code>overlay</code> default: "storage"</title>
<p>type of overlay to use</p>
</item>
<item>
<title><code>terminal-scheme</code></title>
<p>terminal color scheme</p>
</item>
<item>
<title><code>extra-bindmounts</code></title>
<p>bind mounts</p>
</item>
<item>
<title><code>extra-bindmounts-ro</code></title>
<p>read-only bind mounts</p>
</item>
<item>
<title><code>system-realm</code> default: false</title>
<p>system realm</p>
</item>
<item>
<title><code>autostart</code> default: false</title>
<p>autostart realm</p>
</item>
</terms>
</section>
</page>
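Review bot: the ephemeral-persistent-dirs entry says it applies "when ephemeral-home is enabled", but the option is defined a few lines earlier as use-ephemeral-home; one of the two names is wrong and they should be made consistent. Several entries are also placeholders that only repeat the key (use-network: "network", extra-bindmounts: "bind mounts", system-realm: "system realm"), and the use-gpu text has "relam" for "realm". For the options that widen what a realm can reach (use-shared-dir, use-gpu-card0, extra-bindmounts), a stated default and a sentence on what is exposed would help anyone editing the TOML by hand.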

Some files were not shown because too many files have changed in this diff