From faaae6877c9c36a995def1f8dd1c2ee47e4609a4 Mon Sep 17 00:00:00 2001
From: Luke Hsiao <luke@hsiao.dev>
Date: Thu, 21 Nov 2024 09:29:46 -0700
Subject: [PATCH] feat(toolbox): move boxkit distrobox to this repo

---
 .github/dependabot.yml             |  11 +++
 .github/workflows/build-boxkit.yml | 101 ++++++++++++++++++++++++++
 toolbox/Containerfile.fedora       |  47 ++++++++++++
 toolbox/README.md                  |  63 +++++++++++++++++
 toolbox/cosign.key                 |  11 +++
 toolbox/cosign.pub                 |   4 ++
 toolbox/packages.fedora            | 110 +++++++++++++++++++++++++++++
 7 files changed, 347 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/build-boxkit.yml
 create mode 100644 toolbox/Containerfile.fedora
 create mode 100644 toolbox/README.md
 create mode 100644 toolbox/cosign.key
 create mode 100644 toolbox/cosign.pub
 create mode 100644 toolbox/packages.fedora

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..90e05c40
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/build-boxkit.yml b/.github/workflows/build-boxkit.yml
new file mode 100644
index 00000000..ee89d95c
--- /dev/null
+++ b/.github/workflows/build-boxkit.yml
@@ -0,0 +1,101 @@
+name: build-boxkit
+on:
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '0 0 * * TUE'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**/README.md'
+  workflow_dispatch:
+env:
+    IMAGE_NAME: omakase-terminal
+    IMAGE_TAGS: latest
+    IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+jobs:
+  push-ghcr:
+    name: Build and push image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    strategy:
+      fail-fast: false
+    steps: 
+      # Checkout push-to-registry action GitHub repository
+      - name: Checkout Push to Registry action
+        uses: actions/checkout@v4
+        
+      # Build metadata
+      - name: Image Metadata
+        uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: |
+            ${{ env.IMAGE_NAME }}
+          labels: |
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/lukehsiao/omakase-bluefin/main/toolbox/README.md
+
+      # Build image using Buildah action
+      - name: Build Image
+        id: build_image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          containerfiles: |
+            ./toolbox/Containerfile.fedora
+          image: ${{ env.IMAGE_NAME }}
+          tags: ${{ env.IMAGE_TAGS }}
+          labels: ${{ steps.meta.outputs.labels }}
+          oci: false
+          
+      # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
+      # https://github.com/macbre/push-to-ghcr/issues/12
+      - name: Lowercase Registry
+        id: registry_case
+        uses: ASzc/change-string-case-action@v6
+        with:
+          string: ${{ env.IMAGE_REGISTRY }}
+
+      # Push the image to GHCR (Image Registry)
+      - name: Push To GHCR
+        uses: redhat-actions/push-to-registry@v2
+        id: push
+        env:
+          REGISTRY_USER: ${{ github.actor }}
+          REGISTRY_PASSWORD: ${{ github.token }}
+        with:
+          image: ${{ steps.build_image.outputs.image }}
+          tags: ${{ steps.build_image.outputs.tags }}
+          registry: ${{ steps.registry_case.outputs.lowercase }}
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          extra-args: |
+            --disable-content-trust
+            
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+            
+      # Sign container
+      - uses: sigstore/cosign-installer@v3.7.0
+
+      - name: Sign container image
+        if: github.event_name != 'pull_request'
+        run: |
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
+        env:
+          TAGS: ${{ steps.push.outputs.digest }}
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+      - name: Echo outputs
+        run: |
+          echo "${{ toJSON(steps.push.outputs) }}"
diff --git a/toolbox/Containerfile.fedora b/toolbox/Containerfile.fedora
new file mode 100644
index 00000000..a58d51a7
--- /dev/null
+++ b/toolbox/Containerfile.fedora
@@ -0,0 +1,47 @@
+FROM registry.fedoraproject.org/fedora-toolbox:41 AS fedora-toolbox
+
+LABEL com.github.containers.toolbox="true" \
+      usage="This image is meant to be used with the toolbox or distrobox command" \
+      summary="Luke's personal terminal experience powered by Fedora" \
+      maintainer="Luke Hsiao <luke@hsiao.dev>"
+
+COPY ./toolbox/packages.fedora /tmp/toolbox-packages
+
+RUN dnf -y upgrade && \
+    dnf -y install $(<tmp/toolbox-packages) && \
+    dnf clean all
+
+# Set up dependencies
+RUN git clone https://github.com/89luca89/distrobox.git --single-branch /tmp/distrobox && \
+    cp /tmp/distrobox/distrobox-host-exec /usr/bin/distrobox-host-exec && \
+    wget https://github.com/1player/host-spawn/releases/download/$(cat /tmp/distrobox/distrobox-host-exec | grep host_spawn_version= | cut -d "\"" -f 2)/host-spawn-$(uname -m) -O /usr/bin/host-spawn && \
+    chmod +x /usr/bin/host-spawn && \
+    rm -drf /tmp/distrobox && \
+    dnf install -y 'dnf-command(copr)' && \
+    dnf clean all
+
+# Set up cleaner Distrobox integration
+RUN dnf copr enable -y kylegospo/distrobox-utils && \
+    dnf remove -y xdg-utils && \
+    dnf install -y \
+    xdg-utils-distrobox \
+    adw-gtk3-theme && \
+    ln -s /usr/bin/distrobox-host-exec /usr/bin/flatpak && \
+    dnf clean all
+
+# Install RPMFusion for hardware accelerated encoding/decoding
+RUN dnf install -y \
+    "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm" \
+    "https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm" && \
+    dnf install -y \
+    intel-media-driver \
+    nvidia-vaapi-driver && \
+    dnf swap -y mesa-va-drivers mesa-va-drivers-freeworld && \
+    dnf swap -y mesa-vdpau-drivers mesa-vdpau-drivers-freeworld && \
+    dnf clean all
+
+# Install chezmoi
+RUN sh -c "$(curl -fsLS get.chezmoi.io)" -- -b usr/local/bin
+
+# Cleanup
+RUN rm -rf /tmp/*
diff --git a/toolbox/README.md b/toolbox/README.md
new file mode 100644
index 00000000..5d3f8047
--- /dev/null
+++ b/toolbox/README.md
@@ -0,0 +1,63 @@
+# boxkit
+
+## Description
+
+boxkit is a set of GitHub actions and skeleton files to build toolbox and distrobox images. Basically, clone this repo, make the changes you want, and then build what you need. Some examples include:
+
+- [DaVinci Box](https://github.com/zelikos/davincibox) - Container for DaVinci Resolve installation and runtime dependencies on Linux
+- [obs-studio-portable](https://github.com/ublue-os/obs-studio-portable) - OCI container image of OBS Studio that bundles a curated collection of 3rd party plugins
+- [bazzite-arch](https://github.com/ublue-os/bazzite-arch) - A ready-to-game Arch Linux based OCI designed for use exclusively in distrobox
+
+## Boxkit Alpine Example
+
+You can use whatever distribution you want with boxkit, this is the initial example ([here are more](https://github.com/ublue-os/toolboxes/tree/main/toolboxes)):
+
+## How to use
+
+### Create Box
+
+If you use distrobox:
+
+    distrobox create -i ghcr.io/ublue-os/boxkit -n boxkit
+    distrobox enter boxkit
+    
+If you use toolbx:
+
+    toolbox create -i ghcr.io/ublue-os/boxkit -c boxkit
+    toolbox enter boxkit
+
+### Pull down your config
+
+Use `chezmoi` to pull down your dotfiles and set up git sync.
+
+### Make your own
+
+Fork and add programs to this this image - over time you'll end up with the perfect CLI for you.
+Keeping it as a pet works, though the author recommends leaving all your config in git and routinely pulling a new image.
+
+The user experience is much nicer if you [set use Ptyxis](https://flathub.org/apps/app.devsuite.Ptyxis) and is the intended experience. 
+
+## Verification
+
+These images are signed with sisgstore's [cosign](https://docs.sigstore.dev/quickstart/quickstart-cosign/). You can verify the signature by downloading the `cosign.pub` key from this repo and running the following command:
+
+    cosign verify --key cosign.pub ghcr.io/ublue-os/boxkit
+    
+If you're forking this repo you should [read the docs](https://docs.github.com/en/actions/security-guides/encrypted-secrets) on keeping secrets in github. You need to [generate a new keypair](https://docs.sigstore.dev/cosign/key_management/signing_with_self-managed_keys/) with cosign. The public key can be in your public repo (your users need it to check the signatures), and you can paste the private key in Settings -> Secrets -> Actions.
+
+## Finding Good Base Images
+
+Of course you can make this however you want, but start with the [Toolbx Community images](https://github.com/toolbx-images/images).
+These are a set of mostly-stock images with packages needed to run as a toolbox/distrobox already installed. 
+
+Try to derive your blingbox from those base images so we can all help maintain them over time, you can't have bling without good stock!
+
+Tag your image with `boxkit` to share with others!
+
+## [![Repography logo](https://images.repography.com/logo.svg)](https://repography.com) / Recent activity [![Time period](https://images.repography.com/35181738/ublue-os/boxkit/recent-activity/9_nHJKzKdmCsGzSsdjbuHqS2t9mY6ijnFHQGQSEWtW0/lgGy5XEcVYQ14vma9bwaPOYJFIxlNmj5nK3-CFQQkgc_badge.svg)](https://repography.com)
+[![Timeline graph](https://images.repography.com/35181738/ublue-os/boxkit/recent-activity/9_nHJKzKdmCsGzSsdjbuHqS2t9mY6ijnFHQGQSEWtW0/lgGy5XEcVYQ14vma9bwaPOYJFIxlNmj5nK3-CFQQkgc_timeline.svg)](https://github.com/ublue-os/boxkit/commits)
+[![Issue status graph](https://images.repography.com/35181738/ublue-os/boxkit/recent-activity/9_nHJKzKdmCsGzSsdjbuHqS2t9mY6ijnFHQGQSEWtW0/lgGy5XEcVYQ14vma9bwaPOYJFIxlNmj5nK3-CFQQkgc_issues.svg)](https://github.com/ublue-os/boxkit/issues)
+[![Pull request status graph](https://images.repography.com/35181738/ublue-os/boxkit/recent-activity/9_nHJKzKdmCsGzSsdjbuHqS2t9mY6ijnFHQGQSEWtW0/lgGy5XEcVYQ14vma9bwaPOYJFIxlNmj5nK3-CFQQkgc_prs.svg)](https://github.com/ublue-os/boxkit/pulls)
+[![Trending topics](https://images.repography.com/35181738/ublue-os/boxkit/recent-activity/9_nHJKzKdmCsGzSsdjbuHqS2t9mY6ijnFHQGQSEWtW0/lgGy5XEcVYQ14vma9bwaPOYJFIxlNmj5nK3-CFQQkgc_words.svg)](https://github.com/ublue-os/boxkit/commits)
+[![Top contributors](https://images.repography.com/35181738/ublue-os/boxkit/recent-activity/9_nHJKzKdmCsGzSsdjbuHqS2t9mY6ijnFHQGQSEWtW0/lgGy5XEcVYQ14vma9bwaPOYJFIxlNmj5nK3-CFQQkgc_users.svg)](https://github.com/ublue-os/boxkit/graphs/contributors)
+[![Activity map](https://images.repography.com/35181738/ublue-os/boxkit/recent-activity/9_nHJKzKdmCsGzSsdjbuHqS2t9mY6ijnFHQGQSEWtW0/lgGy5XEcVYQ14vma9bwaPOYJFIxlNmj5nK3-CFQQkgc_map.svg)](https://github.com/ublue-os/boxkit/commits)
diff --git a/toolbox/cosign.key b/toolbox/cosign.key
new file mode 100644
index 00000000..2e36dfa5
--- /dev/null
+++ b/toolbox/cosign.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiJ6L3UvR3Vpd2YwNU5Sa3Irdk5MYThZSkN5emszRnB5
+SjdHNjFHNUkxa1k4PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJuN2g5VVowSlcwWVJnd3NWYlFBQWlhSXZ0b1RyU1paUSJ9LCJj
+aXBoZXJ0ZXh0IjoiTXZZanlSRS9zSVFKVXJVZncyZGJUZi9KV1d5T2xYT0lkQjBQ
+TjJ0d2RjZjNaaGtLWVpmTy9OT1BTTHFPbUVlWUJQUmpJUDBxMHV5SmxPRlFSZ3Nj
+UVpQTVEzUHEzSFg2R2tJQmh0VTZTVDI3YkdNRmc5bHVqcXB4TitiamF0cEpwcmpz
+Q0RtdWhFdnpGd3o3YXVrMy95ZElqL0JrZENVemo1UHlMclVCTk5TbGI5cEV0ZXZo
+cjZwcW5BOXNVYXAya1JtaHAyTWR1bXRNL0E9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
diff --git a/toolbox/cosign.pub b/toolbox/cosign.pub
new file mode 100644
index 00000000..66c4ae20
--- /dev/null
+++ b/toolbox/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGEAcJ/JunVS31ndMtSTmgq6aJHS3
+3I6phel1o1ad2TuQJCQZWAVSWYnnX0YJnoZ6qjmoVN4ElZOkVyiP2QRo4g==
+-----END PUBLIC KEY-----
diff --git a/toolbox/packages.fedora b/toolbox/packages.fedora
new file mode 100644
index 00000000..bd893345
--- /dev/null
+++ b/toolbox/packages.fedora
@@ -0,0 +1,110 @@
+aerc
+asciinema
+bash-completion
+bc
+btop
+bzip2
+clang
+cmake
+curl
+dictd
+diffutils
+dnf-plugins-core
+dnf-utils
+dnf5
+fastfetch
+ffmpeg
+findutils
+finger
+fish
+fontconfig-devel
+freetype-devel
+fzf
+gcc-c++
+ghostscript-tools-fonts
+ghostscript-tools-printing
+git
+git-filter-repo
+git-lfs
+glibc
+glibc-all-langpacks
+glibc-locale-source
+gnupg2
+gnupg2-smime
+graphite2-devel
+helix
+hostname
+htop
+iproute
+iputils
+keyutils
+krb5-libs
+lame
+less
+libpq-devel
+libsqlite3x-devel
+libstdc++
+libxcb-devel
+livesys-scripts
+lsof
+man-db
+man-pages
+mat2
+mediawriter
+mesa-dri-drivers
+mesa-vulkan-drivers
+mold
+moreutils
+mosh
+mpv
+mtr
+ncurses
+neovim
+newsboat
+nss-mdns
+nvtop
+openssh-clients
+pam
+pandoc
+parallel
+pass
+passwd
+pcsc-tools
+perf
+perl
+pgp-tools
+pigz
+pinentry
+postgresql
+procps-ng
+protobuf-compiler
+protobuf-devel
+python3-neovim
+rr
+rsync
+shadow-utils
+ShellCheck
+speedtest-cli
+sudo
+tcpdump
+time
+traceroute
+tree
+tzdata
+units
+unzip
+util-linux
+vim
+vte-profile
+vulkan
+wget
+which
+whois
+words
+xorg-x11-xauth
+xz
+yt-dlp
+yubikey-manager
+zip
+zsh
+zstd