itsManjeet · itsManjeet · Dec 14, 2023 · Nov 27, 2023 · Nov 28, 2023 · Nov 28, 2023
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -54,3 +54,13 @@ jobs:
         run: |
           ${IGNITE} checkout installer/image.yml ${SERVER_REPO_PATH}/releases/${VERSION}/
           (cd ${SERVER_REPO_PATH}/releases/${VERSION}/; zsyncmake -b 2048 -C -u ${SERVER_REPO_URL}/releases/${VERSION}/rlxos-x86_64-${VERSION}.iso rlxos-x86_64-${VERSION}.iso)
+
+      - name: Update Extensions
+        run: |
+          for ext in elements/extensions/*.yml ; do
+            ELEMENT=${ext#*/}
+            EXT_ID=${ELEMENT#*/}
+            EXT_ID=${EXT_ID%.*}
+            ${IGNITE} build ${ELEMENT}
+            COMMIT_MESSAGE="UPDATED WITH BASE" OSTREE_BRANCH="x86_64/extension/${EXT_ID}/${VERSION}" ELEMENT_FILE=${ELEMENT} make update-ostree
+          done
diff --git a/TODO.ELEMENTS b/TODO.ELEMENTS
@@ -69,8 +69,6 @@ components/gc.yml: check patch
 components/openjdk.yml: fix update url
 components/nvidia-settings.yml: check patch
 components/udisks.yml: check update url
-components/make-ca.yml: fix certdata.txt file
-components/make-ca.yml: do we need this after ca-certificates
 components/openjdk-bin.yml: fix update url
 components/openldap.yml: fix post-script and configurations
 components/apr-util.yml: fix update url

diff --git a/elements/collections/core.yml b/elements/collections/core.yml
@@ -3,7 +3,7 @@ merge: [version.yml, elements/include/meta.yml]
 
 depends:
   - components/busybox.yml
-  - components/ca-certificates.yml
+  - components/make-ca.yml
   - components/coreutils.yml
   - components/dbus.yml
   - components/diffutils.yml

diff --git a/elements/components/at-spi2-atk.yml b/elements/components/at-spi2-atk.yml
diff --git a/elements/components/ca-certificates.yml b/elements/components/ca-certificates.yml
diff --git a/elements/components/core.yml b/elements/components/core.yml
@@ -8,7 +8,7 @@ script: |
 
 depends:
   - components/busybox.yml
-  - components/ca-certificates.yml
+  - components/make-ca.yml
   - components/coreutils.yml
   - components/dbus.yml
   - components/diffutils.yml

diff --git a/elements/components/curl.yml b/elements/components/curl.yml
@@ -7,8 +7,7 @@ sources:
 build-type: autotools
 depends:
   - components/glibc.yml
-  - components/ca-certificates.yml
 configure: >-
   --enable-threaded-resolver
-  --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
+  --with-ca-path=/etc/ssl/certs
   --with-openssl
diff --git a/elements/components/gnutls.yml b/elements/components/gnutls.yml
@@ -5,9 +5,7 @@ about:
   transport layer
 
 configure: >-
-  --disable-guile
-  --disable-rpath
-  --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
+  --with-default-trust-store-pkcs11="pkcs11:"
 
 depends:
   - components/nettle.yml

diff --git a/elements/components/gtk.yml b/elements/components/gtk.yml
@@ -21,7 +21,7 @@ build-depends:
   - components/gtk-doc.yml
 
 depends:
-  - components/at-spi2-atk.yml
+  - components/at-spi2-core.yml
   - components/gdk-pixbuf.yml
   - components/libepoxy.yml
   - components/pango.yml

diff --git a/elements/components/libcap-ng.yml b/elements/components/libcap-ng.yml
@@ -2,6 +2,8 @@ id: libcap-ng
 version: 0.8.3
 about: A library for Linux that makes using posix capabilities easy
 
+build-type: autotools
+
 configure: >-
   --enable-static=no
   --without-python

diff --git a/elements/components/make-ca.yml b/elements/components/make-ca.yml
@@ -1,15 +1,20 @@
 id: make-ca
-version: "1.7"
+version: 1.13
 about: MakeCA
-release: 0
+
 depends:
   - components/p11-kit.yml
   - components/nss.yml
 sources:
-  - https://github.com/djlucas/make-ca/releases/download/v1.7/make-ca-1.7.tar.xz
+  - https://github.com/lfs-book/make-ca/releases/download/v%{version}/make-ca-%{version}.tar.xz
+
 script: |-
-  # install -v -D -m 0644 /files/certdata.txt -t %{install-root}%{sysconfdir}/ssl/
-  make install LIBEXECDIR=/usr/lib SBINDIR=/usr/bin DESTDIR=%{install-root}
+  make install LIBEXECDIR=%{libdir}/make-ca SBINDIR=%{bindir} DESTDIR=%{install-root}
+
+  install -vDm 0754 /dev/stdin %{install-root}%{sysconfdir}/cron.weekly/update-pki.sh << "EOF"
+  #!/bin/bash
+  %{bindir}/make-ca -g
+  EOF
 
-# TODO: fix certdata.txt file
-# TODO: do we need this after ca-certificates
+integration: |-
+  make-ca -g
diff --git a/elements/components/mercurial.yml b/elements/components/mercurial.yml
@@ -26,5 +26,5 @@ script: |-
   install -m 755 -d %{install-root}%{sysconfdir}/mercurial
   cat <<-EOF > %{install-root}%{sysconfdir}/mercurial/hgrc
     [web]
-    cacerts = %{sysconfdir}/ssl/certs/ca-certificates.crt
+    cacerts = %{sysconfdir}/pki/tls/certs/ca-bundle.crt
     EOF
diff --git a/elements/components/mono.yml b/elements/components/mono.yml
@@ -3,7 +3,6 @@ version: 6.12.0.205
 about: Free implementation of the .NET platform including runtime and compiler
 
 depends:
-  - components/ca-certificates.yml
   - components/libgdiplus.yml
   - components/python.yml
   - components/zlib.yml

diff --git a/elements/components/networkmanager-openvpn.yml b/elements/components/networkmanager-openvpn.yml
@@ -0,0 +1,26 @@
+id: networkmanager-openvpn
+version: 1.10.2
+about: NetworkManager VPN plugin for OpenVPN
+
+build-type: autotools
+
+pre-script: |-
+  autoreconf -fiv
+
+variables:
+  run-autogen: false
+  seperate-build-dir: false
+
+depends:
+  - components/libnma.yml
+  - components/libsecret.yml
+  - components/openvpn.yml
+  - components/networkmanager.yml
+
+post-script: |-
+  install -v -D -m 0644 /dev/stdin %{install-root}/%{libdir}/sysusers.d/%{id}.conf << "EOF"
+  u nm-openvpn - "NetworkManager OpenVPN"
+  EOF
+
+sources:
+  - https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/archive/%{version}/NetworkManager-openvpn-%{version}.tar.gz
diff --git a/elements/components/openvpn.yml b/elements/components/openvpn.yml
@@ -0,0 +1,47 @@
+id: openvpn
+version: 2.6.8
+about: An easy-to-use, robust and highly configurable VPN (Virtual Private Network)
+
+build-type: autotools
+
+pre-script: |-
+  sed -i '/^CONFIGURE_DEFINES=/s/set/env/g' configure.ac
+  patch -Np1 -i /patches/%{id}/0001-unprivileged.patch
+
+  autoreconf --force --install
+
+configure: >-
+  --enable-plugins
+  --enable-systemd
+  --enable-x509-alt-username
+
+post-script: |-
+  install -v -D -m 0644 /dev/stdin %{install-root}/%{libdir}/sysusers.d/%{id}.conf << "EOF"
+  u openvpn - "OpenVPN"
+  EOF
+
+  install -v -D -m 0644 /dev/stdin %{install-root}/%{libdir}/tmpfiles.d/%{id}.conf << "EOF"
+  d /etc/openvpn/client 0750 openvpn network -
+  d /etc/openvpn/server 0750 openvpn network -
+  d /run/openvpn-client 0750 openvpn network -
+  d /run/openvpn-server 0750 openvpn network -
+  EOF
+
+  for FILE in $(find contrib -type f); do
+    case "$(file --brief --mime-type --no-sandbox "${FILE}")" in
+      "text/x-shellscript")
+        install -D -m0755 ${FILE} "%{install-root}/%{datadir}/%{id}/${FILE}" ;;
+      *)
+        install -D -m0644 ${FILE} "%{install-root}/%{datadir}/%{id}/${FILE}" ;;
+    esac
+  done
+
+depends:
+  - components/lz4.yml
+  - components/lzo.yml
+  - components/openssl.yml
+  - components/libnl.yml
+  - components/libcap-ng.yml
+
+sources:
+  - https://github.com/OpenVPN/openvpn/releases/download/v%{version}/openvpn-%{version}.tar.gz
diff --git a/elements/components/p11-kit.yml b/elements/components/p11-kit.yml
@@ -1,15 +1,22 @@
 id: p11-kit
-version: 0.25.0
+version: 0.25.3
 about: |
   Provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules
 
+pre-script: |-
+  sed '20,$ d' -i trust/trust-extract-compat
+  cat >> trust/trust-extract-compat << "EOF"
+  %{libdir}/make-ca/copy-trust-modifications
+  %{bindir}/make-ca -f -g
+  EOF
+
 post-script: |-
   ln -sfv ./pkcs11/p11-kit-trust.so %{install-root}%{libdir}/libnssckbi.so
-
-build-type: autotools
+  ln -s %{libdir}/p11-kit/trust-extract-compat %{install-root}%{bindir}/update-ca-trust
 
 configure: >-
-  --with-trust-paths=%{sysconfdir}/pki/anchors
+  -D trust_paths=%{sysconfdir}/pki/anchors
+  -D module_path=%{libdir}/pkcs11
 
 depends:
   - components/libtasn1.yml

diff --git a/elements/components/qemu.yml b/elements/components/qemu.yml
@@ -13,10 +13,11 @@ post-script: |-
   # chgrp kvm %{install-root}/%{libdir}/qemu-bridge-helper
   chmod -v 4750 %{install-root}/%{libdir}/qemu-bridge-helper
 
+  rmdir %{install-root}/var/run
+
 configure: >-
   --audio-drv-list=alsa
   --smbd=/usr/bin/smbd
-  --target-list=x86_64-softmmu
   --enable-modules
   --enable-sdl
   --enable-gtk

diff --git a/elements/components/rustc.yml b/elements/components/rustc.yml
@@ -18,7 +18,6 @@ build-depends:
   - components/cmake.yml
   - components/gdb.yml
   - components/ninja.yml
-  - components/ca-certificates.yml
 
 sources:
   - https://static.rust-lang.org/dist/rustc-%{version}-src.tar.xz

diff --git a/elements/components/swupd.yml b/elements/components/swupd.yml
@@ -3,7 +3,7 @@ version: 0.1.0
 about: Software Updater Daemon
 
 variables:
-  commit: 35e069d6ee4e2df2f8c31b5a30ff86e1127a6e74
+  commit: 226c4c21b652821e073efb267bcce2ff08de6b84
 
 post-script: |-
   install -v -D -m 0755 -t %{install-root}%{bindir} target/release/%{id}

diff --git a/elements/components/wget.yml b/elements/components/wget.yml
@@ -10,7 +10,6 @@ sources:
 
 depends:
   - components/glibc.yml
-  - components/ca-certificates.yml
   - components/openssl.yml
   - components/util-linux.yml
   - components/libidn2.yml

diff --git a/elements/extensions/qemu.yml b/elements/extensions/qemu.yml
@@ -0,0 +1,8 @@
+id: qemu
+about: RLXOS QEMU Virtualization Kit
+include:
+  - components/qemu.yml
+  - components/libcacard.yml
+  - components/usbredir.yml
+
+merge: [elements/include/extension.yml]
diff --git a/elements/layers/sdk.yml → elements/extensions/sdk.yml b/elements/layers/sdk.yml → elements/extensions/sdk.yml
@@ -16,4 +16,4 @@ include:
   - components/autoconf-archive.yml
   - components/pkg-config.yml
 
-merge: [elements/include/layer.yml]
+merge: [elements/include/extension.yml]
diff --git a/elements/include/extension.yml b/elements/include/extension.yml
@@ -0,0 +1,12 @@
+merge: [version.yml, elements/include/ostree.yml]
+variables:
+  force-rebuild: true
+  include-depends: false
+  include-root: /sysroot
+  strip: false
+  extra-commands: ""
+  initial-commands: |-
+    [ -d %{include-root}/%{sysconfdir} ] && mv %{include-root}/%{sysconfdir} %{include-root}/%{prefix}/
+    %{extra-commands}
+
+  ostree-branch: x86_64/extension/%{id}/%{version}
diff --git a/elements/include/layer.yml b/elements/include/layer.yml
diff --git a/elements/system/repo.yml b/elements/system/repo.yml
@@ -128,6 +128,8 @@ include:
   - components/network-manager-applet.yml
   - components/system-config-printer.yml
 
+  - components/networkmanager-openvpn.yml
+
   - apps/firefox.yml
 
   - components/lightdm-gtk-greeter.yml

diff --git a/go.mod b/go.mod
@@ -6,5 +6,3 @@ require (
 	github.com/dustin/go-humanize v1.0.1
 	gopkg.in/yaml.v2 v2.4.0
 )
-
-require github.com/itsmanjeet/framework v0.0.0-20231010170234-a2978b10eaf1
diff --git a/go.sum b/go.sum
@@ -1,7 +1,5 @@
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/itsmanjeet/framework v0.0.0-20231010170234-a2978b10eaf1 h1:lvkd7p4mPPXC1suOm7BaYlMl9mC25h7U6b8RDPe445g=
-github.com/itsmanjeet/framework v0.0.0-20231010170234-a2978b10eaf1/go.mod h1:EwFUbJJY2SbZJFs1j/prHjCNkSEDf7ZQwePk4U7EcTo=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

diff --git a/patches/openvpn/0001-unprivileged.patch b/patches/openvpn/0001-unprivileged.patch
@@ -0,0 +1,28 @@
+diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in
+index 159fb4dc..2277a7d9 100644
+--- a/distro/systemd/openvpn-client@.service.in
++++ b/distro/systemd/openvpn-client@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/client
+ ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index 6e8e7d94..b2814e4b 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -11,6 +11,9 @@ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+ ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++User=openvpn
++Group=network
++AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw