diff --git a/.gitea/workflows/arch.yml b/.gitea/workflows/arch.yml index ea496ee..f82b01b 100644 --- a/.gitea/workflows/arch.yml +++ b/.gitea/workflows/arch.yml @@ -52,9 +52,15 @@ jobs: - uses: actions/checkout@v4 + # Cache cargo's git dir too, not just the registry: the workspace includes + # clients/windows, whose windows-reactor/windows deps are git-pinned — cargo must CLONE + # them (windows-rs is huge) merely to resolve the workspace, even though nothing Windows + # is ever compiled here. Cached, that cost is paid once per runner. - uses: actions/cache@v4 with: - path: /usr/local/cargo/registry + path: | + /usr/local/cargo/registry + /usr/local/cargo/git key: cargo-home-arch-${{ hashFiles('Cargo.lock') }} restore-keys: cargo-home-arch- diff --git a/packaging/arch/README.md b/packaging/arch/README.md index 02f0d86..e3880b8 100644 --- a/packaging/arch/README.md +++ b/packaging/arch/README.md 
@@ -30,24 +30,33 @@ every push and publishes the packages to the **Gitea Arch package registry** — repo, so an Arch box installs and updates punktfunk with `pacman -Syu` like everything else. Two repos mirror the deb/rpm channels: `punktfunk` (release tags) and `punktfunk-canary` (rolling main-branch builds, versioned `X.Y.Z-0.` so a later release always outranks -them). Enable exactly one: +them). Enable exactly one. + +The registry **signs the repo database and every package**, so first import its key into +pacman's keyring (a one-time step — after this, packages install signature-verified): ```sh +# 1. Trust the registry signing key. +curl -fsS https://git.unom.io/api/packages/unom/arch/repository.key \ + | sudo pacman-key --add - +sudo pacman-key --lsign-key E0CA04465C99C936E0B0C6510A317015A34DDD69 + +# 2. Add the repo (pick ONE channel — punktfunk for releases, punktfunk-canary for main builds). sudo tee -a /etc/pacman.conf >/dev/null <<'EOF' [punktfunk] -SigLevel = Optional TrustAll Server = https://git.unom.io/api/packages/unom/arch/$repo/$arch EOF +# 3. Sync + install. sudo pacman -Sy punktfunk-host # gaming rig sudo pacman -Sy punktfunk-client # couch/Deck side sudo pacman -Sy punktfunk-web # optional browser management console ``` -(`SigLevel = Optional TrustAll`: the packages are unsigned; transport security comes from HTTPS -to the registry. Arch is rolling — the packages are built against current Arch sonames, so keep -the box itself updated too.) +(No `SigLevel` line needed — pacman's default `Required DatabaseOptional` verifies the signed +packages against the key you just trusted. Arch is rolling, so the packages are built against +current Arch sonames — keep the box itself updated too.) Then the same first-run steps as a source build (printed by the install scriptlet): `input` group, `host.env`, `systemctl --user enable --now punktfunk-host` — see the next section.
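Review bot: in the arch.yml hunk, `restore-keys: cargo-home-arch-` now also restores a stale `/usr/local/cargo/git` from any earlier run whenever `Cargo.lock` changes, and that directory only grows because every pinned commit of the git-fetched windows-rs crates stays in the db; given the comment's own remark that windows-rs is huge, check the runner's cache size limit, and add one line to the comment stating that cargo still checks out exactly the commit recorded in `Cargo.lock`, so a stale restore costs a re-fetch but cannot swap in different source.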
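Review bot: in the README hunk, step 3 still uses `sudo pacman -Sy punktfunk-host`, which refreshes the databases and installs without upgrading the rest of the system, i.e. a partial upgrade on a rolling distro; since the intro already says the box installs and updates with `pacman -Syu`, make those lines `sudo pacman -Syu punktfunk-host` and so on. Two smaller points: because the text says the registry signs the repo database as well as the packages, the `[punktfunk]` section could carry `SigLevel = Required DatabaseRequired` so a missing database signature is an error instead of being accepted under the default `DatabaseOptional`; and it is worth saying that the `pacman-key --lsign-key E0CA...DD69` line is the check, since it fails if the fetched `repository.key` does not carry that fingerprint, so the fingerprint in the README must be kept in sync with the registry key.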