enricobuehler 1f0dc87658
feat(rpm): enable gpgcheck=1 — packages are signed + verified
The signing rollout is confirmed end to end: the latest published RPM (0.2.0-0.ci1089) carries
a header GPG signature (added by `rpm --addsign`) and passed the in-CI `rpmkeys --checksig`
self-verify before publishing (a bad/unsigned build fails that gate and never reaches the
registry). So flip every .repo snippet from gpgcheck=0 to gpgcheck=1 and add the package-signing
public key (served from the generic registry, committed at packaging/rpm/RPM-GPG-KEY-punktfunk) to
gpgkey= alongside the Gitea metadata key — dnf/rpm-ostree imports both. Covers rpm/README,
packaging/README, the bootc Containerfile, and the docs-site bazzite/fedora-kde install pages;
rpm/README's signing section reframed from "dormant/enabling" to active (+ key-rotation notes).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 15:23:57 +00:00


# bootc / OCI image layer that bakes punktfunk into a Bazzite-based atomic image.
#
# Bazzite is already a bootc image (Fedora Atomic + gamescope + PipeWire + the NVIDIA
# stack), so we layer punktfunk on top: enable RPM Fusion (for the NVENC ffmpeg) and unom's
# Gitea RPM registry (NOT COPR — only the registry carries the punktfunk-web subpackage),
# install the packages, and pre-enable the udev rule. Build + push this image, then
# `bootc switch` (or rebase) a Bazzite host onto it for an image-based, atomic install —
# no per-host `rpm-ostree install` drift.
#
# podman build -t ghcr.io/<you>/bazzite-punktfunk -f packaging/bootc/Containerfile .
# podman push ghcr.io/<you>/bazzite-punktfunk
# # on the target Bazzite host:
# sudo bootc switch ghcr.io/<you>/bazzite-punktfunk # then reboot
#
# Pick the base tag that matches your hardware (NVIDIA shown). See ublue-os/bazzite tags.
ARG BASE_IMAGE=ghcr.io/ublue-os/bazzite-nvidia:stable
FROM ${BASE_IMAGE}
# punktfunk's RPMs come from unom's Gitea RPM registry (the recommended path — see
# packaging/rpm/README). Use it rather than COPR specifically because it carries the
# punktfunk-web management console subpackage, which COPR's mock chroot can't build (no `bun`).
# Group "bazzite" == the Fedora 43 base; override for a different base. Gitea signs the repo
# metadata (repo_gpgcheck=1) and the packages are GPG-signed (gpgcheck=1, the packages@unom.io key).
ARG PUNKTFUNK_RPM_GROUP=bazzite
# RPM Fusion nonfree provides the NVENC-capable ffmpeg-libs punktfunk records/encodes with.
# (Bazzite usually has RPM Fusion enabled already; this is belt-and-suspenders.)
RUN dnf5 -y install \
https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \
|| true
# Add the Gitea RPM repo and install the host + the web console (punktfunk-web pulls nodejs).
RUN printf '%s\n' \
'[gitea-unom-punktfunk]' \
'name=punktfunk (unom)' \
"baseurl=https://git.unom.io/api/packages/unom/rpm/${PUNKTFUNK_RPM_GROUP}" \
'enabled=1' 'gpgcheck=1' 'repo_gpgcheck=1' \
'gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key https://git.unom.io/api/packages/unom/generic/punktfunk-keys/1/RPM-GPG-KEY-punktfunk' \
> /etc/yum.repos.d/punktfunk.repo \
&& dnf5 -y install punktfunk punktfunk-web \
&& dnf5 clean all
# The udev rule + systemd *user* units ship in the RPMs; nothing else to enable at image build
# time (host + console run per-user in the graphical session, enabled after first boot with
# `systemctl --user enable --now punktfunk-host punktfunk-web`).
# bootc image hygiene: the container build must leave a clean ostree commit.
RUN ostree container commit
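The commit message above describes the hardening step (every `.repo` snippet flipped from `gpgcheck=0` to `gpgcheck=1`, with the package-signing key added to `gpgkey=` next to the Gitea metadata key), and the Containerfile shows the resulting snippet. The script below is an added example, not part of the punktfunk repository or its CI: it audits `.repo` files so that a regression back to an unsigned-package setting is caught before an image is built, and it shows the pre-commit ("weak") snippet beside the hardened one. The weak snippet is constructed from the commit message's description, the registry URLs are copied from the Containerfile, and the key fingerprint passed to `pin_key_fingerprint` is a placeholder, not the real punktfunk key. The audit is deliberately stricter than the page in one respect: it demands `gpgcheck=1`, `repo_gpgcheck=1` and a `gpgkey=` on every section of the file, not only on the punktfunk repo.

```shell
#!/bin/sh
# Added example (not punktfunk's own code): audit dnf/rpm-ostree .repo snippets for
# package and metadata signature verification, and pin the fetched public key.

# audit_repo_file FILE
# Every [repo] section must carry gpgcheck=1, repo_gpgcheck=1 and a non-empty gpgkey=.
# Prints one line per offending section; exit status 1 if any section fails, 0 otherwise.
audit_repo_file() {
    awk '
        function flush() {
            if (id != "" && (gpgcheck != "1" || repogpg != "1" || gpgkey == "")) {
                printf "%s: gpgcheck=%s repo_gpgcheck=%s gpgkey=%s\n", id, (gpgcheck == "" ? "unset" : gpgcheck), (repogpg == "" ? "unset" : repogpg), (gpgkey == "" ? "missing" : "present")
                bad++
            }
            id = ""; gpgcheck = ""; repogpg = ""; gpgkey = ""
        }
        /^\[.*\]$/        { flush(); id = substr($0, 2, length($0) - 2); next }
        /^gpgcheck=/      { gpgcheck = substr($0, 10); next }
        /^repo_gpgcheck=/ { repogpg = substr($0, 15); next }
        /^gpgkey=/        { gpgkey = substr($0, 8); next }
        END               { flush(); exit (bad > 0) }
    ' "$1"
}

# pin_key_fingerprint EXPECTED_FPR KEYFILE
# gpgkey= URLs are fetched from the same registry that serves the packages, so a
# compromised registry could serve its own key. Compare the downloaded key's fingerprint
# against one recorded out of band (e.g. from packaging/rpm/RPM-GPG-KEY-punktfunk in git)
# before trusting it. Uses gpg's show-only import, which does not touch the keyring.
pin_key_fingerprint() {
    actual=$(gpg --batch --quiet --with-colons --import-options show-only --import "$2" 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$actual" ] && [ "$actual" = "$1" ]
}

WORK=$(mktemp -d)

# Constructed "before" snippet: gpgcheck=0 and only the metadata key, as the commit
# message describes the state it replaced.
WEAK_REPO="$WORK/weak.repo"
printf '%s\n' \
    '[gitea-unom-punktfunk]' \
    'name=punktfunk (unom)' \
    'baseurl=https://git.unom.io/api/packages/unom/rpm/bazzite' \
    'enabled=1' 'gpgcheck=0' 'repo_gpgcheck=1' \
    'gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key' \
    > "$WEAK_REPO"

# Hardened snippet, matching what the Containerfile writes to /etc/yum.repos.d/punktfunk.repo.
GOOD_REPO="$WORK/good.repo"
printf '%s\n' \
    '[gitea-unom-punktfunk]' \
    'name=punktfunk (unom)' \
    'baseurl=https://git.unom.io/api/packages/unom/rpm/bazzite' \
    'enabled=1' 'gpgcheck=1' 'repo_gpgcheck=1' \
    'gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key https://git.unom.io/api/packages/unom/generic/punktfunk-keys/1/RPM-GPG-KEY-punktfunk' \
    > "$GOOD_REPO"

# Constructed multi-section file: one hardened repo plus one that never set a key at all.
MIXED_REPO="$WORK/mixed.repo"
cat "$GOOD_REPO" > "$MIXED_REPO"
printf '%s\n' '[example-unsigned]' 'name=constructed example' \
    'baseurl=https://example.invalid/rpm' 'enabled=1' 'gpgcheck=1' >> "$MIXED_REPO"

# Stand-alone run: report each file the way a CI gate would.
for f in "$GOOD_REPO" "$WEAK_REPO" "$MIXED_REPO"; do
    if audit_repo_file "$f"; then
        echo "$(basename "$f"): ok"
    else
        echo "$(basename "$f"): REJECT"
    fi
done
```

Wire `audit_repo_file` into the image build (or a pre-merge check over `packaging/` and the docs-site install pages) so the gate fails whenever any snippet drifts back to `gpgcheck=0`; `pin_key_fingerprint` belongs wherever the `RPM-GPG-KEY-punktfunk` file is fetched from the generic registry rather than taken from the committed copy.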