Merge branch 'main' into add-container-image

* main:
  chore: Update repo config (#9)
  chore: Updating repo config (#8)
  devcontainer: Updating devcontainer config (#7)
  chore: Moving to anselmes/devos (#6)

.github/workflows/ondemand/bot.yml → .github/workflows/bot.yml

@@ -1,4 +1,4 @@
-name: Bot
+name: Bot Workflow
 
 on:
   - workflow_call

.github/workflows/build.yml

@@ -1,4 +1,4 @@
-name: Build
+name: Build Pipeline
 
 on:
   push:
@@ -25,8 +25,9 @@ jobs:
         uses: ./.github/actions/build
         with:
           build-container-image: true
-          container-image-file: build/img/devos/Dockerfile
+          container-image-file: build/img/Dockerfile
           container-image-name: devos
+          container-image-platforms: linux/amd64,linux/arm64,linux/riscv64
           container-image-repo-password: ${{ secrets.GHCR_TOKEN }}
           container-image-repo-username: ${{ github.repository_owner }}
           push-container-image: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}

.github/workflows/cicd.yml

@@ -11,21 +11,21 @@ permissions: read-all
 
 jobs:
   bot:
-    uses: ./.github/workflows/ondemand/bot.yml
+    uses: ./.github/workflows/bot.yml
     permissions:
       issues: write
       pull-requests: write
       repository-projects: write
 
   sonarqube:
-    uses: ./.github/workflows/gate/sonarqube.yml
+    uses: ./.github/workflows/sonarqube.yml
   trivy:
-    uses: ./.github/workflows/gate/trivy.yml
-  devos:
-    uses: ./.github/workflows/gate/devos.yml
+    uses: ./.github/workflows/trivy.yml
+  # devos:
+  #   uses: ./.github/workflows/devos.yml
 
   scorecard:
-    uses: ./.github/workflows/ondemand/scorecard.yml
+    uses: ./.github/workflows/scorecard.yml
     permissions:
       contents: write
       id-token: write

.github/workflows/ondemand/cleanup.yml → .github/workflows/cleanup.yml

@@ -1,4 +1,4 @@
-name: Cleanup
+name: Cleanup OnDemand
 
 on:
   pull_request:

.github/workflows/devos.yml

@@ -0,0 +1,16 @@
+# name: DevOS Gate
+
+# on:
+#   - workflow_call
+
+# permissions: read-all
+
+# jobs:
+#   devos:
+#     runs-on: devos-latest
+#     steps:
+#       - name: Checkout code
+#         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+#       - run: |
+#           cd hack
+#           ./run

.github/workflows/review.yml

@@ -49,14 +49,14 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
-      - name: GitGuardian Scan
-        uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be
-        env:
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
-          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+      # - name: GitGuardian Scan
+      #   uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be
+      #   env:
+      #     GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      #     GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+      #     GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+      #     GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
+      #     GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
       # - name: SonarQube Scan
       #   uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # v3.0.0 https://github.com/SonarSource/sonarqube-scan-action/commit/aecaf43ae57e412bd97d70ef9ce6076e672fe0a9
       #   env:

.github/workflows/gate/trivy.yml → .github/workflows/trivy.yml

@@ -16,6 +16,6 @@ jobs:
           persist-credentials: false
       - name: Trivy Scan
         uses: ./.github/actions/trivy
-        # with:
-        #   generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
-        #   upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+        with:
+          generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+          upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}

.trunk/configs/.shellcheckrc

@@ -9,7 +9,5 @@ disable=SC2181
 disable=SC2312
 
 # If you're having issues with shellcheck following source, disable the errors via:
-
 # disable=SC1090
-
 # disable=SC1091

CONTRIBUTING.md

@@ -2,4 +2,4 @@
 
 ## To Contribute
 
-Open a PR https://github.com/labsonline/devcontainer/compare.
+Open a PR https://github.com/anselmes/devos/compare.

README.md

@@ -1,4 +1,4 @@
-# Readme
+# DevOS
 
 ---
 
@@ -7,14 +7,12 @@
 [![Review][review-badge]][review-link]
 [![Releases][releases-badge]][releases-link]
 
-[ossf-score-badge]: https://api.securityscorecards.dev/projects/github.com/labsonline/devcontainer/badge
-[ossf-score-link]: https://securityscorecards.dev/viewer/?uri=github.com/labsonline/devcontainer
-[ci-badge]: https://github.com/labsonline/devcontainer/actions/workflows/cicd.yml/badge.svg
-[ci-link]: https://github.com/labsonline/devcontainer/actions/workflows/cicd.yml
-[review-badge]: https://github.com/labsonline/devcontainer/actions/workflows/review.yml/badge.svg
-[review-link]: https://github.com/labsonline/devcontainer/actions/workflows/review.yml
-[releases-badge]: https://github.com/labsonline/devcontainer/actions/workflows/release.yml/badge.svg
-[releases-link]: https://github.com/labsonline/devcontainer/actions/workflows/release.yml
+[ossf-score-badge]: https://api.securityscorecards.dev/projects/github.com/anselmes/devos/badge
+[ossf-score-link]: https://securityscorecards.dev/viewer/?uri=github.com/anselmes/devos
+[ci-badge]: https://github.com/anselmes/devos/actions/workflows/cicd.yml/badge.svg
+[ci-link]: https://github.com/anselmes/devos/actions/workflows/cicd.yml
+[review-badge]: https://github.com/anselmes/devos/actions/workflows/review.yml/badge.svg
+[review-link]: https://github.com/anselmes/devos/actions/workflows/review.yml
 
 ---
 

SECURITY.md

@@ -2,4 +2,4 @@
 
 ## Reporting a Vulnerability
 
-[Open an Issue](https://github.com/labsonline/devcontainer/issues/new?assignees=&labels=&template=security.md&title=) to report vulnerability.
+[Open an Issue](https://github.com/anselmes/devos/issues/new?assignees=&labels=&template=security.md&title=) to report vulnerability.

build/img/Dockerfile

@@ -0,0 +1,43 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV X11VNC_SKIP_DISPLAY==""
+
+RUN apt-get update -y && \
+  apt-get install --no-install-recommends -y \
+  ansible \
+  ca-certificates \
+  cron \
+  curl \
+  dbus \
+  file \
+  git \
+  git-lfs \
+  gnupg2 \
+  iproute2 \
+  libvirt-clients \
+  libvirt-daemon \
+  libvirt-daemon-system \
+  openssl \
+  protobuf-compiler \
+  protobuf-compiler-grpc \
+  python3-openstackclient \
+  software-properties-common \
+  ssh \
+  systemd \
+  unzip \
+  vim \
+  zsh && \
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/*
+
+COPY config/systemd/x11vnc.service /lib/systemd/system/x11vnc.service
+COPY config/systemd/journal-to-tty.service /lib/systemd/system/journal-to-tty.service
+
+RUN systemctl enable x11vnc.service
+RUN systemctl enable journal-to-tty.service
+RUN useradd -m devos
+
+CMD ["/sbin/init"]
+USER devos
+HEALTHCHECK NONE

config/systemd/journal-to-tty.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target

config/systemd/x11vnc.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=VNC Server
+
+[Service]
+Environment="HOME=/root"
+ExecStart=/usr/bin/x11vnc --create --forever --shared
+
+[Install]
+WantedBy=graphical.target

scripts/init-devos.sh

@@ -1,9 +1,9 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-3.0
 
-set -euxo pipefail
+set -eo pipefail
 
-: "${ARCH:=$(dpkg --print-architecture)}"
+# : "${ARCH:=$(dpkg --print-architecture)}"
 
 : "${CARGO_HOME:=/usr/local/rust/cargo}"
 : "${GOPATH:=/usr/local/go}"
@@ -17,41 +17,53 @@ set -euxo pipefail
 : "${CLUSTERCTL_VERSION:=1.8.3}"
 : "${COSIGN_VERSION:=2.4.0}"
 : "${GH_VERSION:=2.57.0}"
+: "${GO_VERSION:=1.23.2}"
 : "${JQ_VERSION:=1.7.1}"
 : "${K0SCTL_VERSION:=0.19.0}"
 : "${KIND_VERSION:=0.24.0}"
 : "${KUBECTL_VERSION:=v1.31.1}"
+: "${NODE_VERSION:=20.18.0}"
 : "${OP_VERSION:=2.30.0}"
 : "${SBCTL_VERSION:=0.15.4}"
 : "${SOPS_VERSION:=3.9.0}"
 : "${TRIVY_VERSION:=0.55.2}"
 : "${VAULT_VERSION:=1.17.6}"
 : "${YQ_VERSION:=4.44.3}"
 
+ARGS=${@}
 DIR="$(dirname $(realpath $(dirname $0)))"
 
-apt-get update
-apt-get install -y sudo unzip zip
+echo apt-get update -yq
+apt-get install --no-install-recommends -y ansible sudo unzip zip
 
 mkdir -p \
   "${CARGO_HOME}" \
   "${GOPATH}" \
   "${KREW_ROOT}" \
   "${RUSTUP_HOME}"
 
-# fixme: make optional via envvar
 # install docker
-[[ -z $(command -v docker) ]] && "${DIR}/scripts/install-docker.sh"
-
-# fixme: make optional via envvar
-# # install rust
-# [[ -z $(command -v rustc) ]] && {
-#   curl -fsSLo /tmp/rustup-init.sh https://sh.rustup.rs
-#   RUSTUP_HOME="${RUSTUP_HOME}" CARGO_HOME="${CARGO_HOME}" sh /tmp/rustup-init.sh -y
-# }
-
-# todo: make golang optional via envvar
-# todo: make node optional via envvar
+if [[ "${ARGS}" == *"--docker"* && -z $(command -v docker) ]]; then
+  "${DIR}/scripts/install-docker.sh"
+fi
+
+# install rust
+if [[ "${ARGS}" == *"--rust"* && -z $(command -v rustc) ]]; then
+  curl -fsSLo /tmp/rustup-init.sh https://sh.rustup.rs
+  RUSTUP_HOME="${RUSTUP_HOME}" CARGO_HOME="${CARGO_HOME}" sh /tmp/rustup-init.sh -y
+fi
+
+# install go
+if [[ "${ARGS}" == *"--go"* && -z $(command -v go) ]]; then
+  curl -fsSLo /tmp/go.tar.gz "https://golang.org/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz"
+  tar -xvf /tmp/go.tar.gz -C /usr/local/
+fi
+
+# install node
+if [[ "${ARGS}" == *"--go"* && -z $(command -v node) ]]; then
+  curl -fsSLo /tmp/node.tar.gz "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${ARCH}.tar.gz"
+  tar -xvf /tmp/node.tar.gz -C /usr/local/
+fi
 
 # install yq
 [[ -z $(command -v yq) ]] && {
@@ -84,12 +96,11 @@ mkdir -p \
   install /tmp/cilium /usr/local/bin/
 }
 
-# fixme: make optional via envvar
 # install cloudflared
-# [[ -z $(command -v cloudflared) ]] && {
-#   curl -fsSLo /tmp/cloudflared "https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-${ARCH}"
-#   install /tmp/cloudflared /usr/local/bin/
-# }
+if [[ "${ARGS}" == *"--cloudflared"* && -z $(command -v cloudflared) ]]; then
+  curl -fsSLo /tmp/cloudflared "https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-${ARCH}"
+  install /tmp/cloudflared /usr/local/bin/
+}
 
 # install clusterctl
 [[ -z $(command -v clusterctl) ]] && {
@@ -192,6 +203,19 @@ mkdir -p \
   chmod 755 "$(command -v trunk)"
 }
 
+# enable windows manager
+if [[ "${ARGS}" == *"--wm"* ]]; then
+  echo apt-get install --no-install-recommends -y \
+    icewm \
+    x11vnc \
+    xauth \
+    xinit \
+    xterm \
+    xvfb
+
+  echo "exec icewm" > ~/.xinitrc && chmod +x ~/.xinitrc
+fi
+
 # post
 groups=(
   "docker"