feature(nebula): build offsec image

.github/workflows/build.yml

@@ -16,6 +16,10 @@ on:
 env:
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-build
+  cancel-in-progress: true
+
 jobs:
   build-lumina:
     runs-on: ubuntu-latest
@@ -177,8 +181,162 @@ jobs:
           private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
           private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}
 
+  build-nebula:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        fedora-version: [40, stable]
+        base-image: [silverblue]
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    env:
+      IMAGE_NAME: ""
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      - name: Optimize GHA Storage
+        uses: rsturla/eternal-main/.github/actions/optimise-gha-storage@main
+
+      - name: Setup Environment Variables
+        env:
+          BASE_IMAGE: ${{ matrix.base-image }}
+        run: |
+          if [ "${BASE_IMAGE}" == "silverblue" ]; then
+            echo "IMAGE_NAME=eternal-linux/nebula" >> $GITHUB_ENV
+          else
+            echo "IMAGE_NAME=eternal-linux/nebula-${BASE_IMAGE}" >> $GITHUB_ENV
+          fi
+
+      - name: Generate Image Tags
+        uses: rsturla/eternal-main/.github/actions/generate-image-tags@main
+        id: generate-image-tags
+        with:
+          image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }}
+          major-version: ${{ matrix.fedora-version }}
+          is-release: ${{ github.event_name != 'pull_request' }}
+
+      - name: Build Image
+        id: build
+        uses: rsturla/eternal-main/.github/actions/build-image@main
+        with:
+          builder: docker
+          context: nebula/.
+          dockerfile: nebula/Containerfile
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tags: |
+            ${{ steps.generate-image-tags.outputs.tags }}
+          build-args: |
+            BASE_TAG=${{ matrix.fedora-version }}
+            BASE_IMAGE=${{ matrix.base-image }}
+
+      - name: Push Image
+        id: push
+        uses: rsturla/eternal-main/.github/actions/push-image@main
+        with:
+          builder: ${{ steps.build.outputs.builder }}
+          image-name: ${{ steps.build.outputs.image }}
+          image-tags: ${{ steps.build.outputs.tags }}
+          image-registry: ${{ env.IMAGE_REGISTRY }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign Image
+        uses: rsturla/eternal-main/.github/actions/sign-image@main
+        if: github.event_name != 'pull_request'
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          registry-provider: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          digest: ${{ steps.push.outputs.digest }}
+          private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
+          private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}
+
+  build-nebula-nvidia:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        fedora-version: [40, stable]
+        base-image: [silverblue]
+        nvidia-type: [open, proprietary]
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    env:
+      IMAGE_NAME: ""
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      - name: Optimize GHA Storage
+        uses: rsturla/eternal-main/.github/actions/optimise-gha-storage@main
+
+      - name: Setup Environment Variables
+        env:
+          BASE_IMAGE: ${{ matrix.base-image }}
+        run: |
+          if [ "${BASE_IMAGE}" == "silverblue" ]; then
+            echo "IMAGE_NAME=eternal-linux/nebula" >> $GITHUB_ENV
+          else
+            echo "IMAGE_NAME=eternal-linux/nebula-${BASE_IMAGE}" >> $GITHUB_ENV
+          fi
+
+      - name: Generate Image Tags
+        uses: rsturla/eternal-main/.github/actions/generate-image-tags@main
+        id: generate-image-tags
+        with:
+          image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }}
+          major-version: ${{ matrix.fedora-version }}
+          is-release: ${{ github.event_name != 'pull_request' }}
+          is-nvidia: true
+          nvidia-type: ${{ matrix.nvidia-type }}
+
+      - name: Build Image
+        id: build
+        uses: rsturla/eternal-main/.github/actions/build-image@main
+        with:
+          builder: docker
+          context: nebula/.
+          dockerfile: nebula/Containerfile
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tags: |
+            ${{ steps.generate-image-tags.outputs.tags }}
+          build-args: |
+            BASE_TAG=${{ matrix.fedora-version }}-${{ matrix.nvidia-type == 'open' && 'nvidia-open' || 'nvidia' }}
+            FEDORA_VERSION=${{ matrix.fedora-version }}
+            BASE_IMAGE=${{ matrix.base-image }}
+
+      - name: Push Image
+        id: push
+        uses: rsturla/eternal-main/.github/actions/push-image@main
+        with:
+          builder: ${{ steps.build.outputs.builder }}
+          image-name: ${{ steps.build.outputs.image }}
+          image-tags: ${{ steps.build.outputs.tags }}
+          image-registry: ${{ env.IMAGE_REGISTRY }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign Image
+        uses: rsturla/eternal-main/.github/actions/sign-image@main
+        if: github.event_name != 'pull_request'
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          registry-provider: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          digest: ${{ steps.push.outputs.digest }}
+          private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
+          private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}
+
   check:
-    needs: [build-lumina, build-lumina-nvidia]
+    needs: [build-lumina, build-lumina-nvidia, build-nebula, build-nebula-nvidia]
     if: always()
     runs-on: ubuntu-latest
     steps:

nebula/Containerfile

@@ -0,0 +1,21 @@
+ARG BASE_IMAGE=silverblue
+ARG BASE_REGISTRY=ghcr.io/rsturla/eternal-linux/main/${BASE_IMAGE}
+ARG BASE_TAG=40
+ARG FEDORA_VERSION=${BASE_TAG}
+
+FROM ${BASE_REGISTRY}:${BASE_TAG}
+
+ARG FEDORA_VERSION
+ARG BASE_IMAGE
+
+COPY files/_base /
+COPY files/_${BASE_IMAGE} /
+COPY scripts/ /tmp/scripts/
+
+RUN chmod +x /tmp/scripts/*.sh /tmp/scripts/*.sh /tmp/scripts/_${BASE_IMAGE}/*.sh && \
+  /tmp/scripts/setup.sh --base ${BASE_IMAGE} && \
+  /tmp/scripts/cleanup.sh --base ${BASE_IMAGE} \
+  && \
+  rpm-ostree cleanup -m && \
+  rm -rf /tmp/* /var/* && \
+  ostree container commit

nebula/files/_base/etc/containers/containers.conf.d/eternal-runtimes.conf

@@ -0,0 +1,2 @@
+[engine.runtimes]
+crun-vm = ["/usr/local/bin/crun-vm"]

nebula/files/_base/etc/containers/registries.conf.d/001-zot-quadlet-mirror.conf

@@ -0,0 +1,7 @@
+[[registry]]
+location = "ghcr.io/rsturla"
+insecure = false
+
+[[registry.mirror]]
+location = "localhost:5000/rsturla"
+insecure = true

nebula/files/_base/etc/containers/registries.conf.d/002-zot-quadlet.conf

@@ -0,0 +1,3 @@
+[[registry]]
+location = "localhost:5000"
+insecure = true

nebula/files/_base/etc/containers/systemd/users/_config/glance-default.yaml

@@ -0,0 +1,70 @@
+theme:
+  background-color: 50 1 6
+  primary-color: 24 97 58
+  negative-color: 209 88 54
+
+pages:
+  - name: Home
+    columns:
+      - size: small
+        widgets:
+          - type: calendar
+
+          - type: rss
+            limit: 10
+            collapse-after: 3
+            cache: 3h
+            feeds:
+              - url: https://ciechanow.ski/atom.xml
+              - url: https://www.joshwcomeau.com/rss.xml
+                title: Josh Comeau
+              - url: https://samwho.dev/rss.xml
+              - url: https://awesomekling.github.io/feed.xml
+              - url: https://ishadeed.com/feed.xml
+                title: Ahmad Shadeed
+
+          - type: twitch-channels
+            channels:
+              - theprimeagen
+              - cohhcarnage
+              - christitustech
+              - blurbs
+              - asmongold
+              - jembawls
+
+      - size: full
+        widgets:
+          - type: hacker-news
+
+          - type: videos
+            channels:
+              - UCR-DXc1voovS8nhAvccRZhg # Jeff Geerling
+              - UCv6J_jJa8GJqFwQNgNrMuww # ServeTheHome
+              - UCOk-gHyjcWZNj3Br4oxwh0A # Techno Tim
+
+          - type: reddit
+            subreddit: selfhosted
+
+      - size: small
+        widgets:
+          - type: weather
+            location: London, United Kingdom
+
+          - type: stocks
+            stocks:
+              - symbol: SPY
+                name: S&P 500
+              - symbol: BTC-USD
+                name: Bitcoin
+              - symbol: NVDA
+                name: NVIDIA
+              - symbol: AAPL
+                name: Apple
+              - symbol: MSFT
+                name: Microsoft
+              - symbol: GOOGL
+                name: Google
+              - symbol: AMD
+                name: AMD
+              - symbol: RDDT
+                name: Reddit

nebula/files/_base/etc/containers/systemd/users/_config/grafana.ini

@@ -0,0 +1,4 @@
+org_role = Admin
+
+[auth.anonymous]
+enabled = true

nebula/files/_base/etc/containers/systemd/users/_config/milvus-etcd.yaml

@@ -0,0 +1,5 @@
+listen-client-urls: http://0.0.0.0:2379
+advertise-client-urls: http://0.0.0.0:2379
+quota-backend-bytes: 4294967296
+auto-compaction-mode: revision
+auto-compaction-retention: '1000'

nebula/files/_base/etc/containers/systemd/users/_config/prometheus.yml

@@ -0,0 +1,10 @@
+global:
+    scrape_interval: 5s
+    evaluation_interval: 5s
+
+scrape_configs:
+  - job_name: minio-job
+    metrics_path: /minio/prometheus/metrics
+    scheme: http
+    static_configs:
+        - targets: ['minio:9000']

nebula/files/_base/etc/containers/systemd/users/_config/redpanda-console.yml

@@ -0,0 +1,9 @@
+kafka:
+  brokers: ["redpanda-server:9092"]
+  schemaRegistry:
+    enabled: true
+    urls: ["http://redpanda-server:8081"]
+redpanda:
+  adminApi:
+    enabled: true
+    urls: ["http://redpanda-server:9644"]

nebula/files/_base/etc/containers/systemd/users/_config/redpanda-server.yml

@@ -0,0 +1,62 @@
+redpanda:
+    data_directory: /var/lib/redpanda/data
+    node_id: 1
+    seed_servers: []
+    rpc_server:
+        address: redpanda-server
+        port: 33145
+    kafka_api:
+        - address: 0.0.0.0
+          port: 9092
+          name: internal
+        - address: 0.0.0.0
+          port: 19092
+          name: external
+    admin:
+        - address: 0.0.0.0
+          port: 9644
+    advertised_rpc_api:
+        address: redpanda-server
+        port: 33145
+    advertised_kafka_api:
+        - address: redpanda-server
+          port: 9092
+          name: internal
+        - address: localhost
+          port: 9092
+          name: external
+    developer_mode: true
+    auto_create_topics_enabled: true
+    fetch_reads_debounce_timeout: 10
+    group_initial_rebalance_delay: 0
+    group_topic_partitions: 3
+    log_segment_size_min: 1
+    storage_min_free_bytes: 10485760
+    topic_partitions_per_shard: 1000
+rpk:
+    additional_start_flags:
+        - --smp=1
+    overprovisioned: true
+pandaproxy:
+    pandaproxy_api:
+        - address: 0.0.0.0
+          port: 8082
+          name: internal
+        - address: 0.0.0.0
+          port: 18082
+          name: external
+    advertised_pandaproxy_api:
+        - address: redpanda-server
+          port: 8082
+          name: internal
+        - address: localhost
+          port: 18082
+          name: external
+schema_registry:
+    schema_registry_api:
+        - address: 0.0.0.0
+          port: 8081
+          name: internal
+        - address: 0.0.0.0
+          port: 18081
+          name: external

nebula/files/_base/etc/containers/systemd/users/_config/zot-config.yaml

@@ -0,0 +1,20 @@
+distspecversion: 1.0.1
+http:
+  address: 0.0.0.0
+  port: 5000
+storage:
+  rootdirectory: /var/lib/zot/data
+extensions:
+  search:
+    enable: true
+    cve:
+      updateInterval: 12h
+  ui:
+    enable: true
+  sync:
+    registries:
+      - urls:
+        - https://ghcr.io
+        onDemand: true
+        content:
+          - prefix: "rsturla/**"