mios-dev
diff --git a/‎.forgejo/workflows/build-mios.yml‎
Lines changed: 114 additions & 0 deletions b/‎.forgejo/workflows/build-mios.yml‎
Lines changed: 114 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 21 additions & 0 deletions b/‎.gitignore‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎Containerfile‎
Lines changed: 13 additions & 3 deletions b/‎Containerfile‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎automation/05-enable-external-repos.sh‎
Lines changed: 46 additions & 35 deletions b/‎automation/05-enable-external-repos.sh‎
Lines changed: 46 additions & 35 deletions
diff --git a/‎automation/12-virt.sh‎
Lines changed: 7 additions & 0 deletions b/‎automation/12-virt.sh‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎automation/37-aichat.sh‎
Lines changed: 9 additions & 1 deletion b/‎automation/37-aichat.sh‎
Lines changed: 9 additions & 1 deletion
@@ -0,0 +1,114 @@
+# .forgejo/workflows/build-mios.yml
+# Self-replication loop: triggered by `git push http://localhost:3000/<admin>/mios`,
+# this workflow runs in the mios-forgejo-runner Quadlet, builds a new OCI
+# image via `podman build` against /Containerfile, and signals the host's
+# mios-bootc-switch.path watcher to stage the new image for next boot.
+#
+# Privilege boundary:
+#   - Runner container (Privileged=true, documented exception): does
+#     `podman build` and writes the build-output sentinel.
+#   - Host (mios-bootc-switch.service triggered by mios-bootc-switch.path):
+#     reads the sentinel, runs `bootc switch --transport containers-storage`.
+#   - The runner has NO access to /usr/bin/bootc; the split is intentional.
+#
+# Storage: the runner shares /var/lib/containers/storage with the host
+# (Volume= in the Quadlet). After `podman build` produces
+# `localhost/mios:latest`, the image is visible to host bootc directly.
+
+name: build-mios
+on:
+  push:
+    branches: [main]
+  workflow_dispatch: {}
+
+jobs:
+  build:
+    runs-on: mios-self-hosted
+    steps:
+      - name: Checkout (live working tree of /)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          # The repo IS the deployed root; checkout fetches the freshly
+          # pushed state into the runner's job workspace. The
+          # /Containerfile in that workspace is what podman build consumes.
+
+      - name: Resolve image tag from VERSION + commit
+        id: tag
+        run: |
+          VER="$(cat VERSION 2>/dev/null || echo 'v0.0.0')"
+          SHA="$(git rev-parse --short=12 HEAD)"
+          TS="$(date -u +%Y%m%d-%H%M%S)"
+          TAG="${VER#v}-${TS}-${SHA}"
+          echo "image_tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "Building tag: ${TAG}"
+
+      - name: Build OCI image (localhost/mios:latest + tagged)
+        run: |
+          set -euo pipefail
+          # Build args sourced from /etc/mios/install.env if present
+          # (host-mounted by the runner Quadlet for read-only access).
+          BUILD_ARGS=()
+          if [[ -r /etc/mios/install.env ]]; then
+              # shellcheck source=/dev/null
+              source /etc/mios/install.env
+              [[ -n "${MIOS_LINUX_USER:-}" ]] && BUILD_ARGS+=(--build-arg "MIOS_USER=${MIOS_LINUX_USER}")
+              [[ -n "${MIOS_HOSTNAME:-}"   ]] && BUILD_ARGS+=(--build-arg "MIOS_HOSTNAME=${MIOS_HOSTNAME}")
+              [[ -n "${MIOS_AI_MODEL:-}"   ]] && BUILD_ARGS+=(--build-arg "MIOS_AI_MODEL=${MIOS_AI_MODEL}")
+              [[ -n "${MIOS_AI_EMBED_MODEL:-}" ]] && BUILD_ARGS+=(--build-arg "MIOS_AI_EMBED_MODEL=${MIOS_AI_EMBED_MODEL}")
+              [[ -n "${MIOS_OLLAMA_BAKE_MODELS:-}" ]] && BUILD_ARGS+=(--build-arg "MIOS_OLLAMA_BAKE_MODELS=${MIOS_OLLAMA_BAKE_MODELS}")
+          fi
+          podman build \
+              "${BUILD_ARGS[@]}" \
+              -f Containerfile \
+              -t "localhost/mios:latest" \
+              -t "localhost/mios:${{ steps.tag.outputs.image_tag }}" \
+              .
+
+      - name: Verify bootc lint passes (image must be bootc-switchable)
+        run: |
+          # Containerfile already runs `bootc container lint` as the final
+          # build step (Architectural Law 4). This is a belt-and-suspenders
+          # check: confirm the freshly-built image still carries the
+          # required bootc labels before signaling the host watcher.
+          podman image inspect localhost/mios:latest \
+              --format '{{ index .Config.Labels "containers.bootc" }}' \
+              | grep -qx '1' || {
+                  echo "ERROR: built image missing containers.bootc=1 label" >&2
+                  exit 1
+              }
+          podman image inspect localhost/mios:latest \
+              --format '{{ index .Config.Labels "ostree.bootable" }}' \
+              | grep -qx '1' || {
+                  echo "ERROR: built image missing ostree.bootable=1 label" >&2
+                  exit 1
+              }
+
+      - name: Signal host -> bootc switch on next boot
+        run: |
+          # The host's mios-bootc-switch.path watches this file. Writing
+          # the timestamp + image ref triggers mios-bootc-switch.service,
+          # which validates the image exists in containers-storage and
+          # runs `bootc switch --transport containers-storage <ref>`.
+          # No reboot here; operator decides when to apply.
+          install -d -m 0755 /var/lib/mios/forge-runner
+          printf '%s %s\n' \
+              "$(date -u +%FT%TZ)" \
+              "localhost/mios:latest" \
+              > /var/lib/mios/forge-runner/last-build.txt
+          chmod 0644 /var/lib/mios/forge-runner/last-build.txt
+          echo "Build signaled. Host will stage on next boot."
+          echo "Apply now: sudo bootc upgrade --apply"
+
+      - name: Optional - mirror to GHCR
+        if: ${{ env.GHCR_TOKEN != '' }}
+        env:
+          GHCR_USER: ${{ secrets.GHCR_USER }}
+          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+        run: |
+          set -euo pipefail
+          podman login -u "${GHCR_USER}" -p "${GHCR_TOKEN}" ghcr.io
+          podman tag  localhost/mios:latest "ghcr.io/mios-dev/mios:latest"
+          podman tag  localhost/mios:latest "ghcr.io/mios-dev/mios:${{ steps.tag.outputs.image_tag }}"
+          podman push "ghcr.io/mios-dev/mios:latest"
+          podman push "ghcr.io/mios-dev/mios:${{ steps.tag.outputs.image_tag }}"
@@ -25,6 +25,13 @@
 !/.env.mios
 !/.github/
 !/.github/**
+# Forgejo Actions workflows (consumed by mios-forgejo-runner Quadlet
+# inside the closed self-replication loop). Forgejo Runner accepts
+# both .forgejo/workflows/ and .github/workflows/; the .forgejo/ path
+# is canonical for self-hosted-only workflows that shouldn't leak to
+# GHCR-side CI.
+!/.forgejo/
+!/.forgejo/**
 !/AGENTS.md
 !/AGREEMENTS.md
 !/AI.md
@@ -304,6 +311,8 @@ usr/lib/systemd/system/*
 !/usr/lib/systemd/system/mios-*.service
 !/usr/lib/systemd/system/mios-*.timer
 !/usr/lib/systemd/system/mios-*.target
+!/usr/lib/systemd/system/mios-*.path
+!/usr/lib/systemd/system/mios-*.socket
 !/usr/lib/systemd/system/var-*.mount
 !/usr/lib/systemd/system/*.service.d/
 !/usr/lib/systemd/system/*.service.d/**
@@ -379,6 +388,18 @@ opt/mios/*
 !/opt/mios/prompts/
 !/opt/mios/prompts/**
 
+# ─────────────────────────────────────────────────────────────────────────────
+# 9f. /var/lib/mios -- exclude runtime state written by services after boot.
+# These files are operationally produced (firstboot sentinels, build-output
+# pointers, switch history) and MUST NOT round-trip through `git push`.
+# Whitelisted directories are still tracked; only specific runtime files
+# are excluded.
+# ─────────────────────────────────────────────────────────────────────────────
+var/lib/mios/forge/.firstboot-done
+var/lib/mios/forge-runner/
+var/lib/mios/bootc-switch-history.tsv
+var/lib/mios/.wsl-firstboot-done
+
 # ─────────────────────────────────────────────────────────────────────────────
 # 10. SAFETY OVERRIDES -- sensitive, volatile, or OS-managed files
 # These exclusions always win regardless of section 9 allows above.
 
@@ -70,9 +70,19 @@ RUN --mount=type=bind,from=ctx,source=/ctx,target=/ctx,ro \
     find /run -mindepth 1 -maxdepth 1 ! -name "secrets" -exec rm -rf {} + 2>/dev/null || true
 
 RUN bootc completion bash > /etc/bash_completion.d/bootc
-RUN --mount=type=bind,from=ctx,source=/ctx/tools,target=/ctx/tools,ro \
-    install -d -m 0755 /usr/lib/extensions/source && \
-    bash /ctx/tools/mios-sysext-pack.sh /usr/lib/extensions/source || true
+# System-extension pack step: intentionally a no-op when no sysext source
+# trees are staged in the image. The pack tool at tools/mios-sysext-pack.sh
+# consolidates one-or-more `/usr/lib/extensions/source-*` trees into a single
+# monolithic SquashFS sysext (mitigation for the overlayfs stacking-depth
+# limit on bootc systems). The current build is FHS-overlay-only and stages
+# no sysext sources, so this step skips silently. To start packing sysexts:
+#   1. Have an earlier automation/*.sh phase populate
+#      /usr/lib/extensions/source-<name>/{usr,etc,...} with the files to pack.
+#   2. Re-enable the RUN below (un-comment), passing every populated source
+#      dir as a positional argument to mios-sysext-pack.sh.
+#
+# RUN --mount=type=bind,from=ctx,source=/ctx/tools,target=/ctx/tools,ro \
+#     bash /ctx/tools/mios-sysext-pack.sh /usr/lib/extensions/source-*
 RUN ostree container commit
 # bootc container lint MUST be the final instruction (ARCHITECTURAL LAW 4).
 RUN bootc container lint
@@ -25,37 +25,41 @@ source "$(dirname "$0")/lib/common.sh"
 
 REPO_DIR=/etc/yum.repos.d
 
+# Best-effort policy. Every external repo enable here is non-critical:
+# downstream installs already pass --skip-unavailable, so a missing repo
+# silently drops its packages rather than failing the build. Wrap every
+# external fetch / dnf op in warn-on-failure + clean partials, and keep
+# the script's overall exit at 0 (warnings are tracked separately by the
+# build chain summary).
+
+# Try a curl fetch into a target file. On failure: warn, delete partial,
+# return 1 so callers can short-circuit downstream key import / sed.
+try_fetch() {
+    local url="$1" out="$2" label="$3"
+    if scurl -fsSL --connect-timeout 20 --max-time 60 "$url" -o "$out" 2>/dev/null; then
+        return 0
+    fi
+    warn "${label}: fetch failed (${url}) -- skipping"
+    rm -f "$out"
+    return 1
+}
+
 # --- 1. Terra (fyralabs) ----------------------------------------------------
 # Patched WINE/Mesa/miscellaneous packages missing from Fedora + RPM Fusion.
 if [[ ! -f "${REPO_DIR}/terra.repo" ]]; then
     log "enabling Terra repo (fyralabs)"
-    if ! scurl -fsSL --connect-timeout 20 --max-time 60 \
-            https://github.com/terrapkg/subatomic-repos/raw/main/terra.repo \
-            -o "${REPO_DIR}/terra.repo" 2>/dev/null; then
-        warn "Terra repo download failed (github.com unreachable?) -- skipping Terra"
-    fi
+    try_fetch "https://github.com/terrapkg/subatomic-repos/raw/main/terra.repo" \
+              "${REPO_DIR}/terra.repo" "Terra repo" || true
 else
     log "Terra repo already present -- skipping"
 fi
 
-# --- 2. VSCodium (FOSS) ------------------------------------------------------
-if [[ ! -f "${REPO_DIR}/vscodium.repo" ]]; then
-    log "enabling VSCodium repo (FOSS)"
-    scurl -fsSL https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg -o /tmp/vscodium.gpg
-    rpm --import /tmp/vscodium.gpg && rm -f /tmp/vscodium.gpg
-    cat > "${REPO_DIR}/vscodium.repo" <<'EOF'
-[vscodium]
-name=VSCodium
-baseurl=https://download.vscodium.com/rpms/
-enabled=1
-autorefresh=1
-type=rpm-md
-gpgcheck=1
-gpgkey=https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg
-EOF
-else
-    log "VSCodium repo already present -- skipping"
-fi
+# --- 2. (removed) VSCodium ---------------------------------------------------
+# PROJECT INVARIANT: applications ship as Flatpaks, only system dependencies
+# ship as RPMs. VSCodium is an application -- it ships from Flathub via
+# MIOS_FLATPAKS / the Flatpak install path, never from an RPM repo. The
+# previous VSCodium .repo / gpg-import block was removed for this reason.
+# If any other app RPM repo creeps into this script, delete it the same way.
 
 # --- 7. Kubernetes stable v1.32 (kubectl) -----------------------------------
 # kubectl is NOT in standard Fedora repos -- must come from the Kubernetes
@@ -84,12 +88,12 @@ fi
 # Using Fedora 44 repo endpoint; COPR auto-publishes new packages as they land.
 if [[ ! -f "${REPO_DIR}/ublue-os-packages.repo" ]]; then
     log "enabling ublue-os/packages COPR (uupd + greenboot)"
-    scurl -fsSL \
-        "https://copr.fedorainfracloud.org/coprs/ublue-os/packages/repo/fedora-44/ublue-os-packages-fedora-44.repo" \
-        -o "${REPO_DIR}/ublue-os-packages.repo"
-    # Lower priority than Fedora base so Fedora wins on conflicting packages.
-    if ! grep -q '^priority=' "${REPO_DIR}/ublue-os-packages.repo"; then
-        sed -i '/^\[/a priority=75' "${REPO_DIR}/ublue-os-packages.repo"
+    if try_fetch "https://copr.fedorainfracloud.org/coprs/ublue-os/packages/repo/fedora-44/ublue-os-packages-fedora-44.repo" \
+                 "${REPO_DIR}/ublue-os-packages.repo" "ublue-os/packages COPR"; then
+        # Lower priority than Fedora base so Fedora wins on conflicting packages.
+        if ! grep -q '^priority=' "${REPO_DIR}/ublue-os-packages.repo"; then
+            sed -i '/^\[/a priority=75' "${REPO_DIR}/ublue-os-packages.repo"
+        fi
     fi
 else
     log "ublue-os/packages COPR already present -- skipping"
@@ -98,7 +102,9 @@ fi
 # ── Waydroid (Aleasto) ───────────────────────────────────────────────────
 if ! [ -f /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:aleasto:waydroid.repo ]; then
     log "enabling aleasto/waydroid COPR (GNOME 50 fix)"
-    $DNF_BIN "${DNF_SETOPT[@]}" copr enable -y aleasto/waydroid
+    if ! $DNF_BIN "${DNF_SETOPT[@]}" copr enable -y aleasto/waydroid 2>/dev/null; then
+        warn "aleasto/waydroid COPR enable failed -- skipping (GNOME 50 fix unavailable)"
+    fi
 else
     log "aleasto/waydroid COPR already present -- skipping"
 fi
@@ -108,8 +114,8 @@ fi
 # Tailscale repo keeps it at the latest stable regardless of ucore cadence.
 if [[ ! -f "${REPO_DIR}/tailscale.repo" ]]; then
     log "enabling Tailscale official repo"
-    scurl -fsSL https://pkgs.tailscale.com/stable/fedora/tailscale.repo \
-        -o "${REPO_DIR}/tailscale.repo"
+    try_fetch "https://pkgs.tailscale.com/stable/fedora/tailscale.repo" \
+              "${REPO_DIR}/tailscale.repo" "Tailscale repo" || true
 else
     log "Tailscale repo already present -- skipping"
 fi
@@ -124,13 +130,18 @@ if [[ ! -f "${REPO_DIR}/crowdsec.repo" ]]; then
     # The 'dist' query parameter pins the packagecloud distro release;
     # crowdsec ships a single fedora repo across releases (the value is
     # only used for substituting $releasever in baseurl).
-    scurl -fsSL "https://packagecloud.io/crowdsec/crowdsec/config_file.repo?os=fedora&dist=44&source=script" \
-        -o "${REPO_DIR}/crowdsec.repo"
+    try_fetch "https://packagecloud.io/crowdsec/crowdsec/config_file.repo?os=fedora&dist=44&source=script" \
+              "${REPO_DIR}/crowdsec.repo" "CrowdSec repo" || true
 else
     log "CrowdSec repo already present -- skipping"
 fi
 
 log "external repos enabled; refreshing metadata"
-$DNF_BIN "${DNF_SETOPT[@]}" makecache -y
+# makecache is best-effort: if a single repo's metadata is unreachable
+# the next dnf install in this build will retry it. Hard-failing here
+# wastes the entire build for a transient mirror hiccup.
+if ! $DNF_BIN "${DNF_SETOPT[@]}" makecache -y 2>&1 | tail -20; then
+    warn "dnf makecache returned non-zero -- continuing (downstream installs will retry per-repo)"
+fi
 
 log "05-enable-external-repos.sh complete"
@@ -26,6 +26,13 @@ install_packages "containers"
 # Extra self-build tools (image-rechunking, etc. - may be repo-dependent)
 install_packages "self-build"
 
+# ── Build toolchain (image-build only; stripped by 91-strip-build-toolchain.sh) ──
+# Required by 19-k3s-selinux.sh (SELinux module compile) and
+# 53-bake-lookingglass-client.sh (Looking Glass B7 from source). Removed
+# before image commit so the runtime carries no compilers.
+echo "[12-virt] Installing build toolchain (image-build only; will be stripped)..."
+install_packages "build-toolchain"
+
 # ── Cockpit Web Management ──────────────────────────────────────────────────
 echo "[12-virt] Installing Cockpit..."
 install_packages_strict "cockpit"
 
@@ -1,12 +1,20 @@
 #!/bin/bash
 # 37-aichat: Install AIChat and AIChat-NG Rust CLI tools
+#
+# OPEN TASK (project invariant: VM | Container | Flatpak only):
+# These are user-facing AI CLI applications. Per the project-wide
+# delivery rule, they should run inside a Distrobox container, not
+# directly on the host. The current /usr/bin install is transitional;
+# the migration is to package them as a Distrobox container with
+# wrapper scripts in /usr/bin that exec into the container. See
+# usr/share/mios/PACKAGES.md > "AI Tools" section for context.
 set -euo pipefail
 # shellcheck source=lib/common.sh
 source "$(dirname "$0")/lib/common.sh"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/lib/packages.sh"
 
-echo "[37-aichat] Installing AI-related packages (redis, sqlite)..."
+echo "[37-aichat] Resolving 'ai' package block (currently empty -- aichat/aichat-ng ship as tarballs, not RPMs)..."
 install_packages "ai"
 
 echo "[37-aichat] Installing AIChat and AIChat-NG binaries..."