From 7d0b08ac1df2402b1db42e1891e6f576a3f3e299 Mon Sep 17 00:00:00 2001 From: Breadway Date: Wed, 17 Jun 2026 18:49:55 +0800 Subject: [PATCH 1/3] Initialise the pacman keyring during install MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fresh installs couldn't update — the live medium's /etc/pacman.d/gnupg doesn't reliably carry to the target, so the first `pacman -Syu` failed with "keyring is not writable / required key missing from keyring". Run pacman-key --init + --populate archlinux in post-install so signature verification works out of the box. ([breadway] is SigLevel=Never, so no extra key needed.) Co-Authored-By: Claude Opus 4.8 --- iso/airootfs/etc/calamares/post-install.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/iso/airootfs/etc/calamares/post-install.sh b/iso/airootfs/etc/calamares/post-install.sh index e318ed1..82e7dba 100644 --- a/iso/airootfs/etc/calamares/post-install.sh +++ b/iso/airootfs/etc/calamares/post-install.sh @@ -23,6 +23,19 @@ userdel -r liveuser 2>/dev/null || true # Root used a passwordless entry on the live medium; lock it (sudo model). passwd -l root || true +# --------------------------------------------------------------------------- +# Pacman keyring. The live medium's /etc/pacman.d/gnupg doesn't reliably carry +# over to the target (unpackfs may skip it / perms differ), leaving the installed +# system unable to verify package signatures — the first `pacman -Syu` then dies +# with "keyring is not writable / required key missing". Initialise it here so a +# fresh install can update out of the box. archlinux-keyring is already present; +# [breadway] is SigLevel=Never so it needs no key. +# --------------------------------------------------------------------------- +if command -v pacman-key &>/dev/null; then + pacman-key --init || echo "WARN: pacman-key --init failed" + pacman-key --populate archlinux || echo "WARN: pacman-key --populate failed" +fi + # --------------------------------------------------------------------------- # Boot splash (Plymouth) — BOS logo + spinner instead of kernel text. Done # BEFORE grub so grub.cfg picks up the new cmdline and the rebuilt initramfs. From b5bfef04352013d569f37d620ba2f6e9239ec5f5 Mon Sep 17 00:00:00 2001 From: Breadway Date: Wed, 17 Jun 2026 22:57:58 +0800 Subject: [PATCH 2/3] ISO: microcode + plymouth hooks, PDF/VA-API packages, first-run network MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - post-install: ensure the `microcode` initramfs hook (after autodetect) so installed systems carry CPU ucode — the live ISO embeds it, so nothing is staged onto the target otherwise. Rebuild all presets with `mkinitcpio -P`. - post-install: drop the nonexistent `sd-plymouth` hook branch; only the udev `plymouth` hook exists. Set the theme then rebuild once. - packages: add zathura + zathura-pdf-mupdf (BOS had no PDF viewer) and libva-utils (`vainfo`); the Mesa VA-API backend now ships in `mesa` itself. - bos-welcome: on first run, if NetworkManager isn't fully online, open nmtui so the user connects before the first bos-update/pacman (avoids confusing DNS errors on a fresh install). Float the bos-netsetup window like bos-welcome. Co-Authored-By: Claude Opus 4.8 --- iso/airootfs/etc/calamares/post-install.sh | 47 ++++++++++++------- .../etc/skel/.config/hypr/hyprland.lua | 1 + iso/airootfs/usr/local/bin/bos-welcome | 19 ++++++++ iso/packages.x86_64 | 11 ++++- 4 files changed, 60 insertions(+), 18 deletions(-) diff --git a/iso/airootfs/etc/calamares/post-install.sh b/iso/airootfs/etc/calamares/post-install.sh index 82e7dba..ebfb24a 100644 --- a/iso/airootfs/etc/calamares/post-install.sh +++ b/iso/airootfs/etc/calamares/post-install.sh @@ -37,23 +37,33 @@ if command -v pacman-key &>/dev/null; then fi # --------------------------------------------------------------------------- -# Boot splash (Plymouth) — BOS logo + spinner instead of kernel text. Done -# BEFORE grub so grub.cfg picks up the new cmdline and the rebuilt initramfs. -# All best-effort: if anything here fails the system still boots (just without -# the splash) — the initramfs the initcpio module already built stays valid. +# Initramfs HOOKS: microcode + plymouth. Edit HOOKS first, rebuild once below. +# microcode — embeds the (autodetect-pruned) CPU microcode into the initramfs +# so it loads at early boot. The live ISO embeds ucode the same way, so the +# ISO /boot carries no separate ucode image and bos-copy-kernel stages none +# onto the target — the installed initramfs must therefore carry it itself. +# Must sit AFTER `autodetect` so it's pruned to the running CPU's microcode. +# plymouth — the BOS boot splash. Only the udev `plymouth` hook exists (there +# is NO `sd-plymouth`), so always insert it after `udev`. +# All best-effort: a failure here still leaves a bootable initramfs. +# --------------------------------------------------------------------------- +if [[ -f /etc/mkinitcpio.conf ]]; then + if ! grep -qE '^HOOKS=.*\bmicrocode\b' /etc/mkinitcpio.conf; then + sed -i 's/^\(HOOKS=.*\bautodetect\b\)/\1 microcode/' /etc/mkinitcpio.conf \ + || echo "WARN: adding microcode hook failed" + fi + if command -v plymouth-set-default-theme &>/dev/null \ + && ! grep -qE '^HOOKS=.*\bplymouth\b' /etc/mkinitcpio.conf; then + sed -i 's/^\(HOOKS=.*\budev\b\)/\1 plymouth/' /etc/mkinitcpio.conf \ + || echo "WARN: adding plymouth hook failed" + fi +fi + +# --------------------------------------------------------------------------- +# Boot splash (Plymouth) — BOS logo + spinner instead of kernel text. Set the +# theme + cmdline BEFORE grub so grub.cfg picks up the new cmdline. # --------------------------------------------------------------------------- if command -v plymouth-set-default-theme &>/dev/null; then - # Ensure the plymouth hook is in HOOKS (plymouthcfg/initcpiocfg usually add it; - # this is the belt). Handle both the udev and systemd initramfs styles. - if ! grep -q 'plymouth' /etc/mkinitcpio.conf 2>/dev/null; then - if grep -qE '^HOOKS=.*\bsystemd\b' /etc/mkinitcpio.conf; then - sed -i 's/^\(HOOKS=.*\bsystemd\b\)/\1 sd-plymouth/' /etc/mkinitcpio.conf \ - || echo "WARN: adding sd-plymouth hook failed" - else - sed -i 's/^\(HOOKS=.*\budev\b\)/\1 plymouth/' /etc/mkinitcpio.conf \ - || echo "WARN: adding plymouth hook failed" - fi - fi # Clean boot: splash activates plymouth; hiding systemd status removes the # "[ OK ] Started ..." text (what looked like kernel output) even if the # splash itself doesn't grab the display (e.g. in some VMs). @@ -61,10 +71,13 @@ if command -v plymouth-set-default-theme &>/dev/null; then sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\)/\1splash quiet vt.global_cursor_default=0 systemd.show_status=false rd.systemd.show_status=false rd.udev.log_level=3 /' \ /etc/default/grub || echo "WARN: adding splash cmdline failed" fi - # Set the BOS theme and rebuild the initramfs (-R) with the plymouth hook. - plymouth-set-default-theme -R bos || echo "WARN: plymouth-set-default-theme failed" + plymouth-set-default-theme bos || echo "WARN: plymouth-set-default-theme failed" fi +# Rebuild every preset (default + fallback that bos-copy-kernel wrote) so the +# microcode + plymouth HOOKS above are actually baked into the initramfs. +mkinitcpio -P || echo "WARN: mkinitcpio -P failed" + # --------------------------------------------------------------------------- # Install GRUB (UEFI). /boot now has the kernel + initramfs, and the mount # module has bind-mounted /proc /sys /dev /run + efivars into this chroot, so diff --git a/iso/airootfs/etc/skel/.config/hypr/hyprland.lua b/iso/airootfs/etc/skel/.config/hypr/hyprland.lua index dbd75a5..d9a6eb8 100644 --- a/iso/airootfs/etc/skel/.config/hypr/hyprland.lua +++ b/iso/airootfs/etc/skel/.config/hypr/hyprland.lua @@ -90,6 +90,7 @@ end -- --------------------------------------------------------------------------- hl.window_rule({ name = "bos-keybinds", match = { class = "^(bos-keybinds)$" }, float = true, size = { 760, 720 } }) hl.window_rule({ name = "bos-welcome", match = { class = "^(bos-welcome)$" }, float = true, size = { 700, 560 } }) +hl.window_rule({ name = "bos-netsetup", match = { class = "^(bos-netsetup)$" }, float = true, size = { 700, 560 } }) -- --------------------------------------------------------------------------- -- Environment (vendor-neutral; no GPU-specific vars so it works on Intel/AMD). diff --git a/iso/airootfs/usr/local/bin/bos-welcome b/iso/airootfs/usr/local/bin/bos-welcome index 413256b..ef0c2ed 100644 --- a/iso/airootfs/usr/local/bin/bos-welcome +++ b/iso/airootfs/usr/local/bin/bos-welcome @@ -10,6 +10,25 @@ set -u marker="${XDG_CONFIG_HOME:-$HOME/.config}/bos/.welcomed" [[ -f "$marker" ]] && exit 0 mkdir -p "$(dirname "$marker")" + +# First-run network check. A fresh install usually boots with no connection +# (Wi-Fi isn't configured during install), and the first `bos-update`/pacman run +# then fails with confusing DNS/"could not resolve host" errors. If +# NetworkManager reports we're not fully online, open nmtui so the user can join +# a network before anything else. Best-effort: missing nmcli/nmtui/kitty, or the +# user quitting nmtui, must never block the welcome below. +if command -v nmcli &>/dev/null; then + conn="$(nmcli networking connectivity check 2>/dev/null)" + if [[ "$conn" != "full" ]]; then + notify-send -u normal "BOS" "No internet yet — opening network setup so updates work." 2>/dev/null || true + if command -v nmtui &>/dev/null; then + kitty --class bos-netsetup --title "Connect to a network" -- nmtui connect 2>/dev/null || true + fi + fi +fi + +# Mark welcomed only now, so an interrupted/aborted network step still re-prompts +# next login rather than being suppressed forever. touch "$marker" exec kitty --class bos-welcome --title "Welcome to BOS" -- less -R /usr/share/bos/welcome.txt diff --git a/iso/packages.x86_64 b/iso/packages.x86_64 index aa033d2..ab0d1e4 100644 --- a/iso/packages.x86_64 +++ b/iso/packages.x86_64 @@ -139,10 +139,13 @@ file-roller # GUI applications a general desktop is expected to have out of the box. # gnome-text-editor: graphical editor (terminal editors aside); gnome-calculator: -# calculator; loupe: Wayland-native image viewer (default for image files). +# calculator; loupe: Wayland-native image viewer (default for image files); +# zathura(+pdf-mupdf): lightweight Wayland PDF viewer (BOS had no PDF reader). gnome-text-editor gnome-calculator loupe +zathura +zathura-pdf-mupdf # Media player — BOS ships gstreamer codecs but otherwise has no player app. vlc # Web browser (served from the [Breadway] repo; AUR zen-browser-bin republished @@ -190,6 +193,12 @@ plymouth gst-plugins-good gst-plugins-bad gst-plugins-ugly +# Hardware video acceleration (VA-API) — lets the AMD/Intel GPU decode H.264/HEVC/ +# VP9 in mpv, VLC, and browsers instead of the CPU (cooler, longer battery on +# video). The open Mesa VA-API backend (radeonsi_drv_video.so etc.) now ships in +# the `mesa` package itself (pulled in already), so only libva (deps) + the +# `vainfo` verification tool need listing here. +libva-utils # GUI audio mixer — useful when output device needs manual switching. pavucontrol From 5e043f08346d71811c9e81664f3b0a91a20fada6 Mon Sep 17 00:00:00 2001 From: Breadway Date: Wed, 17 Jun 2026 22:57:58 +0800 Subject: [PATCH 3/3] Minor cleanups: gitignore out/, expect() messages, comment wording - .gitignore: ignore the /out/ ISO build dir - bos-settings: use expect() with messages over unwrap() for piped stdio; drop a stray blank line - pacman.conf: reword the SigLevel=Never TODO as a future-improvement note Co-Authored-By: Claude Opus 4.8 --- .gitignore | 1 + bos-settings/src/ui/views/breadbar.rs | 1 - bos-settings/src/ui/views/packages.rs | 7 ++++--- iso/airootfs/etc/pacman.conf | 3 ++- iso/pacman.conf | 3 ++- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 693a6d1..25b3b3b 100644 --- a/.gitignore +++ b/.gitignore @@ -27,6 +27,7 @@ secrets/ # archiso build artifacts (these are large and reproducible) /iso-build/ /iso-out/ +/out/ *.iso *.img diff --git a/bos-settings/src/ui/views/breadbar.rs b/bos-settings/src/ui/views/breadbar.rs index dd49a52..355890a 100644 --- a/bos-settings/src/ui/views/breadbar.rs +++ b/bos-settings/src/ui/views/breadbar.rs @@ -6,7 +6,6 @@ fn css_path() -> PathBuf { crate::config::config_dir().join("breadbar/style.css") } - pub fn build() -> GBox { let path = css_path(); let existing_css = std::fs::read_to_string(&path).unwrap_or_default(); diff --git a/bos-settings/src/ui/views/packages.rs b/bos-settings/src/ui/views/packages.rs index 1281c44..feee584 100644 --- a/bos-settings/src/ui/views/packages.rs +++ b/bos-settings/src/ui/views/packages.rs @@ -50,9 +50,10 @@ fn stream_command(args: &[&str], log_buf: gtk4::TextBuffer) { } }; - // Merge stderr into the channel too - let stdout = child.stdout.take().unwrap(); - let stderr = child.stderr.take().unwrap(); + // Merge stderr into the channel too. + // Both are Some because we spawned with Stdio::piped() above. + let stdout = child.stdout.take().expect("stdout piped"); + let stderr = child.stderr.take().expect("stderr piped"); let tx2 = sender.clone(); std::thread::spawn(move || { diff --git a/iso/airootfs/etc/pacman.conf b/iso/airootfs/etc/pacman.conf index 90e4517..20c5242 100644 --- a/iso/airootfs/etc/pacman.conf +++ b/iso/airootfs/etc/pacman.conf @@ -35,7 +35,8 @@ Include = /etc/pacman.d/mirrorlist # # Forgejo signs the repo db with a key pacman can't look up, so TrustAll # fails. SigLevel = Never skips verification (acceptable for this private -# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required. +# repo over TLS). Future improvement: import Forgejo's signing key and +# switch to SigLevel = Required for full package verification. # ----------------------------------------------------------------------- # The section name must match Forgejo's served db filename # ({owner}.{group}.{domain}.db) — pacman fetches "
.db" from Server. diff --git a/iso/pacman.conf b/iso/pacman.conf index 90e4517..20c5242 100644 --- a/iso/pacman.conf +++ b/iso/pacman.conf @@ -35,7 +35,8 @@ Include = /etc/pacman.d/mirrorlist # # Forgejo signs the repo db with a key pacman can't look up, so TrustAll # fails. SigLevel = Never skips verification (acceptable for this private -# repo over TLS). TODO: import Forgejo's signing key + SigLevel = Required. +# repo over TLS). Future improvement: import Forgejo's signing key and +# switch to SigLevel = Required for full package verification. # ----------------------------------------------------------------------- # The section name must match Forgejo's served db filename # ({owner}.{group}.{domain}.db) — pacman fetches "
.db" from Server.