Symlink for systemd-resolved

mkosi.images/base/mkosi.conf

@@ -8,39 +8,43 @@ CleanPackageMetadata=no
 Packages=
 	# Minimal package set to define a basic Arch Linux installation
 	# Based on "base" group, without pacman, mkinitcpio and archlinux-keyring
+	# very very base
+	filesystem
+	gcc-libs
+	glibc
 	bash
-	bzip2
+	# POSIX tools
 	coreutils
 	file
-	filesystem
 	findutils
 	gawk
-	gcc-libs
-	gettext
-	glibc
 	grep
-	gzip
-	iproute2
-	iputils
-	licenses
-	pciutils
 	procps-ng
-	psmisc
 	sed
-	shadow
 	tar
+	# standard linux toolset
+	gettext
+	pciutils
+	psmisc
+	shadow
 	util-linux
+	bzip2
+	gzip
 	xz
-	# system and service manager
+	# distro defined requirements
+	licenses
 	systemd
-	# sysvinit compat for systemd
 	systemd-sysvcompat
+	iputils
+	iproute2
+	
 	# systemd: show QR codes (systemd-bsod)
 	qrencode
 	# systemd: unlocking LUKS2 volumes with FIDO2 token
 	libfido2
 	# systemd: unlocking LUKS2 volumes with TPM2
 	tpm2-tss
+
 	# The Linux kernel and modules
 	linux
 	# linux: firmware images needed for some devices
@@ -51,19 +55,23 @@ Packages=
 	amd-ucode
 	# Microcode update image for Intel CPUs
 	intel-ucode
+
 	# Firmware updates
 	# gnome-control-center: device security panel
 	fwupd
+
 	# Userspace utilities for linux-erofs file system
 	erofs-utils
 	# Btrfs filesystem utilities
 	btrfs-progs
 	# Ext2/3/4 filesystem utilities
 	e2fsprogs
+	
 	# Userspace components of the audit framework
 	audit
 	# Mandatory Access Control (MAC) using Linux Security Module (LSM)
 	apparmor
+	
 	# Give certain users the ability to run some commands as root
 	sudo
 	# command line tool and library for transferring data with URLs

mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/50-rafeos-base.preset

@@ -2,4 +2,8 @@
 enable apparmor.service
 
 # Displays boot-time emergency log message in full screen.
-enable systemd-bsod.service
+enable systemd-bsod.service
+
+# Populates empty /etc/ca-certificates/extracted/, /etc/ssl/certs
+# and /etc/ssl/certs/java/cacerts on new user root
+enable update-ca-certificates.service

mkosi.images/base/mkosi.extra/usr/lib/systemd/system/update-ca-certificates.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Update CA certificates
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/update-ca-trust extract
+
+[Install]
+WantedBy=multi-user.target

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-apparmor.conf

@@ -0,0 +1,13 @@
+# based on PKGBUILD of package apparmor
+
+# setup /etc
+d   /etc/apparmor.d/    0755 root root
+d   /etc/apparmor/      0755 root root
+
+# copy from factory when missing
+C+  /etc/apparmor.d/
+C   /etc/apparmor/easyprof.conf
+C   /etc/apparmor/logprof.conf
+C   /etc/apparmor/notify.conf
+C   /etc/apparmor/parser.conf
+C   /etc/apparmor/severity.db

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-audit.conf

@@ -0,0 +1,17 @@
+# based on PKGBUILD of package audit
+
+# setup /etc
+d   /etc/audit/             0755 root root
+d   /etc/audit/plugins.d/   0755 root root
+d   /etc/audit/rules.d/     0755 root root
+
+# copy from factory when missing
+C   /etc/audit/audisp-remote.conf
+C   /etc/audit/audit-stop.rules
+C   /etc/audit/auditd.conf
+C   /etc/audit/plugins.d/af_unix.conf
+C   /etc/audit/plugins.d/au-remote.conf
+C   /etc/audit/plugins.d/audispd-zos-remote.conf
+C   /etc/audit/plugins.d/syslog.conf
+C   /etc/audit/zos-remote.conf
+C   /etc/libaudit.conf

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-bash.conf

@@ -0,0 +1,11 @@
+# based on PKGBUILD of package bash
+
+# setup /etc
+d   /etc/skel/  0755 root root
+
+# copy from factory when missing
+C   /etc/bash.bash_logout
+C   /etc/bash.bashrc
+C   /etc/skel/.bash_logout
+C   /etc/skel/.bash_profile
+C   /etc/skel/.bashrc

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-ca-certificates.conf

@@ -0,0 +1,26 @@
+# based on PKGBUILD of package ca-certificates
+
+# setup /etc
+d   /etc/ca-certificates/                           0755 root root
+d   /etc/ca-certificates/update.d/                  0755 root root
+d   /etc/ca-certificates/trust-source/              0755 root root
+d   /etc/ca-certificates/trust-source/anchors/      0755 root root
+d   /etc/ca-certificates/trust-source/blocklist/    0755 root root
+d   /etc/ssl/                                       0755 root root
+d   /etc/ssl/certs/                                 0755 root root
+
+# copy from factory when missing
+C   /etc/ca-certificates.conf
+C   /etc/ca-certificates/README
+C   /etc/ca-certificates/trust-source/README
+C   /etc/ca-certificates/extracted/README
+C   /etc/ssl/README
+C   /etc/ssl/certs/java/README
+
+# Compatibility link for OpenSSL using /etc/ssl as CAdir
+# Used in preference to the individual links in /etc/ssl/certs
+L /etc/ssl/cert.pem                     - - - /etc/ca-certificates/extracted/tls-ca-bundle.pem
+# Compatibility link for legacy bundle (Debian)
+L /etc/ssl/certs/ca-certificates.crt    - - - /etc/ca-certificates/extracted/tls-ca-bundle.pem
+# Compatibility link for legacy bundle (RHEL/Fedora)
+L /etc/ssl/certs/ca-bundle.crt          - - - /etc/ca-certificates/extracted/tls-ca-bundle.pem

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-e2fsprogs.conf

@@ -0,0 +1,5 @@
+# based on PKGBUILD of package e2fsprogs
+
+# copy from factory when missing
+C   /etc/e2scrub.conf
+C   /etc/mke2fs.conf

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-filesystem.conf

@@ -0,0 +1,38 @@
+# based on PKGBUILD of package filesystem
+
+# setup root filesystem
+d   /srv/http/        0755 root root
+# vsftpd won't run with write perms on /srv/ftp
+# ftp (uid 14/gid 11)
+d   /srv/ftp/         0555 root ftp
+
+# setup /etc
+d   /etc/ld.so.conf.d/    0755 root root
+d   /etc/skel/            0755 root root
+d   /etc/profile.d/       0755 root root
+
+# copy from factory when missing
+C   /etc/profile.d/locale.sh
+C   /etc/resolv.conf
+
+# link from factory
+L+  /etc/arch-release
+L   /etc/protocols
+L   /etc/services
+
+# setup /var
+d   /var/cache/       0755 root root
+d   /var/local/       0755 root root
+d   /var/opt/         0755 root root
+d   /var/log/         0755 root root
+d   /var/lib/         0755 root root
+d   /var/lib/misc/    0755 root root
+d   /var/empty/       0755 root root
+d   /var/tmp/         1777 root root
+d   /var/spool/mail/  1777 root root
+
+# allow setgid games (gid 50) to write scores
+d   /var/games/       0775 root games
+L   /var/mail/        -   -   -           spool/mail/
+L   /var/run/         -   -   -           /run/
+L   /var/lock/        -   -   -           /run/lock/

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-fwupd.conf

@@ -0,0 +1,25 @@
+# based on PKGBUILD of package fwupd
+
+# setup /etc
+d   /etc/fwupd/                 0755 root root
+d   /etc/fwupd/bios-settings.d/ 0755 root root
+d   /etc/fwupd/remotes.d/       0755 root root
+d   /etc/grub.d/                0755 root root
+d   /etc/pki/fwupd-metadata/    0755 root root
+d   /etc/pki/fwupd/             0755 root root
+
+# copy from factory when missing
+C   /etc/fwupd/bios-settings.d/README.md
+C   /etc/fwupd/fwupd.conf
+C   /etc/fwupd/remotes.d/fwupd-tests.conf
+C   /etc/fwupd/remotes.d/lvfs-testing.conf
+C   /etc/fwupd/remotes.d/lvfs.conf
+C   /etc/fwupd/remotes.d/vendor-directory.conf
+C   /etc/fwupd/remotes.d/vendor.conf
+C   /etc/grub.d/35_fwupd
+C   /etc/pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata
+C   /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
+C   /etc/pki/fwupd-metadata/LVFS-CA.pem
+C   /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware
+C   /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service
+C   /etc/pki/fwupd/LVFS-CA.pem

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-gawk.conf

@@ -0,0 +1,8 @@
+# based on PKGBUILD of package gawk
+
+# setup /etc
+d   /etc/profile.d/  0755 root root
+
+# copy from factory when missing
+C   /etc/profile.d/gawk.csh
+C   /etc/profile.d/gawk.sh

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-glibc.conf

@@ -0,0 +1,6 @@
+# based on PKGBUILD of package glibc
+
+# copy from factory when missing
+C   /etc/gai.conf
+C   /etc/locale.gen
+C   /etc/rpc

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-gnutls.conf

@@ -0,0 +1,9 @@
+# based on PKGBUILD of package gnutls
+
+# setup /etc
+d   /etc/gnutls/            0755 root root
+d   /etc/modules-load.d/    0755 root root
+
+# copy from factory when missing
+C   /etc/gnutls/config
+C   /etc/modules-load.d/gnutls.conf

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-iptables.conf

@@ -0,0 +1,11 @@
+# based on PKGBUILD of package iptables
+
+# setup /etc
+d   /etc/iptables/  0755 root root
+
+# copy from factory when missing
+C   /etc/ethertypes
+C   /etc/iptables/empty.rules
+C   /etc/iptables/ip6tables.rules
+C   /etc/iptables/iptables.rules
+C   /etc/iptables/simple_firewall.rules

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-kbd.conf

@@ -0,0 +1,7 @@
+# based on PKGBUILD of package kbd
+
+# setup /etc
+d   /etc/pam.d/ 0755 root root
+
+# copy from factory when missing
+C   /etc/pam.d/vlock

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-kmod.conf

@@ -0,0 +1,5 @@
+# based on PKGBUILD of package kmod
+
+# setup /etc
+d   /etc/depmod.d/      0755 root root
+d   /etc/modprobe.d/    0755 root root

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-neovim.conf

@@ -0,0 +1,7 @@
+# based on PKGBUILD of package neovim
+
+# setup /etc
+d   /etc/xdg/nvim/  0755 root root
+
+# copy from factory when missing
+C   /etc/xdg/nvim/sysinit.vim

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-openssl.conf

@@ -0,0 +1,16 @@
+# based on PKGBUILD of package openssl
+
+# setup /etc
+d   /etc/ssl/           0755 root root
+d   /etc/ssl/certs/     0755 root root
+d   /etc/ssl/misc/      0755 root root
+d   /etc/ssl/private/   0755 root root
+
+# copy from factory when missing
+C   /etc/ssl/ct_log_list.cnf
+C   /etc/ssl/ct_log_list.cnf.dist
+C   /etc/ssl/misc/CA.pl
+C   /etc/ssl/misc/tsget
+C   /etc/ssl/misc/tsget.pl
+C   /etc/ssl/openssl.cnf
+C   /etc/ssl/openssl.cnf.dist

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-pam.conf

@@ -0,0 +1,26 @@
+# based on PKGBUILD of package pam/pambase
+
+# setup /etc
+# pam
+d   /etc/security/ 0755 root root
+# pambase
+d   /etc/pam.d/ 0755 root root
+
+# copy from factory when missing
+# pam
+C   /etc/security/access.conf
+C   /etc/security/faillock.conf
+C   /etc/security/group.conf
+C   /etc/security/limits.conf
+C   /etc/security/namespace.conf
+C   /etc/security/namespace.init
+C   /etc/security/pam_env.conf
+C   /etc/security/pwhistory.conf
+C   /etc/security/time.conf
+# pambase
+C   /etc/pam.d/other
+C   /etc/pam.d/system-auth
+C   /etc/pam.d/system-local-login
+C   /etc/pam.d/system-login
+C   /etc/pam.d/system-remote-login
+C   /etc/pam.d/system-services

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-polkit.conf

@@ -0,0 +1,8 @@
+# based on PKGBUILD of package polkit
+
+# setup /etc
+d   /etc/pam.d/             0755 root root
+d   /etc/polkit-1/rules.d/  0755 root root
+
+# copy from factory when missing
+C   /etc/pam.d/polit-1

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-readline.conf

@@ -0,0 +1,4 @@
+# based on PKGBUILD of package readline
+
+# copy from factory when missing
+C   /etc/inputrc

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-shadow.conf

@@ -0,0 +1,13 @@
+# based on PKGBUILD of package shadow
+
+# setup /etc
+d   /etc/default/     0755 root root
+d   /etc/pam.d/       0755 root root
+
+# copy from factory when missing
+C   /etc/login.defs
+C   /etc/default/useradd
+C   /etc/pam.d/useradd
+C   /etc/pam.d/groupmems
+C   /etc/pam.d/newusers
+C   /etc/pam.d/passwd

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-sudo.conf

@@ -0,0 +1,10 @@
+# based on PKGBUILD of package sudo
+
+# setup /etc
+d   /etc/pam.d/     0755 root root
+d   /etc/sudoers.d/ 0755 root root
+
+# copy from factory when missing
+C   /etc/pam.d/sudo
+C   /etc/sudo.conf
+C   /etc/sudo_logsrvd.conf

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-systemd.conf

@@ -0,0 +1,49 @@
+# based on PKGBUILD of package systemd
+
+# setup /etc
+d   /etc/pam.d/                   0755 root root
+d   /etc/binfmt.d/                0755 root root
+d   /etc/credstore.encrypted/     0755 root root
+d   /etc/credstore/               0755 root root
+d   /etc/kernel/                  0755 root root
+d   /etc/kernel/install.d/        0755 root root
+d   /etc/modules-load.d/          0755 root root
+d   /etc/sysctl.d/                0755 root root
+d   /etc/systemd/                 0755 root root
+d   /etc/systemd/network/         0755 root root
+d   /etc/systemd/system/          0755 root root
+d   /etc/systemd/user/            0755 root root
+d   /etc/tmpfiles.d/              0755 root root
+d   /etc/udev/                    0755 root root
+d   /etc/udev/hwdb.d/             0755 root root
+d   /etc/udev/rules.d/            0755 root root
+d   /etc/xdg/                     0755 root root
+d   /etc/xdg/systemd/             0755 root root
+d   /etc/xdg/systemd/user/        0755 root root
+
+# copy from factory when missing
+C   /etc/X11/xinit/xinitrc.d/50-systemd-user.sh
+# overwrite the systemd-user PAM configuration with our own
+C   /etc/pam.d/systemd-user
+C   /etc/systemd/coredump.conf
+C   /etc/systemd/homed.conf
+C   /etc/systemd/journal-remote.conf
+C   /etc/systemd/journal-upload.conf
+C   /etc/systemd/journald.conf
+C   /etc/systemd/logind.conf
+C   /etc/systemd/network/networkd.conf
+C   /etc/systemd/oomd.conf
+C   /etc/systemd/pstore.conf
+C   /etc/systemd/resolved.conf
+C   /etc/systemd/sleep.conf
+C   /etc/systemd/system.conf
+C   /etc/systemd/timesyncd.conf
+C   /etc/systemd/user.conf
+C   /etc/udev/iocost.conf
+C   /etc/udev/udev.conf
+
+# setup /var
+# The group 'systemd-journal' is allocated dynamically and may have varying
+# gid on different systems. Let's install with gid 0 (root), systemd-tmpfiles
+# will fix the permissions for us. (see /usr/lib/tmpfiles.d/systemd.conf)
+d   /var/log/journal            2755 root root

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-tpm2-tss.conf

@@ -0,0 +1,10 @@
+# based on PKGBUILD of package tpm2-tss
+
+# setup /etc
+d   /etc/tpm2-tss/                  0755 root root
+d   /etc/tpm2-tss/fapi-profiles/    0755 root root
+
+# copy from factory when missing
+C   /etc/tpm2-tss/fapi-config.json
+C   /etc/tpm2-tss/fapi-profiles/P_ECCP256SHA256.json
+C   /etc/tpm2-tss/fapi-profiles/P_RSA2048SHA256.json

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-util-linux.conf

@@ -0,0 +1,11 @@
+# based on PKGBUILD of package util-linux
+
+# copy from factory when missing
+C   /etc/pam.d/chfn
+C   /etc/pam.d/chsh
+C   /etc/pam.d/login
+C   /etc/pam.d/remote
+C   /etc/pam.d/runuser
+C   /etc/pam.d/runuser-l
+C   /etc/pam.d/su
+C   /etc/pam.d/su-l

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/arch-wireless-regdb.conf

@@ -0,0 +1,7 @@
+# based on PKGBUILD of package wireless-regdb
+
+# setup /etc
+d   /etc/conf.d/  0755 root root
+
+# copy from factory when missing
+C   /etc/conf.d/wireless-regdom

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/systemd-resolved.conf

@@ -0,0 +1 @@
+L+  /etc/resolv.conf - - - /run/systemd/resolve/stub-resolv.conf

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/update-ca-trust.conf

@@ -0,0 +1,5 @@
+# Create missing directories for update-ca-certificates.service
+d   /etc/ca-certificates/extracted/       0755 root root - -
+d   /etc/ca-certificates/extracted/cadir/ 0755 root root - -
+d   /etc/ssl/certs/                       0755 root root - -
+d   /etc/ssl/certs/java/                  0755 root root - -

mkosi.images/base/mkosi.postinst.chroot

@@ -0,0 +1,238 @@
+#!/bin/bash
+ETC_FACTORY_DIR=/usr/share/factory/etc
+
+# copy additional files provided by package filesystem to factory
+cp -af /etc/arch-release $ETC_FACTORY_DIR/
+cp -af /etc/resolv.conf $ETC_FACTORY_DIR/
+cp -af /etc/protocols $ETC_FACTORY_DIR/
+cp -af /etc/services $ETC_FACTORY_DIR/
+
+install -d -m0755 $ETC_FACTORY_DIR/profile.d/
+cp -af /etc/profile.d/locale.sh $ETC_FACTORY_DIR/profile.d/
+
+# copy files provided by package shadow to factory
+cp -af /etc/login.defs $ETC_FACTORY_DIR/
+
+install -d -m0755 $ETC_FACTORY_DIR/default
+cp -af /etc/default/useradd $ETC_FACTORY_DIR/default/
+
+install -d -m0755 $ETC_FACTORY_DIR/pam.d
+cp -af /etc/pam.d/chpasswd $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/groupmems $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/newusers $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/passwd $ETC_FACTORY_DIR/pam.d/
+
+# copy files provided by package systemd to factory
+install -d -m0755 $ETC_FACTORY_DIR/X11/xinit/xinitrc.d/
+cp -af /etc/X11/xinit/xinitrc.d/50-systemd-user.sh $ETC_FACTORY_DIR/X11/xinit/xinitrc.d/
+
+install -d -m0755 $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/systemd-user $ETC_FACTORY_DIR/pam.d/
+
+install -d -m0755 $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/coredump.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/homed.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/journal-remote.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/journal-upload.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/journald.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/logind.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/oomd.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/pstore.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/resovled.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/sleep.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/system.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/timesyncd.conf $ETC_FACTORY_DIR/systemd/
+cp -af /etc/systemd/user.conf $ETC_FACTORY_DIR/systemd/
+
+install -d -m0755 $ETC_FACTORY_DIR/systemd/network/
+cp -af /etc/systemd/network/networkd.conf $ETC_FACTORY_DIR/systemd/network/
+
+install -d -m0755 $ETC_FACTORY_DIR/udev/
+cp -af /etc/udev/iocost.conf $ETC_FACTORY_DIR/udev/
+cp -af /etc/udev/udev.conf $ETC_FACTORY_DIR/udev/
+
+# copy files provided by package audit to factory
+cp -af /etc/libaudit.conf $ETC_FACTORY_DIR/
+
+install -d -m0755 $ETC_FACTORY_DIR/audit/
+cp -af /etc/audit/audisp-remote.conf $ETC_FACTORY_DIR/audit/
+cp -af /etc/audit/audit-stop.rules $ETC_FACTORY_DIR/audit/
+cp -af /etc/audit/auditd.conf $ETC_FACTORY_DIR/audit/
+cp -af /etc/audit/zos-remote.conf $ETC_FACTORY_DIR/audit/
+
+install -d -m0755 $ETC_FACTORY_DIR/audit/plugins.d/
+cp -af /etc/audit/plugins.d/af_unix.conf $ETC_FACTORY_DIR/audit/plugins.d/
+cp -af /etc/audit/plugins.d/au-remote.conf $ETC_FACTORY_DIR/audit/plugins.d/
+cp -af /etc/audit/plugins.d/audispd-zos-remote.conf $ETC_FACTORY_DIR/audit/plugins.d/
+cp -af /etc/audit/plugins.d/syslog.conf $ETC_FACTORY_DIR/audit/plugins.d/
+
+# copy files provided by package apparmor to factory
+install -d -m0755 $ETC_FACTORY_DIR/apparmor.d/
+cp -af --recursive /etc/apparmor.d/ $ETC_FACTORY_DIR/apparmor.d/
+
+install -d -m0755 $ETC_FACTORY_DIR/apparmor/
+cp -af /etc/apparmor/easyprof.conf $ETC_FACTORY_DIR/apparmor/
+cp -af /etc/apparmor/logprof.conf $ETC_FACTORY_DIR/apparmor/
+cp -af /etc/apparmor/notify.conf $ETC_FACTORY_DIR/apparmor/
+cp -af /etc/apparmor/parser.conf $ETC_FACTORY_DIR/apparmor/
+cp -af /etc/apparmor/severity.db $ETC_FACTORY_DIR/apparmor/
+
+# copy files provided by package tpm2-tss to factory
+install -d -m0755 $ETC_FACTORY_DIR/tpm2-tss/
+cp -af /etc/tpm2-tss/fapi-config.json $ETC_FACTORY_DIR/tpm2-tss/
+
+install -d -m0755 $ETC_FACTORY_DIR/tpm2-tss/fapi-profiles/
+cp -af /etc/tpm2-tss/fapi-profiles/P_ECCP256SHA256.json $ETC_FACTORY_DIR/tpm2-tss/fapi-profiles/
+cp -af /etc/tpm2-tss/fapi-profiles/P_RSA2048SHA256.json $ETC_FACTORY_DIR/tpm2-tss/fapi-profiles/
+
+# copy files provided by package bash to factory
+cp -af /etc/bash.bash_logout $ETC_FACTORY_DIR/
+cp -af /etc/bash.rc $ETC_FACTORY_DIR/
+
+install -d -m0755 $ETC_FACTORY_DIR/skel/
+cp -af /etc/.bash_logout $ETC_FACTORY_DIR/skel/
+cp -af /etc/.bash_profile $ETC_FACTORY_DIR/skel/
+cp -af /etc/.bashrc $ETC_FACTORY_DIR/skel/
+
+# copy files provided by package kbd to factory
+install -d -m0755 $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/vlock $ETC_FACTORY_DIR/pam.d/
+
+# copy files provided by package pam/pambase to factory
+# pam
+install -d -m0755 $ETC_FACTORY_DIR/security/
+cp -af /etc/security/access.conf $ETC_FACTORY_DIR/security/
+cp -af /etc/security/faillock.conf $ETC_FACTORY_DIR/security/
+cp -af /etc/security/group.conf $ETC_FACTORY_DIR/security/
+cp -af /etc/security/limits.conf $ETC_FACTORY_DIR/security/
+cp -af /etc/security/namespace.conf $ETC_FACTORY_DIR/security/
+cp -af /etc/security/namespace.init $ETC_FACTORY_DIR/security/
+cp -af /etc/security/pam_env.conf $ETC_FACTORY_DIR/security/
+cp -af /etc/security/pwhistory.conf $ETC_FACTORY_DIR/security/
+cp -af /etc/security/time.conf $ETC_FACTORY_DIR/security/
+# pambase
+install -d -m0755 $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/other $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/system-auth $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/system-local-login $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/system-login $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/system-remote-login $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/system-services $ETC_FACTORY_DIR/pam.d/
+
+# copy files provided by package readline to factory
+cp -af /etc/inputrc $ETC_FACTORY_DIR/
+
+# copy files provided by package util-linux to factory
+install -d -m0755 $ETC_FACTORY_DIR/pam.d
+cp -af /etc/pam.d/chfn $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/chsh $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/login $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/remote $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/runuser $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/runuser-l $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/su $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/su-l $ETC_FACTORY_DIR/pam.d/
+
+# copy files provided by package glibc to factory
+cp -af /etc/gai.conf $ETC_FACTORY_DIR/
+cp -af /etc/locale.gen $ETC_FACTORY_DIR/
+cp -af /etc/rpc $ETC_FACTORY_DIR/
+
+# copy files provided by package openssl to factory
+install -d -m0755 $ETC_FACTORY_DIR/ssl/
+cp -af /etc/ssl/ct_log_list.cnf $ETC_FACTORY_DIR/ssl/
+cp -af /etc/ssl/ct_log_list.cnf.dist $ETC_FACTORY_DIR/ssl/
+cp -af /etc/ssl/openssl.cnf $ETC_FACTORY_DIR/ssl/
+cp -af /etc/ssl/openssl.cnf.dist $ETC_FACTORY_DIR/ssl/
+
+install -d -m0755 $ETC_FACTORY_DIR/ssl/misc/
+cp -af /etc/ssl/misc/CA.pl $ETC_FACTORY_DIR/ssl/misc/
+cp -af /etc/ssl/misc/tsget $ETC_FACTORY_DIR/ssl/misc/
+cp -af /etc/ssl/misc/tsget.pl $ETC_FACTORY_DIR/ssl/misc/
+
+# copy files provided by package ca-certificates to factory
+install -d -m0755 $ETC_FACTORY_DIR/ca-certificates/
+cp -af /etc/ca-certificates/README $ETC_FACTORY_DIR/ca-certificates/
+
+install -d -m0755 $ETC_FACTORY_DIR/ca-certificates/trust-source/
+cp -af /etc/ca-certificates/trust-source/README $ETC_FACTORY_DIR/ca-certificates/trust-source/
+
+install -d -m0755 $ETC_FACTORY_DIR/ca-certificates/extracted/
+cp -af /etc/ca-certificates/extracted/README $ETC_FACTORY_DIR/ca-certificates/extracted/
+
+install -d -m0755 $ETC_FACTORY_DIR/ssl/
+cp -af /etc/ssl/README $ETC_FACTORY_DIR/ssl/
+
+install -d -m0755 $ETC_FACTORY_DIR/ssl/certs/java/
+cp -af /etc/ssl/certs/java/README $ETC_FACTORY_DIR/ssl/certs/java/
+
+# copy files provided by package gawk to factory
+install -d -m0755 $ETC_FACTORY_DIR/profile.d/
+cp -af /etc/profile.d/gawk.csh $ETC_FACTORY_DIR/profile.d/
+cp -af /etc/profile.d/gawk.sh $ETC_FACTORY_DIR/profile.d/
+
+# copy files provided by package iptables to factory
+cp -af /etc/ethertypes $ETC_FACTORY_DIR/
+
+install -d -m0755 $ETC_FACTORY_DIR/iptables/
+cp -af /etc/iptables/empty.rules $ETC_FACTORY_DIR/iptables/
+cp -af /etc/iptables/ip6tables.rules $ETC_FACTORY_DIR/iptables/
+cp -af /etc/iptables/iptables.rules $ETC_FACTORY_DIR/iptables/
+cp -af /etc/iptables/simple_firewall.rules $ETC_FACTORY_DIR/iptables/
+
+# copy files provided by package wireless-regdb to factory
+install -d -m0755 $ETC_FACTORY_DIR/conf.d/
+cp -af /etc/conf.d/wireless-regdom $ETC_FACTORY_DIR/conf.d/
+
+# copy files provided by package fwupd to factory
+install -d -m0755 $ETC_FACTORY_DIR/fwupd/
+cp -af /etc/fwupd/fwupd.conf $ETC_FACTORY_DIR/fwupd/
+
+install -d -m0755 $ETC_FACTORY_DIR/fwupd/bios-settings.d/
+cp -af /etc/fwupd/bios-settings.d/README $ETC_FACTORY_DIR/fwupd/bios-settings.d/
+
+install -d -m0755 $ETC_FACTORY_DIR/fwupd/remotes.d/
+cp -af /etc/fwupd/remotes.d/fwupd-tests.conf $ETC_FACTORY_DIR/fwupd/remotes.d/
+cp -af /etc/fwupd/remotes.d/lvfs-testing.conf $ETC_FACTORY_DIR/fwupd/remotes.d/
+cp -af /etc/fwupd/remotes.d/lvfs.conf $ETC_FACTORY_DIR/fwupd/remotes.d/
+cp -af /etc/fwupd/remotes.d/vendor-directory.conf $ETC_FACTORY_DIR/fwupd/remotes.d/
+cp -af /etc/fwupd/remotes.d/vendor.conf $ETC_FACTORY_DIR/fwupd/remotes.d/
+
+install -d -m0755 $ETC_FACTORY_DIR/grub.d/
+cp -af /etc/grub.d/35_fwupd $ETC_FACTORY_DIR/grub.d/
+
+install -d -m0755 $ETC_FACTORY_DIR/pki/fwupd-metadata/
+cp -af /etc/pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata $ETC_FACTORY_DIR/pki/fwupd-metadata/
+cp -af /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service $ETC_FACTORY_DIR/pki/fwupd-metadata/
+cp -af /etc/pki/fwupd-metadata/LVFS-CA.pem $ETC_FACTORY_DIR/pki/fwupd-metadata/
+
+install -d -m0755 $ETC_FACTORY_DIR/pki/fwupd/
+cp -af /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Metadata $ETC_FACTORY_DIR/pki/fwupd/
+cp -af /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service $ETC_FACTORY_DIR/pki/fwupd/
+cp -af /etc/pki/fwupd/LVFS-CA.pem $ETC_FACTORY_DIR/pki/fwupd/
+
+# copy files provided by package e2fsprogs to factory
+cp -af /etc/e2scrub.conf $ETC_FACTORY_DIR/
+cp -af /etc/mke2fs.conf $ETC_FACTORY_DIR/
+
+# copy files provided by package sudo to factory
+cp -af /etc/sudo.conf $ETC_FACTORY_DIR/
+cp -af /etc/sudo_logsrvd.conf $ETC_FACTORY_DIR/
+
+install -d -m0755 $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/sudo $ETC_FACTORY_DIR/pam.d/
+
+# copy files provided by package neovim to factory
+install -d -m0755 $ETC_FACTORY_DIR/xdg/nvim/
+cp -af /etc/xdg/nvim/sysinit.vim $ETC_FACTORY_DIR/xdg/nvim/
+
+# copy files provided by package gnutls to factory
+install -d -m0755 $ETC_FACTORY_DIR/gnutls/
+cp -af /etc/gnutls/config $ETC_FACTORY_DIR/gnutls/
+
+install -d -m0755 $ETC_FACTORY_DIR/modules-load.d/
+cp -af /etc/modules-load.d/gnutls.conf $ETC_FACTORY_DIR/modules-load.d/
+
+# copy files provided by package polkit to factory
+install -d -m0755 $ETC_FACTORY_DIR/pam.d/
+cp -af /etc/pam.d/polkit-1 $ETC_FACTORY_DIR/pam.d/

mkosi.images/server/mkosi.conf

@@ -13,7 +13,6 @@ CompressOutput=xz
 [Content]
 Bootable=yes
 SourceDateEpoch=0
-Autologin=yes
 BaseTrees=../../mkosi.output/base/
 Initrds=../../mkosi.output/initrd
 CleanPackageMetadata=yes