feat: add containerfile

Containerfile

@@ -0,0 +1,15 @@
+ARG BASE_IMAGE_NAME="${BASE_IMAGE_NAME:-silverblue}"
+ARG IMAGE_FLAVOR="${IMAGE_FLAVOR}:-main"
+ARG SOURCE_IMAGE="${SOURCE_IMAGE:-${BASE_IMAGE_NAME}-${IMAGE_FLAVOR}}"
+ARG BASE_IMAGE="ghrc.io/ublue-os/${SOURCE_IMAGE}"
+ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-38}"
+
+FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} AS framework
+
+COPY usr /usr
+
+RUN rpm-ostree install tlp tlp-rdw && \
+    rpm-ostree override remove power-profiles-daemon && \
+    systemctl enable tlp && \
+    systemctl enable fprintd && \
+    ostree container commit

README.md

@@ -0,0 +1 @@
+# framework

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAED5TkvxcQ0iu31K8oqK3g7S1oyaxY
+N2R6p5lyMXTSgGVe/ENAyzppfNHg2b+fvNRwqKmXGnO1TTLK1yTKp6HV4g==
+-----END PUBLIC KEY-----

usr/etc/systemd/system/fprintd.service

@@ -0,0 +1,48 @@
+[Unit]
+Description=Fingerprint Authentication Daemon
+Documentation=man:fprintd(1)
+
+[Service]
+Type=dbus
+BusName=net.reactivated.Fprint
+ExecStart=/usr/libexec/fprintd
+
+# Filesystem lockdown
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+# This always corresponds to /var/lib/fprint
+StateDirectory=fprint
+StateDirectoryMode=0700
+ProtectHome=true
+PrivateTmp=true
+
+SystemCallFilter=@system-service
+
+# Network
+RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_NETLINK
+
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
+# Modules
+ProtectKernelModules=true
+
+# Real-time
+RestrictRealtime=true
+
+# Privilege escalation
+NoNewPrivileges=true
+
+# Protect clock, allow USB and SPI device access
+ProtectClock=yes
+DeviceAllow=char-usb_device rw
+DeviceAllow=char-spi rw
+DeviceAllow=char-hidraw rw
+
+# Allow tuning USB parameters (wakeup and persist)
+ReadWritePaths=/sys/devices
+
+[Install] 
+WantedBy=multi-user.target

usr/etc/tlp.d/50-framework.conf

@@ -0,0 +1,133 @@
+# ------------------------------------------------------------------------------
+# /etc/tlp.conf - TLP user configuration (version 1.4)
+# See full explanation: https://linrunner.de/tlp/settings
+#
+# Settings are read in the following order:
+#
+# 1. Intrinsic defaults
+# 2. /etc/tlp.d/*.conf - Drop-in customization snippets
+# 3. /etc/tlp.conf     - User configuration (this file)
+#
+# Notes:
+# - In case of identical parameters, the last occurence has precedence
+# - This also means, parameters enabled here will override anything else
+# - However you may append values to a parameter already defined as intrinsic
+#   default or in a previously read file: use PARAMETER+="add values"
+# - IMPORTANT: all parameters here are disabled; remove the leading '#' if you
+#   like to enable a feature without default or have a value different from the
+#   default
+# - Default *: intrinsic default that is effective when the parameter is missing
+#     or disabled by a leading '#'; use PARAM="" to disable an intrinsic default
+# - Default <none>: do nothing or use kernel/hardware defaults
+# -
+# ------------------------------------------------------------------------------
+# tlp - Parameters for power saving
+#
+# Settings based on Framework's guidance: https://knowledgebase.frame.work/en_us/optimizing-fedora-battery-life-r1baXZh
+
+# Select a CPU frequency scaling governor.
+# Intel processor with intel_pstate driver:
+#   performance, powersave(*).
+# Intel processor with intel_cpufreq driver (aka intel_pstate passive mode):
+#   conservative, ondemand, userspace, powersave, performance, schedutil(*).
+# Intel and other processor brands with acpi-cpufreq driver:
+#   conservative, ondemand(*), userspace, powersave, performance, schedutil(*).
+# Use tlp-stat -p to show the active driver and available governors.
+# Important:
+#   Governors marked (*) above are power efficient for *almost all* workloads
+#   and therefore kernel and most distributions have chosen them as defaults.
+#   You should have done your research about advantages/disadvantages *before*
+#   changing the governor.
+# Default: <none>
+
+CPU_SCALING_GOVERNOR_ON_AC=performance
+CPU_SCALING_GOVERNOR_ON_BAT=powersave
+
+# Set Intel CPU energy/performance policies HWP.EPP and EPB:
+#   performance, balance_performance, default, balance_power, power.
+# Values are given in order of increasing power saving.
+# Notes:
+# - HWP.EPP: requires kernel 4.10, intel_pstate scaling driver and Intel Core i
+#   6th gen. or newer CPU
+# - EPB: requires kernel 5.2 or module msr and x86_energy_perf_policy from
+#   linux-tools, intel_pstate or intel_cpufreq scaling driver and Intel Core i
+#   2nd gen. or newer CPU
+# - When HWP.EPP is available, EPB is not set
+# Default: balance_performance (AC), balance_power (BAT)
+
+CPU_ENERGY_PERF_POLICY_ON_AC=performance
+CPU_ENERGY_PERF_POLICY_ON_BAT=power
+
+# Set Intel CPU P-state performance: 0..100 (%).
+# Limit the max/min P-state to control the power dissipation of the CPU.
+# Values are stated as a percentage of the available performance.
+# Requires intel_pstate or intel_cpufreq driver and Intel Core i 2nd gen. or
+# newer CPU.
+# Default: <none>
+
+CPU_MIN_PERF_ON_AC=0
+CPU_MAX_PERF_ON_AC=100
+CPU_MIN_PERF_ON_BAT=0
+CPU_MAX_PERF_ON_BAT=30
+
+# Set the CPU "turbo boost" (Intel) or "turbo core" (AMD) feature:
+#   0=disable, 1=allow.
+# Note: a value of 1 does *not* activate boosting, it just allows it.
+# Default: <none>
+
+CPU_BOOST_ON_AC=1
+CPU_BOOST_ON_BAT=0
+
+# Set the Intel CPU HWP dynamic boost feature:
+#   0=disable, 1=enable.
+# Requires intel_pstate scaling driver in 'active' mode and Intel Core i
+# 6th gen. or newer CPU.
+# Default: <none>
+
+CPU_HWP_DYN_BOOST_ON_AC=1
+CPU_HWP_DYN_BOOST_ON_BAT=0
+
+# Select platform profile:
+#   performance, balanced, low-power.
+# Controls system operating characteristics around power/performance levels,
+# thermal and fan speed. Values are given in order of increasing power saving.
+# Note: check the output of tlp-stat -p to determine availability on your
+# hardware and additional profiles such as: balanced-performance, quiet, cool.
+# Default: <none>
+
+PLATFORM_PROFILE_ON_AC=performance
+PLATFORM_PROFILE_ON_BAT=low-power
+
+# Set the min/max/turbo frequency for the Intel GPU.
+# Possible values depend on your hardware. For available frequencies see
+# the output of tlp-stat -g.
+# Default: <none>
+
+INTEL_GPU_MIN_FREQ_ON_AC=100
+INTEL_GPU_MIN_FREQ_ON_BAT=100
+INTEL_GPU_MAX_FREQ_ON_AC=1300
+INTEL_GPU_MAX_FREQ_ON_BAT=800
+INTEL_GPU_BOOST_FREQ_ON_AC=1300
+INTEL_GPU_BOOST_FREQ_ON_BAT=1100
+
+# Wi-Fi power saving mode: on=enable, off=disable.
+# Default: off (AC), on (BAT)
+
+#WIFI_PWR_ON_AC=off
+WIFI_PWR_ON_BAT=off
+
+# PCIe Active State Power Management (ASPM):
+#   default(*), performance, powersave, powersupersave.
+# (*) keeps BIOS ASPM defaults (recommended)
+# Default: <none>
+
+#PCIE_ASPM_ON_AC=default
+PCIE_ASPM_ON_BAT=powersupersave
+
+# Exclude PCIe devices assigned to the listed drivers from Runtime PM.
+# Note: this preserves the kernel driver default, to force a certain state
+# use RUNTIME_PM_ENABLE/DISABLE instead.
+# Separate multiple drivers with spaces.
+# Default: "mei_me nouveau radeon", use "" to disable completely.
+
+RUNTIME_PM_DRIVER_DENYLIST=""