Diverging laptop/desktop images due to nvidia tweaks

.github/workflows/build.yml

@@ -9,8 +9,9 @@ on:
 env:
   REGISTRY: ghcr.io
   SERVER_IMAGE_NAME: "supermicro-x10drh"
-  LAPTOP_IMAGE_NAME: "lenovo-16arh7h"
-  DESKTOP_IMAGE_NAME: "asrock-x570"
+  WORKSTATION_BASE_IMAGE_NAME: "workstation-nvidia-base"
+  LENOVO_IMAGE_NAME: "lenovo-16arh7h"
+  ASROCK_IMAGE_NAME: "asrock-x570"
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
   REGISTRY_USER: ${{ github.actor }}
   REGISTRY_PASSWORD: ${{ github.token }}
@@ -41,7 +42,7 @@ jobs:
           password: ${{ env.REGISTRY_PASSWORD }}
           extra-args: |
             --disable-content-trust
-  asrock-x570:
+  workstation-nvidia-base:
     runs-on: ubuntu-latest
     steps:
       - name: Free Disk Space (Ubuntu)
@@ -66,15 +67,56 @@ jobs:
       - name: Build container image
         uses: redhat-actions/buildah-build@v2.12
         with:
-          containerfiles: Containerfile-${{ env.DESKTOP_IMAGE_NAME }}
-          image: ${{ env.DESKTOP_IMAGE_NAME }}
+          containerfiles: Containerfile-${{ env.WORKSTATION_BASE_IMAGE_NAME }}
+          image: ${{ env.WORKSTATION_BASE_IMAGE_NAME }}
           layers: false
           oci: true
 
       - name: Push to ghcr.io
         uses: redhat-actions/push-to-registry@v2.7
         with:
-          image: ${{ env.DESKTOP_IMAGE_NAME }}
+          image: ${{ env.WORKSTATION_BASE_IMAGE_NAME }}
+          tags: "latest"
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          extra-args: |
+            --disable-content-trust
+  asrock-x570:
+    needs: workstation-nvidia-base
+    runs-on: ubuntu-latest
+    steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
+        with:
+          # this might remove tools that are actually needed,
+          # if set to "true" but frees about 6 GB
+          tool-cache: false
+
+          # all of these default to true, but feel free to set to
+          # "false" if necessary for your workflow
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: false
+          swap-storage: true
+
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Build container image
+        uses: redhat-actions/buildah-build@v2.12
+        with:
+          containerfiles: Containerfile-${{ env.ASROCK_IMAGE_NAME }}
+          image: ${{ env.ASROCK_IMAGE_NAME }}
+          layers: false
+          oci: true
+
+      - name: Push to ghcr.io
+        uses: redhat-actions/push-to-registry@v2.7
+        with:
+          image: ${{ env.ASROCK_IMAGE_NAME }}
           tags: "latest"
           registry: ${{ env.IMAGE_REGISTRY }}
           username: ${{ env.REGISTRY_USER }}
@@ -82,7 +124,7 @@ jobs:
           extra-args: |
             --disable-content-trust
   lenovo-16arh7h:
-    needs: asrock-x570
+    needs: workstation-nvidia-base
     runs-on: ubuntu-latest
     steps:
       - name: Free Disk Space (Ubuntu)
@@ -107,15 +149,15 @@ jobs:
       - name: Build container image
         uses: redhat-actions/buildah-build@v2.12
         with:
-          containerfiles: Containerfile-${{ env.LAPTOP_IMAGE_NAME }}
-          image: ${{ env.LAPTOP_IMAGE_NAME }}
+          containerfiles: Containerfile-${{ env.LENOVO_IMAGE_NAME }}
+          image: ${{ env.LENOVO_IMAGE_NAME }}
           layers: false
           oci: true
 
       - name: Push to ghcr.io
         uses: redhat-actions/push-to-registry@v2.7
         with:
-          image: ${{ env.LAPTOP_IMAGE_NAME }}
+          image: ${{ env.LENOVO_IMAGE_NAME }}
           tags: "latest"
           registry: ${{ env.IMAGE_REGISTRY }}
           username: ${{ env.REGISTRY_USER }}

Containerfile-asrock-x570

@@ -1,62 +1,10 @@
-FROM quay.io/fedora/fedora-budgie-atomic:43
-
-COPY gpg-keys/* /keys/
-
-RUN wget -O /etc/udev/rules.d/42-logitech-unify-permissions.rules https://raw.githubusercontent.com/pwr-Solaar/Solaar/refs/heads/master/rules.d-uinput/42-logitech-unify-permissions.rules
-
-RUN rpm --import \
-      /keys/public_key_proton.asc \
-      /keys/RPM-GPG-KEY-rpmfusion-free-fedora-2020 \
-      /keys/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020 \
-      /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
-    rm -rf /keys && \
-    dnf5 install -y https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
-      https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \
-      https://repo.protonvpn.com/fedora-$(cat /etc/fedora-release | cut -d' ' -f 3)-stable/protonvpn-stable-release/protonvpn-stable-release-1.0.3-1.noarch.rpm && \
-    dnf5 install -y \
-      adobe-source-code-pro-fonts \
-      akmods \
-      android-tools \
-      ansible \
-      blueman \
-      blueman-nemo \
-      cinnamon \
-      distrobox \
-      fuse-sshfs \
-      geany \
-      git \
-      gnome-terminal \
-      htop \
-      iftop \
-      iotop \
-      libva-nvidia-driver \
-      libva-utils \
-      numlockx \
-      nvtop \
-      steam \
-      syncthing \
-      vdpauinfo \
-      vim \
-      virt-manager \
-      vulkan-tools && \
-    dnf5 swap -y ffmpeg-free ffmpeg --allowerasing && \
-    dnf5 swap -y mesa-va-drivers mesa-va-drivers-freeworld && \
-    dnf5 swap -y mesa-vdpau-drivers mesa-vdpau-drivers-freeworld && \
-    dnf5 clean all
-
-# TODO: Remove this `|| true` hack once post scriptlets no longer make dnf exit with non-zero
-RUN dnf5 install -y \
-      akmod-nvidia \
-      xorg-x11-drv-nvidia-cuda \
-      proton-vpn-gnome-desktop || true
-# TODO: Remove these unnecessary checks to make sure the packages above actually got installed. rpm exits non-zero if the package is not installed and aborts the Containerfile build
-RUN rpm -q akmod-nvidia && \
-    rpm -q xorg-x11-drv-nvidia-cuda && \
-    rpm -q proton-vpn-gnome-desktop
+FROM ghcr.io/benradey/workstation-nvidia-base:latest
 
+# Build nvidia akmod with flag that produces proprietary kernal driver for older hardware
+RUN sudo sh -c 'echo "%_without_kmod_nvidia_detect 1" > /etc/rpm/macros.nvidia-kmod'
 RUN /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
 
-# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones manually imported above).
+# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones from the base image).
 # Any more than that means that dnf automatically added a new one, which is shady!
 # Then: cleanup image for linting
 # Finally: verify image is good

Containerfile-desktop-nvidia-base

@@ -0,0 +1,67 @@
+FROM quay.io/fedora/fedora-budgie-atomic:43
+
+COPY gpg-keys/* /keys/
+
+RUN wget -O /etc/udev/rules.d/42-logitech-unify-permissions.rules https://raw.githubusercontent.com/pwr-Solaar/Solaar/refs/heads/master/rules.d-uinput/42-logitech-unify-permissions.rules
+
+RUN rpm --import \
+      /keys/public_key_proton.asc \
+      /keys/RPM-GPG-KEY-rpmfusion-free-fedora-2020 \
+      /keys/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020 \
+      /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
+    rm -rf /keys && \
+    dnf5 install -y https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
+      https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \
+      https://repo.protonvpn.com/fedora-$(cat /etc/fedora-release | cut -d' ' -f 3)-stable/protonvpn-stable-release/protonvpn-stable-release-1.0.3-1.noarch.rpm && \
+    dnf5 install -y \
+      adobe-source-code-pro-fonts \
+      akmods \
+      android-tools \
+      ansible \
+      blueman \
+      blueman-nemo \
+      cinnamon \
+      distrobox \
+      fuse-sshfs \
+      geany \
+      git \
+      gnome-terminal \
+      htop \
+      iftop \
+      iotop \
+      libva-nvidia-driver \
+      libva-utils \
+      numlockx \
+      nvidia-vaapi-driver \
+      nvtop \
+      steam \
+      syncthing \
+      vdpauinfo \
+      vim \
+      virt-manager \
+      vulkan-tools && \
+    dnf5 swap -y ffmpeg-free ffmpeg --allowerasing && \
+    dnf5 swap -y mesa-va-drivers mesa-va-drivers-freeworld && \
+    dnf5 swap -y mesa-vdpau-drivers mesa-vdpau-drivers-freeworld && \
+    dnf5 clean all
+
+# TODO: Remove this `|| true` hack once post scriptlets no longer make dnf exit with non-zero
+RUN dnf5 install -y \
+      akmod-nvidia \
+      xorg-x11-drv-nvidia-cuda \
+      proton-vpn-gnome-desktop || true
+# TODO: Remove these unnecessary checks to make sure the packages above actually got installed. rpm exits non-zero if the package is not installed and aborts the Containerfile build
+RUN rpm -q akmod-nvidia && \
+    rpm -q xorg-x11-drv-nvidia-cuda && \
+    rpm -q proton-vpn-gnome-desktop
+
+RUN sudo sh -c 'echo "%_with_kmod_nvidia_open 0" > /etc/rpm/macros.nvidia-kmod'
+RUN /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+
+# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones manually imported above).
+# Any more than that means that dnf automatically added a new one, which is shady!
+# Then: cleanup image for linting
+# Finally: verify image is good
+RUN [[ 4 -eq $(rpm -qa gpg-pubkey* | wc -l) ]] && \
+    rm -rf /var /boot && mkdir /var /boot && \
+    bootc container lint --fatal-warnings --skip baseimage-composefs

Containerfile-lenovo-16arh7h

@@ -1,4 +1,7 @@
-FROM ghcr.io/benradey/asrock-x570:latest
+FROM ghcr.io/benradey/workstation-nvidia-base:latest
+
+# Build nvidia akmod with no special arguments - defaults to open kernel driver for newer hardware
+RUN /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
 
 RUN dnf5 install -y \
       dkms \