veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions 1
veilor-os/docs/STRATEGY.md

337 lines
15 KiB
Markdown
Raw Permalink Normal View History

docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
# veilor-os Strategy — Hybrid kickstart bootstrap + bootc OCI
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
Decision date: **2026-05-05** (refined same day from parent-operator
handoff, locks the `ostreecontainer` install path, mesh stack
bake-in, browser stack, Iroh seeding roadmap, and threat floor table).
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
Locked at: **v0.5.31 → v0.7 spike → v1.0**
## TL;DR
- Keep the Anaconda-driven kickstart ISO as the **bootstrap installer**
(LUKS UX is mature, single passphrase prompt, custom partitioning
works).
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- Anaconda's `ostreecontainer` directive populates the root filesystem
directly from a **veilor-os OCI image** (built via BlueBuild on top
of secureblue's `securecore-kinoite-hardened-userns`) **during the
install pass — no first-boot rebase, no mutable→atomic transition**.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
- All future updates flow through `bootc upgrade` — atomic A/B,
instant rollback, cosign-signed.
- The kickstart-driven mutable-root path is deprecated at v1.0; kept
alive as fallback through v0.7.
## Why hybrid, not pure pivot
Pure pivot to bootc-from-scratch (Agent 3's spike plan) was **1 week
to first ISO**. Pure pivot to layering on secureblue is **2 days to
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
first ISO** because the hardening work is already done. The
`ostreecontainer` refinement compresses that to **1 day** by
eliminating the first-boot rebase choreography (no
`veilor-firstboot-rebase.service`, no second reboot, no transition
window where the system is half-mutable, half-atomic).
Both pure-pivot paths require throwing away the partitioning UX we
already have working in Anaconda. Hybrid keeps it.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
Hybrid:
- **Day-zero install:** Anaconda kickstart + custom partitioning +
LUKS prompt (what we have today). User experience = unchanged.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- **End of install pass:** `ostreecontainer
--url=ghcr.io/veilor/veilor-os:43 --transport=registry` populates
`/` from the OCI image. Transition is invisible.
- **First boot:** veilor OCI tree, no rebase, no special service.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
- **Day-2:** `bootc upgrade` cadence for everything from then on.
We keep what works, pivot the part that doesn't.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
## ostreecontainer directive (refinement, locked)
Replace the `%packages` block in the install kickstart with:
```
ostreecontainer --url=ghcr.io/veilor/veilor-os:43 --transport=registry
```
Keep the existing `part`/LUKS encryption block verbatim — Anaconda
partitions before `ostreecontainer` populates root.
**Stay on `ostreecontainer` through v0.8.** Do NOT migrate to the new
`bootc` kickstart command until v1.0 — `bootc` blocks multi-disk and
authenticated registries, both of which we'll likely need.
**Do NOT use** `bootc-image-builder anaconda-iso` output —
deprecated in image-builder v44+. Produce the OCI image and the
bootstrap ISO as **separate artifacts**:
- OCI image: BlueBuild recipe → cosign-signed image at
`ghcr.io/veilor/veilor-os:43`
- Bootstrap ISO: Anaconda kickstart with `ostreecontainer` directive
pointing at the OCI image
Reference: <https://docs.fedoraproject.org/en-US/bootc/>; pykickstart
docs for `ostreecontainer`.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
## Why secureblue underneath
| Question | Answer |
|---|---|
| Maintainers | secureblue: 30 contributors, 56 commits/5wks. veilor-os: solo. |
| Hardening surface | secureblue ships sysctl + kargs + SELinux + USBGuard + hardened-malloc + DoT — far more than we'd build alone. |
| Build pipeline | BlueBuild → cosign-signed OCI in GH Actions (`build-all.yml`, `trivy.yml`). |
| Update model | bootc upgrade with A/B + instant rollback + signed image chain. |
| Variants | `kinoite-hardened-userns` is the KDE+Wayland+SELinux variant we'd want. |
| License | Apache-2.0 (compatible with our MIT). |
What we override in our recipe:
- **`run0` instead of sudo**: revert. Breaks too many workflows.
- **Xwayland disabled**: revert. Some apps still need it.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- **Veilor branding**: theme, KDE color scheme, Plymouth, SDDM, font,
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
os-release. All `overlay/*` ports verbatim from current repo.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
(Browser stack is its own section below — Trivalent is now a *kept*
default, not an override.)
## Browser stack
| Role | Pick | Source |
|---|---|---|
| **Default browser** | **Trivalent** (secureblue's hardened Chromium) | Fedora COPR `secureblue/trivalent` — tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM |
| **Anti-fingerprint companion** | **Mullvad Browser** | Clearnet, no Tor, layered alongside Trivalent for pseudonymous browsing |
| **Optional opt-in** | **Thorium** | `ujust install-thorium` only — WARN users of months-long CVE lag (LTS Chromium base, ~9 milestones behind upstream stable as of 2026-05) |
**DO NOT default to Thorium under any circumstances** — contradicts
the threat model. Trivalent's COPR keeps us inside one-hour-of-upstream
patch latency; Thorium is multi-month-stale and is a perf/media
profile choice, not a security choice.
The earlier draft of this doc treated Trivalent as an override-and-
remove. That was wrong: Trivalent is exactly the level of hardening
we want for a default browser. Keep it. Add Mullvad alongside.
Move Thorium behind an explicit opt-in.
## Mesh stack — three-layer warm-stack
Day 1 ships layers 1 (Tailscale) and 2 (Yggdrasil idle). Layer 3
(Reticulum) is opt-in via `ujust`.
### Layer 1 — Tailscale + Headscale (daily driver)
- Already running on `nullstone`, `hs.s8n.ru`. OIDC via Authentik.
- Veilor OS ships `tailscale-1.94.2+` from official Fedora repo.
- Service unit **pre-disabled** at install time.
- First-boot prompt: "join Veilor mesh? [paste / QR]". On accept:
`tailscale up --login-server=https://hs.s8n.ru` with the user's
pre-auth key.
### Layer 2 — Yggdrasil-go (warm fallback, idle by default)
- `yggdrasil-go` 0.5.13+ from COPR / dnf.
- Decentralized IPv6 in `200::/7`.
- systemd unit **enabled** but config = empty `Listen[]`, one
`Public peer` (e.g. `vpn.itrus.su` or another EU peer),
`AllowedPublicKeys` allowlist mode (no allow-all).
- WSS:443 transport for ISP DPI evasion.
- Generates ECC keypair on first boot via systemd-tmpfiles or
firstboot script.
- Survives ISP-level Tailscale block (threat floor (ii)).
### Layer 3 — Reticulum (opt-in)
- **RetiNet AGPL fork** (NOT upstream RNS — upstream has an anti-AI
license clause incompatible with our governance). Sourced from the
Codeberg AGPL fork.
- Sideband (Android/desktop messenger built on RNS).
- Install via `ujust install-reticulum`. NOT auto-started until
RetiNet stabilizes.
- Default config when enabled: `AutoInterface` (LAN multicast) +
12 TCP backbone peers.
- RNode hardware (LoRa transceiver) bundle as separate
`ujust install-reticulum-rnode`.
- Survives total internet outage (threat floor (iii)) when paired
with RNode.
## Onboarding model
Token-based (paste OR QR, user picks). Misskey signup page mints a
**reusable pre-auth key** (TTL=24h, single-use, regenerated per
signup). First boot of Veilor ISO accepts hex paste OR QR scan of
the same key.
**NOT auto-OIDC at first boot** — too much Authentik exposure for
day-zero users.
## Tier model — three-tier
- `tag:admin` — onyx + failsafe. Full mesh, `*:*`.
- `tag:infra` — nullstone, office. Mesh among themselves; admin
inbound only.
- `tag:guest` — Veilor OS users + friend. ONLY `x.veilor:443`
reachable + future seeded service hostnames whitelisted.
- **Failsafe** — pre-baked admin pre-auth key on yubikey + printed
paper + Authentik OIDC group `tailnet-admin` as second auth path.
## Threat floor table
| Floor | Attack | Day 1 (v0.7 ship) | Phase 2 (v0.8) |
|-------|--------|---|---|
| (i) | ISP blocks `s8n.ru` DNS | Tailscale dies, Yggdrasil survives | YES (documented failover) |
| (ii) | ISP blocks Tailscale protocol | Yggdrasil-WSS:443 survives | YES |
| (iii) | Internet unreachable | RNS over LoRa survives | OPT-IN (RetiNet + RNode) |
Day 1 must hold floor (i). Floors (ii) and (iii) become P2 once
Yggdrasil is promoted from idle to documented failover.
## Iroh seeding daemon (Phase 2 / v0.8)
- `veilor-seed.service` systemd unit, runs as `_veilor-seed` user.
- Watches `/var/lib/<service>/files/` blob store directories.
- BLAKE3-hashes new blobs, registers with local iroh node.
- Publishes tickets on per-service `iroh-gossip` topic.
- LRU local cache, default 10 GB.
- Sidecar mirrors service blob stores: Misskey `/files/`, Matrix
media, `dl.veilor` downloads.
- Other Veilor nodes pull lazily on cache miss.
- **DEFER DB replication forever.** Static media only.
DOCUMENT but DO NOT IMPLEMENT until **Iroh hits 1.0** (currently
0.960.98 RC season; 1.0 target Q1 2026 slipped, watching).
Reference: <https://github.com/n0-computer/iroh-blobs/blob/main/DESIGN.md>.
## External dependency — Phase 0 (NOT veilor-os scope)
Real ACL gap on nullstone Traefik right now: friend on `tag:guest`
can reach `nullstone:443` → SNI-routes to ALL Traefik vhosts
(`sys.s8n.ru`, `pihole.s8n.ru`, `hs.s8n.ru`, `auth.s8n.ru`, n8n, rc,
mx, …). Only per-vhost auth blocks them. The `no-guest@file` Traefik
middleware that should fix this is currently an `0.0.0.0/0`
allow-all stub (neutralized 2026-05-03 from XFF chain breakage).
**veilor-os does NOT fix this.** Tracked here as an external
dependency: ACL fix on nullstone Traefik **required before veilor-os
first-public-ISO ships**, otherwise `tag:guest` provisioning leaks
the full vhost surface to every veilor user. Parent operator owns it.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
## Strategic credibility win
secureblue does NOT publish a threat model. Athena OS does, and it's
their main differentiator. We've already drafted
`docs/THREAT-MODEL.md` (Agent 5 of 2026-05-05 wave). Publishing that
*before* the v0.7 launch positions veilor-os ahead of secureblue and
Athena on the one axis that matters most for a security-branded
distro: **honest, scoped, public threat model**.
## Roadmap implications
| Version | Status | Path |
|---|---|---|
| v0.5.31 | shipped | Anaconda kickstart, mutable root |
| v0.5.32 | active — top blockers from 9-agent wave | Anaconda kickstart |
| v0.5.x → v0.6 | maintenance | Anaconda kickstart, ergonomics + UX polish |
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
| **v0.7 spike** | **1-day BlueBuild prototype** (was 2 days; `ostreecontainer` removes first-boot-rebase work) | First veilor OCI image extending secureblue-kinoite-hardened |
| v0.7 ship | ISO bootstraps install, `ostreecontainer` populates from OCI in-pass | Hybrid path live |
| v0.8 | Iroh seeding (P2P static media), Yggdrasil promoted from idle to documented failover, RetiNet stabilization watch | bootc-only direction |
| **v1.0** | **bootc-only**, kickstart deprecated, possibly migrate `ostreecontainer` → new `bootc` kickstart command if multi-disk + auth-registry blockers resolved upstream | `bootc upgrade` for all updates |
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
The Containerfile-from-scratch spike plan (Agent 3 of 2026-05-05
wave) is **superseded** by this hybrid: don't build a Containerfile
from scratch on `fedora-bootc:43`. Instead, write a BlueBuild recipe
on `securecore-kinoite-hardened-userns`. With `ostreecontainer`
swap, spike compresses 1 week → 1 day.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
## Next concrete steps
### v0.5.32 — current (no strategy change)
Ship the 7 blockers from `docs/research/2026-05-05-agent-wave/`:
suspend/resume wifi fix, firstboot WantedBy, USBGuard id-rules,
firewalld tailscale0 zone, KMS modeset, /etc/skel branding, virtio-9p
log capture.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
`ostreecontainer` swap **does NOT land in v0.5.32 main.** It belongs
in the v0.7 spike branch only.
### v0.7-spike (1 day, separate branch)
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
1. New repo dir: `bluebuild/recipe.yml`.
2. `from`: `ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`.
3. Override modules:
- `type: files` — stamp our `overlay/*` tree (branding, themes,
veilor scripts, sddm theme, plymouth theme).
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- `type: rpm-ostree` — install Mullvad Browser + restore Xwayland +
re-enable sudo (revert run0).
- **Keep Trivalent** as default (was wrongly marked for removal in
the first draft of this doc).
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
- `type: brand` — PRETTY_NAME, GRUB_DISTRIBUTOR, distributor URL.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- `type: files` — pre-disabled `tailscale.service`, idle
`yggdrasil.service`, `ujust install-reticulum` and
`ujust install-thorium` recipes.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
4. `.github/workflows/build-bluebuild.yml` — pull BlueBuild action,
build + cosign sign + push to GHCR.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
5. `kickstart/install.ks` — replace `%packages` block with
`ostreecontainer --url=ghcr.io/veilor/veilor-os:43
--transport=registry`. Keep existing partitioning + LUKS block
verbatim. **Drop** all planned `veilor-firstboot-rebase.service`
work — no longer needed.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
### v1.0 — bootc-only
- Drop `kickstart/veilor-os.ks`, drop `livecd-creator` workflow.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- Bootstrap ISO is built as a **separate artifact** (NOT via
`bootc-image-builder anaconda-iso`, which was deprecated in
image-builder v44).
- The OCI image is the source of truth.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
- `veilor-update` becomes thin `bootc upgrade --apply` wrapper.
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- Migrate `ostreecontainer` directive → new `bootc` kickstart
command IF multi-disk + authenticated-registry support has landed
upstream by then.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
## Open questions
- Does secureblue accept upstream contributions? If yes, send our
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
USBGuard id-based-rules fix and our threat-model framework.
- Recovery flow when `ostreecontainer` install pass fails — Anaconda
should abort cleanly; verify in spike that no half-installed
state is bootable.
- Iroh 1.0 timing — currently 0.960.98 RC; Q1 2026 target slipped.
Re-evaluate Phase 2 schedule when 1.0 lands.
- RetiNet upstream stabilization — track Codeberg fork for releases.
If it stalls > 6 months we re-evaluate Layer 3.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
- Fedora 44 transition: secureblue tracks Fedora releases (current
`v4.9` on F44). If we follow, we get F44 for free at the same time
upstream does.
docs: STRATEGY.md — primary git host moved to git.s8n.ru (Forgejo) Self-hosted Forgejo + forgejo-runner on nullstone now primary. GitHub becomes public mirror (Forgejo push-mirrors every commit + every 8h). 0 GH Actions minutes consumed. Runner labels: ubuntu-24.04 — drop-in for existing build-iso.yml workflow nullstone — privileged Fedora 43 (opt-in via runs-on: nullstone) Deploy artifacts: ~/ai-lab/nullstone-server/forgejo/. External TODO (parent operator owns): - router port-forward 222 → nullstone:222 for public SSH push - no-guest@file allowlist update for external web UI access
2026-05-06 02:01:06 +01:00
## Self-hosted git + CI (locked 2026-05-05)
Primary git host moved off github.com. **Forgejo** runs on nullstone
at `git.s8n.ru`, with **forgejo-runner** doing the build work. GH free-
tier minute quota was hammering veilor-os iteration; we self-host now.
- Primary remote: `ssh://git@192.168.0.100:222/veilor-org/veilor-os.git`
(Forgejo, LAN-only until router port-forward 222 → nullstone:222
added — TODO; or use tailnet hostname once tailscale logged in).
- Public mirror: `https://github.com/veilor-org/veilor-os.git`. Forgejo
push-mirrors every commit + every 8h, so GH stays in sync without
consuming GH minutes.
- Runner labels: `ubuntu-24.04` (catthehacker image — works for our
current build-iso.yml unmodified) and `nullstone` (privileged Fedora
43 container — opt-in via `runs-on: nullstone`).
- Build cost: 0 GH minutes. Disk: ~80 GB workspace on /home/docker.
Deploy artifacts: `~/ai-lab/nullstone-server/forgejo/`. Runbook in same
dir.
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
## See also
- `docs/THREAT-MODEL.md` — drafted, needs publish for v0.7
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- `docs/ROADMAP.md` — updated to reflect this strategy
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) | Axis | secureblue | Athena OS | |---|---|---| | Maintainers | 30 | 8 | | MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined | | Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) | | Threat model published | No | Yes | | MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) | Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags
2026-05-05 15:05:59 +01:00
- `docs/research/2026-05-05-agent-wave/03-bootc-spike-plan.md`
superseded by this hybrid (kept as reference for the
Containerfile-from-scratch alternative)
- secureblue: <https://github.com/secureblue/secureblue>
- BlueBuild: <https://blue-build.org>
docs: refine strategy — ostreecontainer install + mesh stack + browser stack Refines docs/STRATEGY.md per parent-operator handoff (2026-05-05). Locks in five things the original draft didn't cover, and corrects one mistake. ## Refinement: ostreecontainer install path The original draft proposed a two-step install: Anaconda partitions + kickstart, then on first boot a `veilor-firstboot-rebase.service` runs `bootc rebase ghcr.io/veilor/veilor-os:43`. This commit drops that step. Anaconda's `ostreecontainer --url=... --transport=registry` directive populates the root filesystem directly from the OCI image during the install pass. No first-boot rebase, no transition window, no second reboot. Same end state, simpler path. Stay on `ostreecontainer` through v0.8. Do NOT migrate to the new `bootc` kickstart command until v1.0 — it blocks multi-disk and authenticated registries. Do NOT use `bootc-image-builder anaconda-iso` output — deprecated in image-builder v44+. Produce the OCI image and the bootstrap ISO as separate artifacts. This compresses the v0.7 BlueBuild spike from 2 days → 1 day. ## Correction: keep Trivalent as default The original strategy.md treated Trivalent (secureblue's hardened Chromium) as an override-and-remove. That was wrong: Trivalent's COPR tracks upstream M147+ within hours, ships hardened_malloc + JIT-less + Drumbrake WASM. Default browser pick. Mullvad Browser layered alongside for anti-fingerprint. Thorium remains opt-in via `ujust install-thorium` only — its CVE lag is months and contradicts the threat model. Never default. ## Mesh stack baked in Three-layer warm-stack documented in STRATEGY.md: - L3a Tailscale + Headscale (Day 1, daily driver) - L3b Yggdrasil-go (Day 1, idle warm-fallback, AllowedPublicKeys mode) - L3c Reticulum/RetiNet AGPL fork (opt-in via ujust install-reticulum) Threat floor table: ISP-DNS-block (i, Day 1), ISP-Tailscale-block (ii, Phase 2 promote Yggdrasil), internet-down (iii, opt-in RetiNet + RNode). Tier model: tag:admin / tag:infra / tag:guest with failsafe pre-auth key on yubikey + paper + Authentik OIDC group. ## Onboarding Token paste / QR (user picks). Misskey signup mints reusable 24h-TTL pre-auth key. NOT auto-OIDC at first boot. ## Iroh seeding daemon stub (v0.8 / Phase 2) `veilor-seed.service` documented but NOT implemented until Iroh hits 1.0 (current 0.96–0.98 RC, Q1 2026 target slipped). BLAKE3 + iroh-gossip per-service topic. Static media only — DEFER DB replication forever. ## External dependency tracked nullstone Traefik `no-guest@file` ACL is currently 0.0.0.0/0 allow-all (XFF chain breakage 2026-05-03). Must be fixed before veilor-os first-public-ISO ships, otherwise tag:guest provisioning leaks the full vhost surface to every veilor user. Parent operator owns the fix; explicitly out of veilor-os scope. ## Files - docs/STRATEGY.md — full refinement - docs/ROADMAP.md — v0.7 spike entry now reflects ostreecontainer + mesh stack + 1-day spike target - README.md — drops the "v0.2.5 pre-release" badge + status box (out of date), adds bootc/atomic trajectory paragraph ## What did NOT change - v0.5.x main branch is untouched. The ostreecontainer swap belongs in the v0.7 spike branch, NOT v0.5.32. - nullstone Traefik config is untouched. Out of scope. - The kickstart and overlay code is untouched.
2026-05-05 15:15:52 +01:00
- bootc / ostreecontainer docs: <https://docs.fedoraproject.org/en-US/bootc/>
- Yggdrasil: <https://github.com/yggdrasil-network/yggdrasil-go>
- Reticulum manual: <https://reticulum.network/manual/>
- Iroh blobs design: <https://github.com/n0-computer/iroh-blobs/blob/main/DESIGN.md>
Reference in a new issue Copy permalink