veilor-os/bluebuild/README.md

# bluebuild/ — v0.7 spike

This directory contains the BlueBuild recipe + supporting config that
builds the veilor-os bootable OCI image. **Active on the
`v0.7-bluebuild-spike` branch only.** Does NOT land in v0.5.x main
until the spike passes its success criteria (see
`docs/STRATEGY.md`).

## What's here

```
bluebuild/
├── recipe.yml                  # primary BlueBuild recipe
├── config/
│   └── just/
│       └── 60-veilor.just      # ujust recipes for opt-in components
└── README.md                   # this file
```

The recipe extends
`ghcr.io/secureblue/kinoite-main-hardened:latest`. We
inherit secureblue's hardening (sysctl + kargs + custom SELinux
policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS +
Trivalent browser + cosign-signed image chain). On top, we layer:

- veilor branding (overlay/, theme, plymouth, sddm, os-release)
- mullvad-browser (anti-fingerprint companion to Trivalent)
- xorg-x11-server-Xwayland (re-enable; secureblue disables it)
- sudo (re-enable; secureblue replaces with run0)
- tailscale + yggdrasil (mesh stack layer 1 + 2)
- ujust recipes for Reticulum (mesh layer 3) + Thorium (opt-in browser)

Trivalent stays as the default browser (correcting an earlier draft).

## Build locally

```bash
# Requires bluebuild CLI:
#   curl -fsSL https://raw.githubusercontent.com/blue-build/cli/main/install.sh | sh
cd bluebuild
bluebuild build recipe.yml
```

Output: `localhost/veilor-os:43` in podman storage. Push to GHCR
via the workflow.

## Test the OCI image

```bash
# Smoke-test (boots into the rootfs; no kernel, no init):
podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash

# Inside, sanity:
cat /etc/os-release        # PRETTY_NAME=veilor-os
which sudo                 # /usr/bin/sudo (re-enabled)
which trivalent            # secureblue's COPR (default browser)
which mullvad-browser      # /usr/bin/mullvad-browser
systemctl is-enabled yggdrasil    # enabled (idle)
systemctl is-enabled tailscaled   # disabled (awaits ujust veilor-mesh-join)
```

## Test the installer ISO

The installer ISO is built separately by livecd-creator (current path)
or bootc-image-builder (v1.0+). Its kickstart's `%packages` block is
replaced with:

```
ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry
```

That populates the target's `/` directly from this OCI image during
the install pass. No first-boot rebase. No transition window.

## Spike success criteria (1 day)

- [ ] `bluebuild build recipe.yml` exits 0
- [ ] `bootc container lint` exits 0 on the resulting image
- [ ] `podman run` smoke-test (commands above) all pass
- [ ] `.github/workflows/build-bluebuild.yml` builds + cosign-signs +
      pushes to `ghcr.io/veilor-org/veilor-os:43`
- [ ] An installer ISO using `ostreecontainer` against this OCI
      reaches SDDM with admin login on first boot

If all five land, merge `v0.7-bluebuild-spike` → `main` as v0.7.0.
If any fail in ways that aren't trivially fixable, file each as a GH
issue + return to v0.5.x kickstart path.

## See also

- `docs/STRATEGY.md` — the strategic decision + override list
- `docs/ROADMAP.md` v0.7 — full schedule
- `docs/THREAT-MODEL.md` — what we publish before launch
- secureblue: <https://github.com/secureblue/secureblue>
- BlueBuild: <https://blue-build.org>
- bootc / ostreecontainer: <https://docs.fedoraproject.org/en-US/bootc/>
v0.7 spike: BlueBuild recipe + ostreecontainer kickstart + cosign workflow Initial scaffold for the v0.7 hybrid path. Spike branch only — does NOT land in main until success criteria pass (see bluebuild/README.md). ## What this commits - bluebuild/recipe.yml — BlueBuild recipe extending ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest with: * veilor branding overlay (overlay/, assets/, scripts/ at /usr/share/veilor-os) * sudo restored (revert secureblue's run0-only) * Xwayland restored (some apps still need it) * mullvad-browser layered alongside Trivalent (default browser kept) * tailscale + yggdrasil packages (mesh stack layers 1 + 2) * tailscaled.service pre-disabled (awaits first-boot prompt) * yggdrasil.service enabled (idle warm-fallback per STRATEGY.md) * veilor-firstboot.service + veilor-modules-lock.service enabled * cosign signing module configured - bluebuild/config/just/60-veilor.just — ujust recipes: * install-reticulum (RetiNet AGPL fork — mesh layer 3) * install-reticulum-rnode (LoRa hardware) * install-thorium (opt-in browser with explicit CVE-lag warning) * veilor-mesh-join (token paste / QR for tailscale onboarding) - bluebuild/README.md — spike doc + smoke-test commands + 5-item success criteria checklist - kickstart/install-ostreecontainer.ks — install kickstart template for the v0.7 path. No %packages block; uses `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` to populate / from the OCI image directly during anaconda's install pass. No first-boot rebase, no transition window. Keeps existing LUKS+btrfs partitioning verbatim. - .github/workflows/build-bluebuild.yml — GH Actions workflow: * Triggered on push to v0.7-bluebuild-spike, weekly cron, dispatch * Uses blue-build/github-action@v1 (TODO: pin to commit SHA per CI hardening agent 8 follow-up) * Builds + cosign-signs (keyless via Sigstore) + pushes to GHCR * Smoke-tests the OCI image (sudo, mullvad-browser, yggdrasil, tailscale all present) * Generates SBOM (SPDX) via anchore/sbom-action * Publishes SLSA build provenance attestation ## What this does NOT change - main branch is untouched. v0.5.x kickstart path keeps shipping. - kickstart/veilor-os.ks (the live-ISO ks) is untouched — the v0.7 hybrid uses the existing live-ISO build path; only the install-time ks (install-ostreecontainer.ks) is new. - overlay/, scripts/, assets/ are untouched on this branch — the recipe pulls them in via `type: files` modules at build time. ## Spike success criteria (reproduced from bluebuild/README.md) - [ ] `bluebuild build recipe.yml` exits 0 - [ ] `bootc container lint` exits 0 on resulting image - [ ] `podman run` smoke-test passes - [ ] CI workflow builds + cosign-signs + pushes to GHCR - [ ] Installer ISO using `ostreecontainer` against this OCI reaches SDDM with admin login on first boot If all 5 land, merge v0.7-bluebuild-spike → main as v0.7.0. ## Reference - docs/STRATEGY.md (full plan) - docs/ROADMAP.md v0.7 (schedule) - docs/THREAT-MODEL.md (publish before v0.7 ship) - secureblue: https://github.com/secureblue/secureblue - BlueBuild: https://blue-build.org - ostreecontainer: https://docs.fedoraproject.org/en-US/bootc/anaconda-install/ 2026-05-05 15:30:04 +01:00			`# bluebuild/ — v0.7 spike`

			`This directory contains the BlueBuild recipe + supporting config that`
			`builds the veilor-os bootable OCI image. **Active on the`
			`v0.7-bluebuild-spike` branch only.** Does NOT land in v0.5.x main
			`until the spike passes its success criteria (see`
			`docs/STRATEGY.md`).

			`## What's here`

			```
			`bluebuild/`
			`├── recipe.yml # primary BlueBuild recipe`
			`├── config/`
			`│ └── just/`
			`│ └── 60-veilor.just # ujust recipes for opt-in components`
			`└── README.md # this file`
			```

			`The recipe extends`
bluebuild: switch base to ghcr.io/secureblue/kinoite-main-hardened The 'securecore-kinoite-hardened-userns' image we'd been targeting does not exist in the secureblue org's package list. Their KDE Plasma (Kinoite) hardened variant is published as 'kinoite-main-hardened' (or 'kinoite-nvidia-hardened' for NV boxes). Switch the recipe + all doc references. 2026-05-06 17:15:54 +01:00			`ghcr.io/secureblue/kinoite-main-hardened:latest`. We
v0.7 spike: BlueBuild recipe + ostreecontainer kickstart + cosign workflow Initial scaffold for the v0.7 hybrid path. Spike branch only — does NOT land in main until success criteria pass (see bluebuild/README.md). ## What this commits - bluebuild/recipe.yml — BlueBuild recipe extending ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest with: * veilor branding overlay (overlay/, assets/, scripts/ at /usr/share/veilor-os) * sudo restored (revert secureblue's run0-only) * Xwayland restored (some apps still need it) * mullvad-browser layered alongside Trivalent (default browser kept) * tailscale + yggdrasil packages (mesh stack layers 1 + 2) * tailscaled.service pre-disabled (awaits first-boot prompt) * yggdrasil.service enabled (idle warm-fallback per STRATEGY.md) * veilor-firstboot.service + veilor-modules-lock.service enabled * cosign signing module configured - bluebuild/config/just/60-veilor.just — ujust recipes: * install-reticulum (RetiNet AGPL fork — mesh layer 3) * install-reticulum-rnode (LoRa hardware) * install-thorium (opt-in browser with explicit CVE-lag warning) * veilor-mesh-join (token paste / QR for tailscale onboarding) - bluebuild/README.md — spike doc + smoke-test commands + 5-item success criteria checklist - kickstart/install-ostreecontainer.ks — install kickstart template for the v0.7 path. No %packages block; uses `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` to populate / from the OCI image directly during anaconda's install pass. No first-boot rebase, no transition window. Keeps existing LUKS+btrfs partitioning verbatim. - .github/workflows/build-bluebuild.yml — GH Actions workflow: * Triggered on push to v0.7-bluebuild-spike, weekly cron, dispatch * Uses blue-build/github-action@v1 (TODO: pin to commit SHA per CI hardening agent 8 follow-up) * Builds + cosign-signs (keyless via Sigstore) + pushes to GHCR * Smoke-tests the OCI image (sudo, mullvad-browser, yggdrasil, tailscale all present) * Generates SBOM (SPDX) via anchore/sbom-action * Publishes SLSA build provenance attestation ## What this does NOT change - main branch is untouched. v0.5.x kickstart path keeps shipping. - kickstart/veilor-os.ks (the live-ISO ks) is untouched — the v0.7 hybrid uses the existing live-ISO build path; only the install-time ks (install-ostreecontainer.ks) is new. - overlay/, scripts/, assets/ are untouched on this branch — the recipe pulls them in via `type: files` modules at build time. ## Spike success criteria (reproduced from bluebuild/README.md) - [ ] `bluebuild build recipe.yml` exits 0 - [ ] `bootc container lint` exits 0 on resulting image - [ ] `podman run` smoke-test passes - [ ] CI workflow builds + cosign-signs + pushes to GHCR - [ ] Installer ISO using `ostreecontainer` against this OCI reaches SDDM with admin login on first boot If all 5 land, merge v0.7-bluebuild-spike → main as v0.7.0. ## Reference - docs/STRATEGY.md (full plan) - docs/ROADMAP.md v0.7 (schedule) - docs/THREAT-MODEL.md (publish before v0.7 ship) - secureblue: https://github.com/secureblue/secureblue - BlueBuild: https://blue-build.org - ostreecontainer: https://docs.fedoraproject.org/en-US/bootc/anaconda-install/ 2026-05-05 15:30:04 +01:00			`inherit secureblue's hardening (sysctl + kargs + custom SELinux`
			`policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS +`
			`Trivalent browser + cosign-signed image chain). On top, we layer:`

			`- veilor branding (overlay/, theme, plymouth, sddm, os-release)`
			`- mullvad-browser (anti-fingerprint companion to Trivalent)`
			`- xorg-x11-server-Xwayland (re-enable; secureblue disables it)`
			`- sudo (re-enable; secureblue replaces with run0)`
			`- tailscale + yggdrasil (mesh stack layer 1 + 2)`
			`- ujust recipes for Reticulum (mesh layer 3) + Thorium (opt-in browser)`

			`Trivalent stays as the default browser (correcting an earlier draft).`

			`## Build locally`

			```bash
			`# Requires bluebuild CLI:`
			`# curl -fsSL https://raw.githubusercontent.com/blue-build/cli/main/install.sh \| sh`
			`cd bluebuild`
			`bluebuild build recipe.yml`
			```

			Output: `localhost/veilor-os:43` in podman storage. Push to GHCR
			`via the workflow.`

			`## Test the OCI image`

			```bash
			`# Smoke-test (boots into the rootfs; no kernel, no init):`
			`podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash`

			`# Inside, sanity:`
			`cat /etc/os-release # PRETTY_NAME=veilor-os`
			`which sudo # /usr/bin/sudo (re-enabled)`
			`which trivalent # secureblue's COPR (default browser)`
			`which mullvad-browser # /usr/bin/mullvad-browser`
			`systemctl is-enabled yggdrasil # enabled (idle)`
			`systemctl is-enabled tailscaled # disabled (awaits ujust veilor-mesh-join)`
			```

			`## Test the installer ISO`

			`The installer ISO is built separately by livecd-creator (current path)`
			or bootc-image-builder (v1.0+). Its kickstart's `%packages` block is
			`replaced with:`

			```
			`ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry`
			```

			That populates the target's `/` directly from this OCI image during
			`the install pass. No first-boot rebase. No transition window.`

			`## Spike success criteria (1 day)`

			- [ ] `bluebuild build recipe.yml` exits 0
			- [ ] `bootc container lint` exits 0 on the resulting image
			- [ ] `podman run` smoke-test (commands above) all pass
			- [ ] `.github/workflows/build-bluebuild.yml` builds + cosign-signs +
			pushes to `ghcr.io/veilor-org/veilor-os:43`
			- [ ] An installer ISO using `ostreecontainer` against this OCI
			`reaches SDDM with admin login on first boot`

			If all five land, merge `v0.7-bluebuild-spike` → `main` as v0.7.0.
			`If any fail in ways that aren't trivially fixable, file each as a GH`
			`issue + return to v0.5.x kickstart path.`

			`## See also`

			- `docs/STRATEGY.md` — the strategic decision + override list
			- `docs/ROADMAP.md` v0.7 — full schedule
			- `docs/THREAT-MODEL.md` — what we publish before launch
			`- secureblue: <https://github.com/secureblue/secureblue>`
			`- BlueBuild: <https://blue-build.org>`
			`- bootc / ostreecontainer: <https://docs.fedoraproject.org/en-US/bootc/>`