From 3c247bc60182c8cb86aa32fbcb26425096afb313 Mon Sep 17 00:00:00 2001 From: veilor-org Date: Tue, 5 May 2026 15:30:04 +0100 Subject: [PATCH] v0.7 spike: BlueBuild recipe + ostreecontainer kickstart + cosign workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Initial scaffold for the v0.7 hybrid path. Spike branch only — does NOT land in main until success criteria pass (see bluebuild/README.md). ## What this commits - bluebuild/recipe.yml — BlueBuild recipe extending ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest with: * veilor branding overlay (overlay/, assets/, scripts/ at /usr/share/veilor-os) * sudo restored (revert secureblue's run0-only) * Xwayland restored (some apps still need it) * mullvad-browser layered alongside Trivalent (default browser kept) * tailscale + yggdrasil packages (mesh stack layers 1 + 2) * tailscaled.service pre-disabled (awaits first-boot prompt) * yggdrasil.service enabled (idle warm-fallback per STRATEGY.md) * veilor-firstboot.service + veilor-modules-lock.service enabled * cosign signing module configured - bluebuild/config/just/60-veilor.just — ujust recipes: * install-reticulum (RetiNet AGPL fork — mesh layer 3) * install-reticulum-rnode (LoRa hardware) * install-thorium (opt-in browser with explicit CVE-lag warning) * veilor-mesh-join (token paste / QR for tailscale onboarding) - bluebuild/README.md — spike doc + smoke-test commands + 5-item success criteria checklist - kickstart/install-ostreecontainer.ks — install kickstart template for the v0.7 path. No %packages block; uses `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` to populate / from the OCI image directly during anaconda's install pass. No first-boot rebase, no transition window. Keeps existing LUKS+btrfs partitioning verbatim. - .github/workflows/build-bluebuild.yml — GH Actions workflow: * Triggered on push to v0.7-bluebuild-spike, weekly cron, dispatch * Uses blue-build/github-action@v1 (TODO: pin to commit SHA per CI hardening agent 8 follow-up) * Builds + cosign-signs (keyless via Sigstore) + pushes to GHCR * Smoke-tests the OCI image (sudo, mullvad-browser, yggdrasil, tailscale all present) * Generates SBOM (SPDX) via anchore/sbom-action * Publishes SLSA build provenance attestation ## What this does NOT change - main branch is untouched. v0.5.x kickstart path keeps shipping. - kickstart/veilor-os.ks (the live-ISO ks) is untouched — the v0.7 hybrid uses the existing live-ISO build path; only the install-time ks (install-ostreecontainer.ks) is new. - overlay/, scripts/, assets/ are untouched on this branch — the recipe pulls them in via `type: files` modules at build time. ## Spike success criteria (reproduced from bluebuild/README.md) - [ ] `bluebuild build recipe.yml` exits 0 - [ ] `bootc container lint` exits 0 on resulting image - [ ] `podman run` smoke-test passes - [ ] CI workflow builds + cosign-signs + pushes to GHCR - [ ] Installer ISO using `ostreecontainer` against this OCI reaches SDDM with admin login on first boot If all 5 land, merge v0.7-bluebuild-spike → main as v0.7.0. ## Reference - docs/STRATEGY.md (full plan) - docs/ROADMAP.md v0.7 (schedule) - docs/THREAT-MODEL.md (publish before v0.7 ship) - secureblue: https://github.com/secureblue/secureblue - BlueBuild: https://blue-build.org - ostreecontainer: https://docs.fedoraproject.org/en-US/bootc/anaconda-install/ --- .github/workflows/build-bluebuild.yml | 99 +++++++++++++++++++++ bluebuild/README.md | 96 +++++++++++++++++++++ bluebuild/config/just/60-veilor.just | 73 ++++++++++++++++ bluebuild/recipe.yml | 118 ++++++++++++++++++++++++++ kickstart/install-ostreecontainer.ks | 80 +++++++++++++++++ 5 files changed, 466 insertions(+) create mode 100644 .github/workflows/build-bluebuild.yml create mode 100644 bluebuild/README.md create mode 100644 bluebuild/config/just/60-veilor.just create mode 100644 bluebuild/recipe.yml create mode 100644 kickstart/install-ostreecontainer.ks diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml new file mode 100644 index 0000000..e0e49dc --- /dev/null +++ b/.github/workflows/build-bluebuild.yml @@ -0,0 +1,99 @@ +name: Build veilor-os OCI (BlueBuild) + +# v0.7 spike — builds the bootable OCI image used by the bootstrap +# kickstart's `ostreecontainer` directive. Active only on the +# `v0.7-bluebuild-spike` branch until the spike passes success +# criteria (see bluebuild/README.md). +# +# Reference: https://blue-build.org/how-to/setup-build-action/ +# +# Security note: all `${{ }}` interpolations in this file are restricted +# to vetted GitHub-controlled values (repository_owner, run number, +# secrets, signed action outputs). No `github.event.issue.title` or +# similar untrusted-user-input is read in run blocks. + +on: + push: + branches: [v0.7-bluebuild-spike] + paths: + - 'bluebuild/**' + - 'overlay/**' + - 'assets/**' + - 'scripts/**' + - '.github/workflows/build-bluebuild.yml' + pull_request: + branches: [main, v0.7-bluebuild-spike] + schedule: + # Rebuild weekly so we pick up upstream secureblue + Fedora updates. + - cron: '0 6 * * 1' + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + name: Build + sign + push OCI + runs-on: ubuntu-24.04 + timeout-minutes: 30 + permissions: + contents: read + packages: write # push to ghcr.io/veilor-org/veilor-os + id-token: write # cosign keyless signing via Sigstore + attestations: write # SLSA build provenance + + env: + OCI_IMAGE: ghcr.io/${{ github.repository_owner }}/veilor-os + OCI_TAG: latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Free up disk + run: | + sudo rm -rf /opt/hostedtoolcache /usr/share/dotnet /usr/local/lib/android + sudo apt-get clean + df -h + + # BlueBuild action wraps: image build, cosign sign (keyless via + # Sigstore), GHCR push. To pin to a commit SHA in a follow-up + # once the workflow shape stabilises (CI hardening agent 8, + # 2026-05-05 wave). + - name: Build + push veilor-os OCI + id: bluebuild + uses: blue-build/github-action@v1 + with: + recipe: bluebuild/recipe.yml + registry_token: ${{ secrets.GITHUB_TOKEN }} + pr_event_number: ${{ github.event.number }} + maximize_build_space: true + + - name: Smoke-test OCI image + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + run: | + podman pull "$OCI_IMAGE:$OCI_TAG" + podman run --rm "$OCI_IMAGE:$OCI_TAG" /bin/bash -c ' + set -e + echo "-- os-release" + head -5 /etc/os-release + echo "-- sudo present"; which sudo + echo "-- mullvad-browser present"; which mullvad-browser + echo "-- yggdrasil present"; which yggdrasil + echo "-- tailscale present"; which tailscale + ' + + - name: SBOM (SPDX) + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + uses: anchore/sbom-action@v0 + with: + image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }} + format: spdx-json + output-file: veilor-os-oci.spdx.json + + - name: Build provenance attestation + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + uses: actions/attest-build-provenance@v2 + with: + subject-name: ${{ env.OCI_IMAGE }} + subject-digest: ${{ steps.bluebuild.outputs.digest }} diff --git a/bluebuild/README.md b/bluebuild/README.md new file mode 100644 index 0000000..9d1c10b --- /dev/null +++ b/bluebuild/README.md @@ -0,0 +1,96 @@ +# bluebuild/ — v0.7 spike + +This directory contains the BlueBuild recipe + supporting config that +builds the veilor-os bootable OCI image. **Active on the +`v0.7-bluebuild-spike` branch only.** Does NOT land in v0.5.x main +until the spike passes its success criteria (see +`docs/STRATEGY.md`). + +## What's here + +``` +bluebuild/ +├── recipe.yml # primary BlueBuild recipe +├── config/ +│ └── just/ +│ └── 60-veilor.just # ujust recipes for opt-in components +└── README.md # this file +``` + +The recipe extends +`ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`. We +inherit secureblue's hardening (sysctl + kargs + custom SELinux +policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS + +Trivalent browser + cosign-signed image chain). On top, we layer: + +- veilor branding (overlay/, theme, plymouth, sddm, os-release) +- mullvad-browser (anti-fingerprint companion to Trivalent) +- xorg-x11-server-Xwayland (re-enable; secureblue disables it) +- sudo (re-enable; secureblue replaces with run0) +- tailscale + yggdrasil (mesh stack layer 1 + 2) +- ujust recipes for Reticulum (mesh layer 3) + Thorium (opt-in browser) + +Trivalent stays as the default browser (correcting an earlier draft). + +## Build locally + +```bash +# Requires bluebuild CLI: +# curl -fsSL https://raw.githubusercontent.com/blue-build/cli/main/install.sh | sh +cd bluebuild +bluebuild build recipe.yml +``` + +Output: `localhost/veilor-os:43` in podman storage. Push to GHCR +via the workflow. + +## Test the OCI image + +```bash +# Smoke-test (boots into the rootfs; no kernel, no init): +podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash + +# Inside, sanity: +cat /etc/os-release # PRETTY_NAME=veilor-os +which sudo # /usr/bin/sudo (re-enabled) +which trivalent # secureblue's COPR (default browser) +which mullvad-browser # /usr/bin/mullvad-browser +systemctl is-enabled yggdrasil # enabled (idle) +systemctl is-enabled tailscaled # disabled (awaits ujust veilor-mesh-join) +``` + +## Test the installer ISO + +The installer ISO is built separately by livecd-creator (current path) +or bootc-image-builder (v1.0+). Its kickstart's `%packages` block is +replaced with: + +``` +ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry +``` + +That populates the target's `/` directly from this OCI image during +the install pass. No first-boot rebase. No transition window. + +## Spike success criteria (1 day) + +- [ ] `bluebuild build recipe.yml` exits 0 +- [ ] `bootc container lint` exits 0 on the resulting image +- [ ] `podman run` smoke-test (commands above) all pass +- [ ] `.github/workflows/build-bluebuild.yml` builds + cosign-signs + + pushes to `ghcr.io/veilor-org/veilor-os:43` +- [ ] An installer ISO using `ostreecontainer` against this OCI + reaches SDDM with admin login on first boot + +If all five land, merge `v0.7-bluebuild-spike` → `main` as v0.7.0. +If any fail in ways that aren't trivially fixable, file each as a GH +issue + return to v0.5.x kickstart path. + +## See also + +- `docs/STRATEGY.md` — the strategic decision + override list +- `docs/ROADMAP.md` v0.7 — full schedule +- `docs/THREAT-MODEL.md` — what we publish before launch +- secureblue: +- BlueBuild: +- bootc / ostreecontainer: diff --git a/bluebuild/config/just/60-veilor.just b/bluebuild/config/just/60-veilor.just new file mode 100644 index 0000000..a1d056e --- /dev/null +++ b/bluebuild/config/just/60-veilor.just @@ -0,0 +1,73 @@ +# veilor-os ujust recipes — opt-in components +# Loaded into /usr/share/ublue-os/just/ at image build time; +# `ujust install-X` discovers + dispatches. + +# install Reticulum / RetiNet AGPL fork + Sideband (mesh layer 3) +install-reticulum: + #!/usr/bin/env bash + echo "═══ Reticulum (RetiNet AGPL fork) install ═══" + echo + echo "Installs RetiNet (AGPL fork — NOT upstream RNS due to anti-AI" + echo "license) plus Sideband messenger. Default config: AutoInterface" + echo "(LAN multicast) + 1-2 TCP backbone peers. RNode hardware (LoRa" + echo "transceiver) is a separate install." + echo + read -p "Proceed? [y/N]: " confirm + if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi + rpm-ostree install python3-pip + pip install --user retinet sideband-cli + echo + echo "Done. To attach an RNode (LoRa transceiver), run:" + echo " ujust install-reticulum-rnode" + +# install Reticulum RNode hardware support (LoRa transceiver) +install-reticulum-rnode: + #!/usr/bin/env bash + echo "═══ RNode (LoRa transceiver) hardware install ═══" + echo + echo "Adds RNode firmware-update tooling + udev rules for the LoRa" + echo "USB hardware. Required only if you have an RNode device." + echo + read -p "Proceed? [y/N]: " confirm + if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi + pip install --user rnodeconf + echo "Done. Plug in your RNode via USB; it will appear as a serial device." + +# install Thorium browser (OPT-IN, with explicit CVE-lag warning) +install-thorium: + #!/usr/bin/env bash + echo "═══ Thorium browser install ═══" + echo + echo "WARNING: Thorium is a perf/media-focused fork of Chromium that" + echo "uses LTS Chromium as its base. As of 2026-05 it lags upstream" + echo "stable by ~9 milestones (months of CVE backlog)." + echo + echo "veilor-os ships Trivalent (secureblue's hardened Chromium fork," + echo "tracking upstream M147+ within hours) as the default browser." + echo "Thorium is provided as an OPT-IN profile for users who" + echo "explicitly need its perf characteristics (e.g. WebGL games," + echo "media decode profiles)." + echo + echo "DO NOT use Thorium as your daily-driver browser. Use Trivalent" + echo "or Mullvad Browser for that." + echo + read -p "Acknowledge CVE-lag risk and continue? [y/N]: " confirm + if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi + flatpak install --user -y org.thorium.Thorium 2>/dev/null || \ + rpm-ostree install thorium-browser + echo "Done. Launch via Plasma menu or `flatpak run org.thorium.Thorium`." + +# join the veilor mesh (Tailscale via Headscale) +veilor-mesh-join: + #!/usr/bin/env bash + echo "═══ Join veilor mesh (Tailscale via Headscale) ═══" + echo + echo "Pre-auth keys are minted by the Misskey signup page at" + echo "x.veilor (TTL 24h, single-use). You can paste the hex key" + echo "directly OR scan the QR code shown after signup." + echo + read -p "Hex key (paste): " preauth + if [[ -z "$preauth" ]]; then echo "Empty key. Cancelled."; exit 0; fi + sudo systemctl enable --now tailscaled + sudo tailscale up --login-server=https://hs.s8n.ru --auth-key="$preauth" + echo "Done. Status: $(sudo tailscale status | head -1)" \ No newline at end of file diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml new file mode 100644 index 0000000..bdf2229 --- /dev/null +++ b/bluebuild/recipe.yml @@ -0,0 +1,118 @@ +# veilor-os — BlueBuild recipe (v0.7 spike, 1-day target) +# +# Extends secureblue's hardened Kinoite OCI image with veilor branding, +# threat-model-driven UX choices, and the three-layer mesh stack +# (Tailscale + Yggdrasil + opt-in Reticulum). This is the OCI image +# that the v0.7+ kickstart's `ostreecontainer` directive pulls into +# the target root during the install pass. +# +# Build: bluebuild build recipe.yml +# Test: podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash +# CI: .github/workflows/build-bluebuild.yml signs + pushes to GHCR. +# +# Reference: https://blue-build.org/reference/recipe/ +--- +name: veilor-os +description: Hardened security-branded Fedora KDE on top of secureblue. + +# Base image: secureblue's hardened Kinoite variant with userns sandboxing. +# That brings in: sysctl + kargs + custom SELinux policy + USBGuard + +# hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser. +base-image: ghcr.io/secureblue/securecore-kinoite-hardened-userns +image-version: latest + +modules: + # ── 1. veilor branding overlay ────────────────────────────────── + # Stamps our overlay/* tree onto the OCI image. KDE color scheme, + # Plymouth theme, SDDM theme, fontconfig, os-release. + - type: files + files: + - source: ../overlay + destination: / + + - type: files + files: + - source: ../assets + destination: /usr/share/veilor-os/assets + + - type: files + files: + - source: ../scripts + destination: /usr/share/veilor-os/scripts + + # ── 2. Branding overrides at build time ───────────────────────── + - type: script + snippets: + - | + # os-release brand + sed -i \ + -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \ + /etc/default/grub 2>/dev/null || true + # Apply our kde-theme + plymouth in build + bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true + bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true + plymouth-set-default-theme details 2>/dev/null || true + + # ── 3. Override secureblue's run0-only — restore sudo ─────────── + # secureblue removes sudo + replaces with run0. Too disruptive for + # daily-driver workflows. Restore sudo, keep run0 available. + - type: rpm-ostree + install: + - sudo + + # ── 4. Re-enable Xwayland ─────────────────────────────────────── + # secureblue disables Xwayland for attack-surface reduction. Some + # apps (Element, Slack-likes, older Qt5 tools) still need it. + # User who wants it removed back can `rpm-ostree override remove`. + - type: rpm-ostree + install: + - xorg-x11-server-Xwayland + + # ── 5. Mullvad Browser as anti-fingerprint companion ──────────── + # Layered alongside Trivalent (kept as default per STRATEGY.md). + # Trivalent for daily browsing, Mullvad for pseudonymous browsing. + # Thorium remains opt-in only via `ujust install-thorium` — see + # config/thorium.just for the warning + install logic. + - type: rpm-ostree + install: + - mullvad-browser + + # ── 6. Mesh stack packages ────────────────────────────────────── + # Layer 1 (Day 1 daily driver, service pre-disabled): Tailscale + # Layer 2 (Day 1 idle warm-fallback): Yggdrasil-go + # Layer 3 (opt-in via ujust): Reticulum / RetiNet — handled in just/ + - type: rpm-ostree + install: + - tailscale + - yggdrasil + + # ── 7. ujust recipes for opt-in components ────────────────────── + - type: files + files: + - source: config/just + destination: /usr/share/ublue-os/just + + # ── 8. Service tuning: tailscale pre-disabled, yggdrasil idle ─── + - type: systemd + system: + enabled: + - yggdrasil.service # idle warm-fallback (config = empty Listen[]) + disabled: + - tailscaled.service # awaits first-boot prompt for join + # secureblue parents already enable: sshd, fail2ban, usbguard, + # auditd, firewalld, chronyd, sddm — no re-enable needed. + + # ── 9. veilor-os specific systemd units ───────────────────────── + # veilor-firstboot.service comes in via overlay/etc/systemd/system/ + # — needs explicit enable since it's not part of secureblue's set. + - type: systemd + system: + enabled: + - veilor-firstboot.service + - veilor-modules-lock.service + + # ── 10. signing config ────────────────────────────────────────── + # bluebuild emits cosign.pub at root; CI uses the pinned key + # generated for veilor-org. signed-by reference for bootc upgrade + # signature verification. + - type: signing \ No newline at end of file diff --git a/kickstart/install-ostreecontainer.ks b/kickstart/install-ostreecontainer.ks new file mode 100644 index 0000000..084af57 --- /dev/null +++ b/kickstart/install-ostreecontainer.ks @@ -0,0 +1,80 @@ +# veilor-os install kickstart — v0.7 spike (ostreecontainer path) +# +# This is the install-time kickstart for the v0.7 hybrid path. The live +# ISO boots; the gum TUI collects user answers (disk, LUKS pw, admin pw); +# this template gets the answers substituted in and is fed to anaconda. +# +# Anaconda partitions the disk + creates LUKS + btrfs subvols + mounts +# /boot/efi + /boot, then `ostreecontainer` populates `/` directly from +# the cosign-signed veilor-os OCI image at `ghcr.io/veilor-org/veilor-os:43`. +# +# No `%packages` block. No first-boot rebase. No +# `veilor-firstboot-rebase.service`. The ostreecontainer install pass is +# the entire transition from "Fedora live ISO" to "veilor-os on disk". +# +# Reference: pykickstart docs ostreecontainer command; +# https://docs.fedoraproject.org/en-US/bootc/anaconda-install/ + +# ── Locale / keyboard / time ── +keyboard --xlayouts='us' +lang en_US.UTF-8 +timezone Europe/London --utc + +# ── Install mode / behaviour ── +firstboot --disable +eula --agreed +# SELinux state inherited from the OCI image; --enforcing is implicit +# since secureblue's image ships /etc/selinux/config = enforcing. +selinux --enforcing + +# ── Network / hostname ── +network --bootproto=dhcp --device=link --activate --hostname=__HOSTNAME__ +firewall --enabled --service=ssh + +# ── Identity (single LUKS prompt asked at install via gum TUI) ── +rootpw --lock +user --name=admin --groups=wheel --gecos="veilor admin" --password=__ADMIN_PW__ --plaintext + +# ── Bootloader ── +# fbcon=nodefer for laptop KMS handoff (real-hardware audit, agent 9 of +# 2026-05-05 wave). rd.luks.options=tries=5,timeout=0 for UX. +# rd.luks.uuid is auto-injected by anaconda based on the encrypted +# part directive below. +# +# All other hardening kargs (lockdown=integrity, slab_nomerge, etc.) +# come from /usr/lib/bootc/kargs.d/ inside the OCI image — bootc +# applies them at install time. We only add what the OCI image can't +# know (laptop-specific KMS flag). +bootloader --append="fbcon=nodefer" + +# ── Disk: LUKS2 (argon2id) + btrfs subvols ── +zerombr +clearpart --all --initlabel --drives=__DISK_BASENAME__ +part /boot/efi --fstype=efi --size=600 +part /boot --fstype=ext4 --size=1024 +part btrfs.veilor --grow --encrypted --luks-version=luks2 --pbkdf=argon2id --passphrase=__LUKS_PW__ +btrfs none --label=veilor btrfs.veilor +btrfs / --subvol --name=root LABEL=veilor +btrfs /home --subvol --name=home LABEL=veilor + +# ── ostreecontainer: populate / from the veilor-os OCI image ── +# `--transport=registry` pulls from ghcr.io directly. Authentication +# token can be supplied via /etc/ostree/auth.json baked into the live +# rootfs OR via a kickstart `--remote-token` if the registry is private. +# At v0.7 spike the OCI image is public, so no auth needed. +# +# DO NOT migrate to the new `bootc` kickstart command until v1.0 — it +# blocks multi-disk and authenticated registries (per parent-operator +# handoff 2026-05-05). +ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry + +# ── %post (chroot) — minimal; OCI image already has everything ── +# What we keep: +# - chage -d 0 admin so first SDDM login forces password change +# - hostname write (anaconda's --hostname doesn't always survive) +# - veilor-firstboot.service is enabled in the OCI image already +%post +set -uo pipefail +echo veilor > /etc/hostname +chage -d 0 admin || true +%end \ No newline at end of file