v0.7 spike: BlueBuild recipe + ostreecontainer kickstart + cosign workflow

Initial scaffold for the v0.7 hybrid path. Spike branch only — does
NOT land in main until success criteria pass (see bluebuild/README.md).

## What this commits

- bluebuild/recipe.yml — BlueBuild recipe extending
  ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest with:
  * veilor branding overlay (overlay/, assets/, scripts/ at /usr/share/veilor-os)
  * sudo restored (revert secureblue's run0-only)
  * Xwayland restored (some apps still need it)
  * mullvad-browser layered alongside Trivalent (default browser kept)
  * tailscale + yggdrasil packages (mesh stack layers 1 + 2)
  * tailscaled.service pre-disabled (awaits first-boot prompt)
  * yggdrasil.service enabled (idle warm-fallback per STRATEGY.md)
  * veilor-firstboot.service + veilor-modules-lock.service enabled
  * cosign signing module configured

- bluebuild/config/just/60-veilor.just — ujust recipes:
  * install-reticulum (RetiNet AGPL fork — mesh layer 3)
  * install-reticulum-rnode (LoRa hardware)
  * install-thorium (opt-in browser with explicit CVE-lag warning)
  * veilor-mesh-join (token paste / QR for tailscale onboarding)

- bluebuild/README.md — spike doc + smoke-test commands + 5-item
  success criteria checklist

- kickstart/install-ostreecontainer.ks — install kickstart template
  for the v0.7 path. No %packages block; uses
  `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry`
  to populate / from the OCI image directly during anaconda's install
  pass. No first-boot rebase, no transition window. Keeps existing
  LUKS+btrfs partitioning verbatim.

- .github/workflows/build-bluebuild.yml — GH Actions workflow:
  * Triggered on push to v0.7-bluebuild-spike, weekly cron, dispatch
  * Uses blue-build/github-action@v1 (TODO: pin to commit SHA per
    CI hardening agent 8 follow-up)
  * Builds + cosign-signs (keyless via Sigstore) + pushes to GHCR
  * Smoke-tests the OCI image (sudo, mullvad-browser, yggdrasil,
    tailscale all present)
  * Generates SBOM (SPDX) via anchore/sbom-action
  * Publishes SLSA build provenance attestation

## What this does NOT change

- main branch is untouched. v0.5.x kickstart path keeps shipping.
- kickstart/veilor-os.ks (the live-ISO ks) is untouched — the v0.7
  hybrid uses the existing live-ISO build path; only the install-time
  ks (install-ostreecontainer.ks) is new.
- overlay/, scripts/, assets/ are untouched on this branch — the
  recipe pulls them in via `type: files` modules at build time.

## Spike success criteria (reproduced from bluebuild/README.md)

- [ ] `bluebuild build recipe.yml` exits 0
- [ ] `bootc container lint` exits 0 on resulting image
- [ ] `podman run` smoke-test passes
- [ ] CI workflow builds + cosign-signs + pushes to GHCR
- [ ] Installer ISO using `ostreecontainer` against this OCI reaches
      SDDM with admin login on first boot

If all 5 land, merge v0.7-bluebuild-spike → main as v0.7.0.

## Reference

- docs/STRATEGY.md (full plan)
- docs/ROADMAP.md v0.7 (schedule)
- docs/THREAT-MODEL.md (publish before v0.7 ship)
- secureblue: https://github.com/secureblue/secureblue
- BlueBuild: https://blue-build.org
- ostreecontainer: https://docs.fedoraproject.org/en-US/bootc/anaconda-install/

.github/workflows/build-bluebuild.yml

@@ -0,0 +1,99 @@
+name: Build veilor-os OCI (BlueBuild)
+
+# v0.7 spike — builds the bootable OCI image used by the bootstrap
+# kickstart's `ostreecontainer` directive. Active only on the
+# `v0.7-bluebuild-spike` branch until the spike passes success
+# criteria (see bluebuild/README.md).
+#
+# Reference: https://blue-build.org/how-to/setup-build-action/
+#
+# Security note: all `${{ }}` interpolations in this file are restricted
+# to vetted GitHub-controlled values (repository_owner, run number,
+# secrets, signed action outputs). No `github.event.issue.title` or
+# similar untrusted-user-input is read in run blocks.
+
+on:
+  push:
+    branches: [v0.7-bluebuild-spike]
+    paths:
+      - 'bluebuild/**'
+      - 'overlay/**'
+      - 'assets/**'
+      - 'scripts/**'
+      - '.github/workflows/build-bluebuild.yml'
+  pull_request:
+    branches: [main, v0.7-bluebuild-spike]
+  schedule:
+    # Rebuild weekly so we pick up upstream secureblue + Fedora updates.
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build + sign + push OCI
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write           # push to ghcr.io/veilor-org/veilor-os
+      id-token: write           # cosign keyless signing via Sigstore
+      attestations: write       # SLSA build provenance
+
+    env:
+      OCI_IMAGE: ghcr.io/${{ github.repository_owner }}/veilor-os
+      OCI_TAG: latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Free up disk
+        run: |
+          sudo rm -rf /opt/hostedtoolcache /usr/share/dotnet /usr/local/lib/android
+          sudo apt-get clean
+          df -h
+
+      # BlueBuild action wraps: image build, cosign sign (keyless via
+      # Sigstore), GHCR push. To pin to a commit SHA in a follow-up
+      # once the workflow shape stabilises (CI hardening agent 8,
+      # 2026-05-05 wave).
+      - name: Build + push veilor-os OCI
+        id: bluebuild
+        uses: blue-build/github-action@v1
+        with:
+          recipe: bluebuild/recipe.yml
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_event_number: ${{ github.event.number }}
+          maximize_build_space: true
+
+      - name: Smoke-test OCI image
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: |
+          podman pull "$OCI_IMAGE:$OCI_TAG"
+          podman run --rm "$OCI_IMAGE:$OCI_TAG" /bin/bash -c '
+            set -e
+            echo "-- os-release"
+            head -5 /etc/os-release
+            echo "-- sudo present"; which sudo
+            echo "-- mullvad-browser present"; which mullvad-browser
+            echo "-- yggdrasil present"; which yggdrasil
+            echo "-- tailscale present"; which tailscale
+          '
+
+      - name: SBOM (SPDX)
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }}
+          format: spdx-json
+          output-file: veilor-os-oci.spdx.json
+
+      - name: Build provenance attestation
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.OCI_IMAGE }}
+          subject-digest: ${{ steps.bluebuild.outputs.digest }}

bluebuild/README.md

@@ -0,0 +1,96 @@
+# bluebuild/ — v0.7 spike
+
+This directory contains the BlueBuild recipe + supporting config that
+builds the veilor-os bootable OCI image. **Active on the
+`v0.7-bluebuild-spike` branch only.** Does NOT land in v0.5.x main
+until the spike passes its success criteria (see
+`docs/STRATEGY.md`).
+
+## What's here
+
+```
+bluebuild/
+├── recipe.yml                  # primary BlueBuild recipe
+├── config/
+│   └── just/
+│       └── 60-veilor.just      # ujust recipes for opt-in components
+└── README.md                   # this file
+```
+
+The recipe extends
+`ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`. We
+inherit secureblue's hardening (sysctl + kargs + custom SELinux
+policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS +
+Trivalent browser + cosign-signed image chain). On top, we layer:
+
+- veilor branding (overlay/, theme, plymouth, sddm, os-release)
+- mullvad-browser (anti-fingerprint companion to Trivalent)
+- xorg-x11-server-Xwayland (re-enable; secureblue disables it)
+- sudo (re-enable; secureblue replaces with run0)
+- tailscale + yggdrasil (mesh stack layer 1 + 2)
+- ujust recipes for Reticulum (mesh layer 3) + Thorium (opt-in browser)
+
+Trivalent stays as the default browser (correcting an earlier draft).
+
+## Build locally
+
+```bash
+# Requires bluebuild CLI:
+#   curl -fsSL https://raw.githubusercontent.com/blue-build/cli/main/install.sh | sh
+cd bluebuild
+bluebuild build recipe.yml
+```
+
+Output: `localhost/veilor-os:43` in podman storage. Push to GHCR
+via the workflow.
+
+## Test the OCI image
+
+```bash
+# Smoke-test (boots into the rootfs; no kernel, no init):
+podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash
+
+# Inside, sanity:
+cat /etc/os-release        # PRETTY_NAME=veilor-os
+which sudo                 # /usr/bin/sudo (re-enabled)
+which trivalent            # secureblue's COPR (default browser)
+which mullvad-browser      # /usr/bin/mullvad-browser
+systemctl is-enabled yggdrasil    # enabled (idle)
+systemctl is-enabled tailscaled   # disabled (awaits ujust veilor-mesh-join)
+```
+
+## Test the installer ISO
+
+The installer ISO is built separately by livecd-creator (current path)
+or bootc-image-builder (v1.0+). Its kickstart's `%packages` block is
+replaced with:
+
+```
+ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry
+```
+
+That populates the target's `/` directly from this OCI image during
+the install pass. No first-boot rebase. No transition window.
+
+## Spike success criteria (1 day)
+
+- [ ] `bluebuild build recipe.yml` exits 0
+- [ ] `bootc container lint` exits 0 on the resulting image
+- [ ] `podman run` smoke-test (commands above) all pass
+- [ ] `.github/workflows/build-bluebuild.yml` builds + cosign-signs +
+      pushes to `ghcr.io/veilor-org/veilor-os:43`
+- [ ] An installer ISO using `ostreecontainer` against this OCI
+      reaches SDDM with admin login on first boot
+
+If all five land, merge `v0.7-bluebuild-spike` → `main` as v0.7.0.
+If any fail in ways that aren't trivially fixable, file each as a GH
+issue + return to v0.5.x kickstart path.
+
+## See also
+
+- `docs/STRATEGY.md` — the strategic decision + override list
+- `docs/ROADMAP.md` v0.7 — full schedule
+- `docs/THREAT-MODEL.md` — what we publish before launch
+- secureblue: <https://github.com/secureblue/secureblue>
+- BlueBuild: <https://blue-build.org>
+- bootc / ostreecontainer: <https://docs.fedoraproject.org/en-US/bootc/>

bluebuild/config/just/60-veilor.just

@@ -0,0 +1,73 @@
+# veilor-os ujust recipes — opt-in components
+# Loaded into /usr/share/ublue-os/just/ at image build time;
+# `ujust install-X` discovers + dispatches.
+
+# install Reticulum / RetiNet AGPL fork + Sideband (mesh layer 3)
+install-reticulum:
+    #!/usr/bin/env bash
+    echo "═══ Reticulum (RetiNet AGPL fork) install ═══"
+    echo
+    echo "Installs RetiNet (AGPL fork — NOT upstream RNS due to anti-AI"
+    echo "license) plus Sideband messenger. Default config: AutoInterface"
+    echo "(LAN multicast) + 1-2 TCP backbone peers. RNode hardware (LoRa"
+    echo "transceiver) is a separate install."
+    echo
+    read -p "Proceed? [y/N]: " confirm
+    if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi
+    rpm-ostree install python3-pip
+    pip install --user retinet sideband-cli
+    echo
+    echo "Done. To attach an RNode (LoRa transceiver), run:"
+    echo "    ujust install-reticulum-rnode"
+
+# install Reticulum RNode hardware support (LoRa transceiver)
+install-reticulum-rnode:
+    #!/usr/bin/env bash
+    echo "═══ RNode (LoRa transceiver) hardware install ═══"
+    echo
+    echo "Adds RNode firmware-update tooling + udev rules for the LoRa"
+    echo "USB hardware. Required only if you have an RNode device."
+    echo
+    read -p "Proceed? [y/N]: " confirm
+    if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi
+    pip install --user rnodeconf
+    echo "Done. Plug in your RNode via USB; it will appear as a serial device."
+
+# install Thorium browser (OPT-IN, with explicit CVE-lag warning)
+install-thorium:
+    #!/usr/bin/env bash
+    echo "═══ Thorium browser install ═══"
+    echo
+    echo "WARNING: Thorium is a perf/media-focused fork of Chromium that"
+    echo "uses LTS Chromium as its base. As of 2026-05 it lags upstream"
+    echo "stable by ~9 milestones (months of CVE backlog)."
+    echo
+    echo "veilor-os ships Trivalent (secureblue's hardened Chromium fork,"
+    echo "tracking upstream M147+ within hours) as the default browser."
+    echo "Thorium is provided as an OPT-IN profile for users who"
+    echo "explicitly need its perf characteristics (e.g. WebGL games,"
+    echo "media decode profiles)."
+    echo
+    echo "DO NOT use Thorium as your daily-driver browser. Use Trivalent"
+    echo "or Mullvad Browser for that."
+    echo
+    read -p "Acknowledge CVE-lag risk and continue? [y/N]: " confirm
+    if [[ "$confirm" != "y" ]]; then echo "Cancelled."; exit 0; fi
+    flatpak install --user -y org.thorium.Thorium 2>/dev/null || \
+        rpm-ostree install thorium-browser
+    echo "Done. Launch via Plasma menu or `flatpak run org.thorium.Thorium`."
+
+# join the veilor mesh (Tailscale via Headscale)
+veilor-mesh-join:
+    #!/usr/bin/env bash
+    echo "═══ Join veilor mesh (Tailscale via Headscale) ═══"
+    echo
+    echo "Pre-auth keys are minted by the Misskey signup page at"
+    echo "x.veilor (TTL 24h, single-use). You can paste the hex key"
+    echo "directly OR scan the QR code shown after signup."
+    echo
+    read -p "Hex key (paste): " preauth
+    if [[ -z "$preauth" ]]; then echo "Empty key. Cancelled."; exit 0; fi
+    sudo systemctl enable --now tailscaled
+    sudo tailscale up --login-server=https://hs.s8n.ru --auth-key="$preauth"
+    echo "Done. Status: $(sudo tailscale status | head -1)"

bluebuild/recipe.yml

@@ -0,0 +1,118 @@
+# veilor-os — BlueBuild recipe (v0.7 spike, 1-day target)
+#
+# Extends secureblue's hardened Kinoite OCI image with veilor branding,
+# threat-model-driven UX choices, and the three-layer mesh stack
+# (Tailscale + Yggdrasil + opt-in Reticulum). This is the OCI image
+# that the v0.7+ kickstart's `ostreecontainer` directive pulls into
+# the target root during the install pass.
+#
+# Build:    bluebuild build recipe.yml
+# Test:     podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash
+# CI:       .github/workflows/build-bluebuild.yml signs + pushes to GHCR.
+#
+# Reference: https://blue-build.org/reference/recipe/
+---
+name: veilor-os
+description: Hardened security-branded Fedora KDE on top of secureblue.
+
+# Base image: secureblue's hardened Kinoite variant with userns sandboxing.
+# That brings in: sysctl + kargs + custom SELinux policy + USBGuard +
+# hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser.
+base-image: ghcr.io/secureblue/securecore-kinoite-hardened-userns
+image-version: latest
+
+modules:
+  # ── 1. veilor branding overlay ──────────────────────────────────
+  # Stamps our overlay/* tree onto the OCI image. KDE color scheme,
+  # Plymouth theme, SDDM theme, fontconfig, os-release.
+  - type: files
+    files:
+      - source: ../overlay
+        destination: /
+
+  - type: files
+    files:
+      - source: ../assets
+        destination: /usr/share/veilor-os/assets
+
+  - type: files
+    files:
+      - source: ../scripts
+        destination: /usr/share/veilor-os/scripts
+
+  # ── 2. Branding overrides at build time ─────────────────────────
+  - type: script
+    snippets:
+      - |
+        # os-release brand
+        sed -i \
+          -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \
+          /etc/default/grub 2>/dev/null || true
+        # Apply our kde-theme + plymouth in build
+        bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true
+        bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true
+        plymouth-set-default-theme details 2>/dev/null || true
+
+  # ── 3. Override secureblue's run0-only — restore sudo ───────────
+  # secureblue removes sudo + replaces with run0. Too disruptive for
+  # daily-driver workflows. Restore sudo, keep run0 available.
+  - type: rpm-ostree
+    install:
+      - sudo
+
+  # ── 4. Re-enable Xwayland ───────────────────────────────────────
+  # secureblue disables Xwayland for attack-surface reduction. Some
+  # apps (Element, Slack-likes, older Qt5 tools) still need it.
+  # User who wants it removed back can `rpm-ostree override remove`.
+  - type: rpm-ostree
+    install:
+      - xorg-x11-server-Xwayland
+
+  # ── 5. Mullvad Browser as anti-fingerprint companion ────────────
+  # Layered alongside Trivalent (kept as default per STRATEGY.md).
+  # Trivalent for daily browsing, Mullvad for pseudonymous browsing.
+  # Thorium remains opt-in only via `ujust install-thorium` — see
+  # config/thorium.just for the warning + install logic.
+  - type: rpm-ostree
+    install:
+      - mullvad-browser
+
+  # ── 6. Mesh stack packages ──────────────────────────────────────
+  # Layer 1 (Day 1 daily driver, service pre-disabled): Tailscale
+  # Layer 2 (Day 1 idle warm-fallback): Yggdrasil-go
+  # Layer 3 (opt-in via ujust): Reticulum / RetiNet — handled in just/
+  - type: rpm-ostree
+    install:
+      - tailscale
+      - yggdrasil
+
+  # ── 7. ujust recipes for opt-in components ──────────────────────
+  - type: files
+    files:
+      - source: config/just
+        destination: /usr/share/ublue-os/just
+
+  # ── 8. Service tuning: tailscale pre-disabled, yggdrasil idle ───
+  - type: systemd
+    system:
+      enabled:
+        - yggdrasil.service        # idle warm-fallback (config = empty Listen[])
+      disabled:
+        - tailscaled.service       # awaits first-boot prompt for join
+        # secureblue parents already enable: sshd, fail2ban, usbguard,
+        # auditd, firewalld, chronyd, sddm — no re-enable needed.
+
+  # ── 9. veilor-os specific systemd units ─────────────────────────
+  # veilor-firstboot.service comes in via overlay/etc/systemd/system/
+  # — needs explicit enable since it's not part of secureblue's set.
+  - type: systemd
+    system:
+      enabled:
+        - veilor-firstboot.service
+        - veilor-modules-lock.service
+
+  # ── 10. signing config ──────────────────────────────────────────
+  # bluebuild emits cosign.pub at root; CI uses the pinned key
+  # generated for veilor-org. signed-by reference for bootc upgrade
+  # signature verification.
+  - type: signing

kickstart/install-ostreecontainer.ks

@@ -0,0 +1,80 @@
+# veilor-os install kickstart — v0.7 spike (ostreecontainer path)
+#
+# This is the install-time kickstart for the v0.7 hybrid path. The live
+# ISO boots; the gum TUI collects user answers (disk, LUKS pw, admin pw);
+# this template gets the answers substituted in and is fed to anaconda.
+#
+# Anaconda partitions the disk + creates LUKS + btrfs subvols + mounts
+# /boot/efi + /boot, then `ostreecontainer` populates `/` directly from
+# the cosign-signed veilor-os OCI image at `ghcr.io/veilor-org/veilor-os:43`.
+#
+# No `%packages` block. No first-boot rebase. No
+# `veilor-firstboot-rebase.service`. The ostreecontainer install pass is
+# the entire transition from "Fedora live ISO" to "veilor-os on disk".
+#
+# Reference: pykickstart docs ostreecontainer command;
+# https://docs.fedoraproject.org/en-US/bootc/anaconda-install/
+
+# ── Locale / keyboard / time ──
+keyboard --xlayouts='us'
+lang en_US.UTF-8
+timezone Europe/London --utc
+
+# ── Install mode / behaviour ──
+firstboot --disable
+eula --agreed
+# SELinux state inherited from the OCI image; --enforcing is implicit
+# since secureblue's image ships /etc/selinux/config = enforcing.
+selinux --enforcing
+
+# ── Network / hostname ──
+network --bootproto=dhcp --device=link --activate --hostname=__HOSTNAME__
+firewall --enabled --service=ssh
+
+# ── Identity (single LUKS prompt asked at install via gum TUI) ──
+rootpw --lock
+user --name=admin --groups=wheel --gecos="veilor admin" --password=__ADMIN_PW__ --plaintext
+
+# ── Bootloader ──
+# fbcon=nodefer for laptop KMS handoff (real-hardware audit, agent 9 of
+# 2026-05-05 wave). rd.luks.options=tries=5,timeout=0 for UX.
+# rd.luks.uuid is auto-injected by anaconda based on the encrypted
+# part directive below.
+#
+# All other hardening kargs (lockdown=integrity, slab_nomerge, etc.)
+# come from /usr/lib/bootc/kargs.d/ inside the OCI image — bootc
+# applies them at install time. We only add what the OCI image can't
+# know (laptop-specific KMS flag).
+bootloader --append="fbcon=nodefer"
+
+# ── Disk: LUKS2 (argon2id) + btrfs subvols ──
+zerombr
+clearpart --all --initlabel --drives=__DISK_BASENAME__
+part /boot/efi --fstype=efi --size=600
+part /boot     --fstype=ext4 --size=1024
+part btrfs.veilor --grow --encrypted --luks-version=luks2 --pbkdf=argon2id --passphrase=__LUKS_PW__
+btrfs none --label=veilor btrfs.veilor
+btrfs /     --subvol --name=root LABEL=veilor
+btrfs /home --subvol --name=home LABEL=veilor
+
+# ── ostreecontainer: populate / from the veilor-os OCI image ──
+# `--transport=registry` pulls from ghcr.io directly. Authentication
+# token can be supplied via /etc/ostree/auth.json baked into the live
+# rootfs OR via a kickstart `--remote-token` if the registry is private.
+# At v0.7 spike the OCI image is public, so no auth needed.
+#
+# DO NOT migrate to the new `bootc` kickstart command until v1.0 — it
+# blocks multi-disk and authenticated registries (per parent-operator
+# handoff 2026-05-05).
+ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry
+
+# ── %post (chroot) — minimal; OCI image already has everything ──
+# What we keep:
+#   - chage -d 0 admin so first SDDM login forces password change
+#   - hostname write (anaconda's --hostname doesn't always survive)
+#   - veilor-firstboot.service is enabled in the OCI image already
+%post
+set -uo pipefail
+echo veilor > /etc/hostname
+chage -d 0 admin || true
+%end