# veilor-os — BlueBuild recipe (v0.7 spike, 1-day target) # # Extends secureblue's hardened Kinoite OCI image with veilor branding, # threat-model-driven UX choices, and the three-layer mesh stack # (Tailscale + Yggdrasil + opt-in Reticulum). This is the OCI image # that the v0.7+ kickstart's `ostreecontainer` directive pulls into # the target root during the install pass. # # Build: bluebuild build recipe.yml # Test: podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash # CI: .github/workflows/build-bluebuild.yml signs + pushes to GHCR. # # Reference: https://blue-build.org/reference/recipe/ --- name: veilor-os description: Hardened security-branded Fedora KDE on top of secureblue. # Base image: secureblue's hardened Kinoite variant with userns sandboxing. # That brings in: sysctl + kargs + custom SELinux policy + USBGuard + # hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser. base-image: ghcr.io/secureblue/kinoite-main-hardened image-version: latest modules: # ── 1. veilor branding overlay ────────────────────────────────── # Stamps our overlay/* tree onto the OCI image. KDE color scheme, # Plymouth theme, SDDM theme, fontconfig, os-release. - type: files files: - source: ../overlay destination: / - type: files files: - source: ../assets destination: /usr/share/veilor-os/assets - type: files files: - source: ../scripts destination: /usr/share/veilor-os/scripts # ── 2. Branding overrides at build time ───────────────────────── - type: script snippets: - | # os-release brand sed -i \ -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \ /etc/default/grub 2>/dev/null || true # Apply our kde-theme + plymouth in build bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true plymouth-set-default-theme details 2>/dev/null || true # Mark all our shipped scripts + CLIs executable. cp -a from the # repo preserves perms but BlueBuild's `type: files` sometimes # drops the +x bit on the way through; belt-and-braces here. chmod +x /usr/share/veilor-os/scripts/*.sh \ /usr/share/veilor-os/scripts/selinux/*.sh \ /usr/local/bin/veilor-* 2>/dev/null || true # Refresh fontconfig cache so Fira Code is picked up by KDE fc-cache -f 2>/dev/null || true # os-release brand override (atomic /etc is r/w; safe to overwrite) if [ -f /etc/os-release ]; then sed -i \ -e 's|^NAME=.*|NAME="veilor-os"|' \ -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \ -e 's|^ID=.*|ID=veilor|' \ -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \ /etc/os-release || true fi # Sanity: brand-leak check, fail build if any onyx/personal data slipped in if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \ /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then echo "[ERR] brand leak detected in shipped state" exit 1 fi # ── 3. Override secureblue's run0-only — restore sudo ─────────── # secureblue removes sudo + replaces with run0. Too disruptive for # daily-driver workflows. Restore sudo, keep run0 available. - type: rpm-ostree install: - sudo # ── 4. Re-enable Xwayland ─────────────────────────────────────── # secureblue disables Xwayland for attack-surface reduction. Some # apps (Element, Slack-likes, older Qt5 tools) still need it. # User who wants it removed back can `rpm-ostree override remove`. - type: rpm-ostree install: - xorg-x11-server-Xwayland # ── 5. Mullvad Browser as anti-fingerprint companion ──────────── # Layered alongside Trivalent (kept as default per STRATEGY.md). # Trivalent for daily browsing, Mullvad for pseudonymous browsing. # Thorium remains opt-in only via `ujust install-thorium` — see # config/thorium.just for the warning + install logic. - type: rpm-ostree install: - mullvad-browser # ── 6. Mesh stack packages ────────────────────────────────────── # Layer 1 (Day 1 daily driver, service pre-disabled): Tailscale # Layer 2 (Day 1 idle warm-fallback): Yggdrasil-go # Layer 3 (opt-in via ujust): Reticulum / RetiNet — handled in just/ - type: rpm-ostree install: - tailscale - yggdrasil # ── 6b. Memory hygiene + ergonomic deps ───────────────────────── # zram-generator gives us zram swap (no disk swap, no cold-boot # leak). gum is the TUI primitive used by veilor-postinstall + # veilor-update + veilor-doctor — vendor binary at build time so # post-install layering doesn't need it. - type: rpm-ostree install: - zram-generator - jq - vim-enhanced - tmux - htop # ── 7. ujust recipes for opt-in components ────────────────────── - type: files files: - source: config/just destination: /usr/share/ublue-os/just # ── 8. Service tuning: tailscale pre-disabled, yggdrasil idle ─── - type: systemd system: enabled: - yggdrasil.service # idle warm-fallback (config = empty Listen[]) disabled: - tailscaled.service # awaits first-boot prompt for join # secureblue parents already enable: sshd, fail2ban, usbguard, # auditd, firewalld, chronyd, sddm — no re-enable needed. # ── 9. veilor-os specific systemd units ───────────────────────── # All veilor-* units come in via overlay/etc/systemd/system/ — # explicit enable here since they aren't part of secureblue's set. - type: systemd system: enabled: - veilor-firstboot.service - veilor-modules-lock.service - veilor-postinstall.service - veilor-doctor.timer # ── 10. signing config ────────────────────────────────────────── # bluebuild emits cosign.pub at root; CI uses the pinned key # generated for veilor-org. signed-by reference for bootc upgrade # signature verification. - type: signing