# bluebuild/ — v0.7 spike

This directory contains the BlueBuild recipe + supporting config that builds the veilor-os bootable OCI image.

**Active on the `v0.7-bluebuild-spike` branch only.** Does NOT land in v0.5.x main until the spike passes its success criteria (see `docs/STRATEGY.md`).

## What's here

```
bluebuild/
├── recipe.yml               # primary BlueBuild recipe
├── config/
│   └── just/
│       └── 60-veilor.just   # ujust recipes for opt-in components
└── README.md                # this file
```

The recipe extends `ghcr.io/secureblue/kinoite-main-hardened:latest`. We inherit secureblue's hardening (sysctl + kargs + custom SELinux policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser + cosign-signed image chain). On top, we layer:

- veilor branding (overlay/, theme, plymouth, sddm, os-release)
- mullvad-browser (anti-fingerprint companion to Trivalent)
- xorg-x11-server-Xwayland (re-enable; secureblue disables it)
- sudo (re-enable; secureblue replaces it with run0)
- tailscale + yggdrasil (mesh stack layers 1 + 2)
- ujust recipes for Reticulum (mesh layer 3) + Thorium (opt-in browser)

Trivalent stays as the default browser (correcting an earlier draft). Re-enabling sudo and Xwayland loosens two secureblue defaults on purpose; both are on the override list in `docs/STRATEGY.md`.

## Build locally

```bash
# Requires the bluebuild CLI (fetch and read the script first if you'd rather not pipe it to sh):
#   curl -fsSL https://raw.githubusercontent.com/blue-build/cli/main/install.sh | sh
cd bluebuild
bluebuild build recipe.yml
```

Output: `localhost/veilor-os:43` in podman storage. Push to GHCR via the workflow.
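An illustrative `recipe.yml` that expresses the layering described under "What's here". This is an added sketch, not the recipe on the spike branch: the module types (`files`, `rpm-ostree`, `systemd`, `justfiles`, `signing`) are BlueBuild's, but the overlay path, the `.repo` URLs, the package names and the assumption that `justfiles` reads `config/just/` by default all need checking against the branch.

```yaml
# bluebuild/recipe.yml -- illustrative sketch, NOT the spike branch's recipe.
# Module types are BlueBuild's; repo URLs, overlay path and package names
# are assumptions to verify before use.
name: veilor-os
description: secureblue kinoite-main-hardened plus the veilor v0.7 overrides
base-image: ghcr.io/secureblue/kinoite-main-hardened
image-version: latest

modules:
  # Branding: copy the overlay (plymouth + sddm themes, os-release) onto /.
  # The source path is an assumption; point it at wherever overlay/ lives.
  - type: files
    files:
      - source: overlay
        destination: /

  # Package layer. The tailscale and mullvad .repo URLs are the vendors'
  # published ones (assumed current); the yggdrasil repo is left to fill in.
  - type: rpm-ostree
    repos:
      - https://pkgs.tailscale.com/stable/fedora/tailscale.repo
      - https://repository.mullvad.net/rpm/stable/mullvad.repo
      # - <yggdrasil .repo URL>
    install:
      - mullvad-browser
      - xorg-x11-server-Xwayland   # re-enable; secureblue removes it
      - sudo                       # re-enable; secureblue ships run0 instead
      - tailscale
      - yggdrasil

  # Unit defaults: yggdrasil idles enabled, tailscaled stays off until
  # `ujust veilor-mesh-join` starts it.
  - type: systemd
    system:
      enabled:
        - yggdrasil.service
      disabled:
        - tailscaled.service

  # ujust recipes (Reticulum, Thorium) from config/just/60-veilor.just.
  # Assumes the module's default source directory matches this tree.
  - type: justfiles

  # Keep the cosign-signed chain: ships cosign.pub plus a containers policy
  # so rebases and installs can verify this image, not just secureblue's.
  - type: signing
```

`bluebuild build recipe.yml` with this file would produce the same `localhost/veilor-os:43` tag described above; the `signing` module is what lets the GHCR workflow's cosign signature be checked by consumers rather than merely published.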
## Test the OCI image

```bash
# Smoke-test: drops into a shell on the image rootfs (no kernel, no init,
# so nothing actually boots). systemctl still works here because, without
# systemd as PID 1, it falls back to inspecting unit files client-side.
podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash

# Inside, sanity:
cat /etc/os-release              # PRETTY_NAME=veilor-os
which sudo                       # /usr/bin/sudo (re-enabled)
which trivalent                  # from secureblue's COPR (default browser)
which mullvad-browser            # /usr/bin/mullvad-browser
systemctl is-enabled yggdrasil   # enabled (idle)
systemctl is-enabled tailscaled  # disabled (awaits ujust veilor-mesh-join);
                                 # prints "disabled" AND exits 1, so don't
                                 # chain it with && in a script
```

## Test the installer ISO

The installer ISO is built separately by livecd-creator (current path) or bootc-image-builder (v1.0+). Its kickstart's `%packages` block is replaced with:

```
ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry
```

That populates the target's `/` directly from this OCI image during the install pass. No first-boot rebase. No transition window.

One thing to settle before ticking the ISO criterion: without `--no-signature-verification`, anaconda pulls the image in signed mode, which needs a `/etc/containers/policy.json` in the installer environment that names our cosign public key for `ghcr.io/veilor-org/veilor-os` (the permissive default policy is rejected in that mode). Either ship that policy in the ISO, or pass the flag deliberately and note it on the override list.

## Spike success criteria (1 day)

- [ ] `bluebuild build recipe.yml` exits 0
- [ ] `bootc container lint` exits 0 on the resulting image
- [ ] `podman run` smoke-test (commands above) all pass
- [ ] `.github/workflows/build-bluebuild.yml` builds + cosign-signs + pushes to `ghcr.io/veilor-org/veilor-os:43`
- [ ] An installer ISO using `ostreecontainer` against this OCI image reaches SDDM with admin login on first boot

If all five land, merge `v0.7-bluebuild-spike` → `main` as v0.7.0. If any fail in ways that aren't trivially fixable, file each as a GH issue and return to the v0.5.x kickstart path.

## See also

- `docs/STRATEGY.md` — the strategic decision + override list
- `docs/ROADMAP.md` v0.7 — full schedule
- `docs/THREAT-MODEL.md` — what we publish before launch
- secureblue:
- BlueBuild:
- bootc / ostreecontainer:
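## Scripted smoke-test

The manual checks under "Test the OCI image" and criteria 2 and 3 of the success list, turned into one non-interactive pass/fail script. This is an added example, not a file in the `bluebuild/` directory. It assumes `podman` on the host and the `:43` tag from this README (override with `IMAGE=localhost/veilor-os:43` for a local build); the `run_in_image` indirection is there so the checks can be exercised against a fake before a real image exists, and it tolerates `systemctl is-enabled` exiting 1 for the disabled unit.

```sh
#!/bin/sh
# veilor-smoke.sh -- added example, not part of the bluebuild/ directory.
# Runs the README's sanity checks plus `bootc container lint` against the
# OCI image non-interactively; exit status is the number of failed checks.
set -u
IMAGE="${IMAGE:-ghcr.io/veilor-org/veilor-os:43}"   # assumption: spike tag

# Run one shell command inside the image rootfs (no kernel, no init; the
# container is discarded afterwards). Tests redefine this to fake podman.
run_in_image() {
    podman run --rm "$IMAGE" /bin/sh -c "$1"
}

# check_output NAME CMD REGEX: pass if CMD's stdout matches REGEX.
# CMD's exit status is ignored on purpose: `systemctl is-enabled` prints
# "disabled" *and* exits 1, and that is exactly the state we want for
# tailscaled.
check_output() {
    out=$(run_in_image "$2" 2>/dev/null || true)
    if printf '%s\n' "$out" | grep -Eq -- "$3"; then
        echo "PASS $1"
    else
        echo "FAIL $1: wanted /$3/, got: ${out:-<no output>}" >&2
        return 1
    fi
}

# check_exit NAME CMD: pass if CMD exits 0 inside the image (used for lint).
check_exit() {
    if run_in_image "$2" >/dev/null 2>&1; then
        echo "PASS $1"
    else
        echo "FAIL $1: '$2' exited non-zero" >&2
        return 1
    fi
}

# Runs every check; returns the number of failures (0 = all green).
# Binary paths are only checked to be absolute, not pinned to /usr/bin.
smoke_checks() {
    fails=0
    check_output os-release 'cat /etc/os-release'             '^PRETTY_NAME="?veilor-os' || fails=$((fails + 1))
    check_output sudo       'command -v sudo'                 '^/'                        || fails=$((fails + 1))
    check_output trivalent  'command -v trivalent'            '^/'                        || fails=$((fails + 1))
    check_output mullvad    'command -v mullvad-browser'      '^/'                        || fails=$((fails + 1))
    check_output yggdrasil  'systemctl is-enabled yggdrasil'  '^enabled$'                 || fails=$((fails + 1))
    check_output tailscaled 'systemctl is-enabled tailscaled' '^disabled$'                || fails=$((fails + 1))
    check_exit   bootc-lint 'bootc container lint'                                        || fails=$((fails + 1))
    if [ "$fails" -eq 0 ]; then
        echo "all checks passed"
    else
        echo "$fails check(s) failed" >&2
    fi
    return "$fails"
}

# Entry point only when executed as veilor-smoke.sh, so the file can also be
# sourced (`. ./veilor-smoke.sh`) to unit-test the checks with a fake podman.
case "$0" in
    *veilor-smoke.sh) smoke_checks; exit $? ;;
esac
```

Run it as `sh veilor-smoke.sh` (or `IMAGE=localhost/veilor-os:43 sh veilor-smoke.sh` right after `bluebuild build`); a zero exit covers the two criteria in one CI step, and a non-zero exit equals the count of failed checks so the workflow log shows which ones.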