c152953089
Generated a cosign keypair for v0.7 OCI signing. - bluebuild/cosign.pub committed alongside the recipe - cosign.key stored on operator workstation only (chmod 600) - COSIGN_PRIVATE_KEY Forgejo Actions secret set to the same key - Workflow stages the secret to bluebuild/cosign.key at build time (chmod 600), where the BlueBuild signing module picks it up - .gitignore guards against any cosign.key accidental commit - Restored the type:signing module in recipe.yml The 'stage-keys' COPY step in BlueBuild's generated containerfile fails without cosign.pub adjacent to recipe.yml even when type:signing is removed; re-add the module + provide real keys. |
||
|---|---|---|
| .. | ||
| config/just | ||
| cosign.pub | ||
| README.md | ||
| recipe.yml | ||
bluebuild/ — v0.7 spike
This directory contains the BlueBuild recipe + supporting config that
builds the veilor-os bootable OCI image. Active on the
v0.7-bluebuild-spike branch only. Does NOT land in v0.5.x main
until the spike passes its success criteria (see
docs/STRATEGY.md).
What's here
bluebuild/
├── recipe.yml # primary BlueBuild recipe
├── config/
│ └── just/
│ └── 60-veilor.just # ujust recipes for opt-in components
└── README.md # this file
The recipe extends
ghcr.io/secureblue/kinoite-main-hardened:latest. We
inherit secureblue's hardening (sysctl + kargs + custom SELinux
policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS +
Trivalent browser + cosign-signed image chain). On top, we layer:
- veilor branding (overlay/, theme, plymouth, sddm, os-release)
- mullvad-browser (anti-fingerprint companion to Trivalent)
- xorg-x11-server-Xwayland (re-enable; secureblue disables it)
- sudo (re-enable; secureblue replaces with run0)
- tailscale + yggdrasil (mesh stack layer 1 + 2)
- ujust recipes for Reticulum (mesh layer 3) + Thorium (opt-in browser)
Trivalent stays as the default browser (correcting an earlier draft).
Build locally
# Requires bluebuild CLI:
# curl -fsSL https://raw.githubusercontent.com/blue-build/cli/main/install.sh | sh
cd bluebuild
bluebuild build recipe.yml
Output: localhost/veilor-os:43 in podman storage. Push to GHCR
via the workflow.
Test the OCI image
# Smoke-test (boots into the rootfs; no kernel, no init):
podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash
# Inside, sanity:
cat /etc/os-release # PRETTY_NAME=veilor-os
which sudo # /usr/bin/sudo (re-enabled)
which trivalent # secureblue's COPR (default browser)
which mullvad-browser # /usr/bin/mullvad-browser
systemctl is-enabled yggdrasil # enabled (idle)
systemctl is-enabled tailscaled # disabled (awaits ujust veilor-mesh-join)
Test the installer ISO
The installer ISO is built separately by livecd-creator (current path)
or bootc-image-builder (v1.0+). Its kickstart's %packages block is
replaced with:
ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry
That populates the target's / directly from this OCI image during
the install pass. No first-boot rebase. No transition window.
Spike success criteria (1 day)
bluebuild build recipe.ymlexits 0bootc container lintexits 0 on the resulting imagepodman runsmoke-test (commands above) all pass.github/workflows/build-bluebuild.ymlbuilds + cosign-signs + pushes toghcr.io/veilor-org/veilor-os:43- An installer ISO using
ostreecontaineragainst this OCI reaches SDDM with admin login on first boot
If all five land, merge v0.7-bluebuild-spike → main as v0.7.0.
If any fail in ways that aren't trivially fixable, file each as a GH
issue + return to v0.5.x kickstart path.
See also
docs/STRATEGY.md— the strategic decision + override listdocs/ROADMAP.mdv0.7 — full scheduledocs/THREAT-MODEL.md— what we publish before launch- secureblue: https://github.com/secureblue/secureblue
- BlueBuild: https://blue-build.org
- bootc / ostreecontainer: https://docs.fedoraproject.org/en-US/bootc/