veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
veilor-os/bluebuild/recipe.yml
obsidian-ai 6391b1104b bluebuild(recipe): reconcile kickstart %post into BlueBuild modules (A2) 
Walk every action in kickstart/veilor-os.ks %post and map to its
v0.7 atomic equivalent:

Build-time script additions:
- chmod +x /usr/share/veilor-os/scripts/* + /usr/local/bin/veilor-*
  (BlueBuild type:files sometimes drops perms)
- fc-cache -f after Fira Code stamping
- os-release brand override (NAME=veilor-os, ID=veilor, ID_LIKE)
- brand-leak guard: fail the image build if any onyx/personal data
  slipped through into shipped state

Layered packages:
- zram-generator (memory hygiene; replaces dnf install in kickstart)
- jq (used by veilor-doctor for `bootc status --json`)
- vim-enhanced + tmux + htop (admin essentials, parity with v0.5.x)

Systemd unit enables added:
- veilor-postinstall.service (first-login TUI; new in A3)
- veilor-doctor.timer (weekly drift check; new in A3)

Dropped: anaconda transaction_progress.py patch (build-time CI work,
not image content); SDDM display-manager symlink (kinoite ships
sddm.service already); SELinux module build (secureblue has its
own); systemctl set-default multi-user.target (kinoite is
graphical.target by design).
2026-05-06 16:50:02 +01:00

156 lines
No EOL
6.7 KiB
YAML
Raw Blame History

# veilor-os — BlueBuild recipe (v0.7 spike, 1-day target)
#
# Extends secureblue's hardened Kinoite OCI image with veilor branding,
# threat-model-driven UX choices, and the three-layer mesh stack
# (Tailscale + Yggdrasil + opt-in Reticulum). This is the OCI image
# that the v0.7+ kickstart's `ostreecontainer` directive pulls into
# the target root during the install pass.
#
# Build: bluebuild build recipe.yml
# Test: podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash
# CI: .github/workflows/build-bluebuild.yml signs + pushes to GHCR.
#
# Reference: https://blue-build.org/reference/recipe/
---
name: veilor-os
description: Hardened security-branded Fedora KDE on top of secureblue.
# Base image: secureblue's hardened Kinoite variant with userns sandboxing.
# That brings in: sysctl + kargs + custom SELinux policy + USBGuard +
# hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser.
base-image: ghcr.io/secureblue/securecore-kinoite-hardened-userns
image-version: latest
modules:
# ── 1. veilor branding overlay ──────────────────────────────────
# Stamps our overlay/* tree onto the OCI image. KDE color scheme,
# Plymouth theme, SDDM theme, fontconfig, os-release.
- type: files
files:
- source: ../overlay
destination: /
- type: files
files:
- source: ../assets
destination: /usr/share/veilor-os/assets
- type: files
files:
- source: ../scripts
destination: /usr/share/veilor-os/scripts
# ── 2. Branding overrides at build time ─────────────────────────
- type: script
snippets:
- |
# os-release brand
sed -i \
-e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \
/etc/default/grub 2>/dev/null || true
# Apply our kde-theme + plymouth in build
bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true
bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true
plymouth-set-default-theme details 2>/dev/null || true
# Mark all our shipped scripts + CLIs executable. cp -a from the
# repo preserves perms but BlueBuild's `type: files` sometimes
# drops the +x bit on the way through; belt-and-braces here.
chmod +x /usr/share/veilor-os/scripts/*.sh \
/usr/share/veilor-os/scripts/selinux/*.sh \
/usr/local/bin/veilor-* 2>/dev/null || true
# Refresh fontconfig cache so Fira Code is picked up by KDE
fc-cache -f 2>/dev/null || true
# os-release brand override (atomic /etc is r/w; safe to overwrite)
if [ -f /etc/os-release ]; then
sed -i \
-e 's|^NAME=.*|NAME="veilor-os"|' \
-e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \
-e 's|^ID=.*|ID=veilor|' \
-e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
/etc/os-release || true
fi
# Sanity: brand-leak check, fail build if any onyx/personal data slipped in
if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
/etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then
echo "[ERR] brand leak detected in shipped state"
exit 1
fi
# ── 3. Override secureblue's run0-only — restore sudo ───────────
# secureblue removes sudo + replaces with run0. Too disruptive for
# daily-driver workflows. Restore sudo, keep run0 available.
- type: rpm-ostree
install:
- sudo
# ── 4. Re-enable Xwayland ───────────────────────────────────────
# secureblue disables Xwayland for attack-surface reduction. Some
# apps (Element, Slack-likes, older Qt5 tools) still need it.
# User who wants it removed back can `rpm-ostree override remove`.
- type: rpm-ostree
install:
- xorg-x11-server-Xwayland
# ── 5. Mullvad Browser as anti-fingerprint companion ────────────
# Layered alongside Trivalent (kept as default per STRATEGY.md).
# Trivalent for daily browsing, Mullvad for pseudonymous browsing.
# Thorium remains opt-in only via `ujust install-thorium` — see
# config/thorium.just for the warning + install logic.
- type: rpm-ostree
install:
- mullvad-browser
# ── 6. Mesh stack packages ──────────────────────────────────────
# Layer 1 (Day 1 daily driver, service pre-disabled): Tailscale
# Layer 2 (Day 1 idle warm-fallback): Yggdrasil-go
# Layer 3 (opt-in via ujust): Reticulum / RetiNet — handled in just/
- type: rpm-ostree
install:
- tailscale
- yggdrasil
# ── 6b. Memory hygiene + ergonomic deps ─────────────────────────
# zram-generator gives us zram swap (no disk swap, no cold-boot
# leak). gum is the TUI primitive used by veilor-postinstall +
# veilor-update + veilor-doctor — vendor binary at build time so
# post-install layering doesn't need it.
- type: rpm-ostree
install:
- zram-generator
- jq
- vim-enhanced
- tmux
- htop
# ── 7. ujust recipes for opt-in components ──────────────────────
- type: files
files:
- source: config/just
destination: /usr/share/ublue-os/just
# ── 8. Service tuning: tailscale pre-disabled, yggdrasil idle ───
- type: systemd
system:
enabled:
- yggdrasil.service # idle warm-fallback (config = empty Listen[])
disabled:
- tailscaled.service # awaits first-boot prompt for join
# secureblue parents already enable: sshd, fail2ban, usbguard,
# auditd, firewalld, chronyd, sddm — no re-enable needed.
# ── 9. veilor-os specific systemd units ─────────────────────────
# All veilor-* units come in via overlay/etc/systemd/system/ —
# explicit enable here since they aren't part of secureblue's set.
- type: systemd
system:
enabled:
- veilor-firstboot.service
- veilor-modules-lock.service
- veilor-postinstall.service
- veilor-doctor.timer
# ── 10. signing config ──────────────────────────────────────────
# bluebuild emits cosign.pub at root; CI uses the pinned key
# generated for veilor-org. signed-by reference for bootc upgrade
# signature verification.
- type: signing
Reference in a new issue View git blame Copy permalink