veilor-os/bluebuild/recipe.yml
s8n-ru c0ea2b3911
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + push OCI (push) Failing after 2h51m6s
Build veilor-os Installer ISO / Build installer ISO (push) Failing after 27s
perf(bluebuild): collapse modules to cut overlayfs commit cost
Run 183 (2026-05-08) hit runner timeout at 3h10min not on brand-leak
grep (already moved to CI smoke-test in 7027026) but on per-layer
commit cost. Each RUN/COPY layer COMMIT under fuse-overlayfs over
secureblue's ~130-layer hardened base eats ~40min wallclock:

  STEP 10 cp keys     23:55:59 -> 00:34:02   38min
  STEP 11 cp bins     00:34:02 -> 01:16:17   42min
  STEP 12 cp nushell  01:16:17 -> 01:58:17   42min
  STEP 13 pre_build   01:58:17 -> 02:41:48   43min
  STEP 14 brand sed   02:41:48 -> killed 04:02:59 (1h21min, runner-
                                                   side timeout
                                                   below the 360min
                                                   workflow cap)

Ergo: every module saved = ~40min wallclock saved.

Collapses:
  - 5x rpm-ostree -> 1x   (-4 layers)  sudo + Xwayland + mullvad-
    browser + tailscale + yggdrasil + zram-generator + jq + vim-
    enhanced + tmux + htop now in one install: list
  - 2x containerfile -> 1x (-1 layer) brand-sed + systemctl enable/
    disable merged into one RUN snippet (BlueBuild docs: each
    snippet entry == its own layer, so single snippet stays single
    layer)
  - 4x copy -> 4x (no change) BlueBuild copy module is
    one-src/dest-per-entry per
    https://blue-build.org/reference/modules/copy/. Floor unless we
    drop down to a hand-rolled Containerfile.

Net: 12 -> 7 modules. Expected savings ~5x40min ~= 3h20min off the
~3h10min run-183 wallclock. That should land us comfortably under
the runner timeout with budget for the actual layer work.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-08 04:27:44 +01:00
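The layer arithmetic in the commit message above (one layer per module, one per `containerfile` snippet, ~40min each against a 360min runner cap) as a pre-flight check you can run before pushing. This is an added example, not part of the commit or the veilor-os project: it counts layers in a recipe with a line-oriented awk heuristic (assumed to be sufficient for the `- type:` / `- |` layout this recipe uses; it is not a YAML parser), projects wallclock from the page's per-layer figure, and fails when the projection exceeds the cap. The sample recipe embedded at the bottom is constructed to mirror the collapsed 7-module layout.

```shell
#!/bin/sh
# Pre-flight estimate of BlueBuild layer count and wallclock for a recipe.
# Counting rules from the commit message: every module is one layer, except
# `type: containerfile`, where each `snippets` entry is its own layer.
# PER_LAYER_MIN and RUNNER_CAP_MIN are the figures quoted there.
PER_LAYER_MIN=40
RUNNER_CAP_MIN=360

# recipe_layers FILE -> prints the projected number of image layers.
# Heuristic (assumption): module starts are `- type: <name>` lines and
# containerfile snippets are `- |` block scalars; comments are skipped.
recipe_layers() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*-[[:space:]]*type:[[:space:]]*containerfile/ { in_cf = 1; next }
        /^[[:space:]]*-[[:space:]]*type:/ { in_cf = 0; layers++; next }
        in_cf && /^[[:space:]]*-[[:space:]]*[|]/ { layers++ }
        END { print layers + 0 }
    ' "$1"
}

# projected_minutes LAYERS -> wallclock estimate at PER_LAYER_MIN per layer.
projected_minutes() {
    echo $(( $1 * PER_LAYER_MIN ))
}

# preflight FILE -> one-line verdict; returns 0 if the projection fits the
# runner cap, 1 otherwise (so it can gate a CI job or a pre-push hook).
preflight() {
    layers=$(recipe_layers "$1")
    mins=$(projected_minutes "$layers")
    if [ "$mins" -le "$RUNNER_CAP_MIN" ]; then
        echo "$1: $layers layers, ~${mins}min projected (cap ${RUNNER_CAP_MIN}min): OK"
        return 0
    fi
    echo "$1: $layers layers, ~${mins}min projected (cap ${RUNNER_CAP_MIN}min): OVER BUDGET"
    return 1
}

# Constructed sample recipe mirroring the collapsed veilor-os layout:
# 4 copy + 1 rpm-ostree + 1 containerfile (1 snippet) + 1 signing = 7 layers.
SAMPLE_RECIPE=$(mktemp)
cat > "$SAMPLE_RECIPE" <<'EOF'
name: sample
modules:
  # four copy modules (one COPY layer each)
  - type: copy
    source: ../overlay
    destination: /
  - type: copy
    source: ../assets
    destination: /usr/share/veilor-os/assets
  - type: copy
    source: ../scripts
    destination: /usr/share/veilor-os/scripts
  - type: copy
    source: config/just
    destination: /usr/share/ublue-os/just
  - type: rpm-ostree
    install:
      - sudo
      - tailscale
  - type: containerfile
    snippets:
      - |
        RUN echo one-layer
  - type: signing
EOF

preflight "$SAMPLE_RECIPE"
rm -f "$SAMPLE_RECIPE"
```

Run it as `sh preflight.sh` for the self-demo, or call `preflight bluebuild/recipe.yml` from a CI step; the 12-module layout the commit message starts from projects to 480min and fails the check, the 7-module layout projects to 280min and passes.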

136 lines
6.4 KiB
YAML

# veilor-os — BlueBuild recipe (v0.7 spike, 1-day target)
#
# Extends secureblue's hardened Kinoite OCI image with veilor branding,
# threat-model-driven UX choices, and the three-layer mesh stack
# (Tailscale + Yggdrasil + opt-in Reticulum). This is the OCI image
# that the v0.7+ kickstart's `ostreecontainer` directive pulls into
# the target root during the install pass.
#
# Build: bluebuild build recipe.yml
# Test: podman run --rm -it ghcr.io/veilor-org/veilor-os:43 /bin/bash
# CI: .github/workflows/build-bluebuild.yml signs + pushes to GHCR.
#
# Reference: https://blue-build.org/reference/recipe/
#
# ── Module collapse history ──────────────────────────────────────
# Run 183 (2026-05-08) ate 3h10min before runner timeout: each RUN/COPY
# layer COMMIT under fuse-overlayfs over secureblue's 130-layer hardened
# base costs ~40min wallclock (STEP 10..13 each 38-43min). Ergo: every
# saved module = ~40min saved. Collapsed:
# - 5× rpm-ostree → 1× (-4 layers)
# - 2× containerfile (brand sed + systemctl enable) → 1× (-1 layer)
# - 4× copy left as-is — BlueBuild copy module is one src/dest per
# entry per https://blue-build.org/reference/modules/copy/
# Net: 12 → 7 modules, ~5×40min ≈ 3h20min off wallclock budget.
---
name: veilor-os
description: Hardened security-branded Fedora KDE on top of secureblue.
# Base image: secureblue's hardened Kinoite variant with userns sandboxing.
# That brings in: sysctl + kargs + custom SELinux policy + USBGuard +
# hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser.
base-image: ghcr.io/secureblue/kinoite-main-hardened
image-version: latest
modules:
  # ── 1. veilor branding overlay ──────────────────────────────────
  # `type: copy` is a low-level direct COPY (no chmod, no script).
  # `type: files` was failing with `chmod: Operation not permitted` on
  # the BlueBuild-shipped /tmp/modules/files/files.sh under buildah +
  # podman privileged in our runner — the script tries to make itself
  # executable inside its own bind-mounted layer.
  #
  # NOTE: Each copy module = one COPY layer (~40min commit on our
  # runner). BlueBuild's copy module accepts a single src/dest pair
  # only, so these four entries are the floor unless we move to a
  # hand-rolled Containerfile.
  - type: copy
    source: ../overlay
    destination: /
  - type: copy
    source: ../assets
    destination: /usr/share/veilor-os/assets
  - type: copy
    source: ../scripts
    destination: /usr/share/veilor-os/scripts
  - type: copy
    source: config/just
    destination: /usr/share/ublue-os/just
  # ── 2. All package layering in one rpm-ostree pass ──────────────
  # secureblue removes sudo + replaces with run0 (too disruptive for
  # daily-driver) — restore. Xwayland was disabled for attack-surface
  # reduction — restore for Element/Slack/Qt5 apps. Mullvad Browser
  # layered alongside Trivalent (Trivalent default per STRATEGY.md;
  # Mullvad for pseudonymous browsing). Mesh stack: Tailscale (Layer
  # 1, daily driver, pre-disabled), Yggdrasil-go (Layer 2, idle warm-
  # fallback). Reticulum/RetiNet stays opt-in via ujust. Memory
  # hygiene + ergonomic deps for veilor-postinstall + veilor-doctor.
  #
  # Collapsed from 5 rpm-ostree modules → 1 to drop 4 layer commits
  # (~160min wallclock on our buildah+fuse-overlayfs runner).
  - type: rpm-ostree
    install:
      - sudo
      - xorg-x11-server-Xwayland
      - mullvad-browser
      - tailscale
      - yggdrasil
      - zram-generator
      - jq
      - vim-enhanced
      - tmux
      - htop
  # ── 3. Branding overrides + systemd unit toggles in one RUN ─────
  # Use raw `type: containerfile` (RUN line) instead of `type: script`
  # / `type: systemd` — bluebuild's helper scripts fail 'chmod:
  # Operation not permitted' on their own bind-mounted layer under
  # podman/buildah privileged. Raw RUN bypasses the helper.
  #
  # Single snippet (= single layer) merges:
  # - brand sed of /etc/os-release + GRUB_DISTRIBUTOR
  # - kde-theme + v03-theme apply scripts
  # - plymouth default-theme
  # - chmod +x on shipped veilor-* scripts/binaries
  # - fc-cache rebuild
  # - systemctl enable yggdrasil + veilor-{firstboot,modules-lock,
  #   postinstall}.service + veilor-doctor.timer
  # - systemctl disable tailscaled (Day-1-disabled per threat model)
  #
  # Every command below is `|| true`-guarded, so a failed sed or
  # systemctl call is silent at build time; verify the result on the
  # built image rather than trusting the layer.
  #
  # brand-leak grep moved to CI smoke-test in build-bluebuild.yml
  # (STEP 14 hung under buildah overlayfs, run 171 2026-05-07).
  - type: containerfile
    snippets:
      - |
        RUN sed -i -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' /etc/default/grub 2>/dev/null || true ; \
            bash /usr/share/veilor-os/scripts/kde-theme-apply.sh 2>/dev/null || true ; \
            bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true ; \
            plymouth-set-default-theme details 2>/dev/null || true ; \
            chmod +x /usr/share/veilor-os/scripts/*.sh \
                     /usr/share/veilor-os/scripts/selinux/*.sh \
                     /usr/local/bin/veilor-* 2>/dev/null || true ; \
            fc-cache -f 2>/dev/null || true ; \
            if [ -f /etc/os-release ]; then \
              sed -i \
                -e 's|^NAME=.*|NAME="veilor-os"|' \
                -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \
                -e 's|^ID=.*|ID=veilor|' \
                -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
                /etc/os-release || true ; \
            fi ; \
            systemctl enable yggdrasil.service 2>/dev/null || true ; \
            systemctl disable tailscaled.service 2>/dev/null || true ; \
            systemctl enable veilor-firstboot.service 2>/dev/null || true ; \
            systemctl enable veilor-modules-lock.service 2>/dev/null || true ; \
            systemctl enable veilor-postinstall.service 2>/dev/null || true ; \
            systemctl enable veilor-doctor.timer 2>/dev/null || true
  # ── 4. signing config ───────────────────────────────────────────
  # cosign.pub committed alongside this recipe; cosign.key kept off
  # repo and provided to CI as Forgejo secret COSIGN_PRIVATE_KEY.
  # The action exports it to /tmp at build time.
  - type: signing
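Every command in the recipe's RUN snippet is `|| true`-guarded, so a sed that matches nothing or a `systemctl enable` that fails leaves no trace in the build, and the recipe moves the brand-leak check into a CI smoke-test. The following is an added example of such a post-build check, not the project's own build-bluebuild.yml: pointed at a built rootfs (for instance a container's mounted root, or an extracted image), it verifies the os-release and GRUB_DISTRIBUTOR values the snippet writes and the exact enable/disable set of units. The unit check assumes `systemctl enable` materialised a `*.wants/` or `*.requires/` symlink under /etc/systemd/system (units installed through `[Install] WantedBy`/`RequiredBy`, not aliases); the fixture roots built for the self-demo are constructed.

```shell
#!/bin/sh
# Post-build smoke-test for the veilor-os branding + unit-toggle RUN layer.
# Expected values are the ones the recipe's sed writes; unit names are the
# ones it enables/disables.

# check_branding ROOT -> 0 if /etc/os-release and /etc/default/grub carry
# the veilor values, 1 otherwise (each mismatch is printed).
check_branding() {
    root=$1; rc=0
    for kv in 'NAME="veilor-os"' 'PRETTY_NAME="veilor-os 0.7 (atomic)"' \
              'ID=veilor' 'ID_LIKE="fedora kinoite"'; do
        grep -qxF "$kv" "$root/etc/os-release" 2>/dev/null \
            || { echo "os-release: missing $kv"; rc=1; }
    done
    grep -qxF 'GRUB_DISTRIBUTOR="veilor-os"' "$root/etc/default/grub" 2>/dev/null \
        || { echo "grub: GRUB_DISTRIBUTOR not set to veilor-os"; rc=1; }
    return $rc
}

# unit_enabled ROOT UNIT -> 0 if a *.wants/ or *.requires/ symlink for UNIT
# exists under /etc/systemd/system, which is what `systemctl enable` creates
# (assumption: the units use [Install] WantedBy/RequiredBy). Dangling links
# still count: -type l uses lstat.
unit_enabled() {
    [ -n "$(find "$1/etc/systemd/system" \( -path '*.wants/*' -o -path '*.requires/*' \) \
                 -name "$2" -type l 2>/dev/null)" ]
}

# check_units ROOT -> verifies the enable/disable set from the recipe.
check_units() {
    root=$1; rc=0
    for u in yggdrasil.service veilor-firstboot.service veilor-modules-lock.service \
             veilor-postinstall.service veilor-doctor.timer; do
        unit_enabled "$root" "$u" || { echo "unit not enabled: $u"; rc=1; }
    done
    # Day-1-disabled per the threat model: must not be wanted by any target.
    if unit_enabled "$root" tailscaled.service; then
        echo "unit enabled but should be disabled: tailscaled.service"; rc=1
    fi
    return $rc
}

# smoke_test ROOT -> runs both checks; 0 only if everything passes.
smoke_test() {
    check_branding "$1"; b_rc=$?
    check_units "$1"; u_rc=$?
    [ "$b_rc" -eq 0 ] && [ "$u_rc" -eq 0 ]
}

# make_fixture_root DIR GOOD -> constructed rootfs for the self-demo.
# GOOD=1 mirrors what the RUN layer should produce; GOOD=0 mimics a layer
# whose guarded commands silently failed (stock os-release, tailscaled wanted).
make_fixture_root() {
    d=$1; good=$2
    mkdir -p "$d/etc/default" "$d/etc/systemd/system/multi-user.target.wants" \
             "$d/etc/systemd/system/timers.target.wants"
    if [ "$good" -eq 1 ]; then
        printf 'NAME="veilor-os"\nPRETTY_NAME="veilor-os 0.7 (atomic)"\nID=veilor\nID_LIKE="fedora kinoite"\n' \
            > "$d/etc/os-release"
        printf 'GRUB_DISTRIBUTOR="veilor-os"\n' > "$d/etc/default/grub"
        for u in yggdrasil.service veilor-firstboot.service veilor-modules-lock.service veilor-postinstall.service; do
            ln -s "/usr/lib/systemd/system/$u" "$d/etc/systemd/system/multi-user.target.wants/$u"
        done
        ln -s /usr/lib/systemd/system/veilor-doctor.timer \
              "$d/etc/systemd/system/timers.target.wants/veilor-doctor.timer"
    else
        printf 'NAME="Fedora Linux"\nID=fedora\n' > "$d/etc/os-release"
        printf 'GRUB_DISTRIBUTOR="Fedora"\n' > "$d/etc/default/grub"
        ln -s /usr/lib/systemd/system/tailscaled.service \
              "$d/etc/systemd/system/multi-user.target.wants/tailscaled.service"
    fi
}

if [ $# -ge 1 ]; then
    smoke_test "$1"          # real use: sh smoke.sh /path/to/built/rootfs
else
    T=$(mktemp -d)           # self-demo against constructed fixtures
    make_fixture_root "$T/good" 1; make_fixture_root "$T/bad" 0
    smoke_test "$T/good" && echo "good rootfs: PASS"
    smoke_test "$T/bad" || echo "bad rootfs: FAIL (as expected)"
    rm -rf "$T"
fi
```

With a container runtime at hand the real invocation is `podman run --rm ghcr.io/veilor-org/veilor-os:43 ...` or a mounted image root passed as the first argument; a non-zero exit fails the CI job, which is the failure the `|| true` guards in the layer itself can never produce.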