scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-11-02 03:18:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: improved installation mechanism (#564)

Browse Source
This commit is contained in:
RoyalOughtness
2024-11-18 09:50:57 -08:00
committed by GitHub
parent 944a9e80b9
commit 85ca395515
8 changed files with 349 additions and 231 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/linkspector.yml vendored
View File

@@ -1,4 +1,4 @@
name: Linkspector name: linkspector-scan
on: on:
pull_request: pull_request:
branches: branches:

26
.github/workflows/tests.yml vendored Normal file
View File

@@ -0,0 +1,26 @@
name: run-tests
on:
pull_request:
branches:
- live
paths-ignore:
- "**.md"
workflow_dispatch: # allow manually triggering
jobs:
run_tests:
runs-on: ubuntu-latest
name: Install Bats and run tests
steps:
- name: Checkout repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Bats and bats libs
id: setup-bats
uses: bats-core/bats-action@2104b40bb7b6c2d5110b23a26b0bf265ab8027db #v3.0.0
- name: Run tests
shell: bash
env:
INSTALL_SCRIPT: install/install_secureblue.sh
run: |
bats -p -t --verbose-run .github/workflows/tests

107
.github/workflows/tests/install_script_tests.bats vendored Normal file
View File

@@ -0,0 +1,107 @@
#!/usr/bin/env bats
@test "Script exits with error if rpm-ostree is not installed" {
sudo bash -c 'rm -f /usr/bin/rpm-ostree'
run bash "$INSTALL_SCRIPT"
[ "$status" -eq 1 ]
[[ "$output" == *"This script only runs on Fedora Atomic"* ]]
}
@test "Script passes rpm-ostree check if it is installed" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash "$INSTALL_SCRIPT"
[ "$status" -eq 0 ]
[[ "$output" == *"Welcome to the secureblue interactive installer"* ]]
}
@test "Test command for silverblue-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n1\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"silverblue-main-userns-hardened"* ]]
}
@test "Test command for silverblue-nvidia-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n1\nyes\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"silverblue-nvidia-userns-hardened"* ]]
}
@test "Test command for silverblue-nvidia-open-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n1\nyes\nyes\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"silverblue-nvidia-open-userns-hardened"* ]]
}
@test "Test command for silverblue-nvidia-open-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n1\nyes\nyes\no\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"silverblue-nvidia-open-hardened"* ]]
}
@test "Test command for kinoite-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n2\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"kinoite-main-userns-hardened"* ]]
}
@test "Test command for sericea-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n3\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"sericea-main-userns-hardened"* ]]
}
@test "Test command for wayblue-wayfire-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n4\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"wayblue-wayfire-main-userns-hardened"* ]]
}
@test "Test command for wayblue-sway-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n5\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"wayblue-sway-main-userns-hardened"* ]]
}
@test "Test command for wayblue-river-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n6\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"wayblue-river-main-userns-hardened"* ]]
}
@test "Test command for wayblue-hyprland-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n7\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"wayblue-hyprland-main-userns-hardened"* ]]
}
@test "Test command for cosmic-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'no\n8\nno\nyes\nno' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"cosmic-main-userns-hardened"* ]]
}
@test "Test command for securecore-zfs-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'yes\nyes\nno\nyes\no' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"securecore-zfs-main-userns-hardened"* ]]
}
@test "Test command for securecore-main-userns-hardened" {
sudo bash -c 'echo "empty file" > /usr/bin/rpm-ostree'
run bash -c "echo -e 'yes\nno\nno\nyes\no' | bash '$INSTALL_SCRIPT'"
[ "$status" -eq 0 ]
[[ "$output" == *"securecore-main-userns-hardened"* ]]
}

4
.github/workflows/trivy.yml vendored
View File

@@ -1,4 +1,4 @@
name: trivy name: trivy-scan
on: on:
schedule: schedule:
- cron: "00 8 * * *" # build at 8:00 UTC every day - cron: "00 8 * * *" # build at 8:00 UTC every day
@@ -6,6 +6,8 @@ on:
push: push:
branches: branches:
- live - live
paths-ignore:
- "**.md"
workflow_dispatch: # allow manually triggering builds workflow_dispatch: # allow manually triggering builds
jobs: jobs:

119
docs/IMAGES.md Normal file
View File

@@ -0,0 +1,119 @@
# Images
> [!NOTE]
> Learn about unprivileged user namespaces [here](USERNS.md).
## Desktop
*`nvidia-open` images are recommended for systems with Nvidia GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from Nvidia, not Nouveau.*
*`nvidia` images are recommended for systems with Nvidia GPUs Pascal or older. These include the closed kernel modules from Nvidia.*
### Recommended <sup>[why?](RECOMMENDED.md)</sup>
#### Silverblue
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `silverblue-main-hardened` | Silverblue| No | No |
| `silverblue-nvidia-hardened` | Silverblue| Yes, closed drivers | No |
| `silverblue-nvidia-open-hardened` | Silverblue| Yes, open drivers | No |
| `silverblue-main-userns-hardened` | Silverblue| No | Yes |
| `silverblue-nvidia-userns-hardened` | Silverblue| Yes, closed drivers | Yes |
| `silverblue-nvidia-open-userns-hardened` | Silverblue| Yes, open drivers | Yes |
### Stable
#### Kinoite
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `kinoite-main-hardened` | Kinoite | No | No |
| `kinoite-nvidia-hardened` | Kinoite | Yes, closed drivers | No |
| `kinoite-nvidia-open-hardened` | Kinoite | Yes, open drivers | No |
| `kinoite-main-userns-hardened` | Kinoite | No | Yes |
| `kinoite-nvidia-userns-hardened` | Kinoite | Yes, closed drivers | Yes |
| `kinoite-nvidia-open-userns-hardened` | Kinoite | Yes, open drivers | Yes |
#### Sericea
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `sericea-main-hardened` | Sericea | No | No |
| `sericea-nvidia-hardened` | Sericea | Yes, closed drivers | No |
| `sericea-nvidia-open-hardened` | Sericea | Yes, open drivers | No |
| `sericea-main-userns-hardened` | Sericea | No | Yes |
| `sericea-nvidia-userns-hardened` | Sericea | Yes, closed drivers | Yes |
| `sericea-nvidia-open-userns-hardened` | Sericea | Yes, open drivers | Yes |
### Beta
> [!NOTE]
> Learn about wayblue [here](https://github.com/wayblueorg/wayblue).
#### Wayfire
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-wayfire-main-hardened` | Wayblue-Wayfire | No | No |
| `wayblue-wayfire-nvidia-hardened` | Wayblue-Wayfire | Yes, closed drivers | No |
| `wayblue-wayfire-nvidia-open-hardened` | Wayblue-Wayfire | Yes, open drivers | No |
| `wayblue-wayfire-main-userns-hardened` | Wayblue-Wayfire | No | Yes |
| `wayblue-wayfire-nvidia-userns-hardened` | Wayblue-Wayfire | Yes, closed drivers | Yes |
| `wayblue-wayfire-nvidia-open-userns-hardened` | Wayblue-Wayfire | Yes, open drivers | Yes |
#### Hyprland
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-hyprland-main-hardened` | Wayblue-Hyprland | No | No |
| `wayblue-hyprland-nvidia-hardened` | Wayblue-Hyprland | Yes, closed drivers | No |
| `wayblue-hyprland-nvidia-open-hardened` | Wayblue-Hyprland | Yes, open drivers | No |
| `wayblue-hyprland-main-userns-hardened` | Wayblue-Hyprland | No | Yes |
| `wayblue-hyprland-nvidia-userns-hardened`| Wayblue-Hyprland | Yes, closed drivers | Yes |
| `wayblue-hyprland-nvidia-open-userns-hardened` | Wayblue-Hyprland | Yes, open drivers | Yes |
#### River
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-river-main-hardened` | Wayblue-River | No | No |
| `wayblue-river-nvidia-hardened` | Wayblue-River | Yes, closed drivers | No |
| `wayblue-river-nvidia-open-hardened` | Wayblue-River | Yes, open drivers | No |
| `wayblue-river-main-userns-hardened` | Wayblue-River | No | Yes |
| `wayblue-river-nvidia-userns-hardened` | Wayblue-River | Yes, closed drivers | Yes |
| `wayblue-river-nvidia-open-userns-hardened` | Wayblue-River | Yes, open drivers | Yes |
#### Sway
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-sway-main-hardened` | Wayblue-Sway | No | No |
| `wayblue-sway-nvidia-hardened` | Wayblue-Sway | Yes, closed drivers | No |
| `wayblue-sway-nvidia-open-hardened` | Wayblue-Sway | Yes, open drivers | No |
| `wayblue-sway-main-userns-hardened` | Wayblue-Sway | No | Yes |
| `wayblue-sway-nvidia-userns-hardened` | Wayblue-Sway | Yes, closed drivers | Yes |
| `wayblue-sway-nvidia-open-userns-hardened` | Wayblue-Sway | Yes, open drivers | Yes |
## Server
> [!NOTE]
> After you finish setting up your [Fedora CoreOS](https://fedoraproject.org/coreos/) installation, you will need to disable `zincati.service` before rebasing to securecore.
| Name | Base | Nvidia Support | ZFS Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|-------------|------------------------------|
| `securecore-main-hardened` | CoreOS | No | No | No |
| `securecore-nvidia-hardened` | CoreOS | Yes, closed drivers | No | No |
| `securecore-nvidia-open-hardened` | CoreOS | Yes, open drivers | No | No |
| `securecore-main-userns-hardened` | CoreOS | No | No | Yes |
| `securecore-nvidia-userns-hardened` | CoreOS | Yes, closed drivers | No | Yes |
| `securecore-nvidia-open-userns-hardened` | CoreOS | Yes, open drivers | No | Yes |
| `securecore-zfs-main-hardened` | CoreOS | No | Yes | No |
| `securecore-zfs-nvidia-hardened` | CoreOS | Yes, closed drivers | Yes | No |
| `securecore-zfs-nvidia-open-hardened` | CoreOS | Yes, open drivers | Yes | No |
| `securecore-zfs-main-userns-hardened` | CoreOS | No | Yes | Yes |
| `securecore-zfs-nvidia-userns-hardened` | CoreOS | Yes, closed drivers | Yes | Yes |
| `securecore-zfs-nvidia-open-userns-hardened` | CoreOS | Yes, open drivers | Yes | Yes |
### Experimental
#### Cosmic
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `cosmic-main-hardened` | Cosmic | No | No |
| `cosmic-nvidia-hardened` | Cosmic | Yes, closed drivers | No |
| `cosmic-nvidia-open-hardened` | Cosmic | Yes, open drivers | No |
| `cosmic-main-userns-hardened` | Cosmic | No | Yes |
| `cosmic-nvidia-userns-hardened` | Cosmic | Yes, closed drivers | Yes |
| `cosmic-nvidia-open-userns-hardened` | Cosmic | Yes, open drivers | Yes |

152
docs/README.md
View File

@@ -78,160 +78,22 @@ Sponsorship options are on the [Donate](DONATE.md) page. All donations are appre
Have a look at [PREINSTALL-README](PREINSTALL-README.md) before proceeding. Have a look at [PREINSTALL-README](PREINSTALL-README.md) before proceeding.
## Rebasing (Recommended) ## Rebasing
> [!NOTE] > [!NOTE]
> If you don't already have a Fedora Atomic installation, use a Fedora Atomic ISO that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue ISO, Kinoite for Kinoite, Sericea (Sway Atomic) for Sericea and all the Wayblue images, and CoreOS for all the securecore images. > If you don't already have a Fedora Atomic installation, use a Fedora Atomic ISO that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue ISO, Kinoite for Kinoite, Sericea (Sway Atomic) for Sericea and all the Wayblue images, and CoreOS for all the securecore images.
>
> For more details on the available images, have a look at [IMAGES](IMAGES.md) before proceeding.
To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) or [Fedora CoreOS](https://fedoraproject.org/coreos/) installation, follow these steps<sup></sup>: To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) or [Fedora CoreOS](https://fedoraproject.org/coreos/) installation, download the script below:
> [!IMPORTANT] [![Download](https://shields.io/badge/-Download-blue?style=for-the-badge&logo=download&logoColor=white)](https://github.com/secureblue/secureblue/releases/latest/download/install_secureblue.sh)
> The **only** supported tag is `latest`.
- First rebase to the unsigned image, to get the proper signing keys and policies installed: Then, run it from the directory you downloaded it to:
```
rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/IMAGE_NAME:latest
```
- Reboot to complete the rebase:
```
systemctl reboot
```
- Then rebase to the signed image, like so:
```
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/IMAGE_NAME:latest
```
- Reboot again to complete the installation:
```
systemctl reboot
```
<sup>‡</sup> Replace `IMAGE_NAME` with the *full name* of your preferred image from the [list below](README.md#images).
## ISO
While it's recommended to use a Fedora Atomic ISO to install and then rebase that installation to secureblue, you can also generate an ISO and install that directly using [this script](generate_secureblue_iso.sh). Please note you should still follow the [post-install steps](README.md#post-install) when installing from a generated ISO:
``` ```
./generate_secureblue_iso.sh bash install_secureblue.sh
``` ```
# Images
> [!NOTE]
> Learn about unprivileged user namespaces [here](USERNS.md).
## Desktop
*`nvidia-open` images are recommended for systems with Nvidia GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from Nvidia, not Nouveau.*
*`nvidia` images are recommended for systems with Nvidia GPUs Pascal or older. These include the closed kernel modules from Nvidia.*
### Recommended <sup>[why?](RECOMMENDED.md)</sup>
#### Silverblue
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `silverblue-main-hardened` | Silverblue| No | No |
| `silverblue-nvidia-hardened` | Silverblue| Yes, closed drivers | No |
| `silverblue-nvidia-open-hardened` | Silverblue| Yes, open drivers | No |
| `silverblue-main-userns-hardened` | Silverblue| No | Yes |
| `silverblue-nvidia-userns-hardened` | Silverblue| Yes, closed drivers | Yes |
| `silverblue-nvidia-open-userns-hardened` | Silverblue| Yes, open drivers | Yes |
### Stable
#### Kinoite
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `kinoite-main-hardened` | Kinoite | No | No |
| `kinoite-nvidia-hardened` | Kinoite | Yes, closed drivers | No |
| `kinoite-nvidia-open-hardened` | Kinoite | Yes, open drivers | No |
| `kinoite-main-userns-hardened` | Kinoite | No | Yes |
| `kinoite-nvidia-userns-hardened` | Kinoite | Yes, closed drivers | Yes |
| `kinoite-nvidia-open-userns-hardened` | Kinoite | Yes, open drivers | Yes |
#### Sericea
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `sericea-main-hardened` | Sericea | No | No |
| `sericea-nvidia-hardened` | Sericea | Yes, closed drivers | No |
| `sericea-nvidia-open-hardened` | Sericea | Yes, open drivers | No |
| `sericea-main-userns-hardened` | Sericea | No | Yes |
| `sericea-nvidia-userns-hardened` | Sericea | Yes, closed drivers | Yes |
| `sericea-nvidia-open-userns-hardened` | Sericea | Yes, open drivers | Yes |
### Beta
> [!NOTE]
> Learn about wayblue [here](https://github.com/wayblueorg/wayblue).
#### Wayfire
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-wayfire-main-hardened` | Wayblue-Wayfire | No | No |
| `wayblue-wayfire-nvidia-hardened` | Wayblue-Wayfire | Yes, closed drivers | No |
| `wayblue-wayfire-nvidia-open-hardened` | Wayblue-Wayfire | Yes, open drivers | No |
| `wayblue-wayfire-main-userns-hardened` | Wayblue-Wayfire | No | Yes |
| `wayblue-wayfire-nvidia-userns-hardened` | Wayblue-Wayfire | Yes, closed drivers | Yes |
| `wayblue-wayfire-nvidia-open-userns-hardened` | Wayblue-Wayfire | Yes, open drivers | Yes |
#### Hyprland
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-hyprland-main-hardened` | Wayblue-Hyprland | No | No |
| `wayblue-hyprland-nvidia-hardened` | Wayblue-Hyprland | Yes, closed drivers | No |
| `wayblue-hyprland-nvidia-open-hardened` | Wayblue-Hyprland | Yes, open drivers | No |
| `wayblue-hyprland-main-userns-hardened` | Wayblue-Hyprland | No | Yes |
| `wayblue-hyprland-nvidia-userns-hardened`| Wayblue-Hyprland | Yes, closed drivers | Yes |
| `wayblue-hyprland-nvidia-open-userns-hardened` | Wayblue-Hyprland | Yes, open drivers | Yes |
#### River
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-river-main-hardened` | Wayblue-River | No | No |
| `wayblue-river-nvidia-hardened` | Wayblue-River | Yes, closed drivers | No |
| `wayblue-river-nvidia-open-hardened` | Wayblue-River | Yes, open drivers | No |
| `wayblue-river-main-userns-hardened` | Wayblue-River | No | Yes |
| `wayblue-river-nvidia-userns-hardened` | Wayblue-River | Yes, closed drivers | Yes |
| `wayblue-river-nvidia-open-userns-hardened` | Wayblue-River | Yes, open drivers | Yes |
#### Sway
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-sway-main-hardened` | Wayblue-Sway | No | No |
| `wayblue-sway-nvidia-hardened` | Wayblue-Sway | Yes, closed drivers | No |
| `wayblue-sway-nvidia-open-hardened` | Wayblue-Sway | Yes, open drivers | No |
| `wayblue-sway-main-userns-hardened` | Wayblue-Sway | No | Yes |
| `wayblue-sway-nvidia-userns-hardened` | Wayblue-Sway | Yes, closed drivers | Yes |
| `wayblue-sway-nvidia-open-userns-hardened` | Wayblue-Sway | Yes, open drivers | Yes |
## Server
> [!NOTE]
> After you finish setting up your [Fedora CoreOS](https://fedoraproject.org/coreos/) installation, you will need to disable `zincati.service` before rebasing to securecore.
| Name | Base | Nvidia Support | ZFS Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|-------------|------------------------------|
| `securecore-main-hardened` | CoreOS | No | No | No |
| `securecore-nvidia-hardened` | CoreOS | Yes, closed drivers | No | No |
| `securecore-nvidia-open-hardened` | CoreOS | Yes, open drivers | No | No |
| `securecore-main-userns-hardened` | CoreOS | No | No | Yes |
| `securecore-nvidia-userns-hardened` | CoreOS | Yes, closed drivers | No | Yes |
| `securecore-nvidia-open-userns-hardened` | CoreOS | Yes, open drivers | No | Yes |
| `securecore-zfs-main-hardened` | CoreOS | No | Yes | No |
| `securecore-zfs-nvidia-hardened` | CoreOS | Yes, closed drivers | Yes | No |
| `securecore-zfs-nvidia-open-hardened` | CoreOS | Yes, open drivers | Yes | No |
| `securecore-zfs-main-userns-hardened` | CoreOS | No | Yes | Yes |
| `securecore-zfs-nvidia-userns-hardened` | CoreOS | Yes, closed drivers | Yes | Yes |
| `securecore-zfs-nvidia-open-userns-hardened` | CoreOS | Yes, open drivers | Yes | Yes |
### Experimental
#### Cosmic
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `cosmic-main-hardened` | Cosmic | No | No |
| `cosmic-nvidia-hardened` | Cosmic | Yes, closed drivers | No |
| `cosmic-nvidia-open-hardened` | Cosmic | Yes, open drivers | No |
| `cosmic-main-userns-hardened` | Cosmic | No | Yes |
| `cosmic-nvidia-userns-hardened` | Cosmic | Yes, closed drivers | Yes |
| `cosmic-nvidia-open-userns-hardened` | Cosmic | Yes, open drivers | Yes |
# Post-install # Post-install

84
generate_secureblue_iso.sh
View File

@@ -1,84 +0,0 @@
#!/usr/bin/env bash
if ! command -v podman &> /dev/null
then
echo "Podman is not installed, install it to use this script."
exit 1
fi
function is_yes {
case $(echo "$1" | tr '[:upper:]' '[:lower:]') in
y|yes) return 0;;
*) return 1;;
esac
}
# Define image configurations
declare -A image_configs=(
["securecore"]="Server"
["securecore-zfs"]="Server"
["silverblue"]="Silverblue:asus"
["kinoite"]="Kinoite:asus"
["sericea"]="Sericea"
["wayblue-wayfire"]="Sericea"
["wayblue-sway"]="Sericea"
["wayblue-river"]="Sericea"
["wayblue-hyprland"]="Sericea"
["cinnamon"]="Silverblue"
["cosmic"]="Kinoite"
)
image_name=""
additional_params=""
variant=""
# Determine if it's a server or desktop
read -p "Is this for a server? (yes/No): " is_server
if is_yes "$is_server"; then
read -p "Do you need ZFS support? (yes/No): " use_zfs
image_name=$(is_yes "$use_zfs" && echo "securecore-zfs" || echo "securecore")
variant=${image_configs[$image_name]}
else
# For desktops, present all non-server options
desktop_options=($(for key in "${!image_configs[@]}"; do [[ $key != server* ]] && echo "$key"; done | sort))
echo "Select a desktop:"
select opt in "${desktop_options[@]}"; do
if [[ " ${desktop_options[@]} " =~ " ${opt} " ]]; then
image_name=$opt
IFS=':' read -r variant options <<< "${image_configs[$opt]}"
break
else
echo "Invalid option"
fi
done
if [[ $options == *"asus"* ]]; then
read -p "Do you use an Asus laptop? (yes/No): " is_asus
is_yes "$is_asus" && additional_params+="-asus"
fi
fi
# Ask about Nvidia for all options
read -p "Do you use Nvidia? (yes/No): " use_nvidia
is_yes "$use_nvidia" && additional_params+="-nvidia" || additional_params+="-main"
# Ask about user namespaces for all options
read -p "Do you need user namespaces? (yes/No): " use_userns
is_yes "$use_userns" && additional_params+="-userns"
image_name+="$additional_params-hardened"
command="sudo podman run --rm --privileged --volume .:/build-container-installer/build ghcr.io/jasonn3/build-container-installer:latest IMAGE_REPO=ghcr.io/secureblue IMAGE_NAME=$image_name VERSION=41 IMAGE_TAG=latest VARIANT=$variant"
echo "Command to execute:"
echo "$command"
echo ""
read -p "Generate this ISO? (yes/No): " generate_iso
if is_yes "$generate_iso"; then
$command
mv deploy.iso $image_name.iso
mv deploy.iso-CHECKSUM $image_name.iso-CHECKSUM
sed -i "s/deploy.iso/$image_name.iso/" "$image_name.iso-CHECKSUM"
fi

86
install/install_secureblue.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/usr/bin/env bash
if ! command -v rpm-ostree &> /dev/null
then
echo "This script only runs on Fedora Atomic"
exit 1
fi
function is_yes {
case $(echo "$1" | tr '[:upper:]' '[:lower:]') in
y|yes) return 0;;
*) return 1;;
esac
}
# Define image configurations
desktop_image_types=(
"silverblue"
"kinoite"
"sericea"
"wayblue-wayfire"
"wayblue-sway"
"wayblue-river"
"wayblue-hyprland"
"cosmic"
)
image_name=""
additional_params=""
echo "Welcome to the secureblue interactive installer!"
echo "After answering the following questions, your system will be rebased to secureblue."
echo "-----------------------------------------------------------------------------------"
# Determine if it's a server or desktop
read -p "Is this for a server? (yes/No): " is_server
if is_yes "$is_server"; then
read -p "Do you need ZFS support? (yes/No): " use_zfs
image_name=$(is_yes "$use_zfs" && echo "securecore-zfs" || echo "securecore")
else
echo "Select a desktop. Silverblue is recommended."
select image_name in "${desktop_image_types[@]}"; do
if [[ -n "$image_name" ]]; then
echo "Selected desktop: $image_name"
if [[ "$image_name" == "cosmic" ]]; then
echo "Warning: Cosmic images are experimental."
fi
if [[ "$image_name" == *"wayblue"* ]]; then
echo "Warning: Wayblue images are in beta."
fi
break
else
echo "Invalid option, please select a valid number."
fi
done
fi
# Ask about Nvidia for all options
read -p "Do you have Nvidia? (yes/No): " use_nvidia
if is_yes "$use_nvidia"; then
additional_params+="-nvidia"
read -p "Do you need Nvidia's open drivers? (yes/No): " use_open
is_yes "$use_open" && additional_params+="-open"
else
additional_params+="-main"
fi
# Ask about user namespaces for all options
read -p "Do you need unprivileged user namespaces? (yes/No): " use_userns
is_yes "$use_userns" && additional_params+="-userns"
image_name+="$additional_params-hardened"
rebase_command="rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/$image_name:latest"
echo "Commands to execute:"
echo "$rebase_command"
echo ""
read -p "Proceed? (yes/No): " rebase_proceed
if is_yes "$rebase_proceed"; then
$rebase_command
fi