feat: begin server->securecore migration

.github/workflows/build.yml

@@ -59,6 +59,10 @@ jobs:
           - server/recipe-server-nvidia.yml
           - server/recipe-server-zfs-main.yml
           - server/recipe-server-zfs-nvidia.yml
+          - securecore/recipe-securecore-main.yml
+          - securecore/recipe-securecore-nvidia.yml
+          - securecore/recipe-securecore-zfs-main.yml
+          - securecore/recipe-securecore-zfs-nvidia.yml
           # userns
           # general
           - general/recipe-aurora-surface-userns.yml
@@ -105,6 +109,10 @@ jobs:
           - server/recipe-server-nvidia-userns.yml
           - server/recipe-server-zfs-main-userns.yml
           - server/recipe-server-zfs-nvidia-userns.yml
+          - securecore/recipe-securecore-main-userns.yml
+          - securecore/recipe-securecore-nvidia-userns.yml
+          - securecore/recipe-securecore-zfs-main-userns.yml
+          - securecore/recipe-securecore-zfs-nvidia-userns.yml
 
     steps:
       - name: Checkout repo
@@ -121,7 +129,7 @@ jobs:
           echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
 
       - name: Verify base image
-        if: ${{ !contains(env.IMAGE_NAME, 'wayblue') && !contains(env.IMAGE_NAME, 'cinnamon') }}
+        if: ${{ !contains(env.IMAGE_NAME, 'wayblue') && !contains(env.IMAGE_NAME, 'cinnamon') && !contains(env.IMAGE_NAME, 'coreos') }}
         uses: EyeCantCU/cosign-action/verify@v0.3.0
         with:
           containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
@@ -142,10 +150,18 @@ jobs:
           registry: 'ghcr.io/legacy-images'
           pubkey: 'https://raw.githubusercontent.com/legacy-images/cinnamon/main/cosign.pub'
 
+      - name: Verify base image
+        if: ${{ contains(env.IMAGE_NAME, 'coreos') }}
+        uses: EyeCantCU/cosign-action/verify@v0.3.0
+        with:
+          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
+          registry: 'ghcr.io/secureblue'
+          pubkey: 'https://raw.githubusercontent.com/secureblue/coreos/main/cosign.pub'
+
       - name: Build secureblue
         uses: blue-build/github-action@v1.6.1
         with:          
-          cli_version: v0.8.12
+          cli_version: v0.8.14
           recipe: ${{ matrix.recipe }}
           cosign_private_key: ${{ secrets.SIGNING_SECRET }}
           registry_token: ${{ github.token }}

README.md

@@ -181,14 +181,14 @@ While it's recommended to use a Fedora Atomic iso to install and then rebase tha
 - `aurora-dx-surface-userns-hardened`
 - `aurora-dx-surface-nvidia-userns-hardened`
 ## Server
-- `server-main-hardened`
-- `server-nvidia-hardened`
-- `server-zfs-main-hardened`
-- `server-zfs-nvidia-hardened`
-- `server-main-userns-hardened`
-- `server-nvidia-userns-hardened`
-- `server-zfs-main-userns-hardened`
-- `server-zfs-nvidia-userns-hardened`
+- `securecore-main-hardened`
+- `securecore-nvidia-hardened`
+- `securecore-zfs-main-hardened`
+- `securecore-zfs-nvidia-hardened`
+- `securecore-main-userns-hardened`
+- `securecore-nvidia-userns-hardened`
+- `securecore-zfs-main-userns-hardened`
+- `securecore-zfs-nvidia-userns-hardened`
   
 # Post-install
 

files/system/usr/libexec/deprecated-images.json

@@ -2,6 +2,7 @@
     "imageTypes": [
       "framework",
       "main-laptop",
-      "nvidia-laptop"
+      "nvidia-laptop",
+      "server"
     ]
 }

files/system/usr/libexec/deprecated-images.json.md

@@ -2,6 +2,15 @@
 
 The following image types have been deprecated:
 
+## server
+
+Rationale: Upstream decisions have required us to [fork](https://github.com/secureblue/coreos/). This brings with it the following critical migration steps *before* rebasing:
+
+- Password-based auth is no longer supported, ensure you are able to log-in using pubkey or another supported method. If you do not do this, you risk being locked out of your host.
+- Tailscale and cockpit are no longer included by default (but the tailscale repo is). If you need either, ensure you have layered them before rebooting into your new deployment.
+
+Rebase to: The equivalent image replacing `server` with `securecore`. For example, for `server-nvidia-hardened`, rebase to `securecore-nvidia-hardened`.
+
 ## framework
 
 Rationale: [Deprecated upstream](https://github.com/ublue-os/framework#this-image-is-deprecated)

recipes/securecore/recipe-securecore-main-userns.yml

@@ -0,0 +1,17 @@
+name: securecore-main-userns-hardened
+
+description: "coreos with some hardening applied"
+
+base-image: ghcr.io/secureblue/coreos
+
+image-version: testing
+
+modules:
+  - from-file: common/initialization-scripts.yml
+  - from-file: common/common-packages.yml 
+  - from-file: common/non-cosmic-scripts.yml
+  - from-file: common/server-packages.yml
+  - from-file: common/common-files.yml
+  - from-file: common/server-files.yml
+  - from-file: common/common-scripts.yml
+  - type: secureblue-signing

recipes/securecore/recipe-securecore-main.yml

@@ -0,0 +1,18 @@
+name: securecore-main-hardened
+
+description: "coreos with some hardening applied"
+
+base-image: ghcr.io/secureblue/coreos
+
+image-version: testing
+
+modules:
+  - from-file: common/initialization-scripts.yml
+  - from-file: common/common-packages.yml 
+  - from-file: common/non-cosmic-scripts.yml
+  - from-file: common/server-packages.yml
+  - from-file: common/common-files.yml  
+  - from-file: common/server-files.yml
+  - from-file: common/common-scripts.yml
+  - from-file: common/disableuserns-scripts.yml
+  - type: secureblue-signing

recipes/securecore/recipe-securecore-nvidia-userns.yml

@@ -0,0 +1,17 @@
+name: securecore-nvidia-userns-hardened
+
+description: "coreos nvidia with some hardening applied"
+
+base-image: ghcr.io/secureblue/coreos
+
+image-version: testing-nvidia
+
+modules:
+  - from-file: common/initialization-scripts.yml
+  - from-file: common/common-packages.yml 
+  - from-file: common/non-cosmic-scripts.yml
+  - from-file: common/server-packages.yml
+  - from-file: common/common-files.yml
+  - from-file: common/server-files.yml
+  - from-file: common/common-scripts.yml
+  - type: secureblue-signing

recipes/securecore/recipe-securecore-nvidia.yml

@@ -0,0 +1,18 @@
+name: securecore-nvidia-hardened
+
+description: "coreos nvidia with some hardening applied"
+
+base-image: ghcr.io/secureblue/coreos
+
+image-version: testing-nvidia
+
+modules:
+  - from-file: common/initialization-scripts.yml
+  - from-file: common/common-packages.yml 
+  - from-file: common/non-cosmic-scripts.yml
+  - from-file: common/server-packages.yml
+  - from-file: common/common-files.yml
+  - from-file: common/server-files.yml
+  - from-file: common/common-scripts.yml
+  - from-file: common/disableuserns-scripts.yml
+  - type: secureblue-signing

recipes/securecore/recipe-securecore-zfs-main-userns.yml

@@ -0,0 +1,17 @@
+name: securecore-zfs-main-userns-hardened
+
+description: "coreos zfs with some hardening applied"
+
+base-image: ghcr.io/secureblue/coreos
+
+image-version: testing-zfs
+
+modules:
+  - from-file: common/initialization-scripts.yml
+  - from-file: common/common-packages.yml 
+  - from-file: common/non-cosmic-scripts.yml
+  - from-file: common/server-packages.yml
+  - from-file: common/common-files.yml
+  - from-file: common/server-files.yml
+  - from-file: common/common-scripts.yml
+  - type: secureblue-signing

recipes/securecore/recipe-securecore-zfs-main.yml

@@ -0,0 +1,18 @@
+name: securecore-zfs-main-hardened
+
+description: "coreos zfs with some hardening applied"
+
+base-image: ghcr.io/secureblue/coreos
+
+image-version: testing-zfs
+
+modules:
+  - from-file: common/initialization-scripts.yml
+  - from-file: common/common-packages.yml 
+  - from-file: common/non-cosmic-scripts.yml
+  - from-file: common/server-packages.yml
+  - from-file: common/common-files.yml  
+  - from-file: common/server-files.yml
+  - from-file: common/common-scripts.yml
+  - from-file: common/disableuserns-scripts.yml
+  - type: secureblue-signing

recipes/securecore/recipe-securecore-zfs-nvidia-userns.yml

@@ -0,0 +1,17 @@
+name: securecore-zfs-nvidia-userns-hardened
+
+description: "coreos zfs nvidia with some hardening applied"
+
+base-image: ghcr.io/secureblue/coreos
+
+image-version: testing-nvidia-zfs
+
+modules:
+  - from-file: common/initialization-scripts.yml
+  - from-file: common/common-packages.yml 
+  - from-file: common/non-cosmic-scripts.yml
+  - from-file: common/server-packages.yml
+  - from-file: common/common-files.yml
+  - from-file: common/server-files.yml
+  - from-file: common/common-scripts.yml
+  - type: secureblue-signing

recipes/securecore/recipe-securecore-zfs-nvidia.yml

@@ -0,0 +1,18 @@
+name: securecore-zfs-nvidia-hardened
+
+description: "coreos zfs nvidia with some hardening applied"
+
+base-image: ghcr.io/secureblue/coreos
+
+image-version: testing-nvidia-zfs
+
+modules:
+  - from-file: common/initialization-scripts.yml
+  - from-file: common/common-packages.yml 
+  - from-file: common/non-cosmic-scripts.yml
+  - from-file: common/server-packages.yml
+  - from-file: common/common-files.yml
+  - from-file: common/server-files.yml
+  - from-file: common/common-scripts.yml
+  - from-file: common/disableuserns-scripts.yml
+  - type: secureblue-signing