Rebase secureblue with a new, clean commit history

.github/CODEOWNERS

@@ -1 +1 @@
-* @castrojo
+* @qoijjj

.github/workflows/build.yml

@@ -1,10 +1,10 @@
 # This workflow builds every branch of the repository daily at 16:30 UTC, one hour after ublue-os/nvidia builds.
-# The images are also built after pushing changes or pull requests.
+# The images are also built after pushuing changes or pull requests.
 # The builds can also be triggered manually in the Actions tab thanks to workflow dispatch.
 # Only the branch called `live` is published.
 
 
-name: build-ublue
+name: build-secureblue
 on: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
   schedule:
     - cron: "30 16 * * *"
@@ -39,8 +39,11 @@ jobs:
         # Add recipes for all the images you want to build here.
         # Don't add module configuration files, you will get errors.
         recipe:
-          - recipe.yml
-# !!!
+          - recipe-silverblue-main.yml
+          - recipe-silverblue-nvidia.yml
+          - recipe-kinoite-main.yml
+          - recipe-kinoite-nvidia.yml
+
 
     steps:
       - name: Maximize build space

CONTRIBUTING.md

@@ -1,4 +1,4 @@
-# Welcome to Universal Blue
+# Welcome to Secure Blue
 
 Thanks for taking the time to look into helping out!
 All contributions are appreciated! 
@@ -22,6 +22,7 @@ All types of contributions are encouraged and valued. See the [Table of Contents
 - [I Have a Question](#i-have-a-question)
 - [I Want To Contribute](#i-want-to-contribute)
 - [Reporting Bugs](#reporting-bugs)
+- [Pull Requests](#pull-requests)
 - [How to test incoming changes](#how-to-test-incoming-changes)
 - [Building Locally](#building-locally)
 - [Styleguides](#styleguides)
@@ -37,7 +38,7 @@ to jorge.castro@gmail.com
 
 ## I Have a Question
 
-> If you want to ask a question, ask in the [discussion forum](https://github.com/orgs/ublue-os/discussions)
+> If you want to ask a question, ask in [Issues](https://github.com/secureblue/secureblue/issues).
 
 ## I Want To Contribute
 
@@ -63,6 +64,17 @@ A good bug report should describe the issue in detail. Generally speaking:
 - Possibly your input and the output
 - Can you reliably reproduce the issue? And can you also reproduce it with older versions?
 
+### Pull Requests
+
+#### Before Submitting a Pull Request
+
+A good pull request should be ready for review before it is even created. For all pull requests, ensure:
+
+- Your changes are in a single commit
+- You have no unnecessary changes, including and especially whitespace changes
+- You have tested your changes
+- For substantive changes, you include evidence of proper functionality in the pull request in addition to the build results.
+
 ### How to test incoming changes
 
 One of the nice things about the image model is that we can generate an entire OS image for every change we want to commit, so this makes testing way easier than in the past. You can rebase to it, see if it works, and then move back. This also means we can increase the amount of testers! 
@@ -86,9 +98,9 @@ Here's an example: https://github.com/ublue-os/nvidia/pull/49
 The minimum tools required are git and a working machine with podman enabled and configured. 
 Building locally is much faster than building in GitHub and is a good way to move fast before pushing to a remote.
 
-### Clone the repo you want
+### Clone the repo
 
-    git clone https://github.com/ublue-os/base.git
+    git clone https://github.com/secureblue/secureblue.git
 
 ### Build the image
     

README.md

@@ -1,52 +1,66 @@
-# Starting point
+<p align="center">
+  <img src="https://github.com/secureblue/secureblue/assets/129108030/292e0ecc-50b8-4de5-a11a-bfe292489f6c" href="https://github.com/secureblue/secureblue" width=180 />
+</p>
 
-> **Warning**
-> Startingpoint was recently rewritten, and this version is considered a "1.0" *semi-*stable release.
-> There are breaking changes between this and the previous version.
-> If you are merging changes from the previous (v0) version, please refer to [the heads-up blog post](https://universal-blue.org/blog/2023/09/02/startingpoint-rewrite-heads-up-what-you-need-to-know/).
+<h1 align="center">secureblue</h1>
 
-[![build-ublue](https://github.com/ublue-os/startingpoint/actions/workflows/build.yml/badge.svg)](https://github.com/ublue-os/startingpoint/actions/workflows/build.yml)
 
-This is a constantly updating template repository for creating [a native container image](https://fedoraproject.org/wiki/Changes/OstreeNativeContainerStable) designed to be customized however you want. GitHub will build your image for you, and then host it for you on [ghcr.io](https://github.com/features/packages). You then just tell your computer to boot off of that image. GitHub keeps 90 days worth image backups for you, thanks Microsoft!
+[![secureblue](https://github.com/secureblue/secureblue/actions/workflows/build.yml/badge.svg)](https://github.com/secureblue/secureblue/actions/workflows/build.yml)
 
-For more info, check out the [uBlue homepage](https://universal-blue.org/) and the [main uBlue repo](https://github.com/ublue-os/main/)
+This repo takes the [uBlue](https://universal-blue.org/) starting point and selectively applies hardening with the following goals:
 
-## Getting started
+- Increase defenses against the exploitation of both known and unknown vulnerabilities.
+- Avoid sacrificing usability for most use cases where possible
 
-See the [Make Your Own-page in the documentation](https://universal-blue.org/tinker/make-your-own/) for quick setup instructions for setting up your own repository based on this template.
+The following are not in scope for this project:
+- Anything related to increasing "privacy", especially when at odds with improving security
+- Anything related to "degoogling"
 
-Don't worry, it only requires some basic knowledge about using the terminal and git.
+## What
 
-After setup, it is recommended you update this README to describe your custom image.
+Hardening applied:
 
-> **Note**
-> Everywhere in this repository, make sure to replace `ublue-os/startingpoint` with the details of your own repository. Unless you used one of the automatic repository setup tools in which case the previous repo identifier should already be your repo's details.
+- Setting numerous hardened sysctl values (Inspired by but not the same as Kicksecure's)
+- Disabling coredumps in limits.conf
+- Disabling all ports and services for firewalld
+- Blacklisting numerous unused kernel modules to reduce attack surface
+- Setting more restrictive file permissions (Based on recommendations from [lynis](https://cisofy.com/lynis/))
+- Installing dnf-automatic and chkrootkit
+- Disabling unprivileged user namespaces and removing flatpak
+- Sets numerous hardening kernel parameters (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html))
+- Installs and enables [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally
+- Installing Chromium from the koji updates-testing repo to always have the latest version of chromium, the stable chromium package lags behind on security patches ([Why chromium?](https://grapheneos.org/usage#web-browsing))
 
-> **Warning**
-> To start, you *must* create a branch called `live` which is exclusively for your customizations. That is the **only** branch the GitHub workflow will deploy to your container registry. Don't make any changes to the original "template" branch. It should remain untouched. By using this branch structure, you ensure a clear separation between your own "published image" branch, your development branches, and the original upstream "template" branch. Periodically sync and fast-forward the upstream "template" branch to the most recent revision. Then, simply rebase your `live` branch onto the updated template to effortlessly incorporate the latest improvements into your own repository, without the need for any messy, manual "merge commits".
+## Why
 
-## Customization
+Fedora is one of the few distributions that ships with selinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a hardened system. However, out of the box it's lacking hardening in numerous other areas. This project's goal is to improve on that significantly.
 
-The easiest way to start customizing is by looking at and modifying `config/recipe.yml`. It's documented using comments and should be pretty easy to understand.
 
-If you want to add custom configuration files, you can just add them in the `/usr/etc/` directory, which is the official OSTree "configuration template" directory and will be applied to `/etc/` on boot. `config/files/usr` is copied into your image's `/usr` by default. If you need to add other directories in the root of your image, that can be done using the `files` module. Writing to `/var/` in the image builds of OSTree-based distros isn't supported and will not work, as that is a local user-managed directory!
-
-For more information about customization, see [the README in the config directory](config/README.md)
-
-Documentation around making custom images exists / should be written in two separate places:
-* [The Tinkerer's Guide on the website](https://universal-blue.org/tinker/make-your-own/) for general documentation around making custom images, best practices, tutorials, and so on.
-* Inside this repository for documentation specific to the ins and outs of the template (like module documentation), and just some essential guidance on how to make custom images.
+For more info on uBlue, check out the [uBlue homepage](https://universal-blue.org/) and the [main uBlue repo](https://github.com/ublue-os/main/)
 
 ## Installation
 
 > **Warning**
 > [This is an experimental feature](https://www.fedoraproject.org/wiki/Changes/OstreeNativeContainerStable) and should not be used in production, try it in a VM for a while!
 
+
+### Available Images
+
+> Note: gaming utilities like Steam and Lutris are not included and in my experience are largely incompatible with hardened_malloc
+
+- kinoite-main-hardened
+- kinoite-nvidia-hardened
+- silverblue-main-hardened
+- silverblue-nvidia-hardened
+
+
+### Rebasing
+
 To rebase an existing Silverblue/Kinoite installation to the latest build:
 
 - First rebase to the unsigned image, to get the proper signing keys and policies installed:
   ```
-  rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/startingpoint:latest
+  rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/$IMAGE_NAME:latest
   ```
 - Reboot to complete the rebase:
   ```
@@ -54,45 +68,24 @@ To rebase an existing Silverblue/Kinoite installation to the latest build:
   ```
 - Then rebase to the signed image, like so:
   ```
-  rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/startingpoint:latest
+  rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_NAME:latest
   ```
 - Reboot again to complete the installation
   ```
   systemctl reboot
   ```
+### Post-install
 
-This repository builds date tags as well, so if you want to rebase to a particular day's build:
+The following command is available to append kernel boot parameters that apply additional hardening (reboot required):
 
 ```
-rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/startingpoint:20230403
+just set-kargs-hardening 
 ```
 
-This repository by default also supports signing.
+## Contributing
 
-The `latest` tag will automatically point to the latest build. That build will still always use the Fedora version specified in `recipe.yml`, so you won't get accidentally updated to the next major version.
+Follow the [contributing documentation](CONTRIBUTING.md#contributing), and make sure to respect the [CoC](CODE_OF_CONDUCT.md).
 
-## ISO
+### Development
 
-This template includes a simple Github Action to build and release an ISO of your image. 
-
-To run the action, simply edit the `boot_menu.yml` by changing all the references to startingpoint to your repository. This should trigger the action automatically.
-
-The Action uses [isogenerator](https://github.com/ublue-os/isogenerator) and works in a similar manner to the official Universal Blue ISO. If you have any issues, you should first check [the documentation page on installation](https://universal-blue.org/installation/). The ISO is a netinstaller and should always pull the latest version of your image.
-
-Note that this release-iso action is not a replacement for a full-blown release automation like [release-please](https://github.com/googleapis/release-please).
-
-## `just`
-
-The [`just`](https://just.systems/) command runner is included in all `ublue-os/main`-derived images.
-
-You need to have a `~/.justfile` with the following contents and `just` aliased to `just --unstable` (default in posix-compatible shells on ublue) to get started with just locally.
-```
-!include /usr/share/ublue-os/just/main.just
-!include /usr/share/ublue-os/just/nvidia.just
-!include /usr/share/ublue-os/just/custom.just
-```
-Then type `just` to list the just recipes available.
-
-The file `/usr/share/ublue-os/just/custom.just` is intended for the custom just commands (recipes) you wish to include in your image. By default, it includes the justfiles from [`ublue-os/bling`](https://github.com/ublue-os/bling), if you wish to disable that, you need to just remove the line that includes bling.just.
-
-See [the just-page in the Universal Blue documentation](https://universal-blue.org/guide/just/) for more information.
+For local Development [building locally](CONTRIBUTING.md#building-locally) is the recommended approach.

config/common-packages.yml

@@ -0,0 +1,36 @@
+type: rpm-ostree
+repos: 
+  - https://copr.fedorainfracloud.org/coprs/qoijjj/hardened_malloc/repo/fedora-39/qoijjj-hardened_malloc-fedora-39.repo
+  - https://copr.fedorainfracloud.org/coprs/qoijjj/vscodium/repo/fedora-39/qoijjj-codium-fedora-39.repo
+install:    
+  - python3-pip
+  # GNOME's GTK4 theme, Libadwaita. Already included in Silverblue, but not
+  # other spins. You can remove if you aren't using yafti, but many native
+  # apps and binaries require it, so it's a good idea to always include it
+  # if you ever download or compile any custom software on your machine.
+  - libadwaita
+  - yt-dlp
+  - lm_sensors
+  - mediainfo
+  - lynis
+  - gnome-disk-utility
+  - headsetcontrol
+  - mpv
+  - qbittorrent
+  - gimp
+  - hardened_malloc
+  - chkrootkit
+  - koji
+  - codium
+  
+remove:
+  - firefox
+  - firefox-langpacks
+  - virtualbox-guest-additions
+  - openssh-server
+  
+
+
+
+
+

config/files/usr/etc/firewalld/zones/FedoraWorkstation.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Fedora Workstation</short>
+  <description>Overriden default config</description>
+  <forward/>
+</zone>

config/files/usr/etc/ld.so.preload

@@ -0,0 +1 @@
+/usr/lib64/libhardened_malloc.so

config/files/usr/etc/modprobe.d/blacklist.conf

@@ -0,0 +1,54 @@
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
+install firewire-core /bin/true
+install firewire_core /bin/true
+install firewire-ohci /bin/true
+install firewire_ohci /bin/true
+install firewire_sbp2 /bin/true
+install firewire-sbp2 /bin/true
+install thunderbolt /bin/true
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
+install cifs /bin/true
+install nfs /bin/true
+install nfsv3 /bin/true
+install nfsv4 /bin/true
+install ksmbd /bin/true
+install gfs2 /bin/true
+install vivid /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+install msr /bin/true
+install vivid /bin/false
+
+
+blacklist tipc
+blacklist dccp
+blacklist sctp
+blacklist rds
+blacklist ath_pci

config/files/usr/etc/modprobe.d/nvidia.conf

@@ -0,0 +1,3 @@
+# Enable DynamicPwerManagement
+# http://download.nvidia.com/XFree86/Linux-x86_64/440.31/README/dynamicpowermanagement.html
+options nvidia NVreg_DynamicPowerManagement=0x02

config/files/usr/etc/security/limits.conf

@@ -0,0 +1,64 @@
+# /etc/security/limits.conf
+#
+#This file sets the resource limits for the users logged in via PAM.
+#It does not affect resource limits of the system services.
+#
+#Also note that configuration files in /etc/security/limits.d directory,
+#which are read in alphabetical order, override the settings in this
+#file in case the domain is the same or more specific.
+#That means, for example, that setting a limit for wildcard domain here
+#can be overridden with a wildcard setting in a config file in the
+#subdirectory, but a user specific setting here can be overridden only
+#with a user specific setting in the subdirectory.
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - a user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open file descriptors
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#@student        -       maxlogins       4
+
+* hard core 0
+* soft core 0
+
+# End of file

config/files/usr/etc/sysctl.d/hardening.conf

@@ -0,0 +1,50 @@
+# Enable IP spoofing protection, turn on source route verification
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP Redirect Acceptance
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+net.core.bpf_jit_harden = 2
+kernel.yama.ptrace_scope = 3
+kernel.unprivileged_bpf_disabled = 1
+kernel.sysrq = 0
+kernel.perf_event_paranoid = 3
+kernel.kptr_restrict = 2
+kernel.dmesg_restrict = 1
+fs.suid_dumpable = 0
+fs.protected_regular = 2
+fs.protected_fifos = 2
+dev.tty.ldisc_autoload = 0
+
+
+user.max_user_namespaces = 0
+kernel.unprivileged_userns_clone = 0
+
+
+
+# Swap only when necessary
+vm.swappiness = 1
+
+# Restrict userfaultfd to CAP_SYS_PTRACE
+vm.unprivileged_userfaultfd = 0
+
+## Prevent kernel info leaks in console during boot.
+## https://phabricator.whonix.org/T950
+kernel.printk = 3 3 3 3
+
+## Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled=1
+
+## Disable core dump
+kernel.core_pattern=|/bin/false

config/files/usr/share/ublue-os/firstboot/yafti.yml

@@ -21,18 +21,7 @@ screens:
         - run: flatpak remote-delete --system --force fedora
         - run: flatpak remote-delete --user --force fedora
         - run: flatpak remove --system --noninteractive --all
-        - run: flatpak remote-add --if-not-exists --system flathub https://flathub.org/repo/flathub.flatpakrepo
         - run: flatpak remote-add --if-not-exists --user flathub https://flathub.org/repo/flathub.flatpakrepo
-  check-system-flathub:
-    source: yafti.screen.consent
-    values:
-      title: Missing Flathub Repository (System)
-      condition:
-        run: flatpak remotes --system --columns=name | grep flathub | wc -l | grep '^0$'
-      description: |
-        We have detected that you don't have Flathub's repository on your system. We will now add that repository to your system-wide list.
-      actions:
-        - run: flatpak remote-add --if-not-exists --system flathub https://flathub.org/repo/flathub.flatpakrepo
   check-user-flathub:
     source: yafti.screen.consent
     values:
@@ -55,7 +44,7 @@ screens:
       groups:
         Core GNOME Apps:
           description: Core system applications for the GNOME desktop environment.
-          default: true
+          default: false
           packages:
             - Calculator: org.gnome.Calculator
             - Calendar: org.gnome.Calendar
@@ -79,7 +68,7 @@ screens:
             - Weather: org.gnome.Weather
         System Apps:
           description: System applications for all desktop environments.
-          default: true
+          default: false
           packages:
             - Deja Dup Backups: org.gnome.DejaDup
             - Fedora Media Writer: org.fedoraproject.MediaWriter

config/files/usr/share/ublue-os/just/60-custom.just

@@ -1,2 +1,5 @@
-!include 100-bling.just
 # Include some of your custom scripts here!
+
+# Add additional boot parameters for hardening (requires reboot)
+set-kargs-hardening:
+    rpm-ostree kargs --append="init_on_alloc=1" --append="init_on_free=1" --append="slab_nomerge" --append="page_alloc.shuffle=1" --append="randomize_kstack_offset=on" --append="vsyscall=none" --append="debugfs=off" --append="lockdown=confidentiality" --append="random.trust_cpu=off" --append="random.trust_bootloader=off" --append="intel_iommu=on" --append="amd_iommu=on" --append="efi=disable_early_pci_dma" --append="iommu.passthrough=0" --append="iommu.strict=1" --append="nvme_core.default_ps_max_latency_us=0" --append="mitigations=auto,nosmt"

config/kinoite-packages.yml

@@ -0,0 +1,46 @@
+type: rpm-ostree
+repos:
+  # - https://blah
+install:    
+  - gwenview
+remove:
+  - kde-connect
+  - kde-connect-libs
+  - kdeconnectd
+  - kf5-akonadi-server
+  - kf5-akonadi-server-mysql
+  - kwalletmanager5
+  - flatpak
+  - flatpak-libs
+  - flatpak-selinux
+  - flatpak-kcm
+  - flatpak-session-helper
+  - fedora-flathub-remote
+  - toolbox
+  - kde-print-manager
+  - kde-print-manager-libs
+  - hplip
+  - cups
+  - gutenprint-cups
+  - cups-browsed
+  - bluez-cups
+  - cups-filters
+  - braille-printer-app
+  - libppd
+  - plasma-discover-flatpak
+  - ibus
+  - ibus-panel
+  - ibus-m17n
+  - ibus-libpinyin
+  - ibus-hangul
+  - ibus-libzhuyin
+  - ibus-qt
+  - ibus-anthy
+  - ibus-anthy-python
+  - ibus-setup
+  - ibus-typing-booster
+  - open-vm-tools
+  - open-vm-tools-desktop
+  - krfb
+  - krfb-libs
+  - qt5-qdbusviewer

config/recipe-kinoite-main.yml

@@ -0,0 +1,53 @@
+# image will be published to ghcr.io/<user>/<name>
+name: kinoite-main-hardened
+# description will be included in the image's metadata
+description: "Kinoite main with minimal hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/ublue-os/kinoite-main
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+
+  - type: files
+    files:
+      - usr: /usr # copy static configurations
+                  # configuration you wish to end up in /etc/ on the booted system should be 
+                  # added into /usr/etc/ (under /config/files) as that is the proper "distro" 
+                  # config directory on ostree read more in the files module's README
+
+  - from-file: common-packages.yml
+  - from-file: kinoite-packages.yml
+
+
+  - type: fonts
+    fonts:
+      nerd-fonts:
+        - FiraCode # don't add "Nerd Font" suffix.
+        - Hack
+        - SourceCodePro
+        - Terminus
+        - JetBrainsMono
+        - NerdFontsSymbolsOnly
+      google-fonts:
+        - Roboto
+        - Open Sans
+
+  - type: bling # configure what to pull in from ublue-os/bling
+    install:
+      - justfiles # add "!include /usr/share/ublue-os/just/bling.just"
+                  # in your custom.just (added by default) or local justfile
+      - laptop 
+
+      # - ublue-update # https://github.com/ublue-os/ublue-update
+      # - dconf-update-service # a service unit that updates the dconf db on boot
+      # - devpod # https://devpod.sh/ as an rpm
+
+  - type: script
+    scripts:
+      # this sets up the proper policy & signing files for signed images to work
+      - signing.sh
+      - cron.sh
+      - chromium.sh

config/recipe-kinoite-nvidia.yml

@@ -0,0 +1,52 @@
+# image will be published to ghcr.io/<user>/<name>
+name: kinoite-nvidia-hardened
+# description will be included in the image's metadata
+description: "Kinoite nvidia with minimal hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/ublue-os/kinoite-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+
+  - type: files
+    files:
+      - usr: /usr # copy static configurations
+                  # configuration you wish to end up in /etc/ on the booted system should be 
+                  # added into /usr/etc/ as that is the proper "distro" config directory on ostree
+                  # read more in the files module's README
+  - from-file: common-packages.yml
+  - from-file: kinoite-packages.yml
+
+  - type: bling # configure what to pull in from ublue-os/bling
+    install:
+      - justfiles # add "!include /usr/share/ublue-os/just/bling.just"
+                  # in your custom.just (added by default) or local justfile
+      - laptop 
+      # - ublue-update # https://github.com/ublue-os/ublue-update
+      # - dconf-update-service # a service unit that updates the dconf db on boot
+      # - devpod # https://devpod.sh/ as an rpm
+
+
+  - type: fonts
+    fonts:
+      nerd-fonts:
+        - FiraCode # don't add "Nerd Font" suffix.
+        - Hack
+        - SourceCodePro
+        - Terminus
+        - JetBrainsMono
+        - NerdFontsSymbolsOnly
+      google-fonts:
+        - Roboto
+        - Open Sans
+        
+
+  - type: script
+    scripts:
+      # this sets up the proper policy & signing files for signed images to work
+      - signing.sh
+      - cron.sh
+      - chromium.sh

config/recipe-silverblue-main.yml

@@ -1,7 +1,7 @@
 # image will be published to ghcr.io/<user>/<name>
-name: startingpoint
+name: silverblue-main-hardened
 # description will be included in the image's metadata
-description: A starting point for further customization of uBlue images. Make your own! https://ublue.it/making-your-own/
+description: "Silverblue main with minimal hardening applied"
 
 # the base image to build on top of (FROM) and the version tag to use
 base-image: ghcr.io/ublue-os/silverblue-main
@@ -20,22 +20,14 @@ modules:
                   # should be added into /usr/etc/ as that is the proper "distro"
                   # config directory on ostree. Read more in the files module's README
 
-  - type: rpm-ostree
-    repos:
-      # - https://copr.fedorainfracloud.org/coprs/atim/starship/repo/fedora-%OS_VERSION%/atim-starship-fedora-%OS_VERSION%.repo
-    install:
-      # - micro
-      # - starship
-    remove:
-      - firefox # default firefox removed in favor of flatpak
-      - firefox-langpacks # langpacks needs to also be removed to prevent dependency problems
+  - from-file: common-packages.yml
+  - from-file: silverblue-packages.yml
 
   - type: bling # configure what to pull in from ublue-os/bling
     install:
       - justfiles # add "!include /usr/share/ublue-os/just/100-bling.just"
                   # in your custom.just (added by default) or local justfile
-      - nix-installer # shell shortcuts for determinate system's nix installers
-      - ublue-os-wallpapers
+      - laptop 
       # - ublue-update # https://github.com/ublue-os/ublue-update
       # - 1password # install 1Password (stable) and `op` CLI tool
       # - dconf-update-service # a service unit that updates the dconf db on boot
@@ -46,13 +38,23 @@ modules:
       # - flatpaksync # allows synchronization of user-installed flatpaks, see separate documentation section
 
 
-  - type: yafti # if included, yafti and it's dependencies (pip & libadwaita)
-                #  will be installed and set up
-    custom-flatpaks: # this section is optional
-      # - Celluloid: io.github.celluloid_player.Celluloid
-      # - Krita: org.kde.krita
+  - type: fonts
+    fonts:
+      nerd-fonts:
+        - FiraCode # don't add "Nerd Font" suffix.
+        - Hack
+        - SourceCodePro
+        - Terminus
+        - JetBrainsMono
+        - NerdFontsSymbolsOnly
+      google-fonts:
+        - Roboto
+        - Open Sans
+        
 
   - type: script
     scripts:
       # this sets up the proper policy & signing files for signed images to work
       - signing.sh
+      - cron.sh
+      - chromium.sh

config/recipe-silverblue-nvidia.yml

@@ -0,0 +1,54 @@
+# image will be published to ghcr.io/<user>/<name>
+name: silverblue-nvidia-hardened
+# description will be included in the image's metadata
+description: "Silverblue nvidia with minimal hardening applied"
+
+# the base image to build on top of (FROM) and the version tag to use
+base-image: ghcr.io/ublue-os/silverblue-nvidia
+image-version: 39
+
+# list of modules, executed in order
+# you can include multiple instances of the same module
+modules:
+
+  - type: files
+    files:
+      - usr: /usr # copy static configurations
+                  # configuration you wish to end up in /etc/ on the booted system should be 
+                  # added into /usr/etc/ as that is the proper "distro" config directory on ostree
+                  # read more in the files module's README
+
+  - from-file: common-packages.yml
+  - from-file: silverblue-packages.yml
+
+  - type: bling # configure what to pull in from ublue-os/bling
+    install:
+      - justfiles # add "!include /usr/share/ublue-os/just/bling.just"
+                  # in your custom.just (added by default) or local justfile
+      - laptop
+      # - ublue-update # https://github.com/ublue-os/ublue-update
+      # - dconf-update-service # a service unit that updates the dconf db on boot
+      # - devpod # https://devpod.sh/ as an rpm
+
+
+  - type: fonts
+    fonts:
+      nerd-fonts:
+        - FiraCode # don't add "Nerd Font" suffix.
+        - Hack
+        - SourceCodePro
+        - Terminus
+        - JetBrainsMono
+        - NerdFontsSymbolsOnly
+      google-fonts:
+        - Roboto
+        - Open Sans
+        
+
+
+  - type: script
+    scripts:
+      # this sets up the proper policy & signing files for signed images to work
+      - signing.sh
+      - cron.sh
+      - chromium.sh

config/scripts/chromium.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+# Tell this script to exit if there are any errors.
+# You should have this in every custom script, to ensure that your completed
+# builds actually ran successfully without any errors!
+set -oue pipefail
+
+echo "Installing chromium from koji updates-testing"
+koji download-build --arch=x86_64 $(koji latest-build f39-build chromium | awk 'NR==3 {print $1}')
+rm chromedriver-*.rpm
+rm chromium-headless-*.rpm
+rpm-ostree install *.rpm

config/scripts/cron.sh

@@ -5,6 +5,10 @@
 # builds actually ran successfully without any errors!
 set -oue pipefail
 
-# Your code goes here.
-echo 'This is an example shell script'
-echo 'Scripts here will run during build if specified in recipe.yml'
+# echo "Setting more restrictive file permissions..."
+# chmod 700 /etc/cron.d
+# chmod 700 /etc/cron.daily/
+# chmod 700 /etc/cron.daily
+# chmod 700 /etc/cron.hourly
+# chmod 700 /etc/cron.weekly
+# chmod 700 /etc/cron.monthly

config/silverblue-packages.yml

@@ -0,0 +1,40 @@
+type: rpm-ostree
+repos:
+  # - https://blah
+install:    
+  - gnome-shell-extension-appindicator
+  - gnome-shell-extension-pop-shell
+  - gnome-console
+  - gnome-text-editor
+  - firewall-config
+remove:
+  - gnome-terminal
+  - gnome-terminal-nautilus
+  - gnome-tour
+  - yelp
+  - gnome-user-share
+  - mod_lua
+  - httpd
+  - httpd-core
+  - mod_http2
+  - mod_dnssd
+  - gnome-remote-desktop
+  - libvncserver
+  - hplip
+  - cups
+  - gutenprint-cups
+  - cups-browsed
+  - bluez-cups
+  - cups-filters
+  - braille-printer-app
+  - libppd
+  - gnome-software
+  - gnome-software-rpm-ostree
+  - flatpak
+  - flatpak-libs
+  - flatpak-selinux
+  - flatpak-session-helper
+  - malcontent-ui-libs
+  - malcontent-control
+  - toolbox
+  - fedora-flathub-remote

cosign.pub

@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELYK0cZjzpDF+bmiOMd6D7F+mi0Hv
+MhgXMA/VJvvwWJowh3izN28j4wAIA5T6HlTNqnr8CqJRDVciNpgtv0ACFA==
 -----END PUBLIC KEY-----