feat: nvidia-open images, major streamlining, bugfixes, and polish (#461)

This commit is contained in:
qoijjj
2024-10-17 18:20:58 -07:00
committed by GitHub
parent 87c90393c9
commit f0bab7f5b2
161 changed files with 1203 additions and 1746 deletions


@@ -1,8 +1,7 @@
name: build-secureblue
on:
schedule:
- cron: "00 5 * * *" # build at 5:00 UTC every day
# 80 minutes after the last uBlue images start building
- cron: "00 6 * * *" # build at 6:00 UTC every day
# 60 minutes after last wayblue images start building
push:
paths-ignore: # don't rebuild if only documentation has changed
@@ -23,95 +22,77 @@ jobs:
recipe:
# non-userns
# general
- general/recipe-aurora-main.yml
- general/recipe-aurora-nvidia.yml
- general/recipe-aurora-surface.yml
- general/recipe-aurora-surface-nvidia.yml
- general/recipe-silverblue-main.yml
- general/recipe-silverblue-nvidia.yml
- general/recipe-silverblue-nvidia-open.yml
- general/recipe-kinoite-main.yml
- general/recipe-kinoite-nvidia.yml
- general/recipe-cinnamon-main.yml
- general/recipe-cinnamon-nvidia.yml
- general/recipe-bluefin-main.yml
- general/recipe-bluefin-nvidia.yml
- general/recipe-kinoite-nvidia-open.yml
- general/recipe-sericea-main.yml
- general/recipe-sericea-nvidia.yml
- general/recipe-sericea-nvidia-open.yml
- general/recipe-wayblue-wayfire-main.yml
- general/recipe-wayblue-wayfire-nvidia.yml
- general/recipe-wayblue-wayfire-nvidia-open.yml
- general/recipe-wayblue-hyprland-main.yml
- general/recipe-wayblue-hyprland-nvidia.yml
- general/recipe-wayblue-hyprland-nvidia-open.yml
- general/recipe-wayblue-river-main.yml
- general/recipe-wayblue-river-nvidia.yml
- general/recipe-wayblue-river-nvidia-open.yml
- general/recipe-wayblue-sway-main.yml
- general/recipe-wayblue-sway-nvidia.yml
- general/recipe-cosmic-main.yml
- general/recipe-cosmic-nvidia.yml
# asus
- asus/recipe-silverblue-asus.yml
- asus/recipe-silverblue-asus-nvidia.yml
- asus/recipe-kinoite-asus.yml
- asus/recipe-kinoite-asus-nvidia.yml
- asus/recipe-aurora-asus.yml
- asus/recipe-aurora-asus-nvidia.yml
- general/recipe-wayblue-sway-nvidia-open.yml
# - general/recipe-cosmic-main.yml
# - general/recipe-cosmic-nvidia.yml
# - general/recipe-cosmic-nvidia-open.yml
# server
- securecore/recipe-securecore-main.yml
- securecore/recipe-securecore-nvidia.yml
- securecore/recipe-securecore-nvidia-open.yml
- securecore/recipe-securecore-zfs-main.yml
- securecore/recipe-securecore-zfs-nvidia.yml
- securecore/recipe-securecore-zfs-nvidia-open.yml
# userns
# general
- general/recipe-aurora-surface-userns.yml
- general/recipe-aurora-surface-nvidia-userns.yml
- general/recipe-aurora-dx-main-userns.yml
- general/recipe-aurora-dx-nvidia-userns.yml
- general/recipe-aurora-dx-surface-nvidia-userns.yml
- general/recipe-aurora-dx-surface-userns.yml
- general/recipe-aurora-main-userns.yml
- general/recipe-aurora-nvidia-userns.yml
- general/recipe-silverblue-main-userns.yml
- general/recipe-silverblue-nvidia-userns.yml
- general/recipe-silverblue-nvidia-open-userns.yml
- general/recipe-kinoite-main-userns.yml
- general/recipe-kinoite-nvidia-userns.yml
- general/recipe-cinnamon-main-userns.yml
- general/recipe-cinnamon-nvidia-userns.yml
- general/recipe-bluefin-main-userns.yml
- general/recipe-bluefin-nvidia-userns.yml
- general/recipe-bluefin-dx-main-userns.yml
- general/recipe-bluefin-dx-nvidia-userns.yml
- general/recipe-kinoite-nvidia-open-userns.yml
- general/recipe-sericea-main-userns.yml
- general/recipe-sericea-nvidia-userns.yml
- general/recipe-sericea-nvidia-open-userns.yml
- general/recipe-wayblue-wayfire-main-userns.yml
- general/recipe-wayblue-wayfire-nvidia-userns.yml
- general/recipe-wayblue-wayfire-nvidia-open-userns.yml
- general/recipe-wayblue-hyprland-main-userns.yml
- general/recipe-wayblue-hyprland-nvidia-userns.yml
- general/recipe-wayblue-hyprland-nvidia-open-userns.yml
- general/recipe-wayblue-river-main-userns.yml
- general/recipe-wayblue-river-nvidia-userns.yml
- general/recipe-wayblue-river-nvidia-open-userns.yml
- general/recipe-wayblue-sway-main-userns.yml
- general/recipe-wayblue-sway-nvidia-userns.yml
- general/recipe-cosmic-main-userns.yml
- general/recipe-cosmic-nvidia-userns.yml
# asus
- asus/recipe-silverblue-asus-userns.yml
- asus/recipe-silverblue-asus-nvidia-userns.yml
- asus/recipe-kinoite-asus-userns.yml
- asus/recipe-kinoite-asus-nvidia-userns.yml
- asus/recipe-aurora-asus-userns.yml
- asus/recipe-aurora-asus-nvidia-userns.yml
- asus/recipe-aurora-dx-asus-userns.yml
- asus/recipe-aurora-dx-asus-nvidia-userns.yml
- general/recipe-wayblue-sway-nvidia-open-userns.yml
# - general/recipe-cosmic-main-userns.yml
# - general/recipe-cosmic-nvidia-userns.yml
# - general/recipe-cosmic-nvidia-open-userns.yml
# server
- securecore/recipe-securecore-main-userns.yml
- securecore/recipe-securecore-nvidia-userns.yml
- securecore/recipe-securecore-nvidia-open-userns.yml
- securecore/recipe-securecore-zfs-main-userns.yml
- securecore/recipe-securecore-zfs-nvidia-userns.yml
- securecore/recipe-securecore-zfs-nvidia-open-userns.yml
steps:
- name: Checkout repo
uses: actions/checkout@v4
- name: Add yq (for reading recipe.yml)
uses: mikefarah/yq@v4.44.2
uses: mikefarah/yq@v4.44.3
- name: Gather image data from recipe
run: |
@@ -120,12 +101,6 @@ jobs:
BASE_IMAGE=$(yq '.base-image' ./recipes/${{ matrix.recipe }})
echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
- name: Verify base image
if: ${{ !contains(env.IMAGE_NAME, 'wayblue') && !contains(env.IMAGE_NAME, 'cinnamon') && !contains(env.IMAGE_NAME, 'securecore') }}
uses: EyeCantCU/cosign-action/verify@v0.3.0
with:
containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
- name: Verify base image
if: ${{ contains(env.IMAGE_NAME, 'wayblue') }}
uses: EyeCantCU/cosign-action/verify@v0.3.0
@@ -134,26 +109,43 @@ jobs:
registry: 'ghcr.io/wayblueorg'
pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub'
- name: Verify base image
if: ${{ contains(env.IMAGE_NAME, 'cinnamon') }}
uses: EyeCantCU/cosign-action/verify@v0.3.0
with:
containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
registry: 'ghcr.io/legacy-images'
pubkey: 'https://raw.githubusercontent.com/legacy-images/cinnamon/main/cosign.pub'
- name: Verify base image
- name: Validate server kernel and kmod versions
if: ${{ contains(env.IMAGE_NAME, 'securecore') }}
uses: EyeCantCU/cosign-action/verify@v0.3.0
uses: Wandalen/wretry.action@v3.5.0
with:
containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
registry: 'ghcr.io/secureblue'
pubkey: 'https://raw.githubusercontent.com/secureblue/coreos/main/cosign.pub'
attempt_limit: 3
attempt_delay: 15000
command: |
set -eo pipefail
linux=$(skopeo inspect docker://ghcr.io/ublue-os/coreos-testing-kernel:40 | jq -r '.Labels["ostree.linux"]')
AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:coreos-testing-40 | jq -r '.Labels["ostree.linux"]')
if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then
echo "Kernel Versions do not match between AKMODS and Cached-Kernel."
exit 1
fi
echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV
- name: Validate desktop kernel and kmod versions
if: ${{ !contains(env.IMAGE_NAME, 'securecore') }}
uses: Wandalen/wretry.action@v3.5.0
with:
attempt_limit: 3
attempt_delay: 15000
command: |
set -eo pipefail
linux=$(skopeo inspect docker://ghcr.io/ublue-os/main-kernel:40 | jq -r '.Labels["ostree.linux"]')
AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:main-40 | jq -r '.Labels["ostree.linux"]')
if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then
echo "Kernel Versions do not match between AKMODS and Cached-Kernel."
exit 1
fi
echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV
- name: Build secureblue
uses: blue-build/github-action@v1.6.1
with:
cli_version: v0.8.14
cli_version: v0.8.20
recipe: ${{ matrix.recipe }}
cosign_private_key: ${{ secrets.SIGNING_SECRET }}
registry_token: ${{ github.token }}
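Review bot: The four `skopeo inspect` lines in the two new validation steps hard-code the Fedora release in the image references (`coreos-testing-kernel:40`, `akmods:coreos-testing-40`, `main-kernel:40`, `akmods:main-40`) while the cosign step in the same job derives the tag from the recipe via `${{ env.IMAGE_MAJOR_VERSION }}`, so once a recipe moves to a newer `image-version` these steps keep comparing release-40 labels and pass or fail for the wrong kernel. Using `:${{ env.IMAGE_MAJOR_VERSION }}` and `coreos-testing-${{ env.IMAGE_MAJOR_VERSION }}` / `main-${{ env.IMAGE_MAJOR_VERSION }}` keeps them in step with the recipe. Separately, the securecore `Verify base image` step is replaced by the kernel check rather than kept alongside it, and the new steps only compare `ostree.linux` labels — they do not verify signatures on the kernel/akmods images they inspect or on the securecore base — so unless that verification happens elsewhere (the recipes are not visible here) the job has lost its signature check for securecore. Minor: `$GITHUB_ENV` is unquoted in both `echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV` lines, and the two steps differ only in image names, which a single step with the names chosen by the existing `contains(env.IMAGE_NAME, 'securecore')` condition would avoid duplicating.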


@@ -13,7 +13,14 @@ If you are using an nvidia image, run this after installation:
rpm-ostree kargs \
--append-if-missing=rd.driver.blacklist=nouveau \
--append-if-missing=modprobe.blacklist=nouveau \
--append-if-missing=nvidia-drm.modeset=1
--append-if-missing=nvidia-drm.modeset=1 \
--append-if-missing=nvidia-drm.fbdev=1
```
You may also need this (solves flickering and luks issues on some nvidia hardware):
```
rpm-ostree kargs \
--append-if-missing=initcall_blacklist=simpledrm_platform_driver_init
```
### Nvidia optimus laptop
@@ -120,6 +127,11 @@ To validate your secureblue setup, run:
```
ujust audit-secureblue
```
## Optional: `hardened-chromium` Flags
The included hardened-chromium browser has some additional settings in `chrome://flags` you *may* want to set for additional hardening, and convenience. (That can cause functionality issues in *some* cases)
You can read about these settings [here](https://github.com/secureblue/hardened-chromium?tab=readme-ov-file#post-install).
## Read the FAQ
Lots of important stuff is covered in the [FAQ](https://github.com/secureblue/secureblue/blob/live/FAQ.md). AppImage toggles, GNOME extension toggles, Xwayland toggles, etc.


@@ -4,6 +4,9 @@ The recommended method to install secureblue is to rebase from an upstream silve
## Preinstall guide
> [!TIP]
> If you don't yet have a Fedora Atomic installation medium, you should obtain an image from the official Fedora Project website, [here](https://fedoraproject.org/atomic-desktops/). Once you have downloaded an image, it is *highly reccomended* that you [verify](https://fedoraproject.org/security) it for security and integrity.
### Fedora Installation
- Select the option to encrypt the drive you're installing to.
- Use a [strong password](https://security.harvard.edu/use-strong-passwords) when prompted.

README.md

@@ -11,14 +11,14 @@
[![Discord](https://img.shields.io/discord/1202086019298500629?style=flat&logo=discord&logoColor=white&label=Discord&labelColor=%235F6AE9&color=%2333CB56)](https://discord.com/invite/qMTv5cKfbF)
[![Donate](https://img.shields.io/badge/Donate-blue.svg)](https://github.com/secureblue/secureblue/blob/live/DONATE.md)
This repo uses [BlueBuild](https://blue-build.org/) to generate hardened operating system images, using [uBlue](https://universal-blue.org)'s [Fedora Atomic](https://fedoraproject.org/atomic-desktops/)-based [base images](https://github.com/orgs/ublue-os/packages?repo_name=main) as a starting point.
This repo uses [BlueBuild](https://blue-build.org/) to generate hardened operating system images, using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point.
# Scope
secureblue applies hardening with the following goals in mind:
- Increase defenses against the exploitation of both known and unknown vulnerabilities.
- Avoid sacrificing usability for most use cases where possible
- Avoid sacrificing usability for most use cases where possible.
The following are not in scope:
- Anything that sacrifices security for "privacy". Fedora is already sufficiently private and "privacy" often serves as a euphemism for security theater. This is especially true when at odds with improving security.
@@ -59,7 +59,7 @@ The following are not in scope:
Fedora is one of the few distributions that ships with selinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a hardened system. However, out of the box it's lacking hardening in numerous other areas. This project's goal is to improve on that significantly.
For more info on uBlue and BlueBuild, check out the [uBlue homepage](https://universal-blue.org/) and the [BlueBuild homepage](https://blue-build.org/).
For more info on BlueBuild, check out the [BlueBuild homepage](https://blue-build.org/).
# Customization
@@ -78,15 +78,17 @@ Sponsorship options are on the [Donate](DONATE.md) page. All donations are appre
Have a look at [PREINSTALL-README](PREINSTALL-README.md) before proceeding.
## Rebasing (Recommended)
*Note: if you don't already have a Fedora Atomic installation, use a Fedora Atomic iso that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue iso, Kinoite for Kinoite, and Sericea (Sway Atomic) for Sericea and all the Wayblue images.*
> [!NOTE]
> If you don't already have a Fedora Atomic installation, use a Fedora Atomic ISO that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue ISO, Kinoite for Kinoite, and Sericea (Sway Atomic) for Sericea and all the Wayblue images.
To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) installation, choose an $IMAGE_NAME from the [list below](README.md#images-userns), then follow these steps:
To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) installation, follow these steps<sup></sup>:
*(Important note: the **only** supported tag is `latest`)*
> [!IMPORTANT]
> The **only** supported tag is `latest`.
- First rebase to the unsigned image, to get the proper signing keys and policies installed:
```
rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/$IMAGE_NAME:latest
rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/IMAGE_NAME:latest
```
- Reboot to complete the rebase:
```
@@ -94,72 +96,125 @@ To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) installa
```
- Then rebase to the signed image, like so:
```
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_NAME:latest
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/IMAGE_NAME:latest
```
- Reboot again to complete the installation
- Reboot again to complete the installation:
```
systemctl reboot
```
<sup>‡</sup> Replace `IMAGE_NAME` with the *full name* of your preferred image from the [list below](README.md#images).
## ISO
While it's recommended to use a Fedora Atomic iso to install and then rebase that installation to secureblue, you can also generate an iso and install that directly using [this script](generate_secureblue_iso.sh). Please note you should still follow the [post-install steps](README.md#post-install) when installing from a generated iso:
While it's recommended to use a Fedora Atomic ISO to install and then rebase that installation to secureblue, you can also generate an ISO and install that directly using [this script](generate_secureblue_iso.sh). Please note you should still follow the [post-install steps](README.md#post-install) when installing from a generated ISO:
```
./generate_secureblue_iso.sh
```
# Images <sup>[userns?](USERNS.md)</sup>
# Images
> [!NOTE]
> Learn about unprivileged user namespaces [here](USERNS.md).
## Desktop
*`nvidia-open` images are recommended for systems with Nvidia GPUs Turing or newer.*
*`nvidia` images are recommended for systems with Nvidia GPUs Pascal or older.*
### Recommended <sup>[why?](RECOMMENDED.md)</sup>
- `silverblue-main-hardened`
- `silverblue-nvidia-hardened`
- `silverblue-main-userns-hardened`
- `silverblue-nvidia-userns-hardened`
#### Silverblue
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `silverblue-main-hardened` | Silverblue| No | No |
| `silverblue-nvidia-hardened` | Silverblue| Yes, closed drivers | No |
| `silverblue-nvidia-open-hardened` | Silverblue| Yes, open drivers | No |
| `silverblue-main-userns-hardened` | Silverblue| No | Yes |
| `silverblue-nvidia-userns-hardened` | Silverblue| Yes, closed drivers | Yes |
| `silverblue-nvidia-open-userns-hardened` | Silverblue| Yes, open drivers | Yes |
### Stable
- `kinoite-main-hardened`
- `kinoite-nvidia-hardened`
- `kinoite-main-userns-hardened`
- `kinoite-nvidia-userns-hardened`
- `sericea-main-hardened`
- `sericea-nvidia-hardened`
- `sericea-main-userns-hardened`
- `sericea-nvidia-userns-hardened`
### Beta <sup>[wayblue?](https://github.com/wayblueorg/wayblue)</sup>
- `wayblue-wayfire-main-hardened`
- `wayblue-wayfire-nvidia-hardened`
- `wayblue-wayfire-main-userns-hardened`
- `wayblue-wayfire-nvidia-userns-hardened`
- `wayblue-hyprland-main-hardened`
- `wayblue-hyprland-nvidia-hardened`
- `wayblue-hyprland-main-userns-hardened`
- `wayblue-hyprland-nvidia-userns-hardened`
- `wayblue-river-main-hardened`
- `wayblue-river-nvidia-hardened`
- `wayblue-river-main-userns-hardened`
- `wayblue-river-nvidia-userns-hardened`
- `wayblue-sway-main-hardened`
- `wayblue-sway-nvidia-hardened`
- `wayblue-sway-main-userns-hardened`
- `wayblue-sway-nvidia-userns-hardened`
### Experimental
- `cinnamon-main-hardened`
- `cinnamon-nvidia-hardened`
- `cinnamon-main-userns-hardened`
- `cinnamon-nvidia-userns-hardened`
- `cosmic-main-hardened`
- `cosmic-nvidia-hardened`
- `cosmic-main-userns-hardened`
- `cosmic-nvidia-userns-hardened`
#### Kinoite
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `kinoite-main-hardened` | Kinoite | No | No |
| `kinoite-nvidia-hardened` | Kinoite | Yes, closed drivers | No |
| `kinoite-nvidia-open-hardened` | Kinoite | Yes, open drivers | No |
| `kinoite-main-userns-hardened` | Kinoite | No | Yes |
| `kinoite-nvidia-userns-hardened` | Kinoite | Yes, closed drivers | Yes |
| `kinoite-nvidia-open-userns-hardened` | Kinoite | Yes, open drivers | Yes |
#### Sericea
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|------------------------------|
| `sericea-main-hardened` | Sericea | No | No |
| `sericea-nvidia-hardened` | Sericea | Yes, closed drivers | No |
| `sericea-nvidia-open-hardened` | Sericea | Yes, open drivers | No |
| `sericea-main-userns-hardened` | Sericea | No | Yes |
| `sericea-nvidia-userns-hardened` | Sericea | Yes, closed drivers | Yes |
| `sericea-nvidia-open-userns-hardened` | Sericea | Yes, open drivers | Yes |
### Beta
> [!NOTE]
> Learn about wayblue [here](https://github.com/wayblueorg/wayblue).
#### Wayfire
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-wayfire-main-hardened` | Wayblue-Wayfire | No | No |
| `wayblue-wayfire-nvidia-hardened` | Wayblue-Wayfire | Yes, closed drivers | No |
| `wayblue-wayfire-nvidia-open-hardened` | Wayblue-Wayfire | Yes, open drivers | No |
| `wayblue-wayfire-main-userns-hardened` | Wayblue-Wayfire | No | Yes |
| `wayblue-wayfire-nvidia-userns-hardened` | Wayblue-Wayfire | Yes, closed drivers | Yes |
| `wayblue-wayfire-nvidia-open-userns-hardened` | Wayblue-Wayfire | Yes, open drivers | Yes |
#### Hyprland
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-hyprland-main-hardened` | Wayblue-Hyprland | No | No |
| `wayblue-hyprland-nvidia-hardened` | Wayblue-Hyprland | Yes, closed drivers | No |
| `wayblue-hyprland-nvidia-open-hardened` | Wayblue-Hyprland | Yes, open drivers | No |
| `wayblue-hyprland-main-userns-hardened` | Wayblue-Hyprland | No | Yes |
| `wayblue-hyprland-nvidia-userns-hardened`| Wayblue-Hyprland | Yes, closed drivers | Yes |
| `wayblue-hyprland-nvidia-open-userns-hardened` | Wayblue-Hyprland | Yes, open drivers | Yes |
#### River
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-river-main-hardened` | Wayblue-River | No | No |
| `wayblue-river-nvidia-hardened` | Wayblue-River | Yes, closed drivers | No |
| `wayblue-river-nvidia-open-hardened` | Wayblue-River | Yes, open drivers | No |
| `wayblue-river-main-userns-hardened` | Wayblue-River | No | Yes |
| `wayblue-river-nvidia-userns-hardened` | Wayblue-River | Yes, closed drivers | Yes |
| `wayblue-river-nvidia-open-userns-hardened` | Wayblue-River | Yes, open drivers | Yes |
#### Sway
| Name | Base | Nvidia Support | Unpriv. Userns |
|-------------------------------------------|-----------------------|-------------------------|------------------------------|
| `wayblue-sway-main-hardened` | Wayblue-Sway | No | No |
| `wayblue-sway-nvidia-hardened` | Wayblue-Sway | Yes, closed drivers | No |
| `wayblue-sway-nvidia-open-hardened` | Wayblue-Sway | Yes, open drivers | No |
| `wayblue-sway-main-userns-hardened` | Wayblue-Sway | No | Yes |
| `wayblue-sway-nvidia-userns-hardened` | Wayblue-Sway | Yes, closed drivers | Yes |
| `wayblue-sway-nvidia-open-userns-hardened` | Wayblue-Sway | Yes, open drivers | Yes |
## Server
- `securecore-main-hardened`
- `securecore-nvidia-hardened`
- `securecore-main-userns-hardened`
- `securecore-nvidia-userns-hardened`
- `securecore-zfs-main-hardened`
- `securecore-zfs-nvidia-hardened`
- `securecore-zfs-main-userns-hardened`
- `securecore-zfs-nvidia-userns-hardened`
| Name | Base | Nvidia Support | ZFS Support | Unpriv. Userns |
|-------------------------------------------|-----------|-------------------------|-------------|------------------------------|
| `securecore-main-hardened` | CoreOS | No | No | No |
| `securecore-nvidia-hardened` | CoreOS | Yes, closed drivers | No | No |
| `securecore-nvidia-open-hardened` | CoreOS | Yes, open drivers | No | No |
| `securecore-main-userns-hardened` | CoreOS | No | No | Yes |
| `securecore-nvidia-userns-hardened` | CoreOS | Yes, closed drivers | No | Yes |
| `securecore-nvidia-open-userns-hardened` | CoreOS | Yes, open drivers | No | Yes |
| `securecore-zfs-main-hardened` | CoreOS | No | Yes | No |
| `securecore-zfs-nvidia-hardened` | CoreOS | Yes, closed drivers | Yes | No |
| `securecore-zfs-nvidia-open-hardened` | CoreOS | Yes, open drivers | Yes | No |
| `securecore-zfs-main-userns-hardened` | CoreOS | No | Yes | Yes |
| `securecore-zfs-nvidia-userns-hardened` | CoreOS | Yes, closed drivers | Yes | Yes |
| `securecore-zfs-nvidia-open-userns-hardened` | CoreOS | Yes, open drivers | Yes | Yes |
# Post-install


@@ -4,4 +4,4 @@
# Tell build process to exit if there are any errors.
set -oue pipefail
sed -i 's/firefox/chromium-browser/' /usr/share/wayfire/wf-shell.ini
sed -i 's/org.mozilla.firefox/chromium-browser/' /usr/share/wayfire/wf-shell.ini
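Review bot: The corrected `sed` expression still cannot tell the build whether it matched anything — `sed -i` exits 0 on zero substitutions, so `set -e` never fires — which is exactly how the previous `s/firefox/...` pattern went unnoticed until this fix. Guarding with `grep -q 'org.mozilla.firefox' /usr/share/wayfire/wf-shell.ini` before the `sed -i` (or asserting afterwards with `grep -q chromium-browser /usr/share/wayfire/wf-shell.ini`) makes a future upstream rename fail the build loudly instead of shipping an unchanged config. The same silent no-op applies to the new `sed -i` edits in the `90-ublue-luks.conf` and `99-nvidia-dracut.conf` scripts later in this commit.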


@@ -0,0 +1,8 @@
#!/usr/bin/env bash
# Tell this script to exit if there are any errors.
# You should have this in every custom script, to ensure that your completed
# builds actually ran successfully without any errors!
set -oue pipefail
curl -L https://pkgs.tailscale.com/stable/fedora/tailscale.repo -o /etc/yum.repos.d/tailscale.repo
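Review bot: `curl -L` without `--fail` writes whatever the server returns — including an HTML error page on a 404 or a redirect to a login page — into `/etc/yum.repos.d/tailscale.repo` and still exits 0, so `set -oue pipefail` cannot catch a bad download. Using `curl -fsSL --proto '=https' --tlsv1.2 https://pkgs.tailscale.com/stable/fedora/tailscale.repo -o /etc/yum.repos.d/tailscale.repo` makes HTTP errors and any non-HTTPS redirect fail the build. Whether packages from this repo are later GPG-checked depends on the `gpgcheck`/`repo_gpgcheck` values inside the fetched file, which the image trusts at face value at build time; vendoring the repo definition and its signing key in this repository would remove that dependency on a remote definition. The `curl -Lo` of the copr staging repo in the later `android-udev-rules` script has the same `--fail` gap.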


@@ -42,7 +42,7 @@ chmod u+s /usr/bin/bwrap
echo "
module chrome_sandbox 1.0;
module chrome_sandbox_secureblue 1.0;
require {
type chrome_sandbox_home_t;
@@ -54,12 +54,12 @@ require {
allow chrome_sandbox_t chrome_sandbox_home_t:file map;
" > chrome_sandbox.te
" > chrome_sandbox_secureblue.te
checkmodule -M -m -o chrome_sandbox.mod chrome_sandbox.te
semodule_package -o chrome_sandbox.pp -m chrome_sandbox.mod
semodule -i chrome_sandbox.pp
checkmodule -M -m -o chrome_sandbox_secureblue.mod chrome_sandbox_secureblue.te
semodule_package -o chrome_sandbox_secureblue.pp -m chrome_sandbox_secureblue.mod
semodule -i chrome_sandbox_secureblue.pp
rm chrome_sandbox.te
rm chrome_sandbox.mod
rm chrome_sandbox.pp
rm chrome_sandbox_secureblue.te
rm chrome_sandbox_secureblue.mod
rm chrome_sandbox_secureblue.pp


@@ -0,0 +1,6 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
sed -i 's/add_dracutmodules+=" fido2 tpm2-tss pkcs11 pcsc "/add_dracutmodules+=" fido2 tpm2-tss pkcs11 "/' /usr/lib/dracut/dracut.conf.d/90-ublue-luks.conf


@@ -0,0 +1,10 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
echo '
omit_dracutmodules+=" zfs "
' > /usr/lib/dracut/dracut.conf.d/99-omit-zfs.conf


@@ -3,11 +3,16 @@
# Tell build process to exit if there are any errors.
set -oue pipefail
sed -i 's/insecureAcceptAnything/reject/' /usr/etc/containers/policy.json
POLICY_FILE="/usr/etc/containers/policy.json"
if [[ ! -f "$POLICY_FILE" ]]; then
echo "Error: $POLICY_FILE does not exist."
exit 1
fi
sed -i 's/insecureAcceptAnything/reject/' "$POLICY_FILE"
# Exception for build-container-installer to allow the ISO generation script to work
# https://github.com/JasonN3/build-container-installer/issues/123
yq -i -o=j '.transports.docker |=
{"ghcr.io/jasonn3": [
{
@@ -19,7 +24,7 @@ yq -i -o=j '.transports.docker |=
}
]
}
+ .' /usr/etc/containers/policy.json
+ .' "$POLICY_FILE"
yq -i -o=j '.transports.docker |=
{"ghcr.io/zelikos": [
@@ -32,4 +37,17 @@ yq -i -o=j '.transports.docker |=
}
]
}
+ .' /usr/etc/containers/policy.json
+ .' "$POLICY_FILE"
yq -i -o=j '.transports.docker |=
{"ghcr.io/wayblueorg": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/wayblue.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
]
}
+ .' "$POLICY_FILE"
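Review bot: The new `ghcr.io/wayblueorg` entry is added with the same `.transports.docker |= {...} + .` pattern as the two existing blocks, and as I read yq's map addition the right-hand operand wins on a key conflict, so if the upstream `policy.json` (or an earlier build step) already carries a `ghcr.io/wayblueorg` key the sigstore requirement written here is silently discarded rather than enforced. Assigning the key directly, `.transports.docker["ghcr.io/wayblueorg"] = [ ... ]`, makes the intended policy unconditional; the same applies to the `jasonn3` and `zelikos` blocks above it. The script now aborts when `$POLICY_FILE` is missing but not when `/usr/etc/pki/containers/wayblue.pub` is — a missing key fails closed at pull time, but an explicit `[[ -f /usr/etc/pki/containers/wayblue.pub ]]` check here would surface the misconfiguration at build time instead of on every user's first update.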


@@ -1,35 +0,0 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
sed -i 's/insecureAcceptAnything/reject/' /etc/containers/policy.json
# Exception for build-container-installer to allow the ISO generation script to work
# https://github.com/JasonN3/build-container-installer/issues/123
yq -i -o=j '.transports.docker |=
{"ghcr.io/jasonn3": [
{
"type": "sigstoreSigned",
"keyPath": "/etc/pki/containers/build-container-installer.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
]
}
+ .' /etc/containers/policy.json
yq -i -o=j '.transports.docker |=
{"ghcr.io/zelikos": [
{
"type": "sigstoreSigned",
"keyPath": "/etc/pki/containers/davincibox.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
]
}
+ .' /etc/containers/policy.json


@@ -0,0 +1,8 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
curl -Lo /etc/yum.repos.d/_copr_ublue-os_staging.repo https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${OS_VERSION}"/ublue-os-staging-fedora-"${OS_VERSION}".repo
rpm-ostree install android-udev-rules
rm /etc/yum.repos.d/_copr_ublue-os_staging.repo


@@ -3,4 +3,4 @@
# Tell build process to exit if there are any errors.
set -oue pipefail
rm /usr/share/xsessions/*
semodule --verbose --install /usr/share/selinux/packages/nvidia-container.pp


@@ -0,0 +1,7 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
rpm -q rpmfusion-free-release || rpm-ostree install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-${OS_VERSION}.noarch.rpm
rpm -q rpmfusion-nonfree-release || rpm-ostree install https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-${OS_VERSION}.noarch.rpm
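Review bot: The two `rpm-ostree install https://mirrors.rpmfusion.org/...-release-${OS_VERSION}.noarch.rpm` lines bootstrap the RPM Fusion trust anchors — the release packages are what carry the repo GPG keys — from a URL with nothing to check them against except TLS to a mirror front-end; as far as I can tell rpm-ostree does not GPG-verify packages given as URLs, and even if it did no key is installed yet at this point. Vendoring the release RPMs (or at least an expected sha256 checked before install) in the repository would pin what every image ends up trusting. Minor: `${OS_VERSION}` is unquoted in both lines, though `set -u` at least guarantees it is set.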


@@ -0,0 +1,31 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
find /tmp/rpms
rpm-ostree cliwrap install-to-root /
QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')"
INCOMING_KERNEL_VERSION="$(basename -s .rpm $(ls /tmp/rpms/kernel/kernel-[0-9]*.rpm 2>/dev/null | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//'))"
echo "Qualified kernel: $QUALIFIED_KERNEL"
echo "Incoming kernel version: $INCOMING_KERNEL_VERSION"
if [[ "$INCOMING_KERNEL_VERSION" != "$QUALIFIED_KERNEL" ]]; then
echo "Installing kernel rpm from kernel-cache."
rpm-ostree override replace \
--experimental \
--install=zstd \
/tmp/rpms/kernel/kernel-[0-9]*.rpm \
/tmp/rpms/kernel/kernel-core-*.rpm \
/tmp/rpms/kernel/kernel-modules-*.rpm
else
echo "Installing kernel files from kernel-cache."
cd /tmp
rpm2cpio /tmp/rpms/kernel/kernel-core-*.rpm | cpio -idmv
cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
cd /
fi
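Review bot: In the `else` branch, `cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz` relies on both globs expanding to exactly one path; with more than one kernel directory on either side `cp` receives several sources or a non-directory multi-target and fails, and it never checks that the two directories are the same version. Since `$QUALIFIED_KERNEL` is already computed, `cp "./lib/modules/$QUALIFIED_KERNEL/vmlinuz" "/usr/lib/modules/$QUALIFIED_KERNEL/vmlinuz"` pins the intended file. The `find /tmp/rpms` on the first line looks like leftover debugging output, and the `rpm2cpio ... | cpio -idmv` extraction leaves the unpacked tree under `/tmp/lib`, which should be removed after the copy (or extracted into a `mktemp -d` directory). The unquoted `$(ls ... 2>/dev/null | grep ...)` that derives `INCOMING_KERNEL_VERSION` makes `basename` fail when no kernel RPM is present, which under `set -e` aborts the build — probably intended, but worth a one-line comment saying so.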


@@ -0,0 +1,11 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
rpm-ostree cliwrap install-to-root /
QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')"
/usr/libexec/rpm-ostree/wrapped/dracut --no-hostonly --kver "$QUALIFIED_KERNEL" --reproducible -v --add ostree -f "/lib/modules/$QUALIFIED_KERNEL/initramfs.img"
chmod 0600 "/lib/modules/$QUALIFIED_KERNEL/initramfs.img"


@@ -1,7 +0,0 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
rm /etc/skel/.config/autostart/bluefin-firstboot.desktop
rm /etc/profile.d/bluefin-firstboot.sh


@@ -0,0 +1,10 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
rm -f /etc/yum.repos.d/negativo17-fedora-nvidia.repo
rm -f /etc/yum.repos.d/negativo17-fedora-multimedia.repo
rm -f /etc/yum.repos.d/eyecantcu-supergfxctl.repo
rm -f /etc/yum.repos.d/_copr_ublue-os-akmods.repo
rm -f /etc/yum.repos.d/nvidia-container-toolkit.repo


@@ -0,0 +1,16 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
echo '
# Nvidia modesetting support. Set to 0 or comment to disable kernel modesetting
# support. This must be disabled in case of SLI Mosaic.
options nvidia-drm modeset=1 fbdev=1
' > /usr/lib/modprobe.d/nvidia-modeset.conf
cp /usr/lib/modprobe.d/nvidia-modeset.conf /etc/modprobe.d/nvidia-modeset.conf


@@ -0,0 +1,7 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
sed -i 's@omit_drivers@force_drivers@g' /usr/lib/dracut/dracut.conf.d/99-nvidia-dracut.conf
sed -i 's@ nvidia @ i915 amdgpu nvidia @g' /usr/lib/dracut/dracut.conf.d/99-nvidia-dracut.conf


@@ -0,0 +1,38 @@
#!/usr/bin/env bash
# Tell build process to exit if there are any errors.
set -oue pipefail
rm /etc/sway/environment
echo '
# This file is a part of Fedora configuration for Sway and will be sourced
# from /usr/bin/start-sway script for all users of the system.
# User-specific variables should be placed in $XDG_CONFIG_HOME/sway/environment
#
# vim: set ft=sh:
## Pass extra arguments to the /usr/bin/sway executable
#SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --unsupported-gpu"
SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --unsupported-gpu -D noscanout"
#SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --debug"
## Set environment variables
# Useful variables for wlroots:
# https://gitlab.freedesktop.org/wlroots/wlroots/-/blob/master/docs/env_vars.md
WLR_NO_HARDWARE_CURSORS=1
# Setting renderer to Vulkan may fix flickering but needs the following extensions:
# - VK_EXT_image_drm_format_modifier
# - VK_EXT_physical_device_drm
#
# Source: https://gitlab.freedesktop.org/wlroots/wlroots/-/commit/8e346922508aa3eaccd6e12f2917f6574f349843
WLR_RENDERER=vulkan
# Java Application compatibility
# Source: https://github.com/swaywm/wlroots/issues/1464
_JAVA_AWT_WM_NONREPARENTING=1
' > /etc/sway/environment
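Review bot: `rm /etc/sway/environment` immediately before `echo '...' > /etc/sway/environment` is redundant — the redirection already truncates the file — and because of `set -e` it turns any future upstream change that stops shipping that file into a build failure; dropping the `rm` (or using `rm -f`) keeps the script working either way. The new file sets `WLR_RENDERER=vulkan` unconditionally while its own comment says Vulkan only *may* fix flickering and needs two extensions; a short header comment naming which images this script is wired into (not visible here) would help a reader judge whether an unconditional default is intended. The leading blank line in the multi-line `echo` becomes the first line of `/etc/sway/environment` — harmless, but untidy for a file sourced by `start-sway`.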


@@ -1,6 +0,0 @@
{
"window.titleBarStyle": "custom",
"editor.fontFamily": "'Cascadia Code', 'Droid Sans Mono', 'monospace', monospace",
"telemetry.telemetryLevel": "off",
"gitlens.telemetry.enabled": false
}


@@ -0,0 +1,3 @@
docker:
ghcr.io/wayblueorg:
use-sigstore-attachments: true


@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0HrfZIuVnc6fK0LjNHotudA7ym+c
xTbDVrZb1Y1SXsdbNOsVcCojMRylp9+IE0p/YSsfuGFF64juRx7ZoJ9PpA==
-----END PUBLIC KEY-----


@@ -23,6 +23,7 @@ set-kargs-hardening:
--append-if-missing="spec_store_bypass_disable=on" \
--append-if-missing="l1d_flush=on" \
--append-if-missing="gather_data_sampling=force"
--append-if-missing="ia32_emulation=0"
echo "Hardening kargs set."
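Review bot: The context line `--append-if-missing="gather_data_sampling=force"` has no trailing `\`, so as rendered the new `--append-if-missing="ia32_emulation=0"` line is not part of the `rpm-ostree kargs` invocation but a separate command the shell will try to run (and fail on), aborting the recipe before `echo "Hardening kargs set."` — unless the page dropped a backslash that the real diff adds to the previous line. The fix is a continuation on the preceding line, `--append-if-missing="gather_data_sampling=force" \` followed by `--append-if-missing="ia32_emulation=0"`. The `set-kargs-hardening` recipe starts outside this hunk, so I cannot see whether it is a shebang recipe or a line-by-line one; the continuation is required in either case. Since `ia32_emulation=0` disables the 32-bit syscall ABI, 32-bit userspace stops working on affected systems; if that trade-off is intended for the stable (not "unstable") set, a comment on the line saying so would save the next reader a bisect.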
# Add additional (unstable) boot parameters for hardening (requires reboot)


@@ -1,23 +0,0 @@
name: aurora-asus-nvidia-userns-hardened
description: "Aurora asus nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-asus-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-asus-nvidia-hardened
description: "Aurora asus nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-asus-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,23 +0,0 @@
name: aurora-asus-userns-hardened
description: "Aurora asus with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-asus
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-asus-hardened
description: "Aurora asus with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-asus
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-dx-asus-nvidia-userns-hardened
description: "Aurora asus dx nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-dx-asus-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/dx-packages.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/dx-files.yml
- from-file: common/common-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-dx-asus-userns-hardened
description: "Aurora asus dx with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-dx-asus
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/dx-packages.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/dx-files.yml
- from-file: common/common-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,22 +0,0 @@
name: kinoite-asus-nvidia-userns-hardened
description: "Kinoite asus nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/kinoite-asus-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/remove-firefox.yml
- from-file: common/gui-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/kinoite-files.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,24 +0,0 @@
name: kinoite-asus-nvidia-hardened
description: "Kinoite asus nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/kinoite-asus-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/remove-firefox.yml
- from-file: common/gui-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- from-file: common/kinoite-files.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,24 +0,0 @@
name: kinoite-asus-userns-hardened
description: "Kinoite asus with some hardening applied"
base-image: ghcr.io/ublue-os/kinoite-asus
image-version: 40
# module configuration, executed in order
# you can include multiple instances of the same module
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/remove-firefox.yml
- from-file: common/gui-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/kinoite-files.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,26 +0,0 @@
name: kinoite-asus-hardened
description: "Kinoite asus with some hardening applied"
base-image: ghcr.io/ublue-os/kinoite-asus
image-version: 40
# module configuration, executed in order
# you can include multiple instances of the same module
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/remove-firefox.yml
- from-file: common/gui-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- from-file: common/kinoite-files.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,23 +0,0 @@
name: silverblue-asus-nvidia-userns-hardened
description: "Silverblue asus nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/silverblue-asus-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/silverblue-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/remove-firefox.yml
- from-file: common/gui-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: silverblue-asus-nvidia-hardened
description: "Silverblue asus nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/silverblue-asus-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/silverblue-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/remove-firefox.yml
- from-file: common/gui-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: silverblue-asus-userns-hardened
description: "Silverblue asus with some hardening applied"
base-image: ghcr.io/ublue-os/silverblue-asus
image-version: 40
# module configuration, executed in order
# you can include multiple instances of the same module
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/silverblue-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/remove-firefox.yml
- from-file: common/gui-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,27 +0,0 @@
name: silverblue-asus-hardened
description: "Silverblue asus with some hardening applied"
base-image: ghcr.io/ublue-os/silverblue-asus
image-version: 40
# module configuration, executed in order
# you can include multiple instances of the same module
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/silverblue-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/remove-firefox.yml
- from-file: common/gui-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,12 +0,0 @@
type: rpm-ostree
remove:
- samba-common-tools
- samba-dcerpc
- samba-ldb-ldap-modules
- samba-winbind
- samba-winbind-clients
- samba-winbind-modules
- samba
- samba-usershares
remove:
- ifuse


@@ -1,14 +0,0 @@
type: rpm-ostree
remove:
- gnome-shell-extension-gsconnect
- nautilus-gsconnect
- samba-common-tools
- samba-dcerpc
- samba-ldb-ldap-modules
- samba-winbind
- samba-winbind-clients
- samba-winbind-modules
- samba
remove:
- ifuse
- fuse-encfs


@@ -1,4 +0,0 @@
type: script
scripts:
- disabletailscale.sh
- removebluefinfirstboot.sh


@@ -1,3 +0,0 @@
type: script
scripts:
- removecinnamonxsessions.sh


@@ -1,2 +0,0 @@
type: brew
brew-analytics: false


@@ -1,6 +0,0 @@
type: files
files:
- source: system/usr
destination: /usr
- source: system/etc
destination: /etc


@@ -0,0 +1,31 @@
modules:
- type: script
scripts:
- createautostartdir.sh
- type: containerfile
snippets:
- RUN rpm-ostree install just powerstat
- COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-udev-rules.noarch.rpm /
- COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-update-services.noarch.rpm /
- COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-signing.noarch.rpm /
- COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-luks.noarch.rpm /
- COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-just.noarch.rpm /
- RUN rpm -q ublue-os-udev-rules || rpm -ivh /ublue-os-udev-rules.noarch.rpm
- RUN rpm -q ublue-os-update-services || rpm -ivh /ublue-os-update-services.noarch.rpm
- RUN rpm -q ublue-os-signing || rpm -ivh /ublue-os-signing.noarch.rpm
- RUN rpm -q ublue-os-luks || rpm -ivh /ublue-os-luks.noarch.rpm
- RUN rpm -q ublue-os-just || rpm -ivh /ublue-os-just.noarch.rpm
- type: script
scripts:
- installrpmfusion.sh
- from-file: common/common-packages.yml
- type: files
files:
- source: system/usr
destination: /usr
- source: system/etc
destination: /etc
- from-file: common/common-scripts.yml
- type: brew
brew-analytics: false
- type: secureblue-signing
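Review bot: Every `COPY --from=ghcr.io/ublue-os/config:latest` snippet pulls from a mutable tag, so the five ublue-os RPMs installed by the `rpm -ivh` lines can change between builds with no change in this repository; for an image whose purpose is hardening, pin the source image by digest (`ghcr.io/ublue-os/config@sha256:<digest-to-fill-in>`) or at least a versioned tag. The same applies to the `akmods`, `main-kernel`, `akmods-nvidia`, `akmods-nvidia-open`, `coreos-testing-kernel` and `akmods-zfs` sources in the later hunks of this commit. As far as I recall `rpm -ivh` only warns when a package's key is not in the build keyring, so the signature check here rests on the build environment rather than on these lines — if a hard check is intended, say so in a comment. The copied `.rpm` files are also left at `/` in the final image; a trailing `RUN rm /ublue-os-*.noarch.rpm` would keep them out of the layer.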


@@ -3,7 +3,10 @@ repos:
- https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/repo/fedora-%OS_VERSION%/secureblue-hardened_malloc-fedora-%OS_VERSION%.repo
install:
- hardened_malloc
# needed for some scripts
- patch
# missing upstream
- rar
- openssl
- just
- patch
- p7zip
- unrar
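Review bot: `- patch` appears twice in this hunk, once under `# needed for some scripts` and again inside the `# missing upstream` group; the rendered diff does not show which lines were removed, but if both survive on the new side one entry is redundant and the rationale comment sits over only one of them. Keep a single entry with its reason attached, e.g. `# needed for some scripts` directly above `- patch`, and drop the other.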


@@ -9,3 +9,4 @@ scripts:
- disablegeoclue.sh
- addjustconfig.sh
- addbrewjustimport.sh
- hardencontainerpolicy.sh
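Review bot: `hardencontainerpolicy.sh` now runs from `common-scripts.yml` for every image, while the rechunked variant `hardenrechunkedcontainerpolicy.sh` and the separate non-rechunked script list are deleted elsewhere in this commit; confirm the single script produces a correct policy for both layouts it replaces. The registries.d entry and the public key added earlier in this commit presumably only take effect through the policy this script writes, so a comment on this line such as `# writes the containers policy that enforces signatures for the configured registries` would tie the three pieces together.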


@@ -0,0 +1,9 @@
modules:
- type: rpm-ostree
install:
- NetworkManager-tui
- NetworkManager-openvpn
- type: systemd
system:
enabled:
- cosmic-greeter


@@ -0,0 +1,15 @@
modules:
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/akmods:main-40 /rpms /tmp/rpms
- RUN find /tmp/rpms
- RUN rpm -q ublue-os-akmods-addons || rpm-ostree install /tmp/rpms/ublue-os/ublue-os-akmods-addons*.rpm
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/main-kernel:40 /tmp/rpms /tmp/rpms/kernel
- type: script
scripts:
- installsignedkernel.sh
- from-file: common/desktop-packages.yml
- from-file: common/desktop-scripts.yml
- type: yafti
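Review bot: `RUN find /tmp/rpms` is a debugging listing that only adds build-log noise and an extra layer; if it is kept on purpose for diagnosing missing kmod rpms, mark it (`# debug: list staged rpms before install`) or drop it. The same line is repeated in the nvidia, nvidia-open, ucore and zfs module hunks of this commit. The `rpm -q ublue-os-akmods-addons ||` guard before the install makes this snippet safe to re-run, which the nvidia hunks' unguarded `rpm-ostree install` lines do not mirror — worth aligning the two styles.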


@@ -12,7 +12,19 @@ install:
- usbguard
- setroubleshoot
- setools
- fscrypt
- heif-pixbuf-loader
- vim
- alsa-firmware
# yubikey enablement
- pam-u2f
- pam_yubico
- pamu2fcfg
- yubikey-manager
remove:
- firefox
- firefox-langpacks
- fuse
- fedora-chromium-config
- fedora-flathub-remote


@@ -1,5 +1,6 @@
type: script
scripts:
- installandroidudev.sh
- disablecups.sh
- disablesshd.sh
- disableavahidaemon.sh


@@ -1,3 +0,0 @@
type: gschema-overrides
include:
- zz1-secureblue.gschema.override


@@ -0,0 +1,7 @@
modules:
- type: rpm-ostree
remove:
- toolbox
- type: script
scripts:
- disableuserns.sh
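Review bot: The consolidated disableuserns module only removes `toolbox`, whereas the deleted `disableuserns-packages.yml` it replaces also removed `distrobox`; unless distrobox is now layered only on the userns images (the small `install: - distrobox` hunk later in this commit suggests that), an image that inherits distrobox from its base would keep a tool that cannot function once user namespaces are disabled. If the drop is intentional, a comment on the `remove:` block such as `# distrobox is no longer in the base image; only the userns variants install it` would record that.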


@@ -1,8 +0,0 @@
type: rpm-ostree
remove:
- toolbox
- distrobox


@@ -1,3 +0,0 @@
type: script
scripts:
- disableuserns.sh


@@ -1,4 +0,0 @@
type: files
files:
- source: system/dx
destination: /


@@ -1,12 +0,0 @@
type: rpm-ostree
remove:
- zfs-fuse
- libvirt-daemon-driver-storage-zfs
- libvirt-daemon-kvm
- libvirt-daemon-driver-storage
- libvirt
- libvirt-nss
- libguestfs
- libguestfs-xfs
- guestfs-tools
- virt-v2v


@@ -0,0 +1,5 @@
modules:
- type: script
scripts:
- removeunusedrepos.sh
- regenerateinitramfs.sh


@@ -1,17 +0,0 @@
type: rpm-ostree
install:
- firewall-config
- gnome-disk-utility
remove:
- yelp
- gnome-user-share
- mod_lua
- httpd
- httpd-core
- mod_http2
- mod_dnssd
- gnome-remote-desktop
- libvncserver
- malcontent-ui-libs
- malcontent-control
- fedora-chromium-config-gnome


@@ -1,3 +0,0 @@
type: script
scripts:
- createautostartdir.sh


@@ -1,4 +0,0 @@
type: files
files:
- source: system/kinoite
destination: /


@@ -0,0 +1,12 @@
modules:
- type: rpm-ostree
remove:
- kde-connect
- kde-connect-libs
- kdeconnectd
- fedora-chromium-config-kde
- fuse-encfs
- type: files
files:
- source: system/kinoite
destination: /


@@ -1,7 +0,0 @@
type: rpm-ostree
remove:
- kde-connect
- kde-connect-libs
- kdeconnectd
- fedora-chromium-config-kde
- fuse-encfs


@@ -1,3 +0,0 @@
type: script
scripts:
- hardencontainerpolicy.sh


@@ -0,0 +1,13 @@
modules:
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/akmods-nvidia:main-40 /rpms /tmp/rpms
- RUN find /tmp/rpms
- RUN rpm-ostree install /tmp/rpms/ublue-os/ublue-os-nvidia*.rpm
- RUN sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
- RUN rpm-ostree install /tmp/rpms/kmods/kmod-nvidia*.rpm nvidia-container-toolkit xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda nvidia-vaapi-driver
- type: script
scripts:
- installnvidiatoolkitpolicy.sh
- setearlyloading.sh
- setdrmvariables.sh
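Review bot: The `sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo` snippet enables whichever `enabled=0` comes first in a repo file this repository does not control, so which section gets turned on depends on that file's layout — if an experimental section ever precedes the stable one, the toolkit would be installed from it. It also leaves the repo enabled in the shipped image instead of restoring it after the `rpm-ostree install`. Prefer addressing the section by its name and re-disabling it once the install is done, and add a comment stating which section is meant. The identical snippet appears in the nvidia-open and both ucore nvidia hunks of this commit, so the containerfile part could live in one shared `from-file` module instead of four copies.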


@@ -0,0 +1,13 @@
modules:
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/akmods-nvidia-open:main-40 /rpms /tmp/rpms
- RUN find /tmp/rpms
- RUN rpm-ostree install /tmp/rpms/ublue-os/ublue-os-nvidia*.rpm
- RUN sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
- RUN rpm-ostree install /tmp/rpms/kmods/kmod-nvidia*.rpm nvidia-container-toolkit xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda nvidia-vaapi-driver
- type: script
scripts:
- installnvidiatoolkitpolicy.sh
- setearlyloading.sh
- setdrmvariables.sh


@@ -0,0 +1,13 @@
modules:
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/akmods-nvidia-open:coreos-testing-40 /rpms /tmp/rpms
- RUN find /tmp/rpms
- RUN rpm-ostree install /tmp/rpms/ucore/ublue-os-ucore-nvidia*.rpm
- RUN sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
- RUN rpm-ostree install /tmp/rpms/kmods/kmod-nvidia*.rpm nvidia-container-toolkit
- type: script
scripts:
- installnvidiatoolkitpolicy.sh
- setearlyloading.sh
- setdrmvariables.sh


@@ -0,0 +1,13 @@
modules:
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/akmods-nvidia:coreos-testing-40 /rpms /tmp/rpms
- RUN find /tmp/rpms
- RUN rpm-ostree install /tmp/rpms/ucore/ublue-os-ucore-nvidia*.rpm
- RUN sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
- RUN rpm-ostree install /tmp/rpms/kmods/kmod-nvidia*.rpm nvidia-container-toolkit
- type: script
scripts:
- installnvidiatoolkitpolicy.sh
- setearlyloading.sh
- setdrmvariables.sh


@@ -0,0 +1,28 @@
type: rpm-ostree
install:
- libheif-freeworld
- libheif-tools
- intel-media-driver
- gstreamer1-plugin-libav
- gstreamer1-plugins-bad-free-extras
- gstreamer1-plugins-bad-freeworld
- gstreamer1-plugins-ugly
- gstreamer1-vaapi
- ffmpeg
- ffmpeg-libs
- ffmpegthumbnailer
- pipewire-codec-aptx
- mesa-va-drivers-freeworld
- fdk-aac
remove:
- fdk-aac-free
- mesa-va-drivers
- ffmpeg-free
- libavcodec-free
- libavdevice-free
- libavfilter-free
- libavformat-free
- libavutil-free
- libpostproc-free
- libswresample-free
- libswscale-free


@@ -1,4 +0,0 @@
type: script
scripts:
- hardenrechunkedcontainerpolicy.sh
- usehardenedmalloclight.sh


@@ -1,9 +0,0 @@
type: rpm-ostree
remove:
- firefox
- firefox-langpacks


@@ -1,4 +0,0 @@
type: files
files:
- source: system/server
destination: /


@@ -0,0 +1,29 @@
modules:
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/akmods:coreos-testing-40 /rpms /tmp/rpms
- RUN find /tmp/rpms
- RUN rpm-ostree install /tmp/rpms/ucore/ublue-os-ucore-addons*.rpm
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/coreos-testing-kernel:40 /tmp/rpms /tmp/rpms/kernel
- type: script
scripts:
- installsignedkernel.sh
- type: rpm-ostree
install:
- setools-console
- usbguard
- firewalld
- policycoreutils-python-utils
- type: files
files:
- source: system/server
destination: /
- type: script
scripts:
- addtailscalerepo.sh
- type: script
scripts:
- excludepcsc.sh
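Review bot: The server image's akmods and kernel come from the `akmods:coreos-testing-40` and `coreos-testing-kernel:40` tags, so a hardened server build tracks a testing stream; if that is deliberate, state the reason in a comment on the first `COPY --from` line (for example `# coreos-testing is the stream with matching akmods; revisit once stable catches up`, or whatever the actual reason is), because as written it reads as an oversight. The two trailing `type: script` modules (`addtailscalerepo.sh` and `excludepcsc.sh`) can be a single module listing both scripts, as the initialization module elsewhere in this commit already does.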


@@ -1,10 +0,0 @@
type: rpm-ostree
install:
- setools-console
- usbguard


@@ -0,0 +1,25 @@
modules:
- type: rpm-ostree
install:
- firewall-config
- gnome-disk-utility
- adw-gtk3-theme
- gnome-epub-thumbnailer
- gnome-tweaks
remove:
- gnome-tour
- yelp
- gnome-user-share
- mod_lua
- httpd
- httpd-core
- mod_http2
- mod_dnssd
- gnome-remote-desktop
- libvncserver
- malcontent-ui-libs
- malcontent-control
- fedora-chromium-config-gnome
- type: gschema-overrides
include:
- zz1-secureblue.gschema.override


@@ -1,3 +0,0 @@
type: rpm-ostree
remove:
- gnome-tour


@@ -0,0 +1,3 @@
type: rpm-ostree
install:
- distrobox


@@ -0,0 +1,9 @@
modules:
- type: containerfile
snippets:
- COPY --from=ghcr.io/ublue-os/akmods-zfs:coreos-testing-40 /rpms /tmp/rpms
- RUN find /tmp/rpms
- RUN rpm-ostree install pv /tmp/rpms/kmods/zfs/*.rpm /tmp/rpms/kmods/zfs/other/zfs-dracut-*.rpm
- type: script
scripts:
- excludezfs.sh


@@ -1,25 +0,0 @@
name: aurora-dx-main-userns-hardened
description: "Aurora-dx main with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-dx
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/dx-packages.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/dx-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-dx-nvidia-userns-hardened
description: "Aurora-dx nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-dx-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/dx-packages.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/dx-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-dx-surface-nvidia-userns-hardened
description: "Aurora-dx surface nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-dx-surface-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/dx-packages.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/dx-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-dx-surface-userns-hardened
description: "Aurora-dx surface with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-dx-surface
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/dx-packages.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/dx-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,23 +0,0 @@
name: aurora-main-userns-hardened
description: "Aurora main with some hardening applied"
base-image: ghcr.io/ublue-os/aurora
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-main-hardened
description: "Aurora main with some hardening applied"
base-image: ghcr.io/ublue-os/aurora
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,23 +0,0 @@
name: aurora-nvidia-userns-hardened
description: "Aurora nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-nvidia-hardened
description: "Aurora nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,23 +0,0 @@
name: aurora-surface-nvidia-userns-hardened
description: "Aurora surface nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-surface-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-surface-nvidia-hardened
description: "Aurora surface nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-surface-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,23 +0,0 @@
name: aurora-surface-userns-hardened
description: "Aurora surface with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-surface
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: aurora-surface-hardened
description: "Aurora surface with some hardening applied"
base-image: ghcr.io/ublue-os/aurora-surface
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/kinoite-packages.yml
- from-file: common/aurora-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/kinoite-files.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: bluefin-dx-main-userns-hardened
description: "Bluefin-dx main with some hardening applied"
base-image: ghcr.io/ublue-os/bluefin-dx
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/dx-packages.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/bluefin-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/common-files.yml
- from-file: common/dx-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: bluefin-dx-nvidia-userns-hardened
description: "Bluefin-dx nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/bluefin-dx-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/dx-packages.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/bluefin-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/common-files.yml
- from-file: common/dx-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,23 +0,0 @@
name: bluefin-main-userns-hardened
description: "Bluefin main with some hardening applied"
base-image: ghcr.io/ublue-os/bluefin
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/bluefin-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: bluefin-main-hardened
description: "Bluefin main with some hardening applied"
base-image: ghcr.io/ublue-os/bluefin
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/bluefin-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,23 +0,0 @@
name: bluefin-nvidia-userns-hardened
description: "Bluefin nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/bluefin-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/bluefin-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,25 +0,0 @@
name: bluefin-nvidia-hardened
description: "Bluefin nvidia with some hardening applied"
base-image: ghcr.io/ublue-os/bluefin-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gnome-packages.yml
- from-file: common/disable-gnome-extensions.yml
- from-file: common/bluefin-packages.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/bluefin-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- from-file: common/rechunked-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,20 +0,0 @@
name: cinnamon-main-userns-hardened
description: "Cinnamon main with some hardening applied"
base-image: ghcr.io/legacy-images/cinnamon-main
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/gui-scripts.yml
- from-file: common/cinnamon-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,22 +0,0 @@
name: cinnamon-main-hardened
description: "Cinnamon main with some hardening applied"
base-image: ghcr.io/legacy-images/cinnamon-main
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/disableuserns-packages.yml
- from-file: common/gui-scripts.yml
- from-file: common/cinnamon-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- from-file: common/disableuserns-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml


@@ -1,20 +0,0 @@
name: cinnamon-nvidia-userns-hardened
description: "Cinnamon nvidia with some hardening applied"
base-image: ghcr.io/legacy-images/cinnamon-nvidia
image-version: 40
modules:
- from-file: common/initialization-scripts.yml
- from-file: common/gui-packages.yml
- from-file: common/common-packages.yml
- from-file: common/non-rechunked-scripts.yml
- from-file: common/gui-scripts.yml
- from-file: common/cinnamon-scripts.yml
- from-file: common/common-files.yml
- from-file: common/common-scripts.yml
- type: secureblue-signing
- type: yafti
- from-file: common/common-brew.yml
