From f0bab7f5b2e9cbb7f5965e5addf25eb85627291d Mon Sep 17 00:00:00 2001 
From: qoijjj <129108030+qoijjj@users.noreply.github.com> Date: Thu, 17 Oct 2024 18:20:58 -0700 Subject: [PATCH] feat: nvidia-open images, major streamlining, bugfixes, and polish (#461) --- .github/workflows/build.yml | 122 ++++++------- POSTINSTALL-README.md | 14 +- PREINSTALL-README.md | 3 + README.md | 169 ++++++++++++------ files/scripts/addchromiumdesktopfile.sh | 2 +- files/scripts/addtailscalerepo.sh | 8 + files/scripts/disableuserns.sh | 16 +- files/scripts/excludepcsc.sh | 6 + files/scripts/excludezfs.sh | 10 ++ files/scripts/hardencontainerpolicy.sh | 28 ++- .../scripts/hardenrechunkedcontainerpolicy.sh | 35 ---- files/scripts/installandroidudev.sh | 8 + ...sions.sh => installnvidiatoolkitpolicy.sh} | 2 +- files/scripts/installrpmfusion.sh | 7 + files/scripts/installsignedkernel.sh | 31 ++++ files/scripts/regenerateinitramfs.sh | 11 ++ files/scripts/removebluefinfirstboot.sh | 7 - files/scripts/removeunusedrepos.sh | 10 ++ files/scripts/setdrmvariables.sh | 16 ++ files/scripts/setearlyloading.sh | 7 + files/scripts/setswaynvidiaenvironment.sh | 38 ++++ .../etc/skel/.config/Code/User/settings.json | 6 - .../etc/containers/registries.d/wayblue.yaml | 3 + files/system/etc/pki/containers/wayblue.pub | 4 + .../share/ublue-os/just/70-secureblue.just | 1 + .../asus/recipe-aurora-asus-nvidia-userns.yml | 23 --- recipes/asus/recipe-aurora-asus-nvidia.yml | 25 --- recipes/asus/recipe-aurora-asus-userns.yml | 23 --- recipes/asus/recipe-aurora-asus.yml | 25 --- .../recipe-aurora-dx-asus-nvidia-userns.yml | 25 --- recipes/asus/recipe-aurora-dx-asus-userns.yml | 25 --- .../recipe-kinoite-asus-nvidia-userns.yml | 22 --- recipes/asus/recipe-kinoite-asus-nvidia.yml | 24 --- recipes/asus/recipe-kinoite-asus-userns.yml | 24 --- recipes/asus/recipe-kinoite-asus.yml | 26 --- .../recipe-silverblue-asus-nvidia-userns.yml | 23 --- .../asus/recipe-silverblue-asus-nvidia.yml | 25 --- .../asus/recipe-silverblue-asus-userns.yml | 25 --- recipes/asus/recipe-silverblue-asus.yml | 27 
--- recipes/common/aurora-packages.yml | 12 -- recipes/common/bluefin-packages.yml | 14 -- recipes/common/bluefin-scripts.yml | 4 - recipes/common/cinnamon-scripts.yml | 3 - recipes/common/common-brew.yml | 2 - recipes/common/common-files.yml | 6 - recipes/common/common-modules.yml | 31 ++++ recipes/common/common-packages.yml | 9 +- recipes/common/common-scripts.yml | 1 + recipes/common/cosmic-modules.yml | 9 + recipes/common/desktop-modules.yml | 15 ++ ...{gui-packages.yml => desktop-packages.yml} | 12 ++ .../{gui-scripts.yml => desktop-scripts.yml} | 1 + recipes/common/disable-gnome-extensions.yml | 3 - recipes/common/disableuserns-modules.yml | 7 + recipes/common/disableuserns-packages.yml | 8 - recipes/common/disableuserns-scripts.yml | 3 - recipes/common/dx-files.yml | 4 - recipes/common/dx-packages.yml | 12 -- recipes/common/final-modules.yml | 5 + recipes/common/gnome-packages.yml | 17 -- recipes/common/initialization-scripts.yml | 3 - recipes/common/kinoite-files.yml | 4 - recipes/common/kinoite-modules.yml | 12 ++ recipes/common/kinoite-packages.yml | 7 - recipes/common/non-rechunked-scripts.yml | 3 - recipes/common/nvidia-modules.yml | 13 ++ recipes/common/nvidia-open-modules.yml | 13 ++ recipes/common/nvidia-open-server-modules.yml | 13 ++ recipes/common/nvidia-server-modules.yml | 13 ++ recipes/common/proprietary-packages.yml | 28 +++ recipes/common/rechunked-scripts.yml | 4 - recipes/common/remove-firefox.yml | 9 - recipes/common/server-files.yml | 4 - recipes/common/server-modules.yml | 29 +++ recipes/common/server-packages.yml | 10 -- recipes/common/silverblue-modules.yml | 25 +++ recipes/common/silverblue-packages.yml | 3 - recipes/common/userns-packages.yml | 3 + recipes/common/zfs-modules.yml | 9 + .../general/recipe-aurora-dx-main-userns.yml | 25 --- .../recipe-aurora-dx-nvidia-userns.yml | 25 --- ...recipe-aurora-dx-surface-nvidia-userns.yml | 25 --- .../recipe-aurora-dx-surface-userns.yml | 25 --- recipes/general/recipe-aurora-main-userns.yml | 
23 --- recipes/general/recipe-aurora-main.yml | 25 --- .../general/recipe-aurora-nvidia-userns.yml | 23 --- recipes/general/recipe-aurora-nvidia.yml | 25 --- .../recipe-aurora-surface-nvidia-userns.yml | 23 --- .../general/recipe-aurora-surface-nvidia.yml | 25 --- .../general/recipe-aurora-surface-userns.yml | 23 --- recipes/general/recipe-aurora-surface.yml | 25 --- .../general/recipe-bluefin-dx-main-userns.yml | 25 --- .../recipe-bluefin-dx-nvidia-userns.yml | 25 --- .../general/recipe-bluefin-main-userns.yml | 23 --- recipes/general/recipe-bluefin-main.yml | 25 --- .../general/recipe-bluefin-nvidia-userns.yml | 23 --- recipes/general/recipe-bluefin-nvidia.yml | 25 --- .../general/recipe-cinnamon-main-userns.yml | 20 --- recipes/general/recipe-cinnamon-main.yml | 22 --- .../general/recipe-cinnamon-nvidia-userns.yml | 20 --- recipes/general/recipe-cinnamon-nvidia.yml | 22 --- recipes/general/recipe-cosmic-main-userns.yml | 23 +-- recipes/general/recipe-cosmic-main.yml | 25 +-- .../recipe-cosmic-nvidia-open-userns.yml | 16 ++ recipes/general/recipe-cosmic-nvidia-open.yml | 16 ++ .../general/recipe-cosmic-nvidia-userns.yml | 24 ++- recipes/general/recipe-cosmic-nvidia.yml | 26 ++- .../general/recipe-kinoite-main-userns.yml | 23 +-- recipes/general/recipe-kinoite-main.yml | 25 +-- .../recipe-kinoite-nvidia-open-userns.yml | 16 ++ .../general/recipe-kinoite-nvidia-open.yml | 16 ++ .../general/recipe-kinoite-nvidia-userns.yml | 24 +-- recipes/general/recipe-kinoite-nvidia.yml | 26 +-- .../general/recipe-sericea-main-userns.yml | 20 +-- recipes/general/recipe-sericea-main.yml | 22 +-- .../recipe-sericea-nvidia-open-userns.yml | 18 ++ .../general/recipe-sericea-nvidia-open.yml | 18 ++ .../general/recipe-sericea-nvidia-userns.yml | 24 ++- recipes/general/recipe-sericea-nvidia.yml | 26 ++- .../general/recipe-silverblue-main-userns.yml | 26 +-- recipes/general/recipe-silverblue-main.yml | 28 +-- .../recipe-silverblue-nvidia-open-userns.yml | 16 ++ 
.../general/recipe-silverblue-nvidia-open.yml | 16 ++ .../recipe-silverblue-nvidia-userns.yml | 25 +-- recipes/general/recipe-silverblue-nvidia.yml | 27 +-- .../recipe-wayblue-hyprland-main-userns.yml | 17 +- .../general/recipe-wayblue-hyprland-main.yml | 19 +- ...pe-wayblue-hyprland-nvidia-open-userns.yml | 13 ++ .../recipe-wayblue-hyprland-nvidia-open.yml | 13 ++ .../recipe-wayblue-hyprland-nvidia-userns.yml | 17 +- .../recipe-wayblue-hyprland-nvidia.yml | 19 +- .../recipe-wayblue-river-main-userns.yml | 17 +- recipes/general/recipe-wayblue-river-main.yml | 19 +- ...ecipe-wayblue-river-nvidia-open-userns.yml | 13 ++ .../recipe-wayblue-river-nvidia-open.yml | 13 ++ .../recipe-wayblue-river-nvidia-userns.yml | 17 +- .../general/recipe-wayblue-river-nvidia.yml | 19 +- .../recipe-wayblue-sway-main-userns.yml | 17 +- recipes/general/recipe-wayblue-sway-main.yml | 19 +- ...recipe-wayblue-sway-nvidia-open-userns.yml | 13 ++ .../recipe-wayblue-sway-nvidia-open.yml | 13 ++ .../recipe-wayblue-sway-nvidia-userns.yml | 17 +- .../general/recipe-wayblue-sway-nvidia.yml | 19 +- .../recipe-wayblue-wayfire-main-userns.yml | 17 +- .../general/recipe-wayblue-wayfire-main.yml | 19 +- ...ipe-wayblue-wayfire-nvidia-open-userns.yml | 14 ++ .../recipe-wayblue-wayfire-nvidia-open.yml | 14 ++ .../recipe-wayblue-wayfire-nvidia-userns.yml | 17 +- .../general/recipe-wayblue-wayfire-nvidia.yml | 19 +- .../recipe-securecore-main-userns.yml | 17 +- recipes/securecore/recipe-securecore-main.yml | 18 +- .../recipe-securecore-nvidia-open-userns.yml | 14 ++ .../recipe-securecore-nvidia-open.yml | 14 ++ .../recipe-securecore-nvidia-userns.yml | 20 +-- .../securecore/recipe-securecore-nvidia.yml | 21 +-- .../recipe-securecore-zfs-main-userns.yml | 20 +-- .../securecore/recipe-securecore-zfs-main.yml | 21 +-- ...cipe-securecore-zfs-nvidia-open-userns.yml | 15 ++ .../recipe-securecore-zfs-nvidia-open.yml | 15 ++ .../recipe-securecore-zfs-nvidia-userns.yml | 21 +-- .../recipe-securecore-zfs-nvidia.yml | 
22 +-- 161 files changed, 1203 insertions(+), 1746 deletions(-) create mode 100644 files/scripts/addtailscalerepo.sh create mode 100644 files/scripts/excludepcsc.sh create mode 100644 files/scripts/excludezfs.sh delete mode 100644 files/scripts/hardenrechunkedcontainerpolicy.sh create mode 100644 files/scripts/installandroidudev.sh rename files/scripts/{removecinnamonxsessions.sh => installnvidiatoolkitpolicy.sh} (55%) create mode 100644 files/scripts/installrpmfusion.sh create mode 100644 files/scripts/installsignedkernel.sh create mode 100644 files/scripts/regenerateinitramfs.sh delete mode 100644 files/scripts/removebluefinfirstboot.sh create mode 100644 files/scripts/removeunusedrepos.sh create mode 100644 files/scripts/setdrmvariables.sh create mode 100644 files/scripts/setearlyloading.sh create mode 100644 files/scripts/setswaynvidiaenvironment.sh delete mode 100644 files/system/dx/etc/skel/.config/Code/User/settings.json create mode 100644 files/system/etc/containers/registries.d/wayblue.yaml create mode 100644 files/system/etc/pki/containers/wayblue.pub delete mode 100644 recipes/asus/recipe-aurora-asus-nvidia-userns.yml delete mode 100644 recipes/asus/recipe-aurora-asus-nvidia.yml delete mode 100644 recipes/asus/recipe-aurora-asus-userns.yml delete mode 100644 recipes/asus/recipe-aurora-asus.yml delete mode 100644 recipes/asus/recipe-aurora-dx-asus-nvidia-userns.yml delete mode 100644 recipes/asus/recipe-aurora-dx-asus-userns.yml delete mode 100644 recipes/asus/recipe-kinoite-asus-nvidia-userns.yml delete mode 100644 recipes/asus/recipe-kinoite-asus-nvidia.yml delete mode 100644 recipes/asus/recipe-kinoite-asus-userns.yml delete mode 100644 recipes/asus/recipe-kinoite-asus.yml delete mode 100644 recipes/asus/recipe-silverblue-asus-nvidia-userns.yml delete mode 100644 recipes/asus/recipe-silverblue-asus-nvidia.yml delete mode 100644 recipes/asus/recipe-silverblue-asus-userns.yml delete mode 100644 recipes/asus/recipe-silverblue-asus.yml delete mode 100644 
recipes/common/aurora-packages.yml delete mode 100644 recipes/common/bluefin-packages.yml delete mode 100644 recipes/common/bluefin-scripts.yml delete mode 100644 recipes/common/cinnamon-scripts.yml delete mode 100644 recipes/common/common-brew.yml delete mode 100644 recipes/common/common-files.yml create mode 100644 recipes/common/common-modules.yml create mode 100644 recipes/common/cosmic-modules.yml create mode 100644 recipes/common/desktop-modules.yml rename recipes/common/{gui-packages.yml => desktop-packages.yml} (78%) rename recipes/common/{gui-scripts.yml => desktop-scripts.yml} (88%) delete mode 100644 recipes/common/disable-gnome-extensions.yml create mode 100644 recipes/common/disableuserns-modules.yml delete mode 100644 recipes/common/disableuserns-packages.yml delete mode 100644 recipes/common/disableuserns-scripts.yml delete mode 100644 recipes/common/dx-files.yml delete mode 100644 recipes/common/dx-packages.yml create mode 100644 recipes/common/final-modules.yml delete mode 100644 recipes/common/gnome-packages.yml delete mode 100644 recipes/common/initialization-scripts.yml delete mode 100644 recipes/common/kinoite-files.yml create mode 100644 recipes/common/kinoite-modules.yml delete mode 100644 recipes/common/kinoite-packages.yml delete mode 100644 recipes/common/non-rechunked-scripts.yml create mode 100644 recipes/common/nvidia-modules.yml create mode 100644 recipes/common/nvidia-open-modules.yml create mode 100644 recipes/common/nvidia-open-server-modules.yml create mode 100644 recipes/common/nvidia-server-modules.yml create mode 100644 recipes/common/proprietary-packages.yml delete mode 100644 recipes/common/rechunked-scripts.yml delete mode 100644 recipes/common/remove-firefox.yml delete mode 100644 recipes/common/server-files.yml create mode 100644 recipes/common/server-modules.yml delete mode 100644 recipes/common/server-packages.yml create mode 100644 recipes/common/silverblue-modules.yml delete mode 100644 
recipes/common/silverblue-packages.yml create mode 100644 recipes/common/userns-packages.yml create mode 100644 recipes/common/zfs-modules.yml delete mode 100644 recipes/general/recipe-aurora-dx-main-userns.yml delete mode 100644 recipes/general/recipe-aurora-dx-nvidia-userns.yml delete mode 100644 recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml delete mode 100644 recipes/general/recipe-aurora-dx-surface-userns.yml delete mode 100644 recipes/general/recipe-aurora-main-userns.yml delete mode 100644 recipes/general/recipe-aurora-main.yml delete mode 100644 recipes/general/recipe-aurora-nvidia-userns.yml delete mode 100644 recipes/general/recipe-aurora-nvidia.yml delete mode 100644 recipes/general/recipe-aurora-surface-nvidia-userns.yml delete mode 100644 recipes/general/recipe-aurora-surface-nvidia.yml delete mode 100644 recipes/general/recipe-aurora-surface-userns.yml delete mode 100644 recipes/general/recipe-aurora-surface.yml delete mode 100644 recipes/general/recipe-bluefin-dx-main-userns.yml delete mode 100644 recipes/general/recipe-bluefin-dx-nvidia-userns.yml delete mode 100644 recipes/general/recipe-bluefin-main-userns.yml delete mode 100644 recipes/general/recipe-bluefin-main.yml delete mode 100644 recipes/general/recipe-bluefin-nvidia-userns.yml delete mode 100644 recipes/general/recipe-bluefin-nvidia.yml delete mode 100644 recipes/general/recipe-cinnamon-main-userns.yml delete mode 100644 recipes/general/recipe-cinnamon-main.yml delete mode 100644 recipes/general/recipe-cinnamon-nvidia-userns.yml delete mode 100644 recipes/general/recipe-cinnamon-nvidia.yml create mode 100644 recipes/general/recipe-cosmic-nvidia-open-userns.yml create mode 100644 recipes/general/recipe-cosmic-nvidia-open.yml create mode 100644 recipes/general/recipe-kinoite-nvidia-open-userns.yml create mode 100644 recipes/general/recipe-kinoite-nvidia-open.yml create mode 100644 recipes/general/recipe-sericea-nvidia-open-userns.yml create mode 100644 
recipes/general/recipe-sericea-nvidia-open.yml create mode 100644 recipes/general/recipe-silverblue-nvidia-open-userns.yml create mode 100644 recipes/general/recipe-silverblue-nvidia-open.yml create mode 100644 recipes/general/recipe-wayblue-hyprland-nvidia-open-userns.yml create mode 100644 recipes/general/recipe-wayblue-hyprland-nvidia-open.yml create mode 100644 recipes/general/recipe-wayblue-river-nvidia-open-userns.yml create mode 100644 recipes/general/recipe-wayblue-river-nvidia-open.yml create mode 100644 recipes/general/recipe-wayblue-sway-nvidia-open-userns.yml create mode 100644 recipes/general/recipe-wayblue-sway-nvidia-open.yml create mode 100644 recipes/general/recipe-wayblue-wayfire-nvidia-open-userns.yml create mode 100644 recipes/general/recipe-wayblue-wayfire-nvidia-open.yml create mode 100644 recipes/securecore/recipe-securecore-nvidia-open-userns.yml create mode 100644 recipes/securecore/recipe-securecore-nvidia-open.yml create mode 100644 recipes/securecore/recipe-securecore-zfs-nvidia-open-userns.yml create mode 100644 recipes/securecore/recipe-securecore-zfs-nvidia-open.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b38a60a..ff01500 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,8 +1,7 @@ name: build-secureblue on: schedule: - - cron: "00 5 * * *" # build at 5:00 UTC every day - # 80 minutes after the last uBlue images start building + - cron: "00 6 * * *" # build at 6:00 UTC every day # 60 minutes after last wayblue images start building push: paths-ignore: # don't rebuild if only documentation has changed 
@@ -23,95 +22,77 @@ jobs: recipe: # non-userns # general - - general/recipe-aurora-main.yml - - general/recipe-aurora-nvidia.yml - - general/recipe-aurora-surface.yml - - general/recipe-aurora-surface-nvidia.yml - general/recipe-silverblue-main.yml - general/recipe-silverblue-nvidia.yml + - general/recipe-silverblue-nvidia-open.yml - general/recipe-kinoite-main.yml - general/recipe-kinoite-nvidia.yml - - general/recipe-cinnamon-main.yml - - general/recipe-cinnamon-nvidia.yml - - general/recipe-bluefin-main.yml - - general/recipe-bluefin-nvidia.yml + - general/recipe-kinoite-nvidia-open.yml - general/recipe-sericea-main.yml - general/recipe-sericea-nvidia.yml + - general/recipe-sericea-nvidia-open.yml - general/recipe-wayblue-wayfire-main.yml - general/recipe-wayblue-wayfire-nvidia.yml + - general/recipe-wayblue-wayfire-nvidia-open.yml - general/recipe-wayblue-hyprland-main.yml - general/recipe-wayblue-hyprland-nvidia.yml + - general/recipe-wayblue-hyprland-nvidia-open.yml - general/recipe-wayblue-river-main.yml - general/recipe-wayblue-river-nvidia.yml + - general/recipe-wayblue-river-nvidia-open.yml - general/recipe-wayblue-sway-main.yml - general/recipe-wayblue-sway-nvidia.yml - - general/recipe-cosmic-main.yml - - general/recipe-cosmic-nvidia.yml - # asus - - asus/recipe-silverblue-asus.yml - - asus/recipe-silverblue-asus-nvidia.yml - - asus/recipe-kinoite-asus.yml - - asus/recipe-kinoite-asus-nvidia.yml - - asus/recipe-aurora-asus.yml - - asus/recipe-aurora-asus-nvidia.yml + - general/recipe-wayblue-sway-nvidia-open.yml + # - general/recipe-cosmic-main.yml + # - general/recipe-cosmic-nvidia.yml + # - general/recipe-cosmic-nvidia-open.yml # server - securecore/recipe-securecore-main.yml - securecore/recipe-securecore-nvidia.yml + - securecore/recipe-securecore-nvidia-open.yml - securecore/recipe-securecore-zfs-main.yml - securecore/recipe-securecore-zfs-nvidia.yml + - securecore/recipe-securecore-zfs-nvidia-open.yml # userns # general - - 
general/recipe-aurora-surface-userns.yml - - general/recipe-aurora-surface-nvidia-userns.yml - - general/recipe-aurora-dx-main-userns.yml - - general/recipe-aurora-dx-nvidia-userns.yml - - general/recipe-aurora-dx-surface-nvidia-userns.yml - - general/recipe-aurora-dx-surface-userns.yml - - general/recipe-aurora-main-userns.yml - - general/recipe-aurora-nvidia-userns.yml - general/recipe-silverblue-main-userns.yml - general/recipe-silverblue-nvidia-userns.yml + - general/recipe-silverblue-nvidia-open-userns.yml - general/recipe-kinoite-main-userns.yml - general/recipe-kinoite-nvidia-userns.yml - - general/recipe-cinnamon-main-userns.yml - - general/recipe-cinnamon-nvidia-userns.yml - - general/recipe-bluefin-main-userns.yml - - general/recipe-bluefin-nvidia-userns.yml - - general/recipe-bluefin-dx-main-userns.yml - - general/recipe-bluefin-dx-nvidia-userns.yml + - general/recipe-kinoite-nvidia-open-userns.yml - general/recipe-sericea-main-userns.yml - general/recipe-sericea-nvidia-userns.yml + - general/recipe-sericea-nvidia-open-userns.yml - general/recipe-wayblue-wayfire-main-userns.yml - general/recipe-wayblue-wayfire-nvidia-userns.yml + - general/recipe-wayblue-wayfire-nvidia-open-userns.yml - general/recipe-wayblue-hyprland-main-userns.yml - general/recipe-wayblue-hyprland-nvidia-userns.yml + - general/recipe-wayblue-hyprland-nvidia-open-userns.yml - general/recipe-wayblue-river-main-userns.yml - general/recipe-wayblue-river-nvidia-userns.yml + - general/recipe-wayblue-river-nvidia-open-userns.yml - general/recipe-wayblue-sway-main-userns.yml - general/recipe-wayblue-sway-nvidia-userns.yml - - general/recipe-cosmic-main-userns.yml - - general/recipe-cosmic-nvidia-userns.yml - # asus - - asus/recipe-silverblue-asus-userns.yml - - asus/recipe-silverblue-asus-nvidia-userns.yml - - asus/recipe-kinoite-asus-userns.yml - - asus/recipe-kinoite-asus-nvidia-userns.yml - - asus/recipe-aurora-asus-userns.yml - - asus/recipe-aurora-asus-nvidia-userns.yml - - 
asus/recipe-aurora-dx-asus-userns.yml - - asus/recipe-aurora-dx-asus-nvidia-userns.yml + - general/recipe-wayblue-sway-nvidia-open-userns.yml + # - general/recipe-cosmic-main-userns.yml + # - general/recipe-cosmic-nvidia-userns.yml + # - general/recipe-cosmic-nvidia-open-userns.yml # server - securecore/recipe-securecore-main-userns.yml - securecore/recipe-securecore-nvidia-userns.yml + - securecore/recipe-securecore-nvidia-open-userns.yml - securecore/recipe-securecore-zfs-main-userns.yml - securecore/recipe-securecore-zfs-nvidia-userns.yml + - securecore/recipe-securecore-zfs-nvidia-open-userns.yml steps: - name: Checkout repo uses: actions/checkout@v4 - name: Add yq (for reading recipe.yml) - uses: mikefarah/yq@v4.44.2 + uses: mikefarah/yq@v4.44.3 - name: Gather image data from recipe run: | @@ -120,12 +101,6 @@ jobs: BASE_IMAGE=$(yq '.base-image' ./recipes/${{ matrix.recipe }}) echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV - - name: Verify base image - if: ${{ !contains(env.IMAGE_NAME, 'wayblue') && !contains(env.IMAGE_NAME, 'cinnamon') && !contains(env.IMAGE_NAME, 'securecore') }} - uses: EyeCantCU/cosign-action/verify@v0.3.0 - with: - containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} - - name: Verify base image if: ${{ contains(env.IMAGE_NAME, 'wayblue') }} uses: EyeCantCU/cosign-action/verify@v0.3.0 
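Review bot: The bumped `uses: mikefarah/yq@v4.44.3` line still references a third-party action by a mutable tag, in a job whose later build step receives `secrets.SIGNING_SECRET`. Anyone able to move that tag can run code in the job that signs the images. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: mikefarah/yq@<full-commit-sha> # v4.44.3` (placeholder; take the SHA from the upstream release). The same applies to `Wandalen/wretry.action@v3.5.0` added in the `-134,26` hunk, and to `EyeCantCU/cosign-action/verify@v0.3.0` and `blue-build/github-action@v1.6.1`.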
@@ -134,26 +109,43 @@ jobs: registry: 'ghcr.io/wayblueorg' pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub' - - name: Verify base image - if: ${{ contains(env.IMAGE_NAME, 'cinnamon') }} - uses: EyeCantCU/cosign-action/verify@v0.3.0 - with: - containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} - registry: 'ghcr.io/legacy-images' - pubkey: 'https://raw.githubusercontent.com/legacy-images/cinnamon/main/cosign.pub' - - - name: Verify base image + - name: Validate server kernel and kmod versions if: ${{ contains(env.IMAGE_NAME, 'securecore') }} - uses: EyeCantCU/cosign-action/verify@v0.3.0 + uses: Wandalen/wretry.action@v3.5.0 with: - containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} - registry: 'ghcr.io/secureblue' - pubkey: 'https://raw.githubusercontent.com/secureblue/coreos/main/cosign.pub' + attempt_limit: 3 + attempt_delay: 15000 + command: | + set -eo pipefail + linux=$(skopeo inspect docker://ghcr.io/ublue-os/coreos-testing-kernel:40 | jq -r '.Labels["ostree.linux"]') + AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:coreos-testing-40 | jq -r '.Labels["ostree.linux"]') + if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then + echo "Kernel Versions do not match between AKMODS and Cached-Kernel." + exit 1 + fi + echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV + + - name: Validate desktop kernel and kmod versions + if: ${{ !contains(env.IMAGE_NAME, 'securecore') }} + uses: Wandalen/wretry.action@v3.5.0 + with: + attempt_limit: 3 + attempt_delay: 15000 + command: | + set -eo pipefail + linux=$(skopeo inspect docker://ghcr.io/ublue-os/main-kernel:40 | jq -r '.Labels["ostree.linux"]') + AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:main-40 | jq -r '.Labels["ostree.linux"]') + if [[ "${linux}" != "${AKMODS_KERNEL_VERSION}" ]]; then + echo "Kernel Versions do not match between AKMODS and Cached-Kernel." 
+ exit 1 + fi + echo "KERNEL_VERSION=$linux" >> $GITHUB_ENV + - name: Build secureblue uses: blue-build/github-action@v1.6.1 with: - cli_version: v0.8.14 + cli_version: v0.8.20 recipe: ${{ matrix.recipe }} cosign_private_key: ${{ secrets.SIGNING_SECRET }} registry_token: ${{ github.token }} diff --git a/POSTINSTALL-README.md b/POSTINSTALL-README.md index 76e59e5..6918302 100644 --- a/POSTINSTALL-README.md +++ b/POSTINSTALL-README.md @@ -13,7 +13,14 @@ If you are using an nvidia image, run this after installation: rpm-ostree kargs \ --append-if-missing=rd.driver.blacklist=nouveau \ --append-if-missing=modprobe.blacklist=nouveau \ - --append-if-missing=nvidia-drm.modeset=1 + --append-if-missing=nvidia-drm.modeset=1 \ + --append-if-missing=nvidia-drm.fbdev=1 +``` + +You may also need this (solves flickering and luks issues on some nvidia hardware): +``` +rpm-ostree kargs \ + --append-if-missing=initcall_blacklist=simpledrm_platform_driver_init ``` ### Nvidia optimus laptop @@ -120,6 +127,11 @@ To validate your secureblue setup, run: ``` ujust audit-secureblue ``` + +## Optional: `hardened-chromium` Flags +The included hardened-chromium browser has some additional settings in `chrome://flags` you *may* want to set for additional hardening, and convenience. (That can cause functionality issues in *some* cases) +You can read about these settings [here](https://github.com/secureblue/hardened-chromium?tab=readme-ov-file#post-install). + ## Read the FAQ Lots of important stuff is covered in the [FAQ](https://github.com/secureblue/secureblue/blob/live/FAQ.md). AppImage toggles, GNOME extension toggles, Xwayland toggles, etc. diff --git a/PREINSTALL-README.md b/PREINSTALL-README.md index 309d4ff..a56f4aa 100644 --- a/PREINSTALL-README.md +++ b/PREINSTALL-README.md 
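Review bot: Both kernel-validation steps added in the `-134,26` hunk of build.yml pass when the `ostree.linux` label is missing, because `jq -r` prints `null` for each image and the two strings compare equal, leaving `KERNEL_VERSION=null`. Use `jq -er` so a missing label fails the step, and check the value against a version pattern before appending it to `$GITHUB_ENV`. The value comes from a remote registry, and an embedded newline would define extra variables for the later build step that receives `secrets.SIGNING_SECRET`. Separately, with the cosign steps removed here and in the `-120,12` hunk, only wayblue base images are still signature-verified in the visible workflow, and the images read with `skopeo inspect` are not verified as far as these lines show; confirm that verification happens elsewhere, since the recipes and build scripts are outside this view. The fence shows the desktop step; the securecore step needs the same change.

```yaml
command: |
  set -euo pipefail
  linux=$(skopeo inspect docker://ghcr.io/ublue-os/main-kernel:40 | jq -er '.Labels["ostree.linux"]')
  AKMODS_KERNEL_VERSION=$(skopeo inspect docker://ghcr.io/ublue-os/akmods:main-40 | jq -er '.Labels["ostree.linux"]')
  # … unchanged: comparison of linux with AKMODS_KERNEL_VERSION …
  if [[ ! "${linux}" =~ ^[0-9A-Za-z._+-]+$ ]]; then
    echo "Unexpected characters in kernel version label."
    exit 1
  fi
  echo "KERNEL_VERSION=${linux}" >> "$GITHUB_ENV"
```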
@@ -4,6 +4,9 @@ The recommended method to install secureblue is to rebase from an upstream silve ## Preinstall guide +> [!TIP] +> If you don't yet have a Fedora Atomic installation medium, you should obtain an image from the official Fedora Project website, [here](https://fedoraproject.org/atomic-desktops/). Once you have downloaded an image, it is *highly reccomended* that you [verify](https://fedoraproject.org/security) it for security and integrity. + ### Fedora Installation - Select the option to encrypt the drive you're installing to. - Use a [strong password](https://security.harvard.edu/use-strong-passwords) when prompted. diff --git a/README.md b/README.md index 4b4d55f..a749c42 100644 --- a/README.md +++ b/README.md 
@@ -11,14 +11,14 @@ [![Discord](https://img.shields.io/discord/1202086019298500629?style=flat&logo=discord&logoColor=white&label=Discord&labelColor=%235F6AE9&color=%2333CB56)](https://discord.com/invite/qMTv5cKfbF) [![Donate](https://img.shields.io/badge/Donate-blue.svg)](https://github.com/secureblue/secureblue/blob/live/DONATE.md) -This repo uses [BlueBuild](https://blue-build.org/) to generate hardened operating system images, using [uBlue](https://universal-blue.org)'s [Fedora Atomic](https://fedoraproject.org/atomic-desktops/)-based [base images](https://github.com/orgs/ublue-os/packages?repo_name=main) as a starting point. +This repo uses [BlueBuild](https://blue-build.org/) to generate hardened operating system images, using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. # Scope secureblue applies hardening with the following goals in mind: - Increase defenses against the exploitation of both known and unknown vulnerabilities. -- Avoid sacrificing usability for most use cases where possible +- Avoid sacrificing usability for most use cases where possible. The following are not in scope: - Anything that sacrifices security for "privacy". Fedora is already sufficiently private and "privacy" often serves as a euphemism for security theater. This is especially true when at odds with improving security. 
@@ -59,7 +59,7 @@ The following are not in scope: Fedora is one of the few distributions that ships with selinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a hardened system. However, out of the box it's lacking hardening in numerous other areas. This project's goal is to improve on that significantly. -For more info on uBlue and BlueBuild, check out the [uBlue homepage](https://universal-blue.org/) and the [BlueBuild homepage](https://blue-build.org/). +For more info on BlueBuild, check out the [BlueBuild homepage](https://blue-build.org/). # Customization 
@@ -78,15 +78,17 @@ Sponsorship options are on the [Donate](DONATE.md) page. All donations are appre Have a look at [PREINSTALL-README](PREINSTALL-README.md) before proceeding. ## Rebasing (Recommended) -*Note: if you don't already have a Fedora Atomic installation, use a Fedora Atomic iso that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue iso, Kinoite for Kinoite, and Sericea (Sway Atomic) for Sericea and all the Wayblue images.* +> [!NOTE] +> If you don't already have a Fedora Atomic installation, use a Fedora Atomic ISO that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue ISO, Kinoite for Kinoite, and Sericea (Sway Atomic) for Sericea and all the Wayblue images. -To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) installation, choose an $IMAGE_NAME from the [list below](README.md#images-userns), then follow these steps: +To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) installation, follow these steps: -*(Important note: the **only** supported tag is `latest`)* +> [!IMPORTANT] +> The **only** supported tag is `latest`. - First rebase to the unsigned image, to get the proper signing keys and policies installed: ``` - rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/$IMAGE_NAME:latest + rpm-ostree rebase ostree-unverified-registry:ghcr.io/secureblue/IMAGE_NAME:latest ``` - Reboot to complete the rebase: ``` 
@@ -94,72 +96,125 @@ To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) installa ``` - Then rebase to the signed image, like so: ``` - rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/$IMAGE_NAME:latest + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/IMAGE_NAME:latest ``` -- Reboot again to complete the installation +- Reboot again to complete the installation: ``` systemctl reboot ``` + Replace `IMAGE_NAME` with the *full name* of your preferred image from the [list below](README.md#images). ## ISO -While it's recommended to use a Fedora Atomic iso to install and then rebase that installation to secureblue, you can also generate an iso and install that directly using [this script](generate_secureblue_iso.sh). Please note you should still follow the [post-install steps](README.md#post-install) when installing from a generated iso: +While it's recommended to use a Fedora Atomic ISO to install and then rebase that installation to secureblue, you can also generate an ISO and install that directly using [this script](generate_secureblue_iso.sh). Please note you should still follow the [post-install steps](README.md#post-install) when installing from a generated ISO: ``` ./generate_secureblue_iso.sh ``` -# Images [userns?](USERNS.md) +# Images + +> [!NOTE] +> Learn about unprivileged user namespaces [here](USERNS.md). + ## Desktop + +*`nvidia-open` images are recommended for systems with Nvidia GPUs Turing or newer.* + +*`nvidia` images are recommended for systems with Nvidia GPUs Pascal or older.* + ### Recommended [why?](RECOMMENDED.md) -- `silverblue-main-hardened` -- `silverblue-nvidia-hardened` -- `silverblue-main-userns-hardened` -- `silverblue-nvidia-userns-hardened` +#### Silverblue +| Name | Base | Nvidia Support | Unpriv. 
Userns | +|-------------------------------------------|-----------|-------------------------|------------------------------| +| `silverblue-main-hardened` | Silverblue| No | No | +| `silverblue-nvidia-hardened` | Silverblue| Yes, closed drivers | No | +| `silverblue-nvidia-open-hardened` | Silverblue| Yes, open drivers | No | +| `silverblue-main-userns-hardened` | Silverblue| No | Yes | +| `silverblue-nvidia-userns-hardened` | Silverblue| Yes, closed drivers | Yes | +| `silverblue-nvidia-open-userns-hardened` | Silverblue| Yes, open drivers | Yes | + ### Stable -- `kinoite-main-hardened` -- `kinoite-nvidia-hardened` -- `kinoite-main-userns-hardened` -- `kinoite-nvidia-userns-hardened` -- `sericea-main-hardened` -- `sericea-nvidia-hardened` -- `sericea-main-userns-hardened` -- `sericea-nvidia-userns-hardened` -### Beta [wayblue?](https://github.com/wayblueorg/wayblue) -- `wayblue-wayfire-main-hardened` -- `wayblue-wayfire-nvidia-hardened` -- `wayblue-wayfire-main-userns-hardened` -- `wayblue-wayfire-nvidia-userns-hardened` -- `wayblue-hyprland-main-hardened` -- `wayblue-hyprland-nvidia-hardened` -- `wayblue-hyprland-main-userns-hardened` -- `wayblue-hyprland-nvidia-userns-hardened` -- `wayblue-river-main-hardened` -- `wayblue-river-nvidia-hardened` -- `wayblue-river-main-userns-hardened` -- `wayblue-river-nvidia-userns-hardened` -- `wayblue-sway-main-hardened` -- `wayblue-sway-nvidia-hardened` -- `wayblue-sway-main-userns-hardened` -- `wayblue-sway-nvidia-userns-hardened` -### Experimental -- `cinnamon-main-hardened` -- `cinnamon-nvidia-hardened` -- `cinnamon-main-userns-hardened` -- `cinnamon-nvidia-userns-hardened` -- `cosmic-main-hardened` -- `cosmic-nvidia-hardened` -- `cosmic-main-userns-hardened` -- `cosmic-nvidia-userns-hardened` +#### Kinoite +| Name | Base | Nvidia Support | Unpriv. 
Userns | +|-------------------------------------------|-----------|-------------------------|------------------------------| +| `kinoite-main-hardened` | Kinoite | No | No | +| `kinoite-nvidia-hardened` | Kinoite | Yes, closed drivers | No | +| `kinoite-nvidia-open-hardened` | Kinoite | Yes, open drivers | No | +| `kinoite-main-userns-hardened` | Kinoite | No | Yes | +| `kinoite-nvidia-userns-hardened` | Kinoite | Yes, closed drivers | Yes | +| `kinoite-nvidia-open-userns-hardened` | Kinoite | Yes, open drivers | Yes | + +#### Sericea +| Name | Base | Nvidia Support | Unpriv. Userns | +|-------------------------------------------|-----------|-------------------------|------------------------------| +| `sericea-main-hardened` | Sericea | No | No | +| `sericea-nvidia-hardened` | Sericea | Yes, closed drivers | No | +| `sericea-nvidia-open-hardened` | Sericea | Yes, open drivers | No | +| `sericea-main-userns-hardened` | Sericea | No | Yes | +| `sericea-nvidia-userns-hardened` | Sericea | Yes, closed drivers | Yes | +| `sericea-nvidia-open-userns-hardened` | Sericea | Yes, open drivers | Yes | + +### Beta +> [!NOTE] +> Learn about wayblue [here](https://github.com/wayblueorg/wayblue). + +#### Wayfire +| Name | Base | Nvidia Support | Unpriv. Userns | +|-------------------------------------------|-----------------------|-------------------------|------------------------------| +| `wayblue-wayfire-main-hardened` | Wayblue-Wayfire | No | No | +| `wayblue-wayfire-nvidia-hardened` | Wayblue-Wayfire | Yes, closed drivers | No | +| `wayblue-wayfire-nvidia-open-hardened` | Wayblue-Wayfire | Yes, open drivers | No | +| `wayblue-wayfire-main-userns-hardened` | Wayblue-Wayfire | No | Yes | +| `wayblue-wayfire-nvidia-userns-hardened` | Wayblue-Wayfire | Yes, closed drivers | Yes | +| `wayblue-wayfire-nvidia-open-userns-hardened` | Wayblue-Wayfire | Yes, open drivers | Yes | + +#### Hyprland +| Name | Base | Nvidia Support | Unpriv. 
Userns | +|-------------------------------------------|-----------------------|-------------------------|------------------------------| +| `wayblue-hyprland-main-hardened` | Wayblue-Hyprland | No | No | +| `wayblue-hyprland-nvidia-hardened` | Wayblue-Hyprland | Yes, closed drivers | No | +| `wayblue-hyprland-nvidia-open-hardened` | Wayblue-Hyprland | Yes, open drivers | No | +| `wayblue-hyprland-main-userns-hardened` | Wayblue-Hyprland | No | Yes | +| `wayblue-hyprland-nvidia-userns-hardened`| Wayblue-Hyprland | Yes, closed drivers | Yes | +| `wayblue-hyprland-nvidia-open-userns-hardened` | Wayblue-Hyprland | Yes, open drivers | Yes | + +#### River +| Name | Base | Nvidia Support | Unpriv. Userns | +|-------------------------------------------|-----------------------|-------------------------|------------------------------| +| `wayblue-river-main-hardened` | Wayblue-River | No | No | +| `wayblue-river-nvidia-hardened` | Wayblue-River | Yes, closed drivers | No | +| `wayblue-river-nvidia-open-hardened` | Wayblue-River | Yes, open drivers | No | +| `wayblue-river-main-userns-hardened` | Wayblue-River | No | Yes | +| `wayblue-river-nvidia-userns-hardened` | Wayblue-River | Yes, closed drivers | Yes | +| `wayblue-river-nvidia-open-userns-hardened` | Wayblue-River | Yes, open drivers | Yes | + + +#### Sway +| Name | Base | Nvidia Support | Unpriv. 
Userns | +|-------------------------------------------|-----------------------|-------------------------|------------------------------| +| `wayblue-sway-main-hardened` | Wayblue-Sway | No | No | +| `wayblue-sway-nvidia-hardened` | Wayblue-Sway | Yes, closed drivers | No | +| `wayblue-sway-nvidia-open-hardened` | Wayblue-Sway | Yes, open drivers | No | +| `wayblue-sway-main-userns-hardened` | Wayblue-Sway | No | Yes | +| `wayblue-sway-nvidia-userns-hardened` | Wayblue-Sway | Yes, closed drivers | Yes | +| `wayblue-sway-nvidia-open-userns-hardened` | Wayblue-Sway | Yes, open drivers | Yes | + ## Server -- `securecore-main-hardened` -- `securecore-nvidia-hardened` -- `securecore-main-userns-hardened` -- `securecore-nvidia-userns-hardened` -- `securecore-zfs-main-hardened` -- `securecore-zfs-nvidia-hardened` -- `securecore-zfs-main-userns-hardened` -- `securecore-zfs-nvidia-userns-hardened` +| Name | Base | Nvidia Support | ZFS Support | Unpriv. Userns | +|-------------------------------------------|-----------|-------------------------|-------------|------------------------------| +| `securecore-main-hardened` | CoreOS | No | No | No | +| `securecore-nvidia-hardened` | CoreOS | Yes, closed drivers | No | No | +| `securecore-nvidia-open-hardened` | CoreOS | Yes, open drivers | No | No | +| `securecore-main-userns-hardened` | CoreOS | No | No | Yes | +| `securecore-nvidia-userns-hardened` | CoreOS | Yes, closed drivers | No | Yes | +| `securecore-nvidia-open-userns-hardened` | CoreOS | Yes, open drivers | No | Yes | +| `securecore-zfs-main-hardened` | CoreOS | No | Yes | No | +| `securecore-zfs-nvidia-hardened` | CoreOS | Yes, closed drivers | Yes | No | +| `securecore-zfs-nvidia-open-hardened` | CoreOS | Yes, open drivers | Yes | No | +| `securecore-zfs-main-userns-hardened` | CoreOS | No | Yes | Yes | +| `securecore-zfs-nvidia-userns-hardened` | CoreOS | Yes, closed drivers | Yes | Yes | +| `securecore-zfs-nvidia-open-userns-hardened` | CoreOS | Yes, open drivers | 
Yes | Yes | # Post-install diff --git a/files/scripts/addchromiumdesktopfile.sh b/files/scripts/addchromiumdesktopfile.sh index 0faa8dc..5cf831c 100644 --- a/files/scripts/addchromiumdesktopfile.sh +++ b/files/scripts/addchromiumdesktopfile.sh @@ -4,4 +4,4 @@ # Tell build process to exit if there are any errors. set -oue pipefail -sed -i 's/firefox/chromium-browser/' /usr/share/wayfire/wf-shell.ini +sed -i 's/org.mozilla.firefox/chromium-browser/' /usr/share/wayfire/wf-shell.ini diff --git a/files/scripts/addtailscalerepo.sh b/files/scripts/addtailscalerepo.sh new file mode 100644 index 0000000..787772e --- /dev/null +++ b/files/scripts/addtailscalerepo.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +# Tell this script to exit if there are any errors. +# You should have this in every custom script, to ensure that your completed +# builds actually ran successfully without any errors! +set -oue pipefail + +curl -L https://pkgs.tailscale.com/stable/fedora/tailscale.repo -o /etc/yum.repos.d/tailscale.repo diff --git a/files/scripts/disableuserns.sh b/files/scripts/disableuserns.sh index 8c770d0..41290c1 100644 --- a/files/scripts/disableuserns.sh +++ b/files/scripts/disableuserns.sh @@ -42,7 +42,7 @@ chmod u+s /usr/bin/bwrap echo " -module chrome_sandbox 1.0; +module chrome_sandbox_secureblue 1.0; require { type chrome_sandbox_home_t; 
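Review bot: The `curl` call in addtailscalerepo.sh writes whatever the server returns into `/etc/yum.repos.d/tailscale.repo`: without `--fail` an HTTP error body still exits 0, so `set -e` never fires, and `-L` will also follow a redirect to plain HTTP. Because this file decides which package source and signing key the image trusts, I would tighten it to `curl --fail --silent --show-error --location --proto '=https' --proto-redir '=https' https://pkgs.tailscale.com/stable/fedora/tailscale.repo -o /etc/yum.repos.d/tailscale.repo`. The same applies to the `curl -Lo` call in installandroidudev.sh later in this commit. Comparing the fetched repo file against a pinned checksum would be the stronger control if the build can tolerate updating it.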
@@ -54,12 +54,12 @@ require { allow chrome_sandbox_t chrome_sandbox_home_t:file map; -" > chrome_sandbox.te +" > chrome_sandbox_secureblue.te -checkmodule -M -m -o chrome_sandbox.mod chrome_sandbox.te -semodule_package -o chrome_sandbox.pp -m chrome_sandbox.mod -semodule -i chrome_sandbox.pp +checkmodule -M -m -o chrome_sandbox_secureblue.mod chrome_sandbox_secureblue.te +semodule_package -o chrome_sandbox_secureblue.pp -m chrome_sandbox_secureblue.mod +semodule -i chrome_sandbox_secureblue.pp -rm chrome_sandbox.te -rm chrome_sandbox.mod -rm chrome_sandbox.pp +rm chrome_sandbox_secureblue.te +rm chrome_sandbox_secureblue.mod +rm chrome_sandbox_secureblue.pp diff --git a/files/scripts/excludepcsc.sh b/files/scripts/excludepcsc.sh new file mode 100644 index 0000000..0269043 --- /dev/null +++ b/files/scripts/excludepcsc.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + +sed -i 's/add_dracutmodules+=" fido2 tpm2-tss pkcs11 pcsc "/add_dracutmodules+=" fido2 tpm2-tss pkcs11 "/' /usr/lib/dracut/dracut.conf.d/90-ublue-luks.conf diff --git a/files/scripts/excludezfs.sh b/files/scripts/excludezfs.sh new file mode 100644 index 0000000..8af7eb2 --- /dev/null +++ b/files/scripts/excludezfs.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + +echo ' + +omit_dracutmodules+=" zfs " + +' > /usr/lib/dracut/dracut.conf.d/99-omit-zfs.conf diff --git a/files/scripts/hardencontainerpolicy.sh b/files/scripts/hardencontainerpolicy.sh index 9dd1450..415e766 100644 --- a/files/scripts/hardencontainerpolicy.sh +++ b/files/scripts/hardencontainerpolicy.sh 
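Review bot: The `sed` in excludepcsc.sh matches the whole `add_dracutmodules+=" fido2 tpm2-tss pkcs11 pcsc "` line literally, and `sed -i` exits 0 when nothing matches, so any change to that line upstream would leave `pcsc` in the initramfs while the build still passes. A check after the substitution makes the failure visible: `if grep -q ' pcsc ' /usr/lib/dracut/dracut.conf.d/90-ublue-luks.conf; then echo "Error: pcsc still present"; exit 1; fi` (an `if` rather than `! grep`, since a negated command does not trigger `set -e`). The two `sed` calls in setearlyloading.sh later in this commit have the same silent no-op behaviour and would benefit from a matching check for `force_drivers`.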
@@ -3,11 +3,16 @@ # Tell build process to exit if there are any errors. set -oue pipefail -sed -i 's/insecureAcceptAnything/reject/' /usr/etc/containers/policy.json +POLICY_FILE="/usr/etc/containers/policy.json" + +if [[ ! -f "$POLICY_FILE" ]]; then + echo "Error: $POLICY_FILE does not exist." + exit 1 +fi + +sed -i 's/insecureAcceptAnything/reject/' "$POLICY_FILE" -# Exception for build-container-installer to allow the ISO generation script to work -# https://github.com/JasonN3/build-container-installer/issues/123 yq -i -o=j '.transports.docker |= {"ghcr.io/jasonn3": [ { @@ -19,7 +24,7 @@ yq -i -o=j '.transports.docker |= } ] } -+ .' /usr/etc/containers/policy.json ++ .' "$POLICY_FILE" yq -i -o=j '.transports.docker |= {"ghcr.io/zelikos": [ @@ -32,4 +37,17 @@ yq -i -o=j '.transports.docker |= } ] } -+ .' /usr/etc/containers/policy.json \ No newline at end of file ++ .' "$POLICY_FILE" + +yq -i -o=j '.transports.docker |= + {"ghcr.io/wayblueorg": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/wayblue.pub", + "signedIdentity": { + "type": "matchRepository" + } + } + ] + } ++ .' "$POLICY_FILE" \ No newline at end of file diff --git a/files/scripts/hardenrechunkedcontainerpolicy.sh b/files/scripts/hardenrechunkedcontainerpolicy.sh deleted file mode 100644 index 49c4c10..0000000 --- a/files/scripts/hardenrechunkedcontainerpolicy.sh +++ /dev/null 
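Review bot: The new existence check on `$POLICY_FILE` does not confirm that the default policy was actually tightened: `sed` exits 0 when nothing matches and, without the `g` flag, replaces only the first match on each line, so a reformatted policy.json could keep an `insecureAcceptAnything` entry while the build passes. Adding `if grep -q insecureAcceptAnything "$POLICY_FILE"; then echo "Error: permissive policy entries remain."; exit 1; fi` right after the `sed` turns that into a build failure. This hunk also removes the comment that explained why the `ghcr.io/jasonn3` exception exists; I would keep `# Exception for build-container-installer to allow the ISO generation script to work` and its issue link, since that is what a later audit of the trust list needs.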
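Review bot: The new `ghcr.io/wayblueorg` entry makes `/usr/etc/pki/containers/wayblue.pub` a signature trust anchor, but nothing in the script records where that key was obtained or why the registry is trusted. A comment above the `yq` call, for example `# wayblue base images; public key obtained from <source URL, to be filled in>`, would let a later reviewer check the key against its origin. As a style point, the three `yq` invocations differ only in registry and key path, so a small helper function taking those two arguments would keep the entries from drifting apart. The `yq` block for the preceding entry starts outside this hunk.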
@@ -1,35 +0,0 @@ -#!/usr/bin/env bash - -# Tell build process to exit if there are any errors. -set -oue pipefail - -sed -i 's/insecureAcceptAnything/reject/' /etc/containers/policy.json - - -# Exception for build-container-installer to allow the ISO generation script to work -# https://github.com/JasonN3/build-container-installer/issues/123 -yq -i -o=j '.transports.docker |= - {"ghcr.io/jasonn3": [ - { - "type": "sigstoreSigned", - "keyPath": "/etc/pki/containers/build-container-installer.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ] - } -+ .' /etc/containers/policy.json - -yq -i -o=j '.transports.docker |= - {"ghcr.io/zelikos": [ - { - "type": "sigstoreSigned", - "keyPath": "/etc/pki/containers/davincibox.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ] - } -+ .' /etc/containers/policy.json diff --git a/files/scripts/installandroidudev.sh b/files/scripts/installandroidudev.sh new file mode 100644 index 0000000..ffc224f --- /dev/null +++ b/files/scripts/installandroidudev.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + +curl -Lo /etc/yum.repos.d/_copr_ublue-os_staging.repo https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${OS_VERSION}"/ublue-os-staging-fedora-"${OS_VERSION}".repo +rpm-ostree install android-udev-rules +rm /etc/yum.repos.d/_copr_ublue-os_staging.repo \ No newline at end of file diff --git a/files/scripts/removecinnamonxsessions.sh b/files/scripts/installnvidiatoolkitpolicy.sh similarity index 55% rename from files/scripts/removecinnamonxsessions.sh rename to files/scripts/installnvidiatoolkitpolicy.sh index 4ba21cc..c55ff44 100644 --- a/files/scripts/removecinnamonxsessions.sh +++ b/files/scripts/installnvidiatoolkitpolicy.sh 
@@ -3,4 +3,4 @@ # Tell build process to exit if there are any errors. set -oue pipefail -rm /usr/share/xsessions/* \ No newline at end of file +semodule --verbose --install /usr/share/selinux/packages/nvidia-container.pp \ No newline at end of file diff --git a/files/scripts/installrpmfusion.sh b/files/scripts/installrpmfusion.sh new file mode 100644 index 0000000..cf0fd8f --- /dev/null +++ b/files/scripts/installrpmfusion.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + +rpm -q rpmfusion-free-release || rpm-ostree install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-${OS_VERSION}.noarch.rpm +rpm -q rpmfusion-nonfree-release || rpm-ostree install https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-${OS_VERSION}.noarch.rpm diff --git a/files/scripts/installsignedkernel.sh b/files/scripts/installsignedkernel.sh new file mode 100644 index 0000000..e6e5b8e --- /dev/null +++ b/files/scripts/installsignedkernel.sh 
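Review bot: Both `rpm-ostree install https://mirrors.rpmfusion.org/...` lines in installrpmfusion.sh install the release packages straight from a URL, and these packages presumably deliver the RPM Fusion repo definitions and signing keys, so as far as this script shows TLS to the mirror is the only integrity check on that trust root. I would download the two RPMs first, verify each against a pinned digest (`echo "<expected-sha256>  rpmfusion-free-release.rpm" | sha256sum -c -`, with the digest placeholder filled in per Fedora release) and then install the local files. `${OS_VERSION}` is also left unquoted in both URLs, unlike in installandroidudev.sh; quoting the whole URL keeps the scripts consistent.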
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + +find /tmp/rpms + +rpm-ostree cliwrap install-to-root / + +QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')" +INCOMING_KERNEL_VERSION="$(basename -s .rpm $(ls /tmp/rpms/kernel/kernel-[0-9]*.rpm 2>/dev/null | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//'))" + +echo "Qualified kernel: $QUALIFIED_KERNEL" +echo "Incoming kernel version: $INCOMING_KERNEL_VERSION" + + +if [[ "$INCOMING_KERNEL_VERSION" != "$QUALIFIED_KERNEL" ]]; then + echo "Installing kernel rpm from kernel-cache." + rpm-ostree override replace \ + --experimental \ + --install=zstd \ + /tmp/rpms/kernel/kernel-[0-9]*.rpm \ + /tmp/rpms/kernel/kernel-core-*.rpm \ + /tmp/rpms/kernel/kernel-modules-*.rpm +else + echo "Installing kernel files from kernel-cache." + cd /tmp + rpm2cpio /tmp/rpms/kernel/kernel-core-*.rpm | cpio -idmv + cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz + cd / +fi \ No newline at end of file diff --git a/files/scripts/regenerateinitramfs.sh b/files/scripts/regenerateinitramfs.sh new file mode 100644 index 0000000..493804a --- /dev/null +++ b/files/scripts/regenerateinitramfs.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + + +rpm-ostree cliwrap install-to-root / + +QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')" +/usr/libexec/rpm-ostree/wrapped/dracut --no-hostonly --kver "$QUALIFIED_KERNEL" --reproducible -v --add ostree -f "/lib/modules/$QUALIFIED_KERNEL/initramfs.img" +chmod 0600 "/lib/modules/$QUALIFIED_KERNEL/initramfs.img" \ No newline at end of file diff --git a/files/scripts/removebluefinfirstboot.sh b/files/scripts/removebluefinfirstboot.sh deleted file mode 100644 index 9a6c4bd..0000000 --- a/files/scripts/removebluefinfirstboot.sh +++ /dev/null 
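Review bot: In the `else` branch of installsignedkernel.sh, `cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz` globs on both sides, so the destination is whatever the shell expands and a second directory under `/usr/lib/modules` changes what the command does; naming the version is safer: `cp "./lib/modules/$QUALIFIED_KERNEL/vmlinuz" "/usr/lib/modules/$QUALIFIED_KERNEL/vmlinuz"`. That branch unpacks the package with `rpm2cpio | cpio`, which performs no signature or digest verification, and nothing visible in the script checks the RPMs under `/tmp/rpms` beforehand, so an `rpmkeys --checksig` step against the expected signing key before either branch would confirm the cached packages are the intended ones. `QUALIFIED_KERNEL` and `INCOMING_KERNEL_VERSION` are built from unquoted `ls`/`grep` output and would hold several lines if more than one package matched; a guard that fails unless exactly one version is found would help, and the same lookup is repeated in regenerateinitramfs.sh.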
@@ -1,7 +0,0 @@ -#!/usr/bin/env bash - -# Tell build process to exit if there are any errors. -set -oue pipefail - -rm /etc/skel/.config/autostart/bluefin-firstboot.desktop -rm /etc/profile.d/bluefin-firstboot.sh diff --git a/files/scripts/removeunusedrepos.sh b/files/scripts/removeunusedrepos.sh new file mode 100644 index 0000000..f64aaaf --- /dev/null +++ b/files/scripts/removeunusedrepos.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + +rm -f /etc/yum.repos.d/negativo17-fedora-nvidia.repo +rm -f /etc/yum.repos.d/negativo17-fedora-multimedia.repo +rm -f /etc/yum.repos.d/eyecantcu-supergfxctl.repo +rm -f /etc/yum.repos.d/_copr_ublue-os-akmods.repo +rm -f /etc/yum.repos.d/nvidia-container-toolkit.repo diff --git a/files/scripts/setdrmvariables.sh b/files/scripts/setdrmvariables.sh new file mode 100644 index 0000000..617d940 --- /dev/null +++ b/files/scripts/setdrmvariables.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + + +echo ' + +# Nvidia modesetting support. Set to 0 or comment to disable kernel modesetting +# support. This must be disabled in case of SLI Mosaic. + +options nvidia-drm modeset=1 fbdev=1 + +' > /usr/lib/modprobe.d/nvidia-modeset.conf + +cp /usr/lib/modprobe.d/nvidia-modeset.conf /etc/modprobe.d/nvidia-modeset.conf \ No newline at end of file diff --git a/files/scripts/setearlyloading.sh b/files/scripts/setearlyloading.sh new file mode 100644 index 0000000..a0256d3 --- /dev/null +++ b/files/scripts/setearlyloading.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + +sed -i 's@omit_drivers@force_drivers@g' /usr/lib/dracut/dracut.conf.d/99-nvidia-dracut.conf +sed -i 's@ nvidia @ i915 amdgpu nvidia @g' /usr/lib/dracut/dracut.conf.d/99-nvidia-dracut.conf \ No newline at end of file 
diff --git a/files/scripts/setswaynvidiaenvironment.sh b/files/scripts/setswaynvidiaenvironment.sh new file mode 100644 index 0000000..ee79c37 --- /dev/null +++ b/files/scripts/setswaynvidiaenvironment.sh @@ -0,0 +1,38 @@ +#!/usr/bin/env bash + +# Tell build process to exit if there are any errors. +set -oue pipefail + +rm /etc/sway/environment + +echo ' + +# This file is a part of Fedora configuration for Sway and will be sourced +# from /usr/bin/start-sway script for all users of the system. +# User-specific variables should be placed in $XDG_CONFIG_HOME/sway/environment +# +# vim: set ft=sh: + +## Pass extra arguments to the /usr/bin/sway executable + +#SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --unsupported-gpu" +SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --unsupported-gpu -D noscanout" +#SWAY_EXTRA_ARGS="$SWAY_EXTRA_ARGS --debug" + +## Set environment variables + +# Useful variables for wlroots: +# https://gitlab.freedesktop.org/wlroots/wlroots/-/blob/master/docs/env_vars.md +WLR_NO_HARDWARE_CURSORS=1 +# Setting renderer to Vulkan may fix flickering but needs the following extensions: +# - VK_EXT_image_drm_format_modifier +# - VK_EXT_physical_device_drm +# +# Source: https://gitlab.freedesktop.org/wlroots/wlroots/-/commit/8e346922508aa3eaccd6e12f2917f6574f349843 +WLR_RENDERER=vulkan + +# Java Application compatibility +# Source: https://github.com/swaywm/wlroots/issues/1464 +_JAVA_AWT_WM_NONREPARENTING=1 + +' > /etc/sway/environment \ No newline at end of file diff --git a/files/system/dx/etc/skel/.config/Code/User/settings.json b/files/system/dx/etc/skel/.config/Code/User/settings.json deleted file mode 100644 index a0947ec..0000000 --- a/files/system/dx/etc/skel/.config/Code/User/settings.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "window.titleBarStyle": "custom", - "editor.fontFamily": "'Cascadia Code', 'Droid Sans Mono', 'monospace', monospace", - "telemetry.telemetryLevel": "off", - "gitlens.telemetry.enabled": false -} 
diff --git a/files/system/etc/containers/registries.d/wayblue.yaml b/files/system/etc/containers/registries.d/wayblue.yaml new file mode 100644 index 0000000..b8677d0 --- /dev/null +++ b/files/system/etc/containers/registries.d/wayblue.yaml @@ -0,0 +1,3 @@ +docker: + ghcr.io/wayblueorg: + use-sigstore-attachments: true \ No newline at end of file diff --git a/files/system/etc/pki/containers/wayblue.pub b/files/system/etc/pki/containers/wayblue.pub new file mode 100644 index 0000000..fe44a39 --- /dev/null +++ b/files/system/etc/pki/containers/wayblue.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0HrfZIuVnc6fK0LjNHotudA7ym+c +xTbDVrZb1Y1SXsdbNOsVcCojMRylp9+IE0p/YSsfuGFF64juRx7ZoJ9PpA== +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/files/system/usr/share/ublue-os/just/70-secureblue.just b/files/system/usr/share/ublue-os/just/70-secureblue.just index 5e33851..bc4eee6 100644 --- a/files/system/usr/share/ublue-os/just/70-secureblue.just +++ b/files/system/usr/share/ublue-os/just/70-secureblue.just @@ -23,6 +23,7 @@ set-kargs-hardening: --append-if-missing="spec_store_bypass_disable=on" \ --append-if-missing="l1d_flush=on" \ --append-if-missing="gather_data_sampling=force" + --append-if-missing="ia32_emulation=0" echo "Hardening kargs set." # Add additional (unstable) boot parameters for hardening (requires reboot) diff --git a/recipes/asus/recipe-aurora-asus-nvidia-userns.yml b/recipes/asus/recipe-aurora-asus-nvidia-userns.yml deleted file mode 100644 index c615d7f..0000000 --- a/recipes/asus/recipe-aurora-asus-nvidia-userns.yml +++ /dev/null 
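Review bot: In 70-secureblue.just the added `--append-if-missing="ia32_emulation=0"` follows a line that, as shown in the hunk, has no trailing `\` (`--append-if-missing="gather_data_sampling=force"`), so just would run it as a separate command instead of passing it to the kargs call above. The hardening karg would then not be applied, and the recipe would likely stop before `echo "Hardening kargs set."`. The context line needs the continuation: `--append-if-missing="gather_data_sampling=force" \`. The start of the `set-kargs-hardening` recipe is outside the hunk, so this should be confirmed against the full file.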
@@ -1,23 +0,0 @@ -name: aurora-asus-nvidia-userns-hardened - -description: "Aurora asus nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-asus-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/asus/recipe-aurora-asus-nvidia.yml b/recipes/asus/recipe-aurora-asus-nvidia.yml deleted file mode 100644 index 321285f..0000000 --- a/recipes/asus/recipe-aurora-asus-nvidia.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: aurora-asus-nvidia-hardened - -description: "Aurora asus nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-asus-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/asus/recipe-aurora-asus-userns.yml b/recipes/asus/recipe-aurora-asus-userns.yml deleted file mode 100644 index bff7e08..0000000 
--- a/recipes/asus/recipe-aurora-asus-userns.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: aurora-asus-userns-hardened - -description: "Aurora asus with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-asus - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/asus/recipe-aurora-asus.yml b/recipes/asus/recipe-aurora-asus.yml deleted file mode 100644 index 7762fab..0000000 --- a/recipes/asus/recipe-aurora-asus.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: aurora-asus-hardened - -description: "Aurora asus with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-asus - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/asus/recipe-aurora-dx-asus-nvidia-userns.yml b/recipes/asus/recipe-aurora-dx-asus-nvidia-userns.yml deleted file mode 100644 index 8e3adf0..0000000 
--- a/recipes/asus/recipe-aurora-dx-asus-nvidia-userns.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: aurora-dx-asus-nvidia-userns-hardened - -description: "Aurora asus dx nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-dx-asus-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/dx-packages.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/dx-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/asus/recipe-aurora-dx-asus-userns.yml b/recipes/asus/recipe-aurora-dx-asus-userns.yml deleted file mode 100644 index c9d3cef..0000000 --- a/recipes/asus/recipe-aurora-dx-asus-userns.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: aurora-dx-asus-userns-hardened - -description: "Aurora asus dx with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-dx-asus - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/dx-packages.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/dx-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml 
diff --git a/recipes/asus/recipe-kinoite-asus-nvidia-userns.yml b/recipes/asus/recipe-kinoite-asus-nvidia-userns.yml deleted file mode 100644 index 6acbe8e..0000000 --- a/recipes/asus/recipe-kinoite-asus-nvidia-userns.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: kinoite-asus-nvidia-userns-hardened - -description: "Kinoite asus nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/kinoite-asus-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/kinoite-files.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file diff --git a/recipes/asus/recipe-kinoite-asus-nvidia.yml b/recipes/asus/recipe-kinoite-asus-nvidia.yml deleted file mode 100644 index 5f0bfe7..0000000 --- a/recipes/asus/recipe-kinoite-asus-nvidia.yml +++ /dev/null 
@@ -1,24 +0,0 @@
-name: kinoite-asus-nvidia-hardened
-
-description: "Kinoite asus nvidia with some hardening applied"
-
-base-image: ghcr.io/ublue-os/kinoite-asus-nvidia
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/disableuserns-packages.yml
- - from-file: common/remove-firefox.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - from-file: common/kinoite-files.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
\ No newline at end of file
diff --git a/recipes/asus/recipe-kinoite-asus-userns.yml b/recipes/asus/recipe-kinoite-asus-userns.yml
deleted file mode 100644
index 7f4af07..0000000
--- a/recipes/asus/recipe-kinoite-asus-userns.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: kinoite-asus-userns-hardened
-
-description: "Kinoite asus with some hardening applied"
-
-base-image: ghcr.io/ublue-os/kinoite-asus
-
-image-version: 40
-
-# module configuration, executed in order
-# you can include multiple instances of the same module
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/remove-firefox.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/kinoite-files.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
\ No newline at end of file
diff --git a/recipes/asus/recipe-kinoite-asus.yml b/recipes/asus/recipe-kinoite-asus.yml
deleted file mode 100644
index 2df62b2..0000000
--- a/recipes/asus/recipe-kinoite-asus.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: kinoite-asus-hardened
-
-description: "Kinoite asus with some hardening applied"
-
-base-image: ghcr.io/ublue-os/kinoite-asus
-
-image-version: 40
-
-# module configuration, executed in order
-# you can include multiple instances of the same module
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/disableuserns-packages.yml
- - from-file: common/remove-firefox.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - from-file: common/kinoite-files.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
\ No newline at end of file
diff --git a/recipes/asus/recipe-silverblue-asus-nvidia-userns.yml b/recipes/asus/recipe-silverblue-asus-nvidia-userns.yml
deleted file mode 100644
index bcd5b09..0000000
--- a/recipes/asus/recipe-silverblue-asus-nvidia-userns.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: silverblue-asus-nvidia-userns-hardened
-
-description: "Silverblue asus nvidia with some hardening applied"
-
-base-image: ghcr.io/ublue-os/silverblue-asus-nvidia
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/gnome-packages.yml
- - from-file: common/disable-gnome-extensions.yml
- - from-file: common/silverblue-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/remove-firefox.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
\ No newline at end of file
diff --git a/recipes/asus/recipe-silverblue-asus-nvidia.yml b/recipes/asus/recipe-silverblue-asus-nvidia.yml
deleted file mode 100644
index 418bde1..0000000
--- a/recipes/asus/recipe-silverblue-asus-nvidia.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: silverblue-asus-nvidia-hardened
-
-description: "Silverblue asus nvidia with some hardening applied"
-
-base-image: ghcr.io/ublue-os/silverblue-asus-nvidia
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/gnome-packages.yml
- - from-file: common/disable-gnome-extensions.yml
- - from-file: common/silverblue-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/disableuserns-packages.yml
- - from-file: common/remove-firefox.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
\ No newline at end of file
diff --git a/recipes/asus/recipe-silverblue-asus-userns.yml b/recipes/asus/recipe-silverblue-asus-userns.yml
deleted file mode 100644
index fcd7773..0000000
--- a/recipes/asus/recipe-silverblue-asus-userns.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: silverblue-asus-userns-hardened
-
-description: "Silverblue asus with some hardening applied"
-
-base-image: ghcr.io/ublue-os/silverblue-asus
-
-image-version: 40
-
-# module configuration, executed in order
-# you can include multiple instances of the same module
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/gnome-packages.yml
- - from-file: common/disable-gnome-extensions.yml
- - from-file: common/silverblue-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/remove-firefox.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
\ No newline at end of file
diff --git a/recipes/asus/recipe-silverblue-asus.yml b/recipes/asus/recipe-silverblue-asus.yml
deleted file mode 100644
index d643b30..0000000
--- a/recipes/asus/recipe-silverblue-asus.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: silverblue-asus-hardened
-
-description: "Silverblue asus with some hardening applied"
-
-base-image: ghcr.io/ublue-os/silverblue-asus
-
-image-version: 40
-
-# module configuration, executed in order
-# you can include multiple instances of the same module
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/gnome-packages.yml
- - from-file: common/disable-gnome-extensions.yml
- - from-file: common/silverblue-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/disableuserns-packages.yml
- - from-file: common/remove-firefox.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
\ No newline at end of file
diff --git a/recipes/common/aurora-packages.yml b/recipes/common/aurora-packages.yml
deleted file mode 100644
index c8e448a..0000000
--- a/recipes/common/aurora-packages.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-type: rpm-ostree
-remove:
- - samba-common-tools
- - samba-dcerpc
- - samba-ldb-ldap-modules
- - samba-winbind
- - samba-winbind-clients
- - samba-winbind-modules
- - samba
- - samba-usershares
-remove:
- - ifuse
\ No newline at end of file
diff --git a/recipes/common/bluefin-packages.yml b/recipes/common/bluefin-packages.yml
deleted file mode 100644
index 03588b0..0000000
--- a/recipes/common/bluefin-packages.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-type: rpm-ostree
-remove:
- - gnome-shell-extension-gsconnect
- - nautilus-gsconnect
- - samba-common-tools
- - samba-dcerpc
- - samba-ldb-ldap-modules
- - samba-winbind
- - samba-winbind-clients
- - samba-winbind-modules
- - samba
-remove:
- - ifuse
- - fuse-encfs
\ No newline at end of file
diff --git a/recipes/common/bluefin-scripts.yml b/recipes/common/bluefin-scripts.yml
deleted file mode 100644
index 34ae40b..0000000
--- a/recipes/common/bluefin-scripts.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-type: script
-scripts:
- - disabletailscale.sh
- - removebluefinfirstboot.sh
\ No newline at end of file
diff --git a/recipes/common/cinnamon-scripts.yml b/recipes/common/cinnamon-scripts.yml
deleted file mode 100644
index 04219fd..0000000
--- a/recipes/common/cinnamon-scripts.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-type: script
-scripts:
- - removecinnamonxsessions.sh
\ No newline at end of file
diff --git a/recipes/common/common-brew.yml b/recipes/common/common-brew.yml
deleted file mode 100644
index d86307c..0000000
--- a/recipes/common/common-brew.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-type: brew
-brew-analytics: false
\ No newline at end of file
diff --git a/recipes/common/common-files.yml b/recipes/common/common-files.yml
deleted file mode 100644
index 4f9afd1..0000000
--- a/recipes/common/common-files.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-type: files
-files:
- - source: system/usr
- destination: /usr
- - source: system/etc
- destination: /etc
diff --git a/recipes/common/common-modules.yml b/recipes/common/common-modules.yml
new file mode 100644
index 0000000..62a663e
--- /dev/null
+++ b/recipes/common/common-modules.yml
@@ -0,0 +1,31 @@ +modules: + - type: script + scripts: + - createautostartdir.sh + - type: containerfile + snippets: + - RUN rpm-ostree install just powerstat + - COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-udev-rules.noarch.rpm / + - COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-update-services.noarch.rpm / + - COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-signing.noarch.rpm / + - COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-luks.noarch.rpm / + - COPY --from=ghcr.io/ublue-os/config:latest /rpms/ublue-os-just.noarch.rpm / + - RUN rpm -q ublue-os-udev-rules || rpm -ivh /ublue-os-udev-rules.noarch.rpm + - RUN rpm -q ublue-os-update-services || rpm -ivh /ublue-os-update-services.noarch.rpm + - RUN rpm -q ublue-os-signing || rpm -ivh /ublue-os-signing.noarch.rpm + - RUN rpm -q ublue-os-luks || rpm -ivh /ublue-os-luks.noarch.rpm + - RUN rpm -q ublue-os-just || rpm -ivh /ublue-os-just.noarch.rpm + - type: script + scripts: + - installrpmfusion.sh + - from-file: common/common-packages.yml + - type: files + files: + - source: system/usr + destination: /usr + - source: system/etc + destination: /etc + - from-file: common/common-scripts.yml + - type: brew + brew-analytics: false + - type: secureblue-signing \ No newline at end of file diff --git a/recipes/common/common-packages.yml b/recipes/common/common-packages.yml index 65490a9..0184474 100644 --- a/recipes/common/common-packages.yml +++ b/recipes/common/common-packages.yml @@ -3,7 +3,10 @@ repos: - https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/repo/fedora-%OS_VERSION%/secureblue-hardened_malloc-fedora-%OS_VERSION%.repo install: - hardened_malloc - # needed for some scripts - - patch + # missing upstream - - rar \ No newline at end of file + - openssl + - just + - patch + - p7zip + - unrar diff --git a/recipes/common/common-scripts.yml b/recipes/common/common-scripts.yml index 62bcf48..e27ef53 100644 --- a/recipes/common/common-scripts.yml 
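Review bot: The five `COPY --from=ghcr.io/ublue-os/config:latest` snippets in common-modules.yml pull from a mutable tag, so two builds of the same commit can install different `ublue-os-*` RPMs and nothing in the recipe records which image was used. Pinning by digest, e.g. `COPY --from=ghcr.io/ublue-os/config@sha256:<DIGEST_PLACEHOLDER> /rpms/ublue-os-signing.noarch.rpm /`, would make the build input reproducible and reviewable; this matters most for `ublue-os-signing`, which presumably carries trust configuration. The same applies to the tag-only references `akmods:main-40`, `main-kernel:40`, `akmods-nvidia:main-40`, `akmods-nvidia-open:main-40` and the `coreos-testing-40` images in desktop-modules.yml, the four nvidia-*-modules.yml files, server-modules.yml and zfs-modules.yml. Whether these source images are signature-verified before the build is not visible in this diff; if they are not, a verification step in the workflow would be worth adding.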
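Review bot: `just` is now requested twice, once by the added `- just` entry in the common-packages.yml `install:` list and once by `RUN rpm-ostree install just powerstat` in the new common-modules.yml, which runs earlier in the same module chain. One of the two can be dropped; keeping it only in common-packages.yml leaves a single place to audit the package set. The comment `# needed for some scripts` is also removed while `patch` stays, so the reason `patch` is installed is no longer recorded.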
+++ b/recipes/common/common-scripts.yml @@ -9,3 +9,4 @@ scripts: - disablegeoclue.sh - addjustconfig.sh - addbrewjustimport.sh + - hardencontainerpolicy.sh diff --git a/recipes/common/cosmic-modules.yml b/recipes/common/cosmic-modules.yml new file mode 100644 index 0000000..e05bbda --- /dev/null +++ b/recipes/common/cosmic-modules.yml @@ -0,0 +1,9 @@ +modules: + - type: rpm-ostree + install: + - NetworkManager-tui + - NetworkManager-openvpn + - type: systemd + system: + enabled: + - cosmic-greeter \ No newline at end of file diff --git a/recipes/common/desktop-modules.yml b/recipes/common/desktop-modules.yml new file mode 100644 index 0000000..3b048bc --- /dev/null +++ b/recipes/common/desktop-modules.yml @@ -0,0 +1,15 @@ +modules: + - type: containerfile + snippets: + - COPY --from=ghcr.io/ublue-os/akmods:main-40 /rpms /tmp/rpms + - RUN find /tmp/rpms + - RUN rpm -q ublue-os-akmods-addons || rpm-ostree install /tmp/rpms/ublue-os/ublue-os-akmods-addons*.rpm + - type: containerfile + snippets: + - COPY --from=ghcr.io/ublue-os/main-kernel:40 /tmp/rpms /tmp/rpms/kernel + - type: script + scripts: + - installsignedkernel.sh + - from-file: common/desktop-packages.yml + - from-file: common/desktop-scripts.yml + - type: yafti \ No newline at end of file diff --git a/recipes/common/gui-packages.yml b/recipes/common/desktop-packages.yml similarity index 78% rename from recipes/common/gui-packages.yml rename to recipes/common/desktop-packages.yml index 33c9c2c..e639085 100644 --- a/recipes/common/gui-packages.yml +++ b/recipes/common/desktop-packages.yml @@ -12,7 +12,19 @@ install: - usbguard - setroubleshoot - setools + - fscrypt + - heif-pixbuf-loader + - vim + - alsa-firmware + + # yubikey enablement + - pam-u2f + - pam_yubico + - pamu2fcfg + - yubikey-manager remove: + - firefox + - firefox-langpacks - fuse - fedora-chromium-config - fedora-flathub-remote 
diff --git a/recipes/common/gui-scripts.yml b/recipes/common/desktop-scripts.yml similarity index 88% rename from recipes/common/gui-scripts.yml rename to recipes/common/desktop-scripts.yml index 9cf2f7d..74ccd3b 100644 --- a/recipes/common/gui-scripts.yml +++ b/recipes/common/desktop-scripts.yml @@ -1,5 +1,6 @@ type: script scripts: + - installandroidudev.sh - disablecups.sh - disablesshd.sh - disableavahidaemon.sh diff --git a/recipes/common/disable-gnome-extensions.yml b/recipes/common/disable-gnome-extensions.yml deleted file mode 100644 index dadee63..0000000 --- a/recipes/common/disable-gnome-extensions.yml +++ /dev/null @@ -1,3 +0,0 @@ -type: gschema-overrides -include: - - zz1-secureblue.gschema.override \ No newline at end of file diff --git a/recipes/common/disableuserns-modules.yml b/recipes/common/disableuserns-modules.yml new file mode 100644 index 0000000..2fa3b53 --- /dev/null +++ b/recipes/common/disableuserns-modules.yml @@ -0,0 +1,7 @@ +modules: + - type: rpm-ostree + remove: + - toolbox + - type: script + scripts: + - disableuserns.sh \ No newline at end of file diff --git a/recipes/common/disableuserns-packages.yml b/recipes/common/disableuserns-packages.yml deleted file mode 100644 index 3a7a634..0000000 --- a/recipes/common/disableuserns-packages.yml +++ /dev/null @@ -1,8 +0,0 @@ -type: rpm-ostree -remove: - - toolbox - - distrobox - - - - diff --git a/recipes/common/disableuserns-scripts.yml b/recipes/common/disableuserns-scripts.yml deleted file mode 100644 index c492678..0000000 --- a/recipes/common/disableuserns-scripts.yml +++ /dev/null @@ -1,3 +0,0 @@ -type: script -scripts: - - disableuserns.sh \ No newline at end of file diff --git a/recipes/common/dx-files.yml b/recipes/common/dx-files.yml deleted file mode 100644 index 3028c6b..0000000 --- a/recipes/common/dx-files.yml +++ /dev/null @@ -1,4 +0,0 @@ -type: files -files: - - source: system/dx - destination: / \ No newline at end of file 
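Review bot: The `remove:` list in the new disableuserns-modules.yml contains only `toolbox`, whereas the deleted disableuserns-packages.yml also removed `distrobox`. The added userns-packages.yml installs `distrobox` explicitly, which suggests the new base images do not ship it, but that is an inference and the base image is not visible here. If it holds, a comment such as `# distrobox is not in the base image; userns variants add it via userns-packages.yml` would document why the removal was dropped; if it does not hold, `distrobox` should go back into this list so images that run disableuserns.sh do not keep an unusable container front end installed.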
diff --git a/recipes/common/dx-packages.yml b/recipes/common/dx-packages.yml
deleted file mode 100644
index 2bb50c7..0000000
--- a/recipes/common/dx-packages.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-type: rpm-ostree
-remove:
- - zfs-fuse
- - libvirt-daemon-driver-storage-zfs
- - libvirt-daemon-kvm
- - libvirt-daemon-driver-storage
- - libvirt
- - libvirt-nss
- - libguestfs
- - libguestfs-xfs
- - guestfs-tools
- - virt-v2v
diff --git a/recipes/common/final-modules.yml b/recipes/common/final-modules.yml
new file mode 100644
index 0000000..36918fb
--- /dev/null
+++ b/recipes/common/final-modules.yml
@@ -0,0 +1,5 @@
+modules:
+ - type: script
+ scripts:
+ - removeunusedrepos.sh
+ - regenerateinitramfs.sh
\ No newline at end of file
diff --git a/recipes/common/gnome-packages.yml b/recipes/common/gnome-packages.yml
deleted file mode 100644
index 9e7a07d..0000000
--- a/recipes/common/gnome-packages.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-type: rpm-ostree
-install:
- - firewall-config
- - gnome-disk-utility
-remove:
- - yelp
- - gnome-user-share
- - mod_lua
- - httpd
- - httpd-core
- - mod_http2
- - mod_dnssd
- - gnome-remote-desktop
- - libvncserver
- - malcontent-ui-libs
- - malcontent-control
- - fedora-chromium-config-gnome
\ No newline at end of file
diff --git a/recipes/common/initialization-scripts.yml b/recipes/common/initialization-scripts.yml
deleted file mode 100644
index 79e27aa..0000000
--- a/recipes/common/initialization-scripts.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-type: script
-scripts:
- - createautostartdir.sh
\ No newline at end of file
diff --git a/recipes/common/kinoite-files.yml b/recipes/common/kinoite-files.yml
deleted file mode 100644
index f530208..0000000
--- a/recipes/common/kinoite-files.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-type: files
-files:
- - source: system/kinoite
- destination: /
\ No newline at end of file
diff --git a/recipes/common/kinoite-modules.yml b/recipes/common/kinoite-modules.yml
new file mode 100644
index 0000000..cdfb8ab
--- /dev/null
+++ b/recipes/common/kinoite-modules.yml
@@ -0,0 +1,12 @@
+modules:
+ - type: rpm-ostree
+ remove:
+ - kde-connect
+ - kde-connect-libs
+ - kdeconnectd
+ - fedora-chromium-config-kde
+ - fuse-encfs
+ - type: files
+ files:
+ - source: system/kinoite
+ destination: /
\ No newline at end of file
diff --git a/recipes/common/kinoite-packages.yml b/recipes/common/kinoite-packages.yml
deleted file mode 100644
index 2d79d81..0000000
--- a/recipes/common/kinoite-packages.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-type: rpm-ostree
-remove:
- - kde-connect
- - kde-connect-libs
- - kdeconnectd
- - fedora-chromium-config-kde
- - fuse-encfs
\ No newline at end of file
diff --git a/recipes/common/non-rechunked-scripts.yml b/recipes/common/non-rechunked-scripts.yml
deleted file mode 100644
index 8a61ff9..0000000
--- a/recipes/common/non-rechunked-scripts.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-type: script
-scripts:
- - hardencontainerpolicy.sh
diff --git a/recipes/common/nvidia-modules.yml b/recipes/common/nvidia-modules.yml
new file mode 100644
index 0000000..5f9e66d
--- /dev/null
+++ b/recipes/common/nvidia-modules.yml
@@ -0,0 +1,13 @@
+modules:
+ - type: containerfile
+ snippets:
+ - COPY --from=ghcr.io/ublue-os/akmods-nvidia:main-40 /rpms /tmp/rpms
+ - RUN find /tmp/rpms
+ - RUN rpm-ostree install /tmp/rpms/ublue-os/ublue-os-nvidia*.rpm
+ - RUN sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
+ - RUN rpm-ostree install /tmp/rpms/kmods/kmod-nvidia*.rpm nvidia-container-toolkit xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda nvidia-vaapi-driver
+ - type: script
+ scripts:
+ - installnvidiatoolkitpolicy.sh
+ - setearlyloading.sh
+ - setdrmvariables.sh
\ No newline at end of file
diff --git a/recipes/common/nvidia-open-modules.yml b/recipes/common/nvidia-open-modules.yml
new file mode 100644
index 0000000..50e6e8d
--- /dev/null
+++ b/recipes/common/nvidia-open-modules.yml
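Review bot: The `sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}'` snippet in nvidia-modules.yml exits 0 whether or not it changed anything and flips only the first `enabled=0` in the file, so a change in the layout of nvidia-container-toolkit.repo would surface later as an unrelated-looking install failure or as a different repo section being enabled than intended. Making the assumption explicit, e.g. `RUN grep -q 'enabled=0' /etc/yum.repos.d/nvidia-container-toolkit.repo && sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo`, fails the build at the right step. It is also worth confirming that this third-party repo has `gpgcheck=1` and that removeunusedrepos.sh disables it again in the final image; neither is visible in this diff. The same snippets are repeated in nvidia-open-modules.yml, nvidia-open-server-modules.yml and nvidia-server-modules.yml, which differ only in the source image and package list, so a fix has to be applied in all four places.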
@@ -0,0 +1,13 @@
+modules:
+ - type: containerfile
+ snippets:
+ - COPY --from=ghcr.io/ublue-os/akmods-nvidia-open:main-40 /rpms /tmp/rpms
+ - RUN find /tmp/rpms
+ - RUN rpm-ostree install /tmp/rpms/ublue-os/ublue-os-nvidia*.rpm
+ - RUN sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
+ - RUN rpm-ostree install /tmp/rpms/kmods/kmod-nvidia*.rpm nvidia-container-toolkit xorg-x11-drv-nvidia xorg-x11-drv-nvidia-cuda nvidia-vaapi-driver
+ - type: script
+ scripts:
+ - installnvidiatoolkitpolicy.sh
+ - setearlyloading.sh
+ - setdrmvariables.sh
\ No newline at end of file
diff --git a/recipes/common/nvidia-open-server-modules.yml b/recipes/common/nvidia-open-server-modules.yml
new file mode 100644
index 0000000..356bf2a
--- /dev/null
+++ b/recipes/common/nvidia-open-server-modules.yml
@@ -0,0 +1,13 @@
+modules:
+ - type: containerfile
+ snippets:
+ - COPY --from=ghcr.io/ublue-os/akmods-nvidia-open:coreos-testing-40 /rpms /tmp/rpms
+ - RUN find /tmp/rpms
+ - RUN rpm-ostree install /tmp/rpms/ucore/ublue-os-ucore-nvidia*.rpm
+ - RUN sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
+ - RUN rpm-ostree install /tmp/rpms/kmods/kmod-nvidia*.rpm nvidia-container-toolkit
+ - type: script
+ scripts:
+ - installnvidiatoolkitpolicy.sh
+ - setearlyloading.sh
+ - setdrmvariables.sh
\ No newline at end of file
diff --git a/recipes/common/nvidia-server-modules.yml b/recipes/common/nvidia-server-modules.yml
new file mode 100644
index 0000000..26aa40b
--- /dev/null
+++ b/recipes/common/nvidia-server-modules.yml
@@ -0,0 +1,13 @@
+modules:
+ - type: containerfile
+ snippets:
+ - COPY --from=ghcr.io/ublue-os/akmods-nvidia:coreos-testing-40 /rpms /tmp/rpms
+ - RUN find /tmp/rpms
+ - RUN rpm-ostree install /tmp/rpms/ucore/ublue-os-ucore-nvidia*.rpm
+ - RUN sed -i '0,/enabled=0/{s/enabled=0/enabled=1/}' /etc/yum.repos.d/nvidia-container-toolkit.repo
+ - RUN rpm-ostree install /tmp/rpms/kmods/kmod-nvidia*.rpm nvidia-container-toolkit
+ - type: script
+ scripts:
+ - installnvidiatoolkitpolicy.sh
+ - setearlyloading.sh
+ - setdrmvariables.sh
\ No newline at end of file
diff --git a/recipes/common/proprietary-packages.yml b/recipes/common/proprietary-packages.yml
new file mode 100644
index 0000000..7773ae4
--- /dev/null
+++ b/recipes/common/proprietary-packages.yml
@@ -0,0 +1,28 @@
+type: rpm-ostree
+install:
+ - libheif-freeworld
+ - libheif-tools
+ - intel-media-driver
+ - gstreamer1-plugin-libav
+ - gstreamer1-plugins-bad-free-extras
+ - gstreamer1-plugins-bad-freeworld
+ - gstreamer1-plugins-ugly
+ - gstreamer1-vaapi
+ - ffmpeg
+ - ffmpeg-libs
+ - ffmpegthumbnailer
+ - pipewire-codec-aptx
+ - mesa-va-drivers-freeworld
+ - fdk-aac
+remove:
+ - fdk-aac-free
+ - mesa-va-drivers
+ - ffmpeg-free
+ - libavcodec-free
+ - libavdevice-free
+ - libavfilter-free
+ - libavformat-free
+ - libavutil-free
+ - libpostproc-free
+ - libswresample-free
+ - libswscale-free
\ No newline at end of file
diff --git a/recipes/common/rechunked-scripts.yml b/recipes/common/rechunked-scripts.yml
deleted file mode 100644
index e005ea7..0000000
--- a/recipes/common/rechunked-scripts.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-type: script
-scripts:
- - hardenrechunkedcontainerpolicy.sh
- - usehardenedmalloclight.sh
\ No newline at end of file
diff --git a/recipes/common/remove-firefox.yml b/recipes/common/remove-firefox.yml
deleted file mode 100644
index 8f358c6..0000000
--- a/recipes/common/remove-firefox.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-type: rpm-ostree
-remove:
- - firefox
- - firefox-langpacks
-
-
-
-
-
diff --git a/recipes/common/server-files.yml b/recipes/common/server-files.yml
deleted file mode 100644
index a9a6f6b..0000000
--- a/recipes/common/server-files.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-type: files
-files:
- - source: system/server
- destination: /
\ No newline at end of file
diff --git a/recipes/common/server-modules.yml b/recipes/common/server-modules.yml
new file mode 100644
index 0000000..f407085
--- /dev/null
+++ b/recipes/common/server-modules.yml
@@ -0,0 +1,29 @@
+modules:
+ - type: containerfile
+ snippets:
+ - COPY --from=ghcr.io/ublue-os/akmods:coreos-testing-40 /rpms /tmp/rpms
+ - RUN find /tmp/rpms
+ - RUN rpm-ostree install /tmp/rpms/ucore/ublue-os-ucore-addons*.rpm
+ - type: containerfile
+ snippets:
+ - COPY --from=ghcr.io/ublue-os/coreos-testing-kernel:40 /tmp/rpms /tmp/rpms/kernel
+ - type: script
+ scripts:
+ - installsignedkernel.sh
+ - type: rpm-ostree
+ install:
+ - setools-console
+ - usbguard
+ - firewalld
+ - policycoreutils-python-utils
+
+ - type: files
+ files:
+ - source: system/server
+ destination: /
+ - type: script
+ scripts:
+ - addtailscalerepo.sh
+ - type: script
+ scripts:
+ - excludepcsc.sh
\ No newline at end of file
diff --git a/recipes/common/server-packages.yml b/recipes/common/server-packages.yml
deleted file mode 100644
index f5ecb0a..0000000
--- a/recipes/common/server-packages.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-type: rpm-ostree
-install:
- - setools-console
- - usbguard
-
-
-
-
-
-
diff --git a/recipes/common/silverblue-modules.yml b/recipes/common/silverblue-modules.yml
new file mode 100644
index 0000000..860a632
--- /dev/null
+++ b/recipes/common/silverblue-modules.yml
@@ -0,0 +1,25 @@
+modules:
+ - type: rpm-ostree
+ install:
+ - firewall-config
+ - gnome-disk-utility
+ - adw-gtk3-theme
+ - gnome-epub-thumbnailer
+ - gnome-tweaks
+ remove:
+ - gnome-tour
+ - yelp
+ - gnome-user-share
+ - mod_lua
+ - httpd
+ - httpd-core
+ - mod_http2
+ - mod_dnssd
+ - gnome-remote-desktop
+ - libvncserver
+ - malcontent-ui-libs
+ - malcontent-control
+ - fedora-chromium-config-gnome
+ - type: gschema-overrides
+ include:
+ - zz1-secureblue.gschema.override
\ No newline at end of file
diff --git a/recipes/common/silverblue-packages.yml b/recipes/common/silverblue-packages.yml
deleted file mode 100644
index 83bb8a4..0000000
--- a/recipes/common/silverblue-packages.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-type: rpm-ostree
-remove:
- - gnome-tour
\ No newline at end of file
diff --git a/recipes/common/userns-packages.yml b/recipes/common/userns-packages.yml
new file mode 100644
index 0000000..dfdac4e
--- /dev/null
+++ b/recipes/common/userns-packages.yml
@@ -0,0 +1,3 @@
+type: rpm-ostree
+install:
+ - distrobox
\ No newline at end of file
diff --git a/recipes/common/zfs-modules.yml b/recipes/common/zfs-modules.yml
new file mode 100644
index 0000000..7e91fff
--- /dev/null
+++ b/recipes/common/zfs-modules.yml
@@ -0,0 +1,9 @@
+modules:
+ - type: containerfile
+ snippets:
+ - COPY --from=ghcr.io/ublue-os/akmods-zfs:coreos-testing-40 /rpms /tmp/rpms
+ - RUN find /tmp/rpms
+ - RUN rpm-ostree install pv /tmp/rpms/kmods/zfs/*.rpm /tmp/rpms/kmods/zfs/other/zfs-dracut-*.rpm
+ - type: script
+ scripts:
+ - excludezfs.sh
\ No newline at end of file
diff --git a/recipes/general/recipe-aurora-dx-main-userns.yml b/recipes/general/recipe-aurora-dx-main-userns.yml
deleted file mode 100644
index e2cd194..0000000
--- a/recipes/general/recipe-aurora-dx-main-userns.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: aurora-dx-main-userns-hardened
-
-description: "Aurora-dx main with some hardening applied"
-
-base-image: ghcr.io/ublue-os/aurora-dx
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/dx-packages.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/aurora-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/bluefin-scripts.yml
- - from-file: common/kinoite-files.yml
- - from-file: common/common-files.yml
- - from-file: common/dx-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/rechunked-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
diff --git a/recipes/general/recipe-aurora-dx-nvidia-userns.yml b/recipes/general/recipe-aurora-dx-nvidia-userns.yml
deleted file mode 100644
index 81d097a..0000000
--- a/recipes/general/recipe-aurora-dx-nvidia-userns.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: aurora-dx-nvidia-userns-hardened
-
-description: "Aurora-dx nvidia with some hardening applied"
-
-base-image: ghcr.io/ublue-os/aurora-dx-nvidia
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/dx-packages.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/aurora-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/bluefin-scripts.yml
- - from-file: common/kinoite-files.yml
- - from-file: common/common-files.yml
- - from-file: common/dx-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/rechunked-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
diff --git a/recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml b/recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml
deleted file mode 100644
index 4e00e86..0000000
--- a/recipes/general/recipe-aurora-dx-surface-nvidia-userns.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: aurora-dx-surface-nvidia-userns-hardened
-
-description: "Aurora-dx surface nvidia with some hardening applied"
-
-base-image: ghcr.io/ublue-os/aurora-dx-surface-nvidia
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/dx-packages.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/aurora-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/bluefin-scripts.yml
- - from-file: common/kinoite-files.yml
- - from-file: common/common-files.yml
- - from-file: common/dx-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/rechunked-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
diff --git a/recipes/general/recipe-aurora-dx-surface-userns.yml b/recipes/general/recipe-aurora-dx-surface-userns.yml
deleted file mode 100644
index a7b5fd3..0000000
--- a/recipes/general/recipe-aurora-dx-surface-userns.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: aurora-dx-surface-userns-hardened
-
-description: "Aurora-dx surface with some hardening applied"
-
-base-image: ghcr.io/ublue-os/aurora-dx-surface
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/dx-packages.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/aurora-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/bluefin-scripts.yml
- - from-file: common/kinoite-files.yml
- - from-file: common/common-files.yml
- - from-file: common/dx-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/rechunked-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
diff --git a/recipes/general/recipe-aurora-main-userns.yml b/recipes/general/recipe-aurora-main-userns.yml
deleted file mode 100644
index bf2a765..0000000
--- a/recipes/general/recipe-aurora-main-userns.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: aurora-main-userns-hardened
-
-description: "Aurora main with some hardening applied"
-
-base-image: ghcr.io/ublue-os/aurora
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/aurora-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/bluefin-scripts.yml
- - from-file: common/kinoite-files.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/rechunked-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
diff --git a/recipes/general/recipe-aurora-main.yml b/recipes/general/recipe-aurora-main.yml
deleted file mode 100644
index 2d4076c..0000000
--- a/recipes/general/recipe-aurora-main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: aurora-main-hardened
-
-description: "Aurora main with some hardening applied"
-
-base-image: ghcr.io/ublue-os/aurora
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/aurora-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/disableuserns-packages.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/bluefin-scripts.yml
- - from-file: common/kinoite-files.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - from-file: common/rechunked-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
diff --git a/recipes/general/recipe-aurora-nvidia-userns.yml b/recipes/general/recipe-aurora-nvidia-userns.yml
deleted file mode 100644
index 3a0d08a..0000000
--- a/recipes/general/recipe-aurora-nvidia-userns.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: aurora-nvidia-userns-hardened
-
-description: "Aurora nvidia with some hardening applied"
-
-base-image: ghcr.io/ublue-os/aurora-nvidia
-
-image-version: 40
-
-modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/kinoite-packages.yml
- - from-file: common/aurora-packages.yml
- - from-file: common/gui-packages.yml
- - from-file: common/common-packages.yml
- - from-file: common/gui-scripts.yml
- - from-file: common/bluefin-scripts.yml
- - from-file: common/kinoite-files.yml
- - from-file: common/common-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/rechunked-scripts.yml
- - type: secureblue-signing
- - type: yafti
- - from-file: common/common-brew.yml
diff --git a/recipes/general/recipe-aurora-nvidia.yml b/recipes/general/recipe-aurora-nvidia.yml
deleted file mode 100644
index d7797c6..0000000
--- a/recipes/general/recipe-aurora-nvidia.yml
+++ /dev/null
@@ -1,25 +0,0 @@ -name: aurora-nvidia-hardened - -description: "Aurora nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/general/recipe-aurora-surface-nvidia-userns.yml b/recipes/general/recipe-aurora-surface-nvidia-userns.yml deleted file mode 100644 index ea69c41..0000000 --- a/recipes/general/recipe-aurora-surface-nvidia-userns.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: aurora-surface-nvidia-userns-hardened - -description: "Aurora surface nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-surface-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/general/recipe-aurora-surface-nvidia.yml b/recipes/general/recipe-aurora-surface-nvidia.yml deleted file mode 100644 index 42504d7..0000000 
--- a/recipes/general/recipe-aurora-surface-nvidia.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: aurora-surface-nvidia-hardened - -description: "Aurora surface nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-surface-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/general/recipe-aurora-surface-userns.yml b/recipes/general/recipe-aurora-surface-userns.yml deleted file mode 100644 index 34a0193..0000000 --- a/recipes/general/recipe-aurora-surface-userns.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: aurora-surface-userns-hardened - -description: "Aurora surface with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-surface - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml 
diff --git a/recipes/general/recipe-aurora-surface.yml b/recipes/general/recipe-aurora-surface.yml deleted file mode 100644 index 084a17f..0000000 --- a/recipes/general/recipe-aurora-surface.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: aurora-surface-hardened - -description: "Aurora surface with some hardening applied" - -base-image: ghcr.io/ublue-os/aurora-surface - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/aurora-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml diff --git a/recipes/general/recipe-bluefin-dx-main-userns.yml b/recipes/general/recipe-bluefin-dx-main-userns.yml deleted file mode 100644 index 8efb1b3..0000000 --- a/recipes/general/recipe-bluefin-dx-main-userns.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: bluefin-dx-main-userns-hardened - -description: "Bluefin-dx main with some hardening applied" - -base-image: ghcr.io/ublue-os/bluefin-dx - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/dx-packages.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/bluefin-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/common-files.yml - - from-file: common/dx-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file diff --git a/recipes/general/recipe-bluefin-dx-nvidia-userns.yml b/recipes/general/recipe-bluefin-dx-nvidia-userns.yml deleted file mode 100644 index 9afb3e2..0000000 --- a/recipes/general/recipe-bluefin-dx-nvidia-userns.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: bluefin-dx-nvidia-userns-hardened - -description: "Bluefin-dx nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/bluefin-dx-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/dx-packages.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/bluefin-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/common-files.yml - - from-file: common/dx-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file 
diff --git a/recipes/general/recipe-bluefin-main-userns.yml b/recipes/general/recipe-bluefin-main-userns.yml deleted file mode 100644 index 84a0092..0000000 --- a/recipes/general/recipe-bluefin-main-userns.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: bluefin-main-userns-hardened - -description: "Bluefin main with some hardening applied" - -base-image: ghcr.io/ublue-os/bluefin - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/bluefin-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file diff --git a/recipes/general/recipe-bluefin-main.yml b/recipes/general/recipe-bluefin-main.yml deleted file mode 100644 index a01a576..0000000 --- a/recipes/general/recipe-bluefin-main.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: bluefin-main-hardened - -description: "Bluefin main with some hardening applied" - -base-image: ghcr.io/ublue-os/bluefin - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/bluefin-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file diff --git a/recipes/general/recipe-bluefin-nvidia-userns.yml b/recipes/general/recipe-bluefin-nvidia-userns.yml deleted file mode 100644 index 590d19b..0000000 --- a/recipes/general/recipe-bluefin-nvidia-userns.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: bluefin-nvidia-userns-hardened - -description: "Bluefin nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/bluefin-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/bluefin-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file 
diff --git a/recipes/general/recipe-bluefin-nvidia.yml b/recipes/general/recipe-bluefin-nvidia.yml deleted file mode 100644 index b43e94e..0000000 --- a/recipes/general/recipe-bluefin-nvidia.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: bluefin-nvidia-hardened - -description: "Bluefin nvidia with some hardening applied" - -base-image: ghcr.io/ublue-os/bluefin-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/bluefin-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/bluefin-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - from-file: common/rechunked-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file diff --git a/recipes/general/recipe-cinnamon-main-userns.yml b/recipes/general/recipe-cinnamon-main-userns.yml deleted file mode 100644 index 166127b..0000000 --- a/recipes/general/recipe-cinnamon-main-userns.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: cinnamon-main-userns-hardened - -description: "Cinnamon main with some hardening applied" - -base-image: ghcr.io/legacy-images/cinnamon-main - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/gui-scripts.yml - - from-file: common/cinnamon-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file 
diff --git a/recipes/general/recipe-cinnamon-main.yml b/recipes/general/recipe-cinnamon-main.yml deleted file mode 100644 index 3f651d6..0000000 --- a/recipes/general/recipe-cinnamon-main.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: cinnamon-main-hardened - -description: "Cinnamon main with some hardening applied" - -base-image: ghcr.io/legacy-images/cinnamon-main - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/cinnamon-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file diff --git a/recipes/general/recipe-cinnamon-nvidia-userns.yml b/recipes/general/recipe-cinnamon-nvidia-userns.yml deleted file mode 100644 index 8b9d5ed..0000000 --- a/recipes/general/recipe-cinnamon-nvidia-userns.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: cinnamon-nvidia-userns-hardened - -description: "Cinnamon nvidia with some hardening applied" - -base-image: ghcr.io/legacy-images/cinnamon-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/gui-scripts.yml - - from-file: common/cinnamon-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file diff --git a/recipes/general/recipe-cinnamon-nvidia.yml b/recipes/general/recipe-cinnamon-nvidia.yml deleted file mode 100644 index 4faa94a..0000000 
--- a/recipes/general/recipe-cinnamon-nvidia.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: cinnamon-nvidia-hardened - -description: "Cinnamon nvidia with some hardening applied" - -base-image: ghcr.io/legacy-images/cinnamon-nvidia - -image-version: 40 - -modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/cinnamon-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file diff --git a/recipes/general/recipe-cosmic-main-userns.yml b/recipes/general/recipe-cosmic-main-userns.yml index da358e2..6682b61 100644 --- a/recipes/general/recipe-cosmic-main-userns.yml +++ b/recipes/general/recipe-cosmic-main-userns.yml 
@@ -1,20 +1,15 @@ name: cosmic-main-userns-hardened -description: "Cosmic main with some hardening applied" +description: "Cosmic with userns, hardened" -base-image: ghcr.io/ublue-os/cosmic +base-image: quay.io/fedora-ostree-desktops/cosmic-atomic -image-version: 40 +image-version: 41 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/cosmic-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml diff --git a/recipes/general/recipe-cosmic-main.yml b/recipes/general/recipe-cosmic-main.yml index f4630af..b9967e4 100644 --- a/recipes/general/recipe-cosmic-main.yml +++ b/recipes/general/recipe-cosmic-main.yml 
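Review bot: The `- type: secureblue-signing` entry is removed from the `modules:` list of recipe-cosmic-main-userns.yml, and none of the six `from-file` includes that replace the list shows where the signing step now lives. If it moved into `common/final-modules.yml` (not visible in this hunk), a comment above that include, such as `# final-modules.yml carries the secureblue-signing module`, would let a reader confirm from the recipe alone that the signing setup is still applied. The same removal recurs in every rewritten recipe in this patch (cosmic, kinoite, sericea, silverblue), so one check of the shared file covers them all.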
@@ -1,22 +1,15 @@ name: cosmic-main-hardened -description: "Cosmic main with some hardening applied" +description: "Cosmic, hardened" -base-image: ghcr.io/ublue-os/cosmic +base-image: quay.io/fedora-ostree-desktops/cosmic-atomic -image-version: 40 +image-version: 41 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/cosmic-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml diff --git a/recipes/general/recipe-cosmic-nvidia-open-userns.yml b/recipes/general/recipe-cosmic-nvidia-open-userns.yml new file mode 100644 index 0000000..2101e90 --- /dev/null +++ b/recipes/general/recipe-cosmic-nvidia-open-userns.yml @@ -0,0 +1,16 @@ +name: cosmic-nvidia-open-userns-hardened + +description: "Cosmic with nvidia-open and userns, hardened" + +base-image: quay.io/fedora-ostree-desktops/cosmic-atomic + +image-version: 41 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-open-modules-41.yml + - from-file: common/cosmic-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml diff --git a/recipes/general/recipe-cosmic-nvidia-open.yml b/recipes/general/recipe-cosmic-nvidia-open.yml new file mode 100644 index 0000000..279ed67 --- /dev/null 
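Review bot: `base-image` in recipe-cosmic-main.yml now points at `quay.io/fedora-ostree-desktops/cosmic-atomic` instead of `ghcr.io/ublue-os/cosmic`, so the image's root of trust changes registry and publisher, and the base is still selected only by the tag in `image-version: 41`. Nothing in the hunk says how the pulled base is authenticated at build time. The diffstat lists changes to `files/scripts/hardencontainerpolicy.sh`, but that file is outside this hunk, so whether it has any bearing on the new registry cannot be confirmed here. Please record what verifies the base (a signature policy or a pinned digest) in the description or in a recipe comment, e.g. `# base verified by: <mechanism>`. The same switch is made in the other cosmic, kinoite, sericea and silverblue recipes in this patch.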
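Review bot: The include `common/nvidia-open-modules-41.yml` in the new recipe-cosmic-nvidia-open-userns.yml encodes the release number in its file name, while `image-version: 41` is set separately and nothing ties the two together. The kinoite and sericea nvidia-open recipes added later in this patch use the unsuffixed `common/nvidia-open-modules.yml` with `image-version: 40`, so bumping one value without the other would presumably install driver modules meant for a different release. A comment on the include, `# must match image-version (41)`, would make the coupling explicit. The same applies to recipe-cosmic-nvidia-open.yml and to `common/nvidia-modules-41.yml` in the two cosmic-nvidia recipes.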
+++ b/recipes/general/recipe-cosmic-nvidia-open.yml @@ -0,0 +1,16 @@ +name: cosmic-nvidia-open-hardened + +description: "Cosmic with nvidia-open, hardened" + +base-image: quay.io/fedora-ostree-desktops/cosmic-atomic + +image-version: 41 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-open-modules-41.yml + - from-file: common/cosmic-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml diff --git a/recipes/general/recipe-cosmic-nvidia-userns.yml b/recipes/general/recipe-cosmic-nvidia-userns.yml index c726fcf..01bcc5b 100644 --- a/recipes/general/recipe-cosmic-nvidia-userns.yml +++ b/recipes/general/recipe-cosmic-nvidia-userns.yml @@ -1,20 +1,16 @@ name: cosmic-nvidia-userns-hardened -description: "Cosmic nvidia with some hardening applied" +description: "Cosmic with nvidia and userns, hardened" -base-image: ghcr.io/ublue-os/cosmic-nvidia +base-image: quay.io/fedora-ostree-desktops/cosmic-atomic -image-version: 40 +image-version: 41 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-modules-41.yml + - from-file: common/cosmic-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml diff --git a/recipes/general/recipe-cosmic-nvidia.yml b/recipes/general/recipe-cosmic-nvidia.yml index 8f538b1..a3ebc45 100644 
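Review bot: In recipe-cosmic-nvidia-userns.yml the base changes from `ghcr.io/ublue-os/cosmic-nvidia` to the plain `quay.io/fedora-ostree-desktops/cosmic-atomic`, so the NVIDIA driver is presumably no longer inherited from the base image and has to come from `common/nvidia-modules-41.yml`. That file is not part of this hunk, so neither the source of the driver packages nor whether their kernel modules are signed for the shipped kernel can be checked from here. The diffstat does list `files/scripts/installsignedkernel.sh` and `files/scripts/installrpmfusion.sh`, which may be the relevant pieces. A comment on the include naming where the driver comes from, e.g. `# driver from <repo>; kmods signed by <key>`, would make the provenance reviewable. The same applies to recipe-cosmic-nvidia.yml and to the kinoite and sericea nvidia recipes.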
--- a/recipes/general/recipe-cosmic-nvidia.yml +++ b/recipes/general/recipe-cosmic-nvidia.yml @@ -1,22 +1,16 @@ name: cosmic-nvidia-hardened -description: "Cosmic nvidia with some hardening applied" +description: "Cosmic with nvidia, hardened" -base-image: ghcr.io/ublue-os/cosmic-nvidia +base-image: quay.io/fedora-ostree-desktops/cosmic-atomic -image-version: 40 +image-version: 41 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-modules-41.yml + - from-file: common/cosmic-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml diff --git a/recipes/general/recipe-kinoite-main-userns.yml b/recipes/general/recipe-kinoite-main-userns.yml index 759b40e..a35a7c8 100644 --- a/recipes/general/recipe-kinoite-main-userns.yml +++ b/recipes/general/recipe-kinoite-main-userns.yml 
@@ -1,22 +1,15 @@ name: kinoite-main-userns-hardened -description: "Kinoite main with some hardening applied" +description: "Kinoite with userns, hardened" -base-image: ghcr.io/ublue-os/kinoite-main +base-image: quay.io/fedora-ostree-desktops/kinoite image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/kinoite-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-kinoite-main.yml b/recipes/general/recipe-kinoite-main.yml index 1edd67b..3830dd6 100644 --- a/recipes/general/recipe-kinoite-main.yml +++ b/recipes/general/recipe-kinoite-main.yml 
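Review bot: The include order differs between desktops: recipe-kinoite-main-userns.yml lists `common/kinoite-modules.yml` before `common/desktop-modules.yml`, while the cosmic recipes earlier in this patch list `common/desktop-modules.yml` first and `common/cosmic-modules.yml` after it. The comment this patch removes from the silverblue recipes states that modules are executed in order, so the difference can change the resulting image if the desktop-specific file removes or overrides anything the generic one sets up. If the ordering is intentional, a comment such as `# kinoite-modules must run before desktop-modules because <reason>` would record why; otherwise one order across all recipes is easier to audit.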
@@ -1,24 +1,15 @@ name: kinoite-main-hardened -description: "Kinoite main with some hardening applied" +description: "Kinoite, hardened" -base-image: ghcr.io/ublue-os/kinoite-main +base-image: quay.io/fedora-ostree-desktops/kinoite image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/kinoite-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-kinoite-nvidia-open-userns.yml b/recipes/general/recipe-kinoite-nvidia-open-userns.yml new file mode 100644 index 0000000..b98b01f --- /dev/null +++ b/recipes/general/recipe-kinoite-nvidia-open-userns.yml @@ -0,0 +1,16 @@ +name: kinoite-nvidia-open-userns-hardened + +description: "Kinoite with nvidia-open and userns, hardened" + +base-image: quay.io/fedora-ostree-desktops/kinoite + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/kinoite-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-open-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file 
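Review bot: The only line separating recipe-kinoite-main.yml from recipe-kinoite-main-userns.yml is now `common/disableuserns-modules.yml` versus `common/userns-packages.yml`, and the recipe no longer indicates what security property that line controls. Since the old pair `disableuserns-packages.yml` and `disableuserns-scripts.yml` is folded into a single include, a comment like `# disables unprivileged user namespaces; the -userns variant omits this` would keep the hardening difference visible where the variant is chosen. That wording is inferred from the file names only, because the included files are not shown in this hunk, so please adjust it to what `disableuserns-modules.yml` actually does.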
diff --git a/recipes/general/recipe-kinoite-nvidia-open.yml b/recipes/general/recipe-kinoite-nvidia-open.yml new file mode 100644 index 0000000..28a3656 --- /dev/null +++ b/recipes/general/recipe-kinoite-nvidia-open.yml @@ -0,0 +1,16 @@ +name: kinoite-nvidia-open-hardened + +description: "Kinoite with nvidia-open, hardened" + +base-image: quay.io/fedora-ostree-desktops/kinoite + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/kinoite-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-open-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-kinoite-nvidia-userns.yml b/recipes/general/recipe-kinoite-nvidia-userns.yml index f17fc2a..e3e3887 100644 --- a/recipes/general/recipe-kinoite-nvidia-userns.yml +++ b/recipes/general/recipe-kinoite-nvidia-userns.yml 
@@ -1,22 +1,16 @@ name: kinoite-nvidia-userns-hardened -description: "Kinoite nvidia with some hardening applied" +description: "Kinoite with nvidia and userns, hardened" -base-image: ghcr.io/ublue-os/kinoite-nvidia +base-image: quay.io/fedora-ostree-desktops/kinoite image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/kinoite-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-kinoite-nvidia.yml b/recipes/general/recipe-kinoite-nvidia.yml index 6e1d622..0cf2786 100644 --- a/recipes/general/recipe-kinoite-nvidia.yml +++ b/recipes/general/recipe-kinoite-nvidia.yml 
@@ -1,24 +1,16 @@ name: kinoite-nvidia-hardened -description: "Kinoite nvidia with some hardening applied" +description: "Kinoite with nvidia, hardened" -base-image: ghcr.io/ublue-os/kinoite-nvidia +base-image: quay.io/fedora-ostree-desktops/kinoite image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/kinoite-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/kinoite-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/kinoite-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-sericea-main-userns.yml b/recipes/general/recipe-sericea-main-userns.yml index 3718731..d1485c0 100644 --- a/recipes/general/recipe-sericea-main-userns.yml +++ b/recipes/general/recipe-sericea-main-userns.yml 
@@ -1,20 +1,14 @@ name: sericea-main-userns-hardened -description: "sericea main with some hardening applied" +description: "Sericea with userns, hardened" -base-image: ghcr.io/ublue-os/sericea-main +base-image: quay.io/fedora-ostree-desktops/sericea image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml diff --git a/recipes/general/recipe-sericea-main.yml b/recipes/general/recipe-sericea-main.yml index 869ac21..dbda6d8 100644 --- a/recipes/general/recipe-sericea-main.yml +++ b/recipes/general/recipe-sericea-main.yml 
@@ -1,22 +1,14 @@ name: sericea-main-hardened -description: "sericea main with some hardening applied" +description: "Sericea, hardened" -base-image: ghcr.io/ublue-os/sericea-main +base-image: quay.io/fedora-ostree-desktops/sericea image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml diff --git a/recipes/general/recipe-sericea-nvidia-open-userns.yml b/recipes/general/recipe-sericea-nvidia-open-userns.yml new file mode 100644 index 0000000..cbbda78 --- /dev/null +++ b/recipes/general/recipe-sericea-nvidia-open-userns.yml @@ -0,0 +1,18 @@ +name: sericea-nvidia-open-userns-hardened + +description: "Sericea with userns and nvidia-open, hardened" + +base-image: quay.io/fedora-ostree-desktops/sericea + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-open-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml + - type: script + scripts: + - setswaynvidiaenvironment.sh diff --git a/recipes/general/recipe-sericea-nvidia-open.yml b/recipes/general/recipe-sericea-nvidia-open.yml new file mode 100644 index 0000000..be27e49 --- /dev/null 
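Review bot: In the new recipe-sericea-nvidia-open-userns.yml the `type: script` module running `setswaynvidiaenvironment.sh` is placed after `common/final-modules.yml`, so it executes after whatever that file treats as the last build steps. If final-modules.yml regenerates the initramfs, applies the signing setup or removes repositories, changes made by this script would land after those steps. The diffstat adds `regenerateinitramfs.sh` and `removeunusedrepos.sh`, but their placement is not visible here. Consider moving the script entry above the `final-modules.yml` include, or add a comment stating why it must run last. The same placement is used in recipe-sericea-nvidia-open.yml, recipe-sericea-nvidia-userns.yml and recipe-sericea-nvidia.yml.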
+++ b/recipes/general/recipe-sericea-nvidia-open.yml @@ -0,0 +1,18 @@ +name: sericea-nvidia-open-hardened + +description: "Sericea with nvidia-open, hardened" + +base-image: quay.io/fedora-ostree-desktops/sericea + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-open-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml + - type: script + scripts: + - setswaynvidiaenvironment.sh diff --git a/recipes/general/recipe-sericea-nvidia-userns.yml b/recipes/general/recipe-sericea-nvidia-userns.yml index d26a961..0107ac6 100644 --- a/recipes/general/recipe-sericea-nvidia-userns.yml +++ b/recipes/general/recipe-sericea-nvidia-userns.yml @@ -1,20 +1,18 @@ name: sericea-nvidia-userns-hardened -description: "sericea nvidia with some hardening applied" +description: "Sericea with nvidia and userns, hardened" -base-image: ghcr.io/ublue-os/sericea-nvidia +base-image: quay.io/fedora-ostree-desktops/sericea image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml + - type: script + scripts: + - setswaynvidiaenvironment.sh 
diff --git a/recipes/general/recipe-sericea-nvidia.yml b/recipes/general/recipe-sericea-nvidia.yml index 35b2347..3d88476 100644 --- a/recipes/general/recipe-sericea-nvidia.yml +++ b/recipes/general/recipe-sericea-nvidia.yml @@ -1,22 +1,18 @@ name: sericea-nvidia-hardened -description: "sericea nvidia with some hardening applied" +description: "Sericea with nvidia, hardened" -base-image: ghcr.io/ublue-os/sericea-nvidia +base-image: quay.io/fedora-ostree-desktops/sericea image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml + - type: script + scripts: + - setswaynvidiaenvironment.sh diff --git a/recipes/general/recipe-silverblue-main-userns.yml b/recipes/general/recipe-silverblue-main-userns.yml index 0d0518b..f58d719 100644 --- a/recipes/general/recipe-silverblue-main-userns.yml +++ b/recipes/general/recipe-silverblue-main-userns.yml 
@@ -1,25 +1,15 @@ name: silverblue-main-userns-hardened -description: "Silverblue main with some hardening applied" +description: "Silverblue with userns, hardened" -base-image: ghcr.io/ublue-os/silverblue-main +base-image: quay.io/fedora-ostree-desktops/silverblue image-version: 40 -# module configuration, executed in order -# you can include multiple instances of the same module modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/silverblue-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/silverblue-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-silverblue-main.yml b/recipes/general/recipe-silverblue-main.yml index d72ec5f..7bda178 100644 --- a/recipes/general/recipe-silverblue-main.yml +++ b/recipes/general/recipe-silverblue-main.yml 
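Review bot: recipe-silverblue-main-userns.yml differs from the non-userns recipe only by listing `common/userns-packages.yml` in place of `common/disableuserns-modules.yml`, and nothing in the file says what that costs in hardening. Judging by the names, this variant leaves unprivileged user namespaces enabled, which is a security-relevant choice a reader should not have to infer from a filename. I would add a comment above that entry, for example `# userns variant: disableuserns-modules.yml is intentionally not applied`, and consider naming the two includes symmetrically (`-packages` versus `-modules`). The hunk also removes `# module configuration, executed in order`; keeping that line would help, because the order of these includes matters. This applies to every `-userns` recipe in the commit.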
@@ -1,27 +1,15 @@ name: silverblue-main-hardened -description: "Silverblue main with some hardening applied" +description: "Silverblue, hardened" -base-image: ghcr.io/ublue-os/silverblue-main +base-image: quay.io/fedora-ostree-desktops/silverblue image-version: 40 -# module configuration, executed in order -# you can include multiple instances of the same module modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/silverblue-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/silverblue-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-silverblue-nvidia-open-userns.yml b/recipes/general/recipe-silverblue-nvidia-open-userns.yml new file mode 100644 index 0000000..ede91cd --- /dev/null +++ b/recipes/general/recipe-silverblue-nvidia-open-userns.yml 
@@ -0,0 +1,16 @@
+name: silverblue-nvidia-open-userns-hardened
+
+description: "Silverblue with nvidia-open and userns, hardened"
+
+base-image: quay.io/fedora-ostree-desktops/silverblue
+
+image-version: 40
+
+modules:
+ - from-file: common/common-modules.yml
+ - from-file: common/silverblue-modules.yml
+ - from-file: common/desktop-modules.yml
+ - from-file: common/nvidia-open-modules.yml
+ - from-file: common/proprietary-packages.yml
+ - from-file: common/userns-packages.yml
+ - from-file: common/final-modules.yml
\ No newline at end of file
diff --git a/recipes/general/recipe-silverblue-nvidia-open.yml b/recipes/general/recipe-silverblue-nvidia-open.yml
new file mode 100644
index 0000000..da9405e
--- /dev/null
+++ b/recipes/general/recipe-silverblue-nvidia-open.yml
@@ -0,0 +1,16 @@
+name: silverblue-nvidia-open-hardened
+
+description: "Silverblue with nvidia-open, hardened"
+
+base-image: quay.io/fedora-ostree-desktops/silverblue
+
+image-version: 40
+
+modules:
+ - from-file: common/common-modules.yml
+ - from-file: common/silverblue-modules.yml
+ - from-file: common/desktop-modules.yml
+ - from-file: common/nvidia-open-modules.yml
+ - from-file: common/proprietary-packages.yml
+ - from-file: common/disableuserns-modules.yml
+ - from-file: common/final-modules.yml
\ No newline at end of file
diff --git a/recipes/general/recipe-silverblue-nvidia-userns.yml b/recipes/general/recipe-silverblue-nvidia-userns.yml
index a44a350..3207861 100644
--- a/recipes/general/recipe-silverblue-nvidia-userns.yml
+++ b/recipes/general/recipe-silverblue-nvidia-userns.yml
@@ -1,23 +1,16 @@ name: silverblue-nvidia-userns-hardened -description: "Silverblue nvidia with some hardening applied" +description: "Silverblue with nvidia and userns, hardened" -base-image: ghcr.io/ublue-os/silverblue-nvidia +base-image: quay.io/fedora-ostree-desktops/silverblue image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/silverblue-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/silverblue-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-silverblue-nvidia.yml b/recipes/general/recipe-silverblue-nvidia.yml index e8ba175..7a61265 100644 --- a/recipes/general/recipe-silverblue-nvidia.yml +++ b/recipes/general/recipe-silverblue-nvidia.yml 
@@ -1,25 +1,16 @@ name: silverblue-nvidia-hardened -description: "Silverblue nvidia with some hardening applied" +description: "Silverblue with nvidia, hardened" -base-image: ghcr.io/ublue-os/silverblue-nvidia +base-image: quay.io/fedora-ostree-desktops/silverblue image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gnome-packages.yml - - from-file: common/disable-gnome-extensions.yml - - from-file: common/silverblue-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/silverblue-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/nvidia-modules.yml + - from-file: common/proprietary-packages.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-hyprland-main-userns.yml b/recipes/general/recipe-wayblue-hyprland-main-userns.yml index ecd5135..b1839dc 100644 --- a/recipes/general/recipe-wayblue-hyprland-main-userns.yml +++ b/recipes/general/recipe-wayblue-hyprland-main-userns.yml 
@@ -1,20 +1,13 @@ name: wayblue-hyprland-main-userns-hardened -description: "wayblue hyprland main with some hardening applied" +description: "wayblue hyprland main with userns, hardened" base-image: ghcr.io/wayblueorg/hyprland image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-hyprland-main.yml b/recipes/general/recipe-wayblue-hyprland-main.yml index 71bed6e..59baf22 100644 --- a/recipes/general/recipe-wayblue-hyprland-main.yml +++ b/recipes/general/recipe-wayblue-hyprland-main.yml 
@@ -1,22 +1,13 @@ name: wayblue-hyprland-main-hardened -description: "wayblue hyprland main with some hardening applied" +description: "wayblue hyprland main, hardened" base-image: ghcr.io/wayblueorg/hyprland image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-hyprland-nvidia-open-userns.yml b/recipes/general/recipe-wayblue-hyprland-nvidia-open-userns.yml new file mode 100644 index 0000000..35137a7 --- /dev/null +++ b/recipes/general/recipe-wayblue-hyprland-nvidia-open-userns.yml @@ -0,0 +1,13 @@ +name: wayblue-hyprland-nvidia-open-userns-hardened + +description: "wayblue hyprland nvidia-open with userns, hardened" + +base-image: ghcr.io/wayblueorg/hyprland-nvidia-open + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-hyprland-nvidia-open.yml b/recipes/general/recipe-wayblue-hyprland-nvidia-open.yml new file mode 100644 index 0000000..3507fa7 --- /dev/null +++ b/recipes/general/recipe-wayblue-hyprland-nvidia-open.yml 
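Review bot: The new recipe-wayblue-hyprland-nvidia-open-userns.yml gets its driver from the prebuilt base `ghcr.io/wayblueorg/hyprland-nvidia-open` and lists neither `common/nvidia-open-modules.yml` nor `common/proprietary-packages.yml`, while the silverblue and sericea nvidia-open recipes in this commit layer those onto a plain Fedora base. That gives the nvidia-open images two different provenance paths for kernel-module code, and the recipe does not say which one applies or why. I would document it above `base-image:`, for example `# driver is provided by the wayblue base image; nvidia-open-modules.yml is not applied here`. It is also worth confirming that the build treats this third-party base with the same verification as the Fedora ones. The same holds for the other wayblue `-nvidia-open` recipes added by this commit.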
@@ -0,0 +1,13 @@ +name: wayblue-hyprland-nvidia-open-hardened + +description: "wayblue hyprland nvidia-open, hardened" + +base-image: ghcr.io/wayblueorg/hyprland-nvidia-open + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-hyprland-nvidia-userns.yml b/recipes/general/recipe-wayblue-hyprland-nvidia-userns.yml index 3efe46c..1a5e3c2 100644 --- a/recipes/general/recipe-wayblue-hyprland-nvidia-userns.yml +++ b/recipes/general/recipe-wayblue-hyprland-nvidia-userns.yml @@ -1,20 +1,13 @@ name: wayblue-hyprland-nvidia-userns-hardened -description: "wayblue hyprland nvidia with some hardening applied" +description: "wayblue hyprland nvidia with userns, hardened" base-image: ghcr.io/wayblueorg/hyprland-nvidia image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-hyprland-nvidia.yml b/recipes/general/recipe-wayblue-hyprland-nvidia.yml index f1fe8c5..e2a3900 100644 --- a/recipes/general/recipe-wayblue-hyprland-nvidia.yml +++ b/recipes/general/recipe-wayblue-hyprland-nvidia.yml 
@@ -1,22 +1,13 @@ name: wayblue-hyprland-nvidia-hardened -description: "wayblue hyprland nvidia with some hardening applied" +description: "wayblue hyprland nvidia, hardened" base-image: ghcr.io/wayblueorg/hyprland-nvidia image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-river-main-userns.yml b/recipes/general/recipe-wayblue-river-main-userns.yml index 018845b..574a814 100644 --- a/recipes/general/recipe-wayblue-river-main-userns.yml +++ b/recipes/general/recipe-wayblue-river-main-userns.yml 
@@ -1,20 +1,13 @@ name: wayblue-river-main-userns-hardened -description: "wayblue river main with some hardening applied" +description: "wayblue river main with userns, hardened" base-image: ghcr.io/wayblueorg/river image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-river-main.yml b/recipes/general/recipe-wayblue-river-main.yml index 24a2f33..0109904 100644 --- a/recipes/general/recipe-wayblue-river-main.yml +++ b/recipes/general/recipe-wayblue-river-main.yml 
@@ -1,22 +1,13 @@ name: wayblue-river-main-hardened -description: "wayblue river main with some hardening applied" +description: "wayblue river main, hardened" base-image: ghcr.io/wayblueorg/river image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-river-nvidia-open-userns.yml b/recipes/general/recipe-wayblue-river-nvidia-open-userns.yml new file mode 100644 index 0000000..8bb40a0 --- /dev/null +++ b/recipes/general/recipe-wayblue-river-nvidia-open-userns.yml @@ -0,0 +1,13 @@ +name: wayblue-river-nvidia-open-userns-hardened + +description: "wayblue river nvidia-open with userns, hardened" + +base-image: ghcr.io/wayblueorg/river-nvidia-open + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-river-nvidia-open.yml b/recipes/general/recipe-wayblue-river-nvidia-open.yml new file mode 100644 index 0000000..430dcc6 --- /dev/null +++ b/recipes/general/recipe-wayblue-river-nvidia-open.yml 
@@ -0,0 +1,13 @@ +name: wayblue-river-nvidia-open-hardened + +description: "wayblue river nvidia-open, hardened" + +base-image: ghcr.io/wayblueorg/river-nvidia-open + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-river-nvidia-userns.yml b/recipes/general/recipe-wayblue-river-nvidia-userns.yml index 0af2e41..eb26067 100644 --- a/recipes/general/recipe-wayblue-river-nvidia-userns.yml +++ b/recipes/general/recipe-wayblue-river-nvidia-userns.yml @@ -1,20 +1,13 @@ name: wayblue-river-nvidia-userns-hardened -description: "wayblue river nvidia with some hardening applied" +description: "wayblue river nvidia with userns, hardened" base-image: ghcr.io/wayblueorg/river-nvidia image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-river-nvidia.yml b/recipes/general/recipe-wayblue-river-nvidia.yml index e87071d..76d66a2 100644 --- a/recipes/general/recipe-wayblue-river-nvidia.yml +++ b/recipes/general/recipe-wayblue-river-nvidia.yml 
@@ -1,22 +1,13 @@ name: wayblue-river-nvidia-hardened -description: "wayblue river nvidia with some hardening applied" +description: "wayblue river nvidia, hardened" base-image: ghcr.io/wayblueorg/river-nvidia image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-sway-main-userns.yml b/recipes/general/recipe-wayblue-sway-main-userns.yml index 1bc19a1..1e21fe0 100644 --- a/recipes/general/recipe-wayblue-sway-main-userns.yml +++ b/recipes/general/recipe-wayblue-sway-main-userns.yml 
@@ -1,20 +1,13 @@ name: wayblue-sway-main-userns-hardened -description: "wayblue sway main with some hardening applied" +description: "wayblue sway main with userns, hardened" base-image: ghcr.io/wayblueorg/sway image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-sway-main.yml b/recipes/general/recipe-wayblue-sway-main.yml index d35330f..4300348 100644 --- a/recipes/general/recipe-wayblue-sway-main.yml +++ b/recipes/general/recipe-wayblue-sway-main.yml 
@@ -1,22 +1,13 @@ name: wayblue-sway-main-hardened -description: "wayblue sway main with some hardening applied" +description: "wayblue sway main, hardened" base-image: ghcr.io/wayblueorg/sway image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-sway-nvidia-open-userns.yml b/recipes/general/recipe-wayblue-sway-nvidia-open-userns.yml new file mode 100644 index 0000000..4ffce67 --- /dev/null +++ b/recipes/general/recipe-wayblue-sway-nvidia-open-userns.yml @@ -0,0 +1,13 @@ +name: wayblue-sway-nvidia-open-userns-hardened + +description: "wayblue sway nvidia-open with userns, hardened" + +base-image: ghcr.io/wayblueorg/sway-nvidia-open + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-sway-nvidia-open.yml b/recipes/general/recipe-wayblue-sway-nvidia-open.yml new file mode 100644 index 0000000..1c2e0ae --- /dev/null +++ b/recipes/general/recipe-wayblue-sway-nvidia-open.yml 
@@ -0,0 +1,13 @@ +name: wayblue-sway-nvidia-open-hardened + +description: "wayblue sway nvidia-open, hardened" + +base-image: ghcr.io/wayblueorg/sway-nvidia-open + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-sway-nvidia-userns.yml b/recipes/general/recipe-wayblue-sway-nvidia-userns.yml index 9042437..4a1909e 100644 --- a/recipes/general/recipe-wayblue-sway-nvidia-userns.yml +++ b/recipes/general/recipe-wayblue-sway-nvidia-userns.yml @@ -1,20 +1,13 @@ name: wayblue-sway-nvidia-userns-hardened -description: "wayblue sway nvidia with some hardening applied" +description: "wayblue sway nvidia with userns, hardened" base-image: ghcr.io/wayblueorg/sway-nvidia image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-sway-nvidia.yml b/recipes/general/recipe-wayblue-sway-nvidia.yml index f059d30..ccc9ab3 100644 --- a/recipes/general/recipe-wayblue-sway-nvidia.yml +++ b/recipes/general/recipe-wayblue-sway-nvidia.yml 
@@ -1,22 +1,13 @@ name: wayblue-sway-nvidia-hardened -description: "wayblue sway nvidia with some hardening applied" +description: "wayblue sway nvidia, hardened" base-image: ghcr.io/wayblueorg/sway-nvidia image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-wayfire-main-userns.yml b/recipes/general/recipe-wayblue-wayfire-main-userns.yml index 3fc9e9c..4715bd8 100644 --- a/recipes/general/recipe-wayblue-wayfire-main-userns.yml +++ b/recipes/general/recipe-wayblue-wayfire-main-userns.yml 
@@ -1,21 +1,14 @@ name: wayblue-wayfire-main-userns-hardened -description: "wayblue wayfire main with some hardening applied" +description: "wayblue wayfire main with userns, hardened" base-image: ghcr.io/wayblueorg/wayfire image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml - from-file: common/wayfire-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-wayfire-main.yml b/recipes/general/recipe-wayblue-wayfire-main.yml index 650f01c..aad4684 100644 --- a/recipes/general/recipe-wayblue-wayfire-main.yml +++ b/recipes/general/recipe-wayblue-wayfire-main.yml 
@@ -1,23 +1,14 @@ name: wayblue-wayfire-main-hardened -description: "wayblue wayfire main with some hardening applied" +description: "wayblue wayfire main, hardened" base-image: ghcr.io/wayblueorg/wayfire image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml - from-file: common/wayfire-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-wayfire-nvidia-open-userns.yml b/recipes/general/recipe-wayblue-wayfire-nvidia-open-userns.yml new file mode 100644 index 0000000..d4c6c52 --- /dev/null +++ b/recipes/general/recipe-wayblue-wayfire-nvidia-open-userns.yml @@ -0,0 +1,14 @@ +name: wayblue-wayfire-nvidia-open-userns-hardened + +description: "wayblue wayfire nvidia-open with userns, hardened" + +base-image: ghcr.io/wayblueorg/wayfire-nvidia-open + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml + - from-file: common/wayfire-scripts.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-wayfire-nvidia-open.yml b/recipes/general/recipe-wayblue-wayfire-nvidia-open.yml new file mode 100644 index 0000000..55319b8 --- /dev/null +++ b/recipes/general/recipe-wayblue-wayfire-nvidia-open.yml 
@@ -0,0 +1,14 @@ +name: wayblue-wayfire-nvidia-open-hardened + +description: "wayblue wayfire nvidia-open, hardened" + +base-image: ghcr.io/wayblueorg/wayfire-nvidia-open + +image-version: 40 + +modules: + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml + - from-file: common/wayfire-scripts.yml + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-wayfire-nvidia-userns.yml b/recipes/general/recipe-wayblue-wayfire-nvidia-userns.yml index 328a181..771cab5 100644 --- a/recipes/general/recipe-wayblue-wayfire-nvidia-userns.yml +++ b/recipes/general/recipe-wayblue-wayfire-nvidia-userns.yml @@ -1,21 +1,14 @@ name: wayblue-wayfire-nvidia-userns-hardened -description: "wayblue wayfire nvidia with some hardening applied" +description: "wayblue wayfire nvidia with userns, hardened" base-image: ghcr.io/wayblueorg/wayfire-nvidia image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/userns-packages.yml - from-file: common/wayfire-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/general/recipe-wayblue-wayfire-nvidia.yml b/recipes/general/recipe-wayblue-wayfire-nvidia.yml index cb1d159..af7e6de 100644 --- a/recipes/general/recipe-wayblue-wayfire-nvidia.yml +++ b/recipes/general/recipe-wayblue-wayfire-nvidia.yml 
@@ -1,23 +1,14 @@ name: wayblue-wayfire-nvidia-hardened -description: "wayblue wayfire nvidia with some hardening applied" +description: "wayblue wayfire nvidia, hardened" base-image: ghcr.io/wayblueorg/wayfire-nvidia image-version: 40 modules: - - from-file: common/initialization-scripts.yml - - from-file: common/disableuserns-packages.yml - - from-file: common/gui-packages.yml - - from-file: common/common-packages.yml - - from-file: common/non-rechunked-scripts.yml - - from-file: common/remove-firefox.yml - - from-file: common/gui-scripts.yml + - from-file: common/common-modules.yml + - from-file: common/desktop-modules.yml + - from-file: common/disableuserns-modules.yml - from-file: common/wayfire-scripts.yml - - from-file: common/common-files.yml - - from-file: common/common-scripts.yml - - from-file: common/disableuserns-scripts.yml - - type: secureblue-signing - - type: yafti - - from-file: common/common-brew.yml \ No newline at end of file + - from-file: common/final-modules.yml \ No newline at end of file diff --git a/recipes/securecore/recipe-securecore-main-userns.yml b/recipes/securecore/recipe-securecore-main-userns.yml index 6125547..46d9442 100644 --- a/recipes/securecore/recipe-securecore-main-userns.yml +++ b/recipes/securecore/recipe-securecore-main-userns.yml 
@@ -1,18 +1,13 @@
 name: securecore-main-userns-hardened
-description: "coreos with some hardening applied"
+description: "CoreOS with userns, hardened"
-base-image: ghcr.io/secureblue/coreos
+base-image: quay.io/fedora/fedora-coreos
 image-version: testing
 modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/server-packages.yml
- - from-file: common/common-files.yml
- - from-file: common/server-files.yml
- - from-file: common/common-scripts.yml
- - type: secureblue-signing
- - from-file: common/common-brew.yml
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/userns-packages.yml
+ - from-file: common/final-modules.yml
diff --git a/recipes/securecore/recipe-securecore-main.yml b/recipes/securecore/recipe-securecore-main.yml
index c6772a5..965fb1d 100644
--- a/recipes/securecore/recipe-securecore-main.yml
+++ b/recipes/securecore/recipe-securecore-main.yml
@@ -1,19 +1,13 @@
 name: securecore-main-hardened
-description: "coreos with some hardening applied"
+description: "CoreOS, hardened"
-base-image: ghcr.io/secureblue/coreos
+base-image: quay.io/fedora/fedora-coreos
 image-version: testing
 modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/server-packages.yml
- - from-file: common/common-files.yml
- - from-file: common/server-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - type: secureblue-signing
- - from-file: common/common-brew.yml
\ No newline at end of file
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/disableuserns-modules.yml
+ - from-file: common/final-modules.yml
\ No newline at end of file
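Review bot: The base image in recipe-securecore-main-userns.yml is resolved through the mutable `testing` tag of upstream `quay.io/fedora/fedora-coreos`, so two builds of the same commit can start from different base contents. The hunk does not show whether the build verifies the base image's signature or records the digest it resolved. If it does neither, that check belongs in the build workflow rather than in trust of the tag. I would at least state the expectation next to the key with a comment such as `# upstream Fedora CoreOS testing stream; tag is mutable, verify the image before building on it`. The same switch appears in the recipe-securecore-main.yml hunk on this line and in the other securecore recipes in this commit.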
diff --git a/recipes/securecore/recipe-securecore-nvidia-open-userns.yml b/recipes/securecore/recipe-securecore-nvidia-open-userns.yml
new file mode 100644
index 0000000..dc20895
--- /dev/null
+++ b/recipes/securecore/recipe-securecore-nvidia-open-userns.yml
@@ -0,0 +1,14 @@
+name: securecore-nvidia-open-userns-hardened
+
+description: "CoreOS with nvidia-open and userns, hardened"
+
+base-image: quay.io/fedora/fedora-coreos
+
+image-version: testing
+
+modules:
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/nvidia-open-server-modules.yml
+ - from-file: common/userns-packages.yml
+ - from-file: common/final-modules.yml
diff --git a/recipes/securecore/recipe-securecore-nvidia-open.yml b/recipes/securecore/recipe-securecore-nvidia-open.yml
new file mode 100644
index 0000000..d6e1019
--- /dev/null
+++ b/recipes/securecore/recipe-securecore-nvidia-open.yml
@@ -0,0 +1,14 @@
+name: securecore-nvidia-open-hardened
+
+description: "CoreOS with nvidia-open, hardened"
+
+base-image: quay.io/fedora/fedora-coreos
+
+image-version: testing
+
+modules:
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/nvidia-open-server-modules.yml
+ - from-file: common/disableuserns-modules.yml
+ - from-file: common/final-modules.yml
\ No newline at end of file
diff --git a/recipes/securecore/recipe-securecore-nvidia-userns.yml b/recipes/securecore/recipe-securecore-nvidia-userns.yml
index b2f1d6e..e8255d8 100644
--- a/recipes/securecore/recipe-securecore-nvidia-userns.yml
+++ b/recipes/securecore/recipe-securecore-nvidia-userns.yml
@@ -1,18 +1,14 @@
 name: securecore-nvidia-userns-hardened
-description: "coreos nvidia with some hardening applied"
+description: "CoreOS with nvidia and userns, hardened"
-base-image: ghcr.io/secureblue/coreos
+base-image: quay.io/fedora/fedora-coreos
-image-version: testing-nvidia
+image-version: testing
 modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/server-packages.yml
- - from-file: common/common-files.yml
- - from-file: common/server-files.yml
- - from-file: common/common-scripts.yml
- - type: secureblue-signing
- - from-file: common/common-brew.yml
\ No newline at end of file
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/nvidia-server-modules.yml
+ - from-file: common/userns-packages.yml
+ - from-file: common/final-modules.yml
diff --git a/recipes/securecore/recipe-securecore-nvidia.yml b/recipes/securecore/recipe-securecore-nvidia.yml
index b0629a4..67e293d 100644
--- a/recipes/securecore/recipe-securecore-nvidia.yml
+++ b/recipes/securecore/recipe-securecore-nvidia.yml
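Review bot: The source of the NVIDIA kernel module is no longer visible from recipe-securecore-nvidia-userns.yml. `image-version` goes from `testing-nvidia` to plain `testing`, so the driver is presumably installed during this build by `common/nvidia-server-modules.yml`, which is outside the hunk. For a hardened image the origin of out-of-tree kernel modules matters: which repository they come from and whether they are signed for the kernel that ships. A short comment on that entry, for example `# nvidia kmod and userspace come from <repository placeholder>; see common/nvidia-server-modules.yml`, would make the dependency reviewable. The `testing-zfs` and `testing-nvidia-zfs` tags are replaced the same way in the zfs recipes, where `common/zfs-modules.yml` appears to take over.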
@@ -1,19 +1,14 @@
 name: securecore-nvidia-hardened
-description: "coreos nvidia with some hardening applied"
+description: "CoreOS with nvidia, hardened"
-base-image: ghcr.io/secureblue/coreos
+base-image: quay.io/fedora/fedora-coreos
-image-version: testing-nvidia
+image-version: testing
 modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/server-packages.yml
- - from-file: common/common-files.yml
- - from-file: common/server-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - type: secureblue-signing
- - from-file: common/common-brew.yml
\ No newline at end of file
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/nvidia-server-modules.yml
+ - from-file: common/disableuserns-modules.yml
+ - from-file: common/final-modules.yml
\ No newline at end of file
diff --git a/recipes/securecore/recipe-securecore-zfs-main-userns.yml b/recipes/securecore/recipe-securecore-zfs-main-userns.yml
index 3432ee6..b582a6e 100644
--- a/recipes/securecore/recipe-securecore-zfs-main-userns.yml
+++ b/recipes/securecore/recipe-securecore-zfs-main-userns.yml
@@ -1,18 +1,14 @@
 name: securecore-zfs-main-userns-hardened
-description: "coreos zfs with some hardening applied"
+description: "CoreOS with zfs and userns, hardened"
-base-image: ghcr.io/secureblue/coreos
+base-image: quay.io/fedora/fedora-coreos
-image-version: testing-zfs
+image-version: testing
 modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/server-packages.yml
- - from-file: common/common-files.yml
- - from-file: common/server-files.yml
- - from-file: common/common-scripts.yml
- - type: secureblue-signing
- - from-file: common/common-brew.yml
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/userns-packages.yml
+ - from-file: common/zfs-modules.yml
+ - from-file: common/final-modules.yml
diff --git a/recipes/securecore/recipe-securecore-zfs-main.yml b/recipes/securecore/recipe-securecore-zfs-main.yml
index 63eec68..9c77103 100644
--- a/recipes/securecore/recipe-securecore-zfs-main.yml
+++ b/recipes/securecore/recipe-securecore-zfs-main.yml
@@ -1,19 +1,14 @@
 name: securecore-zfs-main-hardened
-description: "coreos zfs with some hardening applied"
+description: "CoreOS with zfs, hardened"
-base-image: ghcr.io/secureblue/coreos
+base-image: quay.io/fedora/fedora-coreos
-image-version: testing-zfs
+image-version: testing
 modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/server-packages.yml
- - from-file: common/common-files.yml
- - from-file: common/server-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - type: secureblue-signing
- - from-file: common/common-brew.yml
\ No newline at end of file
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/disableuserns-modules.yml
+ - from-file: common/zfs-modules.yml
+ - from-file: common/final-modules.yml
diff --git a/recipes/securecore/recipe-securecore-zfs-nvidia-open-userns.yml b/recipes/securecore/recipe-securecore-zfs-nvidia-open-userns.yml
new file mode 100644
index 0000000..92fa9bd
--- /dev/null
+++ b/recipes/securecore/recipe-securecore-zfs-nvidia-open-userns.yml
@@ -0,0 +1,15 @@
+name: securecore-zfs-nvidia-open-userns-hardened
+
+description: "CoreOS with nvidia-open, userns, and zfs, hardened"
+
+base-image: quay.io/fedora/fedora-coreos
+
+image-version: testing
+
+modules:
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/nvidia-open-server-modules.yml
+ - from-file: common/userns-packages.yml
+ - from-file: common/zfs-modules.yml
+ - from-file: common/final-modules.yml
diff --git a/recipes/securecore/recipe-securecore-zfs-nvidia-open.yml b/recipes/securecore/recipe-securecore-zfs-nvidia-open.yml
new file mode 100644
index 0000000..413791c
--- /dev/null
+++ b/recipes/securecore/recipe-securecore-zfs-nvidia-open.yml
@@ -0,0 +1,15 @@
+name: securecore-zfs-nvidia-open-hardened
+
+description: "CoreOS with nvidia-open and zfs, hardened"
+
+base-image: quay.io/fedora/fedora-coreos
+
+image-version: testing
+
+modules:
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/nvidia-open-server-modules.yml
+ - from-file: common/disableuserns-modules.yml
+ - from-file: common/zfs-modules.yml
+ - from-file: common/final-modules.yml
diff --git a/recipes/securecore/recipe-securecore-zfs-nvidia-userns.yml b/recipes/securecore/recipe-securecore-zfs-nvidia-userns.yml
index af9dd13..38d3f31 100644
--- a/recipes/securecore/recipe-securecore-zfs-nvidia-userns.yml
+++ b/recipes/securecore/recipe-securecore-zfs-nvidia-userns.yml
@@ -1,18 +1,15 @@
 name: securecore-zfs-nvidia-userns-hardened
-description: "coreos zfs nvidia with some hardening applied"
+description: "CoreOS with nvidia, userns, and zfs, hardened"
-base-image: ghcr.io/secureblue/coreos
+base-image: quay.io/fedora/fedora-coreos
-image-version: testing-nvidia-zfs
+image-version: testing
 modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/server-packages.yml
- - from-file: common/common-files.yml
- - from-file: common/server-files.yml
- - from-file: common/common-scripts.yml
- - type: secureblue-signing
- - from-file: common/common-brew.yml
\ No newline at end of file
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/nvidia-server-modules.yml
+ - from-file: common/userns-packages.yml
+ - from-file: common/zfs-modules.yml
+ - from-file: common/final-modules.yml
diff --git a/recipes/securecore/recipe-securecore-zfs-nvidia.yml b/recipes/securecore/recipe-securecore-zfs-nvidia.yml
index 4aa1915..12c0859 100644
--- a/recipes/securecore/recipe-securecore-zfs-nvidia.yml
+++ b/recipes/securecore/recipe-securecore-zfs-nvidia.yml
@@ -1,19 +1,15 @@
 name: securecore-zfs-nvidia-hardened
-description: "coreos zfs nvidia with some hardening applied"
+description: "CoreOS with nvidia and zfs, hardened"
-base-image: ghcr.io/secureblue/coreos
+base-image: quay.io/fedora/fedora-coreos
-image-version: testing-nvidia-zfs
+image-version: testing
 modules:
- - from-file: common/initialization-scripts.yml
- - from-file: common/common-packages.yml
- - from-file: common/non-rechunked-scripts.yml
- - from-file: common/server-packages.yml
- - from-file: common/common-files.yml
- - from-file: common/server-files.yml
- - from-file: common/common-scripts.yml
- - from-file: common/disableuserns-scripts.yml
- - type: secureblue-signing
- - from-file: common/common-brew.yml
\ No newline at end of file
+ - from-file: common/common-modules.yml
+ - from-file: common/server-modules.yml
+ - from-file: common/nvidia-server-modules.yml
+ - from-file: common/disableuserns-modules.yml
+ - from-file: common/zfs-modules.yml
+ - from-file: common/final-modules.yml