Add back yafti and include various new steps, including kernel and flatpak hardening automation

This commit is contained in:
qoijjj
2023-11-30 21:13:11 -08:00
parent 719016a526
commit f559a983f7
7 changed files with 53 additions and 80 deletions


@@ -80,14 +80,9 @@ To rebase an existing Silverblue/Kinoite installation to the latest build:
```
systemctl reboot
```
### Post-install
The following command is available to append kernel boot parameters that apply additional hardening (reboot required):
```
just set-kargs-hardening
```
#### Nvidia
If you are using an nvidia image, run this after installation:


@@ -1,37 +1,45 @@
title: Welcome to uBlue
title: Welcome to secureblue!
properties:
mode: "run-on-change"
screens:
first-screen:
source: yafti.screen.title
values:
title: "Welcome to uBlue (Alpha)"
title: "Welcome to secureblue!"
icon: "/path/to/icon"
description: |
This guided installer will help you get started with your new system.
can-we-harden-your-kargs:
source: yafti.screen.consent
values:
title: Kernel hardening
description: |
This step will enable additional kernel hardening. You must run this manually, since it requires sudo. Run "just set-kargs-hardening" in a terminal, then click accept.
actions:
- run: just set-kargs-hardening
can-we-harden-your-flatpaks:
source: yafti.screen.consent
values:
title: Flatpak hardening
description: |
This step will enable hardening for installed flatpaks.
actions:
- run: flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
can-we-modify-your-flatpaks:
source: yafti.screen.consent
values:
title: Welcome, Traveler!
condition:
run: flatpak remotes --columns=name | grep fedora
title: Flathub setup
description: |
We have detected the limited, Fedora-provided Flatpak remote on your system, whose applications are usually missing important codecs and other features. This step will therefore remove all basic Fedora Flatpaks from your system! We will instead switch all core Flatpak applications over to the vastly superior, unfiltered Flathub. If you don't want to do this, simply exit this installer.
This step will therefore remove all basic Fedora Flatpaks from your system and replace it with Flathub's verified repository. It will also disable the system flatpaks in favor of user flatpaks.
actions:
- run: flatpak remote-delete --system --force fedora
- run: flatpak remote-delete --user --force fedora
- run: flatpak remove --system --noninteractive --all
- run: flatpak remote-add --if-not-exists --user flathub https://flathub.org/repo/flathub.flatpakrepo
check-user-flathub:
source: yafti.screen.consent
values:
title: Missing Flathub Repository (User)
condition:
run: flatpak remotes --user --columns=name | grep flathub | wc -l | grep '^0$'
description: |
We have detected that you don't have Flathub's repository on your current user account. We will now add that repository to your account.
actions:
- run: flatpak remote-add --if-not-exists --user flathub https://flathub.org/repo/flathub.flatpakrepo
- run: flatpak remote-add --if-not-exists --user --subset=verified flathub-verified https://flathub.org/repo/flathub.flatpakrepo
applications:
source: yafti.screen.package
values:
@@ -39,8 +47,8 @@ screens:
show_terminal: true
package_manager: yafti.plugin.flatpak
package_manager_defaults:
user: false
system: true
user: true
system: false
groups:
Core GNOME Apps:
description: Core system applications for the GNOME desktop environment.
@@ -66,55 +74,18 @@ screens:
- Text Editor: org.gnome.TextEditor
- Videos (Player): org.gnome.Totem
- Weather: org.gnome.Weather
Core KDE Plasma Apps:
description: Core system applications for the KDE Plasma desktop environment.
default: false
packages:
- Gwenview: org.kde.gwenview
System Apps:
description: System applications for all desktop environments.
default: false
default: true
packages:
- Deja Dup Backups: org.gnome.DejaDup
- Fedora Media Writer: org.fedoraproject.MediaWriter
- Flatseal (Permission Manager): com.github.tchx84.Flatseal
- Font Downloader: org.gustavoperedo.FontDownloader
- Mozilla Firefox: org.mozilla.firefox
Web Browsers:
description: Additional browsers to complement or replace Firefox.
default: false
packages:
- Brave: com.brave.Browser
- GNOME Web: org.gnome.Epiphany
- Google Chrome: com.google.Chrome
- Microsoft Edge: com.microsoft.Edge
- Opera: com.opera.Opera
Gaming:
description: "Rock and Stone!"
default: false
packages:
- Bottles: com.usebottles.bottles
- Discord: com.discordapp.Discord
- Heroic Games Launcher: com.heroicgameslauncher.hgl
- Steam: com.valvesoftware.Steam
- Gamescope (Utility): org.freedesktop.Platform.VulkanLayer.gamescope
- MangoHUD (Utility): org.freedesktop.Platform.VulkanLayer.MangoHud//22.08
- SteamTinkerLaunch (Utility): com.valvesoftware.Steam.Utility.steamtinkerlaunch
- Proton Updater for Steam: net.davidotek.pupgui2
Office:
description: Boost your productivity.
default: false
packages:
- LibreOffice: org.libreoffice.LibreOffice
- OnlyOffice: org.onlyoffice.desktopeditors
- Obsidian: md.obsidian.Obsidian
- Slack: com.slack.Slack
- Standard Notes: org.standardnotes.standardnotes
- Thunderbird Email: org.mozilla.Thunderbird
Streaming:
description: Stream to the Internet.
default: false
packages:
- OBS Studio: com.obsproject.Studio
- VkCapture for OBS: com.obsproject.Studio.OBSVkCapture
- Gstreamer for OBS: com.obsproject.Studio.Plugin.Gstreamer
- Gstreamer VAAPI for OBS: com.obsproject.Studio.Plugin.GStreamerVaapi
- Boatswain for Streamdeck: com.feaneron.Boatswain
final-screen:
source: yafti.screen.title
@@ -122,11 +93,7 @@ screens:
title: "All done!"
icon: "/path/to/icon"
links:
- "Install More Applications":
run: /usr/bin/gnome-software
- "Website":
run: /usr/bin/xdg-open https://ublue.it
- "Join the Discord Community":
run: /usr/bin/xdg-open https://discord.gg/XjG48C7VHx
run: /usr/bin/xdg-open https://github.com/secureblue/secureblue
description: |
Thanks for trying uBlue, we hope you enjoy it!
Thanks for trying secureblue, we hope you enjoy it!
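Review bot: The `can-we-harden-your-flatpaks` action on the `flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=...` line inlines the exact command the justfile gains as `harden-flatpak`; use `- run: just harden-flatpak` here, as the kernel screen already does with `just set-kargs-hardening`, so the two copies cannot drift apart. The screen's description also says only that it "will enable hardening", while the override is global to every user Flatpak and grants each of them read-only access to the host OS tree to make the preload possible — a consent screen is where that trade-off should be stated, e.g. `This grants all user Flatpaks read-only access to the host OS so the host's hardened_malloc can be preloaded via LD_PRELOAD.` The kernel-hardening screen has a similar tension: its description tells the user to run `just set-kargs-hardening` manually because it needs sudo, yet its `actions:` entry runs the same command, so either the action or that sentence should go.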


@@ -3,3 +3,6 @@
# Add additional boot parameters for hardening (requires reboot)
set-kargs-hardening:
rpm-ostree kargs --append="init_on_alloc=1" --append="init_on_free=1" --append="slab_nomerge" --append="page_alloc.shuffle=1" --append="randomize_kstack_offset=on" --append="vsyscall=none" --append="debugfs=off" --append="lockdown=confidentiality" --append="random.trust_cpu=off" --append="random.trust_bootloader=off" --append="intel_iommu=on" --append="amd_iommu=on" --append="efi=disable_early_pci_dma" --append="iommu.passthrough=0" --append="iommu.strict=1" --append="nvme_core.default_ps_max_latency_us=0" --append="mitigations=auto,nosmt"
harden-flatpak:
flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
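Review bot: `rpm-ostree kargs --append=` in `set-kargs-hardening` is not idempotent: each invocation appends another copy of every argument, and this recipe is now reachable from the README, the justfile and the yafti consent screen, so a user who follows more than one of those paths ends up with duplicated kernel arguments. Changing each `--append=` to `--append-if-missing=` keeps the recipe safe to re-run. `harden-flatpak` also lacks the explanatory comment its sibling recipe has; a line such as `# Global user-flatpak override: read-only host OS access so the host's hardened_malloc can be LD_PRELOADed` above it would match the file's style.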


@@ -18,4 +18,6 @@ modules:
- from-file: common-packages.yml
- from-file: common-bling.yml
- from-file: common-scripts.yml
- from-file: common-scripts.yml
- type: yafti


@@ -18,4 +18,6 @@ modules:
- from-file: common-packages.yml
- from-file: common-bling.yml
- from-file: common-scripts.yml
- from-file: common-scripts.yml
- type: yafti


@@ -18,4 +18,6 @@ modules:
- from-file: common-packages.yml
- from-file: common-bling.yml
- from-file: common-scripts.yml
- from-file: common-scripts.yml
- type: yafti


@@ -18,4 +18,6 @@ modules:
- from-file: common-packages.yml
- from-file: common-bling.yml
- from-file: common-scripts.yml
- from-file: common-scripts.yml
- type: yafti