Skip to content

A Fedora Silverblue image that has been hardened for extra security

License

Notifications You must be signed in to change notification settings

aguslr/bluerock

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

76 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

build-image

A Fedora Silverblue image that has been hardened for extra security.

Usage

  1. Rebase to an unsigned image to get proper signing keys:

    rpm-ostree rebase -r ostree-unverified-registry:ghcr.io/aguslr/bluerock:stable
    
  2. Rebase to a signed image to finish the installation:

    rpm-ostree rebase -r ostree-image-signed:docker://ghcr.io/aguslr/bluerock:stable
    

Alternatively, an ISO file for offline installation can be generated with the following command:

sudo podman run --rm --privileged \
    --volume .:/build-container-installer/build \
    --security-opt label=disable --pull=newer \
    ghcr.io/jasonn3/build-container-installer:latest \
    IMAGE_REPO="ghcr.io/aguslr" \
    IMAGE_NAME="bluerock" \
    IMAGE_TAG="latest" \
    VARIANT="Silverblue"

Features

  • Start with a custom Fedora Silverblue image.
  • Set automatic updates for the system.
  • Set automatic updates for Flatpaks.
  • Set automatic updates for Homebrew.
  • Set automatic updates for Nix.
  • Set additional kernel boot parameters.
  • Set additional kernel runtime parameters.
  • Blacklist rarely used kernel modules.
  • Install Chromium.
  • Allow only verified Flathub apps.

Verification

These images are signed with Sisgstore's Cosign. You can verify the signature by downloading the cosign.pub key from this repo and running the following command:

cosign verify --key cosign.pub ghcr.io/aguslr/bluerock

References

About

A Fedora Silverblue image that has been hardened for extra security

Topics

Resources

License

Stars

Watchers

Forks

Packages