os-images · boredsquirrel · Jun 7, 2024
@@ -1,43 +1,33 @@
-# BlueBuild Template &nbsp; [![build-ublue](https://github.com/blue-build/template/actions/workflows/build.yml/badge.svg)](https://github.com/blue-build/template/actions/workflows/build.yml)
+# CentOS Atomic &nbsp; [![build-ublue](https://github.com/fantastic-fedora/CentOS-Atomic/actions/workflows/build.yml/badge.svg)](https://github.com/blue-build/template/actions/workflows/build.yml)
 
-See the [BlueBuild docs](https://blue-build.org/how-to/setup/) for quick setup instructions for setting up your own repository based on this template.
+Fedora Atomic Desktops use rpm-ostree, which is the best distribution method for stability. But Fedora is also very up to date, so it is probably not fitting for a business environment.
 
-After setup, it is recommended you update this README to describe your custom image.
+CentOS Stream is the upstream of RHEL, but downstream of Fedora. It is a good middleground, for a stable workstation.
 
-## Installation
+CentOS Steam and RHEL will eventually adopt `rpm-ostree` as the distribution method, and [CentOS-bootc](https://github.com/CentOS/centos-bootc/) is a fully bootable rpm-ostree based image, which you can find [here](https://quay.io/repository/centos-bootc/centos-bootc-dev?tab=tags)
+
+This project consumes this image, and adds the packages needed for a good desktop experience to it.
 
-> **Warning**  
-> [This is an experimental feature](https://www.fedoraproject.org/wiki/Changes/OstreeNativeContainerStable), try at your own discretion.
+## Installation
 
 To rebase an existing atomic Fedora installation to the latest build:
 
 - First rebase to the unsigned image, to get the proper signing keys and policies installed:
   ```
-  rpm-ostree rebase ostree-unverified-registry:ghcr.io/blue-build/template:latest
-  ```
-- Reboot to complete the rebase:
-  ```
-  systemctl reboot
+  rpm-ostree rebase --reboot ostree-unverified-registry:ghcr.io/fantastic-fedora/CentOS-Atomic:latest
   ```
+
 - Then rebase to the signed image, like so:
   ```
-  rpm-ostree rebase ostree-image-signed:docker://ghcr.io/blue-build/template:latest
-  ```
-- Reboot again to complete the installation
-  ```
-  systemctl reboot
+  rpm-ostree rebase --reboot ostree-image-signed:docker://ghcr.io/fantastic-fedora/CentOS-Atomic:latest
   ```
 
-The `latest` tag will automatically point to the latest build. That build will still always use the Fedora version specified in `recipe.yml`, so you won't get accidentally updated to the next major version.
-
-## ISO
-
-If build on Fedora Atomic, you can generate an offline ISO with the instructions available [here](https://blue-build.org/learn/universal-blue/#fresh-install-from-an-iso). These ISOs cannot unfortunately be distributed on GitHub for free due to large sizes, so for public projects something else has to be used for hosting.
+The `latest` tag will automatically point to the latest build. That build will still always use the CentOS Stream version specified in `recipe.yml`, so you won't get accidentally updated to the next major version.
 
 ## Verification
 
 These images are signed with [Sigstore](https://www.sigstore.dev/)'s [cosign](https://github.com/sigstore/cosign). You can verify the signature by downloading the `cosign.pub` file from this repo and running the following command:
 
 ```bash
-cosign verify --key cosign.pub ghcr.io/blue-build/template
+cosign verify --key /path/to/cosign.pub ghcr.io/fantastic-fedora/CentOS-Atomic
 ```
@@ -0,0 +1,7 @@
+find correct CentOS 9 repos to add
+
+https://centos.pkgs.org/
+
+Mention Apache 2.0 License of secureblue
+
+link to files in secureblue instead of copying
@@ -0,0 +1,6 @@
+type: files
+files:
+  - usr: /usr # copy static configurations
+              # configuration you wish to end up in /etc/ on the booted system should be
+              # added into /usr/etc/ (under /config/files) as that is the proper "distro"
+              # config directory on ostree read more in the files module's README
@@ -0,0 +1,26 @@
+type: rpm-ostree
+repos:
+  - https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/repo/fedora-%OS_VERSION%/secureblue-hardened_malloc-fedora-%OS_VERSION%.repo
+install:
+  - lynis
+  - usbguard
+  - usbguard-dbus
+  - setools
+  - podman
+  - distrobox
+  - fwupd
+  - fwupd-efi
+  - fwupd-plugin-flashrom
+  - fwupd-plugin-modem-manager
+  - fwupd-plugin-uefi-capsule-data
+  - parallel
+  - fish
+  - firewalld
+  - htop
+  - nvme-cli
+  - cosign
+  - wireguard-tools
+  - pam_yubico
+  - grub2-tools-extra
+  - vim-enhanced
+#  - snapper
@@ -0,0 +1,5 @@
+type: script
+scripts:
+  - authselect.sh
+  - setfilepermissions.sh
+  - disablesealertpopups.sh
@@ -0,0 +1,6 @@
+type: files
+files:
+  - gnome/usr: /usr # copy static configurations
+              # configuration you wish to end up in /etc/ on the booted system should be
+              # added into /usr/etc/ (under /config/files) as that is the proper "distro"
+              # config directory on ostree read more in the files module's README
@@ -0,0 +1,44 @@
+type: rpm-ostree
+repos:
+  - .repo
+install:
+  - gnome-shell
+  - gnome-terminal
+  - xdg-desktop-portal-gnome
+  - gnome-session
+  - gnome-session-wayland-session
+  - chrome-gnome-shell
+  - gnome-backgrounds
+  - gnome-bluetooth
+  - gnome-calculator
+  - gnome-characters
+  - gnome-classic-session
+  - gnome-color-manager
+  - gnome-control-center
+  - gnome-control-center
+  - gnome-control-center-filesystem
+  - gnome-disk-utility
+  - gnome-font-viewer
+  - gnome-initial-setup
+  - gnome-kiosk
+  - gnome-logs
+  - gnome-menus
+  - gnome-online-accounts
+  - gnome-remote-desktop
+  - gnome-screenshot
+  - gnome-settings-daemon
+  - gnome-software
+  - gnome-software-flatpak
+  - gnome-system-monitor
+  - gnome-terminal-nautilus
+  - gnome-tour
+  - gnome-tweaks
+  - gnome-user-docs
+  - libgnomekbd
+  - nautilus
+  - xdg-user-dirs-gtk
+#  - gnome-shell-extension-dash-to-panel
+#  - gnome-shell-extension-apps-menu
+#  - gnome-shell-extension-drive-menu
+#  - gnome-shell-extension-places-menu
+#  - gnome-shell-extension-systemMonitor
@@ -0,0 +1,36 @@
+type: rpm-ostree
+repos:
+  - https://copr.fedorainfracloud.org/coprs/secureblue/bubblejail/repo/fedora-%OS_VERSION%/secureblue-bubblejail-fedora-%OS_VERSION%.repo
+install:
+  - python3-pip
+  # GNOME's GTK4 theme, Libadwaita. Already included in Silverblue, but not
+  # other spins. You can remove if you aren't using yafti, but many native
+  # apps and binaries require it, so it's a good idea to always include it
+  # if you ever download or compile any custom software on your machine.
+  - libadwaita
+  - bubblejail
+  - usbguard-notifier
+  - NetworkManager-config-connectivity-redhat
+  - bluedevil
+  - lm_sensors
+  - setroubleshoot
+  - flatpak
+  - flatpak-selinux
+  - glibc-all-langpacks
+  - cups-pk-helper
+  - gnome-keyring
+  - gnome-keyring-pam
+  - notify-send
+  - setroubleshoot
+  - firefox
+  - xdg-user-dirs
+  - google-noto-color-emoji-fonts
+  - xdg-desktop-portal
+  - xdg-desktop-portal-gtk
+  - power-profiles-daemon
+  - powerdevil
+  - upower
+  - firewall-config
+
+# left out
+# @"Hardware Support" @base-x @Fonts @"Common NetworkManager Submodules"
@@ -0,0 +1,7 @@
+type: rpm-ostree
+repos:
+  - https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/repo/fedora-%OS_VERSION%/secureblue-hardened_malloc-fedora-%OS_VERSION%.repo
+install:
+  - intel-media-driver
+  - libratbag-ratbagd
+  - headsetcontrol
@@ -0,0 +1,3 @@
+type: script
+scripts:
+  - createautostartdir.sh
@@ -0,0 +1,6 @@
+type: files
+files:
+  - kinoite/usr: /usr # copy static configurations
+              # configuration you wish to end up in /etc/ on the booted system should be
+              # added into /usr/etc/ (under /config/files) as that is the proper "distro"
+              # config directory on ostree read more in the files module's README
@@ -0,0 +1,86 @@
+type: rpm-ostree
+repos:
+  -
+install:
+  - plasma-workspace-wayland
+  - sddm
+  - breeze-icon-theme
+  - colord-kde
+  - dolphin
+  - flatpak-kcm
+  - kate
+  - kde-connect
+  - kde-gtk-config
+  - kde-partitionmanager
+  - kde-print-manager
+  - kde-settings
+  - kde-settings-plasma
+  - kde-settings-sddm
+  - kde-settings-splash
+  - kde-style-breeze
+  - kdeconnectd
+  - kdegraphics-thumbnailers
+  - kdeplasma-addons
+  - kdialog
+  - kf5-akonadi-server
+  - kf5-akonadi-server-mysql
+  - kf5-baloo-file
+  - kf5-kipi-plugins
+  - khotkeys
+  - kmenuedit
+  - konsole5
+  - kscreen
+  - kscreenlocker
+  - ksshaskpass
+  - kwalletmanager5
+  - kwebkitpart
+  - kwin-wayland
+  - pam-kwallet
+  - phonon-qt5-backend-gstreamer
+  - pinentry-qt
+  - plasma-breeze
+  - plasma-desktop
+  - plasma-desktop-doc
+  - plasma-discover
+  - plasma-discover-flatpak
+  - plasma-drkonqi
+  - plasma-nm
+  - plasma-nm-l2tp
+  - plasma-nm-openconnect
+  - plasma-nm-openvpn
+  - plasma-pa
+  - plasma-user-manager
+  - plasma-workspace-geolocation
+  - polkit-kde
+  - qt5-qtbase-gui
+  - qt5-qtdeclarative
+  - sddm-breeze
+  - sddm-kcm
+  - sni-qt
+  - plasma-vault
+  - plasma-disk
+  - plasma-thunderbolt
+  - plasma-integration
+  - plasma-welcome
+  - plasma-browser-integration
+  - sddm-wayland-plasma
+  - spectacle
+  - ark
+  - xwaylandvideobridge
+  - kaccounts-providers
+  - kaccounts-integration
+  - accountsservice
+  - kio-fuse
+  - kio-admin
+  - kio-extras
+  - kio-gdrive
+  - xdg-desktop-portal-kde
+  - filelight
+  - kinfocenter
+  - kcalc
+  - kcharselect
+  - kmenuedit
+  - plasma-systemmonitor
+
+# left out packages
+# breeze-gtk cagibi kdnssd ksysguard plasma-nm-openswan plasma-nm-pptp plasma-nm-vpnc xorg-x11-drv-libinput
@@ -0,0 +1,8 @@
+type: rpm-ostree
+repos:
+  - https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/repo/fedora-%OS_VERSION%/secureblue-hardened_malloc-fedora-%OS_VERSION%.repo
+install:
+  - ffmpeg
+  - ffmpegthumbnailer
+  - mediainfo
+  - libavcodec-freeworld
@@ -0,0 +1,6 @@
+type: files
+files:
+  - server/usr: /usr # copy static configurations
+              # configuration you wish to end up in /etc/ on the booted system should be
+              # added into /usr/etc/ (under /config/files) as that is the proper "distro"
+              # config directory on ostree read more in the files module's README
@@ -0,0 +1,8 @@
+type: rpm-ostree
+repos:
+  - https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/repo/fedora-%OS_VERSION%/secureblue-hardened_malloc-fedora-%OS_VERSION%.repo
+install:
+  - tmux
+
+
+
@@ -0,0 +1,10 @@
+# Sets the display server to wayland instead of xorg
+[General]
+DisplayServer=wayland
+# uses kwin_wayland as a compositor for sddm instead of sway,
+# drm mode for rendering,
+# disables lock-screen as we are not logged in yet,
+# disables global shortcuts to make sure user shortcuts are not inherited for security reasons
+# and uses the system locale as opposed to the user's locale
+[Wayland]
+CompositorCommand=kwin_wayland --drm --no-lockscreen --no-global-shortcuts --locale1
@@ -0,0 +1,7 @@
+# disable all addons
+# https://discuss.kde.org/t/12829
+
+[KDE Action Restrictions][$i]
+ghns=false
+
+# COPY this file to "kdeglobals" to make it active
@@ -0,0 +1 @@
+
@@ -0,0 +1,26 @@
+# Only allow ten auth attempts
+MaxAuthTries 10
+
+# Only allow two simultaneous sessions
+MaxSessions 2
+
+# Forbid agent forwarding
+AllowAgentForwarding no
+
+# Forbid TCP forwarding
+AllowTcpForwarding no
+
+# Forbid X11 forwarding
+X11Forwarding no
+
+# Disable TCPKeepAlive
+TCPKeepAlive no
+
+# Maximum number of client alive messages sent without response||
+ClientAliveCountMax 2
+
+# Forbid sshing as root
+PermitRootLogin no
+
+# Disable compression
+# Compression no
@@ -0,0 +1,8 @@
+[device-mac-randomization]
+# "yes" is already the default for scanning
+wifi.scan-rand-mac-address=yes
+
+[connection-mac-randomization]
+# Generate a random MAC for each Network and associate the two permanently.
+ethernet.cloned-mac-address=stable
+wifi.cloned-mac-address=stable