A Fedora Silverblue image that has been hardened for extra security.
-
Rebase to an unsigned image to get proper signing keys:
rpm-ostree rebase -r ostree-unverified-registry:ghcr.io/aguslr/bluerock:stable -
Rebase to a signed image to finish the installation:
rpm-ostree rebase -r ostree-image-signed:docker://ghcr.io/aguslr/bluerock:stable
Alternatively, an ISO file for offline installation can be generated with the following command:
sudo podman run --rm --privileged \
--volume .:/build-container-installer/build \
--security-opt label=disable --pull=newer \
ghcr.io/jasonn3/build-container-installer:latest \
IMAGE_REPO="ghcr.io/aguslr" \
IMAGE_NAME="bluerock" \
IMAGE_TAG="latest" \
VARIANT="Silverblue"
- Start with a custom Fedora Silverblue image.
- Set automatic updates for the system.
- Set automatic updates for Flatpaks.
- Set automatic updates for Homebrew.
- Set automatic updates for Nix.
- Set additional kernel boot parameters.
- Set additional kernel runtime parameters.
- Blacklist rarely used kernel modules.
- Install Chromium.
- Allow only verified Flathub apps.
These images are signed with Sisgstore's Cosign. You can verify the
signature by downloading the cosign.pub key from this repo and running the
following command:
cosign verify --key cosign.pub ghcr.io/aguslr/bluerock