A Fedora Silverblue image that has been hardened for extra security.
-
Rebase to an unsigned image to get proper signing keys:
rpm-ostree rebase ostree-unverified-registry:ghcr.io/aguslr/bluerock:latest && systemctl reboot
-
Rebase to a signed image to finish the installation:
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/aguslr/bluerock:latest && systemctl reboot
Alternatively, an ISO file for offline installation can be generated with the following command:
sudo podman run --rm --privileged --volume .:/isogenerator/output \
--security-opt label=disable --pull=newer \
-e IMAGE_REPO="ghcr.io/aguslr" -e IMAGE_NAME="bluerock" \
-e IMAGE_TAG="latest" -e VARIANT="Silverblue" \
ghcr.io/ublue-os/isogenerator:39
- Start with a custom Fedora Silverblue image.
- Set automatic updates for the system.
- Set additional kernel boot parameters.
- Set additional kernel runtime parameters.
- Blacklist rarely used kernel modules.
- Replace Firefox with Chromium.
- Allow only verified Flathub apps.
These images are signed with Sisgstore's Cosign. You can verify the
signature by downloading the cosign.pub
key from this repo and running the
following command:
cosign verify --key cosign.pub ghcr.io/aguslr/bluerock