patchstack/customized main

My customized ParticleOS configuration

Patch does not have a description.
7 files changed, +339 -3

  .gitignore (1 line)
  README.md (54 lines)
  mkosi.conf.d/fedora/mkosi.conf (2 lines)
  - mkosi.profiles/custom/mkosi.postinst.d/wireshark.chroot (4 lines, deleted)
  + mkosi.profiles/selinux/mkosi.extra/etc/selinux/config (2 lines, new)
  + mkosi.profiles/selinux/mkosi.extra/etc/selinux/semanage.conf (60 lines, new)
  + mkosi.profiles/selinux/mkosi.extra/usr/lib/tmpfiles.d/selinux.conf (3 lines, new)
.gitignore (-1)
             @@ -8,6 +8,5 @@     8      8mkosi.version     9      9.mkosi-private    10     10mkosi.packages/    11       keys/    12     11mkosi.profiles/custom/mkosi.extra/usr/local/bin/    13     12versions/
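Review bot: dropping `keys/` from `.gitignore` means any private key material still living in that directory (the SecureBoot and dm-verity signing keys the README says every image is signed with) becomes trackable and will be swept up by the next `git add -A`. If the keys were moved somewhere that is still ignored (`.mkosi-private` remains in the list), say so in the commit message; otherwise keep the `keys/` entry, or at minimum add a pattern that covers the private halves.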
README.md (+42 -12)
             
@@ -1,23 +1,53 @@     1      1# ParticleOS     2      2     3       ParticleOS is a fully customizable immutable distribution implementing the     4       concepts described in     5       [Fitting Everything Together](https://0pointer.net/blog/fitting-everything-together.html).     6            7       This is my own version/soft fork of ParticleOS. Most important commands are     8       contained in the [`makefile`](makefile). Most imporant are `make build` and     9       `make sysupdate`.            3[ParticleOS](https://github.com/systemd/particleos) is an extremely cool            4meta-distribution from the systemd project. It's my favorite thing in software            5since I discovered IPv6. Concretely, it's a configuration for systemd's            6[`mkosi` tool](https://mkosi.systemd.io/) that you use to build your own            7ParticleOS images. As described in the readme:            8            9> ParticleOS is a fully customizable immutable distribution implementing the           10concepts described in [Fitting Everything           11Together](https://0pointer.net/blog/fitting-everything-together.html).           
12           13Among other things, it has the following characteristics:           14           15- OS versions are delivered as immutable `/usr` partitions           16  - A/B partitions for worry-free upgrades and rollbacks           17  - Block-level integrity provided by           18    [dm-verity](https://wiki.archlinux.org/title/Dm-verity)           19  - Authenticity provided by a signature on the dm-verity data, done with           20    your own keys           21- Is easily hacked on, just like traditional mutable OSes           22  - Essentially *is* a traditional OS (one of Arch, Debian, or Fedora), built           23    fully from regular distro packages           24  - Hacking on `/usr` is done at image build-time, rather than during OS           25    runtime           26- Is signed with your own SecureBoot keys           27- LUKS-encrypted root partition with TPM-stored key for automatic unlocking           28- LUKS-encrypted home directory managed by           29  [`systemd-homed`](https://systemd.io/HOME_DIRECTORY/)           30           31This here is my own customized version/soft fork of ParticleOS. It's the Fedora           32variant.    10     33    11     34## Notable files/directories    12     35    13       - [makefile](makefile)—contains most imporant commands. `build` and           36- [makefile](makefile)—contains most important commands. `build` and    14     37  `sysupdate` targets are the main ones. is also responsible for downloading    15     38  miscellaneous unpackaged binaries.    16       - [mkosi.local.conf](mkosi.local.conf)—the linchpin that holds my custom           39- [mkosi.local.conf](mkosi.local.conf)—the linchpin that holds the custom    17     40  configuration together.    18       - [mkosi.profiles/custom](mkosi.profiles/custom)—the custom profile where    19         most of my additions live.    
20         - [mkosi.conf](mkosi.profiles/custom/mkosi.conf)—primarily contains the           41- [mkosi.profiles/custom](mkosi.profiles/custom)—the custom `mkosi` profile           42  where most of my customizations live.           43  - [mkosi.conf](mkosi.profiles/custom/mkosi.conf)—contains the    21     44    packages I want installed.    22     45  - [mkosi.extra](mkosi.profiles/custom/mkosi.extra)—additional files that    23     46    get included in the built images.           47           48## Other changes           49           50In addition to the above customizations, there are a number of other small           51tweaks I've made, mostly to get Fedora+KDE Plasma working together. Some of them           52should probably be upstreamed to the ParticleOS project. The overall patchset           53can be seen [here on Gitpatch](https://gitpatch.com/jcgl/particleos/patch/5).
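Review bot: the new "Notable files/directories" section does not mention the `mkosi.profiles/selinux` profile this patch introduces, nor that it ships `SELINUX=permissive`, so a reader of the README will not learn that the policy is loaded but not enforced. Add a bullet alongside `mkosi.profiles/custom` naming the profile and its current mode. Separately, the `makefile` bullet says the build "is also responsible for downloading miscellaneous unpackaged binaries" without saying how those downloads are verified; since the point of the image is a signed, dm-verity-backed `/usr`, one sentence on whether they are checksum- or signature-checked (and against what) belongs here.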
mkosi.conf.d/fedora/mkosi.conf (+2)
             @@ -10,6 +10,8 @@    10     10Packages=    11     11        bash-color-prompt    12     12        bpftool           13        # cryptsetup luksAddKey --token-type systemd-tpm2 /dev/<device> fails           14        # for me otherwise    13     15        cracklib-dicts    14     16        cryptsetup    15     17        distribution-gpg-keys
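Review bot: the new comment sits between `bpftool` and `cracklib-dicts` in an alphabetised package list, so it is not obvious that it is explaining why `cracklib-dicts` is there. Reword it to name the package and, if that is indeed the failure mode, the mechanism: cryptsetup runs new passphrases through a quality check that needs the cracklib dictionaries, so `cryptsetup luksAddKey --token-type systemd-tpm2 /dev/<device>` fails when they are absent. Something like `# cracklib-dicts: needed by cryptsetup's passphrase-quality check; luksAddKey fails without it` keeps the explanation attached to the right line.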
mkosi.profiles/custom/mkosi.postinst.d/wireshark.chroot (-4, deleted)
             @@ -1,4 +0,0 @@     1       #!/usr/bin/sh     2            3       chmod 755 /usr/bin/dumpcap     4       setcap -r /usr/bin/dumpcap
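Review bot: deleting this postinst restores `dumpcap` to whatever mode and file capabilities the wireshark package ships, since the removed lines were forcing mode 755 and stripping the capabilities with `setcap -r`; that changes who can capture packets without being root. The patch has no description, so record the reason here: either the package defaults turned out to be what you want, or capture is now done as root. Note also that on an immutable, dm-verity-backed `/usr` the capability xattrs are fixed into the image at build time, so a postinst like this one is the only place they can be changed.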
mkosi.profiles/selinux/mkosi.extra/etc/selinux/config (+2, new)
             @@ -0,0 +1,2 @@            1SELINUX=permissive            2SELINUXTYPE=targeted
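Review bot: `SELINUX=permissive` makes the kernel log AVC denials without acting on them, so this profile adds auditing but no confinement. If the intent is to collect denials on real workloads before switching, say so in a comment in the file and treat `SELINUX=enforcing` as the target; otherwise a reader will assume the profile confines anything. Also worth a comment: `SELINUXTYPE=targeted` only works if `/etc/selinux/targeted` exists, which this patch arranges through the tmpfiles.d symlink rather than the package, so the two files depend on each other.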
mkosi.profiles/selinux/mkosi.extra/etc/selinux/semanage.conf (+60, new)
             
@@ -0,0 +1,60 @@            1# Authors: Jason Tang <jtang@tresys.com>            2#            3# Copyright (C) 2004-2005 Tresys Technology, LLC            4#            5#  This library is free software; you can redistribute it and/or            6#  modify it under the terms of the GNU Lesser General Public            7#  License as published by the Free Software Foundation; either            8#  version 2.1 of the License, or (at your option) any later version.            9#           10#  This library is distributed in the hope that it will be useful,           11#  but WITHOUT ANY WARRANTY; without even the implied warranty of           12#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU           13#  Lesser General Public License for more details.           14#           15#  You should have received a copy of the GNU Lesser General Public           16#  License along with this library; if not, write to the Free Software           17#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA           18#           19# Specify how libsemanage will interact with a SELinux policy manager.           20# The four options are:           21#           22#  "source"     - libsemanage manipulates a source SELinux policy           23#  "direct"     - libsemanage will write directly to a module store.           24#  /foo/bar     - Write by way of a policy management server, whose           25#                 named socket is at /foo/bar.  The path must begin           26#                 with a '/'.           27#  foo.com:4242 - Establish a TCP connection to a remote policy           28#                 management server at foo.com.  If there is a colon           29#                 then the remainder is interpreted as a port number;           30#                 otherwise default to port 4242.           
31module-store = direct           32           33# When generating the final linked and expanded policy, by default           34# semanage will set the policy version to POLICYDB_VERSION_MAX, as           35# given in <sepol/policydb.h>.  Change this setting if a different           36# version is necessary.           37#policy-version = 19           38           39# expand-check check neverallow rules when executing all semanage           40# commands. There might be a penalty in execution time if this           41# option is enabled.           42expand-check=0           43           44# usepasswd check tells semanage to scan all pass word records for home directories           45# and setup the labeling correctly. If this is turned off, SELinux will label only /home           46# and home directories of users with SELinux login mappings defined, see           47# semanage login -l for the list of such users.           48# If you want to use a different home directory, you will need to use semanage fcontext command.           49# For example, if you had home dirs in /althome directory you would have to execute           50# semanage fcontext -a -e /home /althome           51usepasswd=False           52bzip-small=true           53bzip-blocksize=5           54ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var           55optimize-policy=true           56           57[sefcontext_compile]           58path = /usr/sbin/sefcontext_compile           59args = -r $@           60[end]
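Review bot: this reads as an unmodified copy of the packaged libsemanage default (Tresys header, `module-store = direct`, `expand-check=0`, the Fedora `ignoredirs` list, `optimize-policy=true`). If nothing was changed, a one-line comment at the top saying it is the distro default carried into the factory tree saves the next reader a diff against the package; if something was changed, call out the line. Independently of origin, `expand-check=0` means `semodule` will not check `neverallow` rules when linking policy, so a locally added module that violates them is accepted silently; if that is a deliberate trade for build time, say so next to the setting.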
mkosi.profiles/selinux/mkosi.extra/usr/lib/tmpfiles.d/selinux.conf (+3, new)
             @@ -0,0 +1,3 @@            1L? /etc/selinux/targeted            2C /etc/selinux/config          -    -    -     -   /usr/share/factory/etc/selinux/config            3C /etc/selinux/semanage.conf   -    -    -     -   /usr/share/factory/etc/selinux/semanage.conf
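Review bot: `C` copies only when the destination does not exist yet, so `/etc/selinux/config` and `semanage.conf` are seeded on first boot and never touched again; a later image update that changes the factory copies (for instance to flip `SELINUX=permissive` to `enforcing`) will not reach existing installs. If these files are meant to track the image, use `C+`, which copies even when the destination exists, or keep them under `/usr` and symlink them the way the first line does for the `targeted` policy directory. On that first line, the omitted argument relies on the tmpfiles.d default of linking to the same path under `/usr/share/factory`; spelling the target out makes the line readable without the manual.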
jcgl updated patch to version 26
jcgl updated patch to version 25
jcgl updated patch to version 24
jcgl updated patch to version 23
jcgl updated patch to version 22
jcgl updated patch to version 21
jcgl updated patch to version 20
jcgl updated patch to version 19
jcgl updated patch to version 18
jcgl updated patch to version 17
jcgl updated patch to version 16
jcgl updated patch to version 15
jcgl updated patch to version 14
jcgl updated patch to version 13
jcgl updated patch to version 12
jcgl updated patch to version 11
jcgl updated patch to version 10
jcgl updated patch to version 9
jcgl updated patch to version 8
jcgl updated patch to version 7
jcgl updated patch to version 6
jcgl updated patch to version 5
jcgl updated patch to version 4
jcgl updated patch to version 3
jcgl updated patch to version 2
jcgl created patch version 1