From 4eeb4391021503e74f2f9e18aa0165eaae7985dd Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:19:27 -0800
Subject: [PATCH 01/11] docs: content improvements
---
 content/INSTALL.md | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/content/INSTALL.md b/content/INSTALL.md
index ac7d8875..0cfc8fdf 100644
--- a/content/INSTALL.md
+++ b/content/INSTALL.md
@@ -77,7 +77,7 @@ Then, follow the following steps in order:
 ### Subscribe to secureblue release notifications
 {: #release-notifications}
-[FAQ](/faq#releases)
+[How to subscribe to secureblue release notifications](/faq#releases)
 ### Set NVIDIA-specific kargs if applicable
 {: #nvidia}
@@ -88,7 +88,7 @@ If you are using an `nvidia` image, run this after installation:
 ujust set-kargs-nvidia
 ```
-You may also need this (solves flickering and luks issues on some NVIDIA hardware):
+If you encounter flickering or luks issues, you may also (rarely) need this karg:
 ```
 rpm-ostree kargs \
@@ -146,26 +146,17 @@ Creating a dedicated wheel user and removing wheel from your primary user helps
 {% include alert.html type='caution' content='If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.' %}
+{% include alert.html type='note' content='We log in as admin to do the final step of removing the user account\'s wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.' %}
 1. `run0`
 2. `adduser admin`
 3. `usermod -aG wheel admin`
 4. `passwd admin`
 5. `exit`
 6. `reboot`
-
-{% include alert.html type='note' content='We log in as admin to do the final step of removing the user account\'s wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.' %}
-
-5. Log in as `admin`
-6. `run0`
-7. `gpasswd -d {your username here} wheel`
-8. `reboot`
-
-When using a non-wheel user, you can add the user to other groups if you want. For example:
-
-- use libvirt: `libvirt`
-- use `adb` and `fastboot`: `plugdev`
-- use systemwide flatpaks: `flatpak`
-- use usbguard: `usbguard`
+7. Log in as `admin`
+8. `run0`
+9. `gpasswd -d {your username here} wheel`
+10. `reboot`
 {% include alert.html type='note' content='You don\'t need to login using your wheel user to use it for privileged operations. When logged in as your non-wheel user, polkit will prompt you to authenticate as your wheel user as needed, or when requested by calling run0.' %}
From 1166ae7644fc48f93ee0384ec796be31d077ea3a Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:21:21 -0800
Subject: [PATCH 02/11] add detail
---
 content/INSTALL.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/INSTALL.md b/content/INSTALL.md
index 0cfc8fdf..6bba250a 100644
--- a/content/INSTALL.md
+++ b/content/INSTALL.md
@@ -31,8 +31,8 @@ Before rebasing and during the installation, the following checks are recommende
 ### Fedora installation
 - Select the option to encrypt the drive you're installing to.
 - Use a [strong password](https://security.harvard.edu/use-strong-passwords) when prompted.
-- Leave the root account disabled.
-- Select wheel group membership for your user.
+- Leave the root account disabled if prompted.
+- Select wheel group membership for your user if prompted.
 ### BIOS hardening
 - Ensure secureboot is enabled.
From f7864ca166e7b7137949fd8316f891ad043678c2 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:22:34 -0800
Subject: [PATCH 03/11] polish
---
 content/INSTALL.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/content/INSTALL.md b/content/INSTALL.md
index 6bba250a..de5dd128 100644
--- a/content/INSTALL.md
+++ b/content/INSTALL.md
@@ -54,10 +54,6 @@ bash install_secureblue.sh
 ## Post-install
-After installation, [yafti](https://github.com/ublue-os/yafti) will open. Make sure to follow the steps listed carefully and read the directions closely.
-
-Then, follow the following steps in order:
-
 - [Subscribe to secureblue release notifications](#release-notifications)
 - [Set NVIDIA-specific kargs if applicable](#nvidia)
 - [Enroll secureboot key](#secureboot)
@@ -74,6 +70,8 @@ Then, follow the following steps in order:
 - [Optional: Trivalent Flags](#trivalent-flags)
 - [Read the FAQ](#faq)
+{% include alert.html type='note' content='After installation, [yafti](https://github.com/ublue-os/yafti) will open. Make sure to follow the steps listed carefully and read the directions closely.' %}
+
 ### Subscribe to secureblue release notifications
 {: #release-notifications}
From 90a740db96d2c20a54dedcdf8138569665c49319 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:25:32 -0800
Subject: [PATCH 04/11] content
---
 content/INSTALL.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/INSTALL.md b/content/INSTALL.md
index de5dd128..1078f888 100644
--- a/content/INSTALL.md
+++ b/content/INSTALL.md
@@ -42,7 +42,7 @@ Before rebasing and during the installation, the following checks are recommende
 ## Rebase
-To rebase a Fedora Atomic or Fedora CoreOS installation to a secureblue image, download the script below. This script does not install secureblue into the existing system. It rebases (fully replaces the existing system) with secureblue.
+Now that you have a Fedora Atomic or Fedora CoreOS installation, rebase it to the secureblue image of your choice using the script below. This script does not install secureblue into the existing system. It rebases (fully replaces the existing system) with secureblue.
 Download secureblue installer
From 0d34382e25e5fe8efeed992a38dc648a15ab947e Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:26:19 -0800
Subject: [PATCH 05/11] fix link
---
 content/INSTALL.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/INSTALL.md b/content/INSTALL.md
index 1078f888..cfd81dec 100644
--- a/content/INSTALL.md
+++ b/content/INSTALL.md
@@ -70,7 +70,7 @@ bash install_secureblue.sh
 - [Optional: Trivalent Flags](#trivalent-flags)
 - [Read the FAQ](#faq)
-{% include alert.html type='note' content='After installation, [yafti](https://github.com/ublue-os/yafti) will open. Make sure to follow the steps listed carefully and read the directions closely.' %}
+{% include alert.html type='note' content='After installation, yafti will open. Make sure to follow the steps listed carefully and read the directions closely.' %}
 ### Subscribe to secureblue release notifications
 {: #release-notifications}
From 3602160cbd46ce1d9045994b90d2117139444f15 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:36:34 -0800
Subject: [PATCH 06/11] test hr
---
 content/INSTALL.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/content/INSTALL.md b/content/INSTALL.md
index cfd81dec..d80d5b31 100644
--- a/content/INSTALL.md
+++ b/content/INSTALL.md
@@ -16,6 +16,8 @@ To install secureblue, you will use a Fedora Atomic (or CoreOS, for securecore)
 - [Rebase](#rebase)
 - [Post-install](#post-install)
+
+
 ## Pre-install
 The following is advice on what to do before and during the installation of a Fedora ISO, and how.
@@ -40,6 +42,8 @@ Before rebasing and during the installation, the following checks are recommende
 - Disable booting from USB (some manufacturers allow firmware changes from live systems).
 - Set a BIOS password to prevent tampering.
+
+
 ## Rebase
 Now that you have a Fedora Atomic or Fedora CoreOS installation, rebase it to the secureblue image of your choice using the script below. This script does not install secureblue into the existing system. It rebases (fully replaces the existing system) with secureblue.
@@ -52,6 +56,8 @@ Then, run it from the directory you downloaded it to:
 bash install_secureblue.sh
 ```
+
+
 ## Post-install
 - [Subscribe to secureblue release notifications](#release-notifications)
From 455850e1f120c2920994c88e96b34cb40cc360cc Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:37:39 -0800
Subject: [PATCH 07/11] oxford comma
---
 content/INSTALL.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/INSTALL.md b/content/INSTALL.md
index d80d5b31..e77950a5 100644
--- a/content/INSTALL.md
+++ b/content/INSTALL.md
@@ -22,7 +22,7 @@ To install secureblue, you will use a Fedora Atomic (or CoreOS, for securecore)
 The following is advice on what to do before and during the installation of a Fedora ISO, and how.
-{% include alert.html type='note' content='The cross-platform Fedora Media Writer is the official, tested and supported method for the creation of bootable media. Instructions (alongside a word on alternative methods) are available in the Fedora documentation.' %}
+{% include alert.html type='note' content='The cross-platform Fedora Media Writer is the official, tested, and supported method for the creation of bootable media. Instructions (alongside a word on alternative methods) are available in the Fedora documentation.' %}
 {% include alert.html type='tip' content='If you don\'t already have a Fedora Atomic installation, use a Fedora Atomic ISO that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue ISO, Kinoite for Kinoite, Sericea (Sway Atomic) for Sericea and all the Wayblue images, and CoreOS for all the securecore images.
For more details on the available images, have a look at the list of available images before proceeding.' %}
From 55ab003e882f5cb0fe901638cdb0456a6c7b3db2 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:39:09 -0800
Subject: [PATCH 08/11] fix link
---
 content/FEATURES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/FEATURES.md b/content/FEATURES.md
index 171aa716..8b92534e 100644
--- a/content/FEATURES.md
+++ b/content/FEATURES.md
@@ -10,7 +10,7 @@ permalink: /features
 - Installing and enabling [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally, including for flatpaks. [Thanks to rusty-snake's spec](https://github.com/rusty-snake/fedora-extras)
 - Installing our chromium-based browser [Trivalent](https://github.com/secureblue/Trivalent), which is inspired by [Vanadium](https://github.com/GrapheneOS/Vanadium). [Why chromium?](https://grapheneos.org/usage#web-browsing) [Why not flatpak chromium?](https://forum.vivaldi.net/post/669805)
 - SELinux-restricted [unprivileged user namespaces](/articles/userns)
-- Setting numerous hardened sysctl values [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/hardening.conf)
+- Setting numerous hardened sysctl values [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/60-hardening.conf)
 - Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) [details](/articles/kargs)
 - Configure chronyd to use Network Time Security (NTS) [using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf)
 - Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
From 70ceda1a43be1dd8392b7175b6822424d811c7ce Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:40:15 -0800
Subject: [PATCH 09/11] add linkspector
---
 .github/workflows/config/linkspector.yml | 3 +++
 .github/workflows/linkspector.yml | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 .github/workflows/config/linkspector.yml
 create mode 100644 .github/workflows/linkspector.yml
diff --git a/.github/workflows/config/linkspector.yml b/.github/workflows/config/linkspector.yml
new file mode 100644
index 00000000..8f33b34b
--- /dev/null
+++ b/.github/workflows/config/linkspector.yml
@@ -0,0 +1,3 @@
+dirs:
+ - .
+ useGitIgnore: true
\ No newline at end of file
diff --git a/.github/workflows/linkspector.yml b/.github/workflows/linkspector.yml
new file mode 100644
index 00000000..fc32109f
--- /dev/null
+++ b/.github/workflows/linkspector.yml
@@ -0,0 +1,18 @@
+name: linkspector-scan
+on:
+ pull_request:
+ branches:
+ - live
+jobs:
+ check-links:
+ name: Linkspector
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Run linkspector
+ uses: umbrelladocs/action-linkspector@de84085e0f51452a470558693d7d308fbb2fa261 # v1.2.5
+ with:
+ filter_mode: nofilter
+ reporter: github-pr-review
+ fail_on_error: true
+ config_file: .github/workflows/config/linkspector.yml
\ No newline at end of file
From 72c879d2fcc192619c1356fc555c564404c05d7c Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:41:26 -0800
Subject: [PATCH 10/11] indent
---
 .github/workflows/config/linkspector.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/config/linkspector.yml b/.github/workflows/config/linkspector.yml
index 8f33b34b..d7eddc9c 100644
--- a/.github/workflows/config/linkspector.yml
+++ b/.github/workflows/config/linkspector.yml
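Review bot: The new linkspector-scan workflow declares no `permissions:` block, so the `check-links` job runs with whatever default GITHUB_TOKEN scope the repository grants, while the steps shown only need to read the checkout and post a pull-request review. Both third-party actions are pinned to full commit SHAs, which is good, but pinning the token to least privilege is what limits the blast radius if either action misbehaves; adding `permissions:` / `  contents: read` / `  pull-requests: write` at the workflow level (above `jobs:`) would do that. Note also that `reporter: github-pr-review` combined with `fail_on_error: true` likely cannot post reviews on pull requests opened from forks, where the token is read-only, so such runs would probably fail for reasons unrelated to broken links; a short comment on the `with:` block stating that limitation would help whoever re-enables this. The later "remove linkspector" patch in this series deletes both files, so this only matters if the workflow is reinstated.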
@@ -1,3 +1,3 @@
 dirs:
 - .
- useGitIgnore: true
\ No newline at end of file
+useGitIgnore: true
\ No newline at end of file
From 6d16775499058fded6edcf6df39e99d7a5dc7933 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 5 Feb 2025 17:43:21 -0800
Subject: [PATCH 11/11] remove linkspector
---
 .github/workflows/config/linkspector.yml | 3 ---
 .github/workflows/linkspector.yml | 18 ------------------
 2 files changed, 21 deletions(-)
 delete mode 100644 .github/workflows/config/linkspector.yml
 delete mode 100644 .github/workflows/linkspector.yml
diff --git a/.github/workflows/config/linkspector.yml b/.github/workflows/config/linkspector.yml
deleted file mode 100644
index d7eddc9c..00000000
--- a/.github/workflows/config/linkspector.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-dirs:
- - .
-useGitIgnore: true
\ No newline at end of file
diff --git a/.github/workflows/linkspector.yml b/.github/workflows/linkspector.yml
deleted file mode 100644
index fc32109f..00000000
--- a/.github/workflows/linkspector.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: linkspector-scan
-on:
- pull_request:
- branches:
- - live
-jobs:
- check-links:
- name: Linkspector
- runs-on: ubuntu-22.04
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: Run linkspector
- uses: umbrelladocs/action-linkspector@de84085e0f51452a470558693d7d308fbb2fa261 # v1.2.5
- with:
- filter_mode: nofilter
- reporter: github-pr-review
- fail_on_error: true
- config_file: .github/workflows/config/linkspector.yml
\ No newline at end of file