A custom bootc operating system image based on the lessons from Universal Blue and Bluefin, built from the finpilot template.
This image uses the multi-stage build architecture from @projectbluefin/distroless, combining resources from multiple OCI containers for modularity and maintainability.
Here are the changes from the base silverblue-main image. This image uses Bluefin's build patterns (silverblue-main + GNOME) and includes these customizations:
- Core Tools (10-build.sh): gnome-pomodoro, kitty, et, neovim, stow, syncthing
- Networking (20-tailscale.sh): Tailscale VPN client with tailscaled daemon
- Security (21-keybase.sh): Keybase encrypted messaging and filesystem
- Wayland Compositors (40-desktops.sh):
  - Niri (scrollable-tiling compositor from COPR yalter/niri)
  - Mango (MangoWM compositor from Terra repository)
  - Noctalia Shell (niri shell layer from Terra repository)
- Desktop Helpers (40-desktops.sh): brightnessctl, kanshi, playerctl, wayland-utils, wev, wl-clipboard, wlr-randr, xdg-desktop-portal-gnome, xdg-desktop-portal-wlr, xwayland-satellite
- CLI Tools (Homebrew): None added yet — see custom/brew/default.Brewfile to add CLI tools
- GUI Apps (Flatpak): None added yet — see custom/flatpaks/default.preinstall to add GUI apps
- Uses @projectbluefin/common desktop configuration shared with Bluefin/Aurora
- Homebrew integration via @ublue-os/brew
- (TODO) SBOM generation (Software Bill of Materials) for supply chain transparency
- Image signed with cosign for cryptographic verification
- Automated security updates via Renovate
- Build provenance tracking
Users can verify images with:
cosign verify --key cosign.pub ghcr.io/your-username/your-repo-name:stable
All changes should be made via pull requests:
- Open a pull request on GitHub with the change you want.
- The PR will automatically trigger:
  - Build validation
  - Brewfile, Flatpak, Justfile, and shellcheck validation
  - Test image build
- Once checks pass, merge the PR
- Merging publishes a :stable image
Test your changes before pushing:
just build # Build container image
just build-qcow2 # Build VM disk image
just run-vm-qcow2 # Test in browser-based VM
Switch to finicky:
sudo bootc switch ghcr.io/agriffis/finicky:stable
sudo systemctl reboot
This template follows the multi-stage build architecture from @projectbluefin/distroless, as documented in the Bluefin Contributing Guide.
Stage 1: Context (ctx) - Combines resources from multiple sources:
- Local build scripts (/build)
- Local custom files (/custom)
- @projectbluefin/common - Desktop configuration shared with Aurora
- @projectbluefin/branding - Branding assets
- @ublue-os/artwork - Artwork shared with Aurora and Bazzite
- @ublue-os/brew - Homebrew integration
Stage 2: Base Image - Default options:
ghcr.io/ublue-os/silverblue-main:latest (Fedora-based, default)
quay.io/centos-bootc/centos-bootc:stream10 (CentOS-based alternative)
- Modularity: Compose your image from reusable OCI containers
- Maintainability: Update shared components independently
- Reproducibility: Renovate automatically updates OCI tags to SHA digests
- Consistency: Share components across Bluefin, Aurora, and custom images
The template imports files from these OCI containers at build time:
COPY --from=ghcr.io/ublue-os/base-main:latest /system_files /oci/base
COPY --from=ghcr.io/projectbluefin/common:latest /system_files /oci/common
COPY --from=ghcr.io/ublue-os/brew:latest /system_files /oci/brew
Your build scripts can access these files at:
- /ctx/oci/base/ - Base system configuration
- /ctx/oci/common/ - Shared desktop configuration
- /ctx/oci/branding/ - Branding assets
- /ctx/oci/artwork/ - Artwork files
- /ctx/oci/brew/ - Homebrew integration files
Note: Renovate automatically updates :latest tags to SHA digests for reproducible builds.
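A pre-merge check for the digest pinning noted above, as an added example that is not part of the finpilot template: it lists every FROM and COPY --from= image reference that still lacks a full sha256 digest. The function names and the sample Containerfile (the COPY lines above plus one placeholder-pinned line) are constructed for illustration.

```shell
# Added example (not finpilot code); names and sample input are constructed.
# Prints "LINE: REF" for each FROM / COPY --from= image reference lacking a
# full @sha256:<64 hex> digest; returns 1 if any were found.
unpinned_refs() {
    awk '
        function check(ref) {
            # "@sha256:" (8 chars) + 64 hex digits = 72 chars at end of ref
            if (!(match(ref, /@sha256:[0-9a-f]+$/) && RLENGTH == 72)) {
                print FNR ": " ref
                bad = 1
            }
        }
        toupper($1) == "FROM" {
            ref = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^--/) continue              # flags such as --platform=
                if (ref == "") { ref = $i; continue }
                if (toupper($i) == "AS" && i < NF) stage[$(i + 1)] = 1
            }
            # "scratch" and earlier stage names are not registry pulls
            if (ref != "" && ref != "scratch" && !(ref in stage)) check(ref)
        }
        toupper($1) == "COPY" {
            for (i = 2; i <= NF; i++) if ($i ~ /^--from=/) {
                ref = substr($i, 8)
                # skip stage names and numeric stage indexes
                if (!(ref in stage) && ref !~ /^[0-9]+$/) check(ref)
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample; the all-zero digest is a placeholder, not a real digest.
sample_containerfile() {
    digest=$(printf '%064d' 0)
    cat <<EOF
FROM scratch AS ctx
COPY --from=ghcr.io/ublue-os/base-main:latest /system_files /oci/base
COPY --from=ghcr.io/projectbluefin/common:latest /system_files /oci/common
COPY --from=ghcr.io/ublue-os/brew@sha256:$digest /system_files /oci/brew
FROM ghcr.io/ublue-os/silverblue-main:latest
COPY --from=ctx /oci /ctx/oci
EOF
}

sample_containerfile | unpinned_refs || echo "unpinned image references found"
```

Run against a real Containerfile with `unpinned_refs Containerfile`; a non-zero exit status can fail a PR check until Renovate's digest update has been merged.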
- Homebrew/Brewfiles - Runtime package management
- Flatpak Preinstall - GUI application setup
- ujust Commands - User convenience commands
- Build Scripts - Build-time customization