├── mkosi.images └── netesp │ ├── mkosi.extra │ └── efi │ │ └── loader │ │ ├── loader.conf │ │ └── entries │ │ ├── 90-debian-13-particleos-obs-current.conf │ │ ├── 90-fedora-42-particleos-obs-current.conf │ │ ├── 90-debian-testing-particleos-obs-current.conf │ │ └── 90-fedora-rawhide-particleos-obs-current.conf │ ├── mkosi.conf.d │ ├── arch.conf │ ├── fedora.conf │ └── debian.conf │ └── mkosi.conf ├── mkosi.extra ├── usr │ ├── lib │ │ ├── modprobe.d │ │ │ └── 00-pcspkr-blacklist.conf │ │ ├── systemd │ │ │ ├── network │ │ │ │ └── 89-ethernet.network │ │ │ ├── user-preset │ │ │ │ └── 10-particleos.preset │ │ │ ├── system │ │ │ │ └── preset-global.service │ │ │ └── system-preset │ │ │ │ └── 10-particleos.preset │ │ ├── repart.d │ │ │ ├── 20-usr-verity-sig.conf │ │ │ ├── 11-usr-verity.conf │ │ │ ├── 10-usr-verity-sig.conf │ │ │ ├── 00-esp.conf │ │ │ ├── 21-usr-verity.conf │ │ │ ├── 22-usr.conf │ │ │ ├── 12-usr.conf │ │ │ ├── 50-home.conf │ │ │ ├── 30-swap.conf │ │ │ └── 40-root.conf │ │ ├── environment.d │ │ │ └── 00-particleos.conf │ │ └── tmpfiles.d │ │ │ └── etc.conf │ └── share │ │ └── p11-kit │ │ └── modules │ │ └── opensc.module └── boot │ └── loader │ └── loader.conf ├── mkosi.conf.d ├── arch │ ├── mkosi.extra │ │ ├── usr │ │ │ └── lib │ │ │ │ └── systemd │ │ │ │ └── zram-generator.conf │ │ └── etc │ │ │ └── pacman.conf │ ├── mkosi.postinst │ └── mkosi.conf ├── debian │ ├── mkosi.extra │ │ └── usr │ │ │ └── lib │ │ │ ├── systemd │ │ │ ├── zram-generator.conf │ │ │ └── system-preset │ │ │ │ └── 20-particleos-debian.preset │ │ │ ├── sysusers.d │ │ │ ├── cups.conf │ │ │ ├── wpasupplicant.conf │ │ │ ├── tpm2-tss.conf │ │ │ ├── geoclue.conf │ │ │ ├── colord.conf │ │ │ └── speech-dispatcher.conf │ │ │ └── tmpfiles.d │ │ │ └── etc-debian.conf │ ├── mkosi.postinst.chroot │ └── mkosi.conf └── fedora │ └── mkosi.conf ├── mkosi.bump ├── mkosi.profiles ├── obs │ ├── systemd-trusted │ ├── arch.conf │ ├── mkosi.conf.d │ │ ├── debian.conf │ │ ├── debian-tools.conf │ │ ├── 
fedora.conf │ │ ├── fedora-tools.conf │ │ ├── arch.conf │ │ └── arch-tools.conf │ ├── fedora.repo │ ├── systemd.gpg │ └── debian.sources ├── gnome │ ├── mkosi.conf.d │ │ ├── arch │ │ │ └── mkosi.conf │ │ ├── debian │ │ │ ├── mkosi.extra │ │ │ │ └── usr │ │ │ │ │ └── lib │ │ │ │ │ ├── systemd │ │ │ │ │ ├── system-preset │ │ │ │ │ │ └── 20-particleos-debian-gnome.preset │ │ │ │ │ └── system │ │ │ │ │ │ └── gdm.service.d │ │ │ │ │ │ └── alias.conf │ │ │ │ │ └── sysusers.d │ │ │ │ │ └── debian-gdm.conf │ │ │ ├── mkosi.conf.d │ │ │ │ └── gnome-xsession.conf │ │ │ └── mkosi.conf │ │ └── fedora │ │ │ └── mkosi.conf │ ├── mkosi.extra │ │ └── usr │ │ │ └── lib │ │ │ └── systemd │ │ │ └── system │ │ │ └── homed-accounts-workaround.service │ └── mkosi.conf ├── desktop │ ├── mkosi.extra │ │ └── usr │ │ │ └── lib │ │ │ └── NetworkManager │ │ │ └── conf.d │ │ │ └── 40-particleos-desktop.conf │ ├── mkosi.conf.d │ │ ├── arch │ │ │ ├── mkosi.conf.d │ │ │ │ └── x86-64.conf │ │ │ └── mkosi.conf │ │ ├── debian │ │ │ ├── mkosi.conf.d │ │ │ │ └── x86-64.conf │ │ │ └── mkosi.conf │ │ └── fedora │ │ │ ├── mkosi.conf.d │ │ │ └── x86-64.conf │ │ │ └── mkosi.conf │ └── mkosi.conf ├── kde │ ├── mkosi.conf.d │ │ ├── arch.conf │ │ └── fedora.conf │ ├── mkosi.extra │ │ └── usr │ │ │ └── lib │ │ │ └── sddm │ │ │ └── sddm.conf.d │ │ │ └── particleos.conf │ └── mkosi.conf └── flathub │ └── mkosi.extra │ └── usr │ └── share │ └── flatpak │ └── remotes.d │ └── flathub.flatpakrepo ├── mkosi.clean ├── mkosi.repart ├── 00-esp.conf ├── 10-usr-verity-sig.conf ├── 11-usr-verity.conf └── 12-usr.conf ├── .gitignore ├── .editorconfig ├── mkosi.finalize ├── mkosi.sysupdate ├── 12-usr.transfer ├── 11-usr-verity.transfer ├── 10-usr-verity-sig.transfer └── 20-uki.transfer ├── mkosi.uki-profiles ├── 80-storagetm.conf ├── 91-factory-reset-with-tpm-clear.conf ├── 95-emergency.conf ├── 90-factory-reset.conf ├── 99-debug.conf └── 10-live.conf ├── .obs └── workflows.yml ├── mkosi.credentials └── home.create.particleos 
├── TODO ├── mkosi.postinst.chroot ├── mkosi.conf ├── README.md └── LICENSE /mkosi.images/netesp/mkosi.extra/efi/loader/loader.conf: -------------------------------------------------------------------------------- 1 | timeout 7 2 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/modprobe.d/00-pcspkr-blacklist.conf: -------------------------------------------------------------------------------- 1 | blacklist pcspkr 2 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/systemd/network/89-ethernet.network: -------------------------------------------------------------------------------- 1 | 89-ethernet.network.example -------------------------------------------------------------------------------- /mkosi.extra/boot/loader/loader.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | timeout 20 4 | -------------------------------------------------------------------------------- /mkosi.conf.d/arch/mkosi.extra/usr/lib/systemd/zram-generator.conf: -------------------------------------------------------------------------------- 1 | [zram0] 2 | #zram-size = min(ram / 2, 4096) 3 | -------------------------------------------------------------------------------- /mkosi.bump: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SPDX-License-Identifier: LGPL-2.1-or-later 3 | set -e 4 | 5 | date +%Y%m%d%H%M%S 6 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/systemd/zram-generator.conf: -------------------------------------------------------------------------------- 1 | [zram0] 2 | #zram-size = min(ram / 2, 4096) 3 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/systemd-trusted: 
-------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | CF496DFD918C8A3F55C56EBC713BF72732820778:4: 3 | -------------------------------------------------------------------------------- /mkosi.extra/usr/share/p11-kit/modules/opensc.module: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | module: opensc-pkcs11.so 4 | -------------------------------------------------------------------------------- /mkosi.conf.d/arch/mkosi.extra/etc/pacman.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [options] 4 | DBPath = /usr/lib/pacman 5 | -------------------------------------------------------------------------------- /mkosi.clean: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # SPDX-License-Identifier: LGPL-2.1-or-later 3 | set -e 4 | set -o nounset 5 | 6 | rm -rf "$OUTPUTDIR"/"$IMAGE_ID"* 7 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/20-usr-verity-sig.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr-verity-sig 5 | Label=_empty 6 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/sysusers.d/cups.conf: -------------------------------------------------------------------------------- 1 | # TODO: drop after https://salsa.debian.org/printing-team/cups/-/merge_requests/11 is merged 2 | g lpadmin 3 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/sysusers.d/wpasupplicant.conf: 
-------------------------------------------------------------------------------- 1 | # TODO: drop after https://salsa.debian.org/debian/wpa/-/merge_requests/18 is merged 2 | g netdev 3 | -------------------------------------------------------------------------------- /mkosi.images/netesp/mkosi.conf.d/arch.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=arch 5 | 6 | [Content] 7 | Packages=systemd 8 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/11-usr-verity.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr-verity 5 | Label=%M_%A_verity 6 | CopyBlocks=auto 7 | -------------------------------------------------------------------------------- /mkosi.images/netesp/mkosi.conf.d/fedora.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=fedora 5 | 6 | [Content] 7 | Packages=systemd-boot 8 | -------------------------------------------------------------------------------- /mkosi.profiles/gnome/mkosi.conf.d/arch/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=arch 5 | 6 | [Content] 7 | Packages= 8 | gdm 9 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/10-usr-verity-sig.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr-verity-sig 5 | Label=%M_%A_verity_sig 6 | CopyBlocks=auto 7 | 
-------------------------------------------------------------------------------- /mkosi.profiles/obs/arch.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [system_systemd_Arch] 4 | Server = https://download.opensuse.org/repositories/system:/systemd/Arch/$arch 5 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/sysusers.d/tpm2-tss.conf: -------------------------------------------------------------------------------- 1 | # TODO: drop after https://salsa.debian.org/debian/tpm2-tss/-/merge_requests/10 is merged 2 | u tss - "tss user for tpm2" 3 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/environment.d/00-particleos.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | ELECTRON_OZONE_PLATFORM_HINT=auto 4 | SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ssh-agent.socket 5 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/sysusers.d/geoclue.conf: -------------------------------------------------------------------------------- 1 | # TODO: drop after https://gitlab.freedesktop.org/geoclue/geoclue/-/merge_requests/202 is merged 2 | u geoclue - - /var/lib/geoclue 3 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/00-esp.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=esp 5 | Format=vfat 6 | CopyFiles=/boot:/ 7 | SizeMinBytes=1G 8 | SizeMaxBytes=1G 9 | -------------------------------------------------------------------------------- 
/mkosi.profiles/gnome/mkosi.conf.d/debian/mkosi.extra/usr/lib/systemd/system-preset/20-particleos-debian-gnome.preset: -------------------------------------------------------------------------------- 1 | # Disabled by default in the package 2 | disable speech-dispatcherd.service 3 | 4 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/systemd/user-preset/10-particleos.preset: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | enable ssh-agent.service 4 | enable p11-kit-server.service 5 | enable pipewire.service 6 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/21-usr-verity.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr-verity 5 | Label=_empty 6 | NoAuto=1 7 | SizeMinBytes=400M 8 | SizeMaxBytes=400M 9 | -------------------------------------------------------------------------------- /mkosi.profiles/gnome/mkosi.conf.d/debian/mkosi.extra/usr/lib/systemd/system/gdm.service.d/alias.conf: -------------------------------------------------------------------------------- 1 | # TODO: drop once https://bugs.debian.org/1025349 is fixed 2 | [Install] 3 | Alias=display-manager.service 4 | -------------------------------------------------------------------------------- /mkosi.repart/00-esp.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=esp 5 | Format=vfat 6 | CopyFiles=/efi:/ 7 | CopyFiles=/boot:/ 8 | SizeMinBytes=1G 9 | SizeMaxBytes=1G 10 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/22-usr.conf: -------------------------------------------------------------------------------- 
1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr 5 | Label=_empty 6 | NoAuto=1 7 | SizeMinBytes=5G 8 | SizeMaxBytes=20G 9 | Weight=2000 10 | -------------------------------------------------------------------------------- /mkosi.repart/10-usr-verity-sig.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr-verity-sig 5 | Label=%M_%A_verity_sig 6 | Verity=signature 7 | VerityMatchKey=usr 8 | SplitName=%t.%U 9 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/12-usr.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr 5 | Label=%M_%A 6 | SizeMinBytes=5G 7 | SizeMaxBytes=20G 8 | Weight=2000 9 | CopyBlocks=auto 10 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/50-home.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=home 5 | Format=btrfs 6 | SizeMinBytes=1G 7 | Weight=40000 8 | FactoryReset=yes 9 | Label=%M-home 10 | -------------------------------------------------------------------------------- /mkosi.profiles/desktop/mkosi.extra/usr/lib/NetworkManager/conf.d/40-particleos-desktop.conf: -------------------------------------------------------------------------------- 1 | [main] 2 | # On desktop systems, we do not want NetworkManager to pick up 3 | # a transient hostname from DHCP. 
4 | hostname-mode=none 5 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/sysusers.d/colord.conf: -------------------------------------------------------------------------------- 1 | # TODO: drop after https://salsa.debian.org/debian/colord/-/merge_requests/7 is merged 2 | u colord - "colord colour management daemon" /var/lib/colord /usr/sbin/nologin 3 | -------------------------------------------------------------------------------- /mkosi.profiles/kde/mkosi.conf.d/arch.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=arch 5 | 6 | [Content] 7 | Packages= 8 | discover 9 | drkonqi 10 | print-manager 11 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/mkosi.conf.d/debian.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=debian 5 | Release=testing 6 | 7 | [Build] 8 | SandboxTrees=debian.sources:/etc/apt/sources.list.d/systemd.sources 9 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/30-swap.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=swap 5 | Format=swap 6 | SizeMinBytes=4G 7 | SizeMaxBytes=4G 8 | Encrypt=tpm2 9 | FactoryReset=yes 10 | Label=%M-swap 11 | -------------------------------------------------------------------------------- /mkosi.profiles/desktop/mkosi.conf.d/arch/mkosi.conf.d/x86-64.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Architecture=x86-64 5 | 6 | [Content] 7 | Packages= 8 | amd-ucode 9 | 
intel-ucode 10 | -------------------------------------------------------------------------------- /mkosi.profiles/gnome/mkosi.conf.d/debian/mkosi.extra/usr/lib/sysusers.d/debian-gdm.conf: -------------------------------------------------------------------------------- 1 | # TODO: drop once https://salsa.debian.org/gnome-team/gdm/-/merge_requests/28 is merged 2 | u Debian-gdm - "Gnome Display Manager" /var/lib/gdm3 /bin/false 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | mkosi.local/ 3 | mkosi.local.conf 4 | mkosi.output/ 5 | mkosi.cache/ 6 | mkosi.tools/ 7 | mkosi.tools.manifest 8 | mkosi.key 9 | mkosi.crt 10 | mkosi.version 11 | .mkosi-private 12 | -------------------------------------------------------------------------------- /mkosi.repart/11-usr-verity.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr-verity 5 | Label=%M_%A_verity 6 | Verity=hash 7 | VerityMatchKey=usr 8 | SizeMinBytes=400M 9 | SizeMaxBytes=400M 10 | SplitName=%t.%U 11 | -------------------------------------------------------------------------------- /mkosi.profiles/kde/mkosi.conf.d/fedora.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=fedora 5 | 6 | [Content] 7 | Packages= 8 | plasma-discover 9 | plasma-drkonqi 10 | plasma-print-manager 11 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/systemd/system-preset/20-particleos-debian.preset: -------------------------------------------------------------------------------- 1 | # apt gets pulled in, but with /usr read-only doesn't make sense to run updates 2 
| disable apt-daily.timer 3 | disable apt-daily-upgrade.timer 4 | disable apt-listchanges.timer 5 | -------------------------------------------------------------------------------- /mkosi.repart/12-usr.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Partition] 4 | Type=usr 5 | Label=%M_%A 6 | Format=erofs 7 | CopyFiles=/usr:/ 8 | Verity=data 9 | VerityMatchKey=usr 10 | Minimize=yes 11 | Compression=zstd 12 | SplitName=%t.%U 13 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/mkosi.conf.d/debian-tools.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | ToolsTreeDistribution=debian 5 | ToolsTreeRelease=testing 6 | 7 | [Build] 8 | ToolsTreeSandboxTrees=debian.sources:/etc/apt/sources.list.d/systemd.sources 9 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/sysusers.d/speech-dispatcher.conf: -------------------------------------------------------------------------------- 1 | # TODO: drop after https://salsa.debian.org/tts-team/speech-dispatcher/-/merge_requests/6 is merged 2 | u speech-dispatcher - "Speech Dispatcher" /run/speech-dispatcher /bin/false 3 | m speech-dispatcher audio 4 | -------------------------------------------------------------------------------- /mkosi.images/netesp/mkosi.conf.d/debian.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | # needssslcertforbuild 3 | 4 | [Match] 5 | Distribution=|debian 6 | Distribution=|ubuntu 7 | 8 | [Content] 9 | Packages= 10 | systemd-boot-efi 11 | systemd-boot-efi-signed 12 | -------------------------------------------------------------------------------- 
/mkosi.images/netesp/mkosi.extra/efi/loader/entries/90-debian-13-particleos-obs-current.conf: -------------------------------------------------------------------------------- 1 | title Debian 13 ParticleOS Current from OBS (Network Boot) 2 | architecture x64 3 | uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/debian_13_images/ParticleOS_x86-64.efi 4 | # NOTE(review): uki-url is plain http://, so the transport gives no integrity or authenticity; the downloaded UKI has to be authenticated by Secure Boot signature verification - confirm that is enforced wherever this ESP is booted. -------------------------------------------------------------------------------- /mkosi.images/netesp/mkosi.extra/efi/loader/entries/90-fedora-42-particleos-obs-current.conf: -------------------------------------------------------------------------------- 1 | title Fedora 42 ParticleOS Current from OBS (Network Boot) 2 | architecture x64 3 | uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/fedora_42_images/ParticleOS_x86-64.efi 4 | # NOTE(review): plain http:// download here too; the UKI's authenticity rests on Secure Boot signature verification, not on the transport - confirm it is enforced. -------------------------------------------------------------------------------- /mkosi.profiles/obs/mkosi.conf.d/fedora.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=fedora 5 | Release=rawhide 6 | # Copies the repository signing key and the repo definition into the build sandbox at the listed destination paths. 7 | [Build] 8 | SandboxTrees=systemd.gpg:/usr/share/pki/rpm-gpg/systemd.gpg 9 | fedora.repo:/etc/yum.repos.d/systemd.repo 10 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/repart.d/40-root.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | # Root partition: btrfs with a /var subvolume, encrypted with a key enrolled in the local TPM2 (Encrypt=tpm2) and erased on factory reset (FactoryReset=yes). 3 | [Partition] 4 | Type=root 5 | Format=btrfs 6 | SizeMinBytes=1G 7 | Weight=20000 8 | Subvolumes=/var 9 | MakeDirectories=/var/log/journal 10 | Encrypt=tpm2 11 | FactoryReset=yes 12 | Label=%M-root 13 | -------------------------------------------------------------------------------- /mkosi.images/netesp/mkosi.extra/efi/loader/entries/90-debian-testing-particleos-obs-current.conf: 
-------------------------------------------------------------------------------- 1 | title Debian Testing ParticleOS Current from OBS (Network Boot) 2 | architecture x64 3 | uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/debian_14_images/ParticleOS_x86-64.efi 4 | # NOTE(review): uki-url is plain http://, so the transport gives no integrity or authenticity; the downloaded UKI has to be authenticated by Secure Boot signature verification - confirm that is enforced wherever this ESP is booted. -------------------------------------------------------------------------------- /mkosi.images/netesp/mkosi.extra/efi/loader/entries/90-fedora-rawhide-particleos-obs-current.conf: -------------------------------------------------------------------------------- 1 | title Fedora Rawhide ParticleOS Current from OBS (Network Boot) 2 | architecture x64 3 | uki-url http://downloadcontentcdn.opensuse.org/repositories/system:/systemd/fedora_44_images/ParticleOS_x86-64.efi 4 | # NOTE(review): plain http:// download here too; the UKI's authenticity rests on Secure Boot signature verification, not on the transport - confirm it is enforced. -------------------------------------------------------------------------------- /mkosi.profiles/gnome/mkosi.conf.d/fedora/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=fedora 5 | 6 | [Content] 7 | Packages= 8 | adwaita-fonts-all 9 | gdm 10 | rsms-inter-fonts 11 | rsms-inter-vf-fonts 12 | default-fonts-core-emoji 13 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | root = true 3 | 4 | [*] 5 | end_of_line = lf 6 | insert_final_newline = true 7 | trim_trailing_whitespace = true 8 | charset = utf-8 9 | 10 | [*.conf] 11 | indent_style = space 12 | indent_size = 4 13 | # Presumably so that an editor does not append a newline to the passphrase file - confirm. 14 | [mkosi.passphrase] 15 | insert_final_newline = false 16 | -------------------------------------------------------------------------------- /mkosi.profiles/gnome/mkosi.conf.d/debian/mkosi.conf.d/gnome-xsession.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 
2 | 3 | [TriggerMatch] 4 | Distribution=debian 5 | Release=trixie 6 | 7 | [TriggerMatch] 8 | Distribution=ubuntu 9 | Release=|oracular 10 | Release=|plucky 11 | 12 | [Content] 13 | Packages=gnome-session-xsession 14 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/mkosi.conf.d/fedora-tools.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | ToolsTreeDistribution=fedora 5 | ToolsTreeRelease=rawhide 6 | 7 | [Build] 8 | ToolsTreeSandboxTrees=systemd.gpg:/usr/share/pki/rpm-gpg/systemd.gpg 9 | fedora.repo:/etc/yum.repos.d/systemd.repo 10 | -------------------------------------------------------------------------------- /mkosi.profiles/desktop/mkosi.conf.d/debian/mkosi.conf.d/x86-64.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Architecture=x86-64 5 | 6 | [Content] 7 | Packages= 8 | amd64-microcode 9 | firmware-cirrus 10 | firmware-intel-graphics 11 | firmware-intel-sound 12 | intel-microcode 13 | -------------------------------------------------------------------------------- /mkosi.profiles/desktop/mkosi.conf.d/fedora/mkosi.conf.d/x86-64.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Architecture=x86-64 5 | 6 | [Content] 7 | Packages= 8 | microcode_ctl 9 | amd-ucode-firmware 10 | cirrus-audio-firmware 11 | intel-audio-firmware 12 | intel-gpu-firmware 13 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/mkosi.conf.d/arch.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=arch 5 | 6 | [Build] 7 | 
SandboxTrees=systemd.gpg:/usr/share/pacman/keyrings/systemd.gpg 8 | systemd-trusted:/usr/share/pacman/keyrings/systemd-trusted 9 | arch.conf:/etc/pacman.d/systemd.conf 10 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/fedora.repo: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | # gpgcheck=1 verifies package signatures against the gpgkey file below. NOTE(review): repo_gpgcheck is not set, so repository metadata relies on the https:// transport alone - confirm that is intended. 3 | [systemd] 4 | name=systemd packages built from upstream main (Fedora_Rawhide) 5 | type=rpm-md 6 | baseurl=https://download.opensuse.org/repositories/system:/systemd/Fedora_Rawhide/ 7 | gpgcheck=1 8 | gpgkey=file:///usr/share/pki/rpm-gpg/systemd.gpg 9 | enabled=1 10 | -------------------------------------------------------------------------------- /mkosi.images/netesp/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Profiles=netesp 5 | 6 | [Output] 7 | Format=esp 8 | # UEFI insists on the .img suffix for disk images to boot from, hence let's combine our usual suffix with UEFI's 9 | OutputExtension=raw.img 10 | Output=netesp_%a 11 | ImageVersion= 12 | 13 | [Content] 14 | Bootable=no 15 | -------------------------------------------------------------------------------- /mkosi.conf.d/arch/mkosi.postinst: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SPDX-License-Identifier: LGPL-2.1-or-later 3 | # NOTE(review): no `set -e` here, unlike mkosi.clean and mkosi.finalize; a failing mkdir would not stop the mv below. 4 | rm -f "$BUILDROOT/usr/lib/tmpfiles.d/arch.conf" 5 | rm -f "$BUILDROOT/usr/lib/tmpfiles.d/audit.conf" 6 | rm -f "$BUILDROOT/usr/lib/tmpfiles.d/openssh.conf" 7 | # Move pacman's local package database under /usr, matching DBPath = /usr/lib/pacman in the shipped pacman.conf. 8 | mkdir "$BUILDROOT/usr/lib/pacman" 9 | mv "$BUILDROOT/var/lib/pacman/local" "$BUILDROOT/usr/lib/pacman" 10 | -------------------------------------------------------------------------------- /mkosi.finalize: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 
SPDX-License-Identifier: LGPL-2.1-or-later 3 | set -e 4 | 5 | # Capture the entirety of /etc in /usr/share/factory/etc so we can use 6 | # systemd-tmpfiles to symlink individual directories from it to /etc. 7 | mkdir -p "$BUILDROOT/usr/share/factory/" 8 | cp --archive --no-target-directory --update=none "$BUILDROOT/etc" "$BUILDROOT/usr/share/factory/etc" 9 | -------------------------------------------------------------------------------- /mkosi.profiles/gnome/mkosi.conf.d/debian/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=debian 5 | 6 | [Content] 7 | Packages= 8 | gnome-browser-connector 9 | gnome-core 10 | gnome-initial-setup 11 | gnome-keyring-pkcs11 12 | gnome-software-plugin-flatpak 13 | gnome-software-plugin-fwupd 14 | -------------------------------------------------------------------------------- /mkosi.profiles/kde/mkosi.extra/usr/lib/sddm/sddm.conf.d/particleos.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [General] 4 | Numlock=on 5 | DisplayServer=wayland 6 | GreeterEnvironment=QT_WAYLAND_SHELL_INTEGRATION=layer-shell 7 | 8 | [Theme] 9 | Current=breeze 10 | 11 | [Wayland] 12 | CompositorCommand=kwin_wayland --no-global-shortcuts --no-lockscreen --locale1 13 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/mkosi.conf.d/arch-tools.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | ToolsTreeDistribution=arch 5 | 6 | [Build] 7 | ToolsTreeSandboxTrees=systemd.gpg:/usr/share/pacman/keyrings/systemd.gpg 8 | systemd-trusted:/usr/share/pacman/keyrings/systemd-trusted 9 | arch.conf:/etc/pacman.d/systemd.conf 10 | 
-------------------------------------------------------------------------------- /mkosi.sysupdate/12-usr.transfer: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Transfer] 4 | ProtectVersion=%A 5 | 6 | [Source] 7 | Type=regular-file 8 | Path=/ 9 | PathRelativeTo=explicit 10 | MatchPattern=%M_@v_%a.usr-%a.@u.raw 11 | 12 | [Target] 13 | Type=partition 14 | Path=auto 15 | MatchPattern=%M_@v 16 | MatchPartitionType=usr 17 | PartitionFlags=0 18 | ReadOnly=1 19 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.postinst.chroot: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SPDX-License-Identifier: LGPL-2.1-or-later 3 | set -e 4 | 5 | # Debian/Ubuntu PAM patches break /usr/lib/pam.d/ so copy to factory 6 | # TODO: drop after https://salsa.debian.org/vorlon/pam/-/merge_requests/26 is merged 7 | if [[ -f /usr/lib/tmpfiles.d/debian.conf ]]; then 8 | sed -i '/\/etc\/pam.d/d' /usr/lib/tmpfiles.d/debian.conf 9 | fi 10 | -------------------------------------------------------------------------------- /mkosi.sysupdate/11-usr-verity.transfer: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Transfer] 4 | ProtectVersion=%A 5 | 6 | [Source] 7 | Type=regular-file 8 | Path=/ 9 | PathRelativeTo=explicit 10 | MatchPattern=%M_@v_%a.usr-%a-verity.@u.raw 11 | 12 | [Target] 13 | Type=partition 14 | Path=auto 15 | MatchPattern=%M_@v_verity 16 | MatchPartitionType=usr-verity 17 | PartitionFlags=0 18 | ReadOnly=1 19 | -------------------------------------------------------------------------------- /mkosi.uki-profiles/80-storagetm.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [UKIProfile] 4 | Profile= 5 | 
ID=storagetm 6 | TITLE=Storage Target Mode with Public Access 7 | 8 | Cmdline= 9 | rd.systemd.unit=storage-target-mode.target 10 | ip=any 11 | ro 12 | audit=0 13 | systemd.image_policy=- 14 | root=off 15 | 16 | SignExpectedPcr=no 17 | -------------------------------------------------------------------------------- /mkosi.sysupdate/10-usr-verity-sig.transfer: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Transfer] 4 | ProtectVersion=%A 5 | 6 | [Source] 7 | Type=regular-file 8 | Path=/ 9 | PathRelativeTo=explicit 10 | MatchPattern=%M_@v_%a.usr-%a-verity-sig.@u.raw 11 | 12 | [Target] 13 | Type=partition 14 | Path=auto 15 | MatchPattern=%M_@v_verity_sig 16 | MatchPartitionType=usr-verity-sig 17 | PartitionFlags=0 18 | ReadOnly=1 19 | -------------------------------------------------------------------------------- /mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [UKIProfile] 4 | Profile= 5 | ID=factory-reset-tpm2-clear 6 | TITLE=Reset System to Factory Defaults + TPM2 Clear [CAUTION!] 
7 | 8 | Cmdline= 9 | rd.systemd.unit=factory-reset.target 10 | ro 11 | audit=0 12 | systemd.image_policy=- 13 | root=off 14 | 15 | SignExpectedPcr=no 16 | -------------------------------------------------------------------------------- /.obs/workflows.yml: -------------------------------------------------------------------------------- 1 | rebuild: 2 | steps: 3 | - trigger_services: 4 | project: system:systemd 5 | package: particleos-debian 6 | - trigger_services: 7 | project: system:systemd 8 | package: particleos-debian-arm 9 | - trigger_services: 10 | project: system:systemd 11 | package: particleos-fedora 12 | filters: 13 | event: push 14 | branches: 15 | only: 16 | - obs 17 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/systemd/system/preset-global.service: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Unit] 4 | ConditionFirstBoot=yes 5 | ConditionPathIsReadWrite=/etc 6 | 7 | DefaultDependencies=no 8 | 9 | Before=basic.target 10 | Conflicts=shutdown.target 11 | Before=shutdown.target 12 | 13 | [Service] 14 | Type=oneshot 15 | RemainAfterExit=yes 16 | ExecStart=systemctl preset-all --global 17 | 18 | [Install] 19 | WantedBy=basic.target 20 | -------------------------------------------------------------------------------- /mkosi.credentials/home.create.particleos: -------------------------------------------------------------------------------- 1 | { 2 | "userName": "particleos", 3 | "uid": 1000, 4 | "gid": 1000, 5 | "disposition": "regular", 6 | "enforcePasswordPolicy": false, 7 | "memberOf": [ 8 | "wheel", 9 | "systemd-journal" 10 | ], 11 | "secret": { 12 | "password": ["particleos"] 13 | }, 14 | "privileged": { 15 | "hashedPassword": ["$1$idWouTQ8$ez22l/yqjROCxwZ27R1kO."] 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /mkosi.profiles/desktop/mkosi.conf: 
-------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Content] 4 | Packages= 5 | bluez 6 | bolt 7 | desktop-file-utils 8 | pax-utils 9 | pgpdump 10 | pipewire 11 | pipewire-alsa 12 | qemu-guest-agent 13 | wireless-regdb 14 | xdg-desktop-portal 15 | 16 | # NetworkManager is used in the desktop profiles 17 | RemoveFiles=/usr/lib/systemd/network/89-ethernet.network 18 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.extra/usr/lib/tmpfiles.d/etc-debian.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | # Debian/Ubuntu PAM patches break /usr/lib/pam.d/ so symlink to /etc/ 4 | L? /etc/pam.d - - - - /usr/lib/pam.d 5 | 6 | # On Debian/Ubuntu it's called gdm3, not gdm 7 | L? /etc/gdm3 8 | 9 | # On Debian/Ubuntu the nftables service fails if this config is not present 10 | L? /etc/nftables.conf 11 | 12 | # These can be dropped once https://bugs.debian.org/1108017 is fixed 13 | L? /etc/adduser.conf 14 | L? 
/etc/deluser.conf 15 | -------------------------------------------------------------------------------- /mkosi.sysupdate/20-uki.transfer: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Transfer] 4 | ProtectVersion=%A 5 | 6 | [Source] 7 | Type=regular-file 8 | Path=/ 9 | PathRelativeTo=explicit 10 | MatchPattern=%M_@v_%a.efi 11 | 12 | [Target] 13 | Type=regular-file 14 | Path=/EFI/Linux 15 | PathRelativeTo=boot 16 | MatchPattern=%M_@v_%a+@l-@d.efi \ 17 | %M_@v_%a+@l.efi \ 18 | %M_@v_%a.efi \ 19 | %M_@v+@l-@d.efi \ 20 | %M_@v+@l.efi \ 21 | %M_@v.efi 22 | Mode=0600 23 | TriesLeft=3 24 | TriesDone=0 25 | InstancesMax=2 26 | -------------------------------------------------------------------------------- /mkosi.profiles/desktop/mkosi.conf.d/arch/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=arch 5 | 6 | [Content] 7 | Splash=/usr/share/systemd/bootctl/splash-arch.bmp 8 | Packages= 9 | adobe-source-code-pro-fonts 10 | linux-firmware 11 | intel-media-driver 12 | mesa 13 | modemmanager 14 | networkmanager 15 | noto-fonts 16 | pipewire-pulse 17 | power-profiles-daemon 18 | sof-firmware 19 | vulkan-intel 20 | vulkan-nouveau 21 | vulkan-radeon 22 | wpa_supplicant 23 | -------------------------------------------------------------------------------- /mkosi.uki-profiles/95-emergency.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [UKIProfile] 4 | Profile= 5 | ID=emergency 6 | TITLE=Boot into Emergency Mode 7 | 8 | Cmdline= 9 | root=dissect 10 | mount.usr=dissect 11 | systemd.unit=emergency.target 12 | rw 13 | audit=0 14 | 
systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted+absent:swap=encrypted+unused+absent:home=unprotected+absent:=ignore 15 | systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*:root=ParticleOS-*:swap=ParticleOS-*:home=ParticleOS-* 16 | 17 | SignExpectedPcr=yes 18 | -------------------------------------------------------------------------------- /mkosi.uki-profiles/90-factory-reset.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [UKIProfile] 4 | Profile= 5 | ID=factory-reset 6 | TITLE=Reset System to Factory Defaults [CAUTION!] 7 | 8 | Cmdline= 9 | root=dissect 10 | mount.usr=dissect 11 | systemd.factory_reset=1 12 | rw 13 | audit=0 14 | systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted+absent:swap=encrypted+unused+absent:home=unprotected+absent:=ignore 15 | systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*:root=ParticleOS-*:swap=ParticleOS-*:home=ParticleOS-* 16 | 17 | SignExpectedPcr=yes 18 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | posted: 2 | • homed adopt 3 | • hostnamectl should show image id 4 | 5 | todo: 6 | • luks recovery key firstboot prompt 7 | • installer tool (wrapping repart, bootctl install, tpm2-clear, reboot) 8 | • make sure reset and so on are never candidates for auto selection in menu 9 | • boot counting 10 | • pcrlock 11 | • sysupdate from http 12 | • ask for confirmation before factory reset 13 | • firstboot: when asking for kbd mapping, preselect uefi firmware default 14 | • firstboot: when asking for hostname, preselect default hostname 15 | • ask for confirmation before factory reset 16 | 17 | later: 18 | • in live mode: mark root block device
read-only on block level 19 | • pkcs7 for image downloads, rather than gpg 20 | • https boot 21 | -------------------------------------------------------------------------------- /mkosi.profiles/desktop/mkosi.conf.d/fedora/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=fedora 5 | 6 | [Content] 7 | Splash=/usr/share/pixmaps/fedora-logo.png 8 | Packages= 9 | adobe-source-code-pro-fonts 10 | alsa-sof-firmware 11 | amd-gpu-firmware 12 | fedora-logos 13 | glx-utils 14 | kernel-modules 15 | iwlwifi-mvm-firmware 16 | linux-firmware 17 | mesa-dri-drivers 18 | mesa-vulkan-drivers 19 | ModemManager 20 | nvidia-gpu-firmware 21 | NetworkManager 22 | pipewire-pulseaudio 23 | steam-devices 24 | tuned-ppd 25 | google-noto-fonts-all 26 | wpa_supplicant 27 | -------------------------------------------------------------------------------- /mkosi.profiles/gnome/mkosi.extra/usr/lib/systemd/system/homed-accounts-workaround.service: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | # TODO: drop once https://gitlab.freedesktop.org/accountsservice/accountsservice/-/issues/89 is fixed 3 | 4 | [Unit] 5 | Description=Tell the accounts service about homed users 6 | After=systemd-homed.service accounts-daemon.service 7 | Before=systemd-user-sessions.service 8 | 9 | [Service] 10 | Type=oneshot 11 | ExecStart=/bin/bash -c "for n in $$(busctl call org.freedesktop.home1 /org/freedesktop/home1 org.freedesktop.home1.Manager ListHomes --json=pretty | jq -r '.data.[].[].[0]'); do busctl call org.freedesktop.Accounts /org/freedesktop/Accounts org.freedesktop.Accounts CacheUser s $$n; done" 12 | 13 | [Install] 14 | WantedBy=multi-user.target 15 | -------------------------------------------------------------------------------- /mkosi.profiles/kde/mkosi.conf: 
-------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | # Requires desktop profile. 4 | 5 | [Content] 6 | Packages= 7 | ark 8 | sddm 9 | bluedevil 10 | breeze-gtk 11 | kde-gtk-config 12 | kdeplasma-addons 13 | kgamma 14 | kinfocenter 15 | kscreen 16 | ksshaskpass 17 | kwallet-pam 18 | kwrited 19 | ocean-sound-theme 20 | plasma-desktop 21 | plasma-disks 22 | plasma-nm 23 | plasma-pa 24 | plasma-systemmonitor 25 | plasma-thunderbolt 26 | plasma-welcome 27 | plasma-workspace-wallpapers 28 | powerdevil 29 | sddm-kcm 30 | xdg-desktop-portal-kde 31 | flatpak-kcm 32 | konsole 33 | dolphin 34 | spectacle 35 | -------------------------------------------------------------------------------- /mkosi.uki-profiles/99-debug.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [UKIProfile] 4 | Profile= 5 | ID=debug 6 | TITLE=Boot with debug logs enabled 7 | 8 | Cmdline= 9 | root=dissect 10 | mount.usr=dissect 11 | debug 12 | systemd.log_level=debug 13 | systemd.journald.forward_to_console=1 14 | rw 15 | audit=0 16 | systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted+absent:swap=encrypted+unused+absent:home=unprotected+absent:=ignore 17 | systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*:root=ParticleOS-*:swap=ParticleOS-*:home=ParticleOS-* 18 | 19 | # More knobs to enable: 20 | # systemd.log_target=console 21 | # rd.systemd.break=pre-switch-root 22 | 23 | SignExpectedPcr=yes 24 | -------------------------------------------------------------------------------- /mkosi.uki-profiles/10-live.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [UKIProfile] 4 | Profile= 5 | ID=live 6 | TITLE=Live System (Installer) 7 | 8 | Cmdline= 9 | 
root=tmpfs 10 | mount.usr=dissect 11 | rd.systemd.mask=systemd-repart.service 12 | systemd.mask=systemd-repart.service 13 | systemd.firstboot=no 14 | systemd.set-credential=agetty.autologin:root 15 | systemd.set-credential=login.noauth:yes 16 | SYSTEMD_SULOGIN_FORCE=1 17 | systemd.journald.forward_to_console=1 18 | systemd.journald.max_level_console=warning 19 | rw 20 | audit=0 21 | systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:=ignore 22 | systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_* 23 | 24 | SignExpectedPcr=no 25 | -------------------------------------------------------------------------------- /mkosi.conf.d/arch/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=arch 5 | 6 | [Content] 7 | Packages= 8 | archlinux-keyring 9 | bpf 10 | ccid 11 | compsize 12 | cryptsetup 13 | dbus-broker-units 14 | expac 15 | git 16 | iproute2 17 | iputils 18 | libfido2 19 | linux 20 | man-db 21 | man-pages 22 | openssh 23 | pacman 24 | pcsclite 25 | perf 26 | polkit 27 | procps-ng 28 | psmisc 29 | python3 30 | qrencode 31 | sbsigntools 32 | shadow 33 | systemd-ukify 34 | tgt 35 | tpm2-tools 36 | tpm2-tss 37 | vim-minimal 38 | wget 39 | xz 40 | zram-generator 41 | 42 | VolatilePackages= 43 | systemd-ukify 44 | -------------------------------------------------------------------------------- /mkosi.profiles/desktop/mkosi.conf.d/debian/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=debian 5 | 6 | [Content] 7 | Packages= 8 | debconf 9 | desktop-base 10 | firmware-amd-graphics 11 | firmware-iwlwifi 12 | firmware-linux 13 | firmware-sof-signed 14 | fonts-adobe-sourcesans3 15 | fonts-noto-color-emoji 16 | fonts-noto-mono 17 | gstreamer1.0-libav 18 | 
gstreamer1.0-plugins-ugly 19 | kbd 20 | libsecret-tools 21 | libyubikey-udev 22 | mesa-vulkan-drivers 23 | modemmanager 24 | network-manager 25 | pipewire-pulse 26 | plymouth-themes 27 | steam-devices 28 | tuned-ppd 29 | va-driver-all 30 | vdpau-driver-all 31 | wpasupplicant 32 | 33 | InitrdVolatilePackages= 34 | systemd-container 35 | systemd-resolved 36 | -------------------------------------------------------------------------------- /mkosi.postinst.chroot: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SPDX-License-Identifier: LGPL-2.1-or-later 3 | set -e 4 | 5 | if command -v authselect >/dev/null; then 6 | authselect select local 7 | authselect enable-feature with-systemd-homed 8 | fi 9 | 10 | if [[ -d /etc/pam.d ]]; then 11 | find /etc/pam.d -mindepth 1 -exec mv {} /usr/lib/pam.d \; 12 | rmdir /etc/pam.d 13 | fi 14 | 15 | # Get rid of obsolete stuff in the pam stack. 16 | find /usr/lib/pam.d/ -mindepth 1 -exec sed --in-place '/pam_shells.so/d' {} \; 17 | find /usr/lib/pam.d/ -mindepth 1 -exec sed --in-place '/pam_securetty.so/d' {} \; 18 | 19 | # Fedora disables the userdb ssh dropin by default, but helpfully leaves it available in 20 | # the package so that we can just symlink it to a name that will be picked up by systemd-tmpfiles. 21 | if [[ -f /usr/lib/tmpfiles.d/20-systemd-userdb.conf.example ]]; then 22 | ln --symbolic 20-systemd-userdb.conf.example /usr/lib/tmpfiles.d/20-systemd-userdb.conf 23 | fi 24 | -------------------------------------------------------------------------------- /mkosi.profiles/gnome/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | # Requires desktop profile. 
4 | 5 | [Content] 6 | Packages= 7 | baobab 8 | evince 9 | gnome-backgrounds 10 | gnome-calculator 11 | gnome-calendar 12 | gnome-characters 13 | gnome-clocks 14 | gnome-color-manager 15 | gnome-contacts 16 | gnome-control-center 17 | gnome-disk-utility 18 | gnome-font-viewer 19 | gnome-keyring 20 | gnome-logs 21 | gnome-maps 22 | gnome-menus 23 | gnome-music 24 | gnome-session 25 | gnome-settings-daemon 26 | gnome-shell 27 | gnome-software 28 | gnome-system-monitor 29 | gnome-terminal 30 | gnome-text-editor 31 | gnome-tour 32 | ibus 33 | nautilus 34 | snapshot 35 | tecla 36 | loupe 37 | xdg-desktop-portal-gnome 38 | xdg-desktop-portal-gtk 39 | xdg-user-dirs-gtk 40 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/systemd/system-preset/10-particleos.preset: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | # Make sure we have networking available. 4 | enable systemd-networkd.service 5 | enable systemd-networkd.socket 6 | enable systemd-networkd-wait-online.service 7 | enable systemd-resolved.service 8 | 9 | # Enable NetworkManager as well for desktop environments. systemd-networkd won't 10 | # manage any interfaces by default and so shouldn't conflict with 11 | # NetworkManager. 12 | enable NetworkManager.service 13 | enable NetworkManager-wait-online.service 14 | 15 | # These are not enabled by default in the default systemd preset. 16 | enable systemd-timesyncd.service 17 | enable systemd-homed-firstboot.service 18 | 19 | # Disable avahi in favor of resolved 20 | disable avahi.* 21 | 22 | enable pcscd.service 23 | enable power-profiles-daemon.service 24 | 25 | # Our own service to run systemctl preset --global. 26 | enable preset-global.service 27 | 28 | # Should be enabled manually by the user after first boot. 
29 | disable gdm.service 30 | 31 | # Prefer socket activated SSH over daemon SSH 32 | disable sshd.service 33 | disable ssh.service 34 | enable sshd.socket 35 | enable ssh.socket 36 | enable sshd-keygen.service 37 | -------------------------------------------------------------------------------- /mkosi.conf.d/fedora/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=fedora 5 | 6 | [Distribution] 7 | Release=rawhide 8 | 9 | [Content] 10 | Packages= 11 | bash-color-prompt 12 | bpftool 13 | cryptsetup 14 | distribution-gpg-keys 15 | dnf5 16 | fido2-tools 17 | git-core 18 | integritysetup 19 | iproute 20 | iproute-tc 21 | iputils 22 | kernel-core 23 | libcap-ng-utils 24 | libfido2 25 | man-db 26 | man-pages 27 | openssh 28 | openssh-clients 29 | openssh-server 30 | pam 31 | passwd 32 | pcsc-lite 33 | pcsc-lite-ccid 34 | perf 35 | polkit 36 | procps-ng 37 | python3 38 | rpm 39 | sbsigntools 40 | systemd-boot 41 | systemd-container 42 | systemd-networkd 43 | systemd-networkd-defaults 44 | systemd-oomd-defaults 45 | systemd-resolved 46 | systemd-ukify 47 | tpm2-tools 48 | tpm2-tss 49 | veritysetup 50 | vim-minimal 51 | wget2 52 | xz 53 | zram-generator-defaults 54 | 55 | VolatilePackages= 56 | systemd-boot 57 | systemd-container 58 | systemd-networkd 59 | systemd-networkd-defaults 60 | systemd-oomd-defaults 61 | systemd-resolved 62 | systemd-ukify 63 | -------------------------------------------------------------------------------- /mkosi.conf.d/debian/mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Match] 4 | Distribution=debian 5 | 6 | [Distribution] 7 | Release=trixie 8 | Repositories=non-free-firmware 9 | 10 | [Content] 11 | Packages= 12 | apparmor 13 | apt 14 | bpftool 15 | ca-certificates 16 | cryptsetup-bin 17 | debian-archive-keyring 18 | 
fido2-tools 19 | git 20 | iproute2 21 | iputils-ping 22 | libcap-ng-utils 23 | libidn2-0 24 | libnss-myhostname 25 | libnss-mymachines 26 | libnss-systemd 27 | libpam-systemd 28 | libpwquality1 29 | libqrencode4 30 | linux-image-generic 31 | linux-perf 32 | linux-sysctl-defaults 33 | login 34 | manpages 35 | openssh-client 36 | openssh-server 37 | passwd 38 | pcsc-tools 39 | pcscd 40 | polkitd 41 | procps 42 | python3 43 | sbsigntool 44 | systemd-boot 45 | systemd-boot-efi 46 | systemd-boot-efi-signed 47 | systemd-container 48 | systemd-coredump 49 | systemd-cryptsetup 50 | systemd-homed 51 | systemd-resolved 52 | systemd-repart 53 | systemd-sysv 54 | systemd-timesyncd 55 | systemd-ukify 56 | systemd-zram-generator 57 | tpm2-tools 58 | util-linux-extra 59 | wget 60 | xz-utils 61 | 62 | VolatilePackages= 63 | libnss-myhostname 64 | libnss-mymachines 65 | libnss-systemd 66 | libpam-systemd 67 | systemd-boot 68 | systemd-boot-efi 69 | systemd-boot-efi-signed 70 | systemd-container 71 | systemd-coredump 72 | systemd-cryptsetup 73 | systemd-homed 74 | systemd-resolved 75 | systemd-repart 76 | systemd-sysv 77 | systemd-timesyncd 78 | systemd-ukify 79 | 80 | InitrdVolatilePackages= 81 | systemd-container 82 | systemd-resolved 83 | -------------------------------------------------------------------------------- /mkosi.extra/usr/lib/tmpfiles.d/etc.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | # This overrides the same file from systemd since we want to symlink everything 4 | # into /etc instead of copying so updates to /usr propagate properly. 5 | L /etc/os-release - - - - ../usr/lib/os-release 6 | L+ /etc/mtab - - - - ../proc/self/mounts 7 | # Contains the default systemd locale 8 | L /etc/locale.conf 9 | L /etc/nsswitch.conf 10 | L /etc/issue 11 | L /etc/profile 12 | L /etc/profile.d 13 | # Required by pam_env plugin 14 | L /etc/security 15 | L? /etc/bashrc 16 | L? 
/etc/bash.bashrc 17 | L? /etc/bash.bash_logout 18 | # TODO: drop once https://github.com/scop/bash-completion/pull/1399 is merged, 19 | # needed for shell completion of sd-run/run0 20 | L? /etc/bash_completion.d 21 | # Canonical location to look for certificates 22 | L? /etc/ca-certificates 23 | L? /etc/crypto-policies 24 | L? /etc/pki 25 | L /etc/debuginfod 26 | L /etc/ssh/ssh_config 27 | L /etc/ssh/ssh_config.d 28 | L /etc/ssh/sshd_config 29 | L /etc/ssh/sshd_config.d 30 | # Canonical location to look for certificates 31 | L /etc/ssl 32 | # Required by pam environment plugin 33 | L /etc/environment 34 | # pacman configuration file to look up the local database in /usr. 35 | L? /etc/pacman.conf 36 | # Required to generate desktop environment application menus 37 | L /etc/xdg 38 | # Contains default font configuration 39 | L /etc/fonts 40 | # Configuration for man 41 | L /etc/man_db.conf 42 | # Configuration for ldconfig 43 | L /etc/ld.so.conf 44 | L /etc/ld.so.conf.d 45 | # Required by authselect (Fedora/CentOS) 46 | L? /etc/authselect 47 | # Required by tuned 48 | L? /etc/tuned 49 | # Required by gdm 50 | L? /etc/gdm 51 | # Required by geoclue 52 | L? /etc/geoclue 53 | # Required by fwupd 54 | L /etc/fwupd 55 | # Required by gnome 56 | L? /etc/dconf 57 | L? /etc/skel 58 | # CUPS is pulled in by GNOME, and fails if the configs are not there 59 | L? /etc/cups 60 | # On some distributions various binaries in /usr/bin are managed via 61 | # /etc/alternatives. 62 | L? /etc/alternatives 63 | # PackageKit does not run without /etc/PackageKit/ and GNOME stalls 64 | # logout/reboot if it doesn't run. 65 | L? /etc/PackageKit 66 | # ModemManager needs its dbus policy file 67 | L? /etc/dbus1/systemd.d/org.freedesktop.ModemManager1.conf 68 | # man fails without this in /etc/ 69 | L? 
/etc/manpath.config 70 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/systemd.gpg: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | -----BEGIN PGP PUBLIC KEY BLOCK----- 3 | 4 | mQINBGeRJx8BEADqKZE5kFgSgfWDAyxe00hPpFkallYzPH7w2qHLXAZxeRo3tlHf 5 | 8K5W02omR5/3sNEsEPVt5mjIo7gjvu/40Anw7c8H0/j/yw1YydVWBPvFqRFagRxf 6 | HSVdoVL/+n8h/Fe1QO3+y4Y2+iOHBxPdmK8GEAfsvy24zP6us5wNclihD/+x91NY 7 | bhUX55s0W3ZGIRjxlL3MQkGJ/Ax/oYykVpmPrJXLKJz77pIJvFmYiRypwamgatu8 8 | VwaeNstBn7Xx2QezAPPMNHc35g1TJGxHC2dohOJV5BFospPeqMSt1PVZ+ycSPDeH 9 | XLVPVnSbgZJBGFDQJ90kF58lYl3MlMRDlcGCxmhFMQ+auw4n7CGJv5dq0FH7SxAK 10 | eAcrqAV7Vf+9uRkNYemlU7aG8SVtjHaGNObX4HvuWhsvHVwwfq+u+g0MRfQLtOJZ 11 | ZdHWfP0c0lhGtJWWvhxAcVnOOv3zIZNGx2uNBDHpwo3ysGXRhNzdUi/FCyIcS0mQ 12 | JMVfbW/L/GPLvlnQHbtkSPFxoOkLuSrrhQ8jbw9fY+BT9xAxL1sQmmyWNM6idCNV 13 | EZoxSD639nLHCf8qVNL+nl83oC2nmR87RNcy8WKUdTKoX3DcGOzyWIlAyXu3OBSJ 14 | yOh1ueouYpJZRADTuQvGjGFg2Spi7NV6GWDuOhMlJfsY//Z053WGKeEXyQARAQAB 15 | tD5zeXN0ZW06c3lzdGVtZCBPQlMgUHJvamVjdCA8c3lzdGVtOnN5c3RlbWRAYnVp 16 | bGQub3BlbnN1c2Uub3JnPokCVAQTAQgAPhYhBM9Jbf2RjIo/VcVuvHE79ycyggd4 17 | BQJnkScfAhsDBQkEHrAABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHE79ycy 18 | ggd495EQALoChId0Gq2cv9F3cj/EYK7RCcEb1zRLwWQTtMEFqadfSANIzNJPWmkD 19 | n3g2gGnaQsmDqKw9EwPYfMw4hGgT9/WnMC/FbN0bwKJWJJogO24VmsCebqGUlv2t 20 | Cd7XVdzFJZ6V6TlrKapJc8PaoQrlkquyN8O2RKYbpJQyaArt5owVPYyvtBxSSxOt 21 | CFyYkQOlSkzBVZEyl4rFsNvZk7ypi6Ol17oldB43c+bFNPMxVY+zd8TN6+lZ358Y 22 | P6em6gz2koUQUiTbg/0wvSN6yu2WMNJ9R9LWEWbuNdKSfAr+1p5A5URPC3spMuwg 23 | MpWqhfqaOHjSgmJwy8KDHxclD4BKXRMeNBYVGRDzWEhf3hu9FVVkL3kQeumFlKXu 24 | CsWM+JByOyoxMGa4U+GECuQVqHeLnkby9/xD+8SkvALtgxE8eAgMFfjmj6xaUQye 25 | rAZlAz3okYnw/rTvLCioAy2c68j+BFrgmixDDis3qh6/vNzf5iMJ4vIDflKZhlzT 26 | Q4JMIvbbzPYxn7AaYfZYvEn8AUczK2kOjac9ocJbMY33TVS/L0FJ413+xbfMB70d 27 | 5Ug3N3VkMgXgV0AeTYT/3oob/YDmq+131MwFQTRUGK172wPyO+ceNM43rfj6ktZu 28 | 
i3gQ5DKFJjY3oe99po+mh/462CthVIviANcxTq+6BZs8fbzUCxUgiQIzBBMBCAAd 29 | FiEEzDXMPTXlo2Q+VFpDzwuSjN7WTzsFAmeRJyAACgkQzwuSjN7WTzt9AA/+MaM7 30 | +HzwfUx7ue1gFukpBaLizvDFi8jOTe/wdOCvejlmsVwAnurogqt3huchb9MyZJps 31 | MLxD5aHQR+6zliLleloWrYY0DIbTFG8Z7caexPwF11izkcbIll4WaMP+yEuyDFqk 32 | rjPQHctk/rlJ5sN6KvPdRQx+BudZxuz8Ej72+DTHuazMoRLvt66CdgZqRbXhcdEW 33 | mMK8atImS0Ws380bJkdrKpa0b3X5oRAQOCxd7cKwfU7KMTbYa2gvKpscC/CFLdVS 34 | u8B4G3oCpiVaRL8GxGSvvraEqBi5zKt+/2NuqdIudhHXUMdXsNFtbggspYWXGvcp 35 | n0TgjeccB8zWnHu1HFSRu+2ZyRh0chfxVXlU2mf0MgVNtKmNIpPEqeP6bxCyPh2l 36 | d5VYQjXiIFhXgGWF9QaZEtbwKjvgTU/ml/pL0/+CqCcDNSe7cPwSF5zNBDe6lALt 37 | 76opOwYUmPRxRGZz5xcm3U7wTK2agl4+eZwtohQGr++2GhsNIAJnlQUI11reZkF2 38 | dGY4d7V4lk6mvhXC00qFbyU17cD37TjhPX91zpW7raL/Ni1ixQYjDC+/LccdH1IU 39 | Dv3ziXvweHRW1NB+YDvg++QWgwsQ9LXITy8HJU7UubOV9aReQslG4adwCHOtLOLS 40 | eaFoffTr4S8HomntcGNWIXat26E55VAETAWYFtI= 41 | =/SNl 42 | -----END PGP PUBLIC KEY BLOCK----- 43 | -------------------------------------------------------------------------------- /mkosi.profiles/obs/debian.sources: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | Types: deb 3 | URIs: http://download.opensuse.org/repositories/system:/systemd/Debian_Testing/ 4 | Suites: / 5 | Signed-By: 6 | -----BEGIN PGP PUBLIC KEY BLOCK----- 7 | . 
8 | mQINBGeRJx8BEADqKZE5kFgSgfWDAyxe00hPpFkallYzPH7w2qHLXAZxeRo3tlHf 9 | 8K5W02omR5/3sNEsEPVt5mjIo7gjvu/40Anw7c8H0/j/yw1YydVWBPvFqRFagRxf 10 | HSVdoVL/+n8h/Fe1QO3+y4Y2+iOHBxPdmK8GEAfsvy24zP6us5wNclihD/+x91NY 11 | bhUX55s0W3ZGIRjxlL3MQkGJ/Ax/oYykVpmPrJXLKJz77pIJvFmYiRypwamgatu8 12 | VwaeNstBn7Xx2QezAPPMNHc35g1TJGxHC2dohOJV5BFospPeqMSt1PVZ+ycSPDeH 13 | XLVPVnSbgZJBGFDQJ90kF58lYl3MlMRDlcGCxmhFMQ+auw4n7CGJv5dq0FH7SxAK 14 | eAcrqAV7Vf+9uRkNYemlU7aG8SVtjHaGNObX4HvuWhsvHVwwfq+u+g0MRfQLtOJZ 15 | ZdHWfP0c0lhGtJWWvhxAcVnOOv3zIZNGx2uNBDHpwo3ysGXRhNzdUi/FCyIcS0mQ 16 | JMVfbW/L/GPLvlnQHbtkSPFxoOkLuSrrhQ8jbw9fY+BT9xAxL1sQmmyWNM6idCNV 17 | EZoxSD639nLHCf8qVNL+nl83oC2nmR87RNcy8WKUdTKoX3DcGOzyWIlAyXu3OBSJ 18 | yOh1ueouYpJZRADTuQvGjGFg2Spi7NV6GWDuOhMlJfsY//Z053WGKeEXyQARAQAB 19 | tD5zeXN0ZW06c3lzdGVtZCBPQlMgUHJvamVjdCA8c3lzdGVtOnN5c3RlbWRAYnVp 20 | bGQub3BlbnN1c2Uub3JnPokCVAQTAQgAPhYhBM9Jbf2RjIo/VcVuvHE79ycyggd4 21 | BQJnkScfAhsDBQkEHrAABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHE79ycy 22 | ggd495EQALoChId0Gq2cv9F3cj/EYK7RCcEb1zRLwWQTtMEFqadfSANIzNJPWmkD 23 | n3g2gGnaQsmDqKw9EwPYfMw4hGgT9/WnMC/FbN0bwKJWJJogO24VmsCebqGUlv2t 24 | Cd7XVdzFJZ6V6TlrKapJc8PaoQrlkquyN8O2RKYbpJQyaArt5owVPYyvtBxSSxOt 25 | CFyYkQOlSkzBVZEyl4rFsNvZk7ypi6Ol17oldB43c+bFNPMxVY+zd8TN6+lZ358Y 26 | P6em6gz2koUQUiTbg/0wvSN6yu2WMNJ9R9LWEWbuNdKSfAr+1p5A5URPC3spMuwg 27 | MpWqhfqaOHjSgmJwy8KDHxclD4BKXRMeNBYVGRDzWEhf3hu9FVVkL3kQeumFlKXu 28 | CsWM+JByOyoxMGa4U+GECuQVqHeLnkby9/xD+8SkvALtgxE8eAgMFfjmj6xaUQye 29 | rAZlAz3okYnw/rTvLCioAy2c68j+BFrgmixDDis3qh6/vNzf5iMJ4vIDflKZhlzT 30 | Q4JMIvbbzPYxn7AaYfZYvEn8AUczK2kOjac9ocJbMY33TVS/L0FJ413+xbfMB70d 31 | 5Ug3N3VkMgXgV0AeTYT/3oob/YDmq+131MwFQTRUGK172wPyO+ceNM43rfj6ktZu 32 | i3gQ5DKFJjY3oe99po+mh/462CthVIviANcxTq+6BZs8fbzUCxUgiQIzBBMBCAAd 33 | FiEEzDXMPTXlo2Q+VFpDzwuSjN7WTzsFAmeRJyAACgkQzwuSjN7WTzt9AA/+MaM7 34 | +HzwfUx7ue1gFukpBaLizvDFi8jOTe/wdOCvejlmsVwAnurogqt3huchb9MyZJps 35 | MLxD5aHQR+6zliLleloWrYY0DIbTFG8Z7caexPwF11izkcbIll4WaMP+yEuyDFqk 36 | 
rjPQHctk/rlJ5sN6KvPdRQx+BudZxuz8Ej72+DTHuazMoRLvt66CdgZqRbXhcdEW 37 | mMK8atImS0Ws380bJkdrKpa0b3X5oRAQOCxd7cKwfU7KMTbYa2gvKpscC/CFLdVS 38 | u8B4G3oCpiVaRL8GxGSvvraEqBi5zKt+/2NuqdIudhHXUMdXsNFtbggspYWXGvcp 39 | n0TgjeccB8zWnHu1HFSRu+2ZyRh0chfxVXlU2mf0MgVNtKmNIpPEqeP6bxCyPh2l 40 | d5VYQjXiIFhXgGWF9QaZEtbwKjvgTU/ml/pL0/+CqCcDNSe7cPwSF5zNBDe6lALt 41 | 76opOwYUmPRxRGZz5xcm3U7wTK2agl4+eZwtohQGr++2GhsNIAJnlQUI11reZkF2 42 | dGY4d7V4lk6mvhXC00qFbyU17cD37TjhPX91zpW7raL/Ni1ixQYjDC+/LccdH1IU 43 | Dv3ziXvweHRW1NB+YDvg++QWgwsQ9LXITy8HJU7UubOV9aReQslG4adwCHOtLOLS 44 | eaFoffTr4S8HomntcGNWIXat26E55VAETAWYFtI= 45 | =/SNl 46 | -----END PGP PUBLIC KEY BLOCK----- 47 | -------------------------------------------------------------------------------- /mkosi.conf: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: LGPL-2.1-or-later 2 | 3 | [Config] 4 | MinimumVersion=26~devel 5 | 6 | [Build] 7 | ToolsTree=default 8 | ToolsTreeProfiles=misc,runtime,gui 9 | History=yes 10 | CacheDirectory=mkosi.cache 11 | Incremental=yes 12 | 13 | [Output] 14 | OutputDirectory=mkosi.output 15 | SplitArtifacts=uki,partitions 16 | Format=disk 17 | ImageId=ParticleOS 18 | ManifestFormat=json 19 | Output=%i_%v_%a 20 | 21 | [Content] 22 | UnifiedKernelImageFormat=%i_%v_%a 23 | KernelCommandLine= 24 | root=dissect 25 | mount.usr=dissect 26 | rw 27 | audit=0 28 | systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted+absent:swap=encrypted+unused+absent:home=unprotected+absent:=ignore 29 | systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*:root=ParticleOS-*:swap=ParticleOS-*:home=ParticleOS-* 30 | InitrdProfiles= 31 | KernelInitrdModules=default 32 | Hostname=particle-????-???? 
33 | 34 | Packages= 35 | acl 36 | attr 37 | bash-completion 38 | btrfs-progs 39 | coreutils 40 | cpio 41 | curl 42 | dbus-broker 43 | diffutils 44 | dmidecode 45 | dosfstools 46 | e2fsprogs 47 | efibootmgr 48 | erofs-utils 49 | exfatprogs 50 | file 51 | findutils 52 | fish 53 | fwupd 54 | gdb 55 | gdisk 56 | grep 57 | gzip 58 | jq 59 | kbd 60 | kexec-tools 61 | kmod 62 | less 63 | man 64 | mtools 65 | nano 66 | nftables 67 | nvme-cli 68 | opensc 69 | openssl 70 | patch 71 | p11-kit 72 | pciutils 73 | pkcs11-provider 74 | sed 75 | socat 76 | strace 77 | systemd 78 | tar 79 | tree 80 | udev 81 | unzip 82 | usbutils 83 | util-linux 84 | which 85 | wireguard-tools 86 | xxd 87 | yubikey-manager 88 | zip 89 | zstd 90 | 91 | VolatilePackages= 92 | systemd 93 | udev 94 | 95 | InitrdVolatilePackages= 96 | systemd 97 | udev 98 | 99 | [Validation] 100 | SecureBoot=yes 101 | SignExpectedPcr=yes 102 | 103 | [Runtime] 104 | RuntimeSize=30G 105 | RAM=4G 106 | CPUs=4 107 | Ephemeral=yes 108 | Credentials= 109 | passwd.plaintext-password.root=particleos 110 | tty.serial.hvc0.agetty.autologin=particleos 111 | tty.serial.hvc0.login.noauth=yes 112 | tty.console.agetty.autologin=particleos 113 | tty.console.login.noauth=yes 114 | tty.virtual.tty1.agetty.autologin=particleos 115 | tty.virtual.tty1.login.noauth=yes 116 | -------------------------------------------------------------------------------- /mkosi.profiles/flathub/mkosi.extra/usr/share/flatpak/remotes.d/flathub.flatpakrepo: -------------------------------------------------------------------------------- 1 | [Flatpak Repo] 2 | Title=Flathub 3 | Url=https://dl.flathub.org/repo/ 4 | Homepage=https://flathub.org/ 5 | Comment=Central repository of Flatpak applications 6 | Description=Central repository of Flatpak applications 7 | Icon=https://dl.flathub.org/repo/logo.svg 8 | GPGKey=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 9 | -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | # ParticleOS 2 | 3 | ParticleOS is a fully customizable immutable distribution implementing the 4 | concepts described in 5 | [Fitting Everything Together](https://0pointer.net/blog/fitting-everything-together.html). 6 | 7 | Note that ParticleOS is still in development, and we don't provide any backwards 8 | compatibility guarantees at all. 9 | 10 | The crucial difference that makes ParticleOS unique compared to other immutable 11 | distributions is that users build the ParticleOS image themselves and sign it 12 | with their own keys instead of installing vendor signed images. This allows 13 | configuring the image to your liking by having full control over which 14 | distribution is used as the base and which packages are installed into the 15 | image. 16 | 17 | The ParticleOS image is built using [mkosi](https://github.com/systemd/mkosi). 18 | You will need to install the current main branch of mkosi to build current 19 | ParticleOS images. 20 | 21 | First, configure the variant you'd like to build in `mkosi.local.conf`. For a 22 | desktop system, you'll want the `desktop` profile and either the `gnome` or the 23 | `kde` profile. 24 | 25 | ```conf 26 | [Distribution] 27 | Distribution=arch 28 | 29 | [Config] 30 | Profiles=desktop,kde 31 | ``` 32 | 33 | To build the image, run `mkosi -B -f` from the ParticleOS repository. Currently 34 | `arch`, `fedora` and `debian` are supported distributions. Implementing support for a 35 | new distribution (that's already supported in mkosi) is as simple as writing the 36 | necessary config files to install the required packages for that distribution. 
37 | 38 | To update the system after installation, you clone the ParticleOS repository 39 | or your fork of it, make sure `mkosi.local.conf` is configured to your liking and 40 | run `mkosi -B -ff sysupdate -- update --reboot` which will update the system using 41 | `systemd-sysupdate` and then reboot. 42 | 43 | ## Using the OBS profile to fetch a newer systemd 44 | 45 | Sometimes ParticleOS adopts systemd features as soon as they get merged into 46 | systemd without waiting for an official release. That's why we recommend 47 | enabling the `obs` profile to enable the systemd repositories on OBS 48 | (https://software.opensuse.org//download.html?project=system%3Asystemd&package=systemd) 49 | containing systemd packages which are built every day from systemd's git main 50 | branch. 51 | 52 | To enable the `obs` profile, add the following to `mkosi.local.conf`: 53 | 54 | ```conf 55 | [Config] 56 | Profiles=obs 57 | ``` 58 | 59 | ## Building systemd from source 60 | 61 | As an alternative to using the `obs` profile, you can build systemd from source: 62 | 63 | ```sh 64 | git clone https://github.com/systemd/systemd 65 | cd systemd 66 | mkosi -f sandbox -- meson setup build 67 | mkosi -f sandbox -- meson compile -C build 68 | mkosi -t none -f 69 | ``` 70 | 71 | Then write the following to `mkosi.local.conf` in the ParticleOS repository to 72 | use the artifacts from the systemd repository built by mkosi in ParticleOS: 73 | 74 | ```conf 75 | [Content] 76 | VolatilePackageDirectories=../systemd/build/mkosi.builddir/~~ 77 | 78 | [Build] 79 | ExtraSearchPaths=../systemd/build 80 | ``` 81 | 82 | Make sure the distribution and release in `mkosi.local.conf` are identical in the 83 | systemd checkout and the particleos checkout. 84 | 85 | To build a newer systemd, run `git pull` in the systemd repository followed by 86 | `mkosi -f sandbox -- meson compile -C build` and `mkosi -t none`. 
87 | 88 | ## Signing keys 89 | 90 | ParticleOS images are signed for Secure Boot with the user's keys. To generate a new key, 91 | run `mkosi genkey`. The key must be stored safely: it is required to sign every update, and anyone who obtains it can sign images that the system will accept. 92 | 93 | The key can be stored on a smartcard. Then you have to set the key in `mkosi.local.conf`: 94 | 95 | ``` 96 | [Validation] 97 | SecureBootKey=pkcs11:object=Private key 1;type=private 98 | SecureBootKeySource=provider:pkcs11 99 | SignExpectedPcrKey=pkcs11:object=Private key 1;type=private 100 | SignExpectedPcrKeySource=provider:pkcs11 101 | VerityKey=pkcs11:object=Private key 1;type=private 102 | VerityKeySource=provider:pkcs11 103 | ``` 104 | 105 | ## Installation 106 | 107 | Before installing ParticleOS, make sure that Secure Boot is in setup mode on the 108 | target system. The Secure Boot mode can be configured in the UEFI firmware 109 | interface of the target system. If there's an existing Linux installation on the 110 | target system already, run `systemctl reboot --firmware-setup` to reboot into 111 | the UEFI firmware interface. At the same time, make sure the UEFI firmware 112 | interface is password protected so an attacker cannot just disable Secure Boot 113 | again. 114 | 115 | To install ParticleOS with a USB drive, first build the image on an existing 116 | Linux system as described above. Then, burn it to the USB drive with 117 | `mkosi burn /dev/<usb-device>`. Once burned to the USB drive, plug the USB drive into 118 | the system onto which you'd like to install ParticleOS and boot into the USB 119 | drive via the firmware. Then, boot into the "Installer" UKI profile. When you 120 | end up in the root shell, run 121 | `systemd-repart --dry-run=no --empty=force --defer-partitions=swap,root,home /dev/<target-drive>` 122 | to install ParticleOS to the system's drive. Because `--empty=force` writes a new partition table and discards the existing partitions, double-check that the device path is the intended target drive before running it. Finally, reboot into the target 123 | drive (not the USB) and the regular profile (not the installer one) to complete 124 | the installation. 
125 | 126 | ## LUKS recovery key 127 | 128 | systemd doesn't support adding a recovery key to a partition enrolled with a token 129 | only (tpm/fido2). It is possible to use `cryptsetup` to add a recovery password 130 | to the root partition: `cryptsetup luksAddKey --token-type systemd-tpm2 /dev/<root-partition>` 131 | 132 | ## Firmwares 133 | 134 | Only firmwares that are dependencies of a kernel module are included, but some 135 | modules don't declare their dependencies properly. Dependencies of a module can be 136 | found with `modinfo`. If you experience missing firmwares, you should report 137 | this to the module maintainer. `FirmwareInclude=` can be added in `mkosi.local.conf` 138 | to include the firmware regardless of whether a module depends on it. 139 | 140 | ## Configuring systemd-homed after installation 141 | 142 | After installing ParticleOS and logging into your systemd-homed managed user, 143 | run the following to configure systemd-homed for the best experience: 144 | 145 | ```sh 146 | homectl update \ 147 | --auto-resize-mode=off \ 148 | --disk-size=max \ 149 | --luks-discard=on 150 | ``` 151 | 152 | Disabling the auto resize mode avoids slow system boot and shutdown. Enabling 153 | LUKS discard makes sure the home directory doesn't become inaccessible because 154 | systemd-homed is unable to resize the home directory. 155 | 156 | ## Default root password and user when booting in a virtual machine 157 | 158 | If you boot ParticleOS in a virtual machine using `mkosi vm`, the root password 159 | is automatically set to `particleos` and a default user `particleos` with password 160 | `particleos` is created as well. The `[Runtime]` section of `mkosi.conf` also sets the `tty.*.agetty.autologin=particleos` and `tty.*.login.noauth=yes` credentials, so the VM's serial, console and tty1 logins require no authentication; treat such a VM as a development environment and do not expose it to untrusted users or networks. 161 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU LESSER GENERAL PUBLIC LICENSE 2 | Version 2.1, February 1999 3 | 4 | Copyright (C) 1991, 1999 Free Software Foundation, Inc. 
5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | [This is the first released version of the Lesser GPL. It also counts 10 | as the successor of the GNU Library Public License, version 2, hence 11 | the version number 2.1.] 12 | 13 | Preamble 14 | 15 | The licenses for most software are designed to take away your 16 | freedom to share and change it. By contrast, the GNU General Public 17 | Licenses are intended to guarantee your freedom to share and change 18 | free software--to make sure the software is free for all its users. 19 | 20 | This license, the Lesser General Public License, applies to some 21 | specially designated software packages--typically libraries--of the 22 | Free Software Foundation and other authors who decide to use it. You 23 | can use it too, but we suggest you first think carefully about whether 24 | this license or the ordinary General Public License is the better 25 | strategy to use in any particular case, based on the explanations below. 26 | 27 | When we speak of free software, we are referring to freedom of use, 28 | not price. Our General Public Licenses are designed to make sure that 29 | you have the freedom to distribute copies of free software (and charge 30 | for this service if you wish); that you receive source code or can get 31 | it if you want it; that you can change the software and use pieces of 32 | it in new free programs; and that you are informed that you can do 33 | these things. 34 | 35 | To protect your rights, we need to make restrictions that forbid 36 | distributors to deny you these rights or to ask you to surrender these 37 | rights. These restrictions translate to certain responsibilities for 38 | you if you distribute copies of the library or if you modify it. 
39 | 40 | For example, if you distribute copies of the library, whether gratis 41 | or for a fee, you must give the recipients all the rights that we gave 42 | you. You must make sure that they, too, receive or can get the source 43 | code. If you link other code with the library, you must provide 44 | complete object files to the recipients, so that they can relink them 45 | with the library after making changes to the library and recompiling 46 | it. And you must show them these terms so they know their rights. 47 | 48 | We protect your rights with a two-step method: (1) we copyright the 49 | library, and (2) we offer you this license, which gives you legal 50 | permission to copy, distribute and/or modify the library. 51 | 52 | To protect each distributor, we want to make it very clear that 53 | there is no warranty for the free library. Also, if the library is 54 | modified by someone else and passed on, the recipients should know 55 | that what they have is not the original version, so that the original 56 | author's reputation will not be affected by problems that might be 57 | introduced by others. 58 | 59 | Finally, software patents pose a constant threat to the existence of 60 | any free program. We wish to make sure that a company cannot 61 | effectively restrict the users of a free program by obtaining a 62 | restrictive license from a patent holder. Therefore, we insist that 63 | any patent license obtained for a version of the library must be 64 | consistent with the full freedom of use specified in this license. 65 | 66 | Most GNU software, including some libraries, is covered by the 67 | ordinary GNU General Public License. This license, the GNU Lesser 68 | General Public License, applies to certain designated libraries, and 69 | is quite different from the ordinary General Public License. We use 70 | this license for certain libraries in order to permit linking those 71 | libraries into non-free programs. 
72 | 73 | When a program is linked with a library, whether statically or using 74 | a shared library, the combination of the two is legally speaking a 75 | combined work, a derivative of the original library. The ordinary 76 | General Public License therefore permits such linking only if the 77 | entire combination fits its criteria of freedom. The Lesser General 78 | Public License permits more lax criteria for linking other code with 79 | the library. 80 | 81 | We call this license the "Lesser" General Public License because it 82 | does Less to protect the user's freedom than the ordinary General 83 | Public License. It also provides other free software developers Less 84 | of an advantage over competing non-free programs. These disadvantages 85 | are the reason we use the ordinary General Public License for many 86 | libraries. However, the Lesser license provides advantages in certain 87 | special circumstances. 88 | 89 | For example, on rare occasions, there may be a special need to 90 | encourage the widest possible use of a certain library, so that it becomes 91 | a de-facto standard. To achieve this, non-free programs must be 92 | allowed to use the library. A more frequent case is that a free 93 | library does the same job as widely used non-free libraries. In this 94 | case, there is little to gain by limiting the free library to free 95 | software only, so we use the Lesser General Public License. 96 | 97 | In other cases, permission to use a particular library in non-free 98 | programs enables a greater number of people to use a large body of 99 | free software. For example, permission to use the GNU C Library in 100 | non-free programs enables many more people to use the whole GNU 101 | operating system, as well as its variant, the GNU/Linux operating 102 | system. 
103 | 104 | Although the Lesser General Public License is Less protective of the 105 | users' freedom, it does ensure that the user of a program that is 106 | linked with the Library has the freedom and the wherewithal to run 107 | that program using a modified version of the Library. 108 | 109 | The precise terms and conditions for copying, distribution and 110 | modification follow. Pay close attention to the difference between a 111 | "work based on the library" and a "work that uses the library". The 112 | former contains code derived from the library, whereas the latter must 113 | be combined with the library in order to run. 114 | 115 | GNU LESSER GENERAL PUBLIC LICENSE 116 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 117 | 118 | 0. This License Agreement applies to any software library or other 119 | program which contains a notice placed by the copyright holder or 120 | other authorized party saying it may be distributed under the terms of 121 | this Lesser General Public License (also called "this License"). 122 | Each licensee is addressed as "you". 123 | 124 | A "library" means a collection of software functions and/or data 125 | prepared so as to be conveniently linked with application programs 126 | (which use some of those functions and data) to form executables. 127 | 128 | The "Library", below, refers to any such software library or work 129 | which has been distributed under these terms. A "work based on the 130 | Library" means either the Library or any derivative work under 131 | copyright law: that is to say, a work containing the Library or a 132 | portion of it, either verbatim or with modifications and/or translated 133 | straightforwardly into another language. (Hereinafter, translation is 134 | included without limitation in the term "modification".) 135 | 136 | "Source code" for a work means the preferred form of the work for 137 | making modifications to it. 
For a library, complete source code means 138 | all the source code for all modules it contains, plus any associated 139 | interface definition files, plus the scripts used to control compilation 140 | and installation of the library. 141 | 142 | Activities other than copying, distribution and modification are not 143 | covered by this License; they are outside its scope. The act of 144 | running a program using the Library is not restricted, and output from 145 | such a program is covered only if its contents constitute a work based 146 | on the Library (independent of the use of the Library in a tool for 147 | writing it). Whether that is true depends on what the Library does 148 | and what the program that uses the Library does. 149 | 150 | 1. You may copy and distribute verbatim copies of the Library's 151 | complete source code as you receive it, in any medium, provided that 152 | you conspicuously and appropriately publish on each copy an 153 | appropriate copyright notice and disclaimer of warranty; keep intact 154 | all the notices that refer to this License and to the absence of any 155 | warranty; and distribute a copy of this License along with the 156 | Library. 157 | 158 | You may charge a fee for the physical act of transferring a copy, 159 | and you may at your option offer warranty protection in exchange for a 160 | fee. 161 | 162 | 2. You may modify your copy or copies of the Library or any portion 163 | of it, thus forming a work based on the Library, and copy and 164 | distribute such modifications or work under the terms of Section 1 165 | above, provided that you also meet all of these conditions: 166 | 167 | a) The modified work must itself be a software library. 168 | 169 | b) You must cause the files modified to carry prominent notices 170 | stating that you changed the files and the date of any change. 171 | 172 | c) You must cause the whole of the work to be licensed at no 173 | charge to all third parties under the terms of this License. 
174 | 175 | d) If a facility in the modified Library refers to a function or a 176 | table of data to be supplied by an application program that uses 177 | the facility, other than as an argument passed when the facility 178 | is invoked, then you must make a good faith effort to ensure that, 179 | in the event an application does not supply such function or 180 | table, the facility still operates, and performs whatever part of 181 | its purpose remains meaningful. 182 | 183 | (For example, a function in a library to compute square roots has 184 | a purpose that is entirely well-defined independent of the 185 | application. Therefore, Subsection 2d requires that any 186 | application-supplied function or table used by this function must 187 | be optional: if the application does not supply it, the square 188 | root function must still compute square roots.) 189 | 190 | These requirements apply to the modified work as a whole. If 191 | identifiable sections of that work are not derived from the Library, 192 | and can be reasonably considered independent and separate works in 193 | themselves, then this License, and its terms, do not apply to those 194 | sections when you distribute them as separate works. But when you 195 | distribute the same sections as part of a whole which is a work based 196 | on the Library, the distribution of the whole must be on the terms of 197 | this License, whose permissions for other licensees extend to the 198 | entire whole, and thus to each and every part regardless of who wrote 199 | it. 200 | 201 | Thus, it is not the intent of this section to claim rights or contest 202 | your rights to work written entirely by you; rather, the intent is to 203 | exercise the right to control the distribution of derivative or 204 | collective works based on the Library. 
205 | 206 | In addition, mere aggregation of another work not based on the Library 207 | with the Library (or with a work based on the Library) on a volume of 208 | a storage or distribution medium does not bring the other work under 209 | the scope of this License. 210 | 211 | 3. You may opt to apply the terms of the ordinary GNU General Public 212 | License instead of this License to a given copy of the Library. To do 213 | this, you must alter all the notices that refer to this License, so 214 | that they refer to the ordinary GNU General Public License, version 2, 215 | instead of to this License. (If a newer version than version 2 of the 216 | ordinary GNU General Public License has appeared, then you can specify 217 | that version instead if you wish.) Do not make any other change in 218 | these notices. 219 | 220 | Once this change is made in a given copy, it is irreversible for 221 | that copy, so the ordinary GNU General Public License applies to all 222 | subsequent copies and derivative works made from that copy. 223 | 224 | This option is useful when you wish to copy part of the code of 225 | the Library into a program that is not a library. 226 | 227 | 4. You may copy and distribute the Library (or a portion or 228 | derivative of it, under Section 2) in object code or executable form 229 | under the terms of Sections 1 and 2 above provided that you accompany 230 | it with the complete corresponding machine-readable source code, which 231 | must be distributed under the terms of Sections 1 and 2 above on a 232 | medium customarily used for software interchange. 233 | 234 | If distribution of object code is made by offering access to copy 235 | from a designated place, then offering equivalent access to copy the 236 | source code from the same place satisfies the requirement to 237 | distribute the source code, even though third parties are not 238 | compelled to copy the source along with the object code. 239 | 240 | 5. 
A program that contains no derivative of any portion of the 241 | Library, but is designed to work with the Library by being compiled or 242 | linked with it, is called a "work that uses the Library". Such a 243 | work, in isolation, is not a derivative work of the Library, and 244 | therefore falls outside the scope of this License. 245 | 246 | However, linking a "work that uses the Library" with the Library 247 | creates an executable that is a derivative of the Library (because it 248 | contains portions of the Library), rather than a "work that uses the 249 | library". The executable is therefore covered by this License. 250 | Section 6 states terms for distribution of such executables. 251 | 252 | When a "work that uses the Library" uses material from a header file 253 | that is part of the Library, the object code for the work may be a 254 | derivative work of the Library even though the source code is not. 255 | Whether this is true is especially significant if the work can be 256 | linked without the Library, or if the work is itself a library. The 257 | threshold for this to be true is not precisely defined by law. 258 | 259 | If such an object file uses only numerical parameters, data 260 | structure layouts and accessors, and small macros and small inline 261 | functions (ten lines or less in length), then the use of the object 262 | file is unrestricted, regardless of whether it is legally a derivative 263 | work. (Executables containing this object code plus portions of the 264 | Library will still fall under Section 6.) 265 | 266 | Otherwise, if the work is a derivative of the Library, you may 267 | distribute the object code for the work under the terms of Section 6. 268 | Any executables containing that work also fall under Section 6, 269 | whether or not they are linked directly with the Library itself. 270 | 271 | 6. 
As an exception to the Sections above, you may also combine or 272 | link a "work that uses the Library" with the Library to produce a 273 | work containing portions of the Library, and distribute that work 274 | under terms of your choice, provided that the terms permit 275 | modification of the work for the customer's own use and reverse 276 | engineering for debugging such modifications. 277 | 278 | You must give prominent notice with each copy of the work that the 279 | Library is used in it and that the Library and its use are covered by 280 | this License. You must supply a copy of this License. If the work 281 | during execution displays copyright notices, you must include the 282 | copyright notice for the Library among them, as well as a reference 283 | directing the user to the copy of this License. Also, you must do one 284 | of these things: 285 | 286 | a) Accompany the work with the complete corresponding 287 | machine-readable source code for the Library including whatever 288 | changes were used in the work (which must be distributed under 289 | Sections 1 and 2 above); and, if the work is an executable linked 290 | with the Library, with the complete machine-readable "work that 291 | uses the Library", as object code and/or source code, so that the 292 | user can modify the Library and then relink to produce a modified 293 | executable containing the modified Library. (It is understood 294 | that the user who changes the contents of definitions files in the 295 | Library will not necessarily be able to recompile the application 296 | to use the modified definitions.) 297 | 298 | b) Use a suitable shared library mechanism for linking with the 299 | Library. 
A suitable mechanism is one that (1) uses at run time a 300 | copy of the library already present on the user's computer system, 301 | rather than copying library functions into the executable, and (2) 302 | will operate properly with a modified version of the library, if 303 | the user installs one, as long as the modified version is 304 | interface-compatible with the version that the work was made with. 305 | 306 | c) Accompany the work with a written offer, valid for at 307 | least three years, to give the same user the materials 308 | specified in Subsection 6a, above, for a charge no more 309 | than the cost of performing this distribution. 310 | 311 | d) If distribution of the work is made by offering access to copy 312 | from a designated place, offer equivalent access to copy the above 313 | specified materials from the same place. 314 | 315 | e) Verify that the user has already received a copy of these 316 | materials or that you have already sent this user a copy. 317 | 318 | For an executable, the required form of the "work that uses the 319 | Library" must include any data and utility programs needed for 320 | reproducing the executable from it. However, as a special exception, 321 | the materials to be distributed need not include anything that is 322 | normally distributed (in either source or binary form) with the major 323 | components (compiler, kernel, and so on) of the operating system on 324 | which the executable runs, unless that component itself accompanies 325 | the executable. 326 | 327 | It may happen that this requirement contradicts the license 328 | restrictions of other proprietary libraries that do not normally 329 | accompany the operating system. Such a contradiction means you cannot 330 | use both them and the Library together in an executable that you 331 | distribute. 332 | 333 | 7. 
You may place library facilities that are a work based on the 334 | Library side-by-side in a single library together with other library 335 | facilities not covered by this License, and distribute such a combined 336 | library, provided that the separate distribution of the work based on 337 | the Library and of the other library facilities is otherwise 338 | permitted, and provided that you do these two things: 339 | 340 | a) Accompany the combined library with a copy of the same work 341 | based on the Library, uncombined with any other library 342 | facilities. This must be distributed under the terms of the 343 | Sections above. 344 | 345 | b) Give prominent notice with the combined library of the fact 346 | that part of it is a work based on the Library, and explaining 347 | where to find the accompanying uncombined form of the same work. 348 | 349 | 8. You may not copy, modify, sublicense, link with, or distribute 350 | the Library except as expressly provided under this License. Any 351 | attempt otherwise to copy, modify, sublicense, link with, or 352 | distribute the Library is void, and will automatically terminate your 353 | rights under this License. However, parties who have received copies, 354 | or rights, from you under this License will not have their licenses 355 | terminated so long as such parties remain in full compliance. 356 | 357 | 9. You are not required to accept this License, since you have not 358 | signed it. However, nothing else grants you permission to modify or 359 | distribute the Library or its derivative works. These actions are 360 | prohibited by law if you do not accept this License. Therefore, by 361 | modifying or distributing the Library (or any work based on the 362 | Library), you indicate your acceptance of this License to do so, and 363 | all its terms and conditions for copying, distributing or modifying 364 | the Library or works based on it. 365 | 366 | 10. 
Each time you redistribute the Library (or any work based on the 367 | Library), the recipient automatically receives a license from the 368 | original licensor to copy, distribute, link with or modify the Library 369 | subject to these terms and conditions. You may not impose any further 370 | restrictions on the recipients' exercise of the rights granted herein. 371 | You are not responsible for enforcing compliance by third parties with 372 | this License. 373 | 374 | 11. If, as a consequence of a court judgment or allegation of patent 375 | infringement or for any other reason (not limited to patent issues), 376 | conditions are imposed on you (whether by court order, agreement or 377 | otherwise) that contradict the conditions of this License, they do not 378 | excuse you from the conditions of this License. If you cannot 379 | distribute so as to satisfy simultaneously your obligations under this 380 | License and any other pertinent obligations, then as a consequence you 381 | may not distribute the Library at all. For example, if a patent 382 | license would not permit royalty-free redistribution of the Library by 383 | all those who receive copies directly or indirectly through you, then 384 | the only way you could satisfy both it and this License would be to 385 | refrain entirely from distribution of the Library. 386 | 387 | If any portion of this section is held invalid or unenforceable under any 388 | particular circumstance, the balance of the section is intended to apply, 389 | and the section as a whole is intended to apply in other circumstances. 390 | 391 | It is not the purpose of this section to induce you to infringe any 392 | patents or other property right claims or to contest validity of any 393 | such claims; this section has the sole purpose of protecting the 394 | integrity of the free software distribution system which is 395 | implemented by public license practices. 
Many people have made 396 | generous contributions to the wide range of software distributed 397 | through that system in reliance on consistent application of that 398 | system; it is up to the author/donor to decide if he or she is willing 399 | to distribute software through any other system and a licensee cannot 400 | impose that choice. 401 | 402 | This section is intended to make thoroughly clear what is believed to 403 | be a consequence of the rest of this License. 404 | 405 | 12. If the distribution and/or use of the Library is restricted in 406 | certain countries either by patents or by copyrighted interfaces, the 407 | original copyright holder who places the Library under this License may add 408 | an explicit geographical distribution limitation excluding those countries, 409 | so that distribution is permitted only in or among countries not thus 410 | excluded. In such case, this License incorporates the limitation as if 411 | written in the body of this License. 412 | 413 | 13. The Free Software Foundation may publish revised and/or new 414 | versions of the Lesser General Public License from time to time. 415 | Such new versions will be similar in spirit to the present version, 416 | but may differ in detail to address new problems or concerns. 417 | 418 | Each version is given a distinguishing version number. If the Library 419 | specifies a version number of this License which applies to it and 420 | "any later version", you have the option of following the terms and 421 | conditions either of that version or of any later version published by 422 | the Free Software Foundation. If the Library does not specify a 423 | license version number, you may choose any version ever published by 424 | the Free Software Foundation. 425 | 426 | 14. If you wish to incorporate parts of the Library into other free 427 | programs whose distribution conditions are incompatible with these, 428 | write to the author to ask for permission. 
For software which is 429 | copyrighted by the Free Software Foundation, write to the Free 430 | Software Foundation; we sometimes make exceptions for this. Our 431 | decision will be guided by the two goals of preserving the free status 432 | of all derivatives of our free software and of promoting the sharing 433 | and reuse of software generally. 434 | 435 | NO WARRANTY 436 | 437 | 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO 438 | WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 439 | EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR 440 | OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY 441 | KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE 442 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 443 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 444 | LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME 445 | THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 446 | 447 | 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN 448 | WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY 449 | AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU 450 | FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR 451 | CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE 452 | LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING 453 | RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A 454 | FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF 455 | SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH 456 | DAMAGES. 
457 | 458 | END OF TERMS AND CONDITIONS 459 | 460 | How to Apply These Terms to Your New Libraries 461 | 462 | If you develop a new library, and you want it to be of the greatest 463 | possible use to the public, we recommend making it free software that 464 | everyone can redistribute and change. You can do so by permitting 465 | redistribution under these terms (or, alternatively, under the terms of the 466 | ordinary General Public License). 467 | 468 | To apply these terms, attach the following notices to the library. It is 469 | safest to attach them to the start of each source file to most effectively 470 | convey the exclusion of warranty; and each file should have at least the 471 | "copyright" line and a pointer to where the full notice is found. 472 | 473 | <one line to give the library's name and a brief idea of what it does.> 474 | Copyright (C) <year> <name of author> 475 | 476 | This library is free software; you can redistribute it and/or 477 | modify it under the terms of the GNU Lesser General Public 478 | License as published by the Free Software Foundation; either 479 | version 2.1 of the License, or (at your option) any later version. 480 | 481 | This library is distributed in the hope that it will be useful, 482 | but WITHOUT ANY WARRANTY; without even the implied warranty of 483 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 484 | Lesser General Public License for more details. 485 | 486 | You should have received a copy of the GNU Lesser General Public 487 | License along with this library; if not, write to the Free Software 488 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 489 | USA 490 | 491 | Also add information on how to contact you by electronic and paper mail. 492 | 493 | You should also get your employer (if you work as a programmer) or your 494 | school, if any, to sign a "copyright disclaimer" for the library, if 495 | necessary.
Here is a sample; alter the names: 496 | 497 | Yoyodyne, Inc., hereby disclaims all copyright interest in the 498 | library `Frob' (a library for tweaking knobs) written by James Random 499 | Hacker. 500 | 501 | <signature of Ty Coon>, 1 April 1990 502 | Ty Coon, President of Vice 503 | 504 | That's all there is to it! 505 | --------------------------------------------------------------------------------