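# example.butane: Butane config that provisions a Fedora CoreOS host and rebases
# it to a secureblue "securecore" image on the first login of the core user.
# Nesting is restored here; the flattened listing is not parseable as YAML.
variant: fcos
version: 1.6.0
passwd:
  users:
    - name: core
      groups:
        - wheel
      # This is the yescrypt hash of the publicly documented example password
      # 'secureblue'. core is in wheel, so a known password here means a known
      # administrative login. Generate your own hash before provisioning
      # (for example with `mkpasswd --method=yescrypt`) and replace this value.
      password_hash: $y$j9T$mefBCJbp/a49aSkTT4hpE1$6BXtrIuV8856t4A9r/R1GW4aR9eKXxsmB8FXt56Hx70
      # Placeholder: substitute your own public key.
      ssh_authorized_keys:
        - ssh-ed25519 <key>
storage:
  # `mode` is an integer field; the leading-zero values below are octal
  # permission bits and are intentionally left unquoted.
  files:
    # Public key used to verify image signatures during the rebase. The policy
    # below refers to it by this path.
    - path: /etc/pki/containers/secureblue-2025.pub
      mode: 0644
      contents:
        inline: |
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdruKsOhUkgdd0lNDHNBymE2Wyb/p
          GVnx59QbNoGFbImqZLRVt6uQnO9MfiHU9IZiJl9aNetfAqDsgsltAUQnXQ==
          -----END PUBLIC KEY-----
    # Temporary container policy for the install: reject everything by default
    # and accept only images from ghcr.io/secureblue that carry a sigstore
    # signature verifiable with the key above. Do not loosen "default" to work
    # around a verification failure; a failure means the image was not verified.
    - path: /etc/containers/policy.json
      mode: 0644
      overwrite: true
      contents:
        inline: |
          {
            "default": [{"type": "reject"}],
            "transports": {
              "docker": {
                "ghcr.io/secureblue": [
                  {
                    "type": "sigstoreSigned",
                    "keyPath": "/etc/pki/containers/secureblue-2025.pub",
                    "signedIdentity": {"type": "matchRepository"}
                  }
                ]
              }
            }
          }
    # One-shot installer. It stops the automatic updaters, rebases through the
    # signature-enforcing `ostree-image-signed:` transport, and only on success
    # copies /usr/etc/containers/policy.json back over the temporary policy,
    # removes its own hook, script and key, and reboots. On failure it exits
    # with the rebase status and leaves the restrictive policy and the
    # .bash_profile hook in place, so it runs again at the next login.
    - path: /opt/install_secureblue.sh
      mode: 0755
      contents:
        inline: |
          sudo systemctl disable --now zincati.service 2>/dev/null
          sudo systemctl stop rpm-ostreed-automatic.timer rpm-ostreed-automatic.service 2>/dev/null
          echo 'Rebasing to securecore (secureblue CoreOS image)...'
          # If you want Nvidia or ZFS support, replace 'securecore-main-hardened' below with
          # the name of the image you want. See here for a list of securecore images:
          # https://secureblue.dev/images#coreos
          sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/securecore-main-hardened:latest
          status=$?
          if [ "$status" -ne 0 ]; then
              echo "Error: Secureblue installation failed." >&2
              exit "$status"
          else
              sudo cp /usr/etc/containers/policy.json /etc/containers/policy.json
              sed -i -e '/\/opt\/install_secureblue.sh/d' /var/home/core/.bash_profile
              sudo rm -f /opt/install_secureblue.sh /etc/pki/containers/secureblue-2025.pub
              echo "Automatically rebooting in 5 seconds..."
              sleep 5
              sudo systemctl reboot
          fi
    # Login hook: appends one line to core's .bash_profile that runs the
    # installer. The installer deletes this line itself once the rebase
    # succeeds.
    - path: /var/home/core/.bash_profile
      overwrite: false
      append:
        - inline: |
            /opt/install_secureblue.sh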