- Single source of truth: `usr/share/mios/ai/INDEX.md` + `usr/share/mios/mios.toml`. Every package belongs in `mios.toml` under `[packages.<section>].pkgs`; every architectural rule lives in `usr/share/mios/ai/INDEX.md`. Other docs cite, never duplicate. Human-readable package documentation lives at `usr/share/doc/mios/reference/PACKAGES.md` -- it is documentation, not the runtime SSOT.
- Six invariants: USR-OVER-ETC, NO-MKDIR-IN-VAR, BOUND-IMAGES, BOOTC-CONTAINER-LINT, UNIFIED-AI-REDIRECTS, UNPRIVILEGED-QUADLETS -- see `usr/share/mios/ai/INDEX.md` §3. Violating any of the six is a build/audit fail.
- Pure build-up. Only the ~25 GNOME packages required for the desktop ship. No `dnf remove` bloat blocks. User-facing apps are Flatpaks; RPMs are restricted to kernel modules, drivers, virtualization, container runtime, system tools, and GNOME infrastructure.
- Nothing gets removed without permission. If a file or package exists in the repo, do not delete it in a PR without prior discussion.
- Complete files only. No diffs, patches, fragments, or "paste this into X" instructions. Every contribution is a drop-in replacement.
- Podman (rootful, for bootc image builds)
- 8 GB RAM, 250 GB disk on the builder
- Windows: PowerShell 7+ and WSL2
Linux:

```sh
just preflight   # System prereq check
just build       # Build the OCI image
just lint        # Re-run bootc container lint on the built image
just rechunk     # Optimized Day-2 deltas
just raw         # RAW disk image via BIB
just iso         # Anaconda ISO via BIB
just sbom        # CycloneDX SBOM via syft
```

Windows:

```powershell
.\preflight.ps1
.\mios-build-local.ps1
```

The PowerShell orchestrator handles Podman machine creation, credential injection, image build, rechunk, disk-image generation, GHCR push, and cleanup.
- Strict mode: `set -euo pipefail`. `automation/build.sh` runs with `-e` and toggles `set +e` only around the per-phase invocation (`automation/build.sh:234-237`); phase scripts themselves are strict.
- Arithmetic: `VAR=$((VAR + 1))`. Never `((VAR++))`: the arithmetic command exits non-zero when the expression evaluates to 0, and a post-increment from 0 does exactly that, so `set -e` aborts the script on the first iteration.
- Use `install_packages` / `install_packages_strict` / `install_packages_optional` from `automation/lib/packages.sh`. Never call `dnf install` on hard-coded names.
- File naming: `NN-name.sh`, where NN encodes execution order.
- `/ctx` is bind-mounted read-only from the `ctx` stage. Mutating writes go to `/tmp/build`.
- `SYSTEMD_OFFLINE=1` and `container=podman` prevent scriptlet hangs (set automatically by Podman; do not override).
- The final RUN must be `bootc container lint`.
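The following is an added example, not code from the mios repo, that demonstrates the strict-mode and arithmetic conventions above. `strict_count` runs a counter loop inside a `set -e` child shell so you can see `((n++))` abort when the counter starts at 0 but succeed when it starts at 1, which is why such scripts pass locally and fail in CI. `run_phases` shows the orchestrator shape the text describes (strict driver, `set +e` only around the phase call); its structure and the two phase scripts `demo_phases` writes are constructed here and are not copies of `automation/build.sh`.

```bash
#!/usr/bin/env bash
# Added example (not mios project code). Assumes only bash >= 4 and coreutils.
set -euo pipefail

# Run INCREMENT three times inside a strict child shell, with the counter
# starting at START. Prints the final value, or "aborted" if errexit killed
# the child before it reached the echo.
strict_count() {
  local start="$1" increment="$2"
  bash -c "set -euo pipefail; n=$start; for _ in a b c; do $increment; done; echo \"\$n\"" 2>/dev/null \
    || echo "aborted"
}

# Orchestrator pattern from the conventions above: the driver stays strict and
# only the per-phase invocation is wrapped in set +e, so a failing phase is
# recorded and reported instead of silently killing the driver mid-run.
# Prints the number of failed phases.
run_phases() {
  local phase rc failed=0
  for phase in "$@"; do
    set +e
    bash "$phase"
    rc=$?
    set -e
    if [ "$rc" -ne 0 ]; then
      echo "FAIL $phase (rc=$rc)" >&2
      failed=$((failed + 1))   # repo convention; never ((failed++))
    else
      echo "ok   $phase" >&2
    fi
  done
  echo "$failed"
}

# Constructed demo: two phase scripts named NN-name.sh so the glob sorts them in
# execution order. The first follows the convention, the second does not.
demo_phases() {
  local dir
  dir="$(mktemp -d)"
  printf '%s\n' '#!/usr/bin/env bash' 'set -euo pipefail' \
    'n=0; for _ in a b; do n=$((n + 1)); done' > "$dir/10-count-ok.sh"
  printf '%s\n' '#!/usr/bin/env bash' 'set -euo pipefail' \
    'n=0; for _ in a b; do ((n++)); done' > "$dir/20-count-bad.sh"
  run_phases "$dir"/[0-9][0-9]-*.sh
  rm -rf "$dir"
}

# Usage: demo_phases  -> reports "ok 10-count-ok.sh", "FAIL 20-count-bad.sh (rc=1)", prints 1
```

The `start=1` case is the dangerous one: `((n++))` evaluates to the old value, so it only returns non-zero on the increment from 0, and a script whose counter happens to begin at 1 in a developer's environment will pass every local run.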
- Immutable config: `/usr/lib/`.
- Admin-overridable config: `/etc/` (only when the upstream contract demands `/etc/`, e.g., yum repos, nvidia-container-toolkit).
- The `usr/`, `etc/`, `home/`, `srv/` directories at repo root mirror the deployed root; the overlay is applied by `automation/08-system-files-overlay.sh`.
- Per-rule individual `.te` modules, not monolithic.
- New booleans/fcontexts go in the `semanage` block of `automation/37-selinux.sh`.
- Bare-metal-only: `ConditionVirtualization=no` drop-in.
- WSL2-incompatible: `ConditionVirtualization=!wsl`.
- Optional: `systemctl enable ... || true`.
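An added example, not code from the mios repo, tying the config-placement rule (immutable config under `/usr/lib/`, never `/etc/`) to the systemd conditions above: it writes a `ConditionVirtualization` drop-in into the image-owned `/usr/lib/systemd/system/<unit>.d/` path and enables an optional unit with `|| true`. The drop-in file name `10-virtualization.conf`, the `ROOT` parameter (so the example can target a scratch directory instead of `/`), and the unit names are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not mios project code). Assumes bash and coreutils only;
# systemctl is invoked but its absence is tolerated.
set -euo pipefail

# Write a drop-in for UNIT restricting it with ConditionVirtualization=COND.
# ROOT is prepended so the function can be exercised in a temp dir; in a build
# phase it would be "" (the image root). Prints the path of the written file.
write_virt_condition_dropin() {
  local root="$1" unit="$2" cond="$3"
  case "$cond" in
    no|yes|!*|vm|container|kvm|qemu|wsl|docker|podman) ;;
    *) echo "unsupported ConditionVirtualization value: $cond" >&2; return 1 ;;
  esac
  # USR-OVER-ETC: image-owned config goes under /usr/lib, never /etc.
  local dir="$root/usr/lib/systemd/system/$unit.d"
  local file="$dir/10-virtualization.conf"
  mkdir -p "$dir"
  printf '[Unit]\nConditionVirtualization=%s\n' "$cond" > "$file"
  echo "$file"
}

# Bare-metal-only unit: skip it entirely when running under any hypervisor or
# container (ConditionVirtualization=no).
bare_metal_only() { write_virt_condition_dropin "$1" "$2" no; }

# Unit that must not start under WSL2 but is fine elsewhere.
not_under_wsl() { write_virt_condition_dropin "$1" "$2" '!wsl'; }

# Optional unit: enabling must never fail the build if the unit is absent.
enable_optional_unit() {
  systemctl enable "$1" 2>/dev/null || true
}
```

To check a condition against the host you are on, `systemd-analyze condition 'ConditionVirtualization=!wsl'` evaluates it and reports whether it would pass; that is a quicker sanity check than booting the image.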
- Branch from `main`.
- Local validation: `just build` (`bootc container lint` runs as the Containerfile's final RUN).
- If you added or changed packages, edit `usr/share/mios/mios.toml` under the matching `[packages.<section>]` table (the configurator HTML at `usr/share/mios/configurator/index.html` is the WYSIWYG editor for the same file). Update `usr/share/doc/mios/reference/PACKAGES.md` in the same PR if the prose rationale changes.
- If user-facing, bump `VERSION`.
- Open a PR against `main`.
- Bug Report -- for broken behavior.
- Feature Request -- for new functionality.
- Security -- see `SECURITY.md` for private disclosure.
Contributions are accepted under the project license (Apache-2.0, `LICENSE`).
- bootc: https://github.com/containers/bootc
- bootc-image-builder: https://github.com/osbuild/bootc-image-builder
- bootc docs: https://bootc-dev.github.io/bootc/
- Universal Blue (uCore base): https://github.com/ublue-os/main
- uupd: https://github.com/ublue-os/uupd
- rechunk: https://github.com/hhd-dev/rechunk
- cosign: https://github.com/sigstore/cosign
- bootstrap repo (user-facing installer): https://github.com/mios-dev/mios-bootstrap