Skip to content
/ outpost Public
generated from blue-build/template

Fedora Kinoite based image with built in DoD CAC support.

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

large-farva/outpost

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

91 Commits
.github
.github
 
 
assets
assets
 
 
certificates
certificates
 
 
files
files
 
 
recipes
recipes
 
 
.editorconfig
.editorconfig
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
cosign.pub
cosign.pub
 
 

Repository files navigation

Outpost logo

Outpost

Outpost is a custom Fedora Kinoite immutable desktop image built with BlueBuild.

It is based on the official upstream Fedora Kinoite image and provides a CAC-ready Fedora workstation with curated defaults and no post-install configuration required.

Outpost is designed for environments where Common Access Card (CAC) authentication and DoD PKI trust are required.

Features

DoD CAC support

  • opensc
  • pcsc-lite, pcsc-lite-ccid
  • pcsc-tools
  • p11-kit
  • pcscd.socket enabled for on-demand activation

Outpost does not ship CACKey, CoolKey, or proprietary vendor middleware.
OpenSC is the supported and tested provider.

DoD trust anchors

  • Official DoD PKCS#7 certificate bundle is vendored in the repository
  • ZIP filename is unchanged from the official distribution
  • Certificates are extracted, converted to PEM, and installed into the system trust store at build time

Firefox

  • Firefox is installed as an RPM, not a Flatpak
  • Uses system NSS, PKCS#11, and CA trust integration
  • CAC works without per-user manual setup in normal cases

Curated Flatpak baseline

  • Kontainer
  • OnlyOffice
  • Signal
  • XCA

Installation

⚠️ You must rebase from Fedora Kinoite or a Kinoite-based image.

1. Bootstrap

rpm-ostree rebase ostree-unverified-registry:ghcr.io/large-farva/outpost:latest
sudo systemctl reboot

2. Rebase to the signed image

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/large-farva/outpost:latest
sudo systemctl reboot

Verification

Outpost images are signed using Sigstore Cosign.

Verify with the included public key:

cosign verify --key cosign.pub ghcr.io/large-farva/outpost:latest

CAC Support

Outpost includes all middleware and trust components required for CAC authentication.

Supported:

  • Firefox (RPM)
  • System-wide PKCS#11 and CA trust integration

Not supported:

  • Flatpak browsers
  • Proprietary middleware

Documentation

Detailed documentation is available in the Wiki.

This includes:

  • CAC architecture and behavior
  • Diagnostics and troubleshooting
  • Firefox-specific behavior
  • Trust store handling
  • Network and captive portal considerations

Please review the wiki before opening an issue.

Roadmap

Near-term

  • Documentation polish
  • Diagnostics refinement

Longer-term

  • Okular support for CAC based PDF signing
  • NVIDIA-compatibile image variant

Issues

When reporting issues, include relevant diagnostics from the wiki where applicable.

About

Fedora Kinoite based image with built in DoD CAC support.

Topics

linux immutable atomic operating-system oci oci-image image-based custom-image bluebuild linux-custom-image

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Packages

 
 
 

Contributors

Languages