- Nov 11, 2022
- 48
I am running Fedora Silverblue 37 on my Surface Go tablet. Fedora Silverblue is an immutable operating system, meaning that it cannot end up in an unrecoverable state due to software.
To achieve this Fedora Silverblue mounts the system as read only, you only have write access to a handful of folders like /var/home/%username%/. This means you cannot install software the traditional way. Instead you are meant to use Flatpaks, which can have their permissions managed by the program Flatseal. For those programs that are only available as .rpm files, you have two options. Either layer the RPM on top of the system by installing it with rpm-ostree, or install it in a toolbox (which is just a Podman container with access to devices and /var/home/ on the host.) Obviously the latter is the preferred method.
Fedora Silverblue's system files are stored in snapshots with rpm-ostree providing a method similar to git (but for system files.) When you update the system it creates a new system snapshot, applies the updates to that, then when you reboot it boots into that new snapshot. It then leaves the last few for you to roll back to in case something goes sideways.
Managing permissions of programs with Flatseal is critical to privacy. For example, I have Microsoft Edge installed but it only has access to my downloads folder. The read only file system and SELinux in enforced mode also provide some resiliency against most malware. This isn't my primary device, my main computer is running Qubes OS.
For my files I host a Nextcloud server (Ubuntu, public cloud provider) with E2E encryption and encryption at rest. Those get backed up to an isolated virtual machine in my home running Open Suse MicroOS. That server then encrypts and uploads the files to S3 storage in the cloud.
To achieve this Fedora Silverblue mounts the system as read only, you only have write access to a handful of folders like /var/home/%username%/. This means you cannot install software the traditional way. Instead you are meant to use Flatpaks, which can have their permissions managed by the program Flatseal. For those programs that are only available as .rpm files, you have two options. Either layer the RPM on top of the system by installing it with rpm-ostree, or install it in a toolbox (which is just a Podman container with access to devices and /var/home/ on the host.) Obviously the latter is the preferred method.
Fedora Silverblue's system files are stored in snapshots with rpm-ostree providing a method similar to git (but for system files.) When you update the system it creates a new system snapshot, applies the updates to that, then when you reboot it boots into that new snapshot. It then leaves the last few for you to roll back to in case something goes sideways.
Managing permissions of programs with Flatseal is critical to privacy. For example, I have Microsoft Edge installed but it only has access to my downloads folder. The read only file system and SELinux in enforced mode also provide some resiliency against most malware. This isn't my primary device, my main computer is running Qubes OS.
For my files I host a Nextcloud server (Ubuntu, public cloud provider) with E2E encryption and encryption at rest. Those get backed up to an isolated virtual machine in my home running Open Suse MicroOS. That server then encrypts and uploads the files to S3 storage in the cloud.