From frostyard-os
WHEN: Building, testing, or publishing bootc/mkosi images. WHEN NOT: General container/Docker workflows unrelated to mkosi.
Slash command
/frostyard-os:image-building
Guide to building, testing, and publishing frostyard OS images with mkosi and just.
Install on Debian/Ubuntu:
pipx install mkosi # mkosi v24+ (not available in distro repos)
sudo apt install just buildah systemd-container
just # List all targets
just sysexts # Build base + all 8 sysexts
just snow # Build snow desktop image
just snowloaded # Build snowloaded variant
just snowfield # Build snowfield (Surface kernel)
just snowfieldloaded # Build snowfieldloaded variant
just clean # Remove build artifacts
All just targets run mkosi clean first — every build is a clean build.
For each image, mkosi runs scripts in this order:
Scripts are specified in mkosi.conf via BuildScripts=, PostInstallationScripts=, etc. Scripts in profiles compose with (not replace) base image scripts.
set -euo pipefail
.chroot file extension
External binaries and resources are downloaded with integrity verification:
shared/download/checksums.json — pins URLs with SHA256 hashes and versions
shared/download/verified-download.sh — provides the verified_download() helper
Usage in build scripts:
source "$BUILDROOT/../shared/download/verified-download.sh"
verified_download "package-key" "/tmp/package.deb"
dpkg -i /tmp/package.deb
Add entry to shared/download/checksums.json:
{
  "package-key": {
    "url": "https://example.com/package-1.0.0-amd64.deb",
    "sha256": "<hash>",
    "version": "1.0.0"
  }
}
Pin to a specific version/commit — never use latest or branch names
Add a corresponding update check to .github/workflows/check-dependencies.yml
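The pinning rules above can be checked before a build downloads anything. The following is an added example, not frostyard's `verified-download.sh` or CI code: a lint for the `checksums.json` shape shown above plus a fail-closed hash check. The function names, the https requirement and the list of floating refs are assumptions.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import urlparse

# Constructed sample in the checksums.json shape shown above (not real packages).
SAMPLE = {
    "good-pkg": {
        "url": "https://example.com/good-1.0.0-amd64.deb",
        "sha256": hashlib.sha256(b"constructed payload").hexdigest(),
        "version": "1.0.0",
    },
    "floating": {
        "url": "https://example.com/releases/latest/tool.deb",
        "sha256": "abc123",
        "version": "latest",
    },
}
FLOATING = {"latest", "main", "master", "head"}  # assumed list of unpinned refs

def lint_manifest(manifest):
    """Return 'key: problem' strings; an empty list means every entry is pinned."""
    problems = []
    for key, entry in manifest.items():
        url = urlparse(entry.get("url", ""))
        if url.scheme != "https":
            problems.append(f"{key}: url is not https")
        if FLOATING & {seg.lower() for seg in url.path.split("/")}:
            problems.append(f"{key}: url contains a floating ref")
        if not re.fullmatch(r"[0-9a-fA-F]{64}", entry.get("sha256", "")):
            problems.append(f"{key}: sha256 is not 64 hex characters")
        if str(entry.get("version", "")).lower() in FLOATING | {""}:
            problems.append(f"{key}: version missing or floating")
    return problems

def verify_artifact(manifest, key, path):
    """Hash the file at path against the pinned sha256; delete it on mismatch."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    ok = hmac.compare_digest(digest.hexdigest(), manifest[key]["sha256"].lower())
    if not ok:
        os.unlink(path)  # fail closed: no unverified file is left for dpkg -i
    return ok

if __name__ == "__main__":
    for problem in lint_manifest(SAMPLE):
        print(problem)
```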
Desktop images are packaged as OCI containers via shared/outformat/image/buildah-package.sh:
ghcr.io in CI
To build an OCI image locally:
just snow # Builds image + runs buildah packaging
buildah images # Verify the OCI image was created
The just targets for desktop profiles automatically invoke the buildah postoutput script.
| Workflow | Purpose |
|---|---|
| build.yml | Builds base + sysexts, publishes to Frostyard repo (Cloudflare R2) |
| build-images.yml | Matrix build of 4 desktop profiles, pushes OCI to ghcr.io |
| check-dependencies.yml | Weekly check for external dependency updates, creates PRs |
sudo mkosi -f -i <sysext-name>
This builds only the specified image (plus its dependencies like base).
Boot a built desktop image with QEMU:
sudo mkosi qemu # Boot the default profile image
sudo mkosi -p snow qemu # Boot a specific profile
mkosi handles VM configuration (UEFI, TPM, disk) automatically. Use Ctrl-A X to exit QEMU.
| Symptom | Cause | Fix |
|---|---|---|
| Permission denied | Missing sudo | All mkosi builds require sudo |
| Package not found | Missing repository | Check Repositories= in root mkosi.conf |
| Script fails silently | Missing set -euo pipefail | Add to top of every script |
| Sysext not in output | Missing from Dependencies= | Add image name to root mkosi.conf |
| Stale build artifacts | Incremental cache | Run just clean or mkosi clean first |
For verbose output: sudo mkosi -f -i <name> --debug
npx claudepluginhub frostyard/frostyard-ai --plugin frostyard-os