A sovereign Linux distribution engineered for the Orzatty ecosystem — built on Linux 6.18.5, Debian Bookworm, KDE Plasma 6, and natively integrating CENTINELA security and OrzattyAccount SSO from the kernel up.
OrzattyOS is the institutional operating system of the Orzatty ecosystem. Like Alphabet's ChromeOS or Apple's macOS, it represents the foundation on which all Orzatty software products will eventually run — providing a sovereign, fully controlled compute platform under the governance of ORZ Holdings.
The core design principle is integration without compromise: rather than being a generic Linux distribution with Orzatty branding applied as a skin, OrzattyOS is purpose-built to natively consume ecosystem services. Installing OrzattyOS means the CENTINELA security engine runs as a system service from first boot, OrzattyAccount manages authentication at the PAM layer, OrzattyDrive mounts as a FUSE filesystem, and the Orzatty Protocol daemon establishes P2P mesh connectivity automatically.
| Component | Choice | Rationale |
|---|---|---|
| Kernel | Linux 6.18.5 vanilla | No distribution patches — clean, auditable source. Custom -orzatty suffix applied. |
| Base System | Debian Bookworm via debootstrap | Minimal trust chain — only Debian's signed package archive as upstream. |
| Desktop Environment | KDE Plasma 6 + Wayland | Most feature-complete Wayland-native desktop. Material Design 3 theming support. |
| Display Server | Wayland (Weston/KWin) | Eliminates X11 security model weaknesses (unrestricted keylogging, screenshot access). |
| Init System | systemd | Native integration with CENTINELA services and OrzattyAccount PAM. |
| Login Manager | SDDM | Native KDE Plasma display manager. Supports PAM modules for SSO. |
| Package Format | .deb (dpkg/apt) | Largest ecosystem, reproducible builds, strong cryptographic signing. |
| Default Filesystem | ext4 (btrfs optional) | Most stable, widest driver support. btrfs available for users wanting snapshots. |
| Bootloader | GRUB 2 | Supports both BIOS and UEFI. Mature, widely audited. |
| Installer | Calamares | Framework-agnostic graphical installer with modular plugin system. |
| Architecture | amd64 (x86_64) | Initial target. ARM64 planned for Phase 2. |
The kernel is compiled from the unmodified linux-6.18.5.tar.xz source with a minimal, purpose-built .config optimized for desktop responsiveness, CENTINELA security integration, and ecosystem hardware requirements.
# Identity
CONFIG_LOCALVERSION="-orzatty"
CONFIG_DEFAULT_HOSTNAME="orzatty"
# Preemption model — full preemption for responsive desktop
CONFIG_PREEMPT=y
CONFIG_HZ_1000=y # 1000Hz timer for 1ms task scheduling granularity
CONFIG_HZ=1000
# Filesystems
CONFIG_EXT4_FS=y
CONFIG_BTRFS_FS=m # Optional — loaded on demand
CONFIG_FUSE_FS=y # CRITICAL: Required for OrzattyDrive FUSE client
CONFIG_CUSE=m # Character device in userspace (FUSE extension)
# Network Security (CENTINELA dependency)
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_NF_TABLES=y # nftables for CENTINELA firewall backend
# Mandatory Access Control
CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y # AppArmor active by default
CONFIG_AUDIT=y # Kernel audit subsystem for CENTINELA event stream
# Cryptography (CENTINELA hardware-accelerated paths)
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_CHACHA20POLY1305=y # AEAD for Orzatty Protocol transport
# GPU drivers (modular — loaded only if hardware present)
CONFIG_DRM=y
CONFIG_DRM_I915=m # Intel iGPU
CONFIG_DRM_AMDGPU=m # AMD Radeon
CONFIG_DRM_NOUVEAU=m # NVIDIA open-source
# Virtualization (KVM — for development environments)
CONFIG_KVM=m
CONFIG_KVM_INTEL=m
CONFIG_KVM_AMD=m
# Power management
CONFIG_ACPI=y
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_GOV_PERFORMANCE=y # Default governor: performanceThe kernel is compiled using make bindeb-pkg, which generates a self-contained .deb package that can be deployed via the standard dpkg toolchain:
# 1. Extract sources
tar -xf linux-6.18.5.tar.xz && cd linux-6.18.5
# 2. Apply Orzatty configuration
cp ../kernel/config-orzatty-amd64 .config
# 3. Compile (parallel on all cores)
make -j$(nproc) bindeb-pkg
# Outputs:
# linux-image-6.18.5-orzatty_1.0_amd64.deb (kernel + modules)
# linux-headers-6.18.5-orzatty_1.0_amd64.deb (header files)
# linux-libc-dev_1.0_amd64.deb (userspace API headers)build-essential libncurses-dev flex bison libssl-dev libelf-dev bc dwarves debhelperThe root filesystem is constructed via debootstrap — Debian's official bootstrap tool — which fetches packages directly from Debian's signed repositories and verifies every package signature. This process produces a minimal but functional Debian Bookworm base.
ROOTFS="./build/rootfs"
mkdir -p $ROOTFS
# Two-Stage Bootstrap
# Stage 1: Fetch and verify packages from Debian mirrors
debootstrap --arch=amd64 --variant=minbase bookworm $ROOTFS http://deb.debian.org/debian
# Stage 2: Mount pseudo-filesystems (required for package scripts)
mount --bind /dev $ROOTFS/dev
mount --bind /dev/pts $ROOTFS/dev/pts
mount -t proc proc $ROOTFS/proc
mount -t sysfs sysfs $ROOTFS/sys
# Install kernel and Orzatty packages inside chroot
cp linux-image-6.18.5-orzatty_*.deb $ROOTFS/tmp/
cp centinela-security_*.deb $ROOTFS/tmp/
chroot $ROOTFS /bin/bash /tmp/configure-base.sh
# Unmount after configuration
umount $ROOTFS/{sys,proc,dev/pts,dev}OrzattyOS deliberately avoids the "kitchen sink" approach of large distributions like Ubuntu. The default installation includes only what is necessary for a functional desktop, with emphasis on:
firmware-linux-nonfree is available in the repositories but not installed by default. The installer offers an opt-in during setup.Every OrzattyOS component ships as a signed .deb package, enabling clean installation, upgrade, and removal via the standard dpkg/apt toolchain. Each package follows a strict structure:
package-name/
├── DEBIAN/
│ ├── control # Metadata: Name, Version, Architecture, Dependencies, Description
│ ├── postinst # Post-installation script (register services, apply AppArmor profiles)
│ ├── prerm # Pre-removal cleanup
│ └── conffiles # List of configuration files (preserved on upgrade)
└── (files installed relative to filesystem root /)orzatty-os-baseOS branding, APT sources for Orzatty repository, MOTD, neofetch config, /etc/os-release
orzatty-desktopKDE Plasma 6 theme, icon set, wallpapers, SDDM theme, Konsole color profile
centinela-securityCENTINELA daemon, nftables firewall rules, AppArmor profiles for all Orzatty apps, auditd config
orzatty-account-pamPAM module pam_orzatty.so for SSO authentication at login screen
orzatty-drive-clientFUSE-based multi-cloud storage client. Mounts OrzattyCloud storage at ~/OrzattyDrive
orzatty-protocol-clientOrzatty Protocol mesh daemon. Establishes P2P connectivity automatically on boot
All packages in the Orzatty APT repository are signed with a 4096-bit RSA key managed by ORZ Holdings's key signing infrastructure — separate from the operational system, stored in an offline hardware security module (HSM). Users add the Orzatty repository key during installation and benefit from APT's built-in signature verification on every update.
The Orzatty desktop theme is a Material Design 3-inspired visual system for KDE Plasma 6, targeting both productivity and aesthetic coherence across the entire ecosystem. It comprises 7 components:
Orzatty.colors): Light and dark variants with WCAG 2.1 AA contrast ratiosorzatty-icons): Modern flat icon set following Google Material Icons conventionsAll color assignments respect a minimum contrast ratio of 4.5:1 for normal text and 3:1 for large text, fulfilling WCAG 2.1 Level AA requirements across both dark and light variants.
The final distributable artifact is a hybrid ISO image that boots on both legacy BIOS hardware and modern UEFI systems. The build process uses xorriso to generate an El Torito-compliant image with both ISOLINUX (BIOS) and GRUB EFI (UEFI) boot entries.
# 1. Compress root filesystem into squashfs (read-only layered FS for live boot)
mksquashfs build/rootfs build/iso/live/filesystem.squashfs \
-comp xz -Xbcj x86 -Xdict-size 1M
# 2. Copy kernel and initramfs
cp build/rootfs/boot/vmlinuz-6.18.5-orzatty build/iso/boot/
cp build/rootfs/boot/initrd.img-6.18.5-orzatty build/iso/boot/
# 3. Generate hybrid ISO (BIOS + UEFI in one image)
xorriso -as mkisofs \
-iso-level 3 \
-o build/orzatty-os-1.0-amd64.iso \
-full-iso9660-filenames \
-volid "OrzattyOS 1.0" \
-isohybrid-mbr /usr/lib/ISOLINUX/isohdpfx.bin \
-eltorito-boot isolinux/isolinux.bin \
-no-emul-boot -boot-load-size 4 -boot-info-table \
-boot-catalog isolinux/boot.cat \
-eltorito-alt-boot \
-e EFI/boot/efiboot.img \
-no-emul-boot \
-isohybrid-gpt-basdat \
build/isoThe -isohybrid-mbr flag makes the ISO directly writable to a USB drive (dd if=orzatty-os-1.0.iso of=/dev/sdX) and bootable as a USB drive on BIOS systems — eliminating the need for separate USB creation tools like Rufus or Balena Etcher in most cases.
OrzattyOS uses Calamares, the distribution-agnostic graphical system installer used by KDE Neon, Manjaro, and dozens of other distributions. Its modular architecture allows Orzatty to inject custom modules at any stage of the installation pipeline.
OrzattyOS is the primary deployment target of the CENTINELA Security Suite. From the moment the system boots, CENTINELA's 7-crate security engine operates as a set of systemd services with strict process isolation:
# CENTINELA service units (all active from boot)
centinela-kernel.service → Kernel monitor + AppArmor profile enforcer
centinela-network.service → Network flow analyzer + DDoS detector
centinela-gateway.service → Outbound request filter + TLS enforcer
# Firewall management (via centinela-network, writing to nftables)
systemctl status nftables.service → Managed by CENTINELAAppArmor profiles for all Orzatty applications are shipped in the centinela-security package and automatically loaded by centinela-kernel.service. These profiles whitelist the specific files, capabilities, and network addresses each application is allowed to access — a violation immediately triggers a CENTINELA Intrusion event.
OrzattyOS provides seamless single sign-on across the operating system and all web services via a PAM (Pluggable Authentication Module) integration with OrzattyAccount. The module pam_orzatty.so is installed by the orzatty-account-pam package and plugged into the PAM stack at the login level:
# /etc/pam.d/sddm (modified by orzatty-account-pam)
auth required pam_unix.so try_first_pass
auth optional pam_orzatty.so server=account.orzatty.com
session required pam_loginuid.so
session optional pam_orzatty.so setup_session=1When a user logs in with their OrzattyAccount credentials, pam_orzatty.so validates the token against the OrzattyAccount Auth Service and, if successful, establishes a session token stored in /run/user/$UID/orzatty-session. All OrzattyOS applications (OrzattyDrive, Rany IDE, CENTINELA CLI) automatically inherit this session without requiring the user to re-authenticate.
| Order | Phase | Estimated Effort | Dependencies | Status |
|---|---|---|---|---|
| 1 | Kernel config + build scripts | 1 session | Linux build host | In Progress |
| 2 | Debian base RootFS scripts | 1 session | Linux build host | In Progress |
| 3 | .deb package structure (all 6) | 2 sessions | Phases 1-2 | Planned |
| 4 | KDE Plasma 6 theme assets | 1 session | None | Design Phase |
| 5 | ISO builder scripts | 1 session | Phases 1-4 | Planned |
| 6 | Calamares installer config | 1 session | Phase 5 | Planned |
| 7 | First real build (on Linux host) | 1 session | All above | Planned |