➜ ~/coming-soon
Welcome to Miasma OS - An immutable, security-first, Arch-based distribution. Designed to be secure by default but modern and user-friendly.
Overview:
MiasmaOS aims to be a security-hardened, immutable, and opinionated Linux distribution built on top of Arch Linux. While this distribution takes inspiration from GrapheneOS, Secureblue, DivestOS, and many other security-focused systems, the goal here is to make a secure distribution that is also modern and easy to use without much configuration. It is an attempt to break the perceived security vs usability tradeoff by creating a system that is highly secure by default, but modern and snappy, with sensible defaults.
Security features
- Custom kernel that adds additional security to the hardened-linux kernel
- Applications run with hardened_malloc by GrapheneOS
- Flatpak app store for installing GUI applications
- Immutable base, so root files cannot be tampered with
- Firejail and AppArmor for additional containerization of non-Flatpak applications
- XWayland-Satellite rather than XWayland. This offers more isolation and better compatibility for X11 apps.
- Cosmic desktop. Whilst I can acknowledge the Cosmic desktop is still in beta, it is written in Rust (memory safety) and does not contain the amount of unsafe X11 code that other desktop environments like Gnome and KDE Plasma have. It's both a logical choice and good futureproofing.
- OpenDoas to replace sudo. This distro doesn't completely remove elevated privileges (by default), but it does replace sudo with doas. doas was ported from OpenBSD and has a smaller codebase, so it has a smaller attack surface and is easier to maintain.
- doas has also been limited. If you must run higher-privilege commands that are out of scope for doas, please use run0. run0 removes set-uid binaries, creates an isolated execution environment for commands, and uses Polkit to manage permissions. The distribution does attempt to treat you like an adult, and you can use elevated permissions, but this is deliberately made somewhat inconvenient to discourage and minimize it.
- Module blacklist, copied from Secureblue
- Brace scripts by DivestOS to add hardened policies to certain applications.
- Boot and system integrity: MiasmaOS boots through systemd-boot with Secure Boot enabled on UEFI firmware. The boot chain is measured with the TPM 2.0, guaranteeing that every component, from the bootloader to the kernel and initramfs, is cryptographically verified before execution.
- Btrfs root with a dedicated @snapshots subvolume for rollback.
- Optional LUKS2 encryption (AES-XTS, 256-bit key) on install.
- Preinstalled vulnerability checks, so users can scan their own system for Spectre, Meltdown, and other vulnerabilities.
Additional Features
- The default browser is a slightly modified version of Ungoogled-Chromium. Ungoogled-Chromium needs certain flags switched on for full Wayland support, and since avoiding anything X11 is a top priority of this distribution, those flags need to be on by default. Additionally, the Chromium-Web-Store extension by NeverDecaf comes preinstalled, so users can access their favorite browser extensions. Note that browser extensions can be a big security risk, and only a handful of extensions are approved by default (SkewedZeppelin Brace policy), but this can be modified by copying the policies from /etc/chromium into ~/.config/chromium.
Additional note on this: Ungoogled-Chromium is not simply "Chromium without Google". There are many privacy and security features that have been added to the browser that allow it to stand on its own among other browsers like Brave, Librewolf, Mullvad etc.
- Neovim is the default text editor and Vim is not installed. Additionally this is preconfigured with LazyVim. This is what I use and I don't really see a purpose for Vim in a modern desktop environment.
- Kanagawa Dragon theme everywhere.
- Alacritty is the default terminal. I prefer Ghostty, but with memory safety in mind, I went with as many Rust apps as I could. Why not Wezterm? For now, Alacritty feels like more of a stable long-term project to me. I may be wrong, but that is the vibe I get.
- Zsh is the default shell. Bash is still included as it is required for root processes, but Zsh is the default shell here as we are attempting to build a modern and convenient distribution that also happens to be extremely secure.
- The 'MiasmaAUR' user repository is also available for additional packages. All these packages have been signed, and are available for auditing. Keeping this repository small makes it easier to vet the packages rather than using yay or paru and downloading from the entire AUR catalog. Please audit these packages yourself and send any requests for packages you would like to be added to the repository.
➜ ~/git.miasma-os.com
Welcome to the MiasmaAUR instance.
Git links:
➜ ~/wiki.miasma-os.com
Welcome to the Wiki
Useful links:
➜ ~/about_us
Coming soon - Miasma OS is still in development
The inspiration for building Miasma OS is simply that I have done so much hardening to Arch Linux on my desktop, and while all the policies and tools have made my desktop secure, the usability is still excellent. There is very little tradeoff between security and usability in my configuration.
The problem was that I also had to maintain this on other devices such as my laptop. I was wishing that there was a pre-configured desktop that matched all my needs, one that I could install on a laptop and not have to maintain with the same time and frequency that I maintain my desktop. I tried other options but did not find anything that checked all the boxes:
- Arch based
- Immutable so I don't have to worry about it
- Security focused defaults
- Modern desktop environments and window managers
So the goal was personal, but I really do think this is something missing despite all the custom ISOs out there.
Miasma OS is, at the end of the day, Arch with a bunch of post-install scripts, similar to something like Omarchy, but the philosophy and goal of the project are its distinguishing factor.