endlessm · Oct 15, 2025 · Oct 13, 2025 · Oct 10, 2025 · Oct 1, 2025 · Oct 13, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -46,6 +46,16 @@ jobs:
             secret/secure-boot-signer/api-users/ostree-builder password | SBSIGNER_PASSWORD ;
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
 
+      - name: Fetch Github read credentials from Vault
+        uses: hashicorp/vault-action@v3
+        with:
+          url: https://vault.endlessos.org
+          method: jwt
+          path: ghactions
+          role: endlessm-eos-build-meta
+          secrets: |
+            secret/github/users/eos-backup token | EOS_BACKUP_TOKEN ;
+
       - name: Configure BuildStream
         run: |
           # Certificate for BuildStream cache
@@ -66,7 +76,7 @@ jobs:
             max-jobs: 4
           logging:
             key-length: 0
-            verbose: false
+            verbose: true
             error-lines: 20
             message-lines: 20
             debug: false
@@ -129,6 +139,10 @@ jobs:
           machine sb-signer.endlessm-sf.com
           login ostree-builder
           password ${SBSIGNER_PASSWORD}
+
+          machine github.com
+          login eos-backup
+          password ${EOS_BACKUP_TOKEN}
           EOF
           chmod 600 ~/.netrc
 
@@ -146,13 +160,21 @@ jobs:
                 timeout: 30
           EOF
           source venv/bin/activate
-          bst -o signed_boot endless build --retry-failed eos/repo.bst
+          bst -o payg true -o signed_boot endless build --retry-failed eos/repo.bst
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
 
       - name: Build root filesystem (signed_boot=snakeoil)
         run: |
+          echo "Set up ~/.netrc"
+          cat >> ~/.netrc << EOF
+          machine github.com
+          login eos-backup
+          password ${EOS_BACKUP_TOKEN}
+          EOF
+          chmod 600 ~/.netrc
+
           source venv/bin/activate
-          bst -o signed_boot snakeoil build eos/repo.bst
+          bst -o payg true -o signed_boot snakeoil build --retry-failed eos/repo.bst
         if: ${{ github.event_name == 'pull_request' || github.ref != 'refs/heads/main' }}
 
       - name: Export OSTree commit and push it

diff --git a/TEST_MATRIX.md b/TEST_MATRIX.md
@@ -34,10 +34,13 @@ hardware support is working. Others can be on a laptop or VM.
 
 ## Testing the Image stage
 
-There is 1 variant of the image stage:
+Image variants are listed in [`doc/overview/images.md`](./doc/overview/images.md).
 
-  * product=eos flavor=base platform=amd64
+We currently test two of these variants:
 
-The following scenarios need to be tested for the image:
+  1. eos-amd64-amd64-base
+  2. eosimpact-amd64-payg-base
+
+The following scenarios need to be tested for each image:
 
   1. Boot the disk image in a VM, using UEFI firmware with Secure Boot enabled.
diff --git a/doc/howto/build.md b/doc/howto/build.md
@@ -221,9 +221,11 @@ output.
 
 ## Image build stage
 
-See `doc/overview/build.md` for an overview of the image build process and
-links to external documentation. Read on for instructions on how to run the
-image build.
+See `doc/overview/images.md` for an overview of the different Endless OS images
+variants and links for further reading.
+
+This document covers how to build the `eos-amd64-amd64-base` variant. The PAYG variant
+can only be built inside Endless.
 
 ### Automated builds
 

diff --git a/doc/overview/build.md b/doc/overview/build.md
@@ -122,6 +122,7 @@ This stage is defined in [eos-image-builder.git](https://github.com/endlessm/eos
 
 For more information on this stage, see:
 
+  * [`doc/overview/images.md`](./doc/overview/images.md)
   * The eos-image-builder
     [README](https://github.com/endlessm/eos-image-builder/blob/master/README.md)
   * The Endless Support & Training page

diff --git a/doc/overview/images.md b/doc/overview/images.md
@@ -0,0 +1,48 @@
+# EOS7 images
+
+This is an overview of the available types of image for Endless OS 7
+and how they are produced. It's up to date as of 2025-10-10.
+
+## Image variants
+
+Official images of Endless OS are built in an internal CI system with a set of
+predefined configs.
+
+The latest in-development version is built by "nightly-master-pipeline", which
+produces the variants documented below.
+
+Release pipelines can produce more variants which aren't listed here. And since
+Endless OS is developed in the open, there can be an infinite variety of
+unofficial builds as well.
+
+## eos-amd64-amd64-base
+
+This image variant targets all users.
+
+To produce it, CI calls eos-image-builder with the following flags:
+
+    --product=eos --arch=amd64 --platform=amd64 --personality=base
+
+Image files for this variant use the prefix `eos-amd64-amd64`.
+
+## eosinstaller-amd64-amd64-base
+
+TBD
+
+## eosimpact-amd64-payg-base
+
+This image is specifically for Pay-as-you-Go laptops. It includes private
+components and can only be built inside Endless.
+
+To produce it, CI calls eos-image-builder with the following flags:
+
+    --product=eosimpact --arch=amd64 --platform=payg --personality=base
+
+# Image build process
+
+Images are built using eos-image-builder. Here is are documentation links:
+
+  * The [eos-image-builder README](https://github.com/endlessm/eos-image-builder/blob/master/README.md)
+  * The ["Endless OS Image Builder"](https://support.endlessos.org/en/deployment/image-builder) support guide.
+
+If you want a guide to building images locally, see [`doc/howto/build.md`](doc/howto/build.md).
diff --git a/elements/components/systemd-base.bst b/elements/components/systemd-base.bst
@@ -0,0 +1,113 @@
+kind: meson
+
+sources:
+- kind: git_repo
+  url: github:endlessm/systemd
+  track: 161-rebase-256.17
+  ref: Version_256.17-9-gba32d89741ca101e4a14a2a04020628dcc11dcc6
+
+build-depends:
+- freedesktop-sdk.bst:bootstrap-import.bst
+- freedesktop-sdk.bst:public-stacks/buildsystem-meson.bst
+- freedesktop-sdk.bst:components/audit.bst
+- freedesktop-sdk.bst:components/gperf.bst
+- freedesktop-sdk.bst:components/m4.bst
+- freedesktop-sdk.bst:components/libcap.bst
+- freedesktop-sdk.bst:components/libgcrypt.bst
+- freedesktop-sdk.bst:components/libgpg-error.bst
+- freedesktop-sdk.bst:components/libseccomp.bst
+- freedesktop-sdk.bst:components/lz4.bst
+- freedesktop-sdk.bst:components/zstd.bst
+- freedesktop-sdk.bst:components/util-linux-full.bst
+- freedesktop-sdk.bst:components/linux-pam.bst
+- freedesktop-sdk.bst:components/kmod.bst
+- freedesktop-sdk.bst:components/pyelftools.bst
+- freedesktop-sdk.bst:components/libxslt.bst
+- freedesktop-sdk.bst:components/docbook-xsl.bst
+- freedesktop-sdk.bst:components/cryptsetup-lvm2-stage1.bst
+- freedesktop-sdk.bst:components/p11-kit.bst
+- freedesktop-sdk.bst:components/libfido2.bst
+- freedesktop-sdk.bst:components/libidn2.bst
+- freedesktop-sdk.bst:components/openssl.bst
+- freedesktop-sdk.bst:components/python3-jinja2.bst
+- freedesktop-sdk.bst:components/apparmor.bst
+- freedesktop-sdk.bst:components/tpm2-tss.bst
+- freedesktop-sdk.bst:components/curl.bst
+- freedesktop-sdk.bst:components/libqrencode.bst
+- freedesktop-sdk.bst:components/iptables.bst
+- freedesktop-sdk.bst:components/libxkbcommon.bst
+- freedesktop-sdk.bst:components/llvm.bst # for compiling bpf
+- freedesktop-sdk.bst:components/libmicrohttpd.bst
+- freedesktop-sdk.bst:components/libarchive.bst
+- gnome-build-meta.bst:core-deps/python-pefile.bst
+
+config:
+  install-commands:
+    (>):
+    - |
+      shopt -s nullglob
+      for name in %{install-root}%{indep-libdir}/systemd/boot/efi/*.elf.stub
+      do
+      chmod a-x ${name}
+      done
+      shopt -u nullglob
+
+variables:
+  efi: 'false'
+  bootloader: 'disabled'
+  (?):
+  - arch in ["x86_64", "i686", "arm", "aarch64", "riscv64"]:
+      efi: 'true'
+      bootloader: 'enabled'
+  meson-local: >-
+    -Dsysvinit-path=%{sysconfdir}/init.d
+    -Dsystem-uid-max=999
+    -Dsystem-gid-max=999
+    -Dusers-gid=100
+    -Dbootloader=%{bootloader}
+    -Defi=%{efi}
+    -Dfirstboot=true
+    -Ddefault-dnssec=no
+    -Didn=true
+    -Dman=enabled
+    -Dhtml=enabled
+    -Dtpm=true
+    -Dsbat-distro=gnome-os
+    -Dsbat-distro-generation=1
+    -Dsbat-distro-summary="GNOME OS"
+    -Dsbat-distro-url=https://gitlab.gnome.org/GNOME/gnome-build-meta
+    -Dversion-tag="$(git describe --abbrev=7 | sed "s/^v//")"
+    -Dxenctrl=disabled
+    -Dgnutls=disabled
+    -Dglib=disabled
+    -Ddbus=disabled
+    -Dbpf-framework=disabled
+    -Dstatus-unit-format-default=combined
+    -Dselinux=disabled
+
+public:
+  cpe:
+    vendor: 'freedesktop'
+    product: 'systemd'
+    version-match: '\d+'
+
+  bst:
+    split-rules:
+      systemd-libs:
+      - '%{libdir}'
+      - '%{libdir}/libsystemd*.so*'
+      - '%{libdir}/libudev*.so*'
+      - '%{libdir}/libnss_resolve.so*'
+      - '%{libdir}/pkgconfig'
+      - '%{libdir}/pkgconfig/libsystemd.pc'
+      - '%{libdir}/pkgconfig/libudev.pc'
+      - '%{includedir}'
+      - '%{includedir}/libudev.h'
+      - '%{includedir}/systemd'
+      - '%{includedir}/systemd/**'
+      - '%{debugdir}/dwz/%{stripdir-suffix}/*'
+      - '%{debugdir}%{libdir}/libsystemd*.so*'
+      - '%{debugdir}%{libdir}/libudev*.so*'
+      - '%{debugdir}%{libdir}/libnss_resolve.so*'
+      - '%{sourcedir}'
+      - '%{sourcedir}/**'
diff --git a/elements/eos/black.bst b/elements/eos/black.bst
@@ -0,0 +1,14 @@
+kind: pyproject
+
+build-depends:
+- freedesktop-sdk.bst:public-stacks/buildsystem-python-hatchling.bst
+- freedesktop-sdk.bst:components/python3-hatch-fancy-pypi-readme.bst
+
+runtime-depends:
+- freedesktop-sdk.bst:components/python3.bst
+
+sources:
+- kind: git_repo
+  url: github:psf/black
+  track: '*.*.*'
+  ref: 25.9.0-0-gaf0ba72a73598c76189d6dd1b21d8532255d5942
diff --git a/elements/eos/deps.bst b/elements/eos/deps.bst
@@ -43,6 +43,8 @@ depends:
 - eos/eos-shell-content.bst
 - eos/eos-theme.bst
 - eos/eos-updater.bst
+- eos/payg/deps.bst
+- eos/update-ca-certificates-symlink.bst
 
 # Used by eos-image-builder. This could move into a separate tree.
 # See: <https://github.com/endlessm/eos-build-meta/issues/81>

diff --git a/elements/eos/efi-binaries.bst b/elements/eos/efi-binaries.bst
@@ -5,9 +5,12 @@ description: |
   This element collects all the UEFI applications and configuration involved in
   booting EOS7.
 
-  These are installed to the well-known path `/usr/lib/efi_binaries` in the
-  filesystem. When building images, eos-image-builder copies them into the
-  EFI System Partition.
+  UEFI binaries for variants using GRUB are installed to the well-known path
+  `/usr/lib/efi_binaries` in the filesystem. When building images,
+  eos-image-builder copies them into the EFI System Partition.
+
+  UEFI binaries for variants using systemd-boot are installed to
+  `/usr/lib/systemd/boot/efi`.
 
   At time of writing, the ESP is not updated on existing systems in any case.
   It could be done, using coreos bootupd or something similar.

diff --git a/elements/eos/payg/deps.bst b/elements/eos/payg/deps.bst
@@ -0,0 +1,13 @@
+kind: stack
+description: |
+  All dependencies of PAYG features, if enabled.
+
+depends: []
+
+(?):
+  - payg == true:
+      depends:
+        (>):
+          - eos/payg/eos-payg.bst
+          - eos/payg/eos-payg-nonfree.bst
+          - eos/payg/uki-signed.bst
diff --git a/elements/eos/payg/eos-payg-nonfree.bst b/elements/eos/payg/eos-payg-nonfree.bst
@@ -0,0 +1,21 @@
+kind: meson
+description: |
+  Private components of PAYG systems.
+
+  Source for this element is only available within Endless. Use the `payg` build option
+  to opt in to building it.
+
+build-depends:
+- eos/black.bst
+- freedesktop-sdk.bst:components/dracut.bst
+- freedesktop-sdk.bst:public-stacks/buildsystem-meson.bst
+
+depends:
+- eos/payg/eos-payg.bst
+- eos/payg/libsodium.bst
+
+sources:
+- kind: git_repo
+  url: github:endlessm/eos-payg-nonfree
+  track: master
+  ref: Release_6.0.7-6-ge1a4545cf194cae4cd047d6896995764e6b6cdca
diff --git a/elements/eos/payg/eos-payg.bst b/elements/eos/payg/eos-payg.bst
@@ -0,0 +1,27 @@
+kind: meson
+description: |
+  Endless OS pay-as-you-go daemon
+
+build-depends:
+- freedesktop-sdk.bst:components/dracut.bst
+- freedesktop-sdk.bst:components/systemd.bst
+- freedesktop-sdk.bst:public-stacks/buildsystem-meson.bst
+- gnome-build-meta.bst:sdk/gtk-doc.bst
+
+depends:
+- gnome-build-meta.bst:sdk/glib.bst
+- eos/payg/libpeas-1.bst
+
+sources:
+- kind: git_repo
+  url: github:endlessm/eos-payg.git
+  track: master
+  ref: Release_6.0.7-2-ge4c0993ad5748b3728c337d2a42cbae915cf025c
+- kind: git_module
+  path: subprojects/libglnx
+  url: gnome:libglnx.git
+  ref: b38235ac2d8f1a7b1b8b9960a109eb734b8ec4dd
+- kind: git_module
+  path: subprojects/libgsystemservice
+  url: gnome_gitlab:pwithnall/libgsystemservice.git
+  ref: 58468f2622e1415b5d1d2ffa06864ab31ab12c9a
diff --git a/elements/eos/payg/libpeas-1.bst b/elements/eos/payg/libpeas-1.bst
@@ -0,0 +1,26 @@
+kind: meson
+sources:
+- kind: git_repo
+  url: gnome:libpeas.git
+  track: 1.36
+
+  ref: libpeas-1.36.0-1-gc68ecac0025caa5fa2401deff41d3b1959062600
+build-depends:
+- gnome-build-meta.bst:sdk/gi-docgen.bst
+- gnome-build-meta.bst:sdk/gobject-introspection.bst
+- gnome-build-meta.bst:sdk/vala.bst
+- freedesktop-sdk.bst:public-stacks/buildsystem-meson.bst
+
+depends:
+- gnome-build-meta.bst:sdk/gjs.bst
+- gnome-build-meta.bst:sdk/glib.bst
+- gnome-build-meta.bst:sdk/pygobject.bst
+- freedesktop-sdk.bst:public-stacks/runtime-minimal.bst
+
+variables:
+  meson-local: >-
+    -Dpython3=true
+    -Dlua51=false
+    -Dintrospection=true
+    -Dvapi=true
+    -Dgtk_doc=true