Zena is an operating system built with bootc. It is immutable and container‑native, designed for reproducibility, developer productivity, and a responsive desktop experience. Zena ships with systemd-homed for secure, portable home directories and a Cachy kernel compiled with Link‑Time Optimization (LTO) for improved performance.
- Project overview
- Key features
- System requirements
- Installation
- Initial setup (first boot)
- Zix - Lightweight Nix profile manager
- Gaming (opt-in)
- systemd-homed and home storage details
- Podman, Distrobox and homectl notes
- Configuration & customization
- Security considerations
- Development & contributing
- Roadmap
- License
- Contact & support
Zena delivers an immutable desktop operating system optimized for developer workflows and reproducibility. Key design principles:
- Atomic & container-native - The OS is delivered as an image and updated atomically with rollback support via the bootc model.
- Fedora-based (currently tracking Fedora 42) - Zena uses Fedora as its base, inheriting its toolchain and ecosystem.
- Rapid, image-based updates - Updates are delivered daily, and sometimes multiple times per day, while remaining fully atomic and rollback-safe.
- Secure & portable homes - systemd-homed is enabled by default to provide portable, encrypted home directories.
- Reproducible development environment - Nix is included for reproducible builds and per-user package management.
- Developer friendly - Nix! and Containers! all the tooling you need.
- Cachy Kernel (LTO) - kernel built with Link‑Time Optimization to improve performance.
- systemd-homed by default - encrypted LUKS homes with btrfs by default (configurable to fscrypt or plain directories).
- Niri - A Wayland compositor. Windows are arranged in columns on an infinite strip going to the right.
- Dank Material Shell - A modern and beautiful desktop shell with dynamic theming and smooth animations.
- Nix + Zix - Nix is a package manager available system‑wide; zix is provided as a lightweight per‑user convenience for nix profile operations.
- Immutable, bootc - atomic updates and simple rollback.
- Podman friendly - guidance for subordinate UID/GID mapping and unprivileged containers.
- Gaming (opt-in) - an optional CLI-managed gaming environment that creates and manages a Distrobox named Gaming, and installs common gaming tools and launchers automatically. See the Gaming (opt-in) section for details.
Minimum recommended hardware for a pleasant desktop experience:
- 64-bit x86_64 CPU (modern Intel/AMD recommended)
- 8 GB RAM (16 GB recommended for heavy development/gaming workloads)
- 128 GB free disk for system images + user storage (additional space required for encrypted LUKS homes)
- UEFI firmware (Secure Boot optional; see Roadmap)
Notes:
- Zena targets laptop, desktop and workstation hardware.
- Supported Nvidia GPUs (GTX 16xx and RTX series)
- For gaming, a modern discrete GPU is strongly recommended.
- See the Security considerations section for how to enable Secure Boot.
- Download the latest ISO/installer image from the Gofile link or from the GitHub Actions artifact storage.
- Create a bootable USB (e.g., dd, balenaEtcher, Rufus).
- Boot the target machine from the installer image and follow the installer prompts.
Installer options include:
- Target disk selection and partitioning
- Enable LUKS encryption for the system
Switching to Zena from an existing bootc system:
bootc switch ghcr.io/zena-linux/zena:latest
On first boot the system presents a TUI setup that collects basic account and system settings. The TUI options are:
- Create Account - create your primary user (username and passphrase). Homed user creation is performed via systemd-homed.
- Set Home Size - choose the size for the encrypted home container (uses LUKS; other options will be added later).
- Select Timezone - select the system timezone.
After the TUI completes and you log in, perform these recommended steps:
- Verify systemd-homed provisioned your account:
homectl show $(whoami)
Review storage, encryption, and home-size fields.
- Configure subordinate UID/GID ranges for unprivileged containers (Podman):
sudo homectl with $(whoami) add-subuids
- Migrate Podman storage (run once per user):
podman system migrate
- Make sure you are running the latest update:
sudo bootc upgrade
- Install per-user packages:
- Use Bazaar, the dedicated GUI app store for Flatpak applications.
- Use zix (see below) or nix profile for reproducible per-user packages.
zix is a small CLI wrapper included to simplify common nix profile operations for users who are new to Nix and want an easy CLI.
- zix add <package>... - install package(s) to the current user profile
- zix remove <package>... - remove package(s) from the profile
- zix list - list installed packages in the current profile
- zix search <term> - search nixpkgs
Examples:
zix add ripgrep fd
zix remove ripgrep
zix list
zix search python
Implementation notes:
- zix forwards to nix profile subcommands and handles common error messaging.
- Advanced users should use the nix CLI directly for complex workflows.
Zena includes an optional gaming feature implemented as a small CLI wrapper named gaming. This feature is opt-in: it is not enabled by default and requires the user to run gaming install to provision the gaming environment.
Note: The performance is still native, so don't worry :>
- Provide a convenient, reproducible gaming environment isolated from the main immutable system image.
- Create a Distrobox container named Gaming that contains common gaming tools and launchers (Heroic, Lutris, Steam, ProtonUp-Qt, gOverlay, etc.).
- Expose desktop entries for GUI launchers so installed apps integrate with the desktop environment.
- Allow easy lifecycle management: install, uninstall, upgrade, and enter the gaming container.
When you run gaming install it will:
- Create a Distrobox instance named Gaming: a persistent, first-class container workspace for gaming.
- Inside the Gaming Distrobox:
  - Install a curated set of gaming tools and launchers.
  - Register desktop files on the host (so Heroic, Lutris, Steam, etc. appear in the host application launcher).
- Leave the Gaming Distrobox image in a state where the user can run gaming enter to open an interactive shell connected into the Distrobox (or distrobox enter Gaming directly).
When you run gaming uninstall, the utility will:
- Remove the Gaming Distrobox and all installed packages inside it.
- Remove exported apps and binaries.
When you run gaming upgrade, the utility will:
- Update package lists inside the Gaming Distrobox and upgrade packages to their latest available versions.
When you run gaming enter, the utility will:
- Open an interactive shell into the Gaming Distrobox (equivalent to distrobox enter Gaming) so you can run launchers or manage the environment manually.
- If a launcher appears but does not start, run the launcher from a terminal to inspect errors (use gaming enter for the containerized launchers).
- Ensure user subordinate UID/GID ranges are configured (homectl with $(whoami) add-subuids) as described in the initial setup section.
- If Steam displays only black, disable GPU acceleration in the Steam settings via the system tray.
Zena enables systemd-homed by default to provide portable, encrypted homes that are easy to create, modify, and export.
- Storage format: LUKS2 container with a btrfs filesystem by default (provides snapshots and subvolumes).
- Alternatives: fscrypt-backed homes are supported when LUKS is not desired.
Administration:
- Inspect a homed account: homectl show <username>
- List homed accounts: homectl list
- Create or modify homed users: homectl create / homectl update
For proper unprivileged container behavior, configure subordinate UID/GID mappings and migrate Podman storage when appropriate.
- Add subordinate UID/GID ranges to the homed account:
sudo homectl with $(whoami) add-subuids
- Confirm /etc/subuid and /etc/subgid contain expected ranges for the user.
- Run a one-time storage migration:
podman system migrate
If you encounter permission issues, re-check homectl entries and subordinate ranges.
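One way to carry out the /etc/subuid and /etc/subgid confirmation step above, shown as an added example that is not part of Zena's own tooling. The function names subid_ranges and subid_overlaps are hypothetical, and the sample file is constructed; besides listing a user's ranges it flags ranges of different users that overlap.

```bash
#!/usr/bin/env bash
# Check subordinate ID ranges in a subuid/subgid-format file.
# Line format (see subuid(5)): name:start:count

# Print "start count" for each range owned by USER in FILE; status 1 if none.
subid_ranges() {
    local user=$1 file=$2
    awk -F: -v u="$user" '$1 == u { print $2, $3; found = 1 }
                          END { exit !found }' "$file"
}

# Print every pair of ranges in FILE that overlap and belong to different
# owners; status 1 if any exist. Overlapping ranges would let one user's
# containers map onto IDs that another user's containers also own.
subid_overlaps() {
    local file=$1
    awk -F: 'NF == 3 && $0 !~ /^#/ {
                 n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
             }
             END {
                 for (i = 1; i <= n; i++)
                     for (j = i + 1; j <= n; j++)
                         if (name[i] != name[j] && lo[i] <= hi[j] && lo[j] <= hi[i]) {
                             printf "%s:%d-%d overlaps %s:%d-%d\n",
                                    name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                             bad = 1
                         }
                 exit bad
             }' "$file"
}

# Constructed sample (not from a real system): carol's range collides with bob's.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:524288:65536
bob:589824:65536
carol:600000:65536
EOF

subid_ranges alice "$sample"
subid_overlaps "$sample" || echo "overlapping ranges found"
```

On a live system, point both functions at /etc/subuid and then at /etc/subgid.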
Common customization points:
- User profile packages: use zix or nix profile.
- Desktop: customize Dank Material Shell and Niri via DMS Settings or ~/.config.
- Gaming: after gaming install, you can further customize the Gaming Distrobox by entering it and installing additional packages or configuring Proton/GEs manually.
- Home encryption: Use strong passphrases.
- Atomic updates & rollbacks: Use bootc to perform atomic updates; if a regression occurs, use bootc or the bootloader to restore a previous image.
- Service exposure: Validate firewall rules and prefer unprivileged namespaces for network‑facing workloads.
- Secure Boot: Secure Boot is now supported. To enable it for your system, follow these steps:
- Import the public MOK certificate:
sudo mokutil --import /secureboot/MOK.der
You will be prompted to set a temporary password.
- Reboot your machine. During boot the MOK Manager will appear:
  - Choose Enroll MOK.
  - Enter the password set during import.
  - Confirm and finish enrollment, then reboot again.
- Verify the enrollment:
sudo mokutil --sb-state
sudo mokutil --list-enrolled
--sb-state should report SecureBoot enabled once firmware is in User Mode and Secure Boot is active. Your kernel and module signatures will then be trusted.
We welcome contributions.
- Fork the repository and create a feature branch.
- Open a pull request with a clear description of changes and rationale.
- Include tests or a short verification plan when applicable.
Short-to-mid term items:
- Default Flatpaks (optional, toggle via initial setup)
- Improvements to the TUI zena-setup
See the LICENSE file in the repository for licensing details.
For issues and feature requests, open an issue in the GitHub repository. Provide logs, steps to reproduce, and relevant hardware details.
