Declarative System Configuration for Arch Linux
Security-first, reproducible, auditable system setup for red teamers and security researchers
S1bCr4ft aims to be a declarative system configuration framework for Arch Linux. Think of it as bringing NixOS-style reproducibility to Arch, but without forcing you to learn Nix. The goal is simple: write your system configuration once in YAML, then recreate it anywhere, anytime, with complete confidence.
When this project reaches its full potential, here's what it will offer:
- Security-First Architecture - GPG signing, audit trails, sandboxed hooks
- 57+ Pre-built Modules - Red team, malware analysis, AI/ML, window managers, development
- Reproducible Builds - Same config = same system, every time
- Hardening Built-in - Kernel hardening, AppArmor/SELinux templates
- Fast & Efficient - Parallel installation, minimal overhead
- YAML Configuration - Simple, human-readable configs
- Module System - Dependency resolution, conflict detection, versioning
- Package Management - Wrapper around pacman/paru/yay with atomic transactions
- Backup/Rollback - Timeshift integration, point-in-time recovery
- Audit Logging - Immutable, GPG-signed logs of all changes
- Lua Scripting - Pre/post-sync hooks for custom logic
- Multiple Interfaces - CLI, TUI, and REST API
Reality check: This is alpha software. The foundation is solid and secure, but the main feature - actually installing packages - is still being built.
| Feature | Status | Details |
|---|---|---|
| Configuration System | ✅ | Load, validate, parse YAML configs |
| Module Definitions | ✅ | 57 YAML modules defined and ready |
| Security Infrastructure | ✅ | Command injection prevention, Lua sandbox |
| CLI Framework | ✅ | init, validate, status work great |
| Testing | ✅ | 60 tests passing, ~70% coverage |

| Feature | Status | Details |
|---|---|---|
| Package Installation | 🚧 | Detection works, installation stubbed |
| `s1bcr4ft sync` | 🚧 | Parses config, shows preview only |
| TUI Interface | 🚧 | Skeleton with demo data |
| Backup/Rollback | ⏳ | Structure exists, not wired up |
| GPG Signing | 🚧 | Infrastructure ready |
| REST API | 🚧 | Endpoints defined |
Bottom line: You can create configurations and validate them today, but you can't actually install anything yet. If you need something production-ready, check back in a few months.
We're building this in phases. No dates promised - we're building it right, not fast.
The groundwork is done and tested:
- Core configuration engine (YAML parsing, validation)
- Security infrastructure (command injection prevention, Lua sandbox)
- 57 module definitions ready to go
- CLI framework with basic commands
- 60 tests passing
This is the big one - actually installing stuff:
- Real pacman/paru/yay integration
- Module execution engine
- Working `s1bcr4ft sync` command
- Dependency resolution
Making it safe to experiment:
- Timeshift backup/rollback
- Dotfile management
- Configuration snapshots
Making it pretty and easy:
- Complete TUI with real data (not demo)
- Interactive module browser
- Better error messages
For the power users:
- REST API completion
- Remote management
- Multi-machine orchestration
```bash
# Build and install from source
git clone https://github.com/S1b-Team/S1bCr4ft.git
cd S1bCr4ft
cargo install --path crates/s1bcr4ft-cli
```

```bash
# Or install the AUR package
yay -S s1bcr4ft-git
```

```bash
s1bcr4ft init my-arch-setup
cd my-arch-setup
```

```yaml
# config.yml
version: "1.0"
name: "my-arch-setup"
description: "My custom Arch Linux configuration"
modules:
  - core/base-system
  - core/bootloader
  - development/languages/rust
  - linux-optimization/terminal-config/zsh
  - security/hardening/kernel-hardening
options:
  auto_backup: true
  parallel_install: true
```

```bash
# Check if your config is valid
s1bcr4ft validate
# See what would be installed (preview only)
s1bcr4ft sync --dry-run
```

```bash
# This will actually install packages once Phase 2 is done
s1bcr4ft sync
```

| Command | Status | Description |
|---|---|---|
| `s1bcr4ft init <name>` | ✅ | Initialize new project |
| `s1bcr4ft validate` | ✅ | Validate configuration |
| `s1bcr4ft status` | ✅ | Show system status |
| `s1bcr4ft sync --dry-run` | ✅ | Preview changes |
| `s1bcr4ft sync` | 🚧 | Apply configuration (Phase 2) |
| `s1bcr4ft module list` | 🚧 | Browse modules (Phase 2) |
| `s1bcr4ft module search` | 🚧 | Search modules (Phase 2) |
| `s1bcr4ft rollback <id>` | ⏳ | Rollback to backup (Phase 3) |
| `s1bcr4ft audit` | ⏳ | View audit log (Phase 3) |
| `s1bcr4ft health` | ⏳ | System health check (Phase 3) |
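The page lists command injection prevention for a tool that hands names from `config.yml` to pacman/paru/yay. As an added illustration (not S1bCr4ft's own code; the function names and exact character rules are assumptions), this Rust example validates module ids and package names, then builds the pacman call as an argument vector rather than a shell string.

```rust
use std::process::Command;

// Added example, not S1bCr4ft's own code. The character rules are assumptions
// drawn from the module ids shown in config.yml and Arch's package naming rules.

/// Module id: slash-separated segments of lowercase letters, digits and hyphens.
fn valid_module_id(id: &str) -> bool {
    id.len() <= 128
        && id.split('/').all(|seg| {
            !seg.is_empty()
                && !seg.starts_with('-')
                && seg.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-')
        })
}

/// Package name: alphanumerics plus `@ . _ + -`, never starting with `-` or `.`.
fn valid_package_name(name: &str) -> bool {
    !name.is_empty()
        && !name.starts_with(['-', '.'])
        && name.bytes().all(|b| b.is_ascii_alphanumeric() || b"@._+-".contains(&b))
}

/// Build the pacman call as an argument vector. Nothing is executed here and no
/// shell ever parses the names; `--` ends option parsing before the first name.
fn pacman_install(packages: &[&str]) -> Result<Command, String> {
    if packages.is_empty() {
        return Err("empty package list".into());
    }
    if let Some(bad) = packages.iter().find(|p| !valid_package_name(p)) {
        return Err(format!("rejected package name {bad:?}"));
    }
    let mut cmd = Command::new("pacman");
    cmd.args(["-S", "--needed", "--"]).args(packages);
    Ok(cmd)
}

fn main() {
    // Constructed input: two ids from the page's config.yml, two malformed ones.
    for id in ["core/base-system", "development/languages/rust", "../outside", "core/x;id"] {
        println!("{id:?}: {}", if valid_module_id(id) { "accepted" } else { "rejected" });
    }
    match pacman_install(&["rust", "zsh"]) {
        Ok(cmd) => println!("{cmd:?}"),
        Err(e) => eprintln!("{e}"),
    }
}
```

Rejecting a leading `-` keeps a name from being read as a pacman option, and the `--` separator covers the same case a second time.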
We have 57 module definitions ready to go:
- core/ - Base system, bootloader, kernel
- development/ - Languages (Rust, Python, Go), tools (Docker, Git)
- security/ - Hardening, firewalls, VPNs, AppArmor
- red-team/ - Reconnaissance, exploitation, C2 frameworks
- malware-analysis/ - Static/dynamic analysis, sandboxing
- linux-optimization/ - Terminal configs, window managers, dotfiles
- ai-ml/ - Ollama, CUDA, TensorFlow, PyTorch
- Basic Arch - Minimal setup
- Developer Workstation - Hyprland + modern dev tools
- Red Team Workstation - Full C2 + exploitation
- Malware Analysis Lab - Isolated analysis environment
```
S1bCr4ft/
├── crates/
│   ├── s1bcr4ft-core/      # Core engine (parser, modules, packages)
│   ├── s1bcr4ft-cli/       # Command-line interface
│   ├── s1bcr4ft-tui/       # Terminal UI (Phase 5)
│   ├── s1bcr4ft-api/       # REST API (Phase 5)
│   └── s1bcr4ft-security/  # Security modules & presets
├── modules/                # Pre-built module library (57 ready)
│   ├── core/
│   ├── development/
│   ├── security/
│   ├── red-team/
│   └── malware-analysis/
└── examples/               # Example configurations
```
Q: Can I actually use this to install packages right now?
A: Not yet. You can create configurations and validate them, but the actual installation happens in Phase 2. If you run s1bcr4ft sync today, it'll show you what would be installed, but won't actually do it.
Q: Is this just another Ansible/Chef/Puppet clone?
A: Nope. Those are general-purpose tools that happen to work on Arch. S1bCr4ft is Arch-native - it understands pacman, AUR, and Arch-specific quirks out of the box. Plus it brings NixOS-style reproducibility without forcing you to learn Nix.
Q: Why should I care about "declarative configuration"?
A: Instead of remembering what packages you installed and what configs you tweaked, you write it down once. Then you can recreate your exact setup on a new machine in minutes, roll back when something breaks, and share configurations with your team.
Q: Is it safe to run on my main system?
A: In its current state, yes - because it doesn't actually change anything yet. Once Phase 2 hits and it starts actually installing packages, treat it like any other system tool: test in a VM first.
Q: Will this work on distros other than Arch?
A: Short answer: no. Long answer: the architecture could theoretically support other distros, but the focus is 100% on Arch Linux. We use pacman, AUR helpers, and Arch-specific paths. If you want Ubuntu support, fork it.
Q: How is this different from just using pacman/paru directly?
A: Three things: reproducibility (same config = same system), auditability (see exactly what changed and when), and rollback (undo changes when they break stuff). Plus you get to define your entire system in one YAML file instead of running 50 different commands.
Q: Can I contribute?
A: The code is open source, so technically yes. But honestly, the core architecture is still settling. If you're itching to help, testing the init and validate commands and reporting bugs is super valuable right now.
Q: When will this be production-ready?
A: When Phase 2 is done and we've battle-tested the package installation. Could be months. If you need something today, use Ansible or just write a shell script.
Q: Why GPL-3.0 instead of MIT?
A: Because this is a system-level tool that touches security-critical stuff. GPL ensures derivatives stay open source. If you want to build a proprietary fork, you'll need to negotiate a commercial license.
S1bCr4ft is released under the GPL-3.0 License.
Created by ind4skylivey • Maintained by S1BGr0up