All Systems Go! 2026

Ryan Lahfa (@raitobezarius)

NixOS developer, lanzaboote (Secure Boot for NixOS) co-author, author of Sécurix/Bureautix — a NixOS variant for the public sector, deployed in the French government.


Session

10-01
10:45
25min
Native OS enrollment for the Linux userspace: A proposal for open APIs and protocols
Ryan Lahfa (@raitobezarius)

Enterprise Linux deployments lack a standardized, native enrollment flow. Current solutions rely on distro‑specific first‑boot mechanisms (systemd-firstboot, cloud‑init, realmd, ignition, kickstart and more) or external configuration management layered post‑deployment, resulting in poor feature sets w.r.t. modern features enabled by TPM2 or UEFI setting management.

This talk proposes to explore minimal, vendor‑neutral set of APIs and protocols for OS enrollment, analogous to Windows Autopilot but designed for the Linux userspace stack and specifically for the ParticleOS ecosystem. We will examine a concrete model based on device identity (TPM, SMBIOS information), secure attestation, policy discovery, and management‑hint delivery, decoupled from any particular configuration management system.

There might be a live demonstration presenting a reference implementation on NixOS communicating with a lightweight enrollment service over HTTP(S) leveraging a bunch of Varlink APIs built across the past years and presented at ASG.

The primary outcome is a community‑reviewed specification draft for enrollment APIs, intended for integration into systemd and distro installers.

The talk is not a proposal for a new tool but rather invite the attendees to think about the problem space around corporate enrollment for Linux distributions and how do we build native solutions for distributions interested by this idea.

Loft