The Immutable Linux OS That Never Breaks

Shanios uses blue-green deployment architecture with two complete system images (@blue and @green) implemented as Btrfs subvolumes. While you use one image, updates install to the other. After verification, a simple reboot switches to the updated image atomically.

The custom shani-deploy tool orchestrates the entire process—downloading verified images, applying configurations via overlays, generating new unified kernel images, updating the bootloader, and validating everything before switching. Updates are applied to the inactive system copy, meaning your current working environment is never at risk.

This dual-image design eliminates mid-update failures entirely. If verification fails, the update never applies. Your active system remains untouched and fully functional throughout the entire update process. This brings datacenter-grade reliability to the desktop.

Immutable system core: Root filesystem (/) mounted read-only, preventing system corruption, malware modifications, and configuration drift while maintaining maximum performance. The system partition ensures absolute stability.

/etc as overlay filesystem: Persistent configuration changes without breaking immutability. /var managed with systemd.volatile=state for optimized state management. User applications via Flatpak for complete isolation. Mutable /home for user data and configurations.

This sophisticated architecture provides the perfect balance of immutability and flexibility, allowing necessary customization while keeping the core system protected and reliable.

Both system images (blue and green) remain intact and bootable at all times. If anything goes wrong after an update, select the previous image from the boot menu. The switch is instant—rollback completes in under a minute, just a reboot away.

Zero downtime updates: System updates happen in the background on the inactive partition. Reboot to switch partitions, and if anything goes wrong, reboot again to instantly return to your previous working state. No interruption to your workflow.

Your personal files, settings, and applications persist across both images using shared storage. Only the system core rolls back, giving you the best of both worlds: instant recovery without losing your work or data.

Arch Linux default kernel for maximum stability and hardware compatibility. Access to the latest software and libraries through Arch's rolling release model, but with the safety of immutable deployment.

Developer friendly: Cutting-edge tools and libraries from Arch repositories, combined with image-based system stability that traditional package-managed distributions can't match. Get the best of both worlds—newest software with bulletproof reliability.

The comprehensive container support makes it perfect for multi-distribution development workflows, allowing developers to work in any environment they need without compromising the host system.

Filesystem optimizations: Btrfs with zstd compression for optimal storage efficiency and speed. Intelligent subvolume management for snapshots and rollbacks without performance penalty.

Memory management tweaks: zram for compressed swap in RAM, transparent hugepages for reduced memory overhead. Custom-configured schedulers and I/O optimizations for responsive multitasking and low latency.

Gaming optimizations: Pre-configured with custom kernel parameters for low latency, proper Vulkan/OpenGL setup, and system-wide performance tuning that benefits both work and play.

Security layers: Immutable core prevents persistent malware, hardened kernel with security patches, AppArmor profiles for mandatory access control, firewalld configurations for network protection, optional LUKS full-disk encryption, and sandboxed applications via Flatpak.

The read-only root filesystem prevents tampering. Even with administrative access, core files cannot be modified during operation. Both system images mount as read-only, preventing corruption and persistent malware attacks.

Security updates apply safely and atomically with instant rollback capability. The immutable design inherently prevents many attack vectors that traditional distributions are vulnerable to. User data remains writable, ensuring both safety and flexibility.

GNOME: Clean, distraction-free interface ideal for productivity, enterprise, and OEM deployments. Streamlined workflow with essential tools.

KDE Plasma: Highly customizable desktop with advanced features for power users. Comes with Steam, Heroic Games Launcher (for Epic Games Store and GOG), and RetroArch (for retro gaming emulation) pre-installed and ready to play.

Both editions support professional deployment with branding, custom configurations, and enterprise tooling. OEM Initial Setup: Professional OEM-style first-boot configuration experience that allows users to personalize their system (language, timezone, user accounts, preferences) on first launch, making Shanios perfect for pre-installed systems and enterprise deployment.

Pre-configured applications, network settings, and security policies ensure systems are ready at scale and remain stable over time.

Graphics: Intel, AMD, and NVIDIA open drivers pre-installed with proper Vulkan/OpenGL configuration for optimal performance and compatibility.

Printers & Scanners: Complete printer driver support with CUPS and manufacturer-specific drivers. Scanner support via SANE with auto-detection. Just plug in and print or scan.

Peripherals: Audio, video, GPS, fingerprint readers, game controllers, consoles, batteries, and UPS—all peripheral drivers pre-configured and ready to use.

Connectivity: Wi-Fi, Bluetooth, and network tools fully configured for immediate use. No manual driver installation required.

Comprehensive font support: Indian language fonts for Devanagari, Tamil, Telugu, and more. Complete CJK (Chinese, Japanese, Korean) font coverage for proper text rendering. Full emoji support for modern communication.

IBus as default input method: Seamless multilingual input with support for dozens of languages and input methods. Switch between languages effortlessly while typing.

Accessibility & Language Support: Screen readers, multiple input languages, proper text rendering across all supported scripts. Shanios is ready for users worldwide, ensuring diverse linguistic needs are met from day one.

Apps Included: Vivaldi Browser for web browsing with advanced features and privacy controls. OnlyOffice for full-featured document editing compatible with Microsoft Office formats. Essential productivity tools ready from first boot.

Professional workflow: Pre-configured applications and tools for immediate productivity. No time wasted on setup—everything you need to work is already installed and configured.

Everything works out-of-the-box so you can start using your system immediately—no setup required. Focus on your work, not on configuring your operating system.

Flatpak provides sandboxed applications with controlled permissions—apps cannot modify system files. Complete isolation ensures security while maintaining functionality.

Gear Lever manages AppImages with automatic desktop integration. Portable applications that run without installation, perfect for trying new software without system changes.

This separation between OS and applications is fundamental to Shanios's reliability. Install, remove, experiment—your system core stays perfect. No dependency conflicts, no system bloat, no breakage.

Waydroid: Run Android applications directly using containerization with full hardware acceleration—no emulation overhead. Desktop integration and Google Play Store access (after setup) for thousands of Android apps.

Perfect for mobile development, testing, or accessing Android-exclusive apps while maintaining system immutability. Native performance with complete isolation from the host system.

Bottles: Advanced Windows application compatibility layer using Wine. Run Windows applications and games with easy prefix management, dependency installation, and per-application configurations in sandboxed environments.

Supports DXVK, VKD3D, esync/fsync, and snapshots. Installed via Flatpak, Bottles runs completely sandboxed, ensuring Windows apps never affect the immutable system core. Each bottle is isolated for maximum stability.

Gaming Platforms (KDE Plasma): Steam for native Linux and Windows games via Proton. Heroic Games Launcher for Epic Games Store and GOG titles. Bottles for Windows applications and games. RetroArch for retro gaming emulation—all pre-installed and ready to play.

Gaming Peripherals: Configure racing wheels and flight sticks with Oversteer, remap controllers with AntiMicroX, and customize RGB lighting with OpenRGB and Piper—all included out of the box.

Performance Tools: Monitor FPS and system stats with MangoHud and GOverlay, optimize visuals with vkBasalt post-processing, and run games in GameScope for better frame pacing and HDR support.

Optimized for gaming: Custom kernel parameters for low latency, proper graphics driver setup, and system-wide performance tuning ensure responsive performance, smooth multitasking, and lag-free gameplay.

Podman with pods GUI: Docker-compatible, rootless container runtime for application containers. Run containerized apps without root privileges or compromising security.Pods: GUI for easy container management.

LXC: System containers for running complete Linux distributions. systemd-nspawn: Lightweight containerization for isolated environments.

Distrobox with BoxBuddy GUI: Desktop-integrated container environments with an intuitive graphical interface. Run any Linux distribution, access distribution-specific software, or create isolated development environments without compromising the immutable host.

Perfect for developers needing multiple distribution environments, testing software, or accessing packages not available as Flatpaks. Complete isolation keeps your system safe.

Shells & Search

Zsh (default, with Starship), Bash, Fish; Zsh plugins for autosuggestions, completions, syntax highlighting, and history substring search; Bash completion; McFly; FZF.

Editors

Vim, Vi, Nano, Micro, Tmux, Ed, Less

Core CLI Utilities

Coreutils, Findutils, Grep, Gawk, BC, Diffutils, Patch, Time, Which

System & Monitoring Tools

Words, BSD-games, Man-db, Gnupg, Plocate, Inxi, Dmidecode, Strace, Lsof, Ncdu, Sysstat, Cronie, PV, JQ, Expect, Dialog

Version Control

Git, Subversion, Mercurial

Networking Tools

Iftop, Ethtool, Net-tools, Nmap, Traceroute, Tcpdump, Wireless Tools, Inetutils, USB Utilities, Bridge-utils, OpenBSD Netcat, Nbd, Zsync, Rsync, Iperf3, MTR, Tailscale, Cloudflared, Caddy

Internet Utilities

Curl, Wget, Aria2, Bind, Whois

Caddy makes it easy to host personal websites, dashboards, or file servers with automatic HTTPS. It is not active by default and runs only when you start and configure it.

Ideal for self-hosting directly from your desktop, without needing a dedicated server.

Cloudflared creates an encrypted tunnel to Cloudflare, allowing public HTTPS access to services running on your desktop. It is disabled by default and requires manual setup.

Perfect for hosting websites on home connections or behind NAT and CGNAT, without exposing your real IP address.

Tailscale creates a private encrypted network between your devices using WireGuard. It is not active unless you sign in and enable it.

Use it to access your hosted websites and services privately, without making them public on the internet.

OpenSSH provides industry-standard encrypted remote access and file transfer (SSH, SCP, SFTP). The SSH server is not enabled by default.

Useful for managing your desktop-hosted websites locally, over Tailscale, or through secure tunnels.

Fail2ban monitors authentication logs and temporarily blocks abusive IP addresses using firewall rules. It is not enabled by default.

Recommended when exposing services such as SSH or web applications to the public, adding an extra layer of protection.

firewalld provides a dynamic firewall with zones and services to control inbound and outbound network traffic. It is not active by default.

Use it to restrict access to your hosted websites, SSH, and other services, ensuring that only allowed connections reach your desktop.