NullSec 2.0: The Arch Rebuild
NullSec v1.x was Debian-based. v2.0 is Arch. Here's why we switched and what it took.
Why leave Debian?
- Stale packages — security tools move fast; Debian stable is always 6-18 months behind
- No AUR — many niche security tools are only in AUR
- Kernel lag — Debian's kernel misses recent hardware support and security features
Why Arch?
- Rolling release — always current, no painful dist-upgrades
- AUR — 80,000+ packages, including most security tools
- Minimal base — we control exactly what's installed
- pacman — fast, simple, reliable package manager
Migration process
We rewrote the build system from live-build (Debian) to archiso. The tool manifest moved from .deb package names to a mix of Arch packages and AUR builds. Our CI pipeline builds and tests the ISO nightly.
Results
The v2.0 ISO is 200 MB smaller than v1.x despite having 80 more tools. Boot time dropped from 22 seconds to 14 seconds. Package updates that took weeks on Debian now land same-day.
The build system
NullSec v2.0's ISO is built entirely by a Lateralus pipeline. The build system replaced 3,000 lines of shell scripts with 800 lines of structured Lateralus code:
```
// build.ltl — NullSec ISO builder
let config = Config::load("nullsec.toml")

// Phase 1: Bootstrap the Arch base
let rootfs = archiso::bootstrap(config.arch_mirror)
    |> install_base_packages(["base", "linux-hardened", "linux-firmware"])
    |> configure_locale("en_US.UTF-8")
    |> configure_timezone("UTC")

// Phase 2: Install tools by category
config.tools
    |> group_by(|t| t.source)  // pacman vs AUR vs manual
    |> each(|(source, tools)| match source {
        Pacman => pacman_install(rootfs, tools),
        Aur    => aur_build_install(rootfs, tools),
        Manual => tools |> each(|t| t.install_script(rootfs)),
    })

// Phase 3: Apply NullSec customizations
rootfs
    |> install_nullkia_de()
    |> install_lateralus_sdk()
    |> apply_kernel_hardening(config.kernel_config)
    |> apply_sysctl_hardening(config.sysctl_rules)
    |> configure_firewall(config.nftables_rules)
    |> copy_dotfiles(config.dotfiles_dir)

// Phase 4: Package and sign
let iso = archiso::build_iso(rootfs, config.iso_settings)
iso |> sign_gpg(config.gpg_key)
    |> generate_sha256()
    |> upload_to_mirror(config.cdn_endpoint)
```
The entire build runs in CI on every merge to main. Build time: 45 minutes on a 4-core runner.
AUR integration
One of the biggest wins of moving to Arch is the AUR. Here are some security tools we can now install directly instead of packaging ourselves:
- burpsuite — was a custom .deb repackage, now a single AUR package
- ghidra — NSA's reverse engineering suite, always up to date via AUR
- bloodhound — Active Directory attack path visualization
- feroxbuster — fast content discovery, previously required manual Rust builds
- ligolo-ng — tunneling tool, was manually compiled from Go source
- pwntools-git — latest exploit development framework, always current
Before Arch, maintaining these packages consumed ~20 hours per release. Now they update automatically with paru -Syu.
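AUR recipes are user-submitted, and a -git package such as pwntools-git builds whatever upstream HEAD is at build time, so an automated AUR build benefits from a pre-build check that every source is fixed by a checksum or an immutable revision. The following is an added example, not NullSec's build code: the PKGBUILD is constructed, `bash_array` and `audit` are hypothetical names, and only `source` and `sha256sums` are inspected.

```python
import re
import shlex

# Constructed PKGBUILD for a hypothetical package (not a real AUR recipe).
SAMPLE_PKGBUILD = '''\
pkgname=exampletool-git
source=("git+https://example.org/exampletool.git"
        "exampletool.desktop"
        "https://example.org/wordlist-1.0.tar.gz")
sha256sums=('SKIP'
            'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP')
'''

VCS = re.compile(r'^(?:[^:]+::)?(?:git|hg|svn|bzr)\+')
# Only an immutable revision counts as pinned; #branch= and #tag= can move.
PINNED = re.compile(r'#(?:commit|revision)=')


def bash_array(text, name):
    """Read a simple bash array textually. The PKGBUILD is never sourced,
    because sourcing would execute whatever shell code it contains."""
    m = re.search(rf'^{name}=\((.*?)\)', text, re.S | re.M)
    return shlex.split(m.group(1)) if m else []


def audit(text):
    """Return (source, reason) pairs for sources whose content is not fixed."""
    sources = bash_array(text, 'source')
    sums = bash_array(text, 'sha256sums')
    findings = []
    if len(sources) != len(sums):
        findings.append(('*', 'checksum count does not match source count'))
    for src, digest in zip(sources, sums):
        if VCS.match(src):
            if not PINNED.search(src):
                findings.append((src, 'unpinned VCS source'))
        elif digest == 'SKIP':
            findings.append((src, 'non-VCS source with SKIP checksum'))
    return findings


if __name__ == '__main__':
    for src, reason in audit(SAMPLE_PKGBUILD):
        print(f'{reason}: {src}')
```

A build gate can hold any package with findings for manual PKGBUILD review instead of building it unattended.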
Rolling release strategy
Rolling release doesn't mean reckless updates. NullSec v2.0 uses a staged update model:
- Nightly — automated CI runs the full test suite against the latest Arch packages. If a breakage is detected, the update is held.
- Weekly — vetted updates are pushed to the nullsec-stable repository. Users on the default config get these.
- Immediate — security patches (CVEs affecting kernel, OpenSSL, etc.) bypass the weekly cycle and push immediately.
Users can opt into the bleeding-edge channel (nullsec-testing) or pin specific packages. The update manager shows a diff of changes before applying, and every update creates a btrfs snapshot for instant rollback.
Performance comparison
Benchmarks against v1.x (Debian) and Kali 2025.4:
- Boot time — NullSec v2.0: 14s, v1.x: 22s, Kali: 28s
- ISO size — NullSec v2.0: 3.1 GB, v1.x: 3.3 GB, Kali: 4.1 GB
- Idle RAM — NullSec v2.0 (Nullkia): 380 MB, v1.x (XFCE): 520 MB, Kali (GNOME): 890 MB
- nmap full scan — identical across all three (network-bound)
- hashcat bcrypt — identical (GPU-bound, not OS-dependent)