Cerberix
v0.1.0 — Styx

A hardened Arch,
ready the moment it boots.

Cerberix is a security-focused Linux distribution built on Arch. Firewall, intrusion detection, VPN tooling, and a polished XFCE desktop — configured correctly on first boot, not your tenth.

Download ISO Quick install
x86_64 · UEFI + BIOS GPG-signed releases Rolling release
yodabytz@cerberix ~ 
$ fastfetch
                   -`                      yodabytz@cerberix
                  .o+`                     ─────────────────
                 `ooo/                     OS       Cerberix 0.1.0 Styx
                `+oooo:                    Kernel   Linux 6.13.x
               `+oooooo:                   Shell    fish 3.7
               -+oooooo+:                  DE       XFCE 4.20
             `/:-:++oooo+:                 Theme    Tokyo Night Moon
            `/++++/+++++++:                Shield   ● active
           `/++++++++++++++:               Firewall ● nftables
          `/+++ooooooooooooo/`             VPN      wireguard ready
         ./ooosssso++osssssso+`          
$ sudo cerberix-harden --status
   nftables        active
   fail2ban        active, 4 jails
   aide            baseline current
   unattended      opt-in (off)
   kernel hardening 23/23 sysctl keys
$

Three heads. One system.

Every Cerberix install ships with the trio preconfigured and tested.

Hardened by default

nftables firewall, fail2ban with sane jails, AIDE file integrity, WireGuard tooling, and a curated set of kernel sysctl tweaks. No hunting down guides — it boots ready.

Desktop, actually.

XFCE 4.20 with Tokyo Night Moon theming, Plank dock, and a tuned font stack. Plus Firefox, Thunar, and the everyday tools that other security distros treat as an afterthought.

Built-in tools

Cerberix Shield watches your system tray and flags anomalies. Cerberix Connect pairs with the firewall appliance for dashboard visibility. Both written for this distro, not bolted on.

What's inside

A curated stack — not a pile of features.

BaseArch Linux (rolling)
Kernellinux + hardened sysctl
DesktopXFCE 4.20
DisplayLightDM greeter
Shellfish (zsh available)
Firewallnftables + ufw
IDSAIDE + rkhunter
Intrusionfail2ban
VPNWireGuard
Sandboxfirejail
Reposcore + extra + chaotic-aur
Archx86_64 (UEFI + BIOS)

Download

Burn it to USB, boot it, try it. Installer takes about six minutes.

cerberix-linux-0.1.0-x86_64.iso latest
~2.6 GB · Released 2026-04-18 · x86_64
Download
SHA256SUMS | GPG signature | Signing key | Release notes
Verify your download 
# 1. Import the signing key
curl https://cerberix.org/gpg.asc | gpg --import

# 2. Verify the signature
gpg --verify cerberix-linux-0.1.0-x86_64.iso.sig \
            cerberix-linux-0.1.0-x86_64.iso

# 3. Check the hash
sha256sum -c cerberix-linux-0.1.0-x86_64.iso.sha256

Install in six minutes

Boot the ISO, log in, and run one command.

$ sudo cerberix-install

  Cerberix Linux Installer
  ============================================

  Available Disks:
    sda   256G   Samsung SSD 860
    nvme0 1.0T   Samsung 980 PRO

  Install to disk: nvme0
  Username:        you
  Password:        ••••••••

   Partitioning (GPT, UEFI)
   Base system (pacstrap)
   XFCE + LightDM + autologin
   Security stack (nftables, fail2ban, AIDE)
   Bootloader (GRUB)

  Cerberix Linux installed. Remove ISO and reboot.

That's it. No DE choice screen, no 20-step wizard, no surprise telemetry. The installer is a single Bash script — open it first if you want to see exactly what happens.

Why another distro?

Because "security-focused" usually means one of two things: a pentester's toolkit you wouldn't daily-drive, or a hardened server spin with no desktop in sight.

Cerberix is for everyone in between: developers, sysadmins, and curious users who want sensible defaults — firewall on, logs rotating, file integrity checks running — without giving up a normal desktop.

It's Arch underneath, so pacman works, the wiki applies, and the AUR is one yay away. The difference is the first boot, not the fork.