# Installing veilor-os
## What you need
- USB drive (8GB+) flashed with the veilor-os ISO
- Target machine with UEFI (BIOS legacy works but Secure Boot is the
whole point — use UEFI)
- ~30GB free disk
## Install flow
The installer is **fully scripted**. The only thing it asks you for
is the **LUKS passphrase**.
1. Boot from USB.
2. Pick "Install veilor-os" from the boot menu.
3. Anaconda runs the kickstart automatically.
4. When prompted, **set a strong LUKS passphrase**. This is the only
prompt. Choose well — losing it = losing the disk.
5. Wait. Install + `%post` hardening takes ~10–15 min depending on
network speed.
6. Reboot. Pull out the USB.
## First boot
1. **LUKS prompt** — enter your passphrase to unlock the disk.
2. **TTY1 banner appears:**
   ```
   ┌──────────────────────────────────────────────────────────┐
   │ veilor-os │
   │ first boot — admin password │
   └──────────────────────────────────────────────────────────┘
   ```
3. Type a password for the local admin account. Must meet:
   - ≥ 14 characters
   - 1 digit, 1 upper, 1 lower, 1 special
4. Once accepted, SDDM starts.
5. Log in as `admin` with the password you just set.
6. Shell prompt: `admin@veilor-os`.
## Post-install hygiene
### Set USBGuard allowlist
USBGuard ships with an empty allowlist — every USB device you plug in
will be blocked until you whitelist your trusted set.
Plug in everything you trust (keyboard, mouse, dock, yubikey, etc.),
then run:
```bash
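# Run the redirect inside a root shell; a plain `sudo cmd > file` opens the file as your own user and fails
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'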
sudo systemctl restart usbguard
```
To allow a new device after that:
```bash
sudo usbguard list-devices
sudo usbguard allow-device <id>   # add -p to append a permanent rule to the policy
```
### Verify hardening
```bash
getenforce # Enforcing
mokutil --sb-state # SecureBoot enabled
sysctl kernel.yama.ptrace_scope # = 2
sysctl fs.suid_dumpable # = 0
firewall-cmd --get-default-zone # drop
fail2ban-client status sshd # active, jail loaded
veilor-power status # current profile + governor
```
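
The checks above can be scripted so that a drifted setting shows up as a non-zero exit code. This is an added example, not part of veilor-os: the snapshot key names and the `--live` flag are its own, and the `fail2ban-client` and `veilor-power` checks are left out because this page does not show their exact output.

```bash
#!/bin/sh

# Expected value per key, taken from the comments in the block above.
expected_for() {
    case "$1" in
        selinux)       echo Enforcing ;;
        secureboot)    echo enabled ;;
        ptrace_scope)  echo 2 ;;
        suid_dumpable) echo 0 ;;
        firewall_zone) echo drop ;;
        *) return 1 ;;
    esac
}

# Print the live state as key=value lines (key names are this example's own).
collect_state() {
    echo "selinux=$(getenforce 2>/dev/null)"
    case "$(mokutil --sb-state 2>/dev/null)" in
        *"SecureBoot enabled"*) echo "secureboot=enabled" ;;
        *)                      echo "secureboot=not-enabled" ;;
    esac
    echo "ptrace_scope=$(sysctl -n kernel.yama.ptrace_scope 2>/dev/null)"
    echo "suid_dumpable=$(sysctl -n fs.suid_dumpable 2>/dev/null)"
    echo "firewall_zone=$(firewall-cmd --get-default-zone 2>/dev/null)"
}

# Read a snapshot on stdin; return the number of failed or missing checks.
evaluate_state() {
    failures=0 seen=""
    while IFS='=' read -r key value; do
        want=$(expected_for "$key") || continue   # skip keys we do not check
        seen="$seen $key"
        if [ "$value" = "$want" ]; then
            printf 'PASS  %-14s %s\n' "$key" "$value"
        else
            printf 'FAIL  %-14s got "%s", want "%s"\n' "$key" "$value" "$want"
            failures=$((failures + 1))
        fi
    done
    # A key absent from the snapshot counts as a failure, not a silent pass.
    for key in selinux secureboot ptrace_scope suid_dumpable firewall_zone; do
        case " $seen " in *" $key "*) ;; *)
            printf 'FAIL  %-14s missing\n' "$key"; failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

# Run against the live system only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then collect_state | evaluate_state; fi
```

A missing tool yields an empty value, which is reported as a `FAIL` rather than skipped.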
### Check `/etc/os-release`
```bash
cat /etc/os-release
# NAME="veilor-os"
# PRETTY_NAME="veilor-os 0.1 (Fedora 43 base)"
# ID=veilor
# ID_LIKE=fedora
```
### Add additional users
The kickstart only creates `admin`. Add more users from there:
```bash
sudo useradd -m -s /bin/bash <name>
sudo passwd <name>
```
Don't add anyone to `wheel` unless they need root.
## Known caveats
- **Bluetooth disabled by default** — `sudo systemctl enable --now bluetooth`
if you need it.
- **Printing disabled** — CUPS removed; `sudo dnf install cups cups-browsed`
if you need a printer.
- **No PackageKit** — updates are manual via `sudo dnf upgrade`. Run weekly.
- **Battery cap at 80%** — udev rule. Edit
`/etc/udev/rules.d/91-veilor-battery-threshold.rules` to change.