veilor-os/docs/BUILD.md

# Building veilor-os

## Requirements

- **Host:** Fedora 43+ or RHEL/CentOS 9+ (anything with podman + KVM bits)
- **podman** with rootless or rootful — privileged mode required
- **Disk:** ~15GB free for build cache + ISO
- **Network:** internet (pulls Fedora repos, base container)

## One-shot build

From repo root:

```bash
./build/build-iso.sh
```

Output: `build/out/veilor-os-43-YYYYMMDD.iso` and `.sha256`.

## What the build does

1. `ksvalidator` checks `kickstart/veilor-os.ks` syntax.
2. Builds `veilor-build:latest` container from `build/Containerfile`
   (Fedora 43 base + lorax + livemedia-creator + pykickstart).
3. Runs `livemedia-creator --make-iso --no-virt` inside the container
   with `--privileged` (loop devices and chroot mounts required).
4. Anaconda runs the kickstart in a tmpfs root, packages are pulled,
   `%post` executes (hardening + theme + branding), root is squashed
   into a Live ISO.
5. ISO + sha256 + build log dropped in `build/out/`.

## Custom builds

Environment variables:

```bash
RELEASEVER=43 ./build/build-iso.sh   # default
RELEASEVER=44 ./build/build-iso.sh   # rebase to Fedora 44 when released
```

Edit `kickstart/veilor-os.ks` to:

- Change locale / timezone (`lang`, `keyboard`, `timezone` lines)
- Add/remove packages (`%packages` section)
- Adjust LUKS parameters (`part pv.veilor` line)

## Writing to USB

```bash
sudo dd if=build/out/veilor-os-43-YYYYMMDD.iso of=/dev/sdX bs=4M status=progress conv=fsync
sync
```

Replace `/dev/sdX` with your USB device. **Triple-check** with `lsblk`
before running — `dd` will overwrite without warning.

Ventoy is **not** supported for hardened-install ISOs because Anaconda
expects to find the kickstart at the ISO root. Use `dd` directly.

## Troubleshooting

- **`livemedia-creator` fails inside container:** ensure `--privileged`
  is set (the script already passes it). On hosts with strict SELinux,
  set `setsebool -P container_manage_cgroup on` once.
- **Packages not found:** the Fedora mirror may have moved. Update
  `url --mirrorlist=` in the kickstart.
- **Kickstart syntax errors:** run `ksvalidator kickstart/veilor-os.ks`
  directly. Errors point to a line number in the .ks file.
- **Build hangs at "Setting up Install Process":** Fedora mirror
  timeouts. Pin a specific mirror with `url --url=https://...`.

## Reproducibility

The same kickstart + same Fedora release version + same overlay tree
should produce ISOs with identical package sets. Bit-for-bit identical
ISOs require pinning Fedora compose IDs (planned for v1).
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`# Building veilor-os`

			`## Requirements`

			`- Host: Fedora 43+ or RHEL/CentOS 9+ (anything with podman + KVM bits)`
			`- podman with rootless or rootful — privileged mode required`
			`- Disk: ~15GB free for build cache + ISO`
			`- Network: internet (pulls Fedora repos, base container)`

			`## One-shot build`

			`From repo root:`

			```bash
			`./build/build-iso.sh`
			```

			Output: `build/out/veilor-os-43-YYYYMMDD.iso` and `.sha256`.

			`## What the build does`

			1. `ksvalidator` checks `kickstart/veilor-os.ks` syntax.
			2. Builds `veilor-build:latest` container from `build/Containerfile`
			`(Fedora 43 base + lorax + livemedia-creator + pykickstart).`
			3. Runs `livemedia-creator --make-iso --no-virt` inside the container
			with `--privileged` (loop devices and chroot mounts required).
			`4. Anaconda runs the kickstart in a tmpfs root, packages are pulled,`
			`%post` executes (hardening + theme + branding), root is squashed
			`into a Live ISO.`
			5. ISO + sha256 + build log dropped in `build/out/`.

			`## Custom builds`

			`Environment variables:`

			```bash
			`RELEASEVER=43 ./build/build-iso.sh # default`
			`RELEASEVER=44 ./build/build-iso.sh # rebase to Fedora 44 when released`
			```

			Edit `kickstart/veilor-os.ks` to:

			- Change locale / timezone (`lang`, `keyboard`, `timezone` lines)
			- Add/remove packages (`%packages` section)
			- Adjust LUKS parameters (`part pv.veilor` line)

			`## Writing to USB`

			```bash
			`sudo dd if=build/out/veilor-os-43-YYYYMMDD.iso of=/dev/sdX bs=4M status=progress conv=fsync`
			`sync`
			```

			Replace `/dev/sdX` with your USB device. Triple-check with `lsblk`
			before running — `dd` will overwrite without warning.

			`Ventoy is not supported for hardened-install ISOs because Anaconda`
			expects to find the kickstart at the ISO root. Use `dd` directly.

			`## Troubleshooting`

			- `livemedia-creator` fails inside container: ensure `--privileged`
			`is set (the script already passes it). On hosts with strict SELinux,`
			set `setsebool -P container_manage_cgroup on` once.
			`- Packages not found: the Fedora mirror may have moved. Update`
			`url --mirrorlist=` in the kickstart.
			- Kickstart syntax errors: run `ksvalidator kickstart/veilor-os.ks`
			`directly. Errors point to a line number in the .ks file.`
			`- Build hangs at "Setting up Install Process": Fedora mirror`
			timeouts. Pin a specific mirror with `url --url=https://...`.

			`## Reproducibility`

			`The same kickstart + same Fedora release version + same overlay tree`
			`should produce ISOs with identical package sets. Bit-for-bit identical`
			`ISOs require pinning Fedora compose IDs (planned for v1).`