veilor-os/kickstart/veilor-os.ks

#version=DEVEL
# veilor-os kickstart — Fedora 43 KDE base, hardened, minimal.
# Build with livemedia-creator inside build/Containerfile.

# ── Install source ──
url --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch"
repo --name=updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch"

# ── Locale / keyboard / time (template — adjust per build) ──
keyboard --xlayouts='us'
lang en_GB.UTF-8
timezone Europe/London --utc

# ── Install mode ──
text
firstboot --disable
eula --agreed
selinux --enforcing
services --enabled=sshd,fail2ban,usbguard,tuned,auditd,firewalld,chronyd,sddm,veilor-firstboot,veilor-modules-lock

# ── Network / hostname ──
network --bootproto=dhcp --device=link --activate --hostname=veilor-os
firewall --enabled --service=ssh

# ── Identity (zero-prompt; only LUKS passphrase asked at install) ──
rootpw --lock
user --name=admin --groups=wheel --gecos="veilor admin" --password="" --plaintext
auth --useshadow --passalgo=sha512

# ── Bootloader: kernel hardening flags ──
bootloader --location=mbr --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none"

# ── Disk: BIOS+UEFI, LUKS2, btrfs subvols, zram swap (no disk swap) ──
zerombr
clearpart --all --initlabel
reqpart --add-boot
part /boot --fstype=ext4 --size=1024 --asprimary
part pv.veilor --size=1 --grow --encrypted --luks-version=luks2 \
    --pbkdf=argon2id --pbkdf-memory=1048576 --pbkdf-iterations=9 \
    --cipher=aes-xts-plain64 --hash=sha512
volgroup veilor pv.veilor
logvol / --vgname=veilor --name=root --fstype=btrfs --size=1 --grow \
    --mkfsoptions="--mixed"

# ── Packages ──
%packages --excludedocs
@^kde-desktop-environment
@kde-apps
@core
@hardware-support
@standard

# core hardening tools
fail2ban
fail2ban-firewalld
usbguard
usbguard-tools
audit
policycoreutils-python-utils
tuned
chrony
firewalld
plymouth

# admin essentials
git
vim-enhanced
tmux
htop
podman
skopeo
NetworkManager
NetworkManager-wifi

# fonts
fontconfig
freetype
fira-code-fonts

# remove fluff
-cups
-cups-browsed
-abrt*
-snapd
-geoclue2
-avahi
-avahi-libs
-kde-connect
-open-vm-tools-desktop
-PackageKit
-PackageKit-command-not-found
-mlocate
-ModemManager
-pcsc-lite
-rsync-daemon

%end

# ── Post-install (nochroot): copy overlay tree into installed root ──
%post --nochroot
set -eu
SRC=/run/install/repo/veilor
DEST=/mnt/sysimage
if [[ -d $SRC/overlay ]]; then
    cp -a $SRC/overlay/. $DEST/
fi
mkdir -p $DEST/usr/share/veilor-os
cp -a $SRC/assets $DEST/usr/share/veilor-os/
cp -a $SRC/scripts $DEST/usr/share/veilor-os/
%end

# ── Post-install (chroot): apply hardening, theme, branding ──
%post
set -uo pipefail
exec > >(tee -a /var/log/veilor-install.log) 2>&1

echo "════════════════════════════════════════════════════════"
echo " veilor-os install — %post"
echo "════════════════════════════════════════════════════════"

REPO=/usr/share/veilor-os
chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh /usr/local/bin/veilor-power /usr/local/sbin/veilor-firstboot

# Apply hardening
bash $REPO/scripts/10-harden-base.sh
bash $REPO/scripts/20-harden-kernel.sh

# Build SELinux module
bash $REPO/scripts/selinux/build-policy.sh || echo "[WARN] SELinux build failed; load on first boot"

# Apply KDE theme + DuckSans + os-release branding
bash $REPO/scripts/kde-theme-apply.sh

# Force admin password set on first boot (chage expires immediately)
chage -d 0 admin

# zram swap (no disk swap; keys never leak to platter)
dnf install -y zram-generator || true
cat > /etc/systemd/zram-generator.conf << 'EOF'
[zram0]
zram-size = min(ram, 8192)
compression-algorithm = zstd
EOF

# Enable services
systemctl enable veilor-firstboot.service
systemctl enable veilor-modules-lock.service
systemctl enable sshd fail2ban usbguard tuned auditd firewalld chronyd

# Default tuned profile = balanced (AC/battery udev rule will override)
tuned-adm profile veilor-balanced 2>/dev/null || true

# Lock root explicitly (kickstart --lock should already do this)
passwd -l root

# Sanity: zero references to onyx / personal IPs in installed system
if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local' /etc/veilor* /etc/tuned/profiles/veilor-* 2>/dev/null; then
    echo "[ERR] brand leak detected in /etc — investigate"
fi

echo "════════════════════════════════════════════════════════"
echo " veilor-os install complete"
echo "════════════════════════════════════════════════════════"
%end
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`#version=DEVEL`
			`# veilor-os kickstart — Fedora 43 KDE base, hardened, minimal.`
			`# Build with livemedia-creator inside build/Containerfile.`

			`# ── Install source ──`
			`url --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch"`
			`repo --name=updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch"`

			`# ── Locale / keyboard / time (template — adjust per build) ──`
			`keyboard --xlayouts='us'`
			`lang en_GB.UTF-8`
			`timezone Europe/London --utc`

			`# ── Install mode ──`
			`text`
			`firstboot --disable`
			`eula --agreed`
			`selinux --enforcing`
			`services --enabled=sshd,fail2ban,usbguard,tuned,auditd,firewalld,chronyd,sddm,veilor-firstboot,veilor-modules-lock`

			`# ── Network / hostname ──`
			`network --bootproto=dhcp --device=link --activate --hostname=veilor-os`
			`firewall --enabled --service=ssh`

			`# ── Identity (zero-prompt; only LUKS passphrase asked at install) ──`
			`rootpw --lock`
			`user --name=admin --groups=wheel --gecos="veilor admin" --password="" --plaintext`
			`auth --useshadow --passalgo=sha512`

			`# ── Bootloader: kernel hardening flags ──`
			`bootloader --location=mbr --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none"`

			`# ── Disk: BIOS+UEFI, LUKS2, btrfs subvols, zram swap (no disk swap) ──`
			`zerombr`
			`clearpart --all --initlabel`
			`reqpart --add-boot`
			`part /boot --fstype=ext4 --size=1024 --asprimary`
			`part pv.veilor --size=1 --grow --encrypted --luks-version=luks2 \`
			`--pbkdf=argon2id --pbkdf-memory=1048576 --pbkdf-iterations=9 \`
			`--cipher=aes-xts-plain64 --hash=sha512`
			`volgroup veilor pv.veilor`
			`logvol / --vgname=veilor --name=root --fstype=btrfs --size=1 --grow \`
			`--mkfsoptions="--mixed"`

			`# ── Packages ──`
			`%packages --excludedocs`
			`@^kde-desktop-environment`
			`@kde-apps`
			`@core`
			`@hardware-support`
			`@standard`

			`# core hardening tools`
			`fail2ban`
			`fail2ban-firewalld`
			`usbguard`
			`usbguard-tools`
			`audit`
			`policycoreutils-python-utils`
			`tuned`
			`chrony`
			`firewalld`
			`plymouth`

			`# admin essentials`
			`git`
			`vim-enhanced`
			`tmux`
			`htop`
			`podman`
			`skopeo`
			`NetworkManager`
			`NetworkManager-wifi`

			`# fonts`
			`fontconfig`
			`freetype`
fonts: swap DuckSans → Fira Code (Fedora fira-code-fonts, SIL OFL 1.1) 2026-04-30 03:57:17 +01:00			`fira-code-fonts`
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00
			`# remove fluff`
			`-cups`
			`-cups-browsed`
			`-abrt*`
			`-snapd`
			`-geoclue2`
			`-avahi`
			`-avahi-libs`
			`-kde-connect`
			`-open-vm-tools-desktop`
			`-PackageKit`
			`-PackageKit-command-not-found`
			`-mlocate`
			`-ModemManager`
			`-pcsc-lite`
			`-rsync-daemon`

			`%end`

			`# ── Post-install (nochroot): copy overlay tree into installed root ──`
			`%post --nochroot`
			`set -eu`
			`SRC=/run/install/repo/veilor`
			`DEST=/mnt/sysimage`
			`if [[ -d $SRC/overlay ]]; then`
			`cp -a $SRC/overlay/. $DEST/`
			`fi`
			`mkdir -p $DEST/usr/share/veilor-os`
			`cp -a $SRC/assets $DEST/usr/share/veilor-os/`
			`cp -a $SRC/scripts $DEST/usr/share/veilor-os/`
			`%end`

			`# ── Post-install (chroot): apply hardening, theme, branding ──`
			`%post`
			`set -uo pipefail`
			`exec > >(tee -a /var/log/veilor-install.log) 2>&1`

			`echo "════════════════════════════════════════════════════════"`
			`echo " veilor-os install — %post"`
			`echo "════════════════════════════════════════════════════════"`

			`REPO=/usr/share/veilor-os`
			`chmod +x $REPO/scripts/.sh $REPO/scripts/selinux/.sh /usr/local/bin/veilor-power /usr/local/sbin/veilor-firstboot`

			`# Apply hardening`
			`bash $REPO/scripts/10-harden-base.sh`
			`bash $REPO/scripts/20-harden-kernel.sh`

			`# Build SELinux module`
			`bash $REPO/scripts/selinux/build-policy.sh \|\| echo "[WARN] SELinux build failed; load on first boot"`

			`# Apply KDE theme + DuckSans + os-release branding`
			`bash $REPO/scripts/kde-theme-apply.sh`

			`# Force admin password set on first boot (chage expires immediately)`
			`chage -d 0 admin`

			`# zram swap (no disk swap; keys never leak to platter)`
			`dnf install -y zram-generator \|\| true`
			`cat > /etc/systemd/zram-generator.conf << 'EOF'`
			`[zram0]`
			`zram-size = min(ram, 8192)`
			`compression-algorithm = zstd`
			`EOF`

			`# Enable services`
			`systemctl enable veilor-firstboot.service`
			`systemctl enable veilor-modules-lock.service`
			`systemctl enable sshd fail2ban usbguard tuned auditd firewalld chronyd`

			`# Default tuned profile = balanced (AC/battery udev rule will override)`
			`tuned-adm profile veilor-balanced 2>/dev/null \|\| true`

			`# Lock root explicitly (kickstart --lock should already do this)`
			`passwd -l root`

			`# Sanity: zero references to onyx / personal IPs in installed system`
			`if grep -rqi 'onyx\\|192\.168\.0\.\\|fedora\.local' /etc/veilor* /etc/tuned/profiles/veilor-* 2>/dev/null; then`
			`echo "[ERR] brand leak detected in /etc — investigate"`
			`fi`

			`echo "════════════════════════════════════════════════════════"`
			`echo " veilor-os install complete"`
			`echo "════════════════════════════════════════════════════════"`
			`%end`