ks: add upstream live plumbing + explicit base repo

Agent A: missing livesys-scripts + anaconda-live = lorax can't build EFI/BOOT.
Agent B: livecd-creator ignores url=, only reads repo.repoList — added
explicit repo --name=fedora to feed it the base.

Both Fedora's own pipeline + livecd-creator now have what they need.
Live image plumbing in %post: enable livesys.service livesys-late.service
tmp.mount, reset machine-id.

kickstart/veilor-os.ks

@@ -9,12 +9,13 @@
 # file_contexts.bin, which fails chroot %triggerin against host's
 # libselinux (built against pcre2 10.46). 43.7 in updates is rebuilt.
 url --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64"
+# Explicit `repo --name=fedora` lets livecd-creator see base repo (it only
+# reads repo.repoList, ignores url= directive). livemedia-creator + Anaconda
+# honor both. No behavior change for either tool.
+repo --name=fedora --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64" --install
 repo --name=updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64" --install
-# Local fix-repo: ships selinux-policy 43.7 + pcre2 10.47 paired (matched
+# Local fix-repo: build-time-only workaround for host pcre2/libselinux skew.
-# regex versions) — bypasses Anaconda's repo-merger ignoring cost/priority
+# Stripped from CI ks via sed in build-iso.yml. NOT shipped state.
-# from updates. cost=1 = highest priority. Build via:
-#   dnf download pcre2-10.47 selinux-policy-43.7 ... -d /tmp/veilor-fix-repo
-#   createrepo_c /tmp/veilor-fix-repo
 repo --name=veilor-fix --baseurl=file:///tmp/veilor-fix-repo --install --cost=1
 
 # ── Locale / keyboard / time (template — adjust per build) ──
@@ -62,6 +63,15 @@ part / --fstype=ext4 --size=8192
 @standard
 
 # live install plumbing (required by livemedia-creator --make-iso)
+# CRITICAL: livesys-scripts + anaconda-live ship the systemd units lorax expects
+# at squashfs creation. Without them, EFI/BOOT not built and ISO wrap fails.
+# (Upstream Fedora's fedora-live-kde.ks includes these via fedora-live-base.ks.)
+livesys-scripts
+anaconda-live
+@anaconda-tools
+kernel-modules
+kernel-modules-extra
+glibc-all-langpacks
 dracut-live
 dracut-config-generic
 kernel
@@ -167,6 +177,14 @@ echo "════════════════════════
 REPO=/usr/share/veilor-os
 chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh /usr/local/bin/veilor-power /usr/local/sbin/veilor-firstboot
 
+# Live image plumbing (matches upstream Fedora live ks). Without these the
+# squashfs/EFI build fails — livesys-scripts ships systemd units lorax expects.
+systemctl enable livesys.service livesys-late.service 2>/dev/null || true
+systemctl enable tmp.mount 2>/dev/null || true
+
+# /etc/machine-id reset on first boot (live image baseline)
+> /etc/machine-id
+
 # Apply hardening
 bash $REPO/scripts/10-harden-base.sh
 bash $REPO/scripts/20-harden-kernel.sh