diff --git a/overlay/usr/local/bin/veilor-installer b/overlay/usr/local/bin/veilor-installer index 5da0da9..3417620 100644 --- a/overlay/usr/local/bin/veilor-installer +++ b/overlay/usr/local/bin/veilor-installer @@ -377,7 +377,7 @@ __SSHKEY_DIRECTIVE__ # Full hardening cmdline (installed system, not live): # --location=none: anaconda auto-places bootloader (UEFI grub2-efi or BIOS). -bootloader --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none plymouth.enable=0 rd.plymouth=0 logo.nologo console=tty0" +bootloader --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none" # Disk: zero, LUKS2 (argon2id), btrfs subvolumes (no LVM intermediary). # Native btrfs-on-LUKS matches Fedora KDE Spin defaults; LVM+btrfs combo @@ -436,9 +436,7 @@ policycoreutils-python-utils tuned chrony firewalld -# plymouth: removed in v0.5.13. Splash unreliable in QEMU; LUKS prompt -# falls back to systemd-tty-ask-password-agent on tty1 (text). Cleaner -# boot, smaller initramfs, fewer moving parts. +plymouth # admin essentials git @@ -466,9 +464,6 @@ zram-generator -kde-connect -open-vm-tools-desktop -mlocate --plymouth --plymouth-plugin-label --plymouth-system-theme %end @@ -551,49 +546,12 @@ bash $REPO/scripts/kde-theme-apply.sh # on tty1 — text "Please enter passphrase for disk... :" — works in # QEMU sendkey AND on real hardware. -# Layer 1: initramfs -mkdir -p /etc/dracut.conf.d -cat > /etc/dracut.conf.d/99-veilor-no-plymouth.conf << 'EOF' -omit_dracutmodules+=" plymouth " -# Ensure systemd-cryptsetup module + systemd-ask-password agent are -# included so LUKS prompt appears on tty1 (text mode) when plymouth -# is omitted. Without these, dracut loops on devexists waiting for -# an unlock that never happens. -add_dracutmodules+=" crypt systemd-cryptsetup " -install_items+=" /usr/bin/systemd-tty-ask-password-agent " -EOF -# Regenerate initramfs for ALL installed kernels with our dracut config. -# `--regenerate-all` walks /lib/modules itself; safer than bash glob in -# chroot where shell may be dash + nullglob unset → glob expands literally -# → dracut --kver "/lib/modules/*/" fails silently. -dracut --force --regenerate-all 2>&1 | tail -5 || true - -# Layer 2: real-root masks -mkdir -p /etc/systemd/system -for unit in \ - plymouth-start.service \ - plymouth-quit.service \ - plymouth-quit-wait.service \ - plymouth-read-write.service \ - plymouth-switch-root.service \ - systemd-ask-password-plymouth.path \ - systemd-ask-password-plymouth.service \ - ; do - ln -sf /dev/null /etc/systemd/system/$unit -done - -# GRUB branding: drop fedora menu titles + theme + graphical splash. -# Pure text-mode "hackery" boot per veilor aesthetic. Logo/theme work -# revisits in v0.6 via plymouth + veilor-black theme. +# GRUB branding: replace fedora distributor with veilor-os in menu titles. +# Theme + splash kept default (plymouth handles boot UI). v0.6 will swap +# fedora-logos with veilor-logos for full visual rebrand. sed -i \ -e 's|^GRUB_DISTRIBUTOR=.*|GRUB_DISTRIBUTOR="veilor-os"|' \ - -e 's|^GRUB_THEME=.*|GRUB_THEME=|' \ - -e 's|^GRUB_TERMINAL_OUTPUT=.*|GRUB_TERMINAL_OUTPUT="console"|' \ - -e '/^GRUB_BACKGROUND=/d' \ /etc/default/grub 2>/dev/null || true -# Append GRUB_TERMINAL_OUTPUT if not present -grep -q '^GRUB_TERMINAL_OUTPUT=' /etc/default/grub 2>/dev/null || \ - echo 'GRUB_TERMINAL_OUTPUT="console"' >> /etc/default/grub # Regen grub.cfg with new branding (anaconda already wrote one; replace). grub2-mkconfig -o /boot/grub2/grub.cfg 2>/dev/null || true [ -f /boot/efi/EFI/fedora/grub.cfg ] && \