From 6391b1104b8ed39b1b718fb08c1bd5728c664b64 Mon Sep 17 00:00:00 2001
From: obsidian-ai <obsidian-ai@s8n.ru>
Date: Wed, 6 May 2026 16:50:02 +0100
Subject: [PATCH] bluebuild(recipe): reconcile kickstart %post into BlueBuild
 modules (A2)

Walk every action in kickstart/veilor-os.ks %post and map to its
v0.7 atomic equivalent:

Build-time script additions:
- chmod +x /usr/share/veilor-os/scripts/* + /usr/local/bin/veilor-*
  (BlueBuild type:files sometimes drops perms)
- fc-cache -f after Fira Code stamping
- os-release brand override (NAME=veilor-os, ID=veilor, ID_LIKE)
- brand-leak guard: fail the image build if any onyx/personal data
  slipped through into shipped state

Layered packages:
- zram-generator (memory hygiene; replaces dnf install in kickstart)
- jq (used by veilor-doctor for `bootc status --json`)
- vim-enhanced + tmux + htop (admin essentials, parity with v0.5.x)

Systemd unit enables added:
- veilor-postinstall.service (first-login TUI; new in A3)
- veilor-doctor.timer (weekly drift check; new in A3)

Dropped: anaconda transaction_progress.py patch (build-time CI work,
not image content); SDDM display-manager symlink (kinoite ships
sddm.service already); SELinux module build (secureblue has its
own); systemctl set-default multi-user.target (kinoite is
graphical.target by design).
---
 bluebuild/recipe.yml | 42 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml
index bdf2229..64d0fff 100644
--- a/bluebuild/recipe.yml
+++ b/bluebuild/recipe.yml
@@ -52,6 +52,29 @@ modules:
         bash /usr/share/veilor-os/scripts/kde-theme-apply.sh || true
         bash /usr/share/veilor-os/scripts/30-apply-v03-theme.sh 2>/dev/null || true
         plymouth-set-default-theme details 2>/dev/null || true
+        # Mark all our shipped scripts + CLIs executable. cp -a from the
+        # repo preserves perms but BlueBuild's `type: files` sometimes
+        # drops the +x bit on the way through; belt-and-braces here.
+        chmod +x /usr/share/veilor-os/scripts/*.sh \
+                 /usr/share/veilor-os/scripts/selinux/*.sh \
+                 /usr/local/bin/veilor-* 2>/dev/null || true
+        # Refresh fontconfig cache so Fira Code is picked up by KDE
+        fc-cache -f 2>/dev/null || true
+        # os-release brand override (atomic /etc is r/w; safe to overwrite)
+        if [ -f /etc/os-release ]; then
+          sed -i \
+            -e 's|^NAME=.*|NAME="veilor-os"|' \
+            -e 's|^PRETTY_NAME=.*|PRETTY_NAME="veilor-os 0.7 (atomic)"|' \
+            -e 's|^ID=.*|ID=veilor|' \
+            -e 's|^ID_LIKE=.*|ID_LIKE="fedora kinoite"|' \
+            /etc/os-release || true
+        fi
+        # Sanity: brand-leak check, fail build if any onyx/personal data slipped in
+        if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local\|xynki\.dev' \
+            /etc/veilor* /etc/tuned/profiles/veilor-* /usr/share/veilor-os 2>/dev/null; then
+          echo "[ERR] brand leak detected in shipped state"
+          exit 1
+        fi
 
   # ── 3. Override secureblue's run0-only — restore sudo ───────────
   # secureblue removes sudo + replaces with run0. Too disruptive for
@@ -86,6 +109,19 @@ modules:
       - tailscale
       - yggdrasil
 
+  # ── 6b. Memory hygiene + ergonomic deps ─────────────────────────
+  # zram-generator gives us zram swap (no disk swap, no cold-boot
+  # leak). gum is the TUI primitive used by veilor-postinstall +
+  # veilor-update + veilor-doctor — vendor binary at build time so
+  # post-install layering doesn't need it.
+  - type: rpm-ostree
+    install:
+      - zram-generator
+      - jq
+      - vim-enhanced
+      - tmux
+      - htop
+
   # ── 7. ujust recipes for opt-in components ──────────────────────
   - type: files
     files:
@@ -103,13 +139,15 @@ modules:
         # auditd, firewalld, chronyd, sddm — no re-enable needed.
 
   # ── 9. veilor-os specific systemd units ─────────────────────────
-  # veilor-firstboot.service comes in via overlay/etc/systemd/system/
-  # — needs explicit enable since it's not part of secureblue's set.
+  # All veilor-* units come in via overlay/etc/systemd/system/ —
+  # explicit enable here since they aren't part of secureblue's set.
   - type: systemd
     system:
       enabled:
         - veilor-firstboot.service
         - veilor-modules-lock.service
+        - veilor-postinstall.service
+        - veilor-doctor.timer
 
   # ── 10. signing config ──────────────────────────────────────────
   # bluebuild emits cosign.pub at root; CI uses the pinned key