docs: CHANGELOG v0.2.0-v0.2.5, README rewrite, ROADMAP, release notes update (#5)

Co-authored-by: veilor-org <admin@veilor.org>
s8n 2026-05-02 03:42:39 +01:00 committed by GitHub
parent fc7c3f858b
commit a7e7d6e10c
3 changed files with 562 additions and 31 deletions

255
CHANGELOG.md Normal file

@ -0,0 +1,255 @@
# Changelog
All notable changes to veilor-os are documented here.
The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project loosely follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
during the pre-1.0 phase.
Each release section records the **bug found** and the **fix applied** so
future maintainers can see why a change exists, not just what it changes.
## [Unreleased]
### Planned
- v0.3 polish — Plymouth black theme, SDDM theme, Konsole profile,
wallpaper SVG. Re-enable `init_on_alloc=1 init_on_free=1` post-install
via `veilor-firstboot` so live boot stays fast but installed system
keeps the memory hygiene.
- USBGuard auto-snapshot on first boot.
- veilor-firstboot UX improvements (cleaner banner, better error paths).
---
## [0.2.5] — 2026-05-01
**Commit:** `8515bdb`
### Fixed
- **Live boot took 5+ minutes on KVM.** Dracut sat at the parse-livenet
stage for what looked like a hang. Root cause: `init_on_alloc=1`
and `init_on_free=1` zero every memory page on allocation and free.
In a virtualised guest with paravirtual memory, this multiplied the
early-boot cost by ~5x. Removed both flags from the *live* kernel
cmdline.
### Notes
- The two memory-hygiene flags will be re-added on the **installed**
system via `veilor-firstboot` in v0.3 — the cost on bare metal is
negligible, the live-ISO penalty is the only place it bites.
- Live cmdline retained: `lockdown=integrity slab_nomerge
randomize_kstack_offset=on vsyscall=none`.
---
## [0.2.4] — 2026-05-01
**Commit:** `a23ce63`
### Fixed
- **VM booted but stalled at dracut "parse-livenet" looking for a label
that never matched.** Root cause: an upstream bug in
`livecd-tools``imgcreate/live.py::__get_efi_image_stanza()` writes
the EFI grub stanza as `root=live:LABEL=...` for dracut. Dracut on
live ISOs expects `live:CDLABEL=...` for ISO9660 volume labels;
`LABEL=` matches partition labels which a live ISO doesn't have.
- Patched `live.py` in-place inside the CI build container before
invoking `livecd-creator`. With the patched stanza, the VM booted
cleanly to the SDDM login prompt.
### Changed
- CI workflow now `sed`s the patch into the installed `live.py` and
asserts the patch landed before continuing the build.
### Notes
- Bug also affects `livemedia-creator --make-iso --no-virt` and any
other consumer of `imgcreate.LiveImageCreator`. Worth filing
upstream once we have a clean repro recipe.
---
## [0.2.3] — 2026-05-01
**Commit:** `ef54a24`
### Added
- Manual `useradd admin` invocation in chroot `%post`. `livecd-creator`
does not run an installer phase, so the kickstart `user` directive
is silently ignored. Without this, the booted live system has no
admin account at all, and SDDM falls back to "no users" — login
impossible.
### Fixed
- **`/etc/os-release` was still pointing at stock Fedora.** Even with
the overlay tree successfully copied, `kde-theme-apply.sh` was
resolving `/etc/os-release.d/veilor` from the wrong path (the build
host's repo, not the overlay's installed location).
- Rewired the symlink chain cleanly: `/etc/os-release →
../usr/lib/os-release`, with the override file written to
`/usr/lib/os-release` directly during `%post`.
- Branding now reflects veilor-os in `/etc/os-release`,
`hostnamectl`, and the SDDM session menu.
### Notes
- The `user --name=admin` directive stays in the kickstart for
documentation and for any future `livemedia-creator`-based
installer ISO that *does* honour it.
---
## [0.2.2] — 2026-05-01
**Commit:** `3408841`
### Fixed
- **Overlay was partially copied — boot worked but veilor-power, KDE
theme, custom scripts were all missing.** Found via offline debugfs
inspection of the v0.2.1 rootfs: tuned profiles, sshd hardening,
sudoers entries, and systemd units were present, but
`/usr/share/veilor-os/{assets,scripts}` was empty.
- Root cause: `%post --nochroot` ran with `set -eu`. When the first
`cp` of a non-essential overlay file returned non-zero, the script
aborted, leaving the assets/scripts copy step un-executed. None of
the chroot `%post` scripts could then find what they needed and they
silently no-op'd.
### Changed
- `%post --nochroot` now uses `set +e` around `cp`/`mkdir` so a
partial-permissions error on one tree doesn't kill the whole copy.
- Added `/var/log/veilor-nochroot.log` — every action in
`%post --nochroot` now traces with timestamps. Future debugging is
one `journalctl --boot` away.
### Notes
- The looser error handling is intentional but bounded — only the
overlay copy uses `set +e`. Hardening scripts that follow run with
strict mode.
---
## [0.2.1] — 2026-05-01
**Commit:** `9c6136f`
### Fixed
- **ISO booted, but it was effectively bare Fedora KDE.** No
hardening, no theme, no `veilor-power`, no `/etc/os-release`
override. Confirmed by mounting v0.2.0 with debugfs:
`/etc/os-release` symlinked to `../usr/lib/os-release` (Fedora's
default), no `/usr/share/veilor-os`, no overlay files anywhere.
- Root cause: `%post --nochroot` hardcoded `/mnt/sysimage` as the
destination. `/mnt/sysimage` is the **livemedia-creator** install
root. We had switched the build pipeline to **livecd-creator**,
which exposes the destination as `$INSTALL_ROOT` — a different path
inside its tmpfs sandbox.
- Switched the copy target to `$INSTALL_ROOT`.
### Notes
- Partial overlay landed in v0.2.1 (tuned, sshd, sddm.conf) — but
`/usr/share/veilor-os/{assets,scripts}` was still missing because
`set -eu` aborted partway through the cp tree. That fix is in v0.2.2.
- Lesson learned: tooling-specific environment variables matter.
`$INSTALL_ROOT` is the portable answer; `/mnt/sysimage` is a
livemedia-creator-only convention.
---
## [0.2.0] — 2026-04-30
**Commit:** `7c4a94d` (tagged release)
### Added
- First green ISO. Reproducible build pipeline lands.
- GitHub Actions workflow `build-iso.yml` produces a UEFI+BIOS-bootable
live ISO from `kickstart/veilor-os.ks`.
- CI: kickstart syntax linting (`ksvalidator`) gate.
- Kickstart based on Fedora 43, KDE Plasma minimal, hardening
packages selected (`fail2ban`, `usbguard`, `tuned`, `audit`,
`firewalld`).
- Overlay tree authored: tuned profiles, sshd hardening, sysctl
drop-in, sudoers, udev rules, KDE theme assets, Fira Code font.
- 3-mode power profiles: `veilor-power save | mid | perf` with
AC/battery udev auto-switching.
### Notes — known limitations of v0.2.0
- **The overlay never actually applied to the installed system.**
The `%post --nochroot` copy step targeted `/mnt/sysimage`
(livemedia-creator's install root) but the build pipeline had moved
to livecd-creator, which uses `$INSTALL_ROOT`. Result: the ISO
*boots* and presents a working KDE Plasma desktop, but it is in
practice **stock Fedora 43 KDE** with no veilor-os hardening,
branding, theme, or power scripts applied.
- v0.2.0 is best understood as a **build-pipeline milestone** — the
ISO format, EFI/BIOS bootability, partitioning, and squashfs build
all work end-to-end. The userspace customisation layer was wired
but not delivering. Treat v0.2.0 as proof-of-build, not as a
feature-complete release.
- See **v0.2.5** for the first feature-complete ISO that actually
ships veilor-os hardening and branding into the running system.
### Build pipeline path to green
For posterity, the issues resolved between v0.1 (scaffold) and v0.2.0
(first green ISO):
- pcre2 / selinux-policy version skew on stock Fedora 43 base —
worked around with a pinned `fix-repo` for the local build only;
CI uses `dnf upgrade --refresh` to sidestep entirely.
- KDE Plasma hard-deps (cups, geoclue2, ModemManager, PackageKit) —
kept at the package level, masked at the daemon level.
- `%post --nochroot` source path — multi-path detection added so the
overlay can be sourced from `/work` (CI) or `/run/install/repo`
(virt) or kickstart-relative (no-virt).
- `livemedia-creator --make-iso --no-virt` produced a squashfs but
no EFI/BOOT image. Switched to `livecd-creator` (`livecd-tools`)
which is purpose-built for live ISOs and handles EFI grafting.
- Tmpdir on `/tmp` exhausted the GitHub Actions tmpfs cap (16GB
vs ~30GB working set). Moved to `/var/lmc` on the runner's host
ext4.
---
## [0.1.0] — 2026-04-29
**Commit:** `1822005`
### Added
- Initial repo scaffold: `kickstart/`, `build/`, `overlay/`, `scripts/`,
`assets/`, `docs/`, `test/`.
- Kickstart skeleton (Fedora 43 KDE base, single-prompt LUKS install,
hardened bootloader cmdline, locked root, blank-password admin with
`chage -d 0` to force first-boot reset).
- Hardening scripts ported and rebranded from operator's reference
system: base hardening, kernel hardening, custom SELinux policy
module `veilor-systemd`.
- KDE theme: BreezeBlackPure base + grey accent (`#686B6F`).
- Fira Code chosen as system font (Fedora `fira-code-fonts`,
SIL OFL 1.1).
- Test harness: VM runner (`test/run-vm.sh`) with QEMU + OVMF for
fast iteration, with `SECBOOT=1` and `FRESH=1` modes.
- Documentation: `BUILD.md`, `INSTALL.md`, `HARDENING.md`,
`POWER.md`, `boot-checklist.md`.
### Notes
- v0.1 was scaffold-only — no green ISO yet. Build pipeline iterated
through ~22 distinct toolchain issues before producing v0.2.0.
- All `onyx` references stripped from shipped artifacts; comments
refer to "reference system" only.
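Review bot: In the 0.2.2 "Changed" entry, the overlay copy now runs under `set +e`, but the changelog records no check that the overlay actually landed, even though 0.2.0 and 0.2.1 both shipped with the overlay missing or partial. That tree carries the sshd hardening and sudoers files, so document (or add) a build-failing assertion on the required paths, for example `/usr/share/veilor-os/{assets,scripts}`, in the same way the 0.2.4 entry describes asserting that the `live.py` patch landed. The same entry says the new `/var/log/veilor-nochroot.log` is "one `journalctl --boot` away"; a plain file under `/var/log` is not read by `journalctl`, so say how to read it and whether that path is on the build host or inside the image, given that `%post --nochroot` runs outside the chroot.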

165
README.md

@ -1,49 +1,152 @@
# veilor-os # veilor-os
> Hardened minimal Fedora KDE remix. Black-on-black. Locked down by default. > **Hardened minimal Fedora KDE spin. Black-on-black. Locked down by default.**
veilor-os is a Fedora 43 KDE spin built for operators who want a clean, fast, [![Build veilor-os ISO](https://github.com/veilor-org/veilor-os/actions/workflows/build-iso.yml/badge.svg)](https://github.com/veilor-org/veilor-os/actions/workflows/build-iso.yml)
opinionated desktop with serious hardening already in place. No prompts at [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
install beyond the LUKS passphrase. Boot, set admin password, work. [![Status: pre-release](https://img.shields.io/badge/status-pre--release_v0.2.5-orange)](CHANGELOG.md)
## Highlights veilor-os is a Fedora 43 KDE Plasma remix for operators who want a clean,
fast, opinionated desktop with serious hardening already wired in. Boot the
ISO, set an admin password, work. No installer wizard. No initial-setup
screen. No telemetry. No "would you like to enable X" prompts.
- **Single-prompt install** — only LUKS passphrase. No account wizard, no ---
initial-setup screen. `admin` account is created automatically; password
is set on first boot. ## Status
- **Hardened by default** — SELinux enforcing, USBGuard, fail2ban, firewalld
drop zone, kernel sysctl lockdown, NTS-authenticated NTP, DNS-over-TLS. **Pre-release `v0.2.5`** — first feature-complete ISO that actually applies
- **3-mode power management**`veilor-power save | mid | perf`, with the veilor-os overlay to the installed system. The build pipeline is green
AC/battery auto-switching via udev. Backed by tuned profiles. on CI; the live ISO boots to KDE on KVM and bare metal. See
- **Fira Code system font** — programming ligatures, monospace [CHANGELOG.md](CHANGELOG.md) for the full v0.2.0 → v0.2.5 story (it is
consistency across UI + terminal. (DuckSans planned for v0.3.) worth reading — five real bugs caught and documented).
- **Pure-black KDE color scheme**`veilor-black` theme system-wide.
- **LUKS2 + Secure Boot** — argon2id, aes-xts, btrfs subvolumes, zram swap What is **done**: hardening (SELinux, sysctl, USBGuard, fail2ban,
(no disk swap, no cold-boot leak). firewalld), KDE black theme, Fira Code system font, 3-mode power
- **Reproducible build** — kickstart + podman + livemedia-creator. ISO management, single-prompt LUKS install, first-boot admin password flow,
output is deterministic given pinned base. reproducible CI build, EFI+BIOS bootable live ISO.
What is **planned** (see [docs/ROADMAP.md](docs/ROADMAP.md)): Plymouth
black theme, SDDM theme, signed ISOs (own MOK + GPG), AppArmor + nftables,
veilor-update / veilor-doctor helpers, public docs site.
---
## Quick install
```bash
# 1. Download the ISO (after public release; CI artifact for now)
sha256sum -c veilor-os-43-*.iso.sha256
# 2. Flash to USB. Replace /dev/sdX with your USB device — triple-check.
sudo dd if=veilor-os-43-*.iso of=/dev/sdX bs=4M status=progress conv=fsync
sync
# 3. Boot from USB, pick "Install veilor-os" from the menu.
# 4. Set a strong LUKS passphrase — the only prompt during install.
# 5. Reboot, remove USB.
# 6. On first boot: TTY prompts for an admin password (≥14 chars, mixed case,
# digit, symbol). Once accepted, SDDM starts. Log in as `admin`.
```
Full install + first-boot walkthrough: [docs/INSTALL.md](docs/INSTALL.md).
---
## What veilor-os ships
| Layer | Hardening |
|-------|-----------|
| Boot | Secure Boot, `lockdown=integrity`, `slab_nomerge`, `randomize_kstack_offset=on`, `vsyscall=none`. LUKS2 (aes-xts-plain64, argon2id, mem=1GB). zram swap (no disk swap, no cold-boot leak). |
| Kernel | Locked sysctls: ptrace=2, kptr_restrict=2, dmesg_restrict=1, perf_event_paranoid=3, BPF JIT hardening, full ASLR, no SUID core dumps. |
| MAC | SELinux **enforcing**, targeted policy + custom `veilor-systemd` module. |
| Network | firewalld zone = `drop`, ssh only inbound. systemd-resolved with DNS-over-TLS (Cloudflare/Quad9 fallback), LLMNR off. NTS-authenticated chrony time. |
| SSH | password auth off, root login off, single `admin` user, X11 forwarding off, MaxAuthTries 3. |
| Auth | root **locked**, single `admin` user with sudo. pwquality minlen=14, 4 character classes. First-boot password forced via `chage -d 0`. |
| Audit | `auditd` rules covering passwd/shadow/sudoers/ssh/cron/sysctl/kernel modules and all privileged binaries. |
| IDS | `fail2ban` with sshd + pam-generic jails, journal backend, firewalld rich-rule action. |
| USB | `USBGuard` daemon, **default-block**, empty allowlist on first boot. |
| Services off | `abrt*`, `cups`, `geoclue`, `avahi-daemon`, `bluetooth`, `ModemManager`, `gssproxy`, `atd`, `pcscd`, `kdeconnectd`, `PackageKit`. |
| UX | KDE Plasma minimal, `BreezeBlackPure` colour scheme, Fira Code system font, `veilor-power save \| mid \| perf` with udev AC/battery auto-switch. |
Full reference: [docs/HARDENING.md](docs/HARDENING.md).
---
## 60-second tour — what's different from stock Fedora KDE
- **No Anaconda Initial Setup** wizard after first boot. Single LUKS
passphrase prompt is the entire install interaction. Admin user is
pre-created; password is set once on TTY1, then SDDM starts.
- **Root is locked.** `passwd -S root` reports `L`. There is no `su -`
to root, ever. Use `sudo`.
- **No PackageKit, no Flatpak by default.** Updates happen with
`sudo dnf upgrade` on your terms, not in the background.
- **Default firewall zone is `drop`**, not `FedoraWorkstation`. The only
thing your machine answers is sshd on its assigned port.
- **USBGuard blocks every USB device by default.** First-boot procedure:
plug in everything you trust, run `usbguard generate-policy`,
done.
- **Black-on-black KDE.** Wallpaper, panel, Konsole all match. No "white
flash" anywhere in the session.
- **`veilor-power save | mid | perf`** swaps the full tuned profile,
CPU governor, EPP, battery threshold, and screen-dim policy in one
command. Wired to AC/battery udev events too — laptop drops to `save`
when unplugged automatically.
---
## How veilor-os compares
| Feature | veilor-os | Stock Fedora KDE | Kicksecure |
|---|:-:|:-:|:-:|
| SELinux enforcing OOTB | yes | yes | yes |
| AppArmor | planned (v0.5) | no | yes |
| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable |
| LUKS2 with argon2id | default | optional | default |
| Single-prompt install (LUKS only) | yes | no | no |
| Root account locked by default | yes | no | yes |
| firewalld default zone = drop | yes | no | n/a (uses nftables) |
| USBGuard default-block | yes | no | yes |
| fail2ban + auditd OOTB | yes | no | partial |
| DNS-over-TLS by default | yes | no | yes |
| NTS-authenticated NTP | yes | no | yes |
| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes |
| Telemetry / phone-home | none | minimal | none |
| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) |
| Power-profile CLI | yes (3-mode) | partial | no |
| Reproducible kickstart-built ISO | yes | yes | yes (from Debian) |
| Base distro | Fedora 43 | Fedora 43 | Debian |
veilor-os is **not** trying to compete with Whonix-style anonymity or
Qubes-style isolation. It is a **hardened daily-driver desktop** — fast,
clean, locked down, with no manual post-install hardening required.
---
## Repo layout ## Repo layout
``` ```
kickstart/ veilor-os.ks full kickstart definition kickstart/ veilor-os.ks full kickstart definition
build/ Containerfile + build-iso.sh reproducible ISO builder build/ Containerfile + build-iso.sh reproducible ISO builder
overlay/ files dropped into installed root via %post overlay/ files dropped into installed root via %post
scripts/ hardening, SELinux policy, theme apply, firstboot scripts/ hardening, SELinux policy, theme apply, firstboot
assets/ fonts, KDE color scheme, branding, plymouth theme assets/ fonts, KDE colour scheme, branding, plymouth (planned)
docs/ HARDENING / POWER / BUILD / INSTALL docs/ BUILD / INSTALL / HARDENING / POWER / ROADMAP
test/ boot-checklist + findings log test/ boot-checklist + KVM runner
.github/ CI workflows + PR template + CODEOWNERS
``` ```
See `docs/BUILD.md` for build instructions, `docs/INSTALL.md` for install, Build instructions: [docs/BUILD.md](docs/BUILD.md).
`docs/HARDENING.md` for what's locked down and why. Roadmap: [docs/ROADMAP.md](docs/ROADMAP.md).
Contributing: [CONTRIBUTING.md](CONTRIBUTING.md).
Changelog: [CHANGELOG.md](CHANGELOG.md).
## Status ---
Pre-release. v0.x. Repo private until first green ISO boots clean on test
hardware.
## License ## License
MIT — see [LICENSE](LICENSE). Fira Code ships from Fedora's MIT — see [LICENSE](LICENSE). Fira Code ships from Fedora's
`fira-code-fonts` package under SIL OFL 1.1. `fira-code-fonts` package under SIL OFL 1.1. Fedora packages remain
under their respective licences. Kickstart, overlay, scripts, and
docs in this repo are MIT.
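Review bot: In the "Quick install" block, `sudo dd if=veilor-os-43-*.iso of=/dev/sdX ...` will not work as written: the shell matches the whole word `if=veilor-os-43-*.iso` against file names, finds none, and passes the literal `*` to `dd`. Use the exact file name, or expand the glob into a variable before calling `dd`. Step 1 in the same block is labelled "Download the ISO" but only runs `sha256sum -c` against a `.sha256` file with no signature over it; with signed ISOs listed as planned in the Status section, say that this step catches corruption and is not an authenticity check. Separately, the comparison row `init_on_alloc/free` (post-install) reads "yes (planned re-enable)" although CHANGELOG 0.2.5 removed both flags and schedules the re-add for v0.3; "planned (v0.3)" would match the wording of the AppArmor row.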

173
docs/ROADMAP.md Normal file

@ -0,0 +1,173 @@
# Roadmap
Versioned roadmap for veilor-os. Targets are intentionally short and
testable. No fluff. Items in earlier versions are blockers for later
ones unless explicitly noted.
For the historical record of what landed in each release, see
[`../CHANGELOG.md`](../CHANGELOG.md).
---
## v0.2 — green ISO + base hardening (DONE)
Reproducible CI build pipeline. UEFI+BIOS bootable live ISO from a single
kickstart. Single-prompt LUKS install. First-boot admin password flow.
Full overlay applied (sysctl, sshd, sudoers, tuned profiles, KDE black
theme, Fira Code, branded `/etc/os-release`). SELinux enforcing.
firewalld drop zone. fail2ban + auditd + USBGuard active. The build
chased five real bugs (DEST hardcoded, `set -eu` killing `cp`,
os-release symlink, missing admin user, `LABEL=` vs `CDLABEL=` in
livecd-tools) before greening.
Released `v0.2.5` on 2026-05-01. CI on every push to `main`.
---
## v0.3 — UX polish (in progress)
The visible polish layer that v0.2 deferred for build velocity.
- **Plymouth black theme** — boot splash matching the desktop. No Fedora
drum, no white flash. `assets/plymouth/veilor/`.
- **SDDM theme** — black login background, single-user prompt with
`admin` pre-filled, no userlist.
- **Konsole profile** — black background, Fira Code, transparent panel
off (no compositor cost on resume).
- **Wallpaper SVG** — flat black with subtle veilor wordmark, 1080p +
4K + ultrawide variants.
- **Re-enable memory hygiene on installed system.** v0.2.5 stripped
`init_on_alloc=1 init_on_free=1` from the *live* cmdline because they
5x'd KVM boot time. Re-add post-install via `veilor-firstboot` so the
installed system gets the protection without the ISO penalty.
- **USBGuard auto-snapshot on first boot.** Currently the operator
runs `usbguard generate-policy` manually. v0.3 wires this into
`veilor-firstboot` after the password step (with a clear
"plug in trusted devices first" prompt).
Target: this month. None of it is a kickstart change — pure overlay
work.
---
## v0.4 — distribution + signing
Get veilor-os to a state where the ISO is downloadable, verifiable, and
trusted by Secure Boot without user shenanigans.
- **GPG-signed releases.** Tag → CI builds → CI signs ISO + sha256 with
veilor.org release key → GitHub Release artifact carries `.iso.asc`.
- **Reproducible builds.** Pin Fedora compose ID, lock package versions
via `dnf snapshot` or equivalent, document how to verify two builds
match.
- **Own MOK (Machine Owner Key) + sbsign for Secure Boot.** Currently
veilor-os relies on Fedora's signed shim chain. v0.4 ships our own
MOK, signs the kernel + initramfs at build time, optionally enrols
the MOK on first boot for users who want a cleaner trust path.
- **ISO download mirror** — static download page on veilor.org with
current + previous release, sha256, gpg signature. **Not** an RPM
mirror — veilor-os does not ship its own packages, only the spin
configuration.
- **Release process documented** — tagging, CI, signing, mirror sync
in `docs/RELEASE.md`.
---
## v0.5 — hardening tier 2
Hardening that builds on v0.2's foundation. Each item is opt-in unless
specified — defaults stay sane for a daily driver.
- **AppArmor profiles in addition to SELinux.** Stack-not-replace.
Targeted at the browser, the mail client, and anything that touches
attacker-controlled data. SELinux remains the primary MAC.
- **systemd-homed** — encrypted-per-user `~`, suspend-aware, key
unlocked at PAM login. Optional, opt-in via post-install helper.
- **nftables ruleset** alongside firewalld defaults. Default firewalld
policy stays drop; nftables provides advanced filtering for users
who want it.
- **Audit log shipping** — opt-in `auditd` -> remote syslog over TLS,
for users running a central log aggregator.
- **Installer kickstart split** — separate `veilor-os-install.ks` for
installer ISO (real LUKS partitioning, not the live-rootfs
simplification used in v0.2). Lets users install veilor-os as the
primary OS without going through the live boot first.
- **Audit baseline** — re-run the security audit (template in
`security/audit-template.md`) and target a lower risk score than v0.2.
---
## v0.6 — ergonomics
Smooth the operator experience so day-to-day work doesn't fight the
hardening.
- **`veilor-update`** — wraps `dnf upgrade` with a pre-check (snapshot
available?), an auditd pause, and post-update sysctl/SELinux
validation. One command, no surprises.
- **`veilor-doctor`** — diagnostic helper. Walks the audit checklist
(`getenforce`, `mokutil --sb-state`, `firewall-cmd --get-default-zone`,
fail2ban status, USBGuard policy, sysctl drift) and reports what's
drifted from baseline.
- **Opt-in installer ISO** — flip from live-only to live + installer,
user picks at boot menu. Installer uses the v0.5 kickstart with full
LUKS + btrfs subvols + zram.
- **First-boot UX** — replace TTY password prompt with a small
Plymouth-rendered dialog. Less raw.
- **Bluetooth opt-in helper** — single command to enable + bring up
the daemon + add the user to the right group. Currently three
commands.
---
## v0.7 — public flex
Take veilor-os out of "private repo, contained audience" mode.
- **Public docs site** — Hugo or mdBook on `veilor.org`, generated from
`docs/`. Single source of truth for INSTALL, HARDENING, BUILD,
ROADMAP, RELEASE, CONTRIBUTING.
- **Repo public** — flip GitHub visibility, announce.
- **Comparison + benchmarks** — published numbers vs stock Fedora KDE
on cold boot, idle RAM, idle network egress, suspend/resume time.
- **Threat model published** — what veilor-os defends against, what it
does not. Honest scope.
- **Press kit** — wallpapers, logo, screenshots, feature one-liner.
---
## v1.0 — production
The line where veilor-os is recommended for a non-author user as a
daily driver.
- **Multi-arch.** x86_64 today; v1.0 ships aarch64 ISO too (laptops
on ARM are real now). Build matrix in CI.
- **LTS commitment** — major versions tied to Fedora's release cadence,
patch releases for security only, documented EOL per major.
- **Recovery ISO** — minimal rescue image with veilor tools (LUKS
unlock, btrfs scrub, sysctl reset, fail2ban unban) for "I cannot log
in to my system" days.
- **TPM2 integration** — sealed LUKS unlock against TPM2 PCRs (opt-in,
default stays password). Ships as helper script, not silent default.
- **Signed update channel** — beyond GPG-signed ISOs, a signed metadata
repo so `veilor-doctor` can detect available updates without trusting
Fedora's mirrorlists alone.
---
## Stretch goals — not on the v0.x → v1.0 critical path
These are spin variants that share veilor-os DNA but need their own
kickstart or build tool. They live on a separate track and do not
block v1.0.
- **`veilor-server`** — no KDE, no GUI, hardened headless Fedora for
homelab / VPS. Same overlay, different package set.
- **`veilor-kiosk`** — single-app Plasma session, locked-down user,
read-only root. For dedicated-purpose machines.
- **`veilor-atomic`** — rpm-ostree / bootc-image-builder rebase.
Immutable root, transactional updates, atomic rollback. Different
build tool entirely (likely `bootc-image-builder`); all veilor
hardening would translate to a `Containerfile`. Schedule for after
v0.5+ once the standard spin is stable.
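Review bot: The "v0.2 ... (DONE)" paragraph lists "Reproducible CI build pipeline" and "Single-prompt LUKS install" as delivered, while the v0.4 section still carries "Reproducible builds" (pin compose ID, lock package versions) as open work and the v0.5 "Installer kickstart split" item says v0.2 used a live-rootfs simplification rather than real LUKS partitioning. Reword the v0.2 summary to what actually shipped so readers do not assume disk encryption and build reproducibility that later sections describe as not there yet. In v0.6, `veilor-update` is described as including "an auditd pause"; that leaves the package transaction itself unaudited, so state why the pause is needed or drop it. In v0.4, "signs the kernel + initramfs at build time" with sbsign needs a stated mechanism, since sbsign signs EFI PE binaries; name how the initramfs is covered and where the MOK private key is held in CI.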