From b3509b4b065fa11faf8095330c6e1e60d552700f Mon Sep 17 00:00:00 2001
From: veilor-org
Date: Mon, 4 May 2026 04:08:40 +0100
Subject: [PATCH] v0.5.25: don't run veilor-firstboot on live ISO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Live ISO boot chain showing extra step: boot → text scroll → veilor-firstboot prompts admin pw → installer veilor-firstboot.service was enabled in live ks but it's an INSTALLED system feature (forces admin pw set on first real boot). Made no sense to ask on live (no persistent admin user, throwaway VM, etc). Live ks now: doesn't enable veilor-firstboot, masks the unit so overlay-copied unit file can't auto-activate. Install ks chroot %post already enables it (correct path). After fix: boot → text scroll → installer banner directly
---
 kickstart/veilor-os.ks | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kickstart/veilor-os.ks b/kickstart/veilor-os.ks
index ad4ee91..5075748 100644
--- a/kickstart/veilor-os.ks
+++ b/kickstart/veilor-os.ks
@@ -268,9 +268,14 @@ compression-algorithm = zstd
 EOF
 # Enable services
-systemctl enable veilor-firstboot.service
+# veilor-firstboot.service NOT enabled on live ISO — it prompts admin pw
+# which makes no sense on a live boot. Real installs enable it in their
+# generated kickstart's chroot %post (see overlay/usr/local/bin/veilor-installer).
 systemctl enable veilor-modules-lock.service
 systemctl enable sshd fail2ban usbguard tuned auditd firewalld chronyd
+# Mask veilor-firstboot on live so even if it landed in /etc/systemd/system
+# (overlay drag), it can't activate.
+systemctl mask veilor-firstboot.service 2>/dev/null || true
 # Default tuned profile = balanced (AC/battery udev rule will override)
 tuned-adm profile veilor-balanced 2>/dev/null || true
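Review bot: The added `systemctl mask veilor-firstboot.service 2>/dev/null || true` can fail silently in exactly the case its comment names. As far as I know, `systemctl mask` refuses to replace a regular unit file that already exists under /etc/systemd/system, and the stderr redirect plus `|| true` keeps that error out of the build log. If the overlay can place the unit there, consider `ln -sfn /dev/null /etc/systemd/system/veilor-firstboot.service`, or at least keep the failure visible with `systemctl mask veilor-firstboot.service || echo "WARN: veilor-firstboot.service not masked" >&2`. Separately, the unchanged `systemctl enable sshd ...` line still applies to the live image; now that no password is forced there, it is worth confirming that no live account accepts SSH logins with a default or empty password. The %post section this hunk belongs to starts and ends outside the hunk.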