# Installing veilor-os

## What you need

- USB drive (8GB+) flashed with the veilor-os ISO
- Target machine with UEFI (BIOS legacy works but Secure Boot is the whole point — use UEFI)
- ~30GB free disk

## Install flow

The installer is **fully scripted**. The only thing it asks you for is the **LUKS passphrase**.

1. Boot from USB.
2. Pick "Install veilor-os" from the boot menu.
3. Anaconda runs the kickstart automatically.
4. When prompted, **set a strong LUKS passphrase**. This is the only prompt. Choose well — losing it = losing the disk.
5. Wait. Install + `%post` hardening takes ~10–15 min depending on network speed.
6. Reboot. Pull out the USB.

## First boot

1. **LUKS prompt** — enter your passphrase to unlock the disk.
2. **TTY1 banner appears:**

   ```
   ┌──────────────────────────────────────────────────────────┐
   │                        veilor-os                         │
   │               first boot — admin password                │
   └──────────────────────────────────────────────────────────┘
   ```

3. Type a password for the local admin account. Must meet:
   - ≥ 14 characters
   - 1 digit, 1 upper, 1 lower, 1 special
4. Once accepted, SDDM starts.
5. Log in as `admin` with the password you just set.
6. Shell prompt: `admin@veilor-os`.

## Post-install hygiene

### Set USBGuard allowlist

USBGuard ships with an empty allowlist — every USB device you plug in will be blocked until you whitelist your trusted set.

Plug in everything you trust (keyboard, mouse, dock, YubiKey, etc.), then run:

```bash
# The redirect has to run as root too, so wrap the whole command in a root shell.
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'
sudo systemctl restart usbguard
```

To allow a new device after that:

```bash
sudo usbguard list-devices          # note the ID of the blocked device
sudo usbguard allow-device <id>
```

### Verify hardening

```bash
getenforce                          # Enforcing
mokutil --sb-state                  # SecureBoot enabled
sysctl kernel.yama.ptrace_scope     # = 2
sysctl fs.suid_dumpable             # = 0
firewall-cmd --get-default-zone     # drop
fail2ban-client status sshd         # active, jail loaded
veilor-power status                 # current profile + governor
```

### Check `/etc/os-release`

```bash
cat /etc/os-release
# NAME="veilor-os"
# PRETTY_NAME="veilor-os 0.1 (Fedora 43 base)"
# ID=veilor
# ID_LIKE=fedora
```

### Add additional users

The kickstart only creates `admin`. Add more users from there:

```bash
sudo useradd -m -s /bin/bash <username>
sudo passwd <username>
```

Don't add anyone to `wheel` unless they need root.

## Known caveats

- **Bluetooth disabled by default** — `sudo systemctl enable --now bluetooth` if you need it.
- **Printing disabled** — CUPS removed; `sudo dnf install cups cups-browsed` if you need a printer.
- **No PackageKit** — updates are manual via `sudo dnf upgrade`. Run weekly.
- **Battery cap at 80%** — udev rule. Edit `/etc/udev/rules.d/91-veilor-battery-threshold.rules` to change.
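
The checks listed under "Verify hardening" can be scripted as a pass/fail audit that exits non-zero on drift. This is an added example, not part of veilor-os: the `probe` and `audit` names and the `--run` switch are made up here, and the expected values are the ones given in that section.

```shell
#!/bin/sh
# Added example (not shipped with veilor-os): audit the "Verify hardening" values.
# fail2ban and veilor-power are left out because the page gives no exact output
# string to compare against.

# probe NAME -> print the live value of one setting (empty if the tool is missing).
probe() {
    case "$1" in
        selinux)       getenforce 2>/dev/null ;;
        secureboot)    mokutil --sb-state 2>/dev/null | head -n 1 ;;
        ptrace_scope)  sysctl -n kernel.yama.ptrace_scope 2>/dev/null ;;
        suid_dumpable) sysctl -n fs.suid_dumpable 2>/dev/null ;;
        fw_zone)       firewall-cmd --get-default-zone 2>/dev/null ;;
    esac
}

# Expected values, copied from the "Verify hardening" list.
EXPECTED='selinux=Enforcing
secureboot=SecureBoot enabled
ptrace_scope=2
suid_dumpable=0
fw_zone=drop'

# audit -> print one line per check; the return status is the number of failures.
audit() {
    failures=0
    while IFS='=' read -r name want; do
        got=$(probe "$name") || true
        if [ "$got" = "$want" ]; then
            printf 'PASS  %-14s %s\n' "$name" "$got"
        else
            printf 'FAIL  %-14s want "%s", got "%s"\n' \
                "$name" "$want" "${got:-<no output>}"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$failures"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit
    exit $?
fi
```

Save it under any name and run it with `--run`; a missing tool shows up as a FAIL with `<no output>` rather than being skipped.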