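#version=DEVEL
# veilor-os kickstart — Fedora 43 KDE base, hardened, minimal.
# Build with livemedia-creator inside build/Containerfile.
#
# Kickstart syntax drifts between releases: run `ksvalidator -v F43 <file>`
# before each build. Lines marked NOTE(review) are the ones most likely to be
# rejected by pykickstart or to behave differently than the comment intends.

# ── Install source ──
url --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch"
repo --name=updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch"

# ── Locale / keyboard / time (template — adjust per build) ──
keyboard --xlayouts='us'
lang en_GB.UTF-8
timezone Europe/London --utc

# ── Install mode ──
text
# A text-mode install does not by itself guarantee graphical.target as the
# default; sddm only starts under that target, so request it explicitly.
xconfig --startxonboot
firstboot --disable
eula --agreed
selinux --enforcing
services --enabled=sshd,fail2ban,usbguard,tuned,auditd,firewalld,chronyd,sddm,veilor-firstboot,veilor-modules-lock

# ── Network / hostname ──
network --bootproto=dhcp --device=link --activate --hostname=veilor-os
firewall --enabled --service=ssh

# ── Identity (zero-prompt; only LUKS passphrase asked at install) ──
rootpw --lock
# NOTE(security): admin is created in wheel with an EMPTY password and is only
# forced to choose one at first login (chage -d 0 in %post below). sshd refuses
# empty passwords by default (PermitEmptyPasswords no), but local console/SDDM
# login may accept one when the PAM stack carries pam_unix "nullok" — confirm
# against the installed authselect profile. Until the first interactive login,
# anyone past the LUKS prompt can log in as admin. If veilor-firstboot sets the
# password itself, prefer `user --lock` here and unlock it there instead.
user --name=admin --groups=wheel --gecos="veilor admin" --password="" --plaintext
# NOTE(review): `auth`/`authconfig` has been deprecated since F28 in favour of
# authselect and may be rejected by recent pykickstart. sha512 hashing and
# shadow passwords are already the defaults, so drop this line if ksvalidator
# objects — nothing is lost.
auth --useshadow --passalgo=sha512

# ── Bootloader: kernel hardening flags ──
# lockdown=integrity is enforced regardless of firmware, but on the legacy
# MBR/BIOS path nothing verifies GRUB or the kernel before they run, so it only
# protects against post-boot kernel tampering (unsigned modules, /dev/mem,
# kexec). init_on_free=1 has a measurable memory-bandwidth cost; keep it if
# that is acceptable for the target hardware.
bootloader --location=mbr --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none"

# ── Disk: BIOS+UEFI, LUKS2, btrfs subvols, zram swap (no disk swap) ──
zerombr
clearpart --all --initlabel
# reqpart adds the firmware-required partitions (biosboot or ESP) for whichever
# mode the machine boots in.
# NOTE(review): --add-boot and the explicit `part /boot` below both request a
# /boot mount point; confirm in the build log that anaconda accepts the pair,
# otherwise drop --add-boot and keep the explicit partition.
reqpart --add-boot
part /boot --fstype=ext4 --size=1024 --asprimary
# argon2id with a fixed 1 GiB memory cost (--pbkdf-memory is in KiB) and a
# fixed iteration count instead of time-benchmarking, so unlock cost is the
# same on every machine. The installer environment needs well over 1 GiB of
# free RAM for cryptsetup to format the volume.
part pv.veilor --size=1 --grow --encrypted --luks-version=luks2 \
  --pbkdf=argon2id --pbkdf-memory=1048576 --pbkdf-iterations=9 \
  --cipher=aes-xts-plain64 --hash=sha512
volgroup veilor pv.veilor
# NOTE(review): mkfs.btrfs --mixed (shared data/metadata block groups) is
# meant for very small filesystems and cannot be changed without reformatting;
# reconsider it for a whole-disk root volume.
logvol / --vgname=veilor --name=root --fstype=btrfs --size=1 --grow \
  --mkfsoptions="--mixed"

# ── Packages ──
%packages --excludedocs
@^kde-desktop-environment
@kde-apps
@core
@hardware-support
@standard

# core hardening tools
fail2ban
fail2ban-firewalld
usbguard
usbguard-tools
audit
policycoreutils-python-utils
tuned
chrony
firewalld
plymouth

# swap: zram only. Installed here rather than via dnf in %post, which needs
# network from inside the chroot and could fail silently.
zram-generator

# admin essentials
git
vim-enhanced
tmux
htop
podman
skopeo
NetworkManager
NetworkManager-wifi

# fonts
fontconfig
freetype
fira-code-fonts

# remove fluff
-cups
-cups-browsed
-abrt*
-snapd
-geoclue2
-avahi
-avahi-libs
-kde-connect
-open-vm-tools-desktop
-PackageKit
-PackageKit-command-not-found
-mlocate
-ModemManager
-pcsc-lite
-rsync-daemon
%end

# ── Post-install (nochroot): copy overlay tree into installed root ──
%post --nochroot --interpreter=/bin/bash --erroronfail
# Runs in the installer environment; the new root is mounted at /mnt/sysimage.
# Copies the overlay tree (units, configs, helper scripts) that the chroot
# %post below depends on. --erroronfail turns a missing asset into a failed
# build instead of a half-branded image that only fails later.
set -euo pipefail

SRC=/run/install/repo/veilor
DEST=/mnt/sysimage

if [[ -d "$SRC/overlay" ]]; then
  cp -a "$SRC/overlay/." "$DEST/"
fi

mkdir -p "$DEST/usr/share/veilor-os"
cp -a "$SRC/assets" "$DEST/usr/share/veilor-os/"
cp -a "$SRC/scripts" "$DEST/usr/share/veilor-os/"
%end

# ── Post-install (chroot): apply hardening, theme, branding ──
%post --interpreter=/bin/bash --erroronfail
# Runs chrooted into the installed system. With --erroronfail and `set -e`,
# a failing hardening step aborts the install instead of producing an image
# that merely looks hardened. Steps that are genuinely best-effort are marked
# with `|| true` or an explicit [WARN].
set -euo pipefail
exec > >(tee -a /var/log/veilor-install.log) 2>&1

echo "════════════════════════════════════════════════════════"
echo " veilor-os install — %post"
echo "════════════════════════════════════════════════════════"

REPO=/usr/share/veilor-os
# All of these come from the overlay copied in the nochroot %post; a missing
# file here fails the build, which is intended.
chmod +x "$REPO"/scripts/*.sh "$REPO"/scripts/selinux/*.sh /usr/local/bin/veilor-power /usr/local/sbin/veilor-firstboot

# Apply hardening — each step must succeed or the build fails.
for step in 10-harden-base.sh 20-harden-kernel.sh; do
  if ! bash "$REPO/scripts/$step"; then
    echo "[ERR] $step failed — aborting install"
    exit 1
  fi
done

# Build SELinux module (best-effort: first boot retries the load)
bash "$REPO/scripts/selinux/build-policy.sh" || echo "[WARN] SELinux build failed; load on first boot"

# Apply KDE theme + DuckSans + os-release branding
bash "$REPO/scripts/kde-theme-apply.sh"

# Force admin password set on first boot (chage expires immediately).
# This only forces a change at the first interactive login; it does not block
# login with the empty password before then (see the `user` command above).
chage -d 0 admin

# zram swap (no disk swap; keys never leak to platter).
# zram-generator itself is installed from %packages; /etc overrides the
# distro default config shipped under /usr/lib.
cat > /etc/systemd/zram-generator.conf << 'EOF'
[zram0]
zram-size = min(ram, 8192)
compression-algorithm = zstd
EOF

# Enable services (also declared via `services --enabled` above; repeating it
# here keeps the %post log self-contained and fails loudly if a unit is missing).
systemctl enable veilor-firstboot.service
systemctl enable veilor-modules-lock.service
systemctl enable sshd fail2ban usbguard tuned auditd firewalld chronyd

# Default tuned profile = balanced (AC/battery udev rule will override).
# Best-effort: tuned is not running inside the chroot.
tuned-adm profile veilor-balanced 2>/dev/null || true

# Lock root explicitly (kickstart --lock should already do this)
passwd -l root

# Sanity: zero references to onyx / personal IPs in installed system.
# A hit fails the build — a leaked hostname or LAN address in a published
# image is a privacy defect, not a warning.
if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local' /etc/veilor* /etc/tuned/profiles/veilor-* 2>/dev/null; then
  echo "[ERR] brand leak detected in /etc — investigate"
  exit 1
fi

echo "════════════════════════════════════════════════════════"
echo " veilor-os install complete"
echo "════════════════════════════════════════════════════════"
%end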