veilor-os/docs/INSTALL.md

Installing veilor-os

What you need

  • USB drive (8GB+) flashed with the veilor-os ISO
  • Target machine with UEFI (BIOS legacy works but Secure Boot is the whole point — use UEFI)
  • ~30GB free disk

Install flow

The installer is fully scripted. The only thing it asks you for is the LUKS passphrase.

  1. Boot from USB.
  2. Pick "Install veilor-os" from the boot menu.
  3. Anaconda runs the kickstart automatically.
  4. When prompted, set a strong LUKS passphrase. This is the only prompt. Choose well — losing it = losing the disk.
  5. Wait. Install + %post hardening takes ~10-15 min depending on network speed.
  6. Reboot. Pull out the USB.

First boot

  1. LUKS prompt — enter your passphrase to unlock the disk.

  2. TTY1 banner appears:

    ┌──────────────────────────────────────────────────────────┐
    │                       veilor-os                          │
    │              first boot — admin password                 │
    └──────────────────────────────────────────────────────────┘
    
  3. Type a password for the local admin account. Must meet:

    • ≥ 14 characters
    • 1 digit, 1 upper, 1 lower, 1 special
  4. Once accepted, SDDM starts.

  5. Log in as admin with the password you just set.

  6. Shell prompt: admin@veilor-os.

Post-install hygiene

Set USBGuard allowlist

USBGuard ships with an empty allowlist — every USB device you plug in will be blocked until you whitelist your trusted set.

Plug in everything you trust (keyboard, mouse, dock, yubikey, etc.), then run:

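# The redirect has to run as root too: with "sudo cmd > file" the file is opened by your own user.
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'
sudo systemctl restart usbguard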

To allow a new device after that:

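sudo usbguard list-devices         # find the <id> of the blocked device
sudo usbguard allow-device <id>    # add -p to also append the rule to the policy so it persists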

Verify hardening

getenforce              # Enforcing
mokutil --sb-state      # SecureBoot enabled
sysctl kernel.yama.ptrace_scope    # = 2
sysctl fs.suid_dumpable            # = 0
firewall-cmd --get-default-zone    # drop
fail2ban-client status sshd        # active, jail loaded
veilor-power status                # current profile + governor
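
The checks above can be scripted so that a drifted setting shows up as a FAIL line and a non-zero exit status. This is an added example, not part of veilor-os: the function names and the `--live` flag are assumptions, and it covers only the five checks with a single expected value, leaving fail2ban and veilor-power to be read by eye.

```shell
#!/bin/sh
# Added example (not shipped with veilor-os): compare hardening settings
# against the values listed in "Verify hardening".

# check_eq LABEL WANT GOT: print PASS/FAIL, return 0 on exact match, 1 otherwise.
# An empty GOT (tool missing or query failed) counts as a failure.
check_eq() {
    label=$1 want=$2 got=$3
    if [ "$got" = "$want" ]; then
        printf 'PASS  %-24s %s\n' "$label" "$got"
        return 0
    fi
    printf 'FAIL  %-24s got "%s", want "%s"\n' "$label" "$got" "$want"
    return 1
}

# sb_state TEXT: reduce `mokutil --sb-state` output to enabled/disabled/unknown.
sb_state() {
    case $1 in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# run_checks: query the live system; the return status is the number of failures.
run_checks() {
    fails=0
    check_eq "SELinux mode"      Enforcing "$(getenforce 2>/dev/null)"                       || fails=$((fails + 1))
    check_eq "Secure Boot"       enabled   "$(sb_state "$(mokutil --sb-state 2>/dev/null)")" || fails=$((fails + 1))
    check_eq "yama.ptrace_scope" 2         "$(sysctl -n kernel.yama.ptrace_scope 2>/dev/null)" || fails=$((fails + 1))
    check_eq "fs.suid_dumpable"  0         "$(sysctl -n fs.suid_dumpable 2>/dev/null)"       || fails=$((fails + 1))
    check_eq "firewalld zone"    drop      "$(firewall-cmd --get-default-zone 2>/dev/null)"  || fails=$((fails + 1))
    return "$fails"
}

# Only touch the system when asked to, e.g. `sh verify.sh --live`.
if [ "${1:-}" = "--live" ]; then
    run_checks
    exit $?
fi
```
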

Check /etc/os-release

cat /etc/os-release
# NAME="veilor-os"
# PRETTY_NAME="veilor-os 0.1 (Fedora 43 base)"
# ID=veilor
# ID_LIKE=fedora

Add additional users

The kickstart only creates admin. Add more users from there:

sudo useradd -m -s /bin/bash <name>
sudo passwd <name>

Don't add anyone to wheel unless they need root.

Known caveats

  • Bluetooth disabled by default; run sudo systemctl enable --now bluetooth if you need it.
  • Printing disabled — CUPS removed; sudo dnf install cups cups-browsed if you need a printer.
  • No PackageKit — updates manual via sudo dnf upgrade. Run weekly.
  • Battery cap at 80% — udev rule. Edit /etc/udev/rules.d/91-veilor-battery-threshold.rules to change.