veilor-os/docs/INSTALL.md

# Installing veilor-os
## What you need
- USB drive (8GB+) flashed with the veilor-os ISO
- Target machine with UEFI (legacy BIOS works, but Secure Boot is the whole point — use UEFI)
- ~30GB free disk
## Install flow
The installer is **fully scripted**. The only thing it asks you for
is the **LUKS passphrase**.
1. Boot from USB.
2. Pick "Install veilor-os" from the boot menu.
3. Anaconda runs the kickstart automatically.
4. When prompted, **set a strong LUKS passphrase**. This is the only
prompt. Choose well — losing it = losing the disk.
5. Wait. Install + `%post` hardening takes ~10–15 min depending on network speed.
6. Reboot. Pull out the USB.
## First boot
1. **LUKS prompt** — enter your passphrase to unlock the disk.
2. **TTY1 banner appears:**
```
┌────────────────────────────────────────┐
│ veilor-os                              │
│ first boot — admin password            │
└────────────────────────────────────────┘
```
3. Type a password for the local admin account. It must meet:
   - ≥ 14 characters
   - at least 1 digit, 1 uppercase, 1 lowercase, 1 special character
4. Once accepted, SDDM starts.
5. Log in as `admin` with the password you just set.
6. Shell prompt: `admin@veilor-os`.
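As an added example (not part of the veilor-os installer or its kickstart), a POSIX `sh` function that applies the same rules so a candidate admin password can be checked before you type it at the TTY prompt. "Special" is taken here to mean any character that is not a letter or digit; that is an assumption about the installer's definition.

```shell
# Added example, not veilor-os code: check a password against the first-boot
# admin policy (>= 14 chars, 1 digit, 1 upper, 1 lower, 1 special).
# Returns 0 when the policy is met, 1 otherwise.
password_meets_policy() {
    pw=$1
    # Length rule: 14 characters or more.
    [ "${#pw}" -ge 14 ] || return 1
    # At least one digit, one uppercase and one lowercase letter.
    case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
    # "Special" is assumed to mean any non-alphanumeric character.
    case $pw in *[![:alnum:]]*) ;; *) return 1 ;; esac
    return 0
}

# Usage: reads one line from stdin and reports the verdict without echoing it.
check_password_from_stdin() {
    IFS= read -r candidate
    if password_meets_policy "$candidate"; then
        printf 'ok: meets first-boot policy\n'
    else
        printf 'rejected: needs >= 14 chars with a digit, upper, lower and special\n'
    fi
}
```

Run it as `sh -c '. ./pwcheck.sh; check_password_from_stdin'` and type the candidate; the password is read once and never written to the terminal.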
## Post-install hygiene
### Set USBGuard allowlist
USBGuard ships with an empty allowlist — every USB device you plug in
is blocked until you add your trusted set to the policy.
Plug in everything you trust (keyboard, mouse, dock, yubikey, etc.),
then run:
```bash
# A plain "> /etc/usbguard/rules.conf" redirect runs as your user, not root,
# and fails with "Permission denied"; pipe the policy through sudo tee instead.
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
sudo systemctl restart usbguard
```
To allow a new device after that:
```bash
sudo usbguard list-devices
sudo usbguard allow-device <id>     # allows the device for this session only
sudo usbguard allow-device -p <id>  # -p also appends the rule to the policy, so it survives restarts
```
### Verify hardening
```bash
getenforce # Enforcing
mokutil --sb-state # SecureBoot enabled
sysctl kernel.yama.ptrace_scope # = 2
sysctl fs.suid_dumpable # = 0
firewall-cmd --get-default-zone # drop
fail2ban-client status sshd # active, jail loaded
veilor-power status # current profile + governor
```
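The checks above are quick to run by hand, but a script that compares each command's output against the documented value gives a single pass/fail result you can re-run after every `dnf upgrade`. This is an added example, not a veilor-os tool: the expected values are the ones listed above, the `sysctl` and `fail2ban-client` output formats are assumed from the stock utilities, and the file name `verify-hardening.sh` is arbitrary.

```shell
#!/bin/sh
# Added example, not part of veilor-os: wraps the manual hardening checks in
# a pass/fail script. Expected values come from the install notes; the
# sysctl and fail2ban output formats are assumed from the stock tools.

# Strip "name = " from a sysctl line: "fs.suid_dumpable = 0" -> "0"
sysctl_value() {
    printf '%s\n' "$1" | sed 's/^[^=]*=[[:space:]]*//'
}

# fail2ban-client prints "Status for the jail: sshd" when the jail exists.
# Returns 0 if that header line is present in the output passed as $1.
jail_loaded() {
    printf '%s\n' "$1" | grep -q '^Status for the jail: sshd'
}

# expect LABEL ACTUAL WANT: print PASS/FAIL, return 0 on match, 1 otherwise.
expect() {
    if [ "$2" = "$3" ]; then
        printf 'PASS %-14s %s\n' "$1" "$2"
        return 0
    fi
    printf 'FAIL %-14s got "%s", want "%s"\n' "$1" "$2" "$3"
    return 1
}

# Run every check; returns the number of failed checks (0 = hardened as documented).
verify_hardening() {
    fails=0
    expect selinux "$(getenforce 2>/dev/null)" Enforcing || fails=$((fails + 1))
    expect secure_boot "$(mokutil --sb-state 2>/dev/null)" "SecureBoot enabled" || fails=$((fails + 1))
    expect ptrace_scope "$(sysctl_value "$(sysctl kernel.yama.ptrace_scope 2>/dev/null)")" 2 || fails=$((fails + 1))
    expect suid_dumpable "$(sysctl_value "$(sysctl fs.suid_dumpable 2>/dev/null)")" 0 || fails=$((fails + 1))
    expect firewall_zone "$(firewall-cmd --get-default-zone 2>/dev/null)" drop || fails=$((fails + 1))
    expect fail2ban "$(systemctl is-active fail2ban 2>/dev/null)" active || fails=$((fails + 1))
    if jail_loaded "$(fail2ban-client status sshd 2>/dev/null)"; then
        printf 'PASS %-14s loaded\n' sshd_jail
    else
        printf 'FAIL %-14s jail not loaded\n' sshd_jail
        fails=$((fails + 1))
    fi
    # Informational only: the profile/governor output has no single expected value.
    veilor-power status 2>/dev/null || printf 'INFO veilor-power not available\n'
    return "$fails"
}

# Run the checks when executed directly as verify-hardening.sh; when the
# file is sourced for its functions, nothing runs.
case "$0" in
    *verify-hardening.sh) verify_hardening ;;
esac
```

Save it as `verify-hardening.sh` and run `sudo sh verify-hardening.sh`; the exit status is the number of failed checks, so `0` means every documented control is in place. `mokutil` and `firewall-cmd` need root for reliable output, which is why the whole script runs under `sudo`.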
### Check `/etc/os-release`
```bash
cat /etc/os-release
# NAME="veilor-os"
# PRETTY_NAME="veilor-os 0.1 (Fedora 43 base)"
# ID=veilor
# ID_LIKE=fedora
```
### Add additional users
The kickstart only creates `admin`. Add more users from there:
```bash
sudo useradd -m -s /bin/bash <name>
sudo passwd <name>
```
Don't add anyone to `wheel` unless they need root.
## Known caveats
- **Bluetooth disabled by default** — `sudo systemctl enable --now bluetooth`
if you need it.
- **Printing disabled** — CUPS removed; `sudo dnf install cups cups-browsed`
if you need a printer.
- **No PackageKit** — updates are manual: run `sudo dnf upgrade` weekly.
- **Battery charge capped at 80%** by a udev rule. Edit
`/etc/udev/rules.d/91-veilor-battery-threshold.rules` to change the threshold.