veilor-os

History

s8n 085fc57d3a v0.5.1: gum installer + full veilor-os kickstart generation (#9 ) * v0.5.1: gum installer + full veilor-os ks generation Two changes, one commit (matches v0.5.1 milestone): 1. Swap whiptail → gum (charm.sh) - Source /usr/share/veilor-os/assets/installer/colors.gum at top so all prompts pick up branded GUM_* env vars. - Render banner.txt via `gum style --border rounded`. - Wrap every prompt behind prompt_choose / prompt_input / prompt_password / prompt_confirm / prompt_message / prompt_error helpers that dispatch gum→whiptail based on `command -v gum`. Defensive: minimal images without /usr/local/bin/gum still get a working TUI. - Main menu items now use literal labels (case-matched), not 1..5 tags. 2. Generated kickstart now installs full veilor-os Previously emitted a vanilla F43 KDE + ~12 hardening packages with no overlay/scripts/branding. Now mirrors live ks (kickstart/veilor-os.ks 63-141) for %packages, plus: - %post --nochroot copies overlay/, scripts/, assets/ from /run/install/repo/veilor (single source — boot ISO mount path). - %post (chroot) runs scripts/10-harden-base.sh, 20-harden-kernel.sh, selinux/build-policy.sh, kde-theme-apply.sh. - `chage -d 0 admin` so first login forces password change. (Account itself is created by anaconda from the `user` directive — admin pw collected via gum is passed through --plaintext.) - `systemctl set-default graphical.target` (real install boots SDDM, not the TTY1 installer like live). - Drops live-only entries (livesys-scripts, anaconda-live, dracut-live, isomd5sum, xorriso, livesys.service enables). Tested: bash -n clean; ksvalidator on a substituted-placeholder copy exits 0. gum binary itself (/usr/local/bin/gum) is vendored by a separate build-side change — not in this PR. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix: escape sed special chars + reject & \| / in passwords Reviewer found a password like aA1!@#%^&()_-+={}[] becomes aA1!@#%^__ADMIN_PW__()_-+={}[] because sed expands & to matched pattern. Two layers of defense: 1. validate_pw rejects & \| / newline at input 2. sed_escape() helper escapes any remaining special chars before substitution --------- Co-authored-by: veilor-org <admin@veilor.org> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-02 04:39:27 +01:00
..
bin	veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme	2026-04-30 03:43:33 +01:00
sbin	v0.5.1: gum installer + full veilor-os kickstart generation (#9 )	2026-05-02 04:39:27 +01:00

v0.5.1: gum installer + full veilor-os kickstart generation (#9 )

* v0.5.1: gum installer + full veilor-os ks generation

Two changes, one commit (matches v0.5.1 milestone):

1. Swap whiptail → gum (charm.sh)
   - Source /usr/share/veilor-os/assets/installer/colors.gum at top so all
     prompts pick up branded GUM_* env vars.
   - Render banner.txt via `gum style --border rounded`.
   - Wrap every prompt behind prompt_choose / prompt_input / prompt_password
     / prompt_confirm / prompt_message / prompt_error helpers that dispatch
     gum→whiptail based on `command -v gum`. Defensive: minimal images
     without /usr/local/bin/gum still get a working TUI.
   - Main menu items now use literal labels (case-matched), not 1..5 tags.

2. Generated kickstart now installs full veilor-os
   Previously emitted a vanilla F43 KDE + ~12 hardening packages with no
   overlay/scripts/branding. Now mirrors live ks (kickstart/veilor-os.ks
   63-141) for %packages, plus:
   - %post --nochroot copies overlay/, scripts/, assets/ from
     /run/install/repo/veilor (single source — boot ISO mount path).
   - %post (chroot) runs scripts/10-harden-base.sh, 20-harden-kernel.sh,
     selinux/build-policy.sh, kde-theme-apply.sh.
   - `chage -d 0 admin` so first login forces password change. (Account
     itself is created by anaconda from the `user` directive — admin pw
     collected via gum is passed through --plaintext.)
   - `systemctl set-default graphical.target` (real install boots SDDM,
     not the TTY1 installer like live).
   - Drops live-only entries (livesys-scripts, anaconda-live, dracut-live,
     isomd5sum, xorriso, livesys.service enables).

Tested: bash -n clean; ksvalidator on a substituted-placeholder copy
exits 0.

gum binary itself (/usr/local/bin/gum) is vendored by a separate
build-side change — not in this PR.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix: escape sed special chars + reject & | / in passwords

Reviewer found a password like aA1!@#%^&*()_-+={}[] becomes
aA1!@#%^__ADMIN_PW__*()_-+={}[] because sed expands & to matched
pattern. Two layers of defense:
1. validate_pw rejects & | / newline at input
2. sed_escape() helper escapes any remaining special chars before
   substitution

---------

Co-authored-by: veilor-org <admin@veilor.org>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-02 04:39:27 +01:00

bin

veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme

2026-04-30 03:43:33 +01:00

sbin

v0.5.1: gum installer + full veilor-os kickstart generation (#9 )

2026-05-02 04:39:27 +01:00