hardened Fedora KDE; primary on Forgejo

Find a file

veilor-org 3c247bc601 v0.7 spike: BlueBuild recipe + ostreecontainer kickstart + cosign workflow Initial scaffold for the v0.7 hybrid path. Spike branch only — does NOT land in main until success criteria pass (see bluebuild/README.md). ## What this commits - bluebuild/recipe.yml — BlueBuild recipe extending ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest with: * veilor branding overlay (overlay/, assets/, scripts/ at /usr/share/veilor-os) * sudo restored (revert secureblue's run0-only) * Xwayland restored (some apps still need it) * mullvad-browser layered alongside Trivalent (default browser kept) * tailscale + yggdrasil packages (mesh stack layers 1 + 2) * tailscaled.service pre-disabled (awaits first-boot prompt) * yggdrasil.service enabled (idle warm-fallback per STRATEGY.md) * veilor-firstboot.service + veilor-modules-lock.service enabled * cosign signing module configured - bluebuild/config/just/60-veilor.just — ujust recipes: * install-reticulum (RetiNet AGPL fork — mesh layer 3) * install-reticulum-rnode (LoRa hardware) * install-thorium (opt-in browser with explicit CVE-lag warning) * veilor-mesh-join (token paste / QR for tailscale onboarding) - bluebuild/README.md — spike doc + smoke-test commands + 5-item success criteria checklist - kickstart/install-ostreecontainer.ks — install kickstart template for the v0.7 path. No %packages block; uses `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` to populate / from the OCI image directly during anaconda's install pass. No first-boot rebase, no transition window. Keeps existing LUKS+btrfs partitioning verbatim. - .github/workflows/build-bluebuild.yml — GH Actions workflow: * Triggered on push to v0.7-bluebuild-spike, weekly cron, dispatch * Uses blue-build/github-action@v1 (TODO: pin to commit SHA per CI hardening agent 8 follow-up) * Builds + cosign-signs (keyless via Sigstore) + pushes to GHCR * Smoke-tests the OCI image (sudo, mullvad-browser, yggdrasil, tailscale all present) * Generates SBOM (SPDX) via anchore/sbom-action * Publishes SLSA build provenance attestation ## What this does NOT change - main branch is untouched. v0.5.x kickstart path keeps shipping. - kickstart/veilor-os.ks (the live-ISO ks) is untouched — the v0.7 hybrid uses the existing live-ISO build path; only the install-time ks (install-ostreecontainer.ks) is new. - overlay/, scripts/, assets/ are untouched on this branch — the recipe pulls them in via `type: files` modules at build time. ## Spike success criteria (reproduced from bluebuild/README.md) - [ ] `bluebuild build recipe.yml` exits 0 - [ ] `bootc container lint` exits 0 on resulting image - [ ] `podman run` smoke-test passes - [ ] CI workflow builds + cosign-signs + pushes to GHCR - [ ] Installer ISO using `ostreecontainer` against this OCI reaches SDDM with admin login on first boot If all 5 land, merge v0.7-bluebuild-spike → main as v0.7.0. ## Reference - docs/STRATEGY.md (full plan) - docs/ROADMAP.md v0.7 (schedule) - docs/THREAT-MODEL.md (publish before v0.7 ship) - secureblue: https://github.com/secureblue/secureblue - BlueBuild: https://blue-build.org - ostreecontainer: https://docs.fedoraproject.org/en-US/bootc/anaconda-install/		2026-05-05 15:30:04 +01:00
.github	v0.7 spike: BlueBuild recipe + ostreecontainer kickstart + cosign workflow	2026-05-05 15:30:04 +01:00
assets	v0.5.27: rd.luks.uuid via grubby, GRUB rebrand, fbcon=nodefer, ASCII gum cursor	2026-05-05 01:43:00 +01:00
bluebuild	v0.7 spike: BlueBuild recipe + ostreecontainer kickstart + cosign workflow	2026-05-05 15:30:04 +01:00
build	ci: switch refs from `veilor` → `veilor-org` (GH org slug); domain veilor.org	2026-04-30 13:59:20 +01:00
docs	docs: refine strategy — ostreecontainer install + mesh stack + browser stack	2026-05-05 15:15:52 +01:00
kickstart	v0.7 spike: BlueBuild recipe + ostreecontainer kickstart + cosign workflow	2026-05-05 15:30:04 +01:00
overlay	v0.5.31: kernel-install via /etc/kernel/cmdline + set-e leak + rescue glob	2026-05-05 13:47:23 +01:00
scripts	v0.5.2: move veilor-installer + veilor-firstboot to /usr/local/bin	2026-05-02 05:33:22 +01:00
test	v0.5.30: broad error suppression + manual bootloader + virtio log capture	2026-05-05 11:59:35 +01:00
upstream	v0.3 theme: match onyx exactly — solid black wallpaper, Linux Konsole scheme, Breeze_Light cursor	2026-04-30 17:18:14 +01:00
.gitignore	chore: gitignore agent worktrees + un-track accidental embedded repos	2026-05-02 01:08:14 +01:00
CHANGELOG.md	docs: CHANGELOG v0.2.0-v0.2.5, README rewrite, ROADMAP, release notes update (#5 )	2026-05-02 03:42:39 +01:00
CONTRIBUTING.md	ci: switch refs from `veilor` → `veilor-org` (GH org slug); domain veilor.org	2026-04-30 13:59:20 +01:00
LICENSE	veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme	2026-04-30 03:43:33 +01:00
README.md	docs: refine strategy — ostreecontainer install + mesh stack + browser stack	2026-05-05 15:15:52 +01:00

README.md

veilor-os

Hardened minimal Fedora KDE spin. Black-on-black. Locked down by default.

veilor-os is a Fedora 43 KDE Plasma remix for operators who want a clean, fast, opinionated desktop with serious hardening already wired in. Boot the ISO, set an admin password, work. No installer wizard. No initial-setup screen. No telemetry. No "would you like to enable X" prompts.

The current install path is an Anaconda kickstart with a custom gum TUI on top. v0.7+ ships a hybrid path: the kickstart ISO becomes the bootstrap installer (Anaconda's LUKS UX is mature), but the root filesystem is populated directly from a cosign-signed bootc OCI image built via BlueBuild on top of secureblue's hardened Kinoite variant. Updates from there flow through bootc upgrade — atomic A/B, instant rollback. v1.0 is bootc-only.

See docs/STRATEGY.md for the full trajectory.

Status

Active development on the install path. Three bug classes have been worked through (LUKS unlock cmdline, anaconda RPM-6.0 cmdline-mode brittleness, bootloader install via gen_grub_cfgstub); current focus is the v0.5.32 blocker list from the 2026-05-05 9-agent research wave.

What is shipping: hardening (SELinux, sysctl, USBGuard, fail2ban, firewalld), KDE black theme, Fira Code system font, 3-mode power management, single-prompt LUKS install, first-boot admin password flow, reproducible CI build, EFI+BIOS bootable live ISO.

What is planned (see docs/ROADMAP.md): Plymouth

SDDM polish, signed ISOs (own MOK + GPG, sigstore/cosign on OCI), AppArmor + nftables stack, veilor-update / veilor-doctor / veilor-postinstall helpers, public docs site, bootc OCI hybrid spike at v0.7, bootc-only at v1.0.

Quick install

# 1. Download the ISO (after public release; CI artifact for now)
sha256sum -c veilor-os-43-*.iso.sha256

# 2. Flash to USB. Replace /dev/sdX with your USB device — triple-check.
sudo dd if=veilor-os-43-*.iso of=/dev/sdX bs=4M status=progress conv=fsync
sync

# 3. Boot from USB, pick "Install veilor-os" from the menu.
# 4. Set a strong LUKS passphrase — the only prompt during install.
# 5. Reboot, remove USB.
# 6. On first boot: TTY prompts for an admin password (≥14 chars, mixed case,
#    digit, symbol). Once accepted, SDDM starts. Log in as `admin`.

Full install + first-boot walkthrough: docs/INSTALL.md.

What veilor-os ships

Layer	Hardening
Boot	Secure Boot, `lockdown=integrity`, `slab_nomerge`, `randomize_kstack_offset=on`, `vsyscall=none`. LUKS2 (aes-xts-plain64, argon2id, mem=1GB). zram swap (no disk swap, no cold-boot leak).
Kernel	Locked sysctls: ptrace=2, kptr_restrict=2, dmesg_restrict=1, perf_event_paranoid=3, BPF JIT hardening, full ASLR, no SUID core dumps.
MAC	SELinux enforcing, targeted policy + custom `veilor-systemd` module.
Network	firewalld zone = `drop`, ssh only inbound. systemd-resolved with DNS-over-TLS (Cloudflare/Quad9 fallback), LLMNR off. NTS-authenticated chrony time.
SSH	password auth off, root login off, single `admin` user, X11 forwarding off, MaxAuthTries 3.
Auth	root locked, single `admin` user with sudo. pwquality minlen=14, 4 character classes. First-boot password forced via `chage -d 0`.
Audit	`auditd` rules covering passwd/shadow/sudoers/ssh/cron/sysctl/kernel modules and all privileged binaries.
IDS	`fail2ban` with sshd + pam-generic jails, journal backend, firewalld rich-rule action.
USB	`USBGuard` daemon, default-block, empty allowlist on first boot.
Services off	`abrt*`, `cups`, `geoclue`, `avahi-daemon`, `bluetooth`, `ModemManager`, `gssproxy`, `atd`, `pcscd`, `kdeconnectd`, `PackageKit`.
UX	KDE Plasma minimal, `BreezeBlackPure` colour scheme, Fira Code system font, `veilor-power save \| mid \| perf` with udev AC/battery auto-switch.

Full reference: docs/HARDENING.md.

60-second tour — what's different from stock Fedora KDE

No Anaconda Initial Setup wizard after first boot. Single LUKS passphrase prompt is the entire install interaction. Admin user is pre-created; password is set once on TTY1, then SDDM starts.
Root is locked. passwd -S root reports L. There is no su - to root, ever. Use sudo.
No PackageKit, no Flatpak by default. Updates happen with sudo dnf upgrade on your terms, not in the background.
Default firewall zone is drop, not FedoraWorkstation. The only thing your machine answers is sshd on its assigned port.
USBGuard blocks every USB device by default. First-boot procedure: plug in everything you trust, run usbguard generate-policy, done.
Black-on-black KDE. Wallpaper, panel, Konsole all match. No "white flash" anywhere in the session.
veilor-power save | mid | perf swaps the full tuned profile, CPU governor, EPP, battery threshold, and screen-dim policy in one command. Wired to AC/battery udev events too — laptop drops to save when unplugged automatically.

How veilor-os compares

Feature	veilor-os	Stock Fedora KDE	Kicksecure
SELinux enforcing OOTB	yes	yes	yes
AppArmor	planned (v0.5)	no	yes
Secure Boot	yes (Fedora keys)	yes (Fedora keys)	configurable
LUKS2 with argon2id	default	optional	default
Single-prompt install (LUKS only)	yes	no	no
Root account locked by default	yes	no	yes
firewalld default zone = drop	yes	no	n/a (uses nftables)
USBGuard default-block	yes	no	yes
fail2ban + auditd OOTB	yes	no	partial
DNS-over-TLS by default	yes	no	yes
NTS-authenticated NTP	yes	no	yes
`init_on_alloc/free` (post-install)	yes (planned re-enable)	no	yes
Telemetry / phone-home	none	minimal	none
KDE Plasma branded theme	yes (black)	Breeze	n/a (XFCE)
Power-profile CLI	yes (3-mode)	partial	no
Reproducible kickstart-built ISO	yes	yes	yes (from Debian)
Base distro	Fedora 43	Fedora 43	Debian

veilor-os is not trying to compete with Whonix-style anonymity or Qubes-style isolation. It is a hardened daily-driver desktop — fast, clean, locked down, with no manual post-install hardening required.

Repo layout

kickstart/   veilor-os.ks                 full kickstart definition
build/       Containerfile + build-iso.sh    reproducible ISO builder
overlay/     files dropped into installed root via %post
scripts/     hardening, SELinux policy, theme apply, firstboot
assets/      fonts, KDE colour scheme, branding, plymouth (planned)
docs/        BUILD / INSTALL / HARDENING / POWER / ROADMAP
test/        boot-checklist + KVM runner
.github/     CI workflows + PR template + CODEOWNERS

Build instructions: docs/BUILD.md. Roadmap: docs/ROADMAP.md. Contributing: CONTRIBUTING.md. Changelog: CHANGELOG.md.

License

MIT — see LICENSE. Fira Code ships from Fedora's fira-code-fonts package under SIL OFL 1.1. Fedora packages remain under their respective licences. Kickstart, overlay, scripts, and docs in this repo are MIT.