hardened Fedora KDE; primary on Forgejo

Find a file

veilor-org 79e32fc922 v0.5.27: rd.luks.uuid via grubby, GRUB rebrand, fbcon=nodefer, ASCII gum cursor Critical install bug fix + cosmetic round-up + first formal test procedure document. ## Critical: LUKS unlock on first boot Generated installer kickstart's %post was injecting `rd.luks.uuid=…` into `/etc/default/grub` only. Fedora 43 uses BLS (Boot Loader Specification) entries in `/boot/loader/entries/.conf`; those are NOT regenerated by `grub2-mkconfig`. Result: the kernel boots without `rd.luks.uuid=`, dracut's cryptsetup-generator never spawns the unlock unit, plymouth has no password to ask for, and dracut-initqueue loops on dev-disk-by-uuid for ~3min before dropping to emergency shell. The fix layers both write paths: - `/etc/default/grub` — keeps the args around for future kernels (kernel-install reads this when adding new entries). - `grubby --update-kernel=ALL --args=...` — rewrites the `options` line of every existing BLS entry so the kernel that boots NEXT actually has the args. Verified by reading `/proc/cmdline` from the dracut emergency shell on a v0.5.26 install; old cmdline had only `root=UUID=… ro rootflags=subvol=root` and was missing the LUKS arg entirely. ## GRUB / branding - `/etc/default/grub` is sed'd to `GRUB_DISTRIBUTOR="veilor-os"` (was already there, kept). - BLS entries' `title` line is rewritten in-place to "veilor-os (<kver>)" for every kernel — `grub2-mkconfig` does not touch BLS titles, so this is the only path. - `/boot/loader/entries/-0-rescue-*.conf` is removed: the auto-built rescue entry was leaking "Fedora Linux" into the GRUB menu and showing a second boot option that nobody asked for. The rescue kernel image itself is left in /boot. - Hostname defaults to `veilor` (was inheriting the `localhost-live` name anaconda writes when the kickstart's network directive is ignored under cmdline mode). - `/etc/machine-info` adds `PRETTY_HOSTNAME="veilor-os"` so `hostnamectl status` and any consumer reading machine-info see the brand. ## Boot UX - `fbcon=nodefer` added to live-ISO bootloader cmdline. On real laptops with a hardware GPU, the kernel modeset blanks the framebuffer console mid-boot; without `nodefer` the installer banner draws into a frozen framebuffer and the user sees a black screen with a blinking cursor for ~30s. virtio-vga in QEMU doesn't trigger this so it never reproduced in VM. Symptom report on v0.5.26 was the trigger to investigate. ## Installer cosmetics - `GUM_CHOOSE_CURSOR` and `GUM_INPUT_PROMPT` switched from `❯ ` to `> `. The unicode arrow falls back to a fixed-width block on the linux fbcon font and lipgloss then duplicates that block at col +23, producing the "Install Install" double-render and the stray-T artifact in password fields. Plain ASCII renders identically across fbcon, virtio-vga, and X/Wayland gum runs. - `VERSION_ID` bumped 0.5.8 → 0.5.27 in the os-release drop-in. The installer banner reads this at runtime, so the live ISO + installed system both now show "veilor-os 0.5.27". ## Test procedure - `test/TESTING.md` — first canonical test procedure document. Splits VM (cheap iteration, hybrid sendkey + human passwords) from real hardware (mandatory for tag). Documents the standard test passwords (`veilortest1` for both LUKS and admin), the kill-and-relaunch step to skip CD on second boot, and the per-step pass/fail contract. - `test/METHOD-CHANGELOG.md` — append-only audit trail for changes to the procedure. Future releases that alter the test method must add an entry here with the why. - `test/test-runs/_TEMPLATE.md` — per-run report template. Each tagged release should land a filled report alongside it. ## test/run-vm.sh Decoupled QEMU monitor sock setup from auto-inject. Previously `NO_INJECT=1` (used to suppress autotype noise into prompts) also killed the monitor sock, leaving the VM undriveable. Monitor sock is now always exposed; only the inject helper is gated on the pubkey detection.		2026-05-05 01:43:00 +01:00
.github	ci: drop updates repo (3x 404 on its zchunk repodata)	2026-05-03 04:15:12 +01:00
assets	v0.5.27: rd.luks.uuid via grubby, GRUB rebrand, fbcon=nodefer, ASCII gum cursor	2026-05-05 01:43:00 +01:00
build	ci: switch refs from `veilor` → `veilor-org` (GH org slug); domain veilor.org	2026-04-30 13:59:20 +01:00
docs	sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3 )	2026-05-02 04:39:39 +01:00
kickstart	v0.5.27: rd.luks.uuid via grubby, GRUB rebrand, fbcon=nodefer, ASCII gum cursor	2026-05-05 01:43:00 +01:00
overlay	v0.5.27: rd.luks.uuid via grubby, GRUB rebrand, fbcon=nodefer, ASCII gum cursor	2026-05-05 01:43:00 +01:00
scripts	v0.5.2: move veilor-installer + veilor-firstboot to /usr/local/bin	2026-05-02 05:33:22 +01:00
test	v0.5.27: rd.luks.uuid via grubby, GRUB rebrand, fbcon=nodefer, ASCII gum cursor	2026-05-05 01:43:00 +01:00
upstream	v0.3 theme: match onyx exactly — solid black wallpaper, Linux Konsole scheme, Breeze_Light cursor	2026-04-30 17:18:14 +01:00
.gitignore	chore: gitignore agent worktrees + un-track accidental embedded repos	2026-05-02 01:08:14 +01:00
CHANGELOG.md	docs: CHANGELOG v0.2.0-v0.2.5, README rewrite, ROADMAP, release notes update (#5 )	2026-05-02 03:42:39 +01:00
CONTRIBUTING.md	ci: switch refs from `veilor` → `veilor-org` (GH org slug); domain veilor.org	2026-04-30 13:59:20 +01:00
LICENSE	veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme	2026-04-30 03:43:33 +01:00
README.md	docs: CHANGELOG v0.2.0-v0.2.5, README rewrite, ROADMAP, release notes update (#5 )	2026-05-02 03:42:39 +01:00

README.md

veilor-os

Hardened minimal Fedora KDE spin. Black-on-black. Locked down by default.

veilor-os is a Fedora 43 KDE Plasma remix for operators who want a clean, fast, opinionated desktop with serious hardening already wired in. Boot the ISO, set an admin password, work. No installer wizard. No initial-setup screen. No telemetry. No "would you like to enable X" prompts.

Status

Pre-release v0.2.5 — first feature-complete ISO that actually applies the veilor-os overlay to the installed system. The build pipeline is green on CI; the live ISO boots to KDE on KVM and bare metal. See CHANGELOG.md for the full v0.2.0 → v0.2.5 story (it is worth reading — five real bugs caught and documented).

What is done: hardening (SELinux, sysctl, USBGuard, fail2ban, firewalld), KDE black theme, Fira Code system font, 3-mode power management, single-prompt LUKS install, first-boot admin password flow, reproducible CI build, EFI+BIOS bootable live ISO.

What is planned (see docs/ROADMAP.md): Plymouth black theme, SDDM theme, signed ISOs (own MOK + GPG), AppArmor + nftables, veilor-update / veilor-doctor helpers, public docs site.

Quick install

# 1. Download the ISO (after public release; CI artifact for now)
sha256sum -c veilor-os-43-*.iso.sha256

# 2. Flash to USB. Replace /dev/sdX with your USB device — triple-check.
sudo dd if=veilor-os-43-*.iso of=/dev/sdX bs=4M status=progress conv=fsync
sync

# 3. Boot from USB, pick "Install veilor-os" from the menu.
# 4. Set a strong LUKS passphrase — the only prompt during install.
# 5. Reboot, remove USB.
# 6. On first boot: TTY prompts for an admin password (≥14 chars, mixed case,
#    digit, symbol). Once accepted, SDDM starts. Log in as `admin`.

Full install + first-boot walkthrough: docs/INSTALL.md.

What veilor-os ships

Layer	Hardening
Boot	Secure Boot, `lockdown=integrity`, `slab_nomerge`, `randomize_kstack_offset=on`, `vsyscall=none`. LUKS2 (aes-xts-plain64, argon2id, mem=1GB). zram swap (no disk swap, no cold-boot leak).
Kernel	Locked sysctls: ptrace=2, kptr_restrict=2, dmesg_restrict=1, perf_event_paranoid=3, BPF JIT hardening, full ASLR, no SUID core dumps.
MAC	SELinux enforcing, targeted policy + custom `veilor-systemd` module.
Network	firewalld zone = `drop`, ssh only inbound. systemd-resolved with DNS-over-TLS (Cloudflare/Quad9 fallback), LLMNR off. NTS-authenticated chrony time.
SSH	password auth off, root login off, single `admin` user, X11 forwarding off, MaxAuthTries 3.
Auth	root locked, single `admin` user with sudo. pwquality minlen=14, 4 character classes. First-boot password forced via `chage -d 0`.
Audit	`auditd` rules covering passwd/shadow/sudoers/ssh/cron/sysctl/kernel modules and all privileged binaries.
IDS	`fail2ban` with sshd + pam-generic jails, journal backend, firewalld rich-rule action.
USB	`USBGuard` daemon, default-block, empty allowlist on first boot.
Services off	`abrt*`, `cups`, `geoclue`, `avahi-daemon`, `bluetooth`, `ModemManager`, `gssproxy`, `atd`, `pcscd`, `kdeconnectd`, `PackageKit`.
UX	KDE Plasma minimal, `BreezeBlackPure` colour scheme, Fira Code system font, `veilor-power save \| mid \| perf` with udev AC/battery auto-switch.

Full reference: docs/HARDENING.md.

60-second tour — what's different from stock Fedora KDE

No Anaconda Initial Setup wizard after first boot. Single LUKS passphrase prompt is the entire install interaction. Admin user is pre-created; password is set once on TTY1, then SDDM starts.
Root is locked. passwd -S root reports L. There is no su - to root, ever. Use sudo.
No PackageKit, no Flatpak by default. Updates happen with sudo dnf upgrade on your terms, not in the background.
Default firewall zone is drop, not FedoraWorkstation. The only thing your machine answers is sshd on its assigned port.
USBGuard blocks every USB device by default. First-boot procedure: plug in everything you trust, run usbguard generate-policy, done.
Black-on-black KDE. Wallpaper, panel, Konsole all match. No "white flash" anywhere in the session.
veilor-power save | mid | perf swaps the full tuned profile, CPU governor, EPP, battery threshold, and screen-dim policy in one command. Wired to AC/battery udev events too — laptop drops to save when unplugged automatically.

How veilor-os compares

Feature	veilor-os	Stock Fedora KDE	Kicksecure
SELinux enforcing OOTB	yes	yes	yes
AppArmor	planned (v0.5)	no	yes
Secure Boot	yes (Fedora keys)	yes (Fedora keys)	configurable
LUKS2 with argon2id	default	optional	default
Single-prompt install (LUKS only)	yes	no	no
Root account locked by default	yes	no	yes
firewalld default zone = drop	yes	no	n/a (uses nftables)
USBGuard default-block	yes	no	yes
fail2ban + auditd OOTB	yes	no	partial
DNS-over-TLS by default	yes	no	yes
NTS-authenticated NTP	yes	no	yes
`init_on_alloc/free` (post-install)	yes (planned re-enable)	no	yes
Telemetry / phone-home	none	minimal	none
KDE Plasma branded theme	yes (black)	Breeze	n/a (XFCE)
Power-profile CLI	yes (3-mode)	partial	no
Reproducible kickstart-built ISO	yes	yes	yes (from Debian)
Base distro	Fedora 43	Fedora 43	Debian

veilor-os is not trying to compete with Whonix-style anonymity or Qubes-style isolation. It is a hardened daily-driver desktop — fast, clean, locked down, with no manual post-install hardening required.

Repo layout

kickstart/   veilor-os.ks                 full kickstart definition
build/       Containerfile + build-iso.sh    reproducible ISO builder
overlay/     files dropped into installed root via %post
scripts/     hardening, SELinux policy, theme apply, firstboot
assets/      fonts, KDE colour scheme, branding, plymouth (planned)
docs/        BUILD / INSTALL / HARDENING / POWER / ROADMAP
test/        boot-checklist + KVM runner
.github/     CI workflows + PR template + CODEOWNERS

Build instructions: docs/BUILD.md. Roadmap: docs/ROADMAP.md. Contributing: CONTRIBUTING.md. Changelog: CHANGELOG.md.

License

MIT — see LICENSE. Fira Code ships from Fedora's fira-code-fonts package under SIL OFL 1.1. Fedora packages remain under their respective licences. Kickstart, overlay, scripts, and docs in this repo are MIT.