veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
veilor-os/README.md
obsidian-ai 97939d76f8 docs(README): add secureblue column + upstream credit section 
secureblue (AGPLv3) is the upstream hardened atomic Fedora that the
v0.7 BlueBuild spike layers on top of. Comparison table now includes
secureblue alongside Kicksecure + stock Fedora KDE. New "Credit &
relationship to secureblue" section spells out where their work
already solves problems we don't need to reinvent (Trivalent,
SELinux policy, kernel cmdline, signed OCI), how veilor-os differs
(kickstart install path + branding + Forgejo CI), and the AGPLv3
attribution rule for any code we lift verbatim.
2026-05-06 16:10:03 +01:00

9.6 KiB
Raw Blame History

veilor-os

Hardened minimal Fedora KDE spin. Black-on-black. Locked down by default.

Build veilor-os ISO License: MIT

veilor-os is a Fedora 43 KDE Plasma remix for operators who want a clean, fast, opinionated desktop with serious hardening already wired in. Boot the ISO, set an admin password, work. No installer wizard. No initial-setup screen. No telemetry. No "would you like to enable X" prompts.

The current install path is an Anaconda kickstart with a custom gum TUI on top. v0.7+ ships a hybrid path: the kickstart ISO becomes the bootstrap installer (Anaconda's LUKS UX is mature), but the root filesystem is populated directly from a cosign-signed bootc OCI image built via BlueBuild on top of secureblue's hardened Kinoite variant. Updates from there flow through bootc upgrade — atomic A/B, instant rollback. v1.0 is bootc-only.

See docs/STRATEGY.md for the full trajectory.

Status

Active development on the install path. Three bug classes have been worked through (LUKS unlock cmdline, anaconda RPM-6.0 cmdline-mode brittleness, bootloader install via gen_grub_cfgstub); current focus is the v0.5.32 blocker list from the 2026-05-05 9-agent research wave.

Primary git host: https://git.s8n.ru/veilor-org/veilor-os. The GitHub mirror was disabled 2026-05-06; this repo is private-by-default on Forgejo. ISO builds and CI artifacts are produced by the Forgejo runner on nullstone — no GitHub Actions involvement.

What is shipping: hardening (SELinux, sysctl, USBGuard, fail2ban, firewalld), KDE black theme, Fira Code system font, 3-mode power management, single-prompt LUKS install, first-boot admin password flow, reproducible CI build, EFI+BIOS bootable live ISO.

What is planned (see docs/ROADMAP.md): Plymouth

  • SDDM polish, signed ISOs (own MOK + GPG, sigstore/cosign on OCI), AppArmor + nftables stack, veilor-update / veilor-doctor / veilor-postinstall helpers, public docs site, bootc OCI hybrid spike at v0.7, bootc-only at v1.0.

Quick install

# 1. Download the ISO from the latest Forgejo release.
#    https://git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest
#    (rolling tag; replaced on each successful build-iso.yml run)
sha256sum -c veilor-os-43-*.iso.sha256

# 2. Flash to USB. Replace /dev/sdX with your USB device — triple-check.
sudo dd if=veilor-os-43-*.iso of=/dev/sdX bs=4M status=progress conv=fsync
sync

# 3. Boot from USB, pick "Install veilor-os" from the menu.
# 4. Set a strong LUKS passphrase — the only prompt during install.
# 5. Reboot, remove USB.
# 6. On first boot: TTY prompts for an admin password (≥14 chars, mixed case,
#    digit, symbol). Once accepted, SDDM starts. Log in as `admin`.

Full install + first-boot walkthrough: docs/INSTALL.md.

What veilor-os ships

Layer Hardening
Boot Secure Boot, lockdown=integrity, slab_nomerge, randomize_kstack_offset=on, vsyscall=none. LUKS2 (aes-xts-plain64, argon2id, mem=1GB). zram swap (no disk swap, no cold-boot leak).
Kernel Locked sysctls: ptrace=2, kptr_restrict=2, dmesg_restrict=1, perf_event_paranoid=3, BPF JIT hardening, full ASLR, no SUID core dumps.
MAC SELinux enforcing, targeted policy + custom veilor-systemd module.
Network firewalld zone = drop, ssh only inbound. systemd-resolved with DNS-over-TLS (Cloudflare/Quad9 fallback), LLMNR off. NTS-authenticated chrony time.
SSH password auth off, root login off, single admin user, X11 forwarding off, MaxAuthTries 3.
Auth root locked, single admin user with sudo. pwquality minlen=14, 4 character classes. First-boot password forced via chage -d 0.
Audit auditd rules covering passwd/shadow/sudoers/ssh/cron/sysctl/kernel modules and all privileged binaries.
IDS fail2ban with sshd + pam-generic jails, journal backend, firewalld rich-rule action.
USB USBGuard daemon, default-block, empty allowlist on first boot.
Services off abrt*, cups, geoclue, avahi-daemon, bluetooth, ModemManager, gssproxy, atd, pcscd, kdeconnectd, PackageKit.
UX KDE Plasma minimal, BreezeBlackPure colour scheme, Fira Code system font, veilor-power save | mid | perf with udev AC/battery auto-switch.

Full reference: docs/HARDENING.md.

60-second tour — what's different from stock Fedora KDE

  • No Anaconda Initial Setup wizard after first boot. Single LUKS passphrase prompt is the entire install interaction. Admin user is pre-created; password is set once on TTY1, then SDDM starts.
  • Root is locked. passwd -S root reports L. There is no su - to root, ever. Use sudo.
  • No PackageKit, no Flatpak by default. Updates happen with sudo dnf upgrade on your terms, not in the background.
  • Default firewall zone is drop, not FedoraWorkstation. The only thing your machine answers is sshd on its assigned port.
  • USBGuard blocks every USB device by default. First-boot procedure: plug in everything you trust, run usbguard generate-policy, done.
  • Black-on-black KDE. Wallpaper, panel, Konsole all match. No "white flash" anywhere in the session.
  • veilor-power save | mid | perf swaps the full tuned profile, CPU governor, EPP, battery threshold, and screen-dim policy in one command. Wired to AC/battery udev events too — laptop drops to save when unplugged automatically.

How veilor-os compares

Feature veilor-os Stock Fedora KDE Kicksecure secureblue
SELinux enforcing OOTB yes yes yes yes (custom policy)
AppArmor deferred (post-v0.6 / v0.7 LSM stack) no yes no
Secure Boot yes (Fedora keys) yes (Fedora keys) configurable yes (Fedora keys)
LUKS2 with argon2id default optional default default (Anaconda)
Single-prompt install (LUKS only) yes no no rebase via Anaconda
Root account locked by default yes no yes yes
firewalld default zone = drop yes no n/a (nftables) yes
USBGuard default-block yes no yes yes
fail2ban + auditd OOTB yes no partial partial (auditd)
DNS-over-TLS by default yes no yes yes
NTS-authenticated NTP yes no yes yes
init_on_alloc/free (post-install) yes (planned re-enable) no yes yes
Telemetry / phone-home none minimal none none
KDE Plasma branded theme yes (black) Breeze n/a (XFCE) upstream Kinoite
Power-profile CLI yes (3-mode) partial no no
Hardened browser (Trivalent / Mullvad) yes (v0.6+) no no yes (Trivalent shipped)
Atomic OCI image + signed base v0.7 spike (BlueBuild) no no yes (bootc)
Userns-remap default + module sig enforce yes no partial yes
Base distro Fedora 43 (KDE) Fedora 43 Debian Fedora atomic (Kinoite/Silverblue)

veilor-os is not trying to compete with Whonix-style anonymity or Qubes-style isolation. It is a hardened daily-driver desktop — fast, clean, locked down, with no manual post-install hardening required.

Credit & relationship to secureblue

secureblue (AGPLv3) is an upstream hardened atomic Fedora build that already solves a long list of problems we'd otherwise reinvent: Trivalent (hardened Chromium), custom SELinux policy, sysctl hardening, module.sig_enforce=1, USBGuard defaults, libpam-pwquality config, kernel cmdline hardening, and a full BlueBuild OCI pipeline with cosign-signed releases. The v0.7 veilor-os spike layers on top of secureblue's securecore-kinoite-hardened-userns image rather than re-deriving the same hardening from scratch.

Where veilor-os differs is the path, not the destination: a kickstart-installed flat install for v0.5.x (operator-friendly LUKS flow, single-prompt install), a hybrid kickstart-bootstrap + secureblue-OCI image at v0.7, and a fully OCI/bootc upgrade path at v1.0. Branding, theming, the gum installer, the 3-mode power CLI, and the Forgejo-hosted CI/release plumbing are veilor's own work.

If a chunk of secureblue code, config, or policy ends up in veilor-os verbatim or near-verbatim, the file carries an upstream-attribution header and the LICENSE file in this repo records the AGPLv3 obligation on those files. Anything we ship under MIT is original to this repo. Thanks to the secureblue maintainers — without their public work the v0.7 path would be a year of duplicate effort.

Repo layout

kickstart/   veilor-os.ks                 full kickstart definition
build/       Containerfile + build-iso.sh    reproducible ISO builder
overlay/     files dropped into installed root via %post
scripts/     hardening, SELinux policy, theme apply, firstboot
assets/      fonts, KDE colour scheme, branding, plymouth (planned)
docs/        BUILD / INSTALL / HARDENING / POWER / ROADMAP
test/        boot-checklist + KVM runner
.github/     CI workflows + PR template + CODEOWNERS

Build instructions: docs/BUILD.md. Roadmap: docs/ROADMAP.md. Contributing: CONTRIBUTING.md. Changelog: CHANGELOG.md.

License

MIT — see LICENSE. Fira Code ships from Fedora's fira-code-fonts package under SIL OFL 1.1. Fedora packages remain under their respective licences. Kickstart, overlay, scripts, and docs in this repo are MIT.