#version=DEVEL
# veilor-os kickstart — Fedora 43 KDE base, hardened, minimal.
# Build with livemedia-creator inside build/Containerfile.
#
# Lines marked NOTE(review) flag what this file alone cannot settle and
# should be confirmed against an actual build log.

# ── Install source ──
# $releasever / $basearch are substituted by anaconda: base release mirrorlist
# plus the released-updates repo, so the image carries current fixes.
url --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch"
repo --name=updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch"

# ── Locale / keyboard / time (template — adjust per build) ──
keyboard --xlayouts='us'
lang en_GB.UTF-8
timezone Europe/London --utc

# ── Install mode ──
# Text-mode install, no first-boot wizard; SELinux is enforcing from the first boot.
text
firstboot --disable
eula --agreed
selinux --enforcing
# NOTE(review): veilor-firstboot and veilor-modules-lock appear to be
# project-specific units, presumably supplied by the overlay copied in the
# --nochroot %post; if that overlay is missing, this line names units that do
# not exist. The chroot %post enables the same set a second time.
services --enabled=sshd,fail2ban,usbguard,tuned,auditd,firewalld,chronyd,sddm,veilor-firstboot,veilor-modules-lock

# ── Network / hostname ──
# sshd is enabled above and opened in the firewall here, so the installed
# system listens for SSH from its first boot.
network --bootproto=dhcp --device=link --activate --hostname=veilor-os
firewall --enabled --service=ssh

# ── Identity (zero-prompt; only LUKS passphrase asked at install) ──
rootpw --lock
# NOTE(review): --password="" --plaintext requests an empty password for a
# wheel member. The chroot %post then runs `chage -d 0 admin`, which forces a
# change only after a successful login; whether an empty password is accepted
# at all depends on how anaconda treats it and on PAM's nullok on the installed
# system — confirm, and consider having veilor-firstboot set the password.
user --name=admin --groups=wheel --gecos="veilor admin" --password="" --plaintext
# NOTE(review): auth/authconfig is deprecated in pykickstart in favour of the
# authselect command; check it is still accepted by the Fedora 43 handler.
auth --useshadow --passalgo=sha512

# ── Bootloader: kernel hardening flags ──
# The --append string is passed verbatim to every installed kernel.
bootloader --location=mbr --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none"

# ── Disk: BIOS+UEFI, LUKS2, btrfs subvols, zram swap (no disk swap) ──
# Destructive: clears every partition on every disk the installer sees.
zerombr
clearpart --all --initlabel
# NOTE(review): --add-boot asks for a /boot partition and the next line
# declares one explicitly; anaconda may reject the duplicate mount point —
# keep one of the two.
reqpart --add-boot
part /boot --fstype=ext4 --size=1024 --asprimary
# LUKS2 PV with Argon2id. --pbkdf-memory is in KiB (1 GiB here), so unlocking
# needs that much RAM in the initramfs; /boot stays unencrypted above, so the
# bootloader never has to open this container.
part pv.veilor --size=1 --grow --encrypted --luks-version=luks2 \
--pbkdf=argon2id --pbkdf-memory=1048576 --pbkdf-iterations=9 \
--cipher=aes-xts-plain64 --hash=sha512
volgroup veilor pv.veilor
# NOTE(review): mkfs.btrfs --mixed is intended for very small filesystems and
# cannot be undone later; on a root that grows to fill the disk it is unusual —
# confirm it is intended. No btrfs subvolumes are declared despite the title.
logvol / --vgname=veilor --name=root --fstype=btrfs --size=1 --grow \
--mkfsoptions="--mixed"
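# ── Packages ──
# --excludedocs drops man pages and docs from every package to keep the image small.
%packages --excludedocs
@^kde-desktop-environment
@kde-apps
@core
@hardware-support
@standard

# core hardening tools
fail2ban
fail2ban-firewalld
usbguard
usbguard-tools
audit
policycoreutils-python-utils
tuned
chrony
firewalld
plymouth
# zram swap is configured in the chroot %post; listing the generator here means
# that step never depends on network access from inside the chroot.
zram-generator

# admin essentials
git
vim-enhanced
tmux
htop
podman
skopeo
NetworkManager
NetworkManager-wifi

# fonts
fontconfig
freetype
fira-code-fonts

# remove fluff
# NOTE(review): some of these are libraries or backends that the KDE groups
# above may require (avahi-libs, pcsc-lite, PackageKit); if the transaction
# fails to resolve, check these excludes first.
-cups
-cups-browsed
-abrt*
-snapd
-geoclue2
-avahi
-avahi-libs
-kde-connect
-open-vm-tools-desktop
-PackageKit
-PackageKit-command-not-found
-mlocate
-ModemManager
-pcsc-lite
-rsync-daemon
%end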
# ── Post-install (nochroot): copy overlay tree into installed root ──
|
|
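%post --nochroot --interpreter=/usr/bin/bash
# Runs in the installer environment before the chroot %post. Stages the
# optional overlay tree plus the assets/ and scripts/ directories that the
# chroot %post runs from /usr/share/veilor-os.
set -euo pipefail

# SRC is the veilor tree on the install media. DEST is the installed root:
# anaconda exports it as ANA_INSTALL_PATH; the classic mount point is the
# fallback so behaviour is unchanged where the variable is absent.
readonly SRC=/run/install/repo/veilor
readonly DEST="${ANA_INSTALL_PATH:-/mnt/sysimage}"

# Fail with a clear message rather than letting cp report a bare ENOENT.
if [[ ! -d "$SRC" ]]; then
  echo "[ERR] $SRC not found on the install media; cannot stage veilor-os files" >&2
  exit 1
fi

# Optional overlay: files dropped straight onto the installed root. The chroot
# %post expects /usr/local/bin/veilor-power and /usr/local/sbin/veilor-firstboot
# to exist — presumably they come from here; verify against the overlay tree.
if [[ -d "$SRC/overlay" ]]; then
  cp -a -- "$SRC/overlay/." "$DEST/"
fi

# Required: without assets/ and scripts/ the chroot %post cannot run anything.
mkdir -p -- "$DEST/usr/share/veilor-os"
cp -a -- "$SRC/assets" "$SRC/scripts" "$DEST/usr/share/veilor-os/"
%end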
# ── Post-install (chroot): apply hardening, theme, branding ──
|
|
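%post --interpreter=/usr/bin/bash
# Runs inside the installed root. The hardening scripts must succeed, so the
# whole %post now aborts on an unhandled failure (set -e); steps that are
# genuinely optional say so with `|| true`. The previous `set -uo pipefail`
# let a failed hardening script fall through to "install complete".
set -euo pipefail

readonly LOG=/var/log/veilor-install.log
readonly REPO=/usr/share/veilor-os

# Keep a copy of everything this script prints inside the installed system
# (`%post --log=` would keep it in the installer instead). The log records
# every hardening step that ran — and any that did not — so make it root-only.
touch "$LOG"
chmod 0600 "$LOG"
exec > >(tee -a "$LOG") 2>&1

echo "════════════════════════════════════════════════════════"
echo " veilor-os install — %post"
echo "════════════════════════════════════════════════════════"

# The scripts and helpers are staged by the --nochroot %post; without them
# nothing below can run, so fail early with a message that says why.
for required in "$REPO/scripts" /usr/local/bin/veilor-power /usr/local/sbin/veilor-firstboot; do
  if [[ ! -e "$required" ]]; then
    echo "[ERR] missing $required — was the overlay copied by the --nochroot %post?"
    exit 1
  fi
done
shopt -s nullglob   # an empty scripts/selinux/ must not turn into a literal '*.sh'
chmod +x "$REPO"/scripts/*.sh "$REPO"/scripts/selinux/*.sh \
  /usr/local/bin/veilor-power /usr/local/sbin/veilor-firstboot
shopt -u nullglob

# Apply hardening. A failure here aborts the install instead of producing an
# image that only looks hardened.
bash "$REPO/scripts/10-harden-base.sh"
bash "$REPO/scripts/20-harden-kernel.sh"

# Build SELinux module. Deliberately best-effort: loading is deferred to first
# boot when the build fails inside the chroot.
bash "$REPO/scripts/selinux/build-policy.sh" || echo "[WARN] SELinux build failed; load on first boot"

# Apply KDE theme + DuckSans + os-release branding
bash "$REPO/scripts/kde-theme-apply.sh"

# Force admin password set on first boot (chage expires immediately).
# NOTE(review): expiry only forces a change after a successful login; if the
# kickstart leaves this account with an empty password, confirm that PAM does
# not accept it (nullok) before relying on this as the gate.
chage -d 0 admin   # the account created by the kickstart 'user --name=admin' line

# zram swap (no disk swap; keys never leak to platter)
# Best-effort: the chroot may have no network. Listing zram-generator in
# %packages avoids the fetch entirely; the dnf call stays as a fallback and is
# skipped when the package is already present.
rpm -q zram-generator >/dev/null 2>&1 || dnf install -y zram-generator || true
cat > /etc/systemd/zram-generator.conf << 'EOF'
[zram0]
zram-size = min(ram, 8192)
compression-algorithm = zstd
EOF

# Enable services. Repeats the kickstart `services --enabled=` list so the units
# stay enabled even if that directive is edited; under set -e a missing unit
# (i.e. an overlay that did not ship it) now fails the install instead of
# being skipped silently.
systemctl enable veilor-firstboot.service
systemctl enable veilor-modules-lock.service
systemctl enable sshd fail2ban usbguard tuned auditd firewalld chronyd

# Default tuned profile = balanced (AC/battery udev rule will override).
# Best-effort: tuned is not running in the chroot, so tuned-adm may refuse.
tuned-adm profile veilor-balanced 2>/dev/null || true

# Lock root explicitly (kickstart --lock should already do this)
passwd -l root

# Sanity: zero references to onyx / personal IPs in installed system.
# Intentionally non-fatal: the image still builds and the log line is the
# signal. Unmatched globs make grep exit 2, which reads as "no leak" here.
if grep -rqi 'onyx\|192\.168\.0\.\|fedora\.local' /etc/veilor* /etc/tuned/profiles/veilor-* 2>/dev/null; then
  echo "[ERR] brand leak detected in /etc — investigate"
fi

echo "════════════════════════════════════════════════════════"
echo " veilor-os install complete"
echo "════════════════════════════════════════════════════════"
%end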