list tracker/for proposals of base packages that can be removed in kinoite

there are alot of commands that the program needs to execute needing sudo permission, this includes system wide modifications in flatpak overrides, config modifications in /etc, addition of repo with sudo ostree, or removing and adding systemd services and autostart programs.

handling sudo by including it in the CMD_ argument to subprocess.Popen or subprocess.call does not seem to be a good idea. The polkit cannot be configured either since it is in /usr

not really necessary and can be removed

• general
  • #39
  • #43
• laptop specific
  • thinkpads
    • #25

fix documentation in docs

• functions
• packages and modules

This package to replace the SDDM theme manually. This is currently not possible.

Other problems:

• unifying the breeze cursor (Brave, toolboxapps?)
• allow removing of old themes (currently not possible in GUI?)
• maybe change the font
• #55
• remove the start screen? Makes system faster, ugly KDE loading stays anyways
• #56

changes that involve hardware and in depth system wide changes for the general population

• #5
• #14
• #40
• #15
• #30
• #20
• #48
• #35
• hardware specific
  • #62
  • #64
  • arm
  • #54
  • framework

• Install Lynis for security audit
• Hardened Firefox Profile
• Install & enable opensnitch Application firewall, load configs
• disable cups and bluetooth by default
• enable MAC randomization
• Apply more SELinux rules?
• other hardening steps
• Hardened Kernel COPR (maybe dead)
• hardened Malloc (dead?)
• firewall rules?

They work exactly the same, but toolbox only supports Fedora (being only useful for Fedora devs), while Distrobox supports every linux distro, so that you can use any .deb, AUR package e.g. natively, even create appstarters

# remove
toolbox

# add to install RPMs
distrobox

only problem: Distrobox uses Docker by default.

• #82
• #83
• hide unwanted Folders and Files from homedir
• autoupdates
• Link useful folders normal
• Link useful folders advanced
• Flatpak app folder
• firefox folder ~/.mozilla/firefox/
• maybe Brave config folder ~/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/
• Libreoffice config folder ~/.var/app/org.libreoffice.LibreOffice/config/libreoffice
• Autostart folder ~/.config/autostart
• add .hidden file to $HOME
• autoupdate Arkenfox user.js
• add custom Dolphin extensions working with filetypes
• link folders to dolphin extensions
• link download folder from to used folder for the extensions
• create lots of dolphin extensions working with Flatpaks or Distrobox instead of native apps
• add custom templates for creating md and office documents, link that folder and a guide how to do it (online too)
• add "copr" script to use COPR repos normally
• Install emojis, make them work

• third party repository setups
  • flathub
  • gnome nightly
  • kde nightly
  • rpmfusion
    • free
    • nonfree
    • tainted

there are cases where power-profiles-daemon perform worse than tlp, but both cannot be installed together.

this feature request will allow to switch/replace the power-profiles-daemon with tlp and vice versa

version rpmfusion prevents rebasing to another fedora release, thus an unversioned rpmfusion is needed to used instead to avoid future rebasing problems

Rstudio:

sudo rpm-ostree install R rstudio-desktop

sudo wget https://rpm.tuxedocomputers.com/opensuse/15.4/repo-tuxedo-computers.repo -P /etc/yum.repos.d/Tuxedo.repo

The Tuxdedo Control center has nice features like a graphical hardware and energy manager too, so may be usable for any Laptop with similar hardware, maybe with a few tweaks.

They include the packages packages:

• Tuxedofancontrol
• Tuxedo control center
• displaylink (the proprietary protocol?)
• anydesk
• rocketchat
• Zoiper

We should make sure it is chosen with lowest priority, as it may supply packages that are available in official repos.

You can see what repo is the latest here, the versions are for OpenSuse though.

Originally posted by @trytomakeyouprivate in https://github.com/iaacornus/Fedora-OSTree-Setup/issues/51#issuecomment-1445499861

KDE Plasma and Gnome should support the ~/.config/autostart/ folder.

but other distros need a workaround: (Link, UnixStackexchange)

printf """#!/bin/sh

shopt -s nullglob # Ensure shell expansion with 0 files expands to an empty list, rather than trying to read the "*.sh" file

if [ -z "$XDG_CONFIG_HOME" ]; then
    XDG_CONFIG_HOME=~/.config
fi
for f in "$XDG_CONFIG_HOME/autostart-scripts/"*.sh; do
    test -x "$f" && . "$f" || true
done""" > ~/.scripts/autostart.sh

printf """[Desktop Entry]
Exec=~/.scripts/autostart-exec.sh
Icon=system-run
NotShowIn=KDE
Terminal=false
TerminalOptions=
Type=Application""" >/etc/xdg/autostart/exec-autostart/workaround.desktop

This may be completely irrelevant for Silverblue / Kinoite, but good for waydroid people.

Currently the only thing you can overwrite are RPMs, removing or adding them.

There is a hack for SDDM login screens, this awesome tool. It creates working RPMs that only contain an addition to the exact folder, to place the SDDM theme there.

We could fork that project and add icons, or other changes like that.

Goal is to avoid needing to build the system ourself, as using these tools and local rpm-ostree overwrites, we dont have to provide the service

Kate is an awesome KDE text editor. Features:

• completely configurable GUI
• Modules for Markdown or other documents preview
• works for all tasks, can use sudo
• syntax highlighting, LSP, auto completion and syntax check
• Git integration
• ...

the Flatpak has missing features, document preview doesnt work and obviously things like writing system files too.

I tested it, Kate can fully replace the preinstalled Kwrite on KDE. I have no idea how styling is on GNOME, I guess horrible, so this may need some extra steps.

Also when installing it, it needs a small appstarter, because it doesnt create its own.

printf """[Desktop Entry]
Exec=kate
GenericName=Editor
Icon=kate
Name=Kate
Type=Application""" > ~/.local/share/applications/kate.desktop

Either we set an indicator value for GNOME vs. KDE, this could be extended for more Desktops / WMs with further OSTree distros. Then depending on this flag, we could decide what to remove. The unelegant solution, that I would prefer is:

rpm-ostree override remove kwrite --install kate;rpm-ostree override remove gedit --install kate

rpm-ostree will abort if the override package is not installed, in that case the next command will be executed anyways.

we could use this technique for all other packages too, if there is a GNOME package to remove and a KDE package to remove. Instead of differentiating between desktops and having dependend command trees, just print all, and the command for the wrong Distro will just abort.

I created an "Arkenfox-softening" script, because I find Arkenfox unuseable. This gives you a really secure browser with all functionality preserved.

Thunderbird the same, there is no preset for that so I bundled up some settings from various sources.

You can run the profile chooser with these commands:

flatpak run eu.betterbird.Betterbird -P
flatpak run org.mozilla.Firefox -P
flatpak run org.mozilla.Thunderbird -P

The files are just a user.js that has to be copied into the last folder used in the named directory. Firefox and Thunderbird create two profiles by default, one is unnessecary.

You could do it like that:

move the existing profile if wanted (chosen as if else after choosing "remove rpm firefox") to the right folder

mv ~/.mozilla/firefox/* ~/.var/app/org.mozilla.firefox/.mozilla/firefox

mv ~/.thunderbird/* ~/.var/app/eu.betterbird.Betterbird/.thunderbird/ #or 

mv ~/.thunderbird/* ~/.var/app/org.mozilla.Thunderbird/.thunderbird/

install thunderbird and firefox flatpak

remove the unneeded profile

rm ~/.var/app/org.mozilla.firefox/.mozilla/firefox/*.default

rm  ~/.var/app/eu.betterbird.Betterbird/.thunderbird/*.default

rm ~/.var/app/org.mozilla.Thunderbird/.thunderbird/*.default

add the user.js to the right places

# Arkenfox
wget https://raw.githubusercontent.com/arkenfox/user.js/master/user.js -P ~/.var/app/org.mozilla.firefox/.mozilla/firefox/*.default-release/

# Thunderbird hardening
wget https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/user.js ~/.var/app/org.mozilla.Thunderbird/.thunderbird/*.default-release/

# Betterbird hardening
wget https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/user.js ~/.var/app/eu.betterbird.Betterbird/.thunderbird/*.default-release/

Nice! You can also auto-create an unsafe unmodified (empty) profile as the insecure profile! This is not needed for Thunderbird, as there are no problems. Browsers are way more important and used for stuff like Banking (referrer header), WebGL, canvas stuff, bot detection...

mkdir ~/.var/app/org.mozilla.firefox/.mozilla/firefox/unsafe

printf"""[Profile2]
Name=unsafe
IsRelative=1
Path=UNSAFE
""" >> ~/.var/app/org.mozilla.firefox/.mozilla/firefox/profiles.ini

printf"""[Desktop Entry]
Comment=
Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=firefox --file-forwarding org.mozilla.firefox @@u %u @@ -P unsafe
Icon=data-warning
Name=Unsafe Firefox
StartupNotify=true
Terminal=false
Type=Application""" > ~/.local/share/applications/Unsafe-Firefox.desktop

zenity --info --text="Your default Firefox is now hardened with the Arkenfox user.js! \n You can find an unsafe Firefox in your menu,\n named \"Unsafe Firefox\"\." --title="Info"

There is a package to install to make Flatpaks use the KDE Theme. And there seems to be another one for the mouse cursor?

flatpak install -y org.kde.KStyle.Kvantum org.kde.KStyle.Adwaita

On Gnome there is a different way

flatpak install gnome org.freedesktop.Platform.Icontheme

# or, manual dirty way:

flatpak --user override com.discordapp.Discord --filesystem=/home/$USER/.icons/:ro

• installation of recommended apps (rpm)

in some laptop, especially for those alderlake, the battery drains at significant undesirable rate under s2idle suspend mode, which seem to be fixed by changing it to deep

this will use systemd service to set the threshold in /sys/class/power_supply/BAT0/charge_control_end_threshold

sudo rpm-ostree install PyQt5 lm_sensors

sudo printf """thinkpad_acpi fan_control=1""" >> /etc/modprobe.d/thinkpad_acpi.conf

• function to check if a laptop is thinkpad or not
• install dependencies and echo fan control in acpi.conf

• install multimedia codes
• install decoder for amd gpus

Boxen performs way better than Virtualbox, which is also hard to setup on fedora. The flatpak version has some problems, making it not very usable.

https://dausruddin.com/how-to-enable-clipboard-and-folder-sharing-in-qemu-kvm-on-windows-guest/

sudo rpm-ostree install gnome-boxes virt-manager #decide what to use

# Clipboard sharing
wget https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe -P ~/Downloads/

zenity --info --text=" \n "Spice-Guest-Addition" was downloaded.  \n Please move it to a USB-Stick, import it to your Windows-VM \n and install it there. Your Display may blink for a short time. " --title="Enabling Clipboard-Sync"

#Folder sharing with Cockpit ?

sudo rpm-ostree install cockpit
sudo systemctl enable --now cockpit.socket
sudo firewall-cmd --add-service=cockpit
sudo firewall-cmd --add-service=cockpit --permanent

xdg-open http://localhost:9090/ 

xdg-open https://dausruddin.com/how-to-enable-clipboard-and-folder-sharing-in-qemu-kvm-on-windows-guest/

wget https://www.spice-space.org/download/windows/spice-webdavd/spice-webdavd-x64-latest.msi -P ~/Downloads

wget https://www.spice-space.org/download/windows/spice-webdavd/spice-webdavd-x86-latest.msi -P ~/Downloads/

zenity --info --text="Please follow the tutorial on this site. \n Downloads should be already done to your Downloads directory." --title="Enabling Folder-Sync.  \n You will need a USB-Stick / SD Card / external Drive"

Guide for KeepassXC Addon

Some communication tool, work in process

Different method, blog post

The problem simply is, that apps want to communicate with each other, to have security benefits like keepassxc or comfort stuff like Gnome extensions, zotero, KDE integration, KDE Connect integration etc.

I guess if the above solution works we can automate this for every installed app wanted

• KeepassXC + Firefox
• Zotero + Firefox
• KDE Connect + Firefox
• KDE Integration + Firefox
• Gnome software + Firefox
• ...

to track issues for user and simple system wide tweaks

• #34
• #50
• #55
• #44
• #13
• #45
• #6
• #7
• #33
• #26
• #12
• #19
• #38
• #22
• #21
• variant based changes
  • kinoite
    - [ ] disable baloo
    - [ ] removal of flatpak preinstalled applications
    • #36
  • silverblue
    • disabling of gnome software from autostart
    • removal of flatpak preinstalled applications
    • #37

list tracker/for proposals of base packages that can be removed in silverblue

if the user is using wayland instead of x11 which can be determined using the env value of XDG_SESSION_TYPE, append MOZ_ENABLE_WAYLAND=1 in /etc/environment for firefox rpm. this should speed up firefox in wayland users.

while for firefox flatpak, the --socket and --env of firefox org.mozilla.firefox with sudo flatpak override:

sudo flatpak override --socket=wayland --env=MOZ_ENABLE_WAYLAND=1 org.mozilla.firefox

this defaults to system wide change, although for user, --user can be used and sudo can be removed.

ToDo:

• install waydroid as package, launch the following commands:
• init waydroid with specific parameters
• create shutdown, start and fullscreen desktop entries (have to try what is already there)
• add a delete command and notify about it somewhere useful (Waydroid folder in home?)
• install the waydroid-extras script for ARM emulation, NDK, Magisk or GAPPS (guide how to use, maybe choosable options)
• get keyboard layouts working (remount /var/lib rw, edit a .kl file, no fixes and closed issues...)
• enable autostart of waydroid (if wanted for some reason)
• mount bind folders
• fix appstarters for enabling and disabling systemd service against RAM hog
• additional bugfixes

Waydroid starting manually commands

installation of appropriate/corresponding gpu driver upon detection based on user's discretion

    Testdisk COPR repo for new updates of testdisk:

sudo dnf copr enable grenier/testdisk
sudo dnf install testdisk qphotorec

Originally posted by @trytomakeyouprivate in https://github.com/iaacornus/Fedora-OSTree-Setup/issues/6#issuecomment-1374600399

• installation of recommended flatpak apps upon confirmation by user

For me still KDE-connect does not run over a VPN

firewall-cmd --add-port 1716/tcp --permanent
firewall-cmd --add-port 1716/udp --permanent

sudo systemctl restart firewalld.service

may open enough ports for one device, this has to be optional.

the project also plans to introduce config for easy reproducible starting setup, the config would allow the user to utilize the features of the program in a fully autonomous manner

Originally posted by @iaacornus in https://github.com/iaacornus/Fedora-OSTree-Setup/issues/57#issuecomment-1454525749

I chose a created folder called ~/.scripts, so its hidden by default (I hate folders bloating home) but also recognizable as custom.

we could also use another folder If there is a better one.

• AMD improvements
• Intel improvements
• Asahi M1 ?
• Arm ?
• Tuxedo Computer repository
• Thinkfan
• Framework improvements
• Libfprint?

• #42
• #24
• #58
  • disable greetings

          Here is how to install the hardened kernel instead of the normal one. Ostree is so great for that, just remove the layering and you got your old kernel back. If something breaks, just boot into the old state.

sudo rpm-ostree override remove kernel kernel-core kernel-modules kernel-modules-extra --install kernel-hardened

Originally posted by @trytomakeyouprivate in https://github.com/iaacornus/Fedora-OSTree-Setup/issues/19#issuecomment-1407764625

• for addition:
  • R rstudio-desktop (bundle, does this work in current syntax? )
  • selinux-policy-sandbox selinux-policy-doc (does this work?)
  • virt-manager qemu qemu-kvm
• for removal:
  • geoclue2 (constantly running in background, not needed after first install, not removble), use
  • baloo (crashing always, not removable by default)
  • kwrite (obsolete using Kate)

use brightnessctl and give a default keybinding if not working out of the box

• install fish
• change default shell to fish

its soo annoying, that the Flatpak CLI doesnt remove leftover files.

Here is a bash script offering deletion of Flatpak directories with no corresponding app existing

I think we should add that and create an appstarter for it.

wget https://raw.githubusercontent.com/ChristianSilvermoon/Flatpurge/master/flatpurge -P ~/.scripts

chmod +x  ~/.scripts/*

I cant get an appstarter to open a GUI Terminal and allow interaction.

the command would be ~/.scripts/flatpurge -d

• determine if the user is running on ssd
• check if the ssd is encrypted
• determine the encrypted volume
• set --perf-no_read_workqueue --perf-no_write_workqueue --persistent to the encrypted volume

this assumes that the device is partitioned with the default fedora partition:

/dev/DEVICE/
├─/dev/DEVICEp1
├─/dev/DEVICEp2
└─/dev/DEVICEp3
  └─/dev/mapper/luks-UID

tasks were removed to avoid confusion in trackers

log: 02/03/23 3:54AM UTC+8:00