From 71be578fe097e98453583a820baef1901145ad27 Mon Sep 17 00:00:00 2001 From: mustard Date: Sun, 22 Dec 2024 22:15:37 +0100 Subject: [PATCH] Tweaking fedora 41 gnome template --- .../etc/dconf/db/local.d/adw-gtk3-dark | 2 + .../etc/dconf/db/local.d/automount-disable | 4 + .../dconf/db/local.d/locks/automount-disable | 3 + .../etc/dconf/db/local.d/locks/privacy | 14 ++ qubes-config/etc/dconf/db/local.d/prefer-dark | 2 + qubes-config/etc/dconf/db/local.d/privacy | 2 + qubes-config/etc/dnf/dnf.conf | 11 ++ qubes-config/etc/environment | 3 + qubes-config/etc/ld.so.preload | 1 + .../limits.d/30-disable-coredump.conf | 1 + .../etc/systemd/coredump.conf.d/disable.conf | 2 + .../systemd/user/update-user-flatpaks.service | 6 + .../systemd/user/update-user-flatpaks.timer | 9 ++ qubes-config/etc/systemd/zram-generator.conf | 4 + tasks/fedora-41-template.yaml | 143 ++++++++++++++---- 15 files changed, 176 insertions(+), 31 deletions(-) create mode 100644 qubes-config/etc/dconf/db/local.d/adw-gtk3-dark create mode 100644 qubes-config/etc/dconf/db/local.d/automount-disable create mode 100644 qubes-config/etc/dconf/db/local.d/locks/automount-disable create mode 100644 qubes-config/etc/dconf/db/local.d/locks/privacy create mode 100644 qubes-config/etc/dconf/db/local.d/prefer-dark create mode 100644 qubes-config/etc/dconf/db/local.d/privacy create mode 100644 qubes-config/etc/dnf/dnf.conf create mode 100644 qubes-config/etc/environment create mode 100644 qubes-config/etc/ld.so.preload create mode 100644 qubes-config/etc/security/limits.d/30-disable-coredump.conf create mode 100644 qubes-config/etc/systemd/coredump.conf.d/disable.conf create mode 100644 qubes-config/etc/systemd/user/update-user-flatpaks.service create mode 100644 qubes-config/etc/systemd/user/update-user-flatpaks.timer create mode 100644 qubes-config/etc/systemd/zram-generator.conf 
diff --git a/qubes-config/etc/dconf/db/local.d/adw-gtk3-dark b/qubes-config/etc/dconf/db/local.d/adw-gtk3-dark
new file mode 100644
index 0000000..9babeb5
--- /dev/null
+++ b/qubes-config/etc/dconf/db/local.d/adw-gtk3-dark
@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+gtk-theme='adw-gtk3-dark'
diff --git a/qubes-config/etc/dconf/db/local.d/automount-disable b/qubes-config/etc/dconf/db/local.d/automount-disable
new file mode 100644
index 0000000..fe09af4
--- /dev/null
+++ b/qubes-config/etc/dconf/db/local.d/automount-disable
@@ -0,0 +1,4 @@
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
+autorun-never=true
diff --git a/qubes-config/etc/dconf/db/local.d/locks/automount-disable b/qubes-config/etc/dconf/db/local.d/locks/automount-disable
new file mode 100644
index 0000000..5088a40
--- /dev/null
+++ b/qubes-config/etc/dconf/db/local.d/locks/automount-disable
@@ -0,0 +1,3 @@
+org/gnome/desktop/media-handling/automount
+org/gnome/desktop/media-handling/automount-open
+/org/gnome/desktop/media-handling/autorun-never
diff --git a/qubes-config/etc/dconf/db/local.d/locks/privacy b/qubes-config/etc/dconf/db/local.d/locks/privacy
new file mode 100644
index 0000000..385883f
--- /dev/null
+++ b/qubes-config/etc/dconf/db/local.d/locks/privacy
@@ -0,0 +1,14 @@
+/org/gnome/system/location/enabled
+
+/org/gnome/desktop/privacy/remember-recent-files
+/org/gnome/desktop/privacy/remove-old-trash-files
+/org/gnome/desktop/privacy/remove-old-temp-files
+/org/gnome/desktop/privacy/report-technical-problems
+/org/gnome/desktop/privacy/send-software-usage-stats
+/org/gnome/desktop/privacy/remember-app-usage
+
+/org/gnome/online-accounts/whitelisted-providers
+
+/org/gnome/desktop/remote-desktop/rdp/enable
+
+/org/gnome/desktop/remote-desktop/vnc/enable
diff --git a/qubes-config/etc/dconf/db/local.d/prefer-dark b/qubes-config/etc/dconf/db/local.d/prefer-dark
new file mode 100644
index 0000000..3f040b5
--- /dev/null
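Review bot: The first two entries in `locks/automount-disable`, `org/gnome/desktop/media-handling/automount` and `org/gnome/desktop/media-handling/automount-open`, are missing the leading `/` that the third entry and every line of `locks/privacy` carry; dconf lock files hold absolute key paths, so I expect these two to be rejected or ignored by `dconf update`, leaving only `autorun-never` actually locked. Change them to `/org/gnome/desktop/media-handling/automount` and `/org/gnome/desktop/media-handling/automount-open`. A cheap check on a built template is `gsettings writable org.gnome.desktop.media-handling automount`, which should print `false` once the lock is in effect.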
+++ b/qubes-config/etc/dconf/db/local.d/prefer-dark
@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'
diff --git a/qubes-config/etc/dconf/db/local.d/privacy b/qubes-config/etc/dconf/db/local.d/privacy
new file mode 100644
index 0000000..3f040b5
--- /dev/null
+++ b/qubes-config/etc/dconf/db/local.d/privacy
@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'
diff --git a/qubes-config/etc/dnf/dnf.conf b/qubes-config/etc/dnf/dnf.conf
new file mode 100644
index 0000000..b1ebaf6
--- /dev/null
+++ b/qubes-config/etc/dnf/dnf.conf
@@ -0,0 +1,11 @@
+[main]
+gpgcheck=True
+installonly_limit=3
+clean_requirements_on_remove=True
+best=False
+skip_if_unavailable=True
+max_parallel_downloads=10
+deltarpm=False
+defaultyes=True
+install_weak_deps=False
+countme=False
diff --git a/qubes-config/etc/environment b/qubes-config/etc/environment
new file mode 100644
index 0000000..df0aa6c
--- /dev/null
+++ b/qubes-config/etc/environment
@@ -0,0 +1,3 @@
+JavaScriptCoreUseJIT=0
+GJS_DISABLE_JIT=1
+XDG_CURRENT_DESKTOP=GNOME
diff --git a/qubes-config/etc/ld.so.preload b/qubes-config/etc/ld.so.preload
new file mode 100644
index 0000000..fdf2d64
--- /dev/null
+++ b/qubes-config/etc/ld.so.preload
@@ -0,0 +1 @@
+libhardened_malloc.so
diff --git a/qubes-config/etc/security/limits.d/30-disable-coredump.conf b/qubes-config/etc/security/limits.d/30-disable-coredump.conf
new file mode 100644
index 0000000..4cc9012
--- /dev/null
+++ b/qubes-config/etc/security/limits.d/30-disable-coredump.conf
@@ -0,0 +1 @@
+* hard core 0
diff --git a/qubes-config/etc/systemd/coredump.conf.d/disable.conf b/qubes-config/etc/systemd/coredump.conf.d/disable.conf
new file mode 100644
index 0000000..519f838
--- /dev/null
+++ b/qubes-config/etc/systemd/coredump.conf.d/disable.conf
@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none
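Review bot: `local.d/privacy` is a byte-for-byte copy of `prefer-dark` (both hunks index as blob `3f040b5` and set only `color-scheme`), so none of the keys enumerated in `locks/privacy` receives a value in this commit. A dconf lock only pins whatever the system database already holds, which for these keys is the schema default; for a key like `remember-recent-files` that means users are locked into recent-file tracking rather than out of it. The file should set the values the locks are meant to protect and drop the duplicated `color-scheme` stanza that `prefer-dark` already provides; the sketch below uses the values I would expect, but I have not verified each default against the Fedora 41 schemas, and `online-accounts/whitelisted-providers` needs an explicit list chosen by the author before it is worth locking.

```ini
[org/gnome/system/location]
enabled=false

[org/gnome/desktop/privacy]
remember-recent-files=false
remember-app-usage=false
report-technical-problems=false
send-software-usage-stats=false
remove-old-trash-files=true
remove-old-temp-files=true

[org/gnome/desktop/remote-desktop/rdp]
enable=false

[org/gnome/desktop/remote-desktop/vnc]
enable=false
```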
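Review bot: `Storage=none` keeps systemd-coredump from saving the dump, but as far as I recall coredump.conf(5), the helper still receives the core from the kernel and writes a backtrace plus metadata into the journal; given that this commit also sets `* hard core 0`, the intent looks like no core handling at all. Add `ProcessSizeMax=0` under `[Coredump]` — the man page describes `Storage=none` together with `ProcessSizeMax=0` as disabling everything except a log entry. Keep both files, though: the limits.d rule is applied by pam_limits at session setup and so does not by itself cover services started by systemd, which is what the drop-in is for.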
diff --git a/qubes-config/etc/systemd/user/update-user-flatpaks.service b/qubes-config/etc/systemd/user/update-user-flatpaks.service
new file mode 100644
index 0000000..003310d
--- /dev/null
+++ b/qubes-config/etc/systemd/user/update-user-flatpaks.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Update user Flatpaks
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flatpak --user update -y
diff --git a/qubes-config/etc/systemd/user/update-user-flatpaks.timer b/qubes-config/etc/systemd/user/update-user-flatpaks.timer
new file mode 100644
index 0000000..f34af44
--- /dev/null
+++ b/qubes-config/etc/systemd/user/update-user-flatpaks.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Update user Flatpaks daily
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/qubes-config/etc/systemd/zram-generator.conf b/qubes-config/etc/systemd/zram-generator.conf
new file mode 100644
index 0000000..b481b97
--- /dev/null
+++ b/qubes-config/etc/systemd/zram-generator.conf
@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd
diff --git a/tasks/fedora-41-template.yaml b/tasks/fedora-41-template.yaml
index 2ef6cf3..6764a29 100644
--- a/tasks/fedora-41-template.yaml
+++ b/tasks/fedora-41-template.yaml
@@ -33,7 +33,7 @@
 
 - name: Make home directory private
 ansible.builtin.file:
- path: /home
+ path: /home/*
 state: directory
 recurse: true
 mode: '0700'
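Review bot: Nothing in this diff enables `update-user-flatpaks.timer`: a unit dropped into `/etc/systemd/user/` with `WantedBy=timers.target` only starts if it has been enabled globally (`systemctl --global enable update-user-flatpaks.timer`, i.e. a symlink under `/etc/systemd/user/timers.target.wants/`), and no task visible here creates that link, so unless one exists outside this diff the timer is inert. If that is intentional for a template, a comment in the unit saying so would help; otherwise add the enable step to the playbook after the copy. Also consider that the service runs `flatpak --user update -y` unattended in every session built on this template, including qubes with no network, where it will fail daily and fill the user journal — an `ExecCondition=` that checks for connectivity before the update would keep those quiet.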
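Review bot: `ansible.builtin.file` does not expand shell globs, so `path: /home/*` creates and chmods a literal directory named `*` under `/home` and touches no real home directory — the previous `path: /home` at least recursed into them. Enumerate the home directories with `ansible.builtin.find` and loop over them instead; dropping `recurse: true` also stops the task from stripping group/other bits from every regular file beneath the home, which the old version did as a side effect. If the recursive chmod is actually wanted, keep `recurse: true` in the loop version.

```yaml
- name: Find home directories
  ansible.builtin.find:
    paths: /home
    file_type: directory
    recurse: false
  register: home_dirs

- name: Make home directory private
  ansible.builtin.file:
    path: '{{ item.path }}'
    state: directory
    mode: '0700'
  loop: '{{ home_dirs.files }}'
```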
@@ -61,22 +61,22 @@
 
 - name: Disable coredump
 ansible.builtin.copy:
- src: '/etc/security/limits.d/30-disable-coredump.conf'
+ src: '../qubes-config/etc/security/limits.d/30-disable-coredump.conf'
 dest: '/etc/security/limits.d/30-disable-coredump.conf'
 mode: '0644'
- - name: Create coredump.conf.d
+ - name: Create coredump.conf.d
 ansible.builtin.file:
 path: '/etc/systemd/coredump.conf.d'
 state: 'directory'
 mode: '0755'
 - name: Copy disable.conf
 ansible.builtin.copy:
- src: '/etc/systemd/coredump.conf.d/disable.conf'
+ src: '../qubes-config/etc/systemd/coredump.conf.d/disable.conf'
 dest: '/etc/systemd/coredump.conf.d/disable.conf'
 mode: '0644'
 - name: Make locks dir for dconf
 ansible.builtin.file:
- path: '/etc/dconf/db/local.d/locks'
+ path: '../qubes-config/etc/dconf/db/local.d/locks'
 state: 'directory'
 mode: '0755'
 - name: copy dconf file 1
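Review bot: The `path` of "Make locks dir for dconf" was rewritten together with the `src` lines, but for `ansible.builtin.file` `path` is the location on the managed host, so this task now creates `../qubes-config/etc/dconf/db/local.d/locks` relative to the remote working directory and no longer creates `/etc/dconf/db/local.d/locks` in the template. Only the `src:` of the copy tasks should have moved to `../qubes-config/...`; restore `path: '/etc/dconf/db/local.d/locks'`. Separately, a relative `src` is resolved against the playbook (or role `files/`) directory, so `../qubes-config` only works if the playbook that includes this task file lives one level below the repository root — worth confirming, since a wrong base path fails at copy time rather than at parse time.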
@@ -136,23 +136,49 @@
 dest: '/etc/environment'
 mode: '0600'
 
- - name: Mark packages as manually installed to avoid removal
- shell: 'sudo dnf mark install flatpak gnome-menus qubes-menus'
+ - name: Upgrade all packages
+ ansible.builtin.dnf5:
+ name: "*"
+ state: latest
 
- - name: Remove unwanted groups as well as unnecessary stuff from the template
- ansible.builtin.dnf:
+ - name: Mark packages as manually installed to avoid removal
+ shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+
+ - name: Remove unnecessary stuff from the template
+ ansible.builtin.dnf5:
 name:
 - '@Container Management'
 - '@Desktop Accessibility'
 - '@Firefox Web Browser'
+ - '@Guest Desktop Agents'
+ - '@Libreoffice'
+ - '@Printing Support'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove unnecessary stuff
+ ansible.builtin.dnf5:
+ name:
 - 'gnome-software'
 - 'httpd'
 - 'keepassxc'
 - 'thunderbird'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove firefox packages
+ ansible.builtin.dnf5:
+ name:
 - 'fedora-bookmarks'
 - 'fedora-chromium-config'
 - 'firefox'
 - 'mozilla-filesystem'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove Network + hardware tools packages
+ ansible.builtin.dnf5:
+ name:
 - 'avahi'
 - 'cifs*'
 - '*cups'
@@ -173,6 +199,12 @@
 - 'teamd'
 - 'traceroute'
 - 'usb_modeswitch'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove support for some languages
+ ansible.builtin.dnf5:
+ name:
 - '*anthy*'
 - '*hangul*'
 - 'ibus-typing-booster'
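Review bot: `dnf mark user` only protects `flatpak`, `gnome-menus` and `qubes-menus` from `autoremove`; it does nothing against dependency-driven removal, and the new tasks remove whole groups (`@Guest Desktop Agents`, `@Printing Support`) plus wildcard specs (`cifs*`, `*cups`) with `allowerasing: true` and `autoremove: true`, which takes out any installed package that requires them. On a Qubes template that is the class of mistake that yields a VM without a GUI or qrexec agent, so add a post-removal assertion such as `ansible.builtin.command: rpm -q qubes-core-agent qubes-gui-agent` with `changed_when: false`, so the build fails loudly instead of producing a template that cannot start. Separately, the mark task hard-codes `sudo` inside `shell` while the neighbouring `dnf5` tasks rely on the play's privilege escalation; `ansible.builtin.command: dnf mark user flatpak gnome-menus qubes-menus` with `become: true` and a `changed_when` avoids the shell layer and the hidden dependency on passwordless sudo.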
@@ -182,11 +214,23 @@
 - 'texlive-libs'
 - ' words'
 - '*zhuyin*'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove codec + image + printers
+ ansible.builtin.dnf5:
+ name:
 - 'openh264'
 - 'ImageMagick*'
 - 'sane*'
 - 'simple-scan'
- - 'sssd*'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove Active Directory + Sysadmin + reporting tools
+ ansible.builtin.dnf5:
+ name:
+ - 'sssd*'
 - 'realmd'
 - 'cyrus-sasl-gssapi'
 - 'quota*'
@@ -195,6 +239,12 @@
 - 'sos'
 - 'samba-client'
 - 'gvfs-smb'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove NetworkManager
+ ansible.builtin.dnf5:
+ name:
 - 'NetworkManager-pptp-gnome'
 - 'NetworkManager-ssh-gnome'
 - 'NetworkManager-openconnect-gnome'
@@ -202,6 +252,12 @@
 - 'NetworkManager-vpnc-gnome'
 - 'ppp*'
 - 'ModemManager'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove Gnome apps
+ ansible.builtin.dnf5:
+ name:
 - 'baobab'
 - 'chrome-gnome-shell'
 - 'eog'
@@ -234,6 +290,12 @@
 - 'loupe'
 - 'snapshot'
 - 'totem'
+ state: 'absent'
+ allowerasing: true
+ autoremove: true
+ - name: Remove apps
+ ansible.builtin.dnf5:
+ name:
 - 'abrt*'
 - 'cheese'
 - 'evince'
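Review bot: The language-removal list carries `- ' words'` (note the leading space inside the quotes) unchanged into the new "Remove support for some languages" task; dnf5 receives the literal spec ` words`, which matches no package, so `words` itself is never removed and, depending on how the dnf5 module treats an unmatched spec with `state: absent`, the task may fail outright. It should read `- 'words'`. This is a pre-existing line the commit only moves, so I flag it rather than blame the change, but splitting the removals into separate tasks is the moment to fix it.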
@@ -242,38 +304,45 @@ - 'mediawriter' - 'rhythmbox' - 'yelp' + state: 'absent' + allowerasing: true + autoremove: true + - name: Remove other packages + ansible.builtin.dnf5: + name: - 'lvm2' - 'rng-tools' - 'thermald' - '*perl*' - - state: 'absent' + allowerasing: true autoremove: true - name: Disable openh264 repo (y tho?) - community.general.dnf_config_manager: - name: 'fedora-cisco-openh264' - state: disabled + shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0' + # community.general.dnf_config_manager: + # name: 'fedora-cisco-openh264' + # state: disabled - name: Install custom packages - ansible.builtin.dnf: - name: - - 'qubes-ctap' - - 'qubes-gpg-split' - - 'adw-gtk3-theme' - - 'ncurses' - - 'gnome-shell' - - 'ptyxis' - state: 'present' - - Enable hardened_malloc COPR - community.general.copr: - name: 'secureblue/hardened_malloc' - state: 'enabled' + ansible.builtin.dnf5: + name: + - 'qubes-ctap' + - 'qubes-gpg-split' + - 'adw-gtk3-theme' + - 'ncurses' + - 'gnome-shell' + - 'ptyxis' + state: 'present' + - name: Enable hardened_malloc COPR + shell: 'sudo dnf copr enable secureblue/hardened_malloc -y' + # + # name: 'secureblue/hardened_malloc' + # state: 'enabled' - name: Install hardened_malloc - ansible.builtin.dnf: - name: 'hardened_malloc' - state: 'present' + ansible.builtin.dnf5: + name: 'hardened_malloc' + state: 'present' - name: Enable hardened_malloc ansible.builtin.copy: @@ -290,4 +359,16 @@ dest: '/etc/dnf/dnf.conf' mode: '0644' + - name: Get list of files + ansible.builtin.find: + paths: /etc/yum.repos.d/ + recurse: true + register: found_files + + - name: Replace text in those files + ansible.builtin.replace: + path: '{{ item.path }}' + regexp: '^metalink=.*' + replace: '&\&protocol=https' + loop: '{{ found_files.files }}'
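Review bot: Enabling a COPR with `sudo dnf copr enable secureblue/hardened_malloc -y` from `shell` and then preloading that repo's library system-wide via `/etc/ld.so.preload` makes a third-party repository, whose signing key is fetched at enable time, the most trusted code in the image, and the commit adds no verification step between the two. The `shell` form is also not idempotent and has no `creates`/`changed_when`, unlike the `community.general.copr` task it replaces; if the collection dependency is the reason for the switch, at least add `args: { creates: '/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo' }` (path per the dnf copr plugin's naming — verify on a built template). Before the ld.so.preload copy it is worth asserting that `hardened_malloc` is installed and signed, e.g. `rpm -q --qf '%{SIGPGP:pgpsig}\n' hardened_malloc`, since a missing `libhardened_malloc.so` named in the preload file makes every exec on the system log a loader error. The same `shell`-with-`sudo` remark applies to the new `dnf config-manager setopt` task.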
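Review bot: The replacement string `'&\&protocol=https'` does not append anything: Ansible's `replace` module uses Python `re.sub`, where `&` has no special meaning and `\&` is left as-is, so every `metalink=` line under `/etc/yum.repos.d/` is overwritten with the literal text `&\&protocol=https`, leaving each repo with no metalink or baseurl — and with `skip_if_unavailable=True` in the new dnf.conf such repos are skipped quietly instead of failing loudly. Capture the line and append to it, and make the pattern idempotent so re-running the play does not append the parameter a second time. The `find` task's `recurse: true` is harmless but unnecessary for a flat `.repo` directory; a `patterns: '*.repo'` filter would also keep the loop from touching unrelated files.

```yaml
- name: Force https mirrors for metalink repos
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: '^(metalink=(?!.*[?&]protocol=https).*)$'
    replace: '\1&protocol=https'
  loop: '{{ found_files.files }}'
```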