Tweaking fedora 41 gnome template

qubes-config/etc/dconf/db/local.d/adw-gtk3-dark

@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+gtk-theme='adw-gtk3-dark'

qubes-config/etc/dconf/db/local.d/automount-disable

@@ -0,0 +1,4 @@
+[org/gnome/desktop/media-handling]
+automount=false
+automount-open=false
+autorun-never=true

qubes-config/etc/dconf/db/local.d/locks/automount-disable

@@ -0,0 +1,3 @@
+org/gnome/desktop/media-handling/automount
+org/gnome/desktop/media-handling/automount-open
+/org/gnome/desktop/media-handling/autorun-never

qubes-config/etc/dconf/db/local.d/locks/privacy

@@ -0,0 +1,14 @@
+/org/gnome/system/location/enabled
+
+/org/gnome/desktop/privacy/remember-recent-files
+/org/gnome/desktop/privacy/remove-old-trash-files
+/org/gnome/desktop/privacy/remove-old-temp-files
+/org/gnome/desktop/privacy/report-technical-problems
+/org/gnome/desktop/privacy/send-software-usage-stats
+/org/gnome/desktop/privacy/remember-app-usage
+
+/org/gnome/online-accounts/whitelisted-providers
+
+/org/gnome/desktop/remote-desktop/rdp/enable
+
+/org/gnome/desktop/remote-desktop/vnc/enable

qubes-config/etc/dconf/db/local.d/prefer-dark

@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'

qubes-config/etc/dconf/db/local.d/privacy

@@ -0,0 +1,2 @@
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'

qubes-config/etc/dnf/dnf.conf

@@ -0,0 +1,11 @@
+[main]
+gpgcheck=True
+installonly_limit=3
+clean_requirements_on_remove=True
+best=False
+skip_if_unavailable=True
+max_parallel_downloads=10
+deltarpm=False
+defaultyes=True
+install_weak_deps=False
+countme=False

qubes-config/etc/environment

@@ -0,0 +1,3 @@
+JavaScriptCoreUseJIT=0
+GJS_DISABLE_JIT=1
+XDG_CURRENT_DESKTOP=GNOME

qubes-config/etc/ld.so.preload

@@ -0,0 +1 @@
+libhardened_malloc.so

qubes-config/etc/security/limits.d/30-disable-coredump.conf

@@ -0,0 +1 @@
+* hard core 0

qubes-config/etc/systemd/coredump.conf.d/disable.conf

@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none

qubes-config/etc/systemd/user/update-user-flatpaks.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Update user Flatpaks
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flatpak --user update -y

qubes-config/etc/systemd/user/update-user-flatpaks.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Update user Flatpaks daily
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target

qubes-config/etc/systemd/zram-generator.conf

@@ -0,0 +1,4 @@
+[zram0]
+zram-fraction = 1
+max-zram-size = 8192
+compression-algorithm = zstd

tasks/fedora-41-template.yaml

@@ -33,7 +33,7 @@
 
    - name: Make home directory private
      ansible.builtin.file:
-       path: /home
+       path: /home/*
        state: directory
        recurse: true
        mode: '0700'
@@ -61,22 +61,22 @@
 
    - name: Disable coredump
      ansible.builtin.copy:
-       src: '/etc/security/limits.d/30-disable-coredump.conf'
+       src: '../qubes-config/etc/security/limits.d/30-disable-coredump.conf'
        dest: '/etc/security/limits.d/30-disable-coredump.conf'
        mode: '0644'
-   - name: Create coredump.conf.d  
+   - name: Create coredump.conf.d
      ansible.builtin.file:
        path: '/etc/systemd/coredump.conf.d'
        state: 'directory'
        mode: '0755'
    - name: Copy disable.conf
      ansible.builtin.copy:
-       src: '/etc/systemd/coredump.conf.d/disable.conf'
+       src: '../qubes-config/etc/systemd/coredump.conf.d/disable.conf'
        dest: '/etc/systemd/coredump.conf.d/disable.conf'
        mode: '0644'
    - name: Make locks dir for dconf
      ansible.builtin.file:
-       path: '/etc/dconf/db/local.d/locks'
+       path: '../qubes-config/etc/dconf/db/local.d/locks'
        state: 'directory'
        mode: '0755'
    - name: copy dconf file 1
@@ -136,23 +136,49 @@
        dest: '/etc/environment'
        mode: '0600'
 
-   - name: Mark packages as manually installed to avoid removal
+   - name: Upgrade all packages
-     shell: 'sudo dnf mark install flatpak gnome-menus qubes-menus'
+     ansible.builtin.dnf5:
+       name: "*"
+       state: latest
 
-   - name: Remove unwanted groups as well as unnecessary stuff from the template
+   - name: Mark packages as manually installed to avoid removal
-     ansible.builtin.dnf:
+     shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+
+   - name: Remove unnecessary stuff from the template
+     ansible.builtin.dnf5:
        name:
          - '@Container Management'
          - '@Desktop Accessibility'
          - '@Firefox Web Browser'
+         - '@Guest Desktop Agents'
+         - '@Libreoffice'
+         - '@Printing Support'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove unnecessary stuff
+     ansible.builtin.dnf5:
+       name:
          - 'gnome-software'
          - 'httpd'
          - 'keepassxc'
          - 'thunderbird'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove firefox packages
+     ansible.builtin.dnf5:
+       name:
          - 'fedora-bookmarks'
          - 'fedora-chromium-config'
          - 'firefox'
          - 'mozilla-filesystem'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove Network + hardware tools packages
+     ansible.builtin.dnf5:
+       name:
          - 'avahi'
          - 'cifs*'
          - '*cups'
@@ -173,6 +199,12 @@
          - 'teamd'
          - 'traceroute'
          - 'usb_modeswitch'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove support for some languages
+     ansible.builtin.dnf5:
+       name:
          -  '*anthy*'
          - '*hangul*'
          - 'ibus-typing-booster'
@@ -182,11 +214,23 @@
          - 'texlive-libs'
          - ' words'
          - '*zhuyin*'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove codec + image + printers
+     ansible.builtin.dnf5:
+       name:
          - 'openh264'
          - 'ImageMagick*'
          - 'sane*'
          - 'simple-scan'
-         -  'sssd*'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove Active Directory + Sysadmin + reporting tools
+     ansible.builtin.dnf5:
+       name:
+         - 'sssd*'
          - 'realmd'
          - 'cyrus-sasl-gssapi'
          - 'quota*'
@@ -195,6 +239,12 @@
          - 'sos'
          - 'samba-client'
          - 'gvfs-smb'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove NetworkManager
+     ansible.builtin.dnf5:
+       name:
          - 'NetworkManager-pptp-gnome'
          - 'NetworkManager-ssh-gnome'
          - 'NetworkManager-openconnect-gnome'
@@ -202,6 +252,12 @@
          - 'NetworkManager-vpnc-gnome'
          - 'ppp*'
          - 'ModemManager'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove Gnome apps
+     ansible.builtin.dnf5:
+       name:
          - 'baobab'
          - 'chrome-gnome-shell'
          - 'eog'
@@ -234,6 +290,12 @@
          - 'loupe'
          - 'snapshot'
          - 'totem'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove apps
+     ansible.builtin.dnf5:
+       name:
          - 'abrt*'
          - 'cheese'
          - 'evince'
@@ -242,38 +304,45 @@
          - 'mediawriter'
          - 'rhythmbox'
          - 'yelp'
+       state: 'absent'
+       allowerasing: true
+       autoremove: true
+   - name: Remove other packages
+     ansible.builtin.dnf5:
+       name:
          - 'lvm2'
          - 'rng-tools'
          - 'thermald'
          - '*perl*'
-
-
        state: 'absent'
+       allowerasing: true
        autoremove: true
 
    - name: Disable openh264 repo (y tho?)
-     community.general.dnf_config_manager:
+     shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0'
-     name: 'fedora-cisco-openh264'
+    #     community.general.dnf_config_manager:
-     state: disabled
+     #  name: 'fedora-cisco-openh264'
+      # state: disabled
 
    - name: Install custom packages
-     ansible.builtin.dnf:
+     ansible.builtin.dnf5:
-     name:
+       name:
-       - 'qubes-ctap'
+         - 'qubes-ctap'
-       - 'qubes-gpg-split'
+         - 'qubes-gpg-split'
-       - 'adw-gtk3-theme'
+         - 'adw-gtk3-theme'
-       - 'ncurses'
+         - 'ncurses'
-       - 'gnome-shell'
+         - 'gnome-shell'
-       - 'ptyxis'
+         - 'ptyxis'
-     state: 'present'
+       state: 'present'
-   - Enable hardened_malloc COPR
+   - name: Enable hardened_malloc COPR
-     community.general.copr:
+     shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
-       name: 'secureblue/hardened_malloc'
+     # 
-       state: 'enabled'
+     #  name: 'secureblue/hardened_malloc'
+     #  state: 'enabled'
    - name: Install hardened_malloc
-     ansible.builtin.dnf:
+     ansible.builtin.dnf5:
-     name: 'hardened_malloc'
+       name: 'hardened_malloc'
-     state: 'present'
+       state: 'present'
 
    - name: Enable hardened_malloc
      ansible.builtin.copy:
@@ -290,4 +359,16 @@
        dest: '/etc/dnf/dnf.conf'
        mode: '0644'
 
+   - name: Get list of files
+     ansible.builtin.find:
+       paths: /etc/yum.repos.d/
+       recurse: true
+     register: found_files
+
+   - name: Replace text in those files
+     ansible.builtin.replace:
+       path: '{{ item.path }}'
+       regexp: '^metalink=.*'
+       replace: '&\&protocol=https'
+     loop: '{{ found_files.files }}'