dotfiles/setup/fedora-system-setup.md
DuckDuckWhale 8d214518ff
Misc: update packages & apps, ROCm, SSH, ...
Framework LED Matrix, over amplification, Mac fnmode for Fedora, OBS CQ,
Python config for Helix and yapf3
2024-12-08 22:31:32 -08:00


Fedora System Setup

Congratulations on your new install! Now, let's set the system up.

Note: This document details the system level setup only. For user level setup that is remembered in the user home directories, see Fedora User Setup. This was originally written for Fedora 39 and has been updated for Fedora 40.

Rename your system in Settings -> About.

UEFI

Limit the battery charge to 95%.

System packages

Your first dnf install will probably ask you to confirm the Fedora GPG key. Compare the fingerprint it shows against the one published at https://fedoraproject.org/security before accepting.

dnf install vim-enhanced mosh keepassxc thunderbird-wayland mpv obs-studio wl-clipboard qrencode xournalpp gstreamer1-plugins-bad-free-extras gnome-extensions-app gnome-shell-extension-gsconnect nautilus-gsconnect kernel-tools mozilla-openh264 gstreamer1-plugin-openh264 trash-cli ripgrep gnome-tweaks goldendict-ng gcc-c++ gimp alacritty clang clang-tools-extra bat helix fish kdiskmark kiwix-desktop

As needed

dnf install gnome-usage rlwrap mediainfo nmap xeyes progress duperemove memtest86+ lm_sensors efitools quearcode qpdf kdenlive stress

AMD

sudo dnf install rocminfo rocm-smi
sudo usermod -a -G render,video $(whoami)

Then relog.

Flathub apps

If you are somewhat of a FOSS purist like me and didn't enable third party repositories at the time of install, you may enable Flathub in Software.

Use Flatseal to lock down all of them: dnf install flatseal

You may also use flatpak permission-show and flatpak permission-remove to clear out any leftover dynamic permissions. flatpak uninstall --delete-data can clear the app data.

  • Mission Center
    • flatpak install flathub io.missioncenter.MissionCenter
    • Use Wayland and disable X11 and its fallback
  • Resources
    • flatpak install flathub net.nokyan.Resources
    • Use Wayland and disable X11 and its fallback
    • Remove filesystem=host (sus)
  • Video Trimmer
    • flatpak install flathub org.gnome.gitlab.YaLTeR.VideoTrimmer
    • Use Wayland and disable X11 and its fallback
  • Bottles
    • flatpak install flathub com.usebottles.bottles
  • Signal
    • flatpak install flathub org.signal.Signal
    • Use Wayland: SIGNAL_USE_WAYLAND=1 and disable X11 and its fallback.
    • Disable filesystem=host. Not sure why it would ever be a good idea. The PR that enabled this by default mentioned that "Electron broke portals" and that some default settings "will never satisfy everyone", but that does not convince me.
    • Disable org.freedesktop.login1. Not sure why it's needed. If you know why, please let me know!
    • Turn on notifications
  • Speech Note
    • flatpak install net.mkiol.SpeechNote
    • flatpak install net.mkiol.SpeechNote.Addon.amd
    • Disable X11 and fallback
    • Remove:
      • xdg-documents
      • xdg-videos
      • xdg-music
      • xdg-desktop
      • xdg-download
  • Cameractrls
    • flatpak install flathub hu.irl.cameractrls
    • Disable X11 and fallback
  • Denaro
    • flatpak install flathub org.nickvision.money
    • Disable X11 and fallback
  • Ungoogled Chromium
    • flatpak install flathub io.github.ungoogled_software.ungoogled_chromium
    • Disable smart cards, printing system, all user files
    • Enable GPU acceleration
    • Remove Other files: /run/.heim_org.h5l.kcm-socket
  • Minecraft (Prism Launcher)
    • flatpak install flathub org.prismlauncher.PrismLauncher
    • Remove xdg-download:ro
    • Remove ~/.ftba:ro
    • Remove xdg-run/app/com.discordapp.Discord:create
    • Remove /sys/kernel/mm/transparent_hugepage:ro
    • Remove /sys/kernel/mm/hugepages:ro
    • Remove xdg-config/kdeglobals:ro
  • Steam
    • flatpak install flathub com.valvesoftware.Steam
    • Remove xdg-run/app/com.discordapp.Discord:create
  • Geekbench 6
    • flatpak install flathub com.geekbench.Geekbench6
    • Remove X11
    • flatpak run com.geekbench.Geekbench6
    • flatpak run com.geekbench.Geekbench6 --compute vulkan
  • Slack
    • flatpak install flathub com.slack.Slack
    • Disable X11, enable Wayland
    • There are some suspicious permissions. I would lock them down with Flatseal and use Wayland.
  • Discord
    • flatpak install flathub com.discordapp.Discord
    • Remove xdg-pictures:ro, xdg-videos:ro
    • Allow background and notifications
  • Zoom
    • flatpak install flathub us.zoom.Zoom
  • WeChat
    • flatpak install flathub com.tencent.WeChat
    • Remove "Owns: org.kde.*"
    • Remove xdg-download:ro; why do you need to read it? Isn't write what you are after?
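
The same review can be started from a terminal before opening Flatseal. The script below is an added example, not part of the original notes: it reads the output of flatpak info --show-permissions APP_ID and flags the grants this section removes most often (filesystem=host or home, the X11 sockets, org.freedesktop.login1 on the system bus). The helper names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag broad grants in `flatpak info --show-permissions` output.
# flag_risky, sample_perms and audit_all are hypothetical helper names.

# Reads permission keyfile text on stdin, prints one line per risky grant.
flag_risky() {
    awk -F= '
        /^\[/ { section = $0; next }   # remember [Context], [System Bus Policy], ...
        section == "[Context]" && ($1 == "filesystems" || $1 == "sockets") {
            n = split($2, items, ";")
            for (i = 1; i <= n; i++) {
                base = items[i]
                sub(/:.*/, "", base)   # drop :ro / :create suffixes
                if ($1 == "filesystems" && (base == "host" || base == "home"))
                    print "filesystem " items[i]
                if ($1 == "sockets" && (base == "x11" || base == "fallback-x11"))
                    print "socket " items[i]
            }
        }
        section == "[System Bus Policy]" && $1 == "org.freedesktop.login1" {
            print "system-bus " $1 "=" $2
        }
    '
}

# Constructed sample, shaped like the permissions of an app with broad defaults.
sample_perms() {
    cat <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;wayland;fallback-x11;pulseaudio;
filesystems=host;xdg-download:ro;

[System Bus Policy]
org.freedesktop.login1=talk
EOF
}

# Audit every installed app (requires flatpak); prefixes findings with the app ID.
audit_all() {
    flatpak list --app --columns=application | while read -r app; do
        flatpak info --show-permissions "$app" | flag_risky | sed "s|^|$app: |"
    done
}

# With no arguments, run against the sample; with --all, audit the real system.
if [ "${1:-}" = "--all" ]; then audit_all; else sample_perms | flag_risky; fi
```

Findings can then be removed in Flatseal, or with flatpak override --user --nofilesystem=host --nosocket=x11 --nosocket=fallback-x11 APP_ID, which writes the same kind of per-user override.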

SSH

In System -> Secure Shell: turn on Secure Shell and edit /etc/ssh/sshd_config according to system/sshd/sshd_config-rhel, or if you are lazy:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo cp ../system/sshd/sshd_config-rhel /etc/ssh/sshd_config

Run sudoedit /etc/ssh/sshd_config.d/00-no-gss.conf and write GSSAPIAuthentication no to override /etc/ssh/sshd_config.d/50-redhat.conf, which changes the default setting for some stupid reason. sshd keeps the first value it reads for each keyword, so the 00- prefix is what makes this file win over 50-redhat.conf. (Why does that file exist at all?? Please let me know if you have a clue.)

systemctl reload sshd
sudo groupadd --system ssh-users
sudo usermod -aG ssh-users $(whoami)

Finally, log out then log in again for the usermod to take effect.
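
Why the 00- prefix matters for the GSSAPIAuthentication override, as an added example that is not part of the original notes: sshd uses the first value it reads for a keyword and expands Include globs in lexical order. The helper names are hypothetical and the drop-in contents are constructed; the resolver ignores Match blocks and nested Includes, and it assumes the main sshd_config includes sshd_config.d/*.conf before setting the keyword itself.

```shell
#!/bin/sh
# Added example: which drop-in decides a keyword under "first value wins"?
# first_value, demo and check_live are hypothetical helper names.

# usage: first_value DIR KEYWORD  -> prints "file: value" for the deciding file
first_value() {
    dir=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    for f in "$dir"/*.conf; do                   # the glob expands in lexical order
        [ -f "$f" ] || continue
        val=$(awk -v want="$want" '
            /^[ \t]*#/ { next }                  # skip comment lines
            tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
        ' "$f")
        if [ -n "$val" ]; then
            printf '%s: %s\n' "$(basename "$f")" "$val"
            return 0
        fi
    done
    return 1
}

# Constructed demo: the two drop-ins discussed above, in a scratch directory.
# The optional argument changes the numeric prefix of the local override file.
demo() {
    d=$(mktemp -d)
    printf 'GSSAPIAuthentication yes\n' > "$d/50-redhat.conf"   # constructed stand-in
    printf '# local override\nGSSAPIAuthentication no\n' > "$d/${1:-00}-no-gss.conf"
    first_value "$d" gssapiauthentication
    rm -rf "$d"
}

# On the real machine: validate syntax, then print the value sshd will actually use.
check_live() {
    sudo sshd -t && sudo sshd -T | grep -i '^gssapiauthentication'
}

demo        # override named 00-no-gss.conf
demo 99     # same override named 99-no-gss.conf
```

Running check_live before systemctl reload sshd catches a syntax error while the current daemon is still serving logins.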

If you have just come from a non-SELinux distro (say, the Debian family) and see a permission denied message from sshd in your logs, use restorecon -RFv ~/.ssh to please SELinux.

(Don't forget to install Mosh!)

Framework 16

Put the following into /etc/udev/rules.d/50-framework-inputmodule.rules:

# Framework Laptop 16 - LED Matrix
SUBSYSTEMS=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0020", MODE="0660", TAG+="uaccess"

Then run sudo udevadm control --reload && sudo udevadm trigger