dotfiles/setup/fedora-system-setup.md

# Fedora System Setup

Congratulations on your new install!  Now, let's set the system up.

_Note: This document details the system level setup only.  For user level setup
that is remembered in the user home directories, see
[Fedora User Setup](fedora-user-setup.md).  This is originally written for
Fedora 39 and updated to Fedora 40._

Rename your system in `Settings` -> `About`.

## UEFI

Limit the battery charge to 95%.

## System packages

Your first `dnf` install would probably ask you to confirm the Fedora GPG key,
which you may find the fingerprint of at <https://fedoraproject.org/security>.

`dnf install vim-enhanced mosh keepassxc thunderbird-wayland mpv obs-studio
wl-clipboard qrencode xournalpp gstreamer1-plugins-bad-free-extras
gnome-extensions-app gnome-shell-extension-gsconnect nautilus-gsconnect
kernel-tools mozilla-openh264 gstreamer1-plugin-openh264 trash-cli ripgrep
gnome-tweaks goldendict-ng gcc-c++ gimp alacritty clang clang-tools-extra bat
helix fish kdiskmark kiwix-desktop`

### As needed

`dnf install gnome-usage install rlwrap mediainfo nmap xeyes progress
duperemove memtest86+ lm_sensors efitools quearcode qpdf kdenlive stress`

## AMD

```
sudo dnf install rocminfo rocm-smi
sudo usermod -a -G render,video $(whoami)
````
Then relog.

## Flathub apps

If you are somewhat of a FOSS purist like me and didn't enable third party
repositories at the time of install, you may enable Flathub in Software.

Use Flatseal to lock down all of them: `dnf install flatseal`
You may also use `flatpak permission-show` and `flatpak permission-remove` to
clear out any left over dynamic permissions.  `flatpak uninstall --delete-data`
can clear the app data.

- Mission Center
    - `flatpak install flathub io.missioncenter.MissionCenter`
    - Use Wayland and disable X11 and its fallback
- Resources
    - `flatpak install flathub net.nokyan.Resources`
    - Use Wayland and disable X11 and its fallback
    - Remove `filesystem=host` (sus)
- Video Trimmer
	- `flatpak install flathub org.gnome.gitlab.YaLTeR.VideoTrimmer`
	- Use Wayland and disable X11 and its fallback
- Bottles
	- `flatpak install flathub com.usebottles.bottles`
- Signal
	- `flatpak install flathub org.signal.Signal`
	- Use Wayland: `SIGNAL_USE_WAYLAND=1` and disable X11 and its fallback.
	- Disable `filesystem=host`.  Not sure why it would ever be a good idea.
	  [PR that enabled this by default
	  ](https://github.com/flathub/org.signal.Signal/pull/766) mentioned that
	  "Electron broke portals" and some default settings "will never satisfy
	  everyone", but that does not convince me.
	- Disable `org.freedesktop.login1`.  Not sure why it's needed.
	  If you know why, please let me know!
	- Turn on notifications
- Speech Note
	- `flatpak install net.mkiol.SpeechNote`
	- `flatpak install net.mkiol.SpeechNote.Addon.amd`
	- Disable X11 and fallback
	- Remove:
		- `xdg-documents`
		- `xdg-videos`
		- `xdg-music`
		- `xdg-desktop`
		- `xdg-download`
- Cameractrls
	- `flatpak install flathub hu.irl.cameractrls`
	- Disable X11 and fallback
- Denaro
	- `flatpak install flathub org.nickvision.money`
	- Disable X11 and fallback
- Ungoogled Chromium
	- `flatpak install flathub io.github.ungoogled_software.ungoogled_chromium`
	- Disable smart cards, printing system, all user files
	- Enable GPU acceleration
	- Remove Other files: `/run/.heim_org.h5l.kcm-socket`
- Minecraft (Prism Launcher)
	- `flatpak install flathub org.prismlauncher.PrismLauncher`
	- Remove `xdg-download:ro`
	- Remove `~/.ftba:ro`
	- Remove `xdg-run/app/com.discordapp.Discord:create`
	- Remove `/sys/kernel/mm/transparent_hugepage:ro`
	- Remove `/sys/kernel/mm/hugepages:ro`
	- Remove `xdg-config/kdeglobals:ro`
- Steam
	- `flatpak install flathub com.valvesoftware.Steam`
	- Remove `xdg-run/app/com.discordapp.Discord:create`
- Geekbench 6
    - `flatpak install flathub com.geekbench.Geekbench6`
    - Remove X11
    - `flatpak run com.geekbench.Geekbench6`
    - `flatpak run com.geekbench.Geekbench6 --compute vulkan`
- Slack
	- `flatpak install flathub com.slack.Slack`
	- Disable X11, enable Wayland
	- There are some
	  [suspicious permissions](https://github.com/flathub/com.slack.Slack/issues/217).
	  I would lock them down with Flatseal and use Wayland.
- Discord
	- `flatpak install flathub com.discordapp.Discord`
	- Remove `xdg-pictures:ro`, `xdg-videos:ro`
	- Allow background and notifications
- Zoom
	- `flatpak install flathub us.zoom.Zoom`
- WeChat
	- `flatpak install flathub com.tencent.WeChat`
	- Remove "Owns: `org.kde.*`"
	- Remove `xdg-download:ro`; why do you need to read it?  Isn't write what
	  you are after?

## SSH

In `System` -> `Secure Shell`: turn on `Secure Shell` and edit
`/etc/ssh/sshd_config` according to `system/sshd/sshd_config-rhel`, or if you
are lazy:
```
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo cp ../system/sshd/sshd_config-rhel /etc/ssh/sshd_config
```

`sudoedit /etc/ssh/sshd_config.d/00-no-gss.conf` and write
`GSSAPIAuthentication no` to override `/etc/ssh/sshd_config.d/50-redhat.conf`,
which changes the default setting for some stupid reason.
(Why does that file exist at all??  Please let me know if you have a clue.)

```
systemctl reload sshd
sudo groupadd --system ssh-users
sudo usermod -aG ssh-users $(whoami)
```
Finally, log out then log in again for the `usermod` to take effect.

If you have just came from a non-SELinux distro (say the Debian family) and see
a permission denied message from `sshd` in your logs, use
`restorecon -RFv ~/.ssh` to please SELinux.

(Don't forget to install Mosh!)

## Framework 16

Put the following into `/etc/udev/rules.d/50-framework-inputmodule.rules`:
```
# Framework Laptop 16 - LED Matrix
SUBSYSTEMS=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0020", MODE="0660", TAG+="uaccess"
```
Then run `sudo udevadm control --reload && sudo udevadm trigger`