- shells: tune ab-av1 parameters
- setup: alacritty -> ptyxis and remove thunderbird-wayland
- mac-fnmode: regenerate initramfs to fix fnmode-persistent-fedora
- sshd: AcceptEnv NO_COLOR
175 lines
6.2 KiB
Markdown
# Fedora System Setup

Congratulations on your new install! Now, let's set the system up.

_Note: This document details the system level setup only. For user level setup
that is remembered in the user home directories, see
[Fedora User Setup](fedora-user-setup.md). This was originally written for
Fedora 39 and updated for Fedora 40._

Rename your system in `Settings` -> `About`.

## UEFI

Limit the battery charge to 95%.

## System packages

Your first `dnf` install will probably ask you to confirm the Fedora GPG key,
the fingerprint of which is listed at <https://fedoraproject.org/security>.

`dnf install vim-enhanced mosh keepassxc thunderbird mpv obs-studio wl-clipboard
qrencode xournalpp gstreamer1-plugins-bad-free-extras gnome-extensions-app
gnome-shell-extension-gsconnect nautilus-gsconnect kernel-tools mozilla-openh264
gstreamer1-plugin-openh264 trash-cli ripgrep gnome-tweaks goldendict-ng gcc-c++
gimp ptyxis clang clang-tools-extra bat helix fish kdiskmark kiwix-desktop
libjxl-utils torbrowser-launcher`

### As needed

`dnf install gnome-usage rlwrap mediainfo nmap xeyes progress
duperemove memtest86+ lm_sensors efitools quearcode qpdf kdenlive stress tokei
f3 exiftool datediff qalculate-gtk syncplay`

## AMD

```
sudo dnf install rocminfo rocm-smi
sudo usermod -a -G render,video $(whoami)
```
Then relog.

## Flathub apps

If you are somewhat of a FOSS purist like me and didn't enable third-party
repositories at the time of install, you may enable Flathub in Software.

Use Flatseal to lock down all of them: `dnf install flatseal`.
You may also use `flatpak permission-show` and `flatpak permission-remove` to
clear out any leftover dynamic permissions. `flatpak uninstall --delete-data`
can clear the app data.

- Mission Center
  - `flatpak install flathub io.missioncenter.MissionCenter`
  - Use Wayland and disable X11 and its fallback
- Resources
  - `flatpak install flathub net.nokyan.Resources`
  - Use Wayland and disable X11 and its fallback
  - Remove `filesystem=host` (sus)
- Video Trimmer
  - `flatpak install flathub org.gnome.gitlab.YaLTeR.VideoTrimmer`
  - Use Wayland and disable X11 and its fallback
- Bottles
  - `flatpak install flathub com.usebottles.bottles`
- Signal
  - `flatpak install flathub org.signal.Signal`
  - Use Wayland: `SIGNAL_USE_WAYLAND=1` and disable X11 and its fallback.
  - Disable `filesystem=host`. Not sure why it would ever be a good idea.
    [PR that enabled this by default](https://github.com/flathub/org.signal.Signal/pull/766)
    mentioned that "Electron broke portals" and some default settings "will
    never satisfy everyone", but that does not convince me.
  - Disable `org.freedesktop.login1`. Not sure why it's needed.
    If you know why, please let me know!
  - Turn on notifications
- Speech Note
  - `flatpak install net.mkiol.SpeechNote`
  - `flatpak install net.mkiol.SpeechNote.Addon.amd`
  - Disable X11 and fallback
  - Remove:
    - `xdg-documents`
    - `xdg-videos`
    - `xdg-music`
    - `xdg-desktop`
    - `xdg-download`
- Cameractrls
  - `flatpak install flathub hu.irl.cameractrls`
  - Disable X11 and fallback
- Denaro
  - `flatpak install flathub org.nickvision.money`
  - Disable X11 and fallback
- Ungoogled Chromium
  - `flatpak install flathub io.github.ungoogled_software.ungoogled_chromium`
  - Disable smart cards, printing system, all user files
  - Enable GPU acceleration and disable all devices
  - Remove Other files: `/run/.heim_org.h5l.kcm-socket`
  - Removing X11 will cause it to fail to launch, so don't do that.
- Minecraft (Prism Launcher)
  - `flatpak install flathub org.prismlauncher.PrismLauncher`
  - Remove `xdg-download:ro`
  - Remove `~/.ftba:ro`
  - Remove `xdg-run/app/com.discordapp.Discord:create`
  - Remove `/sys/kernel/mm/transparent_hugepage:ro`
  - Remove `/sys/kernel/mm/hugepages:ro`
  - Remove `xdg-config/kdeglobals:ro`
- Steam
  - `flatpak install flathub com.valvesoftware.Steam`
  - Remove `xdg-run/app/com.discordapp.Discord:create`
- Geekbench 6
  - `flatpak install flathub com.geekbench.Geekbench6`
  - Remove X11
  - `flatpak run com.geekbench.Geekbench6`
  - `flatpak run com.geekbench.Geekbench6 --compute vulkan`
- Slack
  - `flatpak install flathub com.slack.Slack`
  - Disable X11, enable Wayland
  - There are some
    [suspicious permissions](https://github.com/flathub/com.slack.Slack/issues/217).
    I would lock them down with Flatseal and use Wayland.
- Discord
  - `flatpak install flathub com.discordapp.Discord`
  - Remove `xdg-pictures:ro`, `xdg-videos:ro`
  - Allow background and notifications
- Zoom
  - `flatpak install flathub us.zoom.Zoom`
- WeChat
  - `flatpak install flathub com.tencent.WeChat`
  - Remove "Owns: `org.kde.*`"
  - Remove `xdg-download:ro`; why do you need to read it? Isn't write what
    you are after?

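The permissions removed by hand in the list above can also be found from the command line. The following is an added example, not part of the original document: a shell function that scans Flatpak permission keyfile text (such as the output of `flatpak info --show-permissions <app-id>`) for `filesystems=host`, the X11 sockets and `org.freedesktop.login1` bus access. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag the permissions this page removes by hand in Flatseal.
# Input (stdin): Flatpak permission keyfile text, for instance from
#   flatpak info --show-permissions org.signal.Signal
# Output: one finding per line; no output means none of the three were found.
audit_flatpak_perms() {
    awk -F= '
        /^\[/ { section = $0; next }          # remember the current [Section]
        section == "[Context]" && $1 == "sockets" {
            n = split($2, v, ";")
            for (i = 1; i <= n; i++)
                if (v[i] == "x11" || v[i] == "fallback-x11")
                    print "x11-socket " v[i]
        }
        section == "[Context]" && $1 == "filesystems" {
            n = split($2, v, ";")
            for (i = 1; i <= n; i++)
                if (v[i] ~ /^host(:|$)/)      # host, host:ro, host:create
                    print "broad-filesystem " v[i]
        }
        section ~ /Bus Policy\]$/ && $1 == "org.freedesktop.login1" {
            print "bus-access " $1 "=" $2
        }
    '
}

# Constructed sample, shaped like an app that ships with broad defaults.
sample_permissions() {
    cat <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk

[System Bus Policy]
org.freedesktop.login1=talk
EOF
}

# Command-line equivalent of the Flatseal toggles for one app (per-user override):
#   flatpak override --user --nofilesystem=host --nosocket=x11 \
#       --nosocket=fallback-x11 --socket=wayland org.signal.Signal
```
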
## SSH

In `System` -> `Secure Shell`: turn on `Secure Shell` and edit
`/etc/ssh/sshd_config` according to `system/sshd/sshd_config-rhel`, or if you
are lazy:
```
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo cp ../system/sshd/sshd_config-rhel /etc/ssh/sshd_config
```

`sudoedit /etc/ssh/sshd_config.d/00-no-gss.conf` and write
`GSSAPIAuthentication no` to override `/etc/ssh/sshd_config.d/50-redhat.conf`,
which changes the default setting for some stupid reason.
(Why does that file exist at all?? Please let me know if you have a clue.)

```
sudo systemctl reload sshd
sudo groupadd --system ssh-users
sudo usermod -aG ssh-users $(whoami)
```
Finally, log out then log in again for the `usermod` to take effect.

If you have just come from a non-SELinux distro (say the Debian family) and see
a permission denied message from `sshd` in your logs, use
`restorecon -RFv ~/.ssh` to please SELinux.

### Custom Port

If you are paranoid like me and want to put an extra layer of defense against
script kiddies' vulnerability scans over SSH, here's how you may use a custom
port for your SSH:

1. Change `Port 22` to `Port <your-port>` in `/etc/ssh/sshd_config`.
2. `sudo semanage port -a -t ssh_port_t -p tcp <your-port>`
3. `sudo systemctl reload sshd`

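To confirm that the SSH changes above took effect, the following added example (not part of the original document) checks `sshd -T` output for the expected port and for `GSSAPIAuthentication no`, and checks `semanage port -l` output for the SELinux port label. Port 2222, the function names and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify the sshd changes from this section took effect.
# sshd uses the first value it obtains for each keyword, which is why the
# drop-in is named 00-*: it has to be read before 50-redhat.conf.

# check_sshd_effective PORT
# stdin: output of `sudo sshd -T` (effective config, keywords in lower case).
# Prints each mismatch and returns non-zero if there is one.
check_sshd_effective() {
    awk -v want="$1" '
        $1 == "port"                 { ports[$2] = 1 }
        $1 == "gssapiauthentication" { gss = $2 }
        END {
            if (!(want in ports)) { print "port " want " is not active"; bad = 1 }
            if (gss != "no")      { print "gssapiauthentication is " gss; bad = 1 }
            exit bad + 0
        }'
}

# selinux_allows_port PORT
# stdin: output of `sudo semanage port -l`.
# Succeeds only if PORT is labelled ssh_port_t for tcp.
selinux_allows_port() {
    awk -v want="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)      # entries are comma separated
                if (p == want) found = 1
            }
        }
        END { exit !found }'
}

# Constructed sample outputs; 2222 stands in for <your-port>.
sample_sshd_t() {
    printf '%s\n' 'port 2222' 'gssapiauthentication no' 'acceptenv NO_COLOR'
}
sample_semanage() {
    printf '%s\n' 'ssh_port_t                     tcp      2222, 22'
}

# On a real system:
#   sudo sshd -T | check_sshd_effective 2222
#   sudo semanage port -l | selinux_allows_port 2222
```
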
## Framework 16

Put the following into `/etc/udev/rules.d/50-framework-inputmodule.rules`:
```
# Framework Laptop 16 - LED Matrix
SUBSYSTEMS=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0020", MODE="0660", TAG+="uaccess"
```
Then run `sudo udevadm control --reload && sudo udevadm trigger`