From 238e4615537ee96ead243db1317620b955ba65ec Mon Sep 17 00:00:00 2001 From: veilor Date: Thu, 30 Apr 2026 04:31:49 +0100 Subject: [PATCH] =?UTF-8?q?ks:=20keep=20KDE=20deps=20(cups/geoclue2/MM/Pac?= =?UTF-8?q?kageKit)=20=E2=80=94=20mask=20daemons=20at=20runtime=20instead?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- kickstart/veilor-os.ks | 15 +++++---------- scripts/20-harden-kernel.sh | 14 +++++++++++--- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/kickstart/veilor-os.ks b/kickstart/veilor-os.ks index c25ebf7..a07edd3 100644 --- a/kickstart/veilor-os.ks +++ b/kickstart/veilor-os.ks @@ -79,21 +79,16 @@ fontconfig freetype fira-code-fonts -# remove fluff (only items not transitively required by KDE/samba) -# Note: avahi-libs and pcsc-lite kept because libavahi-client.so.3 and PCSC libs -# are broadly required (samba, libtinysparql, gtk3, ibus). The *daemons* are -# disabled at runtime via 20-harden-kernel.sh. --cups --cups-browsed +# remove fluff +# Note: KDE Plasma 6 hard-deps on cups/geoclue2/ModemManager/PackageKit +# transitively (plasma-print-manager, xdg-desktop-portal, NM-wwan etc), +# so package removal breaks depsolve. Daemons disabled at runtime via +# scripts/20-harden-kernel.sh instead. -abrt* -snapd --geoclue2 -kde-connect -open-vm-tools-desktop --PackageKit --PackageKit-command-not-found -mlocate --ModemManager %end diff --git a/scripts/20-harden-kernel.sh b/scripts/20-harden-kernel.sh index fbaf09a..9c3eadb 100755 --- a/scripts/20-harden-kernel.sh +++ b/scripts/20-harden-kernel.sh 
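Review bot: The exclusions `-cups-browsed` and `-PackageKit-command-not-found` are dropped along with the four packages the new comment names, but the comment gives a depsolve reason only for cups, geoclue2, ModemManager and PackageKit. If those two are not hard dependencies of the Plasma stack (not verifiable from this hunk), keeping them excluded leaves less code on the image than relying on runtime disablement. The old note explaining why avahi-libs and pcsc-lite stay installed is also removed; I would keep one line of it, e.g. `# avahi-libs/pcsc-lite stay installed (library deps); their daemons are disabled in scripts/20-harden-kernel.sh`.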
@@ -106,12 +106,20 @@ EOF ok "pwquality: minlen=14, 4 classes required" # ── disable unneeded services ── -for svc in gssproxy atd pcscd.socket pcscd.service cups cups-browsed abrtd \ - abrt-journal-core abrt-xorg abrt-oops abrt-ccpp geoclue avahi-daemon \ - bluetooth ModemManager; do +# Packages stay installed (KDE depsolve), but the daemons never start. +for svc in gssproxy atd pcscd.socket pcscd.service cups cups-browsed cups.socket \ + cups.path abrtd abrt-journal-core abrt-xorg abrt-oops abrt-ccpp \ + geoclue avahi-daemon avahi-daemon.socket bluetooth ModemManager \ + packagekit packagekit-offline-update; do systemctl disable --now "$svc" 2>/dev/null && ok "disabled $svc" || true done +# Mask cups so even socket activation can't bring it up +systemctl mask cups.service cups.socket cups.path 2>/dev/null || true +systemctl mask geoclue.service 2>/dev/null || true +systemctl mask ModemManager.service 2>/dev/null || true +systemctl mask packagekit.service 2>/dev/null || true + # ── USBGuard ── info "Setting up USBGuard" rpm -q usbguard &>/dev/null || dnf install -y usbguard usbguard-tools
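Review bot: With the packages now left on the image, the mask block is the only thing keeping these daemons down, yet it omits `cups-browsed.service` (only disabled in the loop above it), and every `systemctl mask` ends in `2>/dev/null || true` with no `ok` line, so a mask that failed looks the same as one that worked. I would mask the units in one loop, include cups-browsed, and confirm the result with `systemctl is-enabled` so the log shows which units are actually masked. `avahi-daemon.socket` and `pcscd.socket` are likewise only disabled; whether they need masking depends on what else on the image can enable them, which the hunk does not show. The script continues before and after this hunk.

```shell
# … unchanged: disable loop over $svc …

# Mask units so socket, path or D-Bus activation can't bring them up,
# and report any unit that did not end up masked.
for unit in cups.service cups.socket cups.path cups-browsed.service \
            geoclue.service ModemManager.service packagekit.service; do
  systemctl mask "$unit" 2>/dev/null || true
  if [[ "$(systemctl is-enabled "$unit" 2>/dev/null)" == masked ]]; then
    ok "masked $unit"
  else
    printf 'WARNING: %s is not masked\n' "$unit" >&2
  fi
done
```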