veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

ks: keep KDE deps (cups/geoclue2/MM/PackageKit) — mask daemons at runtime instead

Browse source
This commit is contained in:
veilor 2026-04-30 04:31:49 +01:00
parent ec79dc1746
commit 238e461553
2 changed files with 16 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
kickstart/veilor-os.ks
View file

@ -79,21 +79,16 @@ fontconfig
freetype freetype
fira-code-fonts fira-code-fonts
# remove fluff (only items not transitively required by KDE/samba) # remove fluff
# Note: avahi-libs and pcsc-lite kept because libavahi-client.so.3 and PCSC libs # Note: KDE Plasma 6 hard-deps on cups/geoclue2/ModemManager/PackageKit
# are broadly required (samba, libtinysparql, gtk3, ibus). The *daemons* are # transitively (plasma-print-manager, xdg-desktop-portal, NM-wwan etc),
# disabled at runtime via 20-harden-kernel.sh. # so package removal breaks depsolve. Daemons disabled at runtime via
-cups # scripts/20-harden-kernel.sh instead.
-cups-browsed
-abrt* -abrt*
-snapd -snapd
-geoclue2
-kde-connect -kde-connect
-open-vm-tools-desktop -open-vm-tools-desktop
-PackageKit
-PackageKit-command-not-found
-mlocate -mlocate
-ModemManager
%end %end

14
scripts/20-harden-kernel.sh
View file

@ -106,12 +106,20 @@ EOF
ok "pwquality: minlen=14, 4 classes required" ok "pwquality: minlen=14, 4 classes required"
# ── disable unneeded services ── # ── disable unneeded services ──
for svc in gssproxy atd pcscd.socket pcscd.service cups cups-browsed abrtd \ # Packages stay installed (KDE depsolve), but the daemons never start.
abrt-journal-core abrt-xorg abrt-oops abrt-ccpp geoclue avahi-daemon \ for svc in gssproxy atd pcscd.socket pcscd.service cups cups-browsed cups.socket \
bluetooth ModemManager; do cups.path abrtd abrt-journal-core abrt-xorg abrt-oops abrt-ccpp \
geoclue avahi-daemon avahi-daemon.socket bluetooth ModemManager \
packagekit packagekit-offline-update; do
systemctl disable --now "$svc" 2>/dev/null && ok "disabled $svc" || true systemctl disable --now "$svc" 2>/dev/null && ok "disabled $svc" || true
done done
# Mask cups so even socket activation can't bring it up
systemctl mask cups.service cups.socket cups.path 2>/dev/null || true
systemctl mask geoclue.service 2>/dev/null || true
systemctl mask ModemManager.service 2>/dev/null || true
systemctl mask packagekit.service 2>/dev/null || true
# ── USBGuard ── # ── USBGuard ──
info "Setting up USBGuard" info "Setting up USBGuard"
rpm -q usbguard &>/dev/null || dnf install -y usbguard usbguard-tools rpm -q usbguard &>/dev/null || dnf install -y usbguard usbguard-tools