ks: keep KDE deps (cups/geoclue2/MM/PackageKit) — mask daemons at runtime instead

2026-04-30 04:31:49 +01:00 · 2026-04-30 04:31:49 +01:00 · 238e461553
commit 238e461553
parent ec79dc1746
2 changed files with 16 additions and 13 deletions
--- a/kickstart/veilor-os.ks
+++ b/kickstart/veilor-os.ks
@ -79,21 +79,16 @@ fontconfig
 freetype
 fira-code-fonts

-# remove fluff (only items not transitively required by KDE/samba)
-# Note: avahi-libs and pcsc-lite kept because libavahi-client.so.3 and PCSC libs
-# are broadly required (samba, libtinysparql, gtk3, ibus). The *daemons* are
-# disabled at runtime via 20-harden-kernel.sh.
-cups
-cups-browsed
+# remove fluff
+# Note: KDE Plasma 6 hard-deps on cups/geoclue2/ModemManager/PackageKit
+# transitively (plasma-print-manager, xdg-desktop-portal, NM-wwan etc),
+# so package removal breaks depsolve. Daemons disabled at runtime via
+# scripts/20-harden-kernel.sh instead.
 -abrt*
 -snapd
-geoclue2
 -kde-connect
 -open-vm-tools-desktop
-PackageKit
-PackageKit-command-not-found
 -mlocate
-ModemManager

 %end

--- a/scripts/20-harden-kernel.sh
+++ b/scripts/20-harden-kernel.sh
@ -106,12 +106,20 @@ EOF
 ok "pwquality: minlen=14, 4 classes required"

 # ── disable unneeded services ──
-for svc in gssproxy atd pcscd.socket pcscd.service cups cups-browsed abrtd \
-           abrt-journal-core abrt-xorg abrt-oops abrt-ccpp geoclue avahi-daemon \
-           bluetooth ModemManager; do
+# Packages stay installed (KDE depsolve), but the daemons never start.
+for svc in gssproxy atd pcscd.socket pcscd.service cups cups-browsed cups.socket \
+           cups.path abrtd abrt-journal-core abrt-xorg abrt-oops abrt-ccpp \
+           geoclue avahi-daemon avahi-daemon.socket bluetooth ModemManager \
+           packagekit packagekit-offline-update; do
    systemctl disable --now "$svc" 2>/dev/null && ok "disabled $svc" || true
 done

+# Mask cups so even socket activation can't bring it up
+systemctl mask cups.service cups.socket cups.path 2>/dev/null || true
+systemctl mask geoclue.service 2>/dev/null || true
+systemctl mask ModemManager.service 2>/dev/null || true
+systemctl mask packagekit.service 2>/dev/null || true
+
 # ── USBGuard ──
 info "Setting up USBGuard"
 rpm -q usbguard &>/dev/null || dnf install -y usbguard usbguard-tools