diff --git a/iso/airootfs/etc/calamares/post-install.sh b/iso/airootfs/etc/calamares/post-install.sh
index 87b5f63..e318ed1 100644
--- a/iso/airootfs/etc/calamares/post-install.sh
+++ b/iso/airootfs/etc/calamares/post-install.sh
@@ -100,11 +100,33 @@ fi
 # ---------------------------------------------------------------------------
 for unit in NetworkManager.service bluetooth.service systemd-timesyncd.service \
 tlp.service greetd.service snapper-cleanup.timer grub-btrfsd.service \
- fstrim.timer cups.socket; do
+ fstrim.timer cups.socket avahi-daemon.service ufw.service \
+ fwupd-refresh.timer reflector.timer; do
 systemctl enable "$unit" || echo "WARN: failed to enable $unit"
 done
 systemctl set-default graphical.target || echo "WARN: set-default graphical failed"
+# ---------------------------------------------------------------------------
+# mDNS resolution (nss-mdns): insert mdns_minimal into the hosts: line so the
+# resolver answers *.local (network printers, other hosts) via avahi. Idempotent.
+# ---------------------------------------------------------------------------
+if [[ -f /etc/nsswitch.conf ]] && ! grep -q 'mdns_minimal' /etc/nsswitch.conf; then
+ sed -i 's/^\(hosts:[[:space:]]*\)/\1mdns_minimal [NOTFOUND=return] /' \
+ /etc/nsswitch.conf || echo "WARN: wiring nss-mdns failed"
+fi
+
+# ---------------------------------------------------------------------------
+# Firewall: deny inbound by default, allow outbound, and permit inbound mDNS so
+# avahi printer/service discovery keeps working. Best-effort — rule application
+# happens at boot; here we only persist the policy + enable the unit.
+# ---------------------------------------------------------------------------
+if command -v ufw &>/dev/null; then
+ ufw default deny incoming || echo "WARN: ufw default deny incoming failed"
+ ufw default allow outgoing || echo "WARN: ufw default allow outgoing failed"
+ ufw allow 5353/udp || echo "WARN: ufw allow mDNS failed"
+ ufw --force enable || echo "WARN: ufw enable failed"
+fi
+
 # The bread ecosystem (bakery + bread, breadbar, breadbox, breadcrumbs, breadpad)
 # is bakery-managed, not pacman: the binaries and bakery manifest live in
 # /etc/skel/.local (baked in at ISO build time) and are copied into the user's
diff --git a/iso/airootfs/etc/skel/.config/mimeapps.list b/iso/airootfs/etc/skel/.config/mimeapps.list
new file mode 100644
index 0000000..58c48fe
--- /dev/null
+++ b/iso/airootfs/etc/skel/.config/mimeapps.list
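Review bot: `ufw allow 5353/udp` in the firewall block admits UDP/5353 from any source on every interface, so besides on-link multicast discovery it also lets off-link hosts send unicast mDNS queries straight to avahi; scoping the rule to the multicast destinations keeps printer discovery working with less exposure, e.g. `ufw allow in proto udp to 224.0.0.251 port 5353` plus `ufw allow in proto udp to ff02::fb port 5353`. The enable loop now also lists `reflector.timer`, but the packages.x86_64 hunks in this commit add avahi, nss-mdns, ufw, fwupd and zram-generator and not reflector, so unless reflector is already in that list the loop will only print its WARN for that unit. If this script runs inside the installer chroot, `ufw --force enable` will likely be unable to load the ruleset there and fall through to its WARN; it is worth confirming that ENABLED=yes still gets written to /etc/ufw/ufw.conf, since ufw.service only applies the persisted policy at boot when it does. The enclosing script continues on both sides of this hunk.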
@@ -0,0 +1,51 @@
+# Default applications for common file types. Without this, freshly installed
+# BOS has no handler registered for images/video/text/etc., so opening a file
+# from nautilus does nothing. Maps to the apps shipped in packages.x86_64.
+[Default Applications]
+# Images -> Loupe
+image/png=org.gnome.Loupe.desktop
+image/jpeg=org.gnome.Loupe.desktop
+image/gif=org.gnome.Loupe.desktop
+image/webp=org.gnome.Loupe.desktop
+image/bmp=org.gnome.Loupe.desktop
+image/tiff=org.gnome.Loupe.desktop
+image/svg+xml=org.gnome.Loupe.desktop
+
+# Audio/Video -> VLC
+audio/mpeg=vlc.desktop
+audio/flac=vlc.desktop
+audio/ogg=vlc.desktop
+audio/x-wav=vlc.desktop
+audio/aac=vlc.desktop
+video/mp4=vlc.desktop
+video/x-matroska=vlc.desktop
+video/webm=vlc.desktop
+video/quicktime=vlc.desktop
+video/x-msvideo=vlc.desktop
+
+# Plain text / source -> GNOME Text Editor
+text/plain=org.gnome.TextEditor.desktop
+text/markdown=org.gnome.TextEditor.desktop
+application/x-shellscript=org.gnome.TextEditor.desktop
+application/json=org.gnome.TextEditor.desktop
+application/toml=org.gnome.TextEditor.desktop
+text/x-readme=org.gnome.TextEditor.desktop
+
+# Documents / web -> Zen (PDF + HTML)
+application/pdf=zen.desktop
+text/html=zen.desktop
+x-scheme-handler/http=zen.desktop
+x-scheme-handler/https=zen.desktop
+
+# Archives -> File Roller
+application/zip=org.gnome.FileRoller.desktop
+application/x-tar=org.gnome.FileRoller.desktop
+application/gzip=org.gnome.FileRoller.desktop
+application/x-7z-compressed=org.gnome.FileRoller.desktop
+application/x-rar=org.gnome.FileRoller.desktop
+application/vnd.rar=org.gnome.FileRoller.desktop
+application/x-xz=org.gnome.FileRoller.desktop
+application/x-bzip2=org.gnome.FileRoller.desktop
+
+# Directories -> Nautilus
+inode/directory=org.gnome.Nautilus.desktop
diff --git a/iso/airootfs/etc/systemd/zram-generator.conf b/iso/airootfs/etc/systemd/zram-generator.conf
new file mode 100644
index 0000000..b1d46e5
--- /dev/null
+++ b/iso/airootfs/etc/systemd/zram-generator.conf
@@ -0,0 +1,6 @@
+# Compressed RAM swap. systemd-zram-generator reads this and creates a zram
+# device + swap at boot — no on-disk swap partition needed. Sized at half RAM
+# capped to 4 GiB, zstd-compressed (typically ~3:1, so cheap headroom).
+[zram0]
+zram-size = min(ram / 2, 4096)
+compression-algorithm = zstd
diff --git a/iso/packages.x86_64 b/iso/packages.x86_64
index 788708d..c05b24e 100644
--- a/iso/packages.x86_64
+++ b/iso/packages.x86_64
@@ -75,6 +75,11 @@ pipewire-jack
 networkmanager
 network-manager-applet
 iw
+# mDNS service/name resolution — lets CUPS auto-discover network printers and
+# resolves .local hostnames (avahi-daemon enabled + nss-mdns wired in
+# post-install.sh).
+avahi
+nss-mdns
 # Wi-Fi backend for NetworkManager (its default; no extra config needed).
 wpa_supplicant
 bluez
@@ -107,6 +112,11 @@ noto-fonts-emoji
 ttf-jetbrains-mono
 # Nerd font variant — icons in terminal tools (eza --icons, fastfetch, yazi)
 ttf-jetbrains-mono-nerd
+# Metric-compatible (Arial/Times/Courier) so Office/web docs lay out correctly,
+# broad Unicode fallback, and the Font Awesome icon glyph set.
+ttf-liberation
+ttf-dejavu
+ttf-font-awesome
 # Terminal
 kitty
@@ -236,6 +246,14 @@ system-config-printer
 # remote post-install (needs network); the runtime is shipped ready.
 flatpak
+# Firewall — ufw, enabled deny-incoming in post-install.sh (mDNS allowed so
+# printer discovery still works).
+ufw
+# Firmware updates via LVFS (works with gnome-software / fwupdmgr).
+fwupd
+# Compressed RAM swap — see /etc/systemd/zram-generator.conf.
+zram-generator
+
 # Icon and cursor themes
 # Papirus-Dark: cohesive icon set used as the BOS default (set via gsettings in
 # hyprland.lua autostart and in skel gtk-3.0/settings.ini).