Complete the desktop: default apps, mDNS, firewall, zram, fonts

Wire up features that were half-shipped and add sensible resilience
defaults:

- mimeapps.list in skel: images->loupe, A/V->vlc, text->gnome-text-editor,
  pdf/html->zen, archives->file-roller, dirs->nautilus (so opening a file
  from nautilus actually does something)
- avahi + nss-mdns: CUPS network-printer discovery + .local resolution
  (enable avahi-daemon; insert mdns_minimal into nsswitch hosts:)
- ufw: deny-incoming firewall, mDNS (5353/udp) allowed so discovery still
  works; enabled in post-install
- zram-generator: compressed RAM swap (half RAM capped 4 GiB, zstd)
- fwupd + reflector.timer: firmware updates and periodic mirror refresh
- fonts: ttf-liberation (Office/web metric compat), ttf-dejavu, font-awesome

iso/airootfs/etc/calamares/post-install.sh

@@ -100,11 +100,33 @@ fi
 # ---------------------------------------------------------------------------
 for unit in NetworkManager.service bluetooth.service systemd-timesyncd.service \
             tlp.service greetd.service snapper-cleanup.timer grub-btrfsd.service \
-            fstrim.timer cups.socket; do
+            fstrim.timer cups.socket avahi-daemon.service ufw.service \
+            fwupd-refresh.timer reflector.timer; do
     systemctl enable "$unit" || echo "WARN: failed to enable $unit"
 done
 systemctl set-default graphical.target || echo "WARN: set-default graphical failed"
 
+# ---------------------------------------------------------------------------
+# mDNS resolution (nss-mdns): insert mdns_minimal into the hosts: line so the
+# resolver answers *.local (network printers, other hosts) via avahi. Idempotent.
+# ---------------------------------------------------------------------------
+if [[ -f /etc/nsswitch.conf ]] && ! grep -q 'mdns_minimal' /etc/nsswitch.conf; then
+    sed -i 's/^\(hosts:[[:space:]]*\)/\1mdns_minimal [NOTFOUND=return] /' \
+        /etc/nsswitch.conf || echo "WARN: wiring nss-mdns failed"
+fi
+
+# ---------------------------------------------------------------------------
+# Firewall: deny inbound by default, allow outbound, and permit inbound mDNS so
+# avahi printer/service discovery keeps working. Best-effort — rule application
+# happens at boot; here we only persist the policy + enable the unit.
+# ---------------------------------------------------------------------------
+if command -v ufw &>/dev/null; then
+    ufw default deny incoming  || echo "WARN: ufw default deny incoming failed"
+    ufw default allow outgoing || echo "WARN: ufw default allow outgoing failed"
+    ufw allow 5353/udp         || echo "WARN: ufw allow mDNS failed"
+    ufw --force enable         || echo "WARN: ufw enable failed"
+fi
+
 # The bread ecosystem (bakery + bread, breadbar, breadbox, breadcrumbs, breadpad)
 # is bakery-managed, not pacman: the binaries and bakery manifest live in
 # /etc/skel/.local (baked in at ISO build time) and are copied into the user's