Complete the desktop: default apps, mDNS, firewall, zram, fonts

Wire up features that were half-shipped and add sensible resilience defaults: - mimeapps.list in skel: images->loupe, A/V->vlc, text->gnome-text-editor, pdf/html->zen, archives->file-roller, dirs->nautilus (so opening a file from nautilus actually does something) - avahi + nss-mdns: CUPS network-printer discovery + .local resolution (enable avahi-daemon; insert mdns_minimal into nsswitch hosts:) - ufw: deny-incoming firewall, mDNS (5353/udp) allowed so discovery still works; enabled in post-install - zram-generator: compressed RAM swap (half RAM capped 4 GiB, zstd) - fwupd + reflector.timer: firmware updates and periodic mirror refresh - fonts: ttf-liberation (Office/web metric compat), ttf-dejavu, font-awesome Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 14:47:06 +08:00 · 2026-06-16 14:47:06 +08:00 · 7652d92b81
commit 7652d92b81
parent 1f53377914
4 changed files with 98 additions and 1 deletions
--- a/iso/airootfs/etc/calamares/post-install.sh
+++ b/iso/airootfs/etc/calamares/post-install.sh
@ -100,11 +100,33 @@ fi
 # ---------------------------------------------------------------------------
 for unit in NetworkManager.service bluetooth.service systemd-timesyncd.service \
            tlp.service greetd.service snapper-cleanup.timer grub-btrfsd.service \
-            fstrim.timer cups.socket; do
+            fstrim.timer cups.socket avahi-daemon.service ufw.service \
+            fwupd-refresh.timer reflector.timer; do
    systemctl enable "$unit" || echo "WARN: failed to enable $unit"
 done
 systemctl set-default graphical.target || echo "WARN: set-default graphical failed"

+# ---------------------------------------------------------------------------
+# mDNS resolution (nss-mdns): insert mdns_minimal into the hosts: line so the
+# resolver answers *.local (network printers, other hosts) via avahi. Idempotent.
+# ---------------------------------------------------------------------------
+if [[ -f /etc/nsswitch.conf ]] && ! grep -q 'mdns_minimal' /etc/nsswitch.conf; then
+    sed -i 's/^\(hosts:[[:space:]]*\)/\1mdns_minimal [NOTFOUND=return] /' \
+        /etc/nsswitch.conf || echo "WARN: wiring nss-mdns failed"
+fi
+
+# ---------------------------------------------------------------------------
+# Firewall: deny inbound by default, allow outbound, and permit inbound mDNS so
+# avahi printer/service discovery keeps working. Best-effort — rule application
+# happens at boot; here we only persist the policy + enable the unit.
+# ---------------------------------------------------------------------------
+if command -v ufw &>/dev/null; then
+    ufw default deny incoming  || echo "WARN: ufw default deny incoming failed"
+    ufw default allow outgoing || echo "WARN: ufw default allow outgoing failed"
+    ufw allow 5353/udp         || echo "WARN: ufw allow mDNS failed"
+    ufw --force enable         || echo "WARN: ufw enable failed"
+fi
+
 # The bread ecosystem (bakery + bread, breadbar, breadbox, breadcrumbs, breadpad)
 # is bakery-managed, not pacman: the binaries and bakery manifest live in
 # /etc/skel/.local (baked in at ISO build time) and are copied into the user's
--- a/iso/airootfs/etc/skel/.config/mimeapps.list
+++ b/iso/airootfs/etc/skel/.config/mimeapps.list
@ -0,0 +1,51 @@
+# Default applications for common file types. Without this, freshly installed
+# BOS has no handler registered for images/video/text/etc., so opening a file
+# from nautilus does nothing. Maps to the apps shipped in packages.x86_64.
+[Default Applications]
+# Images -> Loupe
+image/png=org.gnome.Loupe.desktop
+image/jpeg=org.gnome.Loupe.desktop
+image/gif=org.gnome.Loupe.desktop
+image/webp=org.gnome.Loupe.desktop
+image/bmp=org.gnome.Loupe.desktop
+image/tiff=org.gnome.Loupe.desktop
+image/svg+xml=org.gnome.Loupe.desktop
+
+# Audio/Video -> VLC
+audio/mpeg=vlc.desktop
+audio/flac=vlc.desktop
+audio/ogg=vlc.desktop
+audio/x-wav=vlc.desktop
+audio/aac=vlc.desktop
+video/mp4=vlc.desktop
+video/x-matroska=vlc.desktop
+video/webm=vlc.desktop
+video/quicktime=vlc.desktop
+video/x-msvideo=vlc.desktop
+
+# Plain text / source -> GNOME Text Editor
+text/plain=org.gnome.TextEditor.desktop
+text/markdown=org.gnome.TextEditor.desktop
+application/x-shellscript=org.gnome.TextEditor.desktop
+application/json=org.gnome.TextEditor.desktop
+application/toml=org.gnome.TextEditor.desktop
+text/x-readme=org.gnome.TextEditor.desktop
+
+# Documents / web -> Zen (PDF + HTML)
+application/pdf=zen.desktop
+text/html=zen.desktop
+x-scheme-handler/http=zen.desktop
+x-scheme-handler/https=zen.desktop
+
+# Archives -> File Roller
+application/zip=org.gnome.FileRoller.desktop
+application/x-tar=org.gnome.FileRoller.desktop
+application/gzip=org.gnome.FileRoller.desktop
+application/x-7z-compressed=org.gnome.FileRoller.desktop
+application/x-rar=org.gnome.FileRoller.desktop
+application/vnd.rar=org.gnome.FileRoller.desktop
+application/x-xz=org.gnome.FileRoller.desktop
+application/x-bzip2=org.gnome.FileRoller.desktop
+
+# Directories -> Nautilus
+inode/directory=org.gnome.Nautilus.desktop
--- a/iso/airootfs/etc/systemd/zram-generator.conf
+++ b/iso/airootfs/etc/systemd/zram-generator.conf
@ -0,0 +1,6 @@
+# Compressed RAM swap. systemd-zram-generator reads this and creates a zram
+# device + swap at boot — no on-disk swap partition needed. Sized at half RAM
+# capped to 4 GiB, zstd-compressed (typically ~3:1, so cheap headroom).
+[zram0]
+zram-size = min(ram / 2, 4096)
+compression-algorithm = zstd