chmod: add the Fedora Atomic /var/roothome

if the automatic management doesn't want to work, DIY

.config

@@ -0,0 +1 @@
+conf

.local

@@ -0,0 +1 @@
+local

chmod

@@ -48,4 +48,9 @@ if hash setfacl 2> /dev/null; then
 	fi
 fi
 
+# Fedora Atomic compatibility
+if [ -d /var/roothome ]; then
+	chmod -v a+x /var/roothome
+fi
+
 set +x

conf/kscreenlockerrc

@@ -0,0 +1,4 @@
+# ~/.config/kscreenlockerrc
+# Lock screen on login (for combination with autologin)
+[Daemon]
+LockOnStart=true

etc/NetworkManager-resolv.conf-restore.bash

@@ -5,6 +5,11 @@ set -x
 # well. I think it's even less likely I use this than the systemd-resolved
 # one, but anyway
 
+if [[ ! -d /sysroot/ostree ]]; then
+	echo "Let's not mess up with Fedora Atomic. Try \$RES_OPTIONS instead? In profile.d?"
+	exit 1
+fi
+
 # I know there are old versions that used something else, but I don't remember
 # that name and they are ancient.
 if ! hash nmcli 2> /dev/null; then

etc/NetworkManager/conf.d/iwd.conf

@@ -3,7 +3,6 @@
 # Important!
 # systemctl disable --now wpa_supplicant
 # systemctl mask wpa_supplicant
-# systemctl enable --now iwd
 # systemctl restart NetworkManager
 
 [device]

etc/firefox/policies/policies.json

@@ -460,6 +460,13 @@
 				"private_browsing": true,
 				"restricted_domains": []
 			},
+			"{759dbb01-b646-4327-bf9e-69ca2543ef8d}": {
+				"blocked_install_message": "OpenDyslexic",
+				"default_area": "navbar",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/opendyslexic-for-firefox/latest.xpi",
+				"installation_mode": "normal_installed",
+				"private_browsing": true
+			},
 			"{8620c15f-30dc-4dba-a131-7c5d20cf4a29}": {
 				"blocked_install_message": "Firefox Nightly Tester Tools",
 				"default_area": "menupanel",
@@ -741,6 +748,16 @@
 				"Type": "number",
 				"Value": 0
 			},
+			"browser.tabs.insertAfterCurrent": {
+				"Status": "default",
+				"Type": "boolean",
+				"Value": true
+			},
+			"browser.tabs.insertAfterCurrentExceptPinned": {
+				"Status": "default",
+				"Type": "boolean",
+				"Value": true
+			},
 			"browser.tabs.unloadOnLowMemory": {
 				"Status": "locked",
 				"Type": "boolean",

etc/profile.d/99-resolv.conf-options.sh

@@ -0,0 +1,2 @@
+# This is equivalent to options in /etc/resolv.conf
+export RES_OPTIONS="timeout:1 attempts:5 rotate edns0 trust-ad"

etc/resolv.conf-generate.bash

@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 set -x
 
+if [[ ! -d /sysroot/ostree ]]; then
+	echo "Let's not mess up with Fedora Atomic. Try \$RES_OPTIONS instead? In profile.d?"
+	exit 1
+fi
+
 # Require root or exit
 if [ "$(id -u)" != "0" ]; then
 	echo "This script requires root." 1>&2

etc/sddm.conf.d/10-wayland.conf

@@ -0,0 +1,9 @@
+# https://wiki.archlinux.org/title/SDDM#Wayland
+[General]
+DisplayServer=wayland
+GreeterEnvironment=QT_WAYLAND_SHELL_INTEGRATION=layer-shell
+
+[Wayland]
+# virtual keyboard since Steam Deck
+CompositorCommand=kwin_wayland --drm --no-lockscreen --no-global-shortcuts --locale1 --inputmethod maliit-keyboard
+

etc/sddm.conf.d/99-autologin-aminda.conf

@@ -0,0 +1,4 @@
+# I don't usually recommend this, but Steam Deck
+[Autologin]
+User=aminda
+Session=plasma

etc/systemd-resolv.conf-generate.bash

@@ -5,6 +5,11 @@ set -x
 # systemd-resolved as a DNS server. And then it also took parts of the
 # restore script.
 
+if [[ ! -d /sysroot/ostree ]]; then
+	echo "Let's not mess up with Fedora Atomic. Try \$RES_OPTIONS instead? In profile.d?"
+	exit 1
+fi
+
 # I know there are old versions that used something else, but I don't remember
 # that name and they are ancient.
 if ! hash resolvectl 2> /dev/null; then

etc/systemd-resolv.conf-restore.bash

@@ -4,6 +4,11 @@ set -x
 # I just had a feeling I should also have a quick script to quickly restore
 # systemd-resolved handling of the file.
 
+if [[ ! -d /sysroot/ostree ]]; then
+	echo "Let's not mess up with Fedora Atomic. Try \$RES_OPTIONS instead? In profile.d?"
+	exit 1
+fi
+
 # I know there are old versions that used something else, but I don't remember
 # that name and they are ancient.
 if ! hash resolvectl 2> /dev/null; then

etc/systemd/system/aminda-nocron-reboot.service

@@ -14,7 +14,11 @@ ExecStartPre=-echo 1 > /sys/devices/system/cpu/microcode/reload
 ExecStartPre=-systemctl enable aminda-nocron-rebootish.service
 ExecStartPre=-systemctl enable  aminda-nocron-rebootish.timer
 ExecStartPre=-systemctl enable linuxbrew-permissions.timer
+# In case we do have cron?
+ExecStartPre=-systemctl enable --now crond.service
 ExecStartPre=-systemctl enable --now linuxbrew-permissions.service
+ExecStartPre=-systemctl enable --now rngd.service
+ExecStartPre=-systemctl enable --now haveged.service
 ExecStartPre=-systemctl enable --now unbound.service
 ExecStartPre=-systemctl enable --now systemd-resolved.service
 ExecStartPre=-sysctl net.ipv6.conf.all.disable_ipv6=0
@@ -53,6 +57,7 @@ ExecStart=-systemctl enable --now unbound.service
 ExecStart=-systemctl enable --now chrony.service
 ExecStart=-systemctl enable --now chronyd.service
 ExecStart=-systemctl enable --now systemd-oomd.service systemd-oomd.socket
+ExecStart=-systemctl enable firewalld.service
 User=root
 StandardOutput=journal
 StandardError=journal

etc/systemd/system/haveged.service.d/rngd-wanted.conf

@@ -0,0 +1 @@
+../service.d/rngd-wanted.conf

etc/systemd/system/sddm.service.d/rngd-wanted.conf

@@ -0,0 +1 @@
+../service.d/rngd-wanted.conf

etc/systemd/system/service.d/rngd-wanted.conf

@@ -0,0 +1,2 @@
+[Unit]
+Wants=rngd.service

etc/traditional-resolv.conf-generate.bash

@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 set -x
 
+if [[ ! -d /sysroot/ostree ]]; then
+	echo "Let's not mess up with Fedora Atomic. Try \$RES_OPTIONS instead? In profile.d?"
+	exit 1
+fi
+
 # Require root or exit
 if [ "$(id -u)" != "0" ]; then
 	echo "This script requires root. (And the 3 nameserver IPs as arguments)" 1>&2

etc/unbound/unbound.conf.d/dot-443.conf.sample

@@ -0,0 +1,11 @@
+# Don't use this file alone, append it to something else.
+server:
+	tls-system-cert: yes
+	qname-minimisation: no
+forward-zone:
+	name: "."
+	forward-tls-upstream: yes
+	# https://appliedprivacy.net/services/dns/ - Vienna, Austria, no ECS
+	forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net
+	forward-addr: 146.255.56.98@443#dot1.applied-privacy.net
+# vim: filetype=unbound.conf

etc/xdg/autostart/flatpak-steam-bigpicture.desktop

@@ -0,0 +1,6 @@
+[Desktop Entry]
+Name=Steam autostart in big picture mode
+Exec=flatpak run com.valvesoftware.Steam -tenfoot
+Icon=com.valvesoftware.Steam
+Type=Application
+Hidden=false

etc/xdg/autostart/flatpak-steam-tray.desktop

@@ -0,0 +1,6 @@
+[Desktop Entry]
+Name=Steam autostart in tray
+Exec=flatpak run com.valvesoftware.Steam -silent
+Icon=com.valvesoftware.Steam
+Type=Application
+Hidden=false

etc/yum.repos.d/yggdrasil.repo

@@ -0,0 +1,11 @@
+# Fedora Atomic doesn't provide dnf copr
+[yggdrasil]
+name=Copr repo for yggdrasil-go owned by neilalexander
+baseurl=https://download.copr.fedorainfracloud.org/results/neilalexander/yggdrasil-go/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/neilalexander/yggdrasil-go/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1

install

@@ -7,6 +7,9 @@ set -x
 ln -nsfv /dev/null $HOME/nul
 ln -nsfv /dev/null $HOME/null
 
+# Of course LaTeX templates exist
+mkdir -vp ~/texmf/tex/latex/local
+
 # If my allowed_signers are present, use them, if not, clone them, and try
 # again. The gitconfig expects them here.
 if [ -d $HOME/src/codeberg.org/Aminda/ssh-allowed_signers ]; then

package.json

@@ -1,14 +1,14 @@
 {
 	"devDependencies": {
-		"@aminda/global-prettier-config": "2025.16.0",
+		"@aminda/global-prettier-config": "2025.21.0",
 		"@prettier/plugin-ruby": "4.0.4",
 		"@prettier/plugin-xml": "3.4.1",
 		"corepack": "latest",
 		"prettier": "3.5.3",
 		"prettier-plugin-nginx": "1.0.3",
-		"prettier-plugin-sh": "0.17.2",
-		"prettier-plugin-toml": "2.0.4"
+		"prettier-plugin-sh": "0.17.4",
+		"prettier-plugin-toml": "2.0.5"
 	},
-	"packageManager": "pnpm@10.10.0+sha512.d615db246fe70f25dcfea6d8d73dee782ce23e2245e3c4f6f888249fb568149318637dca73c2c5c8ef2a4ca0d5657fb9567188bfab47f566d1ee6ce987815c39",
+	"packageManager": "pnpm@10.11.0+sha512.6540583f41cc5f628eb3d9773ecee802f4f9ef9923cc45b69890fb47991d4b092964694ec3a4f738a420c918a333062c8b925d312f42e4f0c263eb603551f977",
 	"prettier": "@aminda/global-prettier-config"
 }

pnpm-lock.yaml

@@ -8,8 +8,8 @@ importers:
   .:
     devDependencies:
       "@aminda/global-prettier-config":
-        specifier: 2025.16.0
-        version: 2025.16.0
+        specifier: 2025.21.0
+        version: 2025.21.0
       "@prettier/plugin-ruby":
         specifier: 4.0.4
         version: 4.0.4(prettier@3.5.3)
@@ -26,17 +26,17 @@ importers:
         specifier: 1.0.3
         version: 1.0.3
       prettier-plugin-sh:
-        specifier: 0.17.2
-        version: 0.17.2(prettier@3.5.3)
+        specifier: 0.17.4
+        version: 0.17.4(prettier@3.5.3)
       prettier-plugin-toml:
-        specifier: 2.0.4
-        version: 2.0.4(prettier@3.5.3)
+        specifier: 2.0.5
+        version: 2.0.5(prettier@3.5.3)
 
 packages:
-  "@aminda/global-prettier-config@2025.16.0":
+  "@aminda/global-prettier-config@2025.21.0":
     resolution:
       {
-        integrity: sha512-A++pQoqdFbeeXradpFJvwmuf0KFh9ykJpfaLMaVBCmG+4ssRy+B3e2OcSiI5oqG7D1EzgX+izQBPsAC4g0y9cQ==,
+        integrity: sha512-2r7n24AgkOK5mHHNVagM0DADSWpYv1deF1eC80HMCoXKyuT0TSb+fMvZUfhi8w+S5DCZKzoTvQH3+3wFg7f3bA==,
       }
 
   "@prettier/plugin-ruby@4.0.4":
@@ -100,19 +100,19 @@ packages:
         integrity: sha512-vV5q85s8XnV6NEgvz1gVLfZhmxAxY03MyOYj2ApBpjFkbs00lRsRkTmqO9L39ADuD18z1RRCcfZ3eVxKhI/nqg==,
       }
 
-  prettier-plugin-sh@0.17.2:
+  prettier-plugin-sh@0.17.4:
     resolution:
       {
-        integrity: sha512-7+dEo/IYbhrUj4qP+1QXj41/5Hv9ZkxBuEatI1jywrcAlVF1aGhdYJF4Sn+M67nkA16iRL53W4FSRe1bitTdmQ==,
+        integrity: sha512-aAVKXZ7GTEMZdZsIPSwMwddwPvt2ibMbRGd4OJAP0G7QoeYZV+mPNg2Oln3R53sZ4PVjeAA7Xzi/PuI0QlHHfQ==,
       }
     engines: { node: ">=16.0.0" }
     peerDependencies:
       prettier: ^3.0.3
 
-  prettier-plugin-toml@2.0.4:
+  prettier-plugin-toml@2.0.5:
     resolution:
       {
-        integrity: sha512-uOTNPClqnE3T9XJ8hCqAJek70Jnk3/ZuAG/aXRTmrWbVe8lJyuZ60KV7OtgWqF+iGZOPVpkh+giHhX9GZYRHGA==,
+        integrity: sha512-WjXXKQyY4TdXWHU1v73UJxK/oDLSppf+b9KrSVl2kC4ZOr9CIVPKTQ/JxttgbYMaH8r3ihw7WYhMpI1EFa1obg==,
       }
     engines: { node: ">=16.0.0" }
     peerDependencies:
@@ -132,10 +132,10 @@ packages:
         integrity: sha512-tlbJqcMHnPKI9zSrystikWKwHkBqu2a/Sgw01h3zFjvYrMxEDYHzzoMZnUrbIfpTFEsoRnnviOXNCzFiSc54Qw==,
       }
 
-  sh-syntax@0.5.7:
+  sh-syntax@0.5.8:
     resolution:
       {
-        integrity: sha512-74m9dt91konrF5+m0kASugzi37VxKsnTJQ6yvdDZu3IijG5/vIZpImP6FadsJLWNt2X2YD0VaTwW5W7Ox7mFVg==,
+        integrity: sha512-JfVoxf4FxQI5qpsPbkHhZo+n6N9YMJobyl4oGEUBb/31oQYlgTjkXQD8PBiafS2UbWoxrTO0Z5PJUBXEPAG1Zw==,
       }
     engines: { node: ">=16.0.0" }
 
@@ -146,15 +146,15 @@ packages:
       }
 
 snapshots:
-  "@aminda/global-prettier-config@2025.16.0":
+  "@aminda/global-prettier-config@2025.21.0":
     dependencies:
       "@prettier/plugin-ruby": 4.0.4(prettier@3.5.3)
       "@prettier/plugin-xml": 3.4.1(prettier@3.5.3)
       corepack: 0.32.0
       prettier: 3.5.3
       prettier-plugin-nginx: 1.0.3
-      prettier-plugin-sh: 0.17.2(prettier@3.5.3)
-      prettier-plugin-toml: 2.0.4(prettier@3.5.3)
+      prettier-plugin-sh: 0.17.4(prettier@3.5.3)
+      prettier-plugin-toml: 2.0.5(prettier@3.5.3)
 
   "@prettier/plugin-ruby@4.0.4(prettier@3.5.3)":
     dependencies:
@@ -185,13 +185,13 @@ snapshots:
 
   prettier-plugin-nginx@1.0.3: {}
 
-  prettier-plugin-sh@0.17.2(prettier@3.5.3):
+  prettier-plugin-sh@0.17.4(prettier@3.5.3):
     dependencies:
       "@reteps/dockerfmt": 0.3.6
       prettier: 3.5.3
-      sh-syntax: 0.5.7
+      sh-syntax: 0.5.8
 
-  prettier-plugin-toml@2.0.4(prettier@3.5.3):
+  prettier-plugin-toml@2.0.5(prettier@3.5.3):
     dependencies:
       "@taplo/lib": 0.5.0
       prettier: 3.5.3
@@ -200,7 +200,7 @@ snapshots:
 
   regexp-to-ast@0.5.0: {}
 
-  sh-syntax@0.5.7:
+  sh-syntax@0.5.8:
     dependencies:
       tslib: 2.8.1
 

rc/bashrc

@@ -662,6 +662,7 @@ alias journalf="journalctl --no-hostname --follow"
 alias journalfu="journalctl --utc --no-hostname --follow"
 alias journalb="journalctl --no-hostname --boot"
 alias journalbu="journalctl --utc --no-hostname --boot"
+alias journalfdns="journalf -u systemd-resolved -u unbound"
 
 # To complement my nordvpn-off wrapper
 alias nordvpn-offf="sudo systemctl stop nordvpnd.service;sudo systemctl stop nordvpnd.socket"

rc/kscreenlockerrc

@@ -0,0 +1 @@
+../conf/kscreenlockerrc

rc/zshrc

@@ -649,6 +649,7 @@ alias journalf="journalctl --no-hostname --follow"
 alias journalfu="journalctl --utc --no-hostname --follow"
 alias journalb="journalctl --no-hostname --boot"
 alias journalbu="journalctl --utc --no-hostname --boot"
+alias journalfdns="journalf -u systemd-resolved -u unbound"
 
 # To complement my nordvpn-off wrapper
 alias nordvpn-offf="sudo systemctl stop nordvpnd.service;sudo systemctl stop nordvpnd.socket"

submodules/jauderho-nts-servers

@@ -1 +1 @@
-Subproject commit 56e177e277589e69b00ba2a00146a8787680f2ad
+Subproject commit c07a75a26d84430a3ec6c0e4f9f8d5dc2d0650e6

submodules/pgp-alt-wot

@@ -1 +1 @@
-Subproject commit 7e1601e5d6b10da8816c396f21c3168ab2340e22
+Subproject commit 2517c814b842ff19f82699cc4038b7682bcc8156

var/lib/iwd/fix-networkmanager-iwd-selinux.bash

@@ -4,7 +4,6 @@
 # permitted to unlink files.
 
 set -x
-for targetfile in $(find /var/lib/iwd/*.{psk,open}); do
-	semanage fcontext -a -t NetworkManager_etc_rw_t $targetfile
-done
+find /var/lib/iwd/*.{psk,open} -exec semanage fcontext -a -t NetworkManager_etc_rw_t '{}' \;
+find /var/lib/iwd/*.{psk,open} -exec restorecon -v '{}' \;
 set +x

var/spool/cron/root

@@ -19,4 +19,9 @@
 @reboot /usr/bin/sleep 300 && /usr/sbin/sysctl net.ipv6.conf.all.disable_ipv6=0 >/dev/null 2>&1
 @reboot /usr/bin/sleep 315 && /usr/bin/systemctl restart yggdrasil.service --quiet
 
+# Fedora Kinoite on Steam Deck workaround for disappearing network on boot
+# iwd is pulled in by NetworkManager
+@reboot /usr/bin/sleep 30 && /usr/bin/systemctl stop iwd.service --quiet
+@reboot /usr/bin/sleep 45 && /usr/bin/systemctl restart NetworkManager.service
+
 # vim: filetype=crontab