Symlinks ~/.ssh to ${DECRYPTEDDATADIR}/ssh_keys (migrating any existing
content once) so the key lives in the gocryptfs-encrypted area instead
of the plain home directory. Also passes -N "" to ssh-keygen so key
generation no longer prompts for a passphrase.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Provisions ~/.ssh/id_ed25519 once and stores it in the FreeIPA KRA
vault so the key persists across reinstalls/new machines instead of
being regenerated each time. Guards against silently overwriting an
existing vault key on transient failures (missing ~/.ssh, vault-add
errors, ssh-keygen failures) before archiving.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Anaconda adds 'server _gateway iburst' as a fallback NTP source when
no NTP servers are specified in the kickstart. chronyd cannot resolve
the special hostname '_gateway' at startup, logging an error each boot.
The sourcedir /run/chrony-dhcp directive already handles DHCP-provided
NTP servers, making the _gateway line redundant.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
systemd-xdg-autostart-generator warns that .desktop files with
execute permissions set are invalid. .desktop files should not be
executable.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ExecStop on the user service caused an unmount race: it fired
asynchronously after logout while the next login's install.sh had
already remounted the wallet, then unmounted it again leaving
kwalletd6 without its wallet directory.
install.sh already handles umount/remount at login start, so no
ExecStop is needed. On gocryptfs systems the wallet becomes
inaccessible at logout naturally when ~/data is unmounted.
user_run.sh now explicitly stops any leftover kwalletd6-logon unit
from a previous session before creating a new one, avoiding the
systemd-run unit-name-conflict failure.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ExecStop (umount) fires asynchronously ~26s after logout, by which
time a second login's install.sh has already remounted the wallet.
ExecStop then unmounts the fresh mount, leaving kwalletd6 without
the wallet directory.
Fix: stop kwalletd6-logon.service at the top of install.sh so its
ExecStop fires and drains before the remount, eliminating the race.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
kwalletd6 exits with code 1 when the Wayland compositor shuts down
during logout. Without SuccessExitStatus=1, the service is marked
failed and ExecStop (the bind mount umount) never runs. Treating
exit code 1 as success keeps the service in active-exited state so
systemd fires ExecStop cleanly on session end.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch kwalletd6-logon from --scope to a transient service with
RemainAfterExit=yes (kwalletd6 forks to background, so the service
must stay active after the main process exits). ExecStop runs
'sudo umount -l' to detach the wallet bind mount before gocryptfs
unmounts ~/data (Before=gocryptfs-home.service ordering).
install.sh adds a per-user sudoers drop-in so the user service
can call umount as root without a password.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without -fg, gocryptfs forks to background and the parent exits,
causing systemd to consider the service done and immediately call
ExecStop (fusermount -u). With -fg, gocryptfs stays as the tracked
service process so ExecStop only fires on explicit service stop at
logout.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
systemd-run service mode returns as soon as the start request is
accepted, before gocryptfs has read the passfile. Poll /proc/mounts
for up to 10 seconds so the passfile is only removed after the mount
is confirmed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wrap kwriteconfig5 calls in a KDE check so they are skipped on
Cinnamon and other desktops. Also add empty-session setting so
previous apps are not restored on login.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch from --scope to a transient service so systemd can run
fusermount -u via ExecStop before terminating the process.
With KillMode=none, gocryptfs exits on its own once the FUSE
filesystem is detached.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
If the IPA server FQDN cannot be resolved at startup (e.g. due to a
DNSSEC outage or network not yet ready), the logon script would silently
fail later. The new check prompts the user to retry, continue anyway, or
quit, so the problem is immediately visible.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in
offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab
before the cached-credential fallback is reached. Adding krb5_validate =
False disables the keytab validation step and restores reliable offline
authentication for FreeIPA domain users.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
F44 dropped @kde-spin-initial-setup; plasma-setup (mandatory in @kde-desktop)
is now the first-boot wizard and is not covered by firstboot --disable.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
obel1x
Daniel unbrot Pätzold
unbrot