Without -fg, gocryptfs forks to background and the parent exits,
causing systemd to consider the service done and immediately call
ExecStop (fusermount -u). With -fg, gocryptfs stays as the tracked
service process so ExecStop only fires on explicit service stop at
logout.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
systemd-run service mode returns as soon as the start request is
accepted, before gocryptfs has read the passfile. Poll /proc/mounts
for up to 10 seconds so the passfile is only removed after the mount
is confirmed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wrap kwriteconfig5 calls in a KDE check so they are skipped on
Cinnamon and other desktops. Also add empty-session setting so
previous apps are not restored on login.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch from --scope to a transient service so systemd can run
fusermount -u via ExecStop before terminating the process.
With KillMode=none, gocryptfs exits on its own once the FUSE
filesystem is detached.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
If the IPA server FQDN cannot be resolved at startup (e.g. due to a
DNSSEC outage or network not yet ready), the logon script would silently
fail later. The new check prompts the user to retry, continue anyway, or
quit, so the problem is immediately visible.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in
offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab
before the cached-credential fallback is reached. Adding krb5_validate =
False disables the keytab validation step and restores reliable offline
authentication for FreeIPA domain users.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
F44 dropped @kde-spin-initial-setup; plasma-setup (mandatory in @kde-desktop)
is now the first-boot wizard and is not covered by firstboot --disable.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@kde-pim is optional and not selected, so all KDE PIM packages are
safe to exclude. Replaces the previous partial -akonadi-server/mysql
with the complete exclusion list matching cinnamon_fullsetup.cfg.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Anaconda's depsolve pulls in akonadi-server via kmymoney-libs (kmymoney
is an optional package in @office). Exclude the entire akonadi chain
so neither akonadi-server nor any package requiring it gets installed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Introduce NC_FLATPAK_APP and NC_FLATPAK_DIR variables so the app ID
and ~/.var/app path are defined once and referenced everywhere, rather
than repeated as literals. Also fixes a stray leading '/' in the
nextcloud.cfg grep path.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
git clean -fd scopes to the current directory and below, so running it
from the system_setup/ subdirectory missed untracked files in sibling
dirs like config/. Use -C "${SYSCONFIGPATH}" to always clean from the
repo root regardless of invocation directory.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace the broken `git rebase HEAD^` with a proper shallow fetch:
- `git fetch --depth=1` limits local history to one commit, regardless of server history
- `git reset --hard FETCH_HEAD` syncs the working tree to the fetched tip
- `git clean -fd` removes untracked non-ignored files left by old versions
- `git gc --prune=now` immediately purges unreachable history objects
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
obel1x
Daniel unbrot Pätzold
unbrot