From 063011d404f3077fb988345a8e84687d835b9948 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?=
Date: Thu, 7 May 2026 15:47:14 +0200
Subject: [PATCH 1/7] 0030_desktop_symbols does not need root for installing
---
 client_software/0030_desktop_symbols/install.sh | 15 ---------------
 client_software/0030_desktop_symbols/user_run.sh | 8 ++++++++
 2 files changed, 8 insertions(+), 15 deletions(-)
 delete mode 100755 client_software/0030_desktop_symbols/install.sh
 create mode 100755 client_software/0030_desktop_symbols/user_run.sh
diff --git a/client_software/0030_desktop_symbols/install.sh b/client_software/0030_desktop_symbols/install.sh
deleted file mode 100755
index 966cf48..0000000
--- a/client_software/0030_desktop_symbols/install.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env sh
-# SPDX-FileCopyrightText: Daniel Pätzold
-# SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# Sofwareinstallation script for Nextcloud Talk.
-#
-
-#Check for root
-if [ "$EUID" -ne 0 ]; then
- echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
- exit 1
-fi
-
-cp -n *.desktop $SUDO_HOME/Schreibtisch
-chown $SUDO_USER:$SUDO_USER $SUDO_HOME/Schreibtisch/*.desktop
diff --git a/client_software/0030_desktop_symbols/user_run.sh b/client_software/0030_desktop_symbols/user_run.sh
new file mode 100755
index 0000000..67bbdf6
--- /dev/null
+++ b/client_software/0030_desktop_symbols/user_run.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+# SPDX-FileCopyrightText: Daniel Pätzold
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# Copies the included Desktop files to the Desktop
+#
+
+cp -n *.desktop $HOME/Schreibtisch
From 49a998fc12b768ed1ac9db383b8e3a0a065368b0 Mon Sep 17 00:00:00 2001
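Review bot: The new `cp -n *.desktop $HOME/Schreibtisch` in user_run.sh leaves `$HOME` unquoted and resolves the glob against whatever the working directory happens to be, so a home path with whitespace, or a caller that does not change into the package directory first, copies the wrong files or none at all. If `Schreibtisch` does not exist and only one launcher matches, cp creates a regular file of that name instead of failing. I would anchor the glob to the script's own directory and make the target explicitly a directory: `cp -n -- "$(dirname "$0")"/*.desktop "${HOME}/Schreibtisch/"`. The hard-coded German folder name also misses the desktop on other locales; `xdg-user-dir DESKTOP` resolves it where that tool is installed.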
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 7 May 2026 16:17:56 +0200 Subject: [PATCH 2/7] Mozilla_pre: Make Firefox profile customizable --- .gitignore | 6 ++---- client_software/0020_nextcloud_mozilla_pre/user_run.sh | 3 +++ system_setup/config.dist/setup_system.conf.dist | 10 ++++++++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index ea0f5de..b617e87 100644 --- a/.gitignore +++ b/.gitignore @@ -3,10 +3,8 @@ .kdev4/* client_software/.sync_*.db client_software/setup_system.conf -config/setup_system.conf -config/*.bak -config/skel.tar.zst -config/.sync_*.db +config/* +!config/README.md config.d/*.conf config.d/*.sys config.d/*.bak diff --git a/client_software/0020_nextcloud_mozilla_pre/user_run.sh b/client_software/0020_nextcloud_mozilla_pre/user_run.sh index ac2a392..6a30af3 100755 --- a/client_software/0020_nextcloud_mozilla_pre/user_run.sh +++ b/client_software/0020_nextcloud_mozilla_pre/user_run.sh @@ -21,6 +21,9 @@ from webdav3.client import Client #Variables thunderbird_tar = os.path.dirname(__file__) + '/thunderbird.tar.zst' firefox_tar = os.path.dirname(__file__) + '/firefox.tar.zst' +#If defined, use another Profile for that Company +if 'PROFILE_FIREFOX_TAR_FILE' in environ: + firefox_tar=environ['PROFILE_FIREFOX_TAR_FILE'] firefoxhome_path = environ['HOME'] + "/.config/mozilla/firefox" firefoxhome_profile_src = os.path.dirname(__file__) + '/profiles_ff.ini' firefoxhome_profile_dst = firefoxhome_path + '/profiles.ini' diff --git a/system_setup/config.dist/setup_system.conf.dist b/system_setup/config.dist/setup_system.conf.dist index 9a0afc3..bede8c8 100644 --- a/system_setup/config.dist/setup_system.conf.dist +++ b/system_setup/config.dist/setup_system.conf.dist 
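Review bot: The override test `'PROFILE_FIREFOX_TAR_FILE' in environ` is also true for an empty value, and setup_system.conf.dist in this same patch exports `PROFILE_FIREFOX_TAR_FILE=""` by default, so with the shipped configuration `firefox_tar` becomes an empty string instead of the bundled firefox.tar.zst. Testing for a non-empty value keeps the default working: `firefox_tar = environ.get('PROFILE_FIREFOX_TAR_FILE') or firefox_tar`. The archive is presumably unpacked into the user's Firefox profile further down (outside this hunk), so it is also worth checking that the path is an existing regular file and logging which archive was selected, so a stray environment value cannot silently swap the profile.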
@@ -68,12 +68,18 @@ if [ "$EUID" -ne 0 ]; then export CLIENT_DATA_SYNC_DECLARE="$(declare -p CLIENT_DATA_SYNC)" # Do not remove #End of Sync Folder for nextcloud client - #Firefox Profiles of the User + #Firefox Profiles export PROFILE_FIREFOX_RESET_LOCAL="true" # Set this to wipe ~/.mozilla each time if you don't want users to setup their own firefox profile + # Optional: own Firefox profile used for this company if given as default + # You may use any tar file, that contains a valid firefox profile set up to your companies need. + # As example look at 0020_nextcloud_mozilla_pre/firefox.tar.zst + # You should put it under e.g SYSCONFIGPATH and than use the filepath relative. e.g. "${SYSCONFIGPATH}/firefox.tar.zst" + export PROFILE_FIREFOX_TAR_FILE="" + #Mozilla profile paths on Nextcloud Server. Syncs your profiles to Nextcloud. export PROFILE_FIREFOX_SRC="mozilla_profiles/firefox" export PROFILE_FIREFOX_DST="${DECRYPTEDDATADIR}/firefox" - #Thunderbird Profiles + #Thunderbird Profiles to also be synced export PROFILE_TB_SRC="mozilla_profiles/thunderbird" export PROFILE_TB_DST="${DECRYPTEDDATADIR}/thunderbird" From fdc2a4458210d498dc8c2232740b97089940f773 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 7 May 2026 16:43:26 +0200 Subject: [PATCH 3/7] install: given repo url will be used intead of already existing ones --- system_setup/install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/system_setup/install.sh b/system_setup/install.sh index c201a3b..d8e0e9b 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh 
@@ -361,8 +361,12 @@ if [[ -n "$EXISTING_OEMDRV_DEV" ]]; then fi if [[ -f "$MOUNT_POINT/system_setup/setup_system.inc.sh" && -f "$MOUNT_POINT/config/setup_system.conf" ]]; then + if [ ! -z $REPO_URL ]; then BACK_REPO_URL="$REPO_URL"; fi + if [ ! -z $REPO_BRANCH ]; then BACK_REPO_BRANCH="$REPO_BRANCH"; fi info "Reading existing configuration from ${MOUNT_POINT} ..." source "$MOUNT_POINT/system_setup/setup_system.inc.sh" + if [ ! -z $BACK_REPO_URL ]; then REPO_URL="$BACK_REPO_URL"; fi + if [ ! -z $BACK_REPO_BRANCH ]; then REPO_BRANCH="$BACK_REPO_BRANCH"; fi fi # ── Check existing git repository origin ────────────────────────────── From 4da2a3fa69aa34147a9c4f41b4e971aa5de61e58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 7 May 2026 17:02:19 +0200 Subject: [PATCH 4/7] mount_ecrypt_home: unmount gocryptfs cleanly on session logout Switch from --scope to a transient service so systemd can run fusermount -u via ExecStop before terminating the process. With KillMode=none, gocryptfs exits on its own once the FUSE filesystem is detached. Co-Authored-By: Claude Sonnet 4.6 --- system_setup/mount_ecrypt_home.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh index a0820c1..0367822 100755 --- a/system_setup/mount_ecrypt_home.sh +++ b/system_setup/mount_ecrypt_home.sh 
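Review bot: The save/restore guards `[ ! -z $REPO_URL ]` expand their variables unquoted, so a URL or branch containing whitespace or glob characters turns the test into a syntax error and the caller-supplied value is silently replaced by the one from the sourced file. `BACK_REPO_URL` and `BACK_REPO_BRANCH` are also never cleared, so a value inherited from the environment overrides the stored configuration even when no repo URL was passed. Assigning unconditionally before the `source` with `BACK_REPO_URL="${REPO_URL:-}"` and restoring with `if [[ -n "$BACK_REPO_URL" ]]; then REPO_URL="$BACK_REPO_URL"; fi` avoids both and matches the `[[ ]]` style of the surrounding lines. The enclosing `if [[ -n "$EXISTING_OEMDRV_DEV" ]]` block starts outside the hunk.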
@@ -93,7 +93,10 @@ if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs
 mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
 gocryptfs -init -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
 fi
-systemd-run --user --scope --unit=gocryptfs-home \
+systemd-run --user --unit=gocryptfs-home \
+ --property="ExecStop=/usr/bin/fusermount -u ${DECRYPTEDDATADIR}" \
+ --property=KillMode=none \
+ --property=TimeoutStopSec=30 \
 gocryptfs -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
 RETVAL=$?
 rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
From 588f669a603ab5be788642d37e41cc345bf76ba3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?=
Date: Thu, 7 May 2026 17:10:27 +0200
Subject: [PATCH 5/7] logon_script: gate KDE-specific settings on XDG_CURRENT_DESKTOP Wrap kwriteconfig5 calls in a KDE check so they are skipped on Cinnamon and other desktops. Also add empty-session setting so previous apps are not restored on login.
Co-Authored-By: Claude Sonnet 4.6
---
 system_setup/logon_script.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/system_setup/logon_script.sh b/system_setup/logon_script.sh
index 26697ad..756d415 100755
--- a/system_setup/logon_script.sh
+++ b/system_setup/logon_script.sh
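Review bot: The added `--property="ExecStop=/usr/bin/fusermount -u ${DECRYPTEDDATADIR}"` is parsed a second time by systemd rather than by the shell, so a mount path containing whitespace, `%` or `$` is split or expanded differently from what the script intends and the unmount at logout can miss the mount point. `KillMode=none` is marked deprecated in the systemd documentation and leaves gocryptfs running whenever that unmount fails (for example with a busy mount), which means the decrypted view can outlive the session. Since systemd runs ExecStop before it signals the remaining processes, the default kill mode together with `TimeoutStopSec=30` may already give the behaviour wanted here; that is worth testing. The unquoted `${XDG_RUNTIME_DIR}/IPAVAULTKEY` and directory arguments on the gocryptfs line deserve quotes for the same reason.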
@@ -47,9 +47,12 @@ if [[ $? -ne 0 ]]; then echo "Error: python3-ipaclient is not installed. Please install it via: sudo dnf install python3-ipaclient" fi -#TODO C: Check if Desktop is KDE/Plasma and support other Displays -# Make kdesu use sudo -kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo >/dev/null 2>&1 +if [ "${XDG_CURRENT_DESKTOP}" = "KDE" ]; then + # Start each session empty (not restoring previous apps) - avoids stale mounts and autostart conflicts + kwriteconfig5 --file ksmserverrc --group General --key loginMode 2 >/dev/null 2>&1 + # Make kdesu use sudo + kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo >/dev/null 2>&1 +fi # Mount the private Directory elog_add_command "${SYSCONFIGPATH}/system_setup/mount_ecrypt_home.sh" From 815fa46daa2d400b0c0804025b2497f3b2806701 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 7 May 2026 17:39:55 +0200 Subject: [PATCH 6/7] mount_ecrypt_home: wait for FUSE mount before removing passfile systemd-run service mode returns as soon as the start request is accepted, before gocryptfs has read the passfile. Poll /proc/mounts for up to 10 seconds so the passfile is only removed after the mount is confirmed. Co-Authored-By: Claude Sonnet 4.6 --- system_setup/mount_ecrypt_home.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh index 0367822..537023a 100755 --- a/system_setup/mount_ecrypt_home.sh +++ b/system_setup/mount_ecrypt_home.sh 
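Review bot: The guard `[ "${XDG_CURRENT_DESKTOP}" = "KDE" ]` matches only the exact string, while XDG_CURRENT_DESKTOP is specified as a colon-separated list, so a session that reports another entry alongside `KDE` skips both settings without any message. A pattern match covers that case: `case ":${XDG_CURRENT_DESKTOP}:" in *:KDE:*) ... ;; esac`. Both `kwriteconfig5` calls discard their output and exit status, so on an installation that only ships `kwriteconfig6` the empty-session and kdesu settings are silently not applied; a `command -v kwriteconfig5` check with a logged warning would make that visible. The `loginMode 2` value would also benefit from a comment naming the mode it selects.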
@@ -99,7 +99,14 @@ systemd-run --user --unit=gocryptfs-home \
 --property=TimeoutStopSec=30 \
 gocryptfs -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
 RETVAL=$?
-rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
+# Service starts asynchronously - wait for the FUSE mount to appear before removing
+# the passfile, otherwise gocryptfs may not have read it yet
+_t=0
+while [ "${_t}" -lt 10 ] && ! grep -q "${DECRYPTEDDATADIR}" /proc/mounts 2>/dev/null; do
+ sleep 1
+ _t=$((_t + 1))
+done
+rm -f ${XDG_RUNTIME_DIR}/IPAVAULTKEY
 cd ${EXECDIR}
 if [ ${RETVAL} -eq 0 ]; then
 echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
From b9d13e821dfc64d9d6caffb19915b9b758299d2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?=
Date: Thu, 7 May 2026 17:55:28 +0200
Subject: [PATCH 7/7] mount_ecrypt_home: run gocryptfs in foreground to fix premature ExecStop Without -fg, gocryptfs forks to background and the parent exits, causing systemd to consider the service done and immediately call ExecStop (fusermount -u). With -fg, gocryptfs stays as the tracked service process so ExecStop only fires on explicit service stop at logout.
Co-Authored-By: Claude Sonnet 4.6
---
 system_setup/mount_ecrypt_home.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh
index 537023a..2f1d35a 100755
--- a/system_setup/mount_ecrypt_home.sh
+++ b/system_setup/mount_ecrypt_home.sh
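Review bot: When the 10-second poll runs out without the mount appearing, the script still deletes the passfile and then prints the success message, because `RETVAL` holds only the exit status of `systemd-run` (start request accepted) and not the outcome of the mount. The test `grep -q "${DECRYPTEDDATADIR}" /proc/mounts` also treats the path as a regular expression and matches substrings, so an unrelated mount whose path contains it ends the wait early and the key file is removed before gocryptfs has read it. I would poll with `mountpoint -q "${DECRYPTEDDATADIR}"` and add `if ! mountpoint -q "${DECRYPTEDDATADIR}"; then RETVAL=1; fi` after the loop so a timeout is reported as a failure. The `if [ ${RETVAL} -eq 0 ]` block continues outside the hunk.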
@@ -97,7 +97,7 @@ systemd-run --user --unit=gocryptfs-home \
 --property="ExecStop=/usr/bin/fusermount -u ${DECRYPTEDDATADIR}" \
 --property=KillMode=none \
 --property=TimeoutStopSec=30 \
- gocryptfs -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
+ gocryptfs -fg -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
 RETVAL=$?
 # Service starts asynchronously - wait for the FUSE mount to appear before removing
 # the passfile, otherwise gocryptfs may not have read it yet
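Review bot: The `-fg` flag added to the gocryptfs line decides when the unit's ExecStop runs, but nothing in the script records that, so a later cleanup that drops the flag would bring back the immediate unmount described in the commit message. I would add a comment above the `systemd-run` call, for example `# -fg keeps gocryptfs as the unit's main process; without it systemd runs ExecStop (fusermount -u) right after start`. The `systemd-run` call itself starts outside the hunk.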