Notes on setting up and using secureblue

  • Installing:

    • Find a way to pass allow-discards when the installer creates the LUKS partition while installing Silverblue; otherwise it has to be fixed afterwards (see the LUKS notes under Miscellaneous/general OS).
  • Trivalent:

    • Enable the V8 Optimizer under Settings > Privacy and security, or JavaScript-heavy sites will run dog slow. It is off by default on purpose: the JIT is a major source of V8 exploits, which is why Chromium exposes the optimizer as a per-site content setting, so you can leave it off globally and allow it only on the sites you trust.
    • There will still be a JavaScript performance penalty from the other mitigations, but it only shows up in benchmarks and is negligible in day-to-day use.
    • Enable extension support in settings and install uBlock Origin Lite.
    • Disable aggressive popup blocking and intrusive ad blocking
    • Enable WebGL and 3D APIs under Settings > Privacy and security if you need them; they are off by default because they hand web content a path into GPU driver code.
    • If you select DuckDuckGo as your default search engine, it will make your new tab page load DuckDuckGo partially for some reason...
    • That's it for now
  • Flatpak:

    • Run ujust flatpak-permissions-lockdown if you want, but it seems like it would make flatpaks completely unusable
    • It's recommended to add the normal flathub repo, but install from the included flatpak-verified repo whenever possible: the verified subset only carries apps published by their upstream developers (or someone they approved), while the full repo also contains third-party repackagings that you would have to vet yourself.
    • Try not to install any flatpaks system-wide; stick to user installs (flatpak install --user), which need no privileges and keep the system deployment untouched.
    • You may have to use Flatseal to remove the LD_PRELOAD override that injects hardened_malloc in order to get some Flatpaks to run, for example Firefox. Do that per app rather than globally, so the rest of your Flatpaks keep the hardened allocator.
    • Secureblue website actually has OK documentation on how to use Flatpak.
  • Miscellaneous/general OS:

    • Read the FAQ. Seriously. Do it early and often.
    • Also read the secureblue GitHub, especially the issues. If you run into a problem, the answer will be there more often than you think.
    • If your belief system allows you to use Discord, join the secureblue Discord channel. There is an active community of users, and the developers are very nice and prompt in answering questions.
    • There's no sudo; it has been replaced by run0, which is essentially a drop-in replacement with systemd and polkit integration. The differences that bite: it isn't a setuid binary but asks polkit for authorization and runs the command as a transient service unit, so your environment is not passed through the way sudo does (run0 has --setenv for the variables a command really needs).
      • Just run run0 with no arguments to drop to a root shell.
    • Follow all the post-install instructions on the website, but skip:
      • The USBGuard setup unless you have a highly restrictive threat model
      • Separate wheel account setup. Decide whether you want to do that after you've used the OS for a while.
      • Bash environment lockdown. This makes it impossible to edit your .bashrc, which is fine if you don't care about customizing your shell.
      • Flatpak permissions tuning (for reasons outlined above)
      • Skip disabling simultaneous multithreading (SMT) and skip all of the unstable kargs when doing the hardened kargs step.
    • If you didn't enable discards when setting up LUKS on install, then you should either:
      • Modify the LUKS2 header so the flag is persisted, by running (as root, so via run0) cryptsetup --allow-discards --persistent refresh luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where the argument is the device-mapper name shown by lsblk; afterwards cryptsetup status on that name should list discards under flags.
      • Use rpm-ostree to modify the kernel command line so dracut opens the container with discards allowed, by running rpm-ostree kargs --append=rd.luks.options=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx=discard; this takes effect on the next boot.
      • Obviously use the actual UUID of your LUKS partition (lsblk -f or cryptsetup luksUUID on the partition prints it) and not all of those x's.
      • Be aware of the trade-off: with discards enabled, the pattern of unused blocks becomes visible through the encryption layer, so someone with the raw disk can learn the filesystem's free-space layout and how full it is. On an SSD the wear-levelling and performance benefit is usually worth it, but it's a choice, not a free lunch.
    • Enable fstrim.timer after confirming TRIM/discards work (fstrim -v / should report bytes trimmed rather than complain that the discard operation is not supported).
    • If you want to run containers using podman (which comes installed by default), run ujust toggle-container-domain-userns-creation
    • You will want to enable CUPS by running ujust toggle-cups if you care about printing.
    • If you want to use geolocation services, you need to run systemctl unmask geoclue.service. Don't enable the service through systemctl, though; GNOME starts it on demand via D-Bus activation once it's unmasked.
    • Run ujust toggle-gnome-extensions if you want to use GNOME extensions.
      • Don't install the GNOME extensions Chrome extension though. Just download the archives for the extensions you want to install, and then install them manually by running gnome-extensions install <archive>
    • To upgrade the system, run rpm-ostree upgrade. The new deployment is staged and only becomes active after a reboot.
      • Secureblue comes with a systemd timer/service enabled by default that runs rpm-ostree upgrade automatically in the background at a set interval, usually daily. So you usually don't have to run a system upgrade manually (unless you're neurotic about upgrades like me).
    • To get Tor Browser working, you have to run its launcher script from the shell and with hardened_malloc disabled (i.e. by running ujust with-standard-malloc <launcher script>). There might be some way to modify the bundled Tor Browser .desktop file so that you can launch it The Normal Way™, but I got too annoyed by trying to get it to work and gave up.
    • Set the ELECTRON_OZONE_PLATFORM_HINT=auto environment variable in your login shell/profile/whatever and globally in Flatseal to make Electron apps use Wayland instead of XWayland (Electron 28 and newer only). Besides looking right, native Wayland clients don't get the X11 ability to snoop other windows' input or contents.
  • Setting up development environments:

    • Flatpaks greatly change and/or complicate the usage of IDEs
      • IDEs installed through Flatpak can't access toolchains installed on the host system
      • You have to install other Flatpaks with specific toolchains (e.g. the Flatpak for Python) so that IDEs can use them
      • This means toolchains will be duplicated if they are installed on the host
      • You can't use tooling installed on the host system either (uv, npm, cargo, etc.).
      • You can't even use the host shell/environment.
      • The way around this is to use "dev containers", toolbox, distrobox etc. but it seems like a lot of work and a major departure from The Way It's Always Been Done™
        • It's probably better and more modern in the long run though. Moral of the story? Change is hard.
    • I tried doing it the newfangled way (as described above) but ended up giving up and "cheating" and installed VSCode using rpm-ostree from the official Microsoft repository. It works great and in the "traditional" way.
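The LUKS discard checks under Miscellaneous/general OS, as an added example that is not part of the original notes or of the secureblue project: shell helpers that parse cryptsetup status and fstrim output, validate the UUID before it goes into a kernel argument, and wrap the cryptsetup refresh step. The UUID, mapping name and command outputs below are constructed placeholders; the refresh function needs root (run0) and a real device.

```shell
#!/bin/sh
# Helpers for the secureblue LUKS discard notes (added example, not project code).
# The UUID, mapping name and command outputs below are constructed for illustration.

# Succeeds if `cryptsetup status <mapping>` output on stdin lists the discards
# flag. cryptsetup prints a "flags:" line only when at least one flag is set,
# so its absence means discards are off for the active mapping.
has_discards() {
    grep -Eq '^[[:space:]]*flags:.*[[:space:]]discards([[:space:],]|$)'
}

# Succeeds if `fstrim -v <mountpoint>` output on stdin reports a trim. When
# discards are not enabled end to end, fstrim fails with
# "the discard operation is not supported" and prints nothing of this shape.
fstrim_worked() {
    grep -Eq '^[^:]+: .*bytes.*trimmed'
}

# Prints the dracut argument for the kernel-command-line method after checking
# that the argument really is a UUID (lowercase, as cryptsetup luksUUID prints
# it), so a typo never ends up on /proc/cmdline.
luks_discard_karg() {
    uuid=$1
    if ! printf '%s' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "luks_discard_karg: not a LUKS UUID: $uuid" >&2
        return 1
    fi
    printf 'rd.luks.options=%s=discard\n' "$uuid"
}

# Real-system step (run as root via run0, with the mapping name lsblk shows):
# persist the flag in the LUKS2 header, then confirm it took.
enable_discards_persistent() {
    mapping=$1    # device-mapper name, e.g. luks-<UUID>
    cryptsetup --allow-discards --persistent refresh "$mapping" &&
        cryptsetup status "$mapping" | has_discards
}

# Constructed sample of `cryptsetup status luks-<UUID>` before discards...
SAMPLE_UUID=00000000-1111-2222-3333-444444444444
STATUS_BEFORE="/dev/mapper/luks-$SAMPLE_UUID is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/nvme0n1p3
  sector size:  512
  offset:  32768 sectors
  size:    1000000000 sectors
  mode:    read/write"
# ...and after `cryptsetup --allow-discards --persistent refresh`.
STATUS_AFTER="$STATUS_BEFORE
  flags:   discards"
# Constructed `fstrim -v /` output once discards work end to end.
FSTRIM_OK="/: 19.2 GiB (20620427264 bytes) trimmed on /dev/mapper/luks-$SAMPLE_UUID"

# Walk through the checks on the samples.
report_discards() {    # $1 = label, stdin = cryptsetup status output
    if has_discards; then echo "$1: discards on"; else echo "$1: discards off"; fi
}
printf '%s\n' "$STATUS_BEFORE" | report_discards before
printf '%s\n' "$STATUS_AFTER"  | report_discards after
printf '%s\n' "$FSTRIM_OK" | fstrim_worked && echo "fstrim: trim worked"
echo "karg to append: $(luks_discard_karg "$SAMPLE_UUID")"
```

On a real box the order is: run enable_discards_persistent (or append the karg and reboot), then pipe the real cryptsetup status output through has_discards, then fstrim -v / through fstrim_worked, and only then enable fstrim.timer.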
