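#!/usr/bin/env bash
#
# Writes two configuration files into the /usr/etc tree:
#   - /usr/etc/systemd/system/fprintd.service  (sandboxed fprintd unit)
#   - /usr/etc/tlp.d/50-framework.conf         (TLP power-saving settings)
#
# Needs write access to /usr/etc.
# NOTE(review): presumably run as root during an image build, with /usr/etc
# providing the defaults for /etc - confirm against the build pipeline.

# Stop on the first failing command, on any unset variable, and on a failure
# in any stage of a pipeline, so a half-written config is not left unnoticed.
set -euo pipefail

echo "Installing fprintd service"
mkdir -p /usr/etc/systemd/system/

# The heredoc delimiter is quoted so the unit text is written literally: the
# shell performs no parameter or command expansion on it. The redirection
# truncates and rewrites the target on every run.
#
# NOTE(review): a unit file of the same name under /etc/systemd/system
# replaces the packaged unit as a whole instead of merging with it (assuming
# /usr/etc is what populates /etc here - confirm). Sandboxing directives added
# to the packaged unit later will not take effect until this copy is updated.
# NOTE(review): the unit restricts address families but sets no
# PrivateNetwork=; confirm that omission is intentional.
# NOTE(review): the three DeviceAllow= lines and ReadWritePaths=/sys/devices
# are the write-capable exceptions to the lockdown below; re-check them
# whenever this unit is changed.
# NOTE(review): the file mode follows the caller's umask; confirm the build
# umask does not leave the unit group- or world-writable.
cat <<'EOL' >/usr/etc/systemd/system/fprintd.service
[Unit]
Description=Fingerprint Authentication Daemon
Documentation=man:fprintd(1)

[Service]
Type=dbus
BusName=net.reactivated.Fprint
ExecStart=/usr/libexec/fprintd

# Filesystem lockdown
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
# This always corresponds to /var/lib/fprint
StateDirectory=fprint
StateDirectoryMode=0700
ProtectHome=true
PrivateTmp=true

SystemCallFilter=@system-service

# Network
RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_NETLINK

# Execute Mappings
MemoryDenyWriteExecute=true

# Modules
ProtectKernelModules=true

# Real-time
RestrictRealtime=true

# Privilege escalation
NoNewPrivileges=true

# Protect clock, allow USB and SPI device access
ProtectClock=yes
DeviceAllow=char-usb_device rw
DeviceAllow=char-spi rw
DeviceAllow=char-hidraw rw

# Allow tuning USB parameters (wakeup and persist)
ReadWritePaths=/sys/devices

[Install]
WantedBy=multi-user.target
EOL

echo "Installing tlp config"
mkdir -p /usr/etc/tlp.d/

# Drop-in snippet for TLP. Same quoted-delimiter heredoc as above, so the
# '#' characters and the double quotes in the text are written verbatim.
# Lines starting with '#' are disabled parameters or commentary; only the
# uncommented KEY=value lines are active settings.
cat <<'EOL' >/usr/etc/tlp.d/50-framework.conf
# ------------------------------------------------------------------------------
# /etc/tlp.conf - TLP user configuration (version 1.4)
# See full explanation: https://linrunner.de/tlp/settings
#
# Settings are read in the following order:
#
# 1. Intrinsic defaults
# 2. /etc/tlp.d/*.conf - Drop-in customization snippets
# 3. /etc/tlp.conf - User configuration (this file)
#
# Notes:
# - In case of identical parameters, the last occurence has precedence
# - This also means, parameters enabled here will override anything else
# - However you may append values to a parameter already defined as intrinsic
#   default or in a previously read file: use PARAMETER+="add values"
# - IMPORTANT: all parameters here are disabled; remove the leading '#' if you
#   like to enable a feature without default or have a value different from the
#   default
# - Default *: intrinsic default that is effective when the parameter is missing
#   or disabled by a leading '#'; use PARAM="" to disable an intrinsic default
# - Default <none>: do nothing or use kernel/hardware defaults
# -
# ------------------------------------------------------------------------------
# tlp - Parameters for power saving
#
# Settings based on Framework's guidance: https://knowledgebase.frame.work/en_us/optimizing-fedora-battery-life-r1baXZh

# Select a CPU frequency scaling governor.
# Intel processor with intel_pstate driver:
#   performance, powersave(*).
# Intel processor with intel_cpufreq driver (aka intel_pstate passive mode):
#   conservative, ondemand, userspace, powersave, performance, schedutil(*).
# Intel and other processor brands with acpi-cpufreq driver:
#   conservative, ondemand(*), userspace, powersave, performance, schedutil(*).
# Use tlp-stat -p to show the active driver and available governors.
# Important:
#   Governors marked (*) above are power efficient for *almost all* workloads
#   and therefore kernel and most distributions have chosen them as defaults.
#   You should have done your research about advantages/disadvantages *before*
#   changing the governor.
# Default: <none>
CPU_SCALING_GOVERNOR_ON_AC=performance
CPU_SCALING_GOVERNOR_ON_BAT=powersave

# Set Intel CPU energy/performance policies HWP.EPP and EPB:
#   performance, balance_performance, default, balance_power, power.
# Values are given in order of increasing power saving.
# Notes:
# - HWP.EPP: requires kernel 4.10, intel_pstate scaling driver and Intel Core i
#   6th gen. or newer CPU
# - EPB: requires kernel 5.2 or module msr and x86_energy_perf_policy from
#   linux-tools, intel_pstate or intel_cpufreq scaling driver and Intel Core i
#   2nd gen. or newer CPU
# - When HWP.EPP is available, EPB is not set
# Default: balance_performance (AC), balance_power (BAT)
CPU_ENERGY_PERF_POLICY_ON_AC=performance
CPU_ENERGY_PERF_POLICY_ON_BAT=power

# Set Intel CPU P-state performance: 0..100 (%).
# Limit the max/min P-state to control the power dissipation of the CPU.
# Values are stated as a percentage of the available performance.
# Requires intel_pstate or intel_cpufreq driver and Intel Core i 2nd gen. or
# newer CPU.
# Default: <none>
CPU_MIN_PERF_ON_AC=0
CPU_MAX_PERF_ON_AC=100
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30

# Set the CPU "turbo boost" (Intel) or "turbo core" (AMD) feature:
#   0=disable, 1=allow.
# Note: a value of 1 does *not* activate boosting, it just allows it.
# Default: <none>
CPU_BOOST_ON_AC=1
CPU_BOOST_ON_BAT=0

# Set the Intel CPU HWP dynamic boost feature:
#   0=disable, 1=enable.
# Requires intel_pstate scaling driver in 'active' mode and Intel Core i
# 6th gen. or newer CPU.
# Default: <none>
CPU_HWP_DYN_BOOST_ON_AC=1
CPU_HWP_DYN_BOOST_ON_BAT=0

# Select platform profile:
#   performance, balanced, low-power.
# Controls system operating characteristics around power/performance levels,
# thermal and fan speed. Values are given in order of increasing power saving.
# Note: check the output of tlp-stat -p to determine availability on your
# hardware and additional profiles such as: balanced-performance, quiet, cool.
# Default: <none>
PLATFORM_PROFILE_ON_AC=performance
PLATFORM_PROFILE_ON_BAT=low-power

# Set the min/max/turbo frequency for the Intel GPU.
# Possible values depend on your hardware. For available frequencies see
# the output of tlp-stat -g.
# Default: <none>
INTEL_GPU_MIN_FREQ_ON_AC=100
INTEL_GPU_MIN_FREQ_ON_BAT=100
INTEL_GPU_MAX_FREQ_ON_AC=1300
INTEL_GPU_MAX_FREQ_ON_BAT=800
INTEL_GPU_BOOST_FREQ_ON_AC=1300
INTEL_GPU_BOOST_FREQ_ON_BAT=1100

# Wi-Fi power saving mode: on=enable, off=disable.
# Default: off (AC), on (BAT)
#WIFI_PWR_ON_AC=off
WIFI_PWR_ON_BAT=off

# PCIe Active State Power Management (ASPM):
#   default(*), performance, powersave, powersupersave.
# (*) keeps BIOS ASPM defaults (recommended)
# Default: <none>
#PCIE_ASPM_ON_AC=default
PCIE_ASPM_ON_BAT=powersupersave

# Exclude PCIe devices assigned to the listed drivers from Runtime PM.
# Note: this preserves the kernel driver default, to force a certain state
# use RUNTIME_PM_ENABLE/DISABLE instead.
# Separate multiple drivers with spaces.
# Default: "mei_me nouveau radeon", use "" to disable completely.
RUNTIME_PM_DRIVER_DENYLIST=""
EOL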