Note: This guide is intended to guide you, not hold your hand. You must be willing to read documentation and always inspect what you are running. Trust, but verify.
System Requirements
This deployment guide is written specifically for Fedora KDE Plasma. Following the steps as written keeps the procedure aligned with the DNF package manager and the systemd user-session architecture.
I. Installation Prerequisites
Establish a baseline of physical security during the initial OS deployment:
- Validate the installer ISO checksum.
- Flash the image via Rufus.
- Enable Full Disk Encryption (FDE).
Example Complex Passphrase (illustrative only; generate your own):
Aside6!-Pack7%-Plus2^-Forgot8)-Hay0|-Chair4>
Administrative Policy: Do not enable a dedicated root account; utilize sudo for all privileged operations.
II. Post-Installation Environment
Standardize the local environment for secure credential management following the initial boot:
sudo dnf update -y
Deploy the primary credential manager (KeePassXC):
sudo dnf install keepassxc -y
- Establish a secure Wi-Fi connection.
- Synchronize repositories via the Discover application store.
- Import records into a KeePassXC database stored under /home/[user]/Vault.
- Purge intermediate export files immediately.
III. Encrypted Cloud Integration (rclone)
Install the rclone utility and initiate the configuration wizard:
sudo dnf install rclone
rclone config
Step A: Base Remote (gdrive)
- Action: n (New remote)
- Name: gdrive
- Storage: 24 (Google Drive)
- Client ID/Secret: Provide your own Google API client ID and secret (do not rely on rclone's built-in keys).
- Scope: Full access (Option 1).
- OAuth: Use web browser to authorize; save and keep remote.
Step B: Encryption Layer (crypt)
- Action: n (New remote)
- Name: crypt
- Storage: 16 (Encrypt/Decrypt a remote)
- Remote to encrypt: gdrive:encrypted-bucket
- Filename Encryption: 1 (Encrypted)
- Directory Encryption: 1 (Encrypted)
- Security: Provide a strong passphrase and salt; confirm and exit.
Security Reasoning for Permission Hardening: rclone.conf stores the API client ID and secret in plain text, and the crypt passphrase and salt in a reversible obscured form. Restricting the file to mode 600 ensures only the owner can read or modify these credentials.
chmod 600 ~/.config/rclone/rclone.conf
IV. Persistence via Systemd
Automate the cloud mount as a user-level service:
mkdir -p ~/.config/systemd/user/
sudo dnf install vim
vim ~/.config/systemd/user/rclone@.service
Apply the service unit configuration (i to insert, :wq to save):
# Mounts remote "%i" (here: crypt) at ~/mnt/%i. Type=notify makes systemd
# wait until rclone reports the mount as ready, so units ordered After=
# this one can rely on the mount point existing.
[Unit]
Description=rclone: Remote FUSE filesystem for cloud storage config %i
Documentation=man:rclone(1)
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
ExecStartPre=-/usr/bin/mkdir -p %h/mnt/%i
# --allow-other requires user_allow_other in /etc/fuse.conf (set below) and,
# together with --umask 022, lets other local accounts read the mount;
# use --umask 077 if only this user needs access. The log is written to
# world-visible /tmp; %t/rclone-%i.log would keep it in the user's runtime dir.
ExecStart= \
  /usr/bin/rclone mount \
  --config=%h/.config/rclone/rclone.conf \
  --vfs-cache-mode writes \
  --vfs-cache-max-size 100M \
  --log-level INFO \
  --log-file /tmp/rclone-%i.log \
  --umask 022 \
  --allow-other \
  %i: %h/mnt/%i
ExecStop=/bin/fusermount -u %h/mnt/%i
Restart=on-failure

[Install]
WantedBy=default.target
Modify FUSE settings and enable the service:
sudo vim /etc/fuse.conf
Uncomment "user_allow_other"
systemctl --user daemon-reload
systemctl --user enable --now rclone@crypt
V. Real-Time Vault Synchronization
Deploy a background agent that mirrors the local KeePassXC database into the encrypted mount, using inotify-tools:
sudo dnf install inotify-tools
mkdir -p ~/.config/scripts
vim ~/.config/scripts/syncpass.sh
Synchronization Script Logic:
#!/bin/bash
# Watches the local vault and mirrors every change into the crypt mount.
SOURCE="$HOME/Vault/"
MOUNT="$HOME/mnt/crypt"
DEST="$MOUNT/Vault"
# A plain -d test passes on the empty directory that ExecStartPre creates
# even when nothing is mounted, so test for an actual mount point.
if ! mountpoint -q "$MOUNT"; then
    echo "Error: Destination mount not found." >&2
    exit 1
fi
# Bring the remote copy up to date once before waiting for events.
rsync -avz --delete "$SOURCE" "$DEST"
while inotifywait -q -r -e modify,create,delete,move "$SOURCE"; do
    # Re-check on every event so a vanished mount is never written to as a local directory.
    mountpoint -q "$MOUNT" || { echo "Error: mount disappeared." >&2; exit 1; }
    rsync -avz --delete "$SOURCE" "$DEST"
    echo "Sync completed at $(date)"
done
Apply permissions and enable the watcher unit:
chmod +x ~/.config/scripts/syncpass.sh
vim ~/.config/systemd/user/vault-watcher.service
Apply the watcher configuration:
[Unit]
Description=Watch folder for changes and rsync
# Without ordering, both units start in parallel at login and the condition
# below is evaluated before the mount is ready; a failed condition skips the
# unit silently and Restart= does not retry it.
After=rclone@crypt.service
Requires=rclone@crypt.service
ConditionPathIsMountPoint=%h/mnt/crypt

[Service]
Type=simple
ExecStart=%h/.config/scripts/syncpass.sh
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
systemctl --user daemon-reload
systemctl --user enable --now vault-watcher.service
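Once sections III to V are in place, the following script, an added example that is not part of the original guide, verifies the security-relevant settings they introduce: the rclone.conf mode, the uncommented user_allow_other line, that the crypt remote actually wraps gdrive, the live mount, and the watcher unit. It assumes the remote names and paths used above; the function and variable names are the example's own.

```shell
#!/bin/bash
# Post-deployment checks for the rclone/KeePassXC setup above (added example).
# Assumes remote names "gdrive" and "crypt" and the paths used in this guide.

# rclone.conf must be mode 0600: owner read/write only.
check_conf_mode() {
    local conf="$1"
    [ -f "$conf" ] || return 1
    [ "$(stat -c '%a' "$conf")" = "600" ]
}

# /etc/fuse.conf needs an uncommented user_allow_other line, otherwise the
# --allow-other flag in the mount unit makes the mount fail.
check_fuse_conf() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# The crypt remote must exist and wrap the base remote (type = crypt,
# remote = gdrive:...), so nothing reaches gdrive unencrypted.
check_crypt_remote() {
    local conf="$1" name="$2" base="$3"
    awk -v sec="[$name]" -v base="$base" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && $1 == "type"   && $3 == "crypt"            { t = 1 }
        in_sec && $1 == "remote" && index($3, base ":") == 1 { r = 1 }
        END { exit !(t && r) }
    ' "$conf"
}

# report NAME CMD...: print pass/fail for one check and count failures.
report() {
    local name="$1"; shift
    if "$@"; then echo "ok   $name"; else echo "FAIL $name"; FAILS=$((FAILS + 1)); fi
}

# Run every check against the live system; returns the number of failures.
run_all_checks() {
    FAILS=0
    local conf="$HOME/.config/rclone/rclone.conf"
    report "rclone.conf is mode 0600"        check_conf_mode "$conf"
    report "fuse.conf sets user_allow_other" check_fuse_conf /etc/fuse.conf
    report "crypt remote wraps gdrive"       check_crypt_remote "$conf" crypt gdrive
    report "crypt is mounted at ~/mnt/crypt" mountpoint -q "$HOME/mnt/crypt"
    report "vault-watcher is active"         systemctl --user --quiet is-active vault-watcher.service
    return "$FAILS"
}
# Invoke with RUN_CHECKS=1 so the functions can also be sourced unchanged.
if [ "${RUN_CHECKS:-0}" = "1" ]; then run_all_checks; fi
```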
VI. Firefox Configuration & Hygiene
Isolate credentials from the browser session:
- Disable "Ask to save passwords" in settings.
- Optionally connect the browser to KeePassXC via the official KeePassXC-Browser extension.