feat: disable ghns by default

FAQ.md

@@ -54,10 +54,16 @@ To use flatpak steam you need to:
 - Be on a [userns](USERNS.md) variant
 - Remove `LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so` from flatpak steam's environment variables in Flatseal
 
-#### How do I enable bluetooth kernel modules?
+#### Why are bluetooth kernel modules disabled? How do I enable them?
 
-Run `ujust toggle-bluetooth-modules`
+Bluetooth has a long and consistent history of security issues. However, if you still need it, run `ujust toggle-bluetooth-modules`
 
 #### Why are upgrades so large?
 
 https://universal-blue.org/faq/?h=diff#why-does-it-download-more-changes-than-it-seems-like-it-should
+
+#### Why can't I install new KDE themes?
+
+The functionality that provides this, called GHNS, is disabled by default due to the risk posed by the installation of potentially damaging or malicious scripts. This has caused [real damage](https://blog.davidedmundson.co.uk/blog/kde-store-content/). 
+
+If you still want to enable this functionality, run `ujust toggle-ghns`

README.md

@@ -39,6 +39,7 @@ Hardening applied:
 - Installing chkrootkit, usbguard, and bubblejail
 - Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
 - Configure chronyd to use Network Time Security (NTS) <sup>[using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf)</sup>
+- Disable KDE GHNS by default <sup>[why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/)</sup>
 - (Non-userns variants) Disabling unprivileged user namespaces
 - (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
 

config/files/kinoite/usr/etc/xdg/kdeglobals

@@ -0,0 +1,2 @@
+[KDE Action Restrictions][$i]
+ghns=false

config/files/usr/share/ublue-os/just/60-custom.just

@@ -69,4 +69,22 @@ toggle-bluetooth-modules:
       sudo sh -c 'echo "install btusb /sbin/modprobe --ignore-install btusb" >> "$1"' _ "$BLUE_MOD_FILE"
       sudo chmod 644 $BLUE_MOD_FILE
       echo "Bluetooth kernel modules enabled. Reboot to take effect."
-    fi
+    fi
+
+# Toggle GHNS (KDE Get New Stuff)
+toggle-ghns:
+    #!/usr/bin/pkexec /usr/bin/bash
+    KDE_GLOBALS_FILE="/etc/xdg/kdeglobals"
+    if test -e $KDE_GLOBALS_FILE; then
+      if grep -q "ghns=false" "$KDE_GLOBALS_FILE"; then
+        sed -i "s/ghns=false/ghns=true/" "$KDE_GLOBALS_FILE"
+        echo "GHNS enabled."
+      elif grep -q "ghns=true" "$KDE_GLOBALS_FILE"; then
+        sed -i "s/ghns=true/ghns=false/" "$KDE_GLOBALS_FILE"
+        echo "GHNS disabled."
+      else 
+        echo "The kdeglobals file is missing the ghns toggle."
+      fi
+    else
+      echo "No kdeglobals file found. Are you on kinoite?"
+    fi