Migrating from Kubuntu to Kinoite

I have 10 workstations in 10 different locations that run Kubuntu LTS. It works great (except some minor issues with Wifi printers), but Canonical pushes Snaps so hard that it leaves me wondering: if I have to use snap/flatpak anyways, why not use an immutable distro then? I did research and it seems most things should work as expected, but can someone confirm that an immutable KDE distro will meet all these requirements?

  1. Auto updates. Workstations are being used by non-admin users, and admin only visits office once or twice a year, so OS should be able to auto update everything in background (OS components and Flatpaks) without any user interaction while being run by non-admin. It can be achieved by editing etc/dnf/automatic.conf, right?

  2. Disabled USB storage. I know it can be done via UEFI, but I also need to do it in OS level. Will adding a rule in etc/modprobe.d/ work?

  3. All http traffic routed via local proxy. In short, I have to block all websites except specific ones. In Kubuntu, I do this by installing Squid, setting system proxy to 127.0.0.1 in /etc/environment and locking Firefox configuration with help of policy JSON file. The problem is that Squid flatpak doesn’t exist. I can also use Privoxy, but it has no Flatpak too. Can I solve it with “layering”? Will it work as usual?

  4. Disable all outgoing connections except specified ports and IPs. As simple as adding firewall rules, just like in “normal” distro, right?

  5. Pre-configured keyboard layouts and Wifi connections for new user accounts. In Kubuntu, I do this for WiFi: sudo nmcli connection add con-name "YourWiFiName" ifname "*" type wifi ssid "YourWiFiSSID" wifi-sec.key-mgmt wpa-psk wifi-sec.psk "YourWiFiPassword" connection.autoconnect yes
    And to auto setup keyboard layout, I add some lines to /etc/default/keyboard
    Will it work in Kinoite?

  6. Easy configuration of WiFi printer/scanner. All workstations use Brother multi-function devices (printers/scanners) that Brother provides downloadable drivers for. In the past, I had problems using generic Cups drivers, and scanner only worked after installing Brother drivers. Is drivers installation similar in Kinoite?

  7. Option to access workstation remotely via SSH from specific IPs via specific port, but I’m sure it’s no different from non-immutable distros?

You’ll need to look at rpm-ostreed.conf (the rpm-ostree daemon configuration file; see its man page on ManKier) instead until we complete Changes/KDEKinoiteAutoUpdateByDefault (Fedora Project Wiki). I don’t think there is an equivalent for Flatpak, but Universal Blue has a systemd timer to automate Flatpak updates AFAIK.

That should work if the modules are not loaded in the initramfs. Otherwise denylisting them using a kernel command line should work.

This is a service so I would recommend running it from a container. You can create a container and have it share the system network namespace using podman so that it’s available for all applications.

I don’t remember where Firefox needs this config to be but if it’s in /usr then you’ll have to create a small RPM package with the config (using FPM for example) to layer it.

That depends widely on how those drivers work and where they are installed.

The rest should be similar to other distros.
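Added example, not part of any post in this thread: one way to handle the USB storage point above, covering both the modprobe.d rule and the kernel command line fallback for modules packed into the initramfs. The module list (usb_storage plus uas), the file name usb-storage-deny.conf and the --apply switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: deny-list USB mass-storage drivers on an rpm-ostree system.
# Assumed names: modules usb_storage and uas, rule file usb-storage-deny.conf.
set -u

MODULES="usb_storage uas"

# Emit the modprobe.d rules. "blacklist" stops alias-based autoloading;
# "install ... /bin/false" also makes an explicit modprobe of the module fail.
modprobe_rules() {
    for m in $MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Read an initramfs file listing (as printed by lsinitrd) on stdin and
# succeed if one of the storage modules is packed into the image.
in_initramfs() {
    grep -Eq '/(usb-storage|uas)\.ko(\.[a-z0-9]+)?$'
}

# Kernel argument that keeps the modules from autoloading during early boot.
karg() {
    printf 'modprobe.blacklist=%s\n' "$(echo $MODULES | tr ' ' ',')"
}

# Write the rule file under ROOT/etc (empty ROOT = the real system, needs
# root), then print the rpm-ostree command if the initramfs has the modules.
apply() {
    root="${1:-}"
    mkdir -p "$root/etc/modprobe.d"
    modprobe_rules > "$root/etc/modprobe.d/usb-storage-deny.conf"
    if lsinitrd 2>/dev/null | in_initramfs; then
        echo "rpm-ostree kargs --append-if-missing=$(karg)"
    fi
}

# Only touch the system when asked to: sh usb-deny.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply ""
fi
```

After a reboot, `lsmod | grep -E 'usb_storage|uas'` returning nothing with a USB stick plugged in confirms the rule is in effect.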

I think this option is out of my league, especially sharing network… Sure, I could figure it out after reading all the documentation, but I’m sure it will take lots of time to configure everything for me…

You can do it via podman run --network=host .... See: podman-run — Podman documentation

If you have an existing working Squid setup, it should be reasonably manageable to adapt it to run from inside a container.

I do have an existing Squid setup on all Kubuntu machines. I also have no problems switching from Squid to Privoxy because it should be even easier to set up, I believe (and I don’t need caching feature of Squid anyway).

I wonder if it works for Fedora, isn’t it Debian-specific?
https://manpages.debian.org/bookworm/keyboard-configuration/keyboard.5.en.html