My Opinionated Fedora Silverblue Setup

Source: Dev.to

Why Fedora Silverblue?

• Immutable base – the core system cannot be broken, making debugging simple.
• Atomic updates – the whole system is updated in one step.
• Layered approach – everything you add sits on top of the base, so you can start over without leaving residues (even config files).
• “Unbreakable” – a system your mom or grandma can’t accidentally wreck.

Table of Contents

1. Enable Transparent Disk Compression
2. Use a Secure DNS Resolver
3. Enable BBR (Better Congestion Control)
4. Enable ptrace_scope = 1
5. Change the Default ZRAM Configuration
6. Enable RPM Fusion for Non‑free Codecs
7. Remove Unwanted Flatpak Apps & Disable the Repo
8. Strip Unused Packages from the Base Image
9. Enable System Auto‑Update

Enable Transparent Disk Compression

Btrfs supports on‑the‑fly compression, but it is disabled by default.
I use zstd level 1 (least CPU, decent ratio).

# Show current kernel boot arguments (avoid duplicates)
rpm-ostree kargs

# Append the compression flag
sudo rpm-ostree kargs --append="rootflags=subvol=root,compress=zstd:1"

# Reboot for the change to take effect
sudo reboot

Note: The command only compresses new data. To compress existing data:

sudo btrfs filesystem defragment -r -v -f -czstd /var

More details in my compression write‑up.

Use a Secure DNS Resolver

I prefer Cloudflare’s DNS with malware filtering.

Steps

# Disable systemd‑resolved sockets and service
sudo systemctl disable --now systemd-resolved-monitor.socket \
    systemd-resolved-varlink.socket systemd-resolved

# Remove the autogenerated resolv.conf
sudo rm -f /etc/resolv.conf

# Tell NetworkManager to use dnsmasq
sudo nano /etc/NetworkManager/NetworkManager.conf

Add (or edit) the [main] section:

[main]
dns=dnsmasq

# Restart NetworkManager
sudo systemctl restart NetworkManager

Now NetworkManager will forward DNS queries to the DNS servers you configure in /etc/NetworkManager/dnsmasq.d/ (or via the GUI).

More details in my DNS guide.

Enable BBR – Better Network Congestion Control

Verify if the module is already loaded

lsmod | grep bbr

If nothing is returned, load the module:

echo "tcp_bbr" | sudo tee /etc/modules-load.d/bbr.conf
sudo reboot

Configure sysctl

sudo nano /etc/sysctl.conf

Add the following lines:

net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# Apply immediately (or reboot)
sudo sysctl -p

# Verify
sysctl net.ipv4.tcp_congestion_control

Enable ptrace_scope = 1

Needed for full sandboxing in Chromium‑based browsers (enabled by default on Ubuntu, Arch, openSUSE).

cat /proc/sys/kernel/yama/ptrace_scope

If the output is 0, enable it:

# Copy the default config and edit
sudo cp /usr/lib/sysctl.d/10-default-yama-scope.conf /etc/sysctl.d/
sudo nano /etc/sysctl.d/10-default-yama-scope.conf

Change the last line to:

kernel.yama.ptrace_scope = 1

sudo sysctl -p /etc/sysctl.d/10-default-yama-scope.conf
sudo reboot

More background in my ptrace_scope write‑up.

Change the Default ZRAM Configuration

Fedora ships ZRAM enabled, but the default size is conservative. I set it to 1.5 × RAM and give it a high swap priority.

# Create a directory for an overriding rule
sudo mkdir -p /etc/systemd/zram-generator.conf.d

# Create the custom config
sudo nano /etc/systemd/zram-generator.conf.d/zram-generator.conf

Paste:

[zram0]
zram-size = ram * 1.5
compression-algorithm = zstd
swap-priority = 100

Additional sysctl tweaks for memory pressure

sudo nano /etc/sysctl.conf

Add:

vm.page-cluster = 0
vm.swappiness = 180
vm.watermark_boost_factor = 0
vm.watermark_scale_factor = 125

sudo sysctl -p
sudo reboot

These values are inspired by Pop!_OS’s “compressed swap in RAM” optimizations.

Enable RPM Fusion for Non‑free Codecs

Many media files (e.g., MP3, H.264) need codecs from RPM Fusion.

# Free repository
sudo rpm-ostree install \
    https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm

# Non‑free repository (contains proprietary codecs)
sudo rpm-ostree install \
    https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

After a reboot, you can install packages like ffmpeg, gstreamer1-plugin-openh264, etc.

Remove Unwanted Flatpak Apps & Disable the Repo

I prefer native RPM packages for most software.

# List installed Flatpaks
flatpak list

# Remove each unwanted app, e.g.
flatpak uninstall org.gnome.Todo

# Disable the Flathub remote (if you don’t want any Flatpaks)
flatpak remote-delete flathub

Strip Unused Packages from the Base Image

Fedora Silverblue ships a fairly minimal base, but you can still prune what you don’t need.

# Example: remove the default GNOME games
rpm-ostree override remove gnome-2048 gnome-robots gnome-taquin

Replace the package names with anything you consider unnecessary.

Enable System Auto‑Update

Silverblue already supports automatic updates via systemd.timer. To enable it:

sudo systemctl enable --now rpm-ostreed-automatic.timer

You can check the status with:

systemctl status rpm-ostreed-automatic.timer

Closing Thoughts

Fedora Silverblue’s immutable design gives me a rock‑solid foundation. By tweaking compression, DNS, networking, memory handling, and codec support, I get a fast, secure, and media‑ready workstation that my grandma can’t break.

Feel free to copy any of the snippets above, adapt them to your hardware, and enjoy the simplicity of an immutable OS!

All the commands have been tested on Fedora Silverblue 38 (as of Dec 2025).

RPM Fusion on Your System

Please refer to the official RPM Fusion documentation for OSTree systems here.

Installing Apps via GNOME Software

You can install apps through the GNOME Software GUI (see the screenshot above). If needed, you can reinstall these apps from Flathub.

Note: Fedora’s Flatpak implementation has the same proprietary‑codec limitations as Fedora’s native RPM packages. If you do not need it, you may remove it, as it provides no additional benefit.

Removing Packages from the Base Immutable Image

If you want to remove applications that are part of the base image (e.g., Firefox), run:

sudo rpm-ostree override remove firefox firefox-langpacks

Then reboot the system.

You can verify the image status with:

rpm-ostree status

This command helps identify most issues or feature‑parity differences with other systems that use the same image.

Adding Packages to the System Layer

To layer additional packages, use rpm-ostree install. For example, to install distrobox:

sudo rpm-ostree install distrobox

Only install packages this way when necessary.

Automatic Software Updates

Enabling “Automatic software updates” in GNOME Software does not automatically update your system, and the official docs do not mention automatic updates.

Enable Automatic Updates (stage policy)

1. Edit /etc/rpm-ostreed.conf:

   sudo nano /etc/rpm-ostreed.conf

   Change (or add) the line to:

   AutomaticUpdatePolicy=stage

2. Reload the daemon:

   sudo rpm-ostree reload

3. Enable and start the timer:

   sudo systemctl enable rpm-ostreed-automatic.timer --now

4. Verify the status:

   rpm-ostree status

   You should see something like:

   AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 3h 4min ago

Cover Photo by Alexandru Acea on Unsplash