A fresh install gives you a baseline, not a finished machine
You just finished the Fedora installer. The desktop loads. It looks clean. You open a terminal to install your favorite tools and immediately hit a wall. Video playback stutters because of missing codecs. Your graphics card falls back to software rendering. Package managers complain about missing repositories. A fresh installation provides a secure, minimal foundation. It does not provide a configured workstation. You need to bridge the gap between the default image and your daily workflow without breaking the package manager or leaving security holes open.
What is actually happening
Fedora ships with a strict software policy. The base system contains only free and open-source software. Proprietary codecs, commercial drivers, and closed-source applications live outside the default repositories. The package manager enforces this boundary to keep the system stable and legally compliant. When you try to install multimedia tools or hardware drivers, dnf refuses because it cannot find the packages in its configured sources. You need to extend the package sources, apply the missing components, and lock down the configuration before the system drifts into an unmanageable state.
The installer pulls packages from the nearest mirror at the time of installation. Those mirrors might be outdated or missing recent security patches. The desktop environment ships with a minimal set of utilities to reduce attack surface and storage footprint. Network services remain disabled by default. Storage optimization runs on a conservative schedule. Every component expects you to declare your intent explicitly.
Update and extend package sources
Start with the base system. Synchronize the local cache with the upstream repositories before installing anything else. Stale metadata causes dependency resolution failures and leaves known vulnerabilities unpatched.
Here is how to refresh the package cache and apply pending updates.
sudo dnf upgrade --refresh
# --refresh forces dnf to ignore cached metadata and fetch fresh package lists
# This prevents stale dependency resolution and catches security updates
# Reboot immediately if the output mentions a new kernel version
Fedora's release cadence is six months. The dnf upgrade --refresh command handles routine maintenance within a release. Do not confuse it with dnf system-upgrade, which crosses major version boundaries like 40 to 42. Keep them separate. The N-2 release goes end-of-life when N+1 ships. Plan your major upgrades on that cycle.
Next, add the RPM Fusion repositories. Fedora cannot ship proprietary codecs or commercial drivers due to licensing restrictions. RPM Fusion fills that gap with a curated collection of non-free packages. The installation command pulls the repository definition files directly from the project servers.
Here is how to register both the free and non-free RPM Fusion repositories.
sudo dnf install \
https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
# The free repository contains open-source packages that depend on non-free components
# The nonfree repository holds proprietary codecs and closed-source drivers
# rpm -E %fedora dynamically resolves your current release number for the correct URL
Verify the repositories are active before proceeding. Missing entries cause cryptic dependency errors later.
Here is how to confirm the new repositories appear in the package manager.
dnf repolist
# Lists all enabled repositories and their package counts
# Look for rpmfusion-free and rpmfusion-nonfree in the output
# An empty or missing entry means the installation failed silently
Run dnf repolist before installing anything else. Missing repositories cause cryptic dependency errors later.
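dnf repolist shows that a repository is enabled, not that its packages are signature-checked. The script below is an added example, not part of the original article: it reads .repo files and flags enabled sections that turn gpgcheck off, omit gpgkey, or fetch over plain HTTP or FTP. The verdict names and the sample repositories are this example's own.

```shell
# Added example, not from the original article. Prints "<repo-id> <verdict>"
# for every enabled section in the .repo files given as arguments.
audit_repos() {
    awk '
    function is_on(v) { v = tolower(v); return v == "1" || v == "true" || v == "yes" }
    function report() {
        if (id == "" || !is_on(enabled)) return
        verdict = "ok"
        if (gpgcheck == "")         verdict = "gpgcheck-inherited"  # value comes from [main]
        else if (!is_on(gpgcheck))  verdict = "GPGCHECK-OFF"
        else if (gpgkey == "")      verdict = "NO-GPGKEY"
        else if (plain)             verdict = "PLAINTEXT-SOURCE"
        print id, verdict
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                 # start of a [repo-id] section
        report()
        id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
        enabled = "1"; gpgcheck = ""; gpgkey = ""; plain = 0
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "enabled")  enabled  = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey   = val
        if (key ~ /^(baseurl|metalink|mirrorlist)$/ && val ~ /^(http|ftp):/) plain = 1
    }
    END { report() }
    ' "$@"
}
# Constructed sample input; the repo ids, hosts and key path are made up.
write_sample() {
    cat > "$1" <<'EOF'
[example-free]
metalink=https://mirrors.example.org/metalink?repo=free-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
[example-debuginfo]
enabled=0
[example-thirdparty]
baseurl=http://repo.example.net/fedora/$releasever/
gpgcheck=0
EOF
}
sample=$(mktemp) && write_sample "$sample" && audit_repos "$sample"; rm -f "$sample"
```

On a real system, run it as audit_repos /etc/yum.repos.d/*.repo after adding any third-party repository.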
Multimedia and hardware drivers
Video playback and hardware acceleration require proprietary components. The default ffmpeg package uses free codecs only. Swap it for the full version and install the multimedia group.
Here is how to replace the free codec package and pull in the full multimedia stack.
sudo dnf swap ffmpeg-free ffmpeg --allowerasing
# --allowerasing permits dnf to remove the free ffmpeg variant
# The swap command replaces the package while preserving configuration files
sudo dnf group install multimedia
# Pulls in gstreamer plugins, audio converters, and video decoders
# "group install" works with both dnf4 and dnf5; the groupinstall alias is not available in dnf5
NVIDIA graphics cards need the proprietary kernel module. The akmod-nvidia package compiles the driver against your running kernel automatically. Wait for the build process to finish before rebooting.
Here is how to install the NVIDIA driver and trigger the kernel module build.
sudo dnf install akmod-nvidia
# akmod triggers the kernel module build service on first boot
# The compilation takes two to five minutes depending on CPU speed
# Do not force a reboot until the build service reports success
If you see Failed to start nvidia.service during boot, your kernel headers are missing or the build failed. Check the build logs before reinstalling.
Reboot after the driver installation. The X server or Wayland compositor will not load the proprietary module until the next session.
Desktop configuration and workflow tools
GNOME ships with a minimal set of utilities. Install the extension manager and tweaks tool to customize the interface. Add Flathub for sandboxed applications that do not exist in the main repositories.
Here is how to install desktop customization tools and register the Flathub remote.
sudo dnf install gnome-tweaks gnome-extensions-app
# gnome-tweaks exposes hidden desktop settings and font configurations
# gnome-extensions-app provides a graphical interface for managing extensions
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
# --if-not-exists prevents duplicate remote entries if you run the command twice
# Flathub hosts sandboxed applications with their own runtime dependencies
Configure your hostname and enable automatic security updates. The hostname helps identify the machine on a network. Automatic updates keep the system patched without manual intervention.
Here is how to set a persistent hostname and enable background security patching.
sudo hostnamectl set-hostname fedora-workstation
# Updates the system hostname across all network services
# The change takes effect immediately for new terminal sessions
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic-install.timer
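# Enables the background timer that checks for updates daily
# The timer installs what upgrade_type in /etc/dnf/automatic.conf selects:
# the shipped value "default" applies all updates, "security" limits it to security patches
# Release upgrades stay manual either way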
Trust the package manager for system updates. Manual file edits drift, snapshots stay.
Security, storage, and maintenance
Lock down the network stack and verify storage health. The firewall blocks unsolicited connections by default. Open ports only when you need remote access. Enable TRIM for solid-state drives to maintain write performance over time.
Here is how to verify the firewall state and permit SSH access permanently.
sudo firewall-cmd --state
# Confirms the firewall daemon is running and active
sudo firewall-cmd --permanent --add-service=ssh
# Adds SSH to the permanent configuration file
sudo firewall-cmd --reload
# Applies the permanent rules to the live firewall without dropping connections
Always run firewall-cmd --reload after every rule change. Otherwise the runtime configuration and the persistent configuration diverge, and your changes vanish on reboot.
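firewalld keeps a running and a stored rule set: a rule added with --permanent is stored but not active until the reload, and a rule added without it is active but not stored. The script below is an added example, not part of the original article, that compares the two lists and names each rule present in only one of them; the sample service and port lists are constructed.

```shell
# Added example, not from the original article.
# fw_drift KIND RUNTIME_LIST PERMANENT_LIST
# The lists are the space-separated output of `firewall-cmd --list-KIND`
# and `firewall-cmd --permanent --list-KIND`.
fw_drift() {
    kind=$1 runtime=" $2 " permanent=" $3 "
    for item in $2; do
        case "$permanent" in
            *" $item "*) ;;
            *) echo "$kind $item runtime-only (lost on reload or reboot)" ;;
        esac
    done
    for item in $3; do
        case "$runtime" in
            *" $item "*) ;;
            *) echo "$kind $item permanent-only (not active until --reload)" ;;
        esac
    done
}

# Query the running daemon for the default zone. Run as root.
fw_drift_live() {
    command -v firewall-cmd >/dev/null 2>&1 ||
        { echo "firewall-cmd not found" >&2; return 2; }
    for k in services ports; do
        fw_drift "$k" "$(firewall-cmd --list-"$k")" \
                      "$(firewall-cmd --permanent --list-"$k")"
    done
}

# Constructed sample: ssh was added with --permanent but never reloaded,
# and 8080/tcp was opened in the running firewall only.
demo() {
    fw_drift services "dhcpv6-client mdns" "dhcpv6-client mdns ssh"
    fw_drift ports "8080/tcp" ""
}
demo
```

An empty result from fw_drift_live means the running firewall matches what will be loaded at the next boot.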
Enable the TRIM timer for SSDs. Modern filesystems support discard operations, but the background timer is safer than continuous TRIM.
Here is how to schedule weekly TRIM operations for mounted solid-state drives.
sudo systemctl enable --now fstrim.timer
# Schedules a weekly TRIM operation for all mounted SSDs
# The timer runs as a background service to prevent write amplification
# Check execution status with systemctl list-timers fstrim.timer
Verify SELinux remains active. Fedora enforces mandatory access controls by default. Disabling it weakens the entire security model.
Here is how to confirm the security policy is enforcing.
getenforce
# Returns Enforcing on a properly configured system
# If it returns Permissive or Disabled, check /etc/selinux/config
# SELinux denials appear in journalctl -t setroubleshoot with actionable summaries
Read the SELinux denial summaries before disabling the policy. Most application failures resolve with a single restorecon command.
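getenforce reports only the running mode, so a machine can answer Enforcing while /etc/selinux/config already says something else for the next boot. The script below is an added example, not part of the original article, that compares the two. Reading the selinux=0 and enforcing=0 kernel arguments is an addition beyond what the article covers, and the verdict strings and sample config are this example's own.

```shell
# Added example, not from the original article.
# configured_mode FILE: last uncommented SELINUX= value in a config-format file.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# selinux_posture RUNTIME CONFIG_FILE CMDLINE
#   RUNTIME: output of getenforce; CMDLINE: content of /proc/cmdline.
selinux_posture() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    boot=$(configured_mode "$2")
    : "${boot:=unknown}"
    case " $3 " in                       # kernel arguments override the file
        *" selinux=0 "*)   boot=disabled ;;
        *" enforcing=0 "*) if [ "$boot" = enforcing ]; then boot=permissive; fi ;;
    esac
    if [ "$runtime" = enforcing ] && [ "$boot" = enforcing ]; then verdict=ok
    elif [ "$runtime" = enforcing ]; then verdict="next-boot-$boot"
    elif [ "$boot" = enforcing ];    then verdict="runtime-$runtime-only"
    else verdict=not-enforcing
    fi
    echo "runtime=$runtime boot=$boot verdict=$verdict"
}

# Constructed sample: the config was edited to permissive, no reboot yet.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample in the format of /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted
EOF
    selinux_posture Enforcing "$cfg" "BOOT_IMAGE=/vmlinuz ro quiet"
    rm -f "$cfg"
}
demo
# Live system:
#   selinux_posture "$(getenforce)" /etc/selinux/config "$(cat /proc/cmdline)"
```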
Verify the configuration
Run a quick diagnostic pass to confirm every component is functioning. Check the journal for boot errors, verify repository availability, and confirm the desktop environment loaded correctly.
Here is how to review recent boot logs and filter for critical failures.
journalctl -b -p err
# -b limits output to the current boot session
# -p err filters for error-level messages and above
# Scan for failed units or missing dependencies before proceeding
Check the package manager cache and verify the multimedia stack.
Here is how to confirm the codec swap and repository registration succeeded.
rpm -q ffmpeg
# Returns the installed ffmpeg version string
# A successful swap shows the non-free variant without the -free suffix
flatpak remotes
# Lists all configured Flatpak remotes
# flathub should appear with a valid URL and priority
Run journalctl -xe first. Read the actual error before guessing.
Common pitfalls and what the error looks like
New users often force package installations when dependencies conflict. The dnf transaction test will refuse to proceed and print Error: Transaction test error: package python3-3.12.x conflicts with python3-3.13.y. The conflict is intentional. Fedora maintains strict Python version boundaries to prevent system breakage. Do not use --skip-broken or --best to bypass it. Install the correct version for your release or use a virtual environment.
Another frequent issue involves Flatpak permissions. Applications run in isolated sandboxes. If a Flatpak app cannot access your home directory or external drives, the sandbox is working correctly. Grant explicit access through the Flatseal utility or the GNOME Software permissions dialog. Do not disable sandboxing globally.
Kernel module builds fail when headers are missing. The akmod system requires kernel-devel and kernel-headers matching your running kernel. If the build service fails, run sudo dnf install kernel-devel kernel-headers and trigger a rebuild with sudo akmods --force. Check /var/log/dkms/ for compilation errors.
Config files in /etc/ are user-modified. Files in /usr/lib/ ship with the package. Edit /etc/. Never edit /usr/lib/. Package updates overwrite /usr/lib/ changes and leave your system in an inconsistent state.
When to use this approach versus alternatives
Use the default dnf repositories when you need system stability and long-term package support. Use RPM Fusion when you require proprietary codecs or commercial hardware drivers. Use Flatpak when you want sandboxed applications with independent update cycles. Use dnf-automatic for routine security patches but keep major version upgrades manual. Stay on the upstream Workstation image if you only deviate from the defaults occasionally. Switch to Silverblue when you want a known-good base image you can always roll back to.
Match the tool to the task. System packages for core stability, Flatpak for desktop apps, RPM Fusion for closed-source hardware support.