<feed xmlns='http://www.w3.org/2005/Atom'>
<title>dotfiles/meta/flatpak.txt, branch master</title>
<subtitle>My linux config and rc files</subtitle>
<id>https://git.sommerfeld.dev/dotfiles/atom/meta/flatpak.txt?h=master</id>
<link rel='self' href='https://git.sommerfeld.dev/dotfiles/atom/meta/flatpak.txt?h=master'/>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/'/>
<updated>2026-05-29T10:18:15Z</updated>
<entry>
<title>chore(thunderbird): switch flatpak app id to org.mozilla.thunderbird</title>
<updated>2026-05-29T10:18:15Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:15Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=d1536ec455abc28a2bde34281d4b33cdad398436'/>
<id>urn:sha1:d1536ec455abc28a2bde34281d4b33cdad398436</id>
<content type='text'>
Upstream marked org.mozilla.Thunderbird end-of-life. Flathub split it
into two replacement IDs:

  org.mozilla.thunderbird      monthly release channel (new default)
  org.mozilla.thunderbird_esr  ESR / long-term-support channel

Move to the lowercase monthly-release flatpak, which is what Mozilla
now recommends for regular desktop users and gets features at the same
cadence as Firefox.

Renamed references in:

* meta/flatpak.txt          - the package list the user installs from
* meta/base.txt             - comment in the mail-bits section
* dot_config/sway/config    - window-match app_id rule for marking
* dot_config/mimeapps.list  - mailto/ics/webcal handler .desktop names
* run_onchange_after_deploy-thunderbird.sh.tmpl - profile path under
  ~/.var/app/&lt;id&gt;/.thunderbird/
* run_onchange_after_deploy-tb-eer.sh.tmpl - flatpak override target
  and sandbox path for External Editor Revived bridge
* run_onchange_after_deploy-pteid-pkcs11.sh.tmpl - Mozilla-family
  flatpak NSS DB registration list
* README.md                 - doc snippets and xdg-mime example

On-host migration:

  flatpak install -y flathub org.mozilla.thunderbird
  # Preserve accounts, OpenPGP keys, calendars, EER bridge wrapper:
  mv ~/.var/app/org.mozilla.Thunderbird ~/.var/app/org.mozilla.thunderbird
  flatpak uninstall -y org.mozilla.Thunderbird
  chezmoi apply -v
  update-desktop-database ~/.local/share/applications 2&gt;/dev/null || true

Verify mail handler:
  xdg-mime query default x-scheme-handler/mailto
  # -&gt; org.mozilla.thunderbird.desktop
</content>
</entry>
<entry>
<title>feat(flatpak): add teams_for_linux</title>
<updated>2026-05-13T12:43:40Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:40Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=1135d66d925d2b60ae5f56bc46320999fde6b34e'/>
<id>urn:sha1:1135d66d925d2b60ae5f56bc46320999fde6b34e</id>
<content type='text'>
Unofficial Microsoft Teams client for Linux. Needed for Sii work
communications; running it inside the Win11 VM is overkill for chat, and
running it natively on the host keeps Teams notifications visible outside the VM.
</content>
</entry>
<entry>
<title>feat(meta): add snx-rs (work) and nxplayer (flatpak)</title>
<updated>2026-05-13T12:43:40Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:40Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=1f306501dea892c3c90bdfdddc9a9cc668865e87'/>
<id>urn:sha1:1f306501dea892c3c90bdfdddc9a9cc668865e87</id>
<content type='text'>
snx-rs: Rust reimplementation of Check Point SNX VPN client; needed
for work VPN access. AUR package.

com.nomachine.nxplayer: NoMachine remote desktop client; needed for
work remote access.
</content>
</entry>
<entry>
<title>feat(flatpak): add Signal desktop</title>
<updated>2026-05-13T12:43:26Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:26Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=50bcdbbe80c35458c1218c2abd0f7b0a4fb203f1'/>
<id>urn:sha1:50bcdbbe80c35458c1218c2abd0f7b0a4fb203f1</id>
<content type='text'>
</content>
</entry>
<entry>
<title>feat(flatpak): switch Chromium -&gt; ungoogled-chromium</title>
<updated>2026-05-13T12:43:25Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:25Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=f2d1a269e52b4d76fe10c976fb1597c007034eb3'/>
<id>urn:sha1:f2d1a269e52b4d76fe10c976fb1597c007034eb3</id>
<content type='text'>
Same sandbox model, but the Google-phone-home bits (Safe Browsing
pings, sync, FLoC/topics, variation seed, etc.) are patched out at
build time. Better aligned with the LibreWolf+arkenfox philosophy
applied to the primary browser. Update lag vs upstream Chromium is
acceptable since this is only the fallback browser.
</content>
</entry>
<entry>
<title>feat(flatpak): sandbox zathura + add mpv hybrid for browser/mail handoffs</title>
<updated>2026-05-13T12:43:25Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:25Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=db229deaef3b0c88f9930bd168e1779f7a4c6074'/>
<id>urn:sha1:db229deaef3b0c88f9930bd168e1779f7a4c6074</id>
<content type='text'>
Defense-in-depth for the cross-sandbox handoff vector: when the
LibreWolf/Thunderbird flatpaks open a downloaded PDF or video via the
OpenURI portal, the receiving app currently runs natively with full
$HOME access — defeating part of the browser/mail isolation.

- meta/flatpak.txt: add org.pwmt.zathura, io.mpv.Mpv
- meta/wayland.txt: drop native zathura + zathura-pdf-mupdf
- meta/media.txt: keep native mpv (streamlink, /tmp/mpvsocket IPC,
  fast yt-dlp) — flatpak mpv is *additional*, only as the mimeapps
  default for video/audio to receive sandboxed handoffs
- dot_config/mimeapps.list: rewrite mpv.desktop -&gt; io.mpv.Mpv.desktop,
  zathura-pdf-mupdf.desktop -&gt; org.pwmt.zathura.desktop, and replace
  stale userapp-Thunderbird-* entries with org.mozilla.Thunderbird.desktop
- run_onchange_after_deploy-flatpak-overrides.sh.tmpl (new):
  --filesystem=xdg-config/{zathura,mpv}:ro so the flatpaks read our
  chezmoi-managed configs as a single source of truth
- README: media row + new deploy-script row

Manual one-shot on host: chezmoi apply -v.
The pteid bridge already iterates a flatpak app list, so cartão de
cidadão remains correctly registered for the Mozilla flatpaks. Native
mpv config (input-ipc-server) keeps working since each flatpak has its
own /tmp; no socket collision.
</content>
</entry>
<entry>
<title>feat(thunderbird): migrate to flatpak with NMH + PKCS#11 bridges</title>
<updated>2026-05-13T12:43:25Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:25Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=79d68fcc03c1639c1f13343b4b7d5f9f06274295'/>
<id>urn:sha1:79d68fcc03c1639c1f13343b4b7d5f9f06274295</id>
<content type='text'>
Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak,
mirroring the LibreWolf migration. Bubblewrap isolates the mail client from
the rest of $HOME (ssh keys, password store, gpg sockets); intra-process
isolation regression is real but minor (same tradeoff as the browser).

Three cross-sandbox glue points handled in repo:

- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from
  ~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate
  over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so
  cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges
  external-editor-revived's native messaging host into the sandbox via
  a flatpak-spawn --host wrapper + relocated manifest

Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered
by Flathub default permissions.

Manual one-shot migration on host (after pulling + just sync): close TB,
copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/,
chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop
x-scheme-handler/mailto. Once verified working, archive the old profile
via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.
</content>
</entry>
<entry>
<title>feat(flatpak): support .flatpak bundle URLs; migrate autenticacao-gov-pt</title>
<updated>2026-05-13T12:43:25Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:25Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=9b133edc20702a0c9cccb613fbb9296a7fb9f597'/>
<id>urn:sha1:9b133edc20702a0c9cccb613fbb9296a7fb9f597</id>
<content type='text'>
Extend meta/flatpak.txt format to allow per-line URL for non-Flathub
.flatpak bundles. Lines are now either '&lt;id&gt;' (Flathub) or '&lt;id&gt;  &lt;url&gt;'
(downloaded + installed via 'flatpak install &lt;file&gt;'). Bundle entries
are skipped on pkg-apply/pkg-fix when already installed, and re-fetched
on flatpak-update only when the version embedded in the URL differs
from the installed version.

Use this to migrate Portuguese Citizen Card (pteid-mw) off the AUR
'autenticacao-gov-pt-bin' pseudo-flatpak unpack to the upstream-shipped
flatpak bundle from amagovpt/autenticacao.gov GitHub releases — same
codebase the AUR PKGBUILD already vendors, but properly sandboxed.

Refactors duplicated install logic in pkg-apply/pkg-fix into a private
_flatpak-install helper. ID-only contexts (pkg-status, undeclared,
pkg-list) now extract the first whitespace-separated token instead of
treating each line as a single ID.

Caveat: PKCS#11-based Citizen Card web auth in the LibreWolf flatpak
remains unsolved — the .so lives inside the autenticacao-gov sandbox
and would need a 'flatpak override' + 'modutil' bridge to be loaded
across sandboxes. The CLI/GUI eID app works as expected.
</content>
</entry>
<entry>
<title>feat(browser): migrate librewolf to flatpak for host-isolation</title>
<updated>2026-05-13T12:43:24Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:24Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=729087821785cfc4923a14a7aed633850119b723'/>
<id>urn:sha1:729087821785cfc4923a14a7aed633850119b723</id>
<content type='text'>
Move LibreWolf from native librewolf-bin to Flathub
io.gitlab.librewolf-community. Bubblewrap isolates the browser from
$HOME (.ssh, password-store, gnupg, ssh-agent socket) at the cost
of namespace chroot + IPC/network namespace isolation between content
processes (mozilla bug 1756236, P3, considered defense-in-depth).
seccomp-bpf — the dominant sandbox layer — is preserved.

- meta/flatpak.txt: + io.gitlab.librewolf-community
- meta/browser.txt: - librewolf-bin
- run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to
  ~/.var/app/io.gitlab.librewolf-community/.librewolf
- dot_config/mimeapps.list: librewolf.desktop -&gt; flatpak app id
- dot_local/bin/executable_linkhandler: flatpak run wrapper
- README.md: blurb + new profile path

arkenfox-user.js + chezmoi user-overrides.js deploy keep working
unchanged because the flatpak profile is still on the host fs.
</content>
</entry>
<entry>
<title>refactor(packages): drop gaming, manage select GUI apps via flatpak group</title>
<updated>2026-05-13T12:43:24Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:24Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=68b1ffb42f7644b8a5f2275a16e94820b369818e'/>
<id>urn:sha1:68b1ffb42f7644b8a5f2275a16e94820b369818e</id>
<content type='text'>
- Delete meta/gaming.txt entirely (no longer used; takes discord with it)
- Delete now-empty meta/office.txt; LibreOffice and Okular move to flatpak
- Trim meta/browser.txt: chromium and torbrowser-launcher now flatpaks
- New meta/flatpak.txt: 4 Flathub app IDs (chromium, okular, libreoffice,
  torbrowser-launcher), under --user scope
- Add flatpak runtime to meta/extra.txt
- Teach pkg-apply / pkg-list / pkg-fix / pkg-add / pkg-status / undeclared
  to branch on the magic 'flatpak' group name (no parallel recipe namespace)
- New flatpak-update recipe; update aggregate now refreshes flatpaks too
- _active-packages now skips flatpak.txt (it remains pacman-only)
- pkg-apply (no args) installs pacman groups together, then flatpaks
- First flatpak install auto-adds the flathub --user remote
</content>
</entry>
</feed>
