<feed xmlns='http://www.w3.org/2005/Atom'>
<title>dotfiles/meta, branch master</title>
<subtitle>My linux config and rc files</subtitle>
<id>https://git.sommerfeld.dev/dotfiles/atom/meta?h=master</id>
<link rel='self' href='https://git.sommerfeld.dev/dotfiles/atom/meta?h=master'/>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/'/>
<updated>2026-05-29T10:18:16Z</updated>
<entry>
<title>refactor(meta/nvidia): drop linux-headers (covered by base kernels)</title>
<updated>2026-05-29T10:18:16Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:16Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=0d667e494213ef2315261657ab004bcd89a4888c'/>
<id>urn:sha1:0d667e494213ef2315261657ab004bcd89a4888c</id>
<content type='text'>
linux-hardened-headers and linux-lts-headers in meta/base.txt already
cover every installed kernel, so 'linux-headers' here would only
pull the stock 'linux' kernel back in via dependency — which we just
removed.
</content>
</entry>
<entry>
<title>feat(kernel): swap stock linux for linux-lts as fallback kernel</title>
<updated>2026-05-29T10:18:16Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:16Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=a6f1e9026e5d19b50c7c522e30e6f216fc9f8180'/>
<id>urn:sha1:a6f1e9026e5d19b50c7c522e30e6f216fc9f8180</id>
<content type='text'>
Promotes linux-hardened to the sole primary kernel and replaces
linux with linux-lts as the safety-net fallback. Rationale:

- linux and linux-hardened track the same upstream major version
  and ship within days of each other, so 'linux' was a poor
  fallback for the regression class that historically takes out
  the hardened kernel on this hardware (e.g. checkpoint 026
  wake-from-suspend panic). linux-lts lags by weeks/months and is
  almost always known-good when hardened breaks.
- Drop etc/mkinitcpio.d/linux.preset, add linux-lts.preset.
  Hardened preset header + bootstrap.sh efibootmgr instructions
  updated accordingly (hardened registered first so it's the
  default; lts registered as the on-demand fallback).
- Also add mkinitcpio-firmware (AUR) to silence the spurious
  'missing firmware' warnings during initramfs builds.

Manual host-side steps after deploy:
  paru -S linux-lts linux-lts-headers mkinitcpio-firmware
  sudo pacman -Rsn linux  # or via 'just pkg-apply' undeclared flow
  sudo rm -f /etc/mkinitcpio.d/linux.preset  # chezmoi-deployed, not pkg-owned
  sudo mkinitcpio -P
  sudo efibootmgr  # add the Arch LTS entries, drop the stock linux ones

Note: meta/nvidia.txt still lists 'linux-headers' for nvidia-dkms.
That's a per-host concern; flagged for follow-up if any nvidia host
moves to the linux-lts world.
</content>
</entry>
<entry>
<title>refactor(eer): install external-editor-revived via nix on the host</title>
<updated>2026-05-29T10:18:16Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:16Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=be3c6fda881bc11d5123d6b3a09ce9d250199b32'/>
<id>urn:sha1:be3c6fda881bc11d5123d6b3a09ce9d250199b32</id>
<content type='text'>
The AUR `external-editor-revived` PKGBUILD declares a hard `thunderbird`
dependency, which blocks removing the unused system Thunderbird binary
alongside the org.mozilla.thunderbird flatpak (and pacman's
`AssumeInstalled` is a CLI flag, not a pacman.conf directive, so the
previous workaround was nonfunctional).

Nixpkgs' `external-editor-revived` is just `rustPlatform.buildRustPackage`
plus a relocatable native-messaging manifest — zero mailer dep — so the
host gets it from nix instead.

* nix/host.nix: add `external-editor-revived` to `home.packages`. Kept
  out of `common.nix` so the remote-dev VM (which has no Thunderbird)
  doesn't carry the build closure.
* run_onchange_after_deploy-tb-eer.sh.tmpl: search
  `~/.nix-profile/{bin,lib/mozilla/native-messaging-hosts}` first and
  fall through to the legacy pacman paths. The chezmoi manifest-hash
  probe now checks the nix path too, so the hook re-runs cleanly when
  nix bumps the EER version.
* meta/base.txt: drop the `external-editor-revived` AUR entry and
  rewrite the comment to point at the nix declaration.
* etc/pacman.conf: revert the bogus `AssumeInstalled` directive
  (CLI-only, not pacman.conf).

On-host migration:

    home-manager switch --flake ~/dotfiles/nix#host    # picks up EER
    sudo pacman -Rns external-editor-revived thunderbird mpv
    chezmoi apply -v                                   # re-runs tb-eer hook
</content>
</entry>
<entry>
<title>refactor(flatpak): route mpv and thunderbird via flatpak; drop system pkgs</title>
<updated>2026-05-29T10:18:16Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:16Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=cd1c92b746a51a6994281f34a5f773c37d1d2dfe'/>
<id>urn:sha1:cd1c92b746a51a6994281f34a5f773c37d1d2dfe</id>
<content type='text'>
Both org.mozilla.thunderbird and io.mpv.Mpv are already installed via
flatpak, but several places still launched the system binaries (because
they were in PATH). Worse, `mpv` was kept on the host *only* for the
streamlink-launches-mpv path, and `thunderbird` was being pulled in as
a hard dep of external-editor-revived even though it was never the
mailer actually used. Untangle both.

Thunderbird
-----------
* dot_config/sway/executable_tb-toggle.sh,
  dot_config/sway/executable_tb-autostart.sh:
    swap `thunderbird` → `flatpak run org.mozilla.thunderbird`. The
    `app_id` matcher in sway config already targets the flatpak id, so
    the scratchpad-stash and Super+t toggle keep working unchanged.
* etc/pacman.conf:
    add `AssumeInstalled = thunderbird=999.0-1`. external-editor-revived
    (AUR) hard-depends on `thunderbird`; this satisfies the dep without
    installing the package. Run `sudo pacman -Rns thunderbird` after
    deploy to remove the now-unneeded system binary.
* meta/base.txt: document the AssumeInstalled trick next to the
  external-editor-revived entry.

mpv
---
* dot_config/streamlink/config: `player=mpv` → `player=flatpak run
  io.mpv.Mpv`. The flatpak already pulls in our ~/.config/mpv via the
  read-only filesystem override (see
  run_onchange_after_deploy-flatpak-overrides.sh.tmpl), so behavior is
  unchanged.
* dot_local/bin/executable_linkhandler: same swap for inline video URLs.
* dot_local/bin/executable_mpv: deleted. The wrapper only existed to
  bwrap /usr/bin/mpv into _sandbox-net-parser; flatpak's own sandbox
  supersedes that.
* dot_local/bin/executable__sandbox-net-parser,
  dot_local/bin/executable_streamlink: comment refresh — mpv is no
  longer one of the tools this wraps, and the streamlink wrapper now
  forwards to the flatpak player rather than nested-bwrap caveats.
* meta/base.txt: drop `mpv` from the host package list and update the
  surrounding comment.

README.md: refresh the media row of the stack table to match.

On-host steps:

    chezmoi apply -v
    sudo pacman -Syu                          # picks up AssumeInstalled
    sudo pacman -Rns thunderbird mpv          # safe now
    flatpak install -y flathub org.mozilla.thunderbird io.mpv.Mpv
    swaymsg reload                            # pick up new tb scripts
</content>
</entry>
<entry>
<title>chore(thunderbird): switch flatpak app id to org.mozilla.thunderbird</title>
<updated>2026-05-29T10:18:15Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:15Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=d1536ec455abc28a2bde34281d4b33cdad398436'/>
<id>urn:sha1:d1536ec455abc28a2bde34281d4b33cdad398436</id>
<content type='text'>
Upstream marked org.mozilla.Thunderbird end-of-life. Flathub split it
into two replacement IDs:

  org.mozilla.thunderbird      monthly release channel (new default)
  org.mozilla.thunderbird_esr  ESR / long-term-support channel

Move to the lowercase monthly-release flatpak, which is what Mozilla
now recommends for regular desktop users and gets features at the same
cadence as Firefox.

Renamed references in:

* meta/flatpak.txt          - the package list the user installs from
* meta/base.txt             - comment in the mail-bits section
* dot_config/sway/config    - window-match app_id rule for marking
* dot_config/mimeapps.list  - mailto/ics/webcal handler .desktop names
* run_onchange_after_deploy-thunderbird.sh.tmpl - profile path under
  ~/.var/app/&lt;id&gt;/.thunderbird/
* run_onchange_after_deploy-tb-eer.sh.tmpl - flatpak override target
  and sandbox path for External Editor Revived bridge
* run_onchange_after_deploy-pteid-pkcs11.sh.tmpl - Mozilla-family
  flatpak NSS DB registration list
* README.md                 - doc snippets and xdg-mime example

On-host migration:

  flatpak install -y flathub org.mozilla.thunderbird
  # Preserve accounts, OpenPGP keys, calendars, EER bridge wrapper:
  mv ~/.var/app/org.mozilla.Thunderbird ~/.var/app/org.mozilla.thunderbird
  flatpak uninstall -y org.mozilla.Thunderbird
  chezmoi apply -v
  update-desktop-database ~/.local/share/applications 2&gt;/dev/null || true

Verify mail handler:
  xdg-mime query default x-scheme-handler/mailto
  # -&gt; org.mozilla.thunderbird.desktop
</content>
</entry>
<entry>
<title>feat(podman): switch rootless storage driver to btrfs</title>
<updated>2026-05-29T10:18:13Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:13Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=aabcdc206246aa935790908f2ab7e7edcc88b3b9'/>
<id>urn:sha1:aabcdc206246aa935790908f2ab7e7edcc88b3b9</id>
<content type='text'>
fuse-overlayfs is dog-slow on `podman commit` (and noticeably slower
than native overlay/btrfs for layer extraction in general) because every
read/write round-trips through a FUSE daemon. The kernel overlay driver
does not support btrfs as a lowerdir, so on a btrfs root fs the choices
were:

  - fuse-overlayfs  (slow, but works)
  - btrfs           (native subvolume + CoW snapshot per layer; fast)

Switching graph drivers is destructive — the on-disk layout is
incompatible, so a one-time `podman system reset --force` is required.
A migration helper script lives at the repo root (gitignored,
chezmoiignored) that snapshots stateful containers, exports images and
volumes, runs the reset, and restores everything on the new driver.

Drops fuse-overlayfs from meta/base.txt — no longer needed and pulls
in libfuse3 transitively for nothing. (Flatpak still depends on it for
its own sandbox; pacman won't actually uninstall the binary while
flatpak is around — that's fine.)

VM (nix/vm.nix) is unaffected: it sets its own storage.conf inline
with driver=overlay since its rootfs is ext4.
</content>
</entry>
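<![CDATA[
The migration the commit above mentions, written out as an added example rather than the gitignored helper itself: the podman subcommands are real, while the backup directory, the migrate/<name> snapshot naming, the --migrate guard and the minimal storage.conf content are my assumptions. It exports everything first, resets under the driver that created the store, and only then writes the btrfs storage.conf, so podman never opens the old on-disk layout with the new driver.

```shell
#!/bin/sh
# Added example, not the repo's own migration helper: move rootless podman
# storage from fuse-overlayfs to the native btrfs driver.
# Assumptions (mine): rootless podman reads ~/.config/containers/storage.conf,
# every container is worth snapshotting, and containers are recreated from the
# migrate/<name> images afterwards (ports, env and mounts are not restored).
set -e

PODMAN=${PODMAN:-podman}
BACKUP=${BACKUP:-$HOME/podman-migration}
STORAGE_CONF=${STORAGE_CONF:-$HOME/.config/containers/storage.conf}

# Minimal storage.conf for the new driver; podman fills in graphroot/runroot.
btrfs_storage_conf() {
    printf '[storage]\ndriver = "btrfs"\n'
}

# Step 1: freeze state under the old driver. Each container is committed to a
# localhost/migrate/<name>:latest image so its filesystem survives the reset;
# then every tagged image and every volume is exported as a tar archive.
export_state() {
    mkdir -p "$BACKUP/images" "$BACKUP/volumes"
    "$PODMAN" ps -a --format '{{.Names}}' | while read -r name; do
        "$PODMAN" commit "$name" "localhost/migrate/$name:latest"
    done
    "$PODMAN" image ls --format '{{.Repository}}:{{.Tag}}' | grep -v '<none>' | sort -u |
    while read -r ref; do
        # "docker.io/library/alpine:3.20" -> "docker.io_library_alpine_3.20.tar"
        "$PODMAN" save -o "$BACKUP/images/$(printf '%s' "$ref" | tr '/:' '__').tar" "$ref"
    done
    "$PODMAN" volume ls --format '{{.Name}}' | while read -r vol; do
        "$PODMAN" volume export "$vol" -o "$BACKUP/volumes/$vol.tar"
    done
}

# Step 2: wipe the old store, then switch the driver. The config is written
# after the reset so the teardown happens with the driver that built the store.
reset_and_switch() {
    "$PODMAN" system reset --force
    mkdir -p "$(dirname "$STORAGE_CONF")"
    btrfs_storage_conf >"$STORAGE_CONF"
}

# Step 3: reload images and volumes into the fresh btrfs-backed store.
import_state() {
    for f in "$BACKUP"/images/*.tar; do
        [ -e "$f" ] || continue   # glob matched nothing
        "$PODMAN" load -i "$f"
    done
    for f in "$BACKUP"/volumes/*.tar; do
        [ -e "$f" ] || continue
        vol=$(basename "$f" .tar)
        "$PODMAN" volume create "$vol"
        "$PODMAN" volume import "$vol" "$f"
    done
}

# Prints the driver podman is actually using after the switch.
verify_driver() {
    "$PODMAN" info --format '{{.Store.GraphDriverName}}'
}

# The destructive sequence only runs when asked for explicitly, so the file
# can be sourced or tested without touching a real store.
if [ "${1:-}" = --migrate ]; then
    export_state
    reset_and_switch
    import_state
    printf 'storage driver is now: %s\n' "$(verify_driver)"
fi
```

Run it as `sh migrate-btrfs.sh --migrate` with podman stopped (`podman stop -a`) and check `podman info --format '{{.Store.GraphDriverName}}'` prints `btrfs` before recreating containers from the `localhost/migrate/...` images. Keep the backup directory until the first rebuilt container behaves; `podman system reset` is the one step with no undo.
]]>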
<entry>
<title>fix(hardened): restore podman compatibility on linux-hardened</title>
<updated>2026-05-29T10:18:13Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:13Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=1ab5e40fc75e293b87f645fc2de08e0a0fe3d50f'/>
<id>urn:sha1:1ab5e40fc75e293b87f645fc2de08e0a0fe3d50f</id>
<content type='text'>
Two breakages observed on first linux-hardened boot:

1. `podman run` failed because linux-hardened sets
   kernel.unprivileged_userns_clone=0 by default (stock linux: 1).
   Rootless podman requires unprivileged user namespaces. Restoring
   the stock-kernel default via sysctl — this is a documented hardened
   knob meant to be flipped back if you actually use rootless
   containers. No-op on stock kernel.

2. "kernel does not support overlay fs: 'overlay' is not supported over
   btrfs". Kernel overlayfs cannot use a btrfs subvolume as lowerdir;
   podman needs fuse-overlayfs as the user-mode shim. ~10-30% slower
   I/O than native overlay but works correctly and is the upstream
   recommendation for btrfs-backed rootless storage.
</content>
</entry>
<entry>
<title>feat(sandbox): bwrap wrappers for mpv, yt-dlp, streamlink</title>
<updated>2026-05-29T10:18:12Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:12Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=1a8a19e6286aa58c5a46f03882f8f09e54456051'/>
<id>urn:sha1:1a8a19e6286aa58c5a46f03882f8f09e54456051</id>
<content type='text'>
These three tools are the native (non-flatpak) network parsers in the
install set — every other internet-facing app is already flatpak'd. The
threat model is an RCE in a subtitle/extractor/muxer that walks $HOME
looking for SSH keys, GPG keyring, pass store, cloud tokens, etc.

Approach (defence in depth, not full sandboxing):
- bwrap --bind / / keeps Wayland, PipeWire, DBus, GPU, hwaccel and all
  config files working transparently.
- --tmpfs over known-sensitive dirs (.ssh, .gnupg, .password-store,
  .config/gh, .config/op, .aws, .local/share/keyrings) blanks them
  from the sandbox view; a compromised parser literally cannot see them.
- inner PATH stripped of ~/.local/bin so streamlink's spawn of `mpv`
  resolves to /usr/bin/mpv and does not re-enter the sandbox.
- --die-with-parent + --new-session for tidy lifecycle.
- Escape hatch: SANDBOX=0 mpv ... bypasses for one invocation.
- Graceful degradation if bwrap is missing (warns and execs anyway).

bubblewrap added explicitly to meta/base.txt (was implicit via flatpak).

Wrappers in ~/.local/bin shadow /usr/bin via dot_zprofile:15 PATH order.
Not symlinked into the Ubuntu VM (nix/vm.nix does not touch ~/.local/bin),
which is fine: those tools on the headless VM don't need sandboxing.
</content>
</entry>
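<![CDATA[
A wrapper in the shape the commit above describes, added here as an example; it is not the executable_mpv or executable_streamlink script from the repo, and the layout it assumes is mine: one copy or symlink per tool under ~/.local/bin, the real binary under /usr/bin, and the BWRAP and SANDBOX_DRY_RUN knobs for testing without exec'ing anything.

```shell
#!/bin/sh
# Added example, not the dotfiles repo's own wrapper: a bubblewrap wrapper
# following the design in the commit message above.
# Assumptions (mine): installed as ~/.local/bin/<tool> for mpv, yt-dlp and
# streamlink, ~/.local/bin precedes /usr/bin in PATH, the real binary is
# /usr/bin/<tool>, and $HOME is the tree being shielded.

# $HOME-relative directories hidden from the parser by mounting an empty
# tmpfs over each one. Only directories that exist are covered; there is
# nothing to hide under a missing one.
SENSITIVE_DIRS='.ssh .gnupg .password-store .config/gh .config/op .aws .local/share/keyrings'

# PATH for the sandboxed process: the caller's PATH with ~/.local/bin
# removed, so a tool that spawns a sibling (streamlink -> mpv) resolves
# /usr/bin/mpv instead of this wrapper and does not nest a second sandbox.
inner_path() {
    out=''
    saved_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        if [ "$dir" = "$HOME/.local/bin" ]; then
            continue
        fi
        out="${out:+$out:}$dir"
    done
    IFS=$saved_ifs
    printf '%s' "$out"
}

# run_sandboxed REAL_BINARY [ARGS...]
#   SANDBOX=0          bypass the sandbox for this one invocation
#   BWRAP=PATH         bwrap binary to use (default: bwrap from PATH)
#   SANDBOX_DRY_RUN=1  print the final argv, one word per line, instead of exec
# If bwrap is missing the tool still runs, with a warning on stderr.
run_sandboxed() {
    real=$1
    shift
    bwrap_bin=${BWRAP:-bwrap}
    if [ "${SANDBOX:-1}" = 0 ]; then
        set -- "$real" "$@"
    elif ! command -v "$bwrap_bin" >/dev/null 2>&1; then
        echo "warning: bwrap not found, running $real unsandboxed" >&2
        set -- "$real" "$@"
    else
        # Build the argv back to front with set --; POSIX sh has no arrays.
        set -- "$real" "$@"
        for dir in $SENSITIVE_DIRS; do
            if [ -d "$HOME/$dir" ]; then
                set -- --tmpfs "$HOME/$dir" "$@"
            fi
        done
        # --bind / / keeps Wayland, PipeWire, D-Bus, GPU nodes and config
        # visible; the tmpfs mounts above are layered over it afterwards.
        set -- "$bwrap_bin" --bind / / \
            --setenv PATH "$(inner_path)" \
            --die-with-parent --new-session "$@"
    fi
    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    exec "$@"
}

# Dispatch on our own name when installed as ~/.local/bin/<tool>.
case ${0##*/} in
    mpv|yt-dlp|streamlink) run_sandboxed "/usr/bin/${0##*/}" "$@" ;;
esac
```

Install it once and symlink the tool names to it (`ln -s sandbox-wrap ~/.local/bin/mpv`, likewise for yt-dlp and streamlink); `SANDBOX_DRY_RUN=1 mpv URL` shows the argv that would be exec'd. The commit's own caveat applies: with `--bind / /` the process keeps the user's uid, the network and a writable $HOME, so only the listed directories are hidden; anything else a compromised parser could reach (browser profiles, shell history, other config) stays visible unless it is added to SENSITIVE_DIRS.
]]>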
<entry>
<title>feat(boot): add linux-hardened as parallel UKI</title>
<updated>2026-05-29T10:18:12Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:12Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=8ebe3f106e53dc4032428a2e3435c4feea969087'/>
<id>urn:sha1:8ebe3f106e53dc4032428a2e3435c4feea969087</id>
<content type='text'>
Installs linux-hardened + linux-hardened-headers alongside the stock
linux kernel. Stock kernel remains the default; linux-hardened is opt-in
via efibootmgr --bootnext after the EFI entry is registered (one-time
host-side step, documented in the preset).

After first 'just pkg-apply', mkinitcpio auto-builds
/boot/EFI/Linux/arch-linux-hardened.efi from the new preset (sharing
etc/kernel/cmdline.tmpl with the stock UKI — same LUKS root, no
kernel-specific cmdline knobs).

Host-side EFI entry registration:

  sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
    --label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'

Roll back any time by removing both packages and the preset file; the
stock kernel and its UKI are untouched.
</content>
</entry>
<entry>
<title>chore(pkg): drop redundant ttf-font-awesome from base.txt</title>
<updated>2026-05-22T09:41:22Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-22T09:41:22Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=45dba9ed41116c9de6a4d68a6b7fb36067bf7c39'/>
<id>urn:sha1:45dba9ed41116c9de6a4d68a6b7fb36067bf7c39</id>
<content type='text'>
ttf-font-awesome is a virtual provided by otf-font-awesome (already
declared on the line above) — paru resolves the former to the latter,
so listing both adds nothing and confuses the mark-explicit step in
pkg-apply.
</content>
</entry>
</feed>
