My linux config and rc files https://git.sommerfeld.dev/dotfiles/atom/run_onchange_after_deploy-flatpak-overrides.sh.tmpl?h=master 2026-05-13T12:43:41Z 2026-05-13T12:43:41Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:41Z urn:sha1:6efbd1cd57f72f80808c7992ea03642f65c7aa2a Adds two generated 256x256 hicolor PNG icons under ~/.local/share/icons/hicolor/256x256/apps/ and wires them up: * Icon=teams-{sii,xsight} -> launcher / waybar / sway use them * --appIcon=<absolute path> -> electron tray icon picks them up (teams-for-linux respects this flag) The flatpak override script gains a --filesystem=xdg-data/icons:ro binding for com.github.IsmaelMartinez.teams_for_linux so the absolute icon path is reachable from inside the sandbox. 2026-05-13T12:43:39Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:39Z urn:sha1:6ab4b0faef22b4fda4b6a3b45dca4c3858eb8802 usevia.app uses WebHID to talk to /dev/hidraw* directly. Two layers were blocking it: 1. Host: no udev rule existed for ZSA boards, so /dev/hidraw nodes were root-only. Add etc/udev/rules.d/50-zsa.rules covering the ZSA VID 3297 (ErgoDox EZ / Moonlander / Voyager) with TAG+=uaccess so logind grants the active session user access. Also include the two bootloader VIDs used during firmware flashing for completeness. 2. Sandbox: the chromium flatpak only sees /dev/dri by default. Add a --device=all override (flatpak has no finer-grained device knob). The host udev rule still gates which hidraw nodes the user can actually open, so this isn't a meaningful escalation. Also wire `udevadm control --reload && udevadm trigger` into the etc deploy script so rule changes apply without a reboot or replug. 2026-05-13T12:43:30Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:30Z urn:sha1:7c0e7252eefd539345b7bd5b3ce955bc75307162 flatpak refuses '/usr/share/fonts' ("Path /usr is reserved") and auto-mounts host fonts to /run/host/fonts and ~/.local/share/fonts to /run/host/user-fonts already. The override was a no-op. The remaining emoji/nerd-glyph rendering issue in browsers is browser-side font fallback, not flatpak sandboxing. 2026-05-13T12:43:30Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:30Z urn:sha1:6bc872c28d44f42fe53b755be661257e8533df0f LibreWolf and ungoogled-chromium were rendering emoji and nerd-font glyphs as tofu because flatpaks don't see /usr/share/fonts by default. Apply a global override (no app argument) granting read-only access to the system font dirs and the user's fontconfig. noto-fonts-emoji is already in meta/fonts.txt. 2026-05-13T12:43:30Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:30Z urn:sha1:651ec1f8b7470e2ffac848b4fe99ce7ccdb826dd - wofi config: key_up/key_down accept Up,k / Down,j; Ctrl-u/Ctrl-d for page jumps. Picker scripts auto-load this since they only pass --style. - waybar webcam glyph: U+F0D5D (camera/photo, looked Instagram-y) -> U+F0567 nf-md-video (handheld video camera). - Clipboard picker migrated from fuzzel to wofi for consistency with the notification picker. New driver dot_config/waybar/clip-picker.sh: pick (Mod+p) Enter pastes, Alt-d deletes delete (Mod+Shift+p) Enter deletes No clipboard "read" indicator: Wayland has no API for observing reads. - Emoji picker: bemoji on Mod+period, driven through wofi (so vim nav applies there too) and configured to type + copy via wtype. - LibreWolf flatpak: --device=all override so v4l2 webcams work. Flatpak has no finer-grained device flag. - KEYBINDS.md updated: Mod+p / Mod+Shift+p now describe wofi behavior; Mod+period documented. 2026-05-13T12:43:25Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:25Z urn:sha1:db229deaef3b0c88f9930bd168e1779f7a4c6074 Defense-in-depth for the cross-sandbox handoff vector: when the LibreWolf/Thunderbird flatpaks open a downloaded PDF or video via the OpenURI portal, the receiving app currently runs natively with full $HOME access — defeating part of the browser/mail isolation. - meta/flatpak.txt: add org.pwmt.zathura, io.mpv.Mpv - meta/wayland.txt: drop native zathura + zathura-pdf-mupdf - meta/media.txt: keep native mpv (streamlink, /tmp/mpvsocket IPC, fast yt-dlp) — flatpak mpv is *additional*, only as the mimeapps default for video/audio to receive sandboxed handoffs - dot_config/mimeapps.list: rewrite mpv.desktop -> io.mpv.Mpv.desktop, zathura-pdf-mupdf.desktop -> org.pwmt.zathura.desktop, and replace stale userapp-Thunderbird-* entries with org.mozilla.Thunderbird.desktop - run_onchange_after_deploy-flatpak-overrides.sh.tmpl (new): --filesystem=xdg-config/{zathura,mpv}:ro so the flatpaks read our chezmoi-managed configs as a single source of truth - README: media row + new deploy-script row Manual one-shot on host: chezmoi apply -v. The pteid bridge already iterates a flatpak app list, so cartão de cidadão remains correctly registered for the Mozilla flatpaks. Native mpv config (input-ipc-server) keeps working since each flatpak has its own /tmp; no socket collision.