diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:31 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:31 +0100 |
| commit | 3d263bdbb48e7616a12af26ef094e5a416f9a735 (patch) | |
| tree | 34cf90cef24496ecfc271055255f8a7596f84627 /.github | |
| parent | 51b8af587e46d4e03b059a51253d9671e27d08e3 (diff) | |
| download | dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.tar.gz dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.tar.bz2 dotfiles-3d263bdbb48e7616a12af26ef094e5a416f9a735.zip | |
feat(privesc): migrate from opendoas to sudo-rs
doas's one-shot password and absent 'sudo -v' kept wasting hour-long
paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous
Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships
as default. We follow the Arch wiki 'Using sudo-rs without the sudo
package' recipe verbatim — no custom shims.
- meta/base.txt: -doas-sudo-shim +sudo-rs
- etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff
- etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file
- run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs
at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit,
su,visudo} → sudo-rs symlinks idempotently
- delete etc/doas.conf, dot_local/bin/{doasedit,sudo}
- zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/
pacdiff/ssys to call sudo
- justfile: s/doas/sudo/g (status/diff/restore helpers)
- nvim: rename :DoasWrite → :SudoWrite (uses sudo -S)
- sway config: reboot/poweroff buttons call sudo
- bootstrap.sh: update step-5 comment
- README/KEYBINDS/copilot-instructions: flip the privesc convention
No Defaults overrides: sudo's defaults (passwd_tries=3,
timestamp_timeout=5) already fix the doas pain, and paru SudoLoop
(kept) refreshes the 5-min window via real sudo -v.
Diffstat (limited to '.github')
| -rw-r--r-- | .github/copilot-instructions.md | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 31c9842..d56fa93 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md @@ -17,7 +17,6 @@ The repo root is a chezmoi source directory. Files targeting `$HOME` use chezmoi - `meta/` contains plain text package lists for Arch Linux (one package per line, `#` comments). Each `.txt` file represents a group (e.g. `base.txt`, `dev.txt`, `wayland.txt`). Install with `just pkg-apply base dev` or `just pkg-apply` (all groups). Detect drift with `just pkg-status` (or `just status` for the aggregate). - `systemd-units/` contains plain text systemd unit lists split by scope: `systemd-units/system/<group>.txt` for system units (enabled via `sudo systemctl`) and `systemd-units/user/<group>.txt` for user units (enabled via `systemctl --user`). System groups are paired by name with `meta/` groups (e.g. `systemd-units/system/base.txt` ↔ `meta/base.txt`); user groups stand alone. Units listed here are enabled by `just unit-apply` (run automatically by `just init`, walks both scopes). Inspect with `just unit-list`, detect drift with `just unit-status`. The recipe group token is `<name>` or `system:<name>` (both → `system/<name>.txt`) or `user:<name>` (→ `user/<name>.txt`). E.g. `just unit-add user:graphical kanshi.service`. - `firefox/` contains Firefox/LibreWolf hardening overrides (`user-overrides.js`) and custom CSS (`chrome/userChrome.css`). Deployed by `run_onchange_after_deploy-firefox.sh.tmpl`. -- `dot_local/bin/executable_doasedit` (deployed to `~/.local/bin/doasedit`) is a small wrapper that emulates `sudoedit` for `doas`. - `bootstrap.sh` at the repo root is a POSIX shell script that takes a fresh minimal Arch install (only `base`) to a fully deployed state. It installs prerequisites, enables `%wheel` sudoers, bootstraps `paru-bin` from the AUR, clones the repo, and runs `just init`. On EFI systems missing an Arch boot entry it prints the `efibootmgr` command to register the UKI. Designed to be curlable: `curl -fsSL .../bootstrap.sh | sh`. - `.chezmoiignore` excludes non-home files (`etc/`, `meta/`, `systemd-units/`, `firefox/`, docs) from deployment to `$HOME`. - `.githooks/` contains git hooks: `pre-commit` runs `just check` as a code quality gate (bypass with `--no-verify`); `post-commit` runs `chezmoi apply`. Activated by `just init`. @@ -44,7 +43,7 @@ Additionally, `dot_config/sh/inputrc` provides readline config for non-zsh tools ## Key conventions - **XDG compliance**: All tools are configured to respect XDG base directories. History files, caches, and data go to `$XDG_CACHE_HOME`, `$XDG_DATA_HOME`, etc. — never bare `~/` dotfiles when avoidable. -- **`doas` over `sudo`**: The system uses `doas` as the privilege escalation tool; `sudo` is aliased to `doas`. +- **`sudo-rs` (memory-safe Rust sudo), not opendoas or the C sudo**: The system uses `sudo-rs` as the privilege escalation tool. The `sudo` package is not installed; `/usr/local/bin/{sudo,su,visudo,sudoedit}` are symlinks to the `sudo-rs` binaries. Sudoers config lives in `/etc/sudoers-rs` (sudo-rs prefers that path over `/etc/sudoers`). - **GPG-signed commits**: All git commits and tags are signed. The GPG agent also handles SSH authentication. - **Secrets via `pass`**: API keys and tokens are stored in the `pass` password manager and sourced into env vars at shell init, never hardcoded. - **EditorConfig**: LF line endings, UTF-8, final newlines, trimmed trailing whitespace. Lua uses 2-space indentation with 80-char line limit. Makefiles use tabs. |