| author | 2026-05-13 13:43:25 +0100 | |
|---|---|---|
| committer | 2026-05-13 13:43:25 +0100 | |
| commit | db229deaef3b0c88f9930bd168e1779f7a4c6074 (patch) | |
| tree | 9e8210b98913c670b64197b28487957d2f5e5a45 | |
| parent | 7f083ce825ac452c781bba9976138f249b1f7510 (diff) | |
| download | dotfiles-db229deaef3b0c88f9930bd168e1779f7a4c6074.tar.gz dotfiles-db229deaef3b0c88f9930bd168e1779f7a4c6074.tar.bz2 dotfiles-db229deaef3b0c88f9930bd168e1779f7a4c6074.zip | |
feat(flatpak): sandbox zathura + add mpv hybrid for browser/mail handoffs
Defense-in-depth for the cross-sandbox handoff vector: when the
LibreWolf/Thunderbird flatpaks open a downloaded PDF or video via the
OpenURI portal, the receiving app currently runs natively with full
$HOME access — defeating part of the browser/mail isolation.
- meta/flatpak.txt: add org.pwmt.zathura, io.mpv.Mpv
- meta/wayland.txt: drop native zathura + zathura-pdf-mupdf
- meta/media.txt: keep native mpv (streamlink, /tmp/mpvsocket IPC,
fast yt-dlp) — flatpak mpv is *additional*, only as the mimeapps
default for video/audio to receive sandboxed handoffs
- dot_config/mimeapps.list: rewrite mpv.desktop -> io.mpv.Mpv.desktop,
zathura-pdf-mupdf.desktop -> org.pwmt.zathura.desktop, and replace
stale userapp-Thunderbird-* entries with org.mozilla.Thunderbird.desktop
- run_onchange_after_deploy-flatpak-overrides.sh.tmpl (new):
--filesystem=xdg-config/{zathura,mpv}:ro so the flatpaks read our
chezmoi-managed configs as a single source of truth
- README: media row + new deploy-script row
Manual one-shot on host: chezmoi apply -v.
The pteid bridge already iterates a flatpak app list, so cartão de
cidadão remains correctly registered for the Mozilla flatpaks. Native
mpv config (input-ipc-server) keeps working since each flatpak has its
own /tmp; no socket collision.
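The commit message above frames the problem as "which MIME defaults still hand a file downloaded by the sandboxed browser or mail client to a natively installed app". The script below is an added example, not code from this dotfiles repo or from chezmoi or flatpak: it reads a `mimeapps.list` and, for every `[Default Applications]` entry, reports the ones whose first-listed handler is not a flatpak export, i.e. the types whose handoff target would still run on the host with full `$HOME`. It checks every type, not only the audio/video/PDF entries the commit rewrites. The two export directory paths are the standard flatpak locations (an assumption about the host layout), and the `demo` fixture is a constructed `mimeapps.list` plus fake exports dir, not the repo's real file.

```shell
#!/bin/sh
# Added example, not code from the dotfiles repo: report MIME defaults in a
# mimeapps.list whose handler is not a flatpak export, i.e. types that a
# browser/mail OpenURI handoff would still open in a host-installed app
# with full $HOME access. Covers every default in the file, not only
# the audio/video/pdf entries the commit changes.
#
# Flatpak exports each installed app's desktop file (named after its app ID)
# into one of these directories, so "is the handler's .desktop file in an
# exports dir" is a usable proxy for "the handler runs in a sandbox".
# Assumption: standard flatpak export locations; adjust if yours differ.
SYSTEM_EXPORTS=/var/lib/flatpak/exports/share/applications
USER_EXPORTS="${HOME:-/nonexistent}/.local/share/flatpak/exports/share/applications"

# unsandboxed_defaults MIMEAPPS_FILE EXPORT_DIR [EXPORT_DIR...]
# Prints "mime=handler.desktop" for every default whose first-listed
# handler is not found in any EXPORT_DIR. Only [Default Applications] is
# consulted: [Added Associations] lists candidates, it does not pick the
# launcher. Caveat: a sandboxed handler still sees whatever its static
# permissions grant; inspect those with `flatpak info --show-permissions`.
unsandboxed_defaults() {
    mimeapps=$1
    shift
    sed -n '/^\[Default Applications\]/,/^\[/p' "$mimeapps" \
        | grep -E '^[^#[][^=]*=' \
        | while IFS='=' read -r mime handlers; do
            # A value may be a ;-separated preference list; the first
            # entry is what the launcher tries first.
            first=${handlers%%;*}
            sandboxed=0
            for dir in "$@"; do
                if [ -f "$dir/$first" ]; then
                    sandboxed=1
                    break
                fi
            done
            if [ "$sandboxed" -eq 0 ]; then
                printf '%s=%s\n' "$mime" "$first"
            fi
        done
}

# Constructed fixture (not the repo's real mimeapps.list or exports dir):
# two flatpak exports exist; one default points at a host-only handler and
# one prefers a native plugin desktop file ahead of the flatpak.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/exports"
    : > "$tmp/exports/io.mpv.Mpv.desktop"
    : > "$tmp/exports/org.pwmt.zathura.desktop"
    cat > "$tmp/mimeapps.list" <<'EOF'
[Default Applications]
video/mp4=io.mpv.Mpv.desktop
application/pdf=org.pwmt.zathura.desktop
application/postscript=zathura-pdf-poppler.desktop;org.pwmt.zathura.desktop
text/plain=nvim.desktop

[Added Associations]
video/mp4=mpv.desktop;
EOF
    unsandboxed_defaults "$tmp/mimeapps.list" "$tmp/exports"
    rm -rf "$tmp"
}

# Real run (an exports dir that does not exist simply never matches):
#   unsandboxed_defaults "$HOME/.config/mimeapps.list" "$SYSTEM_EXPORTS" "$USER_EXPORTS"
demo
```

Against the fixture it reports `application/postscript` (the first handler, `zathura-pdf-poppler.desktop`, is a host desktop file even though the flatpak is listed second) and `text/plain`; run against the real `~/.config/mimeapps.list` it shows which types the commit leaves routed to host apps.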
| -rw-r--r-- | README.md | 21 | ||||
| -rw-r--r-- | dot_config/mimeapps.list | 148 | ||||
| -rw-r--r-- | meta/flatpak.txt | 2 | ||||
| -rw-r--r-- | meta/media.txt | 4 | ||||
| -rw-r--r-- | meta/wayland.txt | 5 | ||||
| -rw-r--r-- | run_onchange_after_deploy-flatpak-overrides.sh.tmpl | 17 |
6 files changed, 110 insertions, 87 deletions
@@ -32,7 +32,7 @@ My Arch Linux configuration, managed with [chezmoi](https://www.chezmoi.io/). | Browser | [LibreWolf](https://librewolf.net/) (Flathub `io.gitlab.librewolf-community` for bubblewrap host-isolation), hardened via `user-overrides.js` + `userChrome.css` (kept under `firefox/` by name for recognizability) | | Mail | [Thunderbird](https://www.thunderbird.net/) (Flathub `org.mozilla.Thunderbird`) against [ProtonMail Bridge](https://proton.me/mail/bridge) + Radicale (CalDAV/CardDAV); non-private prefs tracked under `thunderbird/` | | Secrets & identity | [GPG](https://gnupg.org/) (commit signing + SSH auth via gpg-agent), [pass](https://www.passwordstore.org/) | -| Media & viewers | [mpv](https://mpv.io/), [zathura](https://pwmt.org/projects/zathura/), [yazi](https://yazi-rs.github.io/) | +| Media & viewers | [mpv](https://mpv.io/) (native for streamlink/IPC + Flathub `io.mpv.Mpv` as the sandboxed default for browser/mail handoffs), [zathura](https://pwmt.org/projects/zathura/) (Flathub `org.pwmt.zathura`), [yazi](https://yazi-rs.github.io/) | | Code quality | stylua + [selene](https://github.com/Kampfkarren/selene), [shfmt](https://github.com/mvdan/sh) + [shellcheck](https://www.shellcheck.net/), [ruff](https://github.com/astral-sh/ruff), [taplo](https://taplo.tamasfe.dev/), [prettier](https://prettier.io/) — all wired through `just check` | Keybinds are documented in [`KEYBINDS.md`](./KEYBINDS.md). 
@@ -75,15 +75,16 @@ chezmoi apply -v Everything is driven by [just](https://just.systems/) recipes against four parallel models: -| Directory | Managed by | Purpose | -| ----------------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `dot_*`, `private_dot_*` | chezmoi | Dotfiles deployed to `$HOME`. Prefixes: `dot_` → `.`, `private_` → `0600`, `executable_` → `+x`. | -| `meta/*.txt` | `just pkg-apply`, `just pkg-status` | Plain-text package lists (one per line, `#` comments). Groups: `base`, `dev`, `wayland`, etc. | -| `systemd-units/{system,user}/*.txt` | `just unit-apply`, `just unit-status` | Units to enable, split by scope. `system/` files pair by name with `meta/` groups (`system/base.txt` ↔ `meta/base.txt`); `user/` files are standalone. Recipe group token: `<name>` / `system:<name>` / `user:<name>`. | -| `etc/` | `run_onchange_after_deploy-etc.sh.tmpl` | System-level configs deployed to `/etc/` via a chezmoi onchange hook. | -| `firefox/` | `run_onchange_after_deploy-firefox.sh.tmpl` | LibreWolf `user-overrides.js` + `userChrome.css` (kept under the familiar `firefox/` name). | -| (cartão de cidadão) | `run_onchange_after_deploy-pteid-pkcs11.sh.tmpl` | Bridges the `pt.gov.autenticacao` flatpak's PKCS#11 module into the NSS DB of every flatpak that needs cartão de cidadão (LibreWolf, Thunderbird, Okular, LibreOffice) — `--filesystem` + `--socket=pcsc` override + `modutil -add` per NSS DB (per-profile for Mozilla apps, shared `~/.pki/nssdb` for Okular/LibreOffice). No-op unless `pt.gov.autenticacao` is installed. 
| -| (Thunderbird native editor) | `run_onchange_after_deploy-tb-eer.sh.tmpl` | Bridges `external-editor-revived` (host pacman package) into the Thunderbird flatpak: deploys a `flatpak-spawn --host` wrapper into the sandbox's `~/.mozilla/native-messaging-hosts/` and rewrites the manifest `path` to point at it. No-op unless TB flatpak + EER host package are both installed. | +| Directory | Managed by | Purpose | +| ----------------------------------- | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `dot_*`, `private_dot_*` | chezmoi | Dotfiles deployed to `$HOME`. Prefixes: `dot_` → `.`, `private_` → `0600`, `executable_` → `+x`. | +| `meta/*.txt` | `just pkg-apply`, `just pkg-status` | Plain-text package lists (one per line, `#` comments). Groups: `base`, `dev`, `wayland`, etc. | +| `systemd-units/{system,user}/*.txt` | `just unit-apply`, `just unit-status` | Units to enable, split by scope. `system/` files pair by name with `meta/` groups (`system/base.txt` ↔ `meta/base.txt`); `user/` files are standalone. Recipe group token: `<name>` / `system:<name>` / `user:<name>`. | +| `etc/` | `run_onchange_after_deploy-etc.sh.tmpl` | System-level configs deployed to `/etc/` via a chezmoi onchange hook. | +| `firefox/` | `run_onchange_after_deploy-firefox.sh.tmpl` | LibreWolf `user-overrides.js` + `userChrome.css` (kept under the familiar `firefox/` name). 
| +| (cartão de cidadão) | `run_onchange_after_deploy-pteid-pkcs11.sh.tmpl` | Bridges the `pt.gov.autenticacao` flatpak's PKCS#11 module into the NSS DB of every flatpak that needs cartão de cidadão (LibreWolf, Thunderbird, Okular, LibreOffice) — `--filesystem` + `--socket=pcsc` override + `modutil -add` per NSS DB (per-profile for Mozilla apps, shared `~/.pki/nssdb` for Okular/LibreOffice). No-op unless `pt.gov.autenticacao` is installed. | +| (Thunderbird native editor) | `run_onchange_after_deploy-tb-eer.sh.tmpl` | Bridges `external-editor-revived` (host pacman package) into the Thunderbird flatpak: deploys a `flatpak-spawn --host` wrapper into the sandbox's `~/.mozilla/native-messaging-hosts/` and rewrites the manifest `path` to point at it. No-op unless TB flatpak + EER host package are both installed. | +| (flatpak config sharing) | `run_onchange_after_deploy-flatpak-overrides.sh.tmpl` | Read-only `--filesystem=xdg-config/<app>:ro` overrides so the zathura and mpv flatpaks read our chezmoi-managed `~/.config/<app>/` instead of a separate in-sandbox copy. | ## Recipes at a glance diff --git a/dot_config/mimeapps.list b/dot_config/mimeapps.list index 70143e9..d8cbd87 100644 --- a/dot_config/mimeapps.list +++ b/dot_config/mimeapps.list 
@@ -1,68 +1,68 @@ [Default Applications] -audio/x-vorbis+ogg=mpv.desktop -audio/aac=mpv.desktop -audio/x-aac=mpv.desktop -audio/m4a=mpv.desktop -audio/x-m4a=mpv.desktop -audio/mp1=mpv.desktop -audio/x-mp1=mpv.desktop -audio/mp2=mpv.desktop -audio/x-mp2=mpv.desktop -audio/mp3=mpv.desktop -audio/x-mp3=mpv.desktop -audio/mpeg=mpv.desktop -audio/x-mpeg=mpv.desktop -audio/mpegurl=mpv.desktop -audio/x-mpegurl=mpv.desktop -audio/mpg=mpv.desktop -audio/x-mpg=mpv.desktop -audio/rn-mpeg=mpv.desktop -audio/ogg=mpv.desktop -audio/scpls=mpv.desktop -audio/x-scpls=mpv.desktop -audio/vnd.rn-realaudio=mpv.desktop -audio/wav=mpv.desktop -audio/x-pn-windows-pcm=mpv.desktop -audio/x-realaudio=mpv.desktop -audio/x-pn-realaudio=mpv.desktop -audio/x-ms-wma=mpv.desktop -audio/x-pls=mpv.desktop -audio/x-wav=mpv.desktop -audio/x-flac=mpv.desktop -audio/x-shorten=mpv.desktop -audio/x-ape=mpv.desktop -audio/x-wavpack=mpv.desktop -audio/x-tta=mpv.desktop -audio/AMR=mpv.desktop -audio/ac3=mpv.desktop -audio/flac=mpv.desktop -audio/mp4=mpv.desktop -video/x-ogm+ogg=mpv.desktop -video/mpeg=mpv.desktop -video/x-mpeg=mpv.desktop -video/x-mpeg2=mpv.desktop -video/mp4=mpv.desktop -video/msvideo=mpv.desktop -video/x-msvideo=mpv.desktop -video/ogg=mpv.desktop -video/quicktime=mpv.desktop -video/vnd.rn-realvideo=mpv.desktop -video/x-ms-afs=mpv.desktop -video/x-ms-asf=mpv.desktop -video/x-ms-wmv=mpv.desktop -video/x-ms-wmx=mpv.desktop -video/x-ms-wvxvideo=mpv.desktop -video/x-avi=mpv.desktop -video/x-fli=mpv.desktop -video/x-flv=mpv.desktop -video/x-theora=mpv.desktop -video/x-matroska=mpv.desktop -video/webm=mpv.desktop -video/mp2t=mpv.desktop +audio/x-vorbis+ogg=io.mpv.Mpv.desktop +audio/aac=io.mpv.Mpv.desktop +audio/x-aac=io.mpv.Mpv.desktop +audio/m4a=io.mpv.Mpv.desktop +audio/x-m4a=io.mpv.Mpv.desktop +audio/mp1=io.mpv.Mpv.desktop +audio/x-mp1=io.mpv.Mpv.desktop +audio/mp2=io.mpv.Mpv.desktop +audio/x-mp2=io.mpv.Mpv.desktop +audio/mp3=io.mpv.Mpv.desktop +audio/x-mp3=io.mpv.Mpv.desktop 
+audio/mpeg=io.mpv.Mpv.desktop +audio/x-mpeg=io.mpv.Mpv.desktop +audio/mpegurl=io.mpv.Mpv.desktop +audio/x-mpegurl=io.mpv.Mpv.desktop +audio/mpg=io.mpv.Mpv.desktop +audio/x-mpg=io.mpv.Mpv.desktop +audio/rn-mpeg=io.mpv.Mpv.desktop +audio/ogg=io.mpv.Mpv.desktop +audio/scpls=io.mpv.Mpv.desktop +audio/x-scpls=io.mpv.Mpv.desktop +audio/vnd.rn-realaudio=io.mpv.Mpv.desktop +audio/wav=io.mpv.Mpv.desktop +audio/x-pn-windows-pcm=io.mpv.Mpv.desktop +audio/x-realaudio=io.mpv.Mpv.desktop +audio/x-pn-realaudio=io.mpv.Mpv.desktop +audio/x-ms-wma=io.mpv.Mpv.desktop +audio/x-pls=io.mpv.Mpv.desktop +audio/x-wav=io.mpv.Mpv.desktop +audio/x-flac=io.mpv.Mpv.desktop +audio/x-shorten=io.mpv.Mpv.desktop +audio/x-ape=io.mpv.Mpv.desktop +audio/x-wavpack=io.mpv.Mpv.desktop +audio/x-tta=io.mpv.Mpv.desktop +audio/AMR=io.mpv.Mpv.desktop +audio/ac3=io.mpv.Mpv.desktop +audio/flac=io.mpv.Mpv.desktop +audio/mp4=io.mpv.Mpv.desktop +video/x-ogm+ogg=io.mpv.Mpv.desktop +video/mpeg=io.mpv.Mpv.desktop +video/x-mpeg=io.mpv.Mpv.desktop +video/x-mpeg2=io.mpv.Mpv.desktop +video/mp4=io.mpv.Mpv.desktop +video/msvideo=io.mpv.Mpv.desktop +video/x-msvideo=io.mpv.Mpv.desktop +video/ogg=io.mpv.Mpv.desktop +video/quicktime=io.mpv.Mpv.desktop +video/vnd.rn-realvideo=io.mpv.Mpv.desktop +video/x-ms-afs=io.mpv.Mpv.desktop +video/x-ms-asf=io.mpv.Mpv.desktop +video/x-ms-wmv=io.mpv.Mpv.desktop +video/x-ms-wmx=io.mpv.Mpv.desktop +video/x-ms-wvxvideo=io.mpv.Mpv.desktop +video/x-avi=io.mpv.Mpv.desktop +video/x-fli=io.mpv.Mpv.desktop +video/x-flv=io.mpv.Mpv.desktop +video/x-theora=io.mpv.Mpv.desktop +video/x-matroska=io.mpv.Mpv.desktop +video/webm=io.mpv.Mpv.desktop +video/mp2t=io.mpv.Mpv.desktop image/x-nikon-nef=imv.desktop image/jpeg=imv.desktop image/png=imv.desktop -image/gif=mpv.desktop +image/gif=io.mpv.Mpv.desktop image/svg+xml=io.gitlab.librewolf-community.desktop text/markdown=org.kde.okular.desktop text/plain=nvim.desktop 
@@ -71,11 +71,11 @@ text/x-chdr=nvim.desktop text/x-tex=nvim.desktop application/x-shellscript=nvim.desktop application/x-bittorrent=transmission.desktop -application/pdf=org.pwmt.zathura-pdf-mupdf.desktop -application/postscript=zathura-pdf-poppler.desktop;org.pwmt.zathura-pdf-mupdf.desktop +application/pdf=org.pwmt.zathura.desktop +application/postscript=org.pwmt.zathura.desktop application/rss+xml=rss.desktop x-scheme-handler/magnet=transmission.desktop -x-scheme-handler/mailto=userapp-Thunderbird-CJ20N3.desktop +x-scheme-handler/mailto=org.mozilla.Thunderbird.desktop application/msword-template=xdot.desktop x-scheme-handler/http=io.gitlab.librewolf-community.desktop x-scheme-handler/https=io.gitlab.librewolf-community.desktop @@ -87,12 +87,12 @@ application/x-extension-shtml=io.gitlab.librewolf-community.desktop application/xhtml+xml=io.gitlab.librewolf-community.desktop application/x-extension-xhtml=io.gitlab.librewolf-community.desktop application/x-extension-xht=io.gitlab.librewolf-community.desktop -message/rfc822=userapp-Thunderbird-CJ20N3.desktop -x-scheme-handler/mid=userapp-Thunderbird-CJ20N3.desktop -x-scheme-handler/webcal=userapp-Thunderbird-1BJ3N3.desktop -text/calendar=userapp-Thunderbird-1BJ3N3.desktop -application/x-extension-ics=userapp-Thunderbird-1BJ3N3.desktop -x-scheme-handler/webcals=userapp-Thunderbird-1BJ3N3.desktop +message/rfc822=org.mozilla.Thunderbird.desktop +x-scheme-handler/mid=org.mozilla.Thunderbird.desktop +x-scheme-handler/webcal=org.mozilla.Thunderbird.desktop +text/calendar=org.mozilla.Thunderbird.desktop +application/x-extension-ics=org.mozilla.Thunderbird.desktop +x-scheme-handler/webcals=org.mozilla.Thunderbird.desktop [Added Associations] x-scheme-handler/http=io.gitlab.librewolf-community.desktop; 
@@ -105,7 +105,7 @@ application/x-extension-shtml=io.gitlab.librewolf-community.desktop; application/xhtml+xml=io.gitlab.librewolf-community.desktop; application/x-extension-xhtml=io.gitlab.librewolf-community.desktop; application/x-extension-xht=io.gitlab.librewolf-community.desktop; -x-scheme-handler/mailto=userapp-Thunderbird-CJ20N3.desktop; -x-scheme-handler/mid=userapp-Thunderbird-CJ20N3.desktop; -x-scheme-handler/webcal=userapp-Thunderbird-1BJ3N3.desktop; -x-scheme-handler/webcals=userapp-Thunderbird-1BJ3N3.desktop; +x-scheme-handler/mailto=org.mozilla.Thunderbird.desktop; +x-scheme-handler/mid=org.mozilla.Thunderbird.desktop; +x-scheme-handler/webcal=org.mozilla.Thunderbird.desktop; +x-scheme-handler/webcals=org.mozilla.Thunderbird.desktop; diff --git a/meta/flatpak.txt b/meta/flatpak.txt index c76b100..abdabb7 100644 --- a/meta/flatpak.txt +++ b/meta/flatpak.txt @@ -9,10 +9,12 @@ # version embedded in the URL differs from the installed version. io.gitlab.librewolf-community +io.mpv.Mpv org.chromium.Chromium org.kde.okular org.libreoffice.LibreOffice org.mozilla.Thunderbird +org.pwmt.zathura org.torproject.torbrowser-launcher # Portuguese Citizen Card (eID) middleware + GUI. Not on Flathub; ships diff --git a/meta/media.txt b/meta/media.txt index 03a3d10..8e5b5c2 100644 --- a/meta/media.txt +++ b/meta/media.txt @@ -1,3 +1,7 @@ +# Native mpv is kept for streamlink piping and the /tmp/mpvsocket IPC +# integration; the io.mpv.Mpv flatpak (meta/flatpak.txt) is set as the +# mimeapps default for video/* so files handed off by the browser/mail +# sandbox stay sandboxed. mpv streamlink yt-dlp diff --git a/meta/wayland.txt b/meta/wayland.txt index 91d68b4..413e47b 100644 --- a/meta/wayland.txt +++ b/meta/wayland.txt 
@@ -40,9 +40,8 @@ imv zbar xorg-xwayland # needed for zbarcam's X11 preview -# Document viewer -zathura -zathura-pdf-mupdf +# Document viewer is the org.pwmt.zathura flatpak (see meta/flatpak.txt) so +# PDFs handed off from the browser/mail sandbox stay sandboxed. # Misc brightnessctl diff --git a/run_onchange_after_deploy-flatpak-overrides.sh.tmpl b/run_onchange_after_deploy-flatpak-overrides.sh.tmpl new file mode 100644 index 0000000..d8be763 --- /dev/null +++ b/run_onchange_after_deploy-flatpak-overrides.sh.tmpl @@ -0,0 +1,17 @@ +#!/bin/sh +# Read-only host config bindings for flatpaks that should pick up our +# chezmoi-managed ~/.config/<app>/ rather than maintaining a separate +# in-sandbox copy. Idempotent; flatpak override merges entries. +# +# script hash: {{ output "sh" "-c" (printf "sha256sum %q/run_onchange_after_deploy-flatpak-overrides.sh.tmpl 2>/dev/null || true" .chezmoi.sourceDir) }} +set -eu + +apply() { + app=$1 + shift + flatpak info --user "$app" >/dev/null 2>&1 || return 0 + flatpak override --user "$@" "$app" +} + +apply org.pwmt.zathura --filesystem=xdg-config/zathura:ro +apply io.mpv.Mpv --filesystem=xdg-config/mpv:ro |
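Review bot: the README Media row (first README hunk) presents `io.mpv.Mpv` and `org.pwmt.zathura` as "sandboxed" handoff targets, but that holds only as far as each flatpak's own static permissions allow, and the patch neither documents nor constrains them. Check `flatpak info --show-permissions io.mpv.Mpv` and the same for `org.pwmt.zathura`; if either ships with `--filesystem=host` or `--filesystem=home`, the receiving app has the `$HOME` access the commit message says it is removing, and the new override script is the natural place to add `--nofilesystem=host` / `--nofilesystem=home` so the target sees only the file passed through the document portal plus the `xdg-config/<app>:ro` bind.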
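Review bot: the "flatpak config sharing" README row and the `--filesystem=xdg-config/{zathura,mpv}:ro` overrides make host `~/.config/zathura` and `~/.config/mpv` visible inside the sandbox, but flatpak sets `XDG_CONFIG_HOME` to `~/.var/app/<app-id>/config` for the sandboxed process, so unless the app's manifest or launcher remaps it, zathura and mpv keep reading their in-sandbox copy and the "single source of truth" claim does not hold. Verify with `flatpak run --command=sh org.pwmt.zathura -c 'echo $XDG_CONFIG_HOME; ls ~/.config/zathura'` (same for `io.mpv.Mpv`); if the variable points into `~/.var/app`, either symlink `~/.var/app/<app-id>/config/<app>` to `~/.config/<app>` from this script (the link target is reachable thanks to the `:ro` bind) or document the extra step in the README row.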
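Review bot: the new `meta/media.txt` comment says the flatpak is "the mimeapps default for video/*", but the first `mimeapps.list` hunk also moves every `audio/*` default and `image/gif` to `io.mpv.Mpv.desktop`; update the comment to `audio/*`, `video/*` and `image/gif` so the two files agree. It would also help to state in the same comment (or the README) which defaults in the surrounding context deliberately stay native, since `image/jpeg=imv.desktop`, `text/plain=nvim.desktop` and `application/x-bittorrent=transmission.desktop` still land in host apps with full `$HOME`, i.e. the handoff vector the commit message describes remains open for those types.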
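Review bot: in the second `mimeapps.list` hunk, `application/postscript` goes from a two-entry list (`zathura-pdf-poppler.desktop;org.pwmt.zathura-pdf-mupdf.desktop`) to `org.pwmt.zathura.desktop` alone, so PostScript rendering now depends entirely on the flatpak bundling a PS plugin, which the patch does not check or mention. Confirm with a sample `.ps` file after `chezmoi apply`, and if the flatpak cannot render it, either keep a second fallback entry or drop the association rather than leaving a default that fails to open.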
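Review bot: in `run_onchange_after_deploy-flatpak-overrides.sh.tmpl`, the guard `flatpak info --user "$app" >/dev/null 2>&1 || return 0` only detects per-user installations, so an app installed in the system scope (the default for `flatpak install` without `--user`) makes `apply` return 0 silently and no override is written; `flatpak override --user` applies to system-installed apps too, so drop the scope from the check (`flatpak info "$app"`) or test both scopes. Two smaller points in the same file: because `flatpak override` only merges (as the header comment notes), an entry removed from this script later is never revoked, so pair removals with the matching `--nofilesystem=` or run `flatpak override --user --reset "$app"` before re-applying; and the `# script hash:` line is redundant, since a `run_onchange_` script already re-runs whenever its own rendered contents change (the hash idiom is for hashing *other* files whose changes should trigger the script), and `%q` in a Go template is Go string quoting, not shell quoting, so it is not a safe way to quote `.chezmoi.sourceDir` for `sh -c` in any case.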
