diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:24 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:24 +0100 |
| commit | 729087821785cfc4923a14a7aed633850119b723 (patch) | |
| tree | ce5705086772495c18f42f2760bf01bfabfce54f /README.md | |
| parent | 68b1ffb42f7644b8a5f2275a16e94820b369818e (diff) | |
| download | dotfiles-729087821785cfc4923a14a7aed633850119b723.tar.gz dotfiles-729087821785cfc4923a14a7aed633850119b723.tar.bz2 dotfiles-729087821785cfc4923a14a7aed633850119b723.zip | |
feat(browser): migrate librewolf to flatpak for host-isolation
Move LibreWolf from native librewolf-bin to Flathub
io.gitlab.librewolf-community. Bubblewrap isolates the browser from
$HOME (\\.ssh, password-store, gnupg, ssh-agent socket) at the cost
of namespace chroot + IPC/network namespace isolation between content
processes (mozilla bug 1756236, P3, considered defense-in-depth).
seccomp-bpf — the dominant sandbox layer — is preserved.
- meta/flatpak.txt: + io.gitlab.librewolf-community
- meta/browser.txt: - librewolf-bin
- run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to
~/.var/app/io.gitlab.librewolf-community/.librewolf
- dot_config/mimeapps.list: librewolf.desktop -> flatpak app id
- dot_local/bin/executable_linkhandler: flatpak run wrapper
- README.md: blurb + new profile path
arkenfox-user.js + chezmoi user-overrides.js deploy keep working
unchanged because the flatpak profile is still on the host fs.
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -29,7 +29,7 @@ My Arch Linux configuration, managed with [chezmoi](https://www.chezmoi.io/). | Bar / launcher | [waybar](https://github.com/Alexays/Waybar), [fuzzel](https://codeberg.org/dnkl/fuzzel) | | Notifications | [mako](https://github.com/emersion/mako) | | Lock screen | [swaylock](https://github.com/swaywm/swaylock) | -| Browser | [LibreWolf](https://librewolf.net/), hardened via `user-overrides.js` + `userChrome.css` (kept under `firefox/` by name for recognizability) | +| Browser | [LibreWolf](https://librewolf.net/) (Flathub `io.gitlab.librewolf-community` for bubblewrap host-isolation), hardened via `user-overrides.js` + `userChrome.css` (kept under `firefox/` by name for recognizability) | | Mail | [Thunderbird](https://www.thunderbird.net/) against [ProtonMail Bridge](https://proton.me/mail/bridge) + Radicale (CalDAV/CardDAV); non-private prefs tracked under `thunderbird/` | | Secrets & identity | [GPG](https://gnupg.org/) (commit signing + SSH auth via gpg-agent), [pass](https://www.passwordstore.org/) | | Media & viewers | [mpv](https://mpv.io/), [zathura](https://pwmt.org/projects/zathura/), [yazi](https://yazi-rs.github.io/) | @@ -143,6 +143,6 @@ The repo is enough to rebuild a machine's tooling and configuration, but not its - GPG master key and subkeys (`gpg --export-secret-keys`, `gpg --export-ownertrust`). The agent also handles SSH auth, so this restores both. - `~/.password-store/` — the `pass` store that feeds API keys/tokens into the shell at login. - SSH private keys under `~/.ssh/id_*` (only `.pub` / config is in the repo). -- LibreWolf profile data (bookmarks, history, extension state) — only the hardening policy lives in `firefox/`. +- LibreWolf profile data (bookmarks, history, extension state) at `~/.var/app/io.gitlab.librewolf-community/.librewolf/` — only the hardening policy lives in `firefox/`. Recovery on a fresh install: run `bootstrap.sh`, then `gpg --import` + `pass init <KEYID>`, restore `~/.password-store/`, drop SSH private keys into `~/.ssh/`, and restore the LibreWolf profile. |