| author | 2026-05-13 13:43:25 +0100 | |
|---|---|---|
| committer | 2026-05-13 13:43:25 +0100 | |
| commit | 79d68fcc03c1639c1f13343b4b7d5f9f06274295 (patch) | |
| tree | 636a7c3cf2c9d0fe7c0b9027c5ff11756953a846 /private_dot_ssh | |
| parent | 8d557eac140e7437a98a299908c99d7d6772cf1c (diff) | |
| download | dotfiles-79d68fcc03c1639c1f13343b4b7d5f9f06274295.tar.gz dotfiles-79d68fcc03c1639c1f13343b4b7d5f9f06274295.tar.bz2 dotfiles-79d68fcc03c1639c1f13343b4b7d5f9f06274295.zip | |
feat(thunderbird): migrate to flatpak with NMH + PKCS#11 bridges

Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak,
mirroring the LibreWolf migration. Bubblewrap isolates the mail client from
the rest of $HOME (ssh keys, password store, gpg sockets); intra-process
isolation regression is real but minor (same tradeoff as the browser).

Three cross-sandbox glue points handled in repo:
- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from
  ~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate
  over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so
  cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges
  external-editor-revived's native messaging host into the sandbox via
  a flatpak-spawn --host wrapper + relocated manifest

Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered
by Flathub default permissions.

Manual one-shot migration on host (after pulling + just sync): close TB,
copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/,
chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop
x-scheme-handler/mailto. Once verified working, archive the old profile
via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.

Diffstat (limited to 'private_dot_ssh')
0 files changed, 0 insertions, 0 deletions
