-rw-r--r--dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf10
-rw-r--r--dot_config/systemd/user/teams-sii.service27
-rw-r--r--dot_config/systemd/user/teams-xsight.service27
-rw-r--r--dot_local/bin/executable_snxctl-chromium37
-rw-r--r--dot_local/share/snx-rs/bin/executable_xdg-open11
-rw-r--r--etc/pacman.conf4
-rw-r--r--firefox/user-overrides.js18
-rw-r--r--systemd-units/user.txt2
8 files changed, 127 insertions, 9 deletions
diff --git a/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf b/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf
new file mode 100644
index 0000000..a5380e3
--- /dev/null
+++ b/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf
@@ -0,0 +1,10 @@
+[Service]
+# Force snx-rs to use the flatpak ungoogled-chromium as its SAML browser.
+# snx-rs calls `xdg-open <url>` via the `opener` crate. Prepending a private
+# PATH dir that contains an `xdg-open` shim makes the daemon find our shim
+# first, without affecting xdg-open for any other user process.
+#
+# Why not the system default browser? LibreWolf force-upgrades loopback to
+# HTTPS and enables LNA blocking, both of which break snx-rs's plain-HTTP
+# 127.0.0.1:7779 SAML callback. See firefox/user-overrides.js comments.
+Environment=PATH=%h/.local/share/snx-rs/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
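Review bot: `Environment=PATH=…` on line 30 replaces the daemon's whole PATH with a fixed list rather than prepending to whatever the user manager exported, because systemd does not expand `$PATH` inside `Environment=`; any extra entries visible in `systemctl --user show-environment` are silently dropped for this service. That is probably acceptable, but the comment block should state it, e.g. `# Environment= cannot reference $PATH, so the full list is spelled out here; keep it in sync with the manager's PATH.` It is also worth one line noting that prepending a user-writable directory to a daemon's PATH is only safe because this is a --user unit running as the same user; the same drop-in copied to a system unit would let that user inject binaries into a root-run service.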
diff --git a/dot_config/systemd/user/teams-sii.service b/dot_config/systemd/user/teams-sii.service
new file mode 100644
index 0000000..df0453e
--- /dev/null
+++ b/dot_config/systemd/user/teams-sii.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Microsoft Teams — Sii account (flatpak)
+PartOf=graphical-session.target
+After=graphical-session.target
+ConditionEnvironment=WAYLAND_DISPLAY
+
+[Service]
+Type=simple
+# Mirrors the Exec= line in teams-sii.desktop. --user-data-dir isolates this
+# instance from teams-xsight; --class is for sway window matching.
+ExecStart=/usr/bin/flatpak run com.github.IsmaelMartinez.teams_for_linux \
+ --class=teams-sii \
+ --user-data-dir=%h/.var/app/com.github.IsmaelMartinez.teams_for_linux/config/profile-sii \
+ --appIcon=%h/.local/share/icons/hicolor/256x256/apps/teams-sii.png \
+ "--appTitle=Teams — Sii"
+# Both Teams instances share the same flatpak app id, so we can't use
+# `flatpak kill <app-id>` in ExecStop (it would also kill the xsight one).
+# KillMode=mixed sends SIGTERM to the main process only — teams-for-linux
+# treats that as a real Quit (not tray-hide), and SIGKILL hits stragglers
+# after the stop timeout if Electron misbehaves.
+KillMode=mixed
+Restart=on-failure
+RestartSec=5s
+TimeoutStopSec=15s
+
+[Install]
+WantedBy=sway-session.target
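Review bot: This unit and teams-xsight.service (next hunk) differ only in the instance token and the display title, so a template `teams@.service` with `%i` in `--class`, `--user-data-dir` and `--appIcon` would remove the duplicated 27 lines, though the mixed-case `--appTitle=` values would then need a per-instance `EnvironmentFile=` or be dropped. Separately, `ConditionEnvironment=WAYLAND_DISPLAY` on line 41 is evaluated against the user manager's environment at activation time; if sway imports that variable after sway-session.target pulls this unit in, the condition fails and the unit goes inactive (not failed), so `Restart=on-failure` never retries — worth confirming the import ordering on a fresh login, and a comment such as `# Requires WAYLAND_DISPLAY to be imported into the user manager before sway-session.target starts.` would save the next reader the debugging.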
diff --git a/dot_config/systemd/user/teams-xsight.service b/dot_config/systemd/user/teams-xsight.service
new file mode 100644
index 0000000..478f734
--- /dev/null
+++ b/dot_config/systemd/user/teams-xsight.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Microsoft Teams — XSight account (flatpak)
+PartOf=graphical-session.target
+After=graphical-session.target
+ConditionEnvironment=WAYLAND_DISPLAY
+
+[Service]
+Type=simple
+# Mirrors the Exec= line in teams-xsight.desktop. --user-data-dir isolates
+# this instance from teams-sii; --class is for sway window matching.
+ExecStart=/usr/bin/flatpak run com.github.IsmaelMartinez.teams_for_linux \
+ --class=teams-xsight \
+ --user-data-dir=%h/.var/app/com.github.IsmaelMartinez.teams_for_linux/config/profile-xsight \
+ --appIcon=%h/.local/share/icons/hicolor/256x256/apps/teams-xsight.png \
+ "--appTitle=Teams — XSight"
+# Both Teams instances share the same flatpak app id, so we can't use
+# `flatpak kill <app-id>` in ExecStop (it would also kill the sii one).
+# KillMode=mixed sends SIGTERM to the main process only — teams-for-linux
+# treats that as a real Quit (not tray-hide), and SIGKILL hits stragglers
+# after the stop timeout if Electron misbehaves.
+KillMode=mixed
+Restart=on-failure
+RestartSec=5s
+TimeoutStopSec=15s
+
+[Install]
+WantedBy=sway-session.target
diff --git a/dot_local/bin/executable_snxctl-chromium b/dot_local/bin/executable_snxctl-chromium
new file mode 100644
index 0000000..d52ddfb
--- /dev/null
+++ b/dot_local/bin/executable_snxctl-chromium
@@ -0,0 +1,37 @@
+#!/bin/sh
+# snxctl-chromium: `snxctl connect` with the flatpak ungoogled-chromium as
+# the SAML browser. Bypasses LibreWolf's loopback HTTPS-upgrade + LNA block
+# that prevent snx-rs's 127.0.0.1:7779 SAML callback from completing.
+#
+# How it works
+# ------------
+# A tracked drop-in
+# (~/.config/systemd/user/snx-rs.service.d/10-chromium-saml.conf) prepends
+# ~/.local/share/snx-rs/bin to the daemon's PATH. That directory contains
+# an `xdg-open` shim that flatpak-runs ungoogled-chromium. snx-rs uses the
+# `opener` crate which spawns `xdg-open` — the shim wins.
+#
+# This script just makes sure the daemon picks up the override (it only
+# loads Environment= at start time, so a freshly-edited drop-in needs a
+# daemon-reload + service restart) and then runs `snxctl connect`.
+set -eu
+
+SERVICE=snx-rs.service
+
+if ! systemctl --user cat "$SERVICE" >/dev/null 2>&1; then
+ printf '%s: %s is not a known user unit; aborting.\n' "${0##*/}" "$SERVICE" >&2
+ exit 1
+fi
+
+current_path=$(systemctl --user show -p Environment --value "$SERVICE")
+case "$current_path" in
+ *"$HOME/.local/share/snx-rs/bin"*) ;;
+ *)
+ echo "${0##*/}: applying chromium SAML drop-in (daemon-reload + restart)…" >&2
+ systemctl --user daemon-reload
+ systemctl --user restart "$SERVICE"
+ sleep 1
+ ;;
+esac
+
+exec snxctl connect "$@"
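Review bot: The freshness check on line 128 reads the Environment= of the loaded unit definition, not of the running daemon: if the drop-in was added and `systemctl --user daemon-reload` was run by hand but the service never restarted, `show -p Environment` already reports the new PATH, the `case` on line 129 takes the no-op branch, and `snxctl connect` runs against a daemon whose PATH still lacks the shim. A cheap complement is to also take the restart branch when `systemctl --user show -p NeedDaemonReload --value "$SERVICE"` prints `yes`, and to say in the header comment that the detection is best-effort. The fixed `sleep 1` on line 135 is a timing guess rather than a readiness check; if snxctl exposes a status query, polling it briefly would be more robust, and at minimum the comment should state why one second is assumed enough. Minor style: line 124 uses `printf` and line 132 uses `echo` for the same kind of stderr message; pick one.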
diff --git a/dot_local/share/snx-rs/bin/executable_xdg-open b/dot_local/share/snx-rs/bin/executable_xdg-open
new file mode 100644
index 0000000..5577b10
--- /dev/null
+++ b/dot_local/share/snx-rs/bin/executable_xdg-open
@@ -0,0 +1,11 @@
+#!/bin/sh
+# xdg-open shim that hands every URL to the flatpak ungoogled-chromium.
+#
+# Used by snx-rs (which calls `xdg-open` via the `opener` crate) to land
+# the SAML callback inside a browser that won't HTTPS-upgrade or LNA-block
+# the loopback handoff to 127.0.0.1:7779. Wired up via a systemd --user
+# drop-in (dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf)
+# that prepends this directory to the daemon's PATH — it does NOT shadow
+# the system-wide xdg-open for any other process.
+exec flatpak run io.github.ungoogled_software.ungoogled_chromium \
+ --new-window "$@"
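Review bot: `"$@"` on line 156 follows `--new-window` directly, so any argument that begins with `-` would be parsed by chromium as a switch rather than opened as a URL; the value comes from snx-rs, which forwards what the VPN gateway's SAML exchange hands it, so it is not fully under local control. Chromium's command-line parser honours `--` as a switch terminator, so `--new-window -- "$@"` closes that gap (confirm that `flatpak run` passes the `--` through to the app unchanged). The header comment could also state the expected argument shape, e.g. `# Expects what snx-rs passes to xdg-open: a single URL argument.`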
diff --git a/etc/pacman.conf b/etc/pacman.conf
index f6e7e64..8adc5ae 100644
--- a/etc/pacman.conf
+++ b/etc/pacman.conf
@@ -22,7 +22,9 @@ HoldPkg = pacman glibc
Architecture = auto
# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
-#IgnorePkg =
+# llama-cpp-vulkan: AUR rebuilds on every llama.cpp commit (1-2 hour build);
+# pin and update manually with `paru -S llama-cpp-vulkan` when intended.
+IgnorePkg = llama-cpp-vulkan
#IgnoreGroup =
#NoUpgrade =
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
index 6265f95..52059c2 100644
--- a/firefox/user-overrides.js
+++ b/firefox/user-overrides.js
@@ -29,14 +29,16 @@ user_pref("media.gmp-manager.url", "https://aus5.mozilla.org/update/3/GMP/%VERSI
/** Network **/
user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled
-/** Loopback callbacks (VPN/SSO clients like snx-rs, Forticlient) **/
-// snx-rs and similar VPN clients land SAML callbacks on http://127.0.0.1:<port>/<token>.
-// LibreWolf hardens beyond arkenfox by force-upgrading loopback to HTTPS and enabling
-// LNA blocking; both break the plain-HTTP loopback handoff. Restoring stock Firefox /
-// arkenfox behaviour for loopback only. arkenfox 1245 deliberately leaves upgrade_local
-// commented out and does not touch network.lna.*. See LibreWolf issues #2954, #2962.
-user_pref("dom.security.https_only_mode.upgrade_local", false);
-user_pref("network.lna.local-network-to-localhost.skip-checks", true);
+// NOTE on snx-rs SAML loopback callbacks (Check Point VPN):
+// LibreWolf force-upgrades http://127.0.0.1:<port>/<token> to HTTPS and
+// enables LNA blocking, which both break the snx-rs SAML handoff.
+// `dom.security.https_only_mode.upgrade_local = false` and
+// `network.lna.local-network-to-localhost.skip-checks = true` were tried
+// here and did NOT actually fix the SAML flow — left disabled. The
+// working fix is the wrapper script ~/.local/bin/snxctl-chromium, which
+// routes snx-rs's xdg-open through flatpak ungoogled-chromium via a
+// systemd --user drop-in. See dot_local/share/snx-rs/bin/xdg-open and
+// dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf.
/** Resist Fingerprinting **/
user_pref("privacy.resistFingerprinting.testGranularityMask", 4);
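Review bot: "left disabled" on line 190 is ambiguous now that the two `user_pref` lines are removed: a reader may take it to mean the prefs are still set but inactive, when in fact the file no longer touches them and LibreWolf's hardened defaults apply. Suggest `// ... did NOT fix the SAML flow, so they are no longer set here (LibreWolf defaults apply).` Lines 193–194 also cite chezmoi source paths (`dot_local/…`, `dot_config/…`) next to the deployed path `~/.local/bin/snxctl-chromium` on line 191; using one convention in the comment avoids pointing a reader at a path that does not exist on the installed system.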
diff --git a/systemd-units/user.txt b/systemd-units/user.txt
index 8badf82..009b2b3 100644
--- a/systemd-units/user.txt
+++ b/systemd-units/user.txt
@@ -11,6 +11,8 @@ pass-secret-service.service
signal.service
swayidle.service
swayrd.service
+teams-sii.service
+teams-xsight.service
waybar.service
wob.service