| -rw-r--r-- | README.md | 2 | ||||
| -rw-r--r-- | dot_config/streamlink/config | 2 | ||||
| -rw-r--r-- | dot_config/sway/executable_tb-autostart.sh | 2 | ||||
| -rw-r--r-- | dot_config/sway/executable_tb-toggle.sh | 2 | ||||
| -rw-r--r-- | dot_local/bin/executable__sandbox-net-parser | 16 | ||||
| -rwxr-xr-x | dot_local/bin/executable_linkhandler | 2 | ||||
| -rw-r--r-- | dot_local/bin/executable_mpv | 4 | ||||
| -rw-r--r-- | dot_local/bin/executable_streamlink | 5 | ||||
| -rw-r--r-- | etc/pacman.conf | 6 | ||||
| -rw-r--r-- | meta/base.txt | 11 |
10 files changed, 29 insertions, 23 deletions
@@ -32,7 +32,7 @@ My Arch Linux configuration, managed with [chezmoi](https://www.chezmoi.io/).
 | Browser | [LibreWolf](https://librewolf.net/) (Flathub `io.gitlab.librewolf-community` for bubblewrap host-isolation), hardened via `user-overrides.js` + `userChrome.css` (kept under `firefox/` by name for recognizability) |
 | Mail | [Thunderbird](https://www.thunderbird.net/) (Flathub `org.mozilla.thunderbird`) against [ProtonMail Bridge](https://proton.me/mail/bridge) + Radicale (CalDAV/CardDAV); non-private prefs tracked under `thunderbird/` |
 | Secrets & identity | [GPG](https://gnupg.org/) (commit signing + SSH auth via gpg-agent), [pass](https://www.passwordstore.org/) |
-| Media & viewers | [mpv](https://mpv.io/) (native for streamlink/IPC + Flathub `io.mpv.Mpv` as the sandboxed default for browser/mail handoffs), [zathura](https://pwmt.org/projects/zathura/) (Flathub `org.pwmt.zathura`), [yazi](https://yazi-rs.github.io/) |
+| Media & viewers | [mpv](https://mpv.io/) (Flathub `io.mpv.Mpv`; streamlink launches it via `flatpak run`), [zathura](https://pwmt.org/projects/zathura/) (Flathub `org.pwmt.zathura`), [yazi](https://yazi-rs.github.io/) |
 | Code quality | stylua + [selene](https://github.com/Kampfkarren/selene), [shfmt](https://github.com/mvdan/sh) + [shellcheck](https://www.shellcheck.net/), [ruff](https://github.com/astral-sh/ruff), [taplo](https://taplo.tamasfe.dev/), [prettier](https://prettier.io/) — all wired through `just check` |
 
 Keybinds are documented in [`KEYBINDS.md`](./KEYBINDS.md).
diff --git a/dot_config/streamlink/config b/dot_config/streamlink/config
index 6916230..3a18521 100644
--- a/dot_config/streamlink/config
+++ b/dot_config/streamlink/config
@@ -1,3 +1,3 @@
-player=mpv
+player=flatpak run io.mpv.Mpv
 default-stream=best
 twitch-disable-reruns
diff --git a/dot_config/sway/executable_tb-autostart.sh b/dot_config/sway/executable_tb-autostart.sh
index efb5cc3..13c8fe8 100644
--- a/dot_config/sway/executable_tb-autostart.sh
+++ b/dot_config/sway/executable_tb-autostart.sh
@@ -25,7 +25,7 @@ done
 # Small grace period so the SMTP listener (1025) catches up too.
 sleep 10
-thunderbird &
+flatpak run org.mozilla.thunderbird &
 for _ in $(seq 1 200); do
 if swaymsg -t get_tree | jq -e --arg m "$MARK" '
diff --git a/dot_config/sway/executable_tb-toggle.sh b/dot_config/sway/executable_tb-toggle.sh
index 77a3307..56bb662 100644
--- a/dot_config/sway/executable_tb-toggle.sh
+++ b/dot_config/sway/executable_tb-toggle.sh
@@ -18,7 +18,7 @@ tb_ws=$(swaymsg -t get_tree | jq -r --arg m "$MARK" '
 ) // empty')
 if [ -z "$tb_ws" ]; then
- exec thunderbird
+ exec flatpak run org.mozilla.thunderbird
 fi
 if [ "$tb_ws" = "__i3_scratch" ]; then
diff --git a/dot_local/bin/executable__sandbox-net-parser b/dot_local/bin/executable__sandbox-net-parser
index 648ad0f..d998ace 100644
--- a/dot_local/bin/executable__sandbox-net-parser
+++ b/dot_local/bin/executable__sandbox-net-parser
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 # Sandbox wrapper for tools that parse data from untrusted network
-# sources (mpv, yt-dlp, streamlink). The threat model is RCE in a
+# sources (yt-dlp, streamlink). The threat model is RCE in a
 # subtitle / muxer / extractor that walks the user's home directory
 # looking for SSH/GPG keys, password store, cloud tokens, etc.
 #
@@ -9,10 +9,13 @@
 # work transparently; the sandbox only tmpfs-shadows known-sensitive
 # directories so a compromised parser cannot read them.
 #
+# (mpv itself is run as the io.mpv.Mpv flatpak, which is its own
+# sandbox — no extra bwrap wrapper needed.)
+#
 # Set SANDBOX=0 to bypass entirely for a single invocation:
-# SANDBOX=0 mpv weird-codec-file.mkv
+# SANDBOX=0 streamlink weird-stream-url
 #
-# Usage (called by the per-tool wrappers): _sandbox-net-parser /usr/bin/mpv "$@"
+# Usage (called by the per-tool wrappers): _sandbox-net-parser /usr/bin/yt-dlp "$@"
 set -eu
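Review bot: The new parenthetical `+# (mpv itself is run as the io.mpv.Mpv flatpak, which is its own sandbox — no extra bwrap wrapper needed.)` treats the Flatpak sandbox as a drop-in for this wrapper, but a Flatpak's confinement is only whatever its manifest's finish-args grant, and media players commonly request broad filesystem access (`--filesystem=host` or `home`), which would hand a compromised demuxer exactly the directories this script tmpfs-shadows. I would not assert equivalence without checking it: `flatpak info --show-permissions io.mpv.Mpv` lists the granted filesystems, and an override such as `flatpak override --user --nofilesystem=home io.mpv.Mpv` can be tracked alongside these dotfiles so the guarantee does not silently change on the next Flathub manifest update. Suggest rewording the comment to `# (mpv itself is run as the io.mpv.Mpv flatpak; its confinement comes from that flatpak's permissions — keep ~ out of its filesystem grants via flatpak override — rather than from this wrapper.)`. The bwrap invocation and the list of shadowed directories sit outside this hunk, so I can't confirm which paths the old mpv wrapper actually protected.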
@@ -33,10 +36,9 @@ bin=$1
 shift
 # Prevent re-entry: any tool spawned inside the sandbox that resolves
-# `mpv`/`yt-dlp`/`streamlink` via PATH (e.g. streamlink launching mpv)
-# must find the real binary, not another wrapper that would try to
-# nest a second bwrap and fail. Strip ~/.local/bin and nix-profile/bin
-# from PATH inside the namespace.
+# `yt-dlp`/`streamlink` via PATH must find the real binary, not another
+# wrapper that would try to nest a second bwrap and fail. Strip
+# ~/.local/bin and nix-profile/bin from PATH inside the namespace.
 inner_path='/usr/local/sbin:/usr/local/bin:/usr/bin'
 exec bwrap \
diff --git a/dot_local/bin/executable_linkhandler b/dot_local/bin/executable_linkhandler
index 48dd6ae..a440634 100755
--- a/dot_local/bin/executable_linkhandler
+++ b/dot_local/bin/executable_linkhandler
@@ -18,7 +18,7 @@ fi
 case "$url" in
 *.mkv* | *.webm* | *.mp4* | *.mp3* | *.ogg* | *.mov* | *.ts* | *.m3u8* | *.gif* | *.m4a* | *youtube.com/watch* | *youtube.com/playlist* | *youtu.be* | *twitch.tv* | *invidio.us* | *lbry* | *streamye.com* | *streamvi.com* | *streamwo.com* | *videos.lukesmith.xyz*)
- setsid mpv -quiet "$url" >/dev/null 2>&1 &
+ setsid flatpak run io.mpv.Mpv --quiet "$url" >/dev/null 2>&1 &
 ;;
 acestream://*)
 setsid acestream-launcher "$url" >/dev/null 2>&1 &
diff --git a/dot_local/bin/executable_mpv b/dot_local/bin/executable_mpv
deleted file mode 100644
index ba6787b..0000000
--- a/dot_local/bin/executable_mpv
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env sh
-# Thin wrapper: run /usr/bin/mpv inside _sandbox-net-parser. See that
-# script for the threat model and the SANDBOX=0 escape hatch.
-exec _sandbox-net-parser /usr/bin/mpv "$@"
diff --git a/dot_local/bin/executable_streamlink b/dot_local/bin/executable_streamlink
index 86ab12a..67dc122 100644
--- a/dot_local/bin/executable_streamlink
+++ b/dot_local/bin/executable_streamlink
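Review bot: On the added linkhandler line `setsid flatpak run io.mpv.Mpv --quiet "$url"` the value of `$url` lands where mpv still parses options, so a string that matches one of the `*.mkv*`-style substring patterns but begins with `-` would be read by mpv as an option rather than as a URL; terminating option parsing makes it unambiguously positional: `setsid flatpak run io.mpv.Mpv --quiet -- "$url" >/dev/null 2>&1 &`. Whether a caller can hand linkhandler such a string depends on the callers, which are outside this hunk, and this presumes flatpak forwards `--` to the app untouched as it does the other mpv arguments — worth a one-off check. The `case` statement continues past the end of the hunk.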
@@ -1,5 +1,6 @@
 #!/usr/bin/env sh
 # Thin wrapper: run /usr/bin/streamlink inside _sandbox-net-parser. The
-# sandbox strips ~/.local/bin from PATH so streamlink's internal launch
-# of `mpv` resolves to /usr/bin/mpv (avoids nested bwrap).
+# sandbox keeps `/` bind-mounted, so streamlink's configured player
+# (`flatpak run io.mpv.Mpv` — see ~/.config/streamlink/config) is reachable
+# via /usr/bin/flatpak.
 exec _sandbox-net-parser /usr/bin/streamlink "$@"
diff --git a/etc/pacman.conf b/etc/pacman.conf
index 7097940..a2cba6c 100644
--- a/etc/pacman.conf
+++ b/etc/pacman.conf
@@ -27,6 +27,12 @@ Architecture = auto
 IgnorePkg = llama.cpp-vulkan
 #IgnoreGroup =
+# external-editor-revived (AUR) hard-depends on `thunderbird`, but we run
+# Thunderbird as the org.mozilla.thunderbird flatpak instead. Tell pacman to
+# pretend the system thunderbird package is installed so the dep is satisfied
+# without pulling in the binary. Version is arbitrary — only the name matches.
+AssumeInstalled = thunderbird=999.0-1
+
 #NoUpgrade =
 #NoExtract =
diff --git a/meta/base.txt b/meta/base.txt
index d22dc9c..a226674 100644
--- a/meta/base.txt
+++ b/meta/base.txt
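Review bot: The rewritten comment `+# sandbox keeps `/` bind-mounted, so streamlink's configured player … is reachable via /usr/bin/flatpak` states a necessary but not sufficient condition: `flatpak run` also has to see its installation and app data (presumably `/var/lib/flatpak`, `~/.local/share/flatpak`, `~/.var/app`), reach `$XDG_RUNTIME_DIR` and the session bus, and create its own user namespace inside the one bwrap already set up, and if `_sandbox-net-parser` tmpfs-shadows any of those, streamlink will only fail at playback time. I'd have the comment spell out those preconditions instead of `/` alone, e.g. `# sandbox must leave /usr/bin/flatpak, the flatpak install dirs, ~/.var/app and $XDG_RUNTIME_DIR visible and allow nested user namespaces (see _sandbox-net-parser)`. Which paths are shadowed is decided in `_sandbox-net-parser`, outside this hunk, so I can't confirm the comment holds.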
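Review bot: The added comment `+# … Version is arbitrary — only the name matches.` does not describe what pacman does with `AssumeInstalled = thunderbird=999.0-1`: as far as I recall the version part of an AssumeInstalled entry takes part in dependency comparison, so a versioned dependency such as `thunderbird>=X` is satisfied only because `999.0-1` compares higher — the version is deliberately high, not arbitrary. Suggest `# Version is deliberately high so versioned deps (thunderbird>=X) also resolve; the name is what must match.`. It is also worth a sentence in the comment that this is permanent for every transaction, so any future package that genuinely needs the host thunderbird will be accepted without complaint too.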
@@ -197,13 +197,14 @@ perl-mime-tools
 perl-net-smtp-ssl
 # Native messaging host binary for External Editor Revived; bridged into
 # the TB flatpak by run_onchange_after_deploy-tb-eer.sh.tmpl.
+# Pulls `thunderbird` as a hard dep, which we don't want (we use the
+# org.mozilla.thunderbird flatpak); pacman.conf's AssumeInstalled rule
+# pretends thunderbird is installed so this resolves without the package.
 external-editor-revived
-# --- media (native mpv kept for streamlink piping and the /tmp/mpvsocket
-# IPC integration; the io.mpv.Mpv flatpak (meta/flatpak.txt) is set as
-# the mimeapps default for video/* so files handed off by the
-# browser/mail sandbox stay sandboxed) ---
-mpv
+# --- media (mpv is the io.mpv.Mpv flatpak in meta/flatpak.txt; streamlink
+# and yt-dlp run on the host and pipe/launch into the flatpak mpv via
+# `flatpak run io.mpv.Mpv`, see dot_config/streamlink/config) ---
 streamlink
 yt-dlp
|
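Review bot: Dropping `-mpv` from the host package list removes `/usr/bin/mpv`, but the already-deployed `~/.local/bin/mpv` wrapper that this commit deletes from the chezmoi source stays on the target unless it is also listed in `.chezmoiremove`, since chezmoi does not delete targets whose source entry disappears, and the diffstat shows no such change; a stale wrapper would exec a no-longer-present `/usr/bin/mpv` for anything still resolving `mpv` via PATH. If that is not handled elsewhere, consider adding the path to `.chezmoiremove` in this change or noting the manual cleanup in the new media comment, e.g. `# (native mpv removed — delete a leftover ~/.local/bin/mpv wrapper on existing hosts)`.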
