| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Split the hardened UKI cmdline off the shared etc/kernel/cmdline.tmpl
so we can carry workarounds without poking the stock linux build.
Daily-driving linux-hardened on this hardware has reliably hung on
resume from S3: black screen, blinking caps-lock + power LED, only
the power button helps. The kernel journal stops at 'PM: suspend
entry (deep)' with nothing after, so the freeze is below the level
where logs can flush — characteristic of a hard hang inside a device
driver's suspend/resume callback rather than a userspace bug.
linux-hardened defaults init_on_free=1, which zeroes pages on free.
On Intel + iwlwifi/i915/nvme stacks this routinely surfaces latent
UAFs as suspend hangs that are invisible on stock linux. Drop that
knob to 0 for the hardened cmdline as the working hypothesis.
Add nmi_watchdog=panic, softlockup_panic=1, panic=10 so if the next
attempt still wedges, a stuck CPU self-panics and auto-reboots
within ~10s, giving us a 'journalctl -b -1 -k' trace to look at
instead of having to force-power-off blindly.
Stock linux is untouched.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fuse-overlayfs is dog-slow on `podman commit` (and noticeably slower
than native overlay/btrfs for layer extraction in general) because every
read/write round-trips through a FUSE daemon. The kernel overlay driver
does not support btrfs as a lowerdir, so on a btrfs root fs the choices
were:
- fuse-overlayfs (slow, but works)
- btrfs (native subvolume + CoW snapshot per layer; fast)
Switching graph drivers is destructive — the on-disk layout is
incompatible, so a one-time `podman system reset --force` is required.
A migration helper script lives at the repo root (gitignored,
chezmoiignored) that snapshots stateful containers, exports images and
volumes, runs the reset, and restores everything on the new driver.
Drops fuse-overlayfs from meta/base.txt — no longer needed and pulls
in libfuse3 transitively for nothing. (Flatpak still depends on it for
its own sandbox; pacman won't actually uninstall the binary while
flatpak is around — that's fine.)
VM (nix/vm.nix) is unaffected: it sets its own storage.conf inline
with driver=overlay since its rootfs is ext4.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Restructures the Home-Manager profile to support both the Arch host and
the Ubuntu remote-dev VM from the same flake.
- remote-dev/ → nix/ (hard rename; .chezmoiignore updated)
- home.nix split into common.nix (shared), vm.nix (Mason runtime
carve-outs + podman stack), host.nix (gpg scdaemon delegation to
system pcscd)
- flake.nix exposes homeConfigurations.{vm,host} via a mkProfile
helper
- rj alias in dot_zshrc updated to ~/.local/share/dotfiles/nix
- bootstrap.sh / justfile updated to use #vm against the new path
The split is behaviour-preserving for the VM: vm.nix + common.nix
together carry the same package set as the previous home.nix.
host.nix is provisioned but not yet wired into bootstrap (phase p8).
Phase 1 of the nix-on-host migration plan.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New remote-dev/ subdir with a Home-Manager flake that provisions a
headless dev environment on a remote Ubuntu 22.04 VM accessed via SSH.
Shares nvim, zellij, zsh, direnv, and ghostty configs from the same
dotfiles repo via mkOutOfStoreSymlink (no rebuilds on config edits).
CLI tool set mirrors the dev-tool subset of meta/base.txt; sysadmin
tools (procs, gdu, duf), lazygit, and node/yarn (only needed for
markdown-preview on GUI hosts) are excluded.
bootstrap.sh is one-shot: installs Nix via Determinate Systems
installer, clones the repo to ~/.local/share/dotfiles, runs
home-manager switch, and chshes to the nix-store zsh.
dot_config/zsh/dot_zshrc loses its hardcoded Arch plugin/git-prompt
paths in favour of a fallback search: Arch path first, then
$HOME/.nix-profile/share/. Same file works on host and VM.
.chezmoiignore: exclude remote-dev/ from chezmoi deploy on the host.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mirror the firefox/ pattern for Thunderbird:
- thunderbird/user.js: telemetry off, safe-browsing off, remote images
blocked, read receipts disabled, plain-text compose with flowed
wrap at 72, vertical pane, calendar on Monday start
- run_onchange_after_deploy-thunderbird.sh.tmpl: detects default
profile and copies tracked files in on any change
- meta/mail.txt: add thunderbird package (official repo)
- .chezmoiignore: exclude thunderbird/ from $HOME deployment
- README: mention Thunderbird + Bridge + Radicale stack
Accounts/credentials/mailbox data stay local per profile.
|
| |
|
|
|
|
|
|
| |
The seeded lockfile offered little value for a single-user setup: fresh
bootstraps will resolve version specs at install time, and any meaningful
pinning is already expressed in init.lua's vim.pack.add() specs. Added
an explicit .chezmoiignore entry so the runtime file doesn't show up as
drift.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
.chezmoiignore:
- remove create-efi.sh (deleted in UKI migration)
- remove dot-prefixed entries (.editorconfig, .github/, .worktrees/,
.githooks/, .stylua.toml, .prettierrc.json, .ruff_cache); chezmoi
already ignores source paths beginning with '.' by default (reserved
chezmoi names aside)
.chezmoi.toml.tmpl:
- drop unused data.hostname (not referenced by any template)
|
| |
|
|
|
|
|
|
|
| |
bootstrap.sh is host-only bootstrapping and should not deploy into $HOME.
The xdg-user-dirs-update.service user unit (shipped enabled by the
xdg-user-dirs package) rewrites ~/.config/user-dirs.dirs on login,
clobbering the tracked short-path variant (docs/dl/pics/vids). Mask
it by symlinking to /dev/null.
|
| | |
|
| |
|
|
|
|
| |
Rename nvim.yml to selene-globals.yml (more accurate scope). Add the
mpv scripting 'mp' global alongside neovim's 'vim'. Allow mixed_table
since it's idiomatic in lazy.nvim/which-key specs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add minimal config for the upcoming fmt/lint recipes:
- .stylua.toml: stylua-specific knobs only; indent/line-length/eol
continue to come from .editorconfig (stylua reads it natively).
- selene.toml + nvim.yml: lua51 base plus a 'vim' global so neovim
config files don't get flagged as undefined.
- .prettierrc.json: double quotes, trailing commas, 80-col, preserve
prose wrap (avoid reflowing markdown).
All four ignored by chezmoi so they stay repo-only.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce systemd-units/<group>.txt files paired by name with meta
groups (systemd-units/base.txt <-> meta/base.txt). Units listed there
are enabled by a new 'just services-enable' recipe, wired into 'just
init' so bootstrap.sh no longer needs its own systemctl loop.
New justfile recipes (Services section):
services list curated units with enabled/active state
services-enable idempotent 'systemctl enable --now', soft-fail per unit
services-drift two-way diff vs systemctl list-unit-files
bootstrap.sh drops its hardcoded 9-unit loop and laptop TLP block
(~22 lines); 'just init' now handles it. tlp.service lives directly in
systemd-units/base.txt (no laptop gating).
|
| |
|
|
|
|
| |
- .githooks/post-commit: runs chezmoi apply after every commit
- justfile: 'just install-hooks' sets core.hooksPath
- Added justfile and .githooks/ to .chezmoiignore
|
| |
|
|
|
|
|
|
| |
- etc2/ only existed because stow used symlinks and reflector refused
them. Chezmoi copies files, so no reason to keep them separate.
- Run scripts are now .tmpl files with sha256sum hashes of deployed
files. chezmoi only re-runs them when file content actually changes,
avoiding unnecessary doas prompts on every apply.
|
|
|
- .chezmoi.toml.tmpl: minimal config with hostname data
- .chezmoiignore: exclude repo-only files from deployment
- run_onchange_after_deploy-etc.sh: deploy etc/ and etc2/ to /etc
- run_onchange_after_deploy-firefox.sh: deploy firefox overrides to profile
|
sommerfeld