Commit message | Author | Age | Files | Lines
...
* fix(pkg): pcsclite is the Arch package name (no dash) | sommerfeld | 2026-05-13 | 1 | -1/+1
* feat(pteid): bridge PKCS#11 into LibreWolf flatpak | sommerfeld | 2026-05-13 | 3 | -0/+68
  Cartão de cidadão web authentication needs the libpteidpkcs11.so module loaded into LibreWolf's NSS database. With both apps now sandboxed in separate flatpaks, neither can see the other by default.

  Add a chezmoi onchange script that, when both flatpaks are installed:
  - Resolves the pt.gov.autenticacao install dir + .so path on the host
  - Grants LibreWolf flatpak read-only filesystem access to that dir, --socket=pcsc, and an LD_LIBRARY_PATH so the bundled deps (libxerces, libcjose, etc.) resolve at dlopen time
  - Registers the module in each LibreWolf NSS profile via modutil, with the path rewritten to /run/host/... as seen from inside the sandbox
  - Skips silently when LibreWolf is running (modutil would corrupt the DB)

  Hash gate includes the pt.gov.autenticacao line from meta/flatpak.txt so the override + registration auto-refresh on bundle bumps. Idempotent.

  Also explicit pcsc-lite + ccid in meta/extra.txt — they were transitive deps of the removed autenticacao-gov-pt-bin AUR package; pcscd.socket in systemd-units/system/base.txt would otherwise fail to activate.
* feat(flatpak): support .flatpak bundle URLs; migrate autenticacao-gov-pt | sommerfeld | 2026-05-13 | 3 | -37/+97
  Extend meta/flatpak.txt format to allow per-line URL for non-Flathub .flatpak bundles. Lines are now either '<id>' (Flathub) or '<id> <url>' (downloaded + installed via 'flatpak install <file>'). Bundle entries are skipped on pkg-apply/pkg-fix when already installed, and re-fetched on flatpak-update only when the version embedded in the URL differs from the installed version.

  Use this to migrate Portuguese Citizen Card (pteid-mw) off the AUR 'autenticacao-gov-pt-bin' pseudo-flatpak unpack to the upstream-shipped flatpak bundle from amagovpt/autenticacao.gov GitHub releases — same codebase the AUR PKGBUILD already vendors, but properly sandboxed.

  Refactors duplicated install logic in pkg-apply/pkg-fix into a private _flatpak-install helper. ID-only contexts (pkg-status, undeclared, pkg-list) now extract the first whitespace-separated token instead of treating each line as a single ID.

  Caveat: PKCS#11-based Citizen Card web auth in the LibreWolf flatpak remains unsolved — the .so lives inside the autenticacao-gov sandbox and would need a 'flatpak override' + 'modutil' bridge to be loaded across sandboxes. The CLI/GUI eID app works as expected.
* feat(browser): migrate librewolf to flatpak for host-isolation | sommerfeld | 2026-05-13 | 6 | -26/+26
  Move LibreWolf from native librewolf-bin to Flathub io.gitlab.librewolf-community. Bubblewrap isolates the browser from $HOME (.ssh, password-store, gnupg, ssh-agent socket) at the cost of namespace chroot + IPC/network namespace isolation between content processes (mozilla bug 1756236, P3, considered defense-in-depth). seccomp-bpf — the dominant sandbox layer — is preserved.

  - meta/flatpak.txt: + io.gitlab.librewolf-community
  - meta/browser.txt: - librewolf-bin
  - run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to ~/.var/app/io.gitlab.librewolf-community/.librewolf
  - dot_config/mimeapps.list: librewolf.desktop -> flatpak app id
  - dot_local/bin/executable_linkhandler: flatpak run wrapper
  - README.md: blurb + new profile path

  arkenfox-user.js + chezmoi user-overrides.js deploy keep working unchanged because the flatpak profile is still on the host fs.
* refactor(packages): drop gaming, manage select GUI apps via flatpak group | sommerfeld | 2026-05-13 | 6 | -32/+91
  - Delete meta/gaming.txt entirely (no longer used; takes discord with it)
  - Delete now-empty meta/office.txt; LibreOffice and Okular move to flatpak
  - Trim meta/browser.txt: chromium and torbrowser-launcher now flatpaks
  - New meta/flatpak.txt: 4 Flathub app IDs (chromium, okular, libreoffice, torbrowser-launcher), under --user scope
  - Add flatpak runtime to meta/extra.txt
  - Teach pkg-apply / pkg-list / pkg-fix / pkg-add / pkg-status / undeclared to branch on the magic 'flatpak' group name (no parallel recipe namespace)
  - New flatpak-update recipe; update aggregate now refreshes flatpaks too
  - _active-packages now skips flatpak.txt (it remains pacman-only)
  - pkg-apply (no args) installs pacman groups together, then flatpaks
  - First flatpak install auto-adds the flathub --user remote
* feat(nix): hybrid setup with flakes + direnv for per-project dev shells | sommerfeld | 2026-05-13 | 9 | -0/+101
  Install Nix (multi-user daemon) on Arch and wire up direnv so any project can declare its toolchain in a flake.nix and get a hermetic dev shell on cd. No NixOS, no home-manager, no migration off paru/chezmoi — just one new package manager scoped to project dev shells.

  - meta/nix.txt: nix from extra repo
  - meta/dev.txt: direnv (general-purpose, not nix-specific)
  - systemd-units/system/nix.txt: nix-daemon.socket (socket-activated)
  - etc/nix/nix.conf: enable flakes + nix-command, trusted-users=@wheel, auto-optimise-store, keep-outputs/derivations so direnv envs survive GC
  - dot_config/direnv/direnvrc: load nix-direnv 3.1.1 via source_url with pinned sha256 (not packaged for Arch; refusing -git AUR)
  - dot_config/nix/templates/{flake.nix,dev/}: flake template usable via 'nix flake init -t ~/.config/nix/templates'
  - dot_config/zsh/dot_zshrc: 'eval "$(direnv hook zsh)"'
* feat(mail): add external-editor-revived for kernel-style patch review | sommerfeld | 2026-05-13 | 2 | -1/+6
  Adds the AUR package which deploys both the Thunderbird XPI (as a system extension under /usr/lib/thunderbird/extensions) and the native messaging host. After restart, TB picks up the extension automatically.

  Use case: review kernel-style patches received by email and reply with inline review comments without TB mangling tabs/spaces or auto-wrapping.

  The addon bypasses TB's compose editor entirely, so the existing format=flowed/wraplength=72/reply_on_top prefs don't apply to messages composed through it. A pointer comment in thunderbird/user.js explains the relationship.
* fix(git): allow self-signed cert for ProtonMail Bridge SMTP | sommerfeld | 2026-05-13 | 1 | -0/+1
  The Bridge presents a self-signed cert on its 127.0.0.1:1025 STARTTLS listener, so git send-email's default cert verification fails with SSL_verify_cert. Setting smtpSslCertPath to empty disables chain verification for this single, loopback-only endpoint.

  Per https://git-send-email.io/#step-2 (Proton Bridge note).
* feat(git): configure git send-email via ProtonMail Bridge | sommerfeld | 2026-05-13 | 2 | -0/+17
  Add a [sendemail] block targeting the local Bridge SMTP listener (127.0.0.1:1025, STARTTLS) and a credential helper scoped to that URL that fetches the password from pass (proton/bridge-smtp). The helper command is public; the secret stays in the password store.

  The bridge SMTP username (sensitive but not secret) goes in the per-identity private overlay (~/doxfiles), not here.

  Also pull in the Perl SMTP modules git send-email needs at runtime.
* chore(pkg): switch whisper.cpp -> whisper.cpp-vulkan | sommerfeld | 2026-05-13 | 1 | -1/+1
  Drops the libggml-git transitive dependency in favor of llama.cpp-vulkan (versioned release). Vulkan acceleration on UHD 620 is unlikely to help with the base model, but this gets us off a rolling -git package.
* perf(dictate): switch default model to base for ~5x speedup | sommerfeld | 2026-05-13 | 2 | -3/+5
  large-v3-turbo-q5_0 ran ~1-2x realtime on the T490's CPU, making push-to-talk feel sluggish. The base multilingual model is ~142 MB (vs 547 MB) and runs ~7-10x realtime, dropping perceived latency on short utterances from a few seconds to near-instant.

  Quality on short EN/PT dictation remains usable; bump WHISPER_MODEL to small or large-v3-turbo if accuracy matters more than latency.
* feat(sway): add dictate (whisper.cpp) and ocr (tesseract) keybinds | sommerfeld | 2026-05-13 | 6 | -0/+146
  Push-to-talk dictation toggle on Super+i: parecord captures 16 kHz mono WAV, whisper-cli transcribes (auto language), output is typed via wtype and copied to the clipboard.

  Region OCR on Super+Shift+o: slurp + grim feed tesseract (eng+por), result lands in the clipboard with a notification preview.

  Adds wtype to wayland.txt; tesseract (+eng/por data) and whisper.cpp + the large-v3-turbo-q5_0 model package to extra.txt.
* fix(thunderbird): pin mail.biff.show_alert=true to restore notifications | sommerfeld | 2026-05-13 | 1 | -2/+4
  Removing a user_pref line does not reset prefs.js — the previously-written false value persists. Explicitly set both show_alert and use_system_alert to true so the notification path is guaranteed on every startup.
* feat(sway): altgr-intl + compose key for PT typing | sommerfeld | 2026-05-13 | 3 | -1/+67
  - xkb variant altgr-intl: AltGr dead keys + direct Euro on AltGr+5. Preserves bare ' " ` ~ ^ for code/shell.
  - Compose on Right Ctrl (compose:rctrl). Leaves Right Alt for AltGr.
  - New dot_XCompose with %L include + PT-PT guillemets, Euro, ordinals, em/en dashes, ellipsis.
  - KEYBINDS.md: new Typing / Input section with AltGr + Compose cheatsheet.
* fix(thunderbird): restore mail & calendar notifications | sommerfeld | 2026-05-13 | 1 | -6/+6
  Previous 'suppress the annoying Reminders dialog' change was too aggressive — it disabled the master prefs that produce libnotify toasts, not just the in-app dialogs.

  - mail.biff.show_alert: false -> default (true). This is the pref that fires the libnotify/mako notification on new mail.
  - calendar.alarms.show: false -> default (true). Master alarm switch; when false, no event notifications fire at all.
  - Keep calendar.alarms.playsound=false for silence.

  TB has no libnotify-only path for calendar; the Reminders dialog is the alarm UI. Trade-off accepted.
* feat(sway): wire XF86 media keys (Display/Tools/Keyboard/Favorites) | sommerfeld | 2026-05-13 | 3 | -4/+12
  - XF86Display replaces F7 for display-toggle.sh (dedicated HW key)
  - XF86Tools opens floating pulsemixer (audio mixer TUI)
  - XF86Keyboard opens KEYBINDS.md in glow (floating pager)
  - XF86Favorites takes over mako history picker (from Super+Alt+n)

  Adds generic [app_id="floating"] window rule so ghostty --class=floating windows open floating. Adds glow to meta/base.txt.
* feat(zellij): explicit split binds (Alt+| vertical, Alt+_ horizontal) | sommerfeld | 2026-05-13 | 2 | -0/+8
  tmux-style mnemonics. Bypasses NewPane's aspect-ratio auto-direction which misfires on widescreens with pane_frames disabled.
* feat(sway): monocle window cycling inside tabbed containers | sommerfeld | 2026-05-13 | 2 | -0/+6
  Pair with the existing '$mod+w layout tabbed' to get a bspwm-like monocle experience: one window visible, tabs along the top, status bar intact. Cycle with Super+[ and Super+] (mimics browser tab shortcuts).
* feat(thunderbird): disable calendar reminder dialog | sommerfeld | 2026-05-13 | 1 | -0/+5
  The floating 'dismiss/snooze' window doesn't tile cleanly under sway. Turn it off and rely on TB's libnotify-backed desktop notifications, which mako renders like any other notification.
* fix(sway): wait for protonmail-bridge IMAP banner before launching TB | sommerfeld | 2026-05-13 | 1 | -8/+14
  The bridge opens the IMAP listener before the keyring is unlocked, so a port-open check returns true while the server would still reject logins. Probe for the '* OK' IMAP greeting (the bridge only sends it once it can actually service logins) and add a 1s grace period for SMTP (1025) to catch up.
* feat(net): nftables laptop firewall | sommerfeld | 2026-05-13 | 5 | -0/+73
  Default-deny inbound, allow outbound. Scoped to 'inet filter' with 'destroy table' on reload so podman/netavark tables are preserved.

  - meta/base.txt: add nftables
  - systemd-units/system/base.txt: enable nftables.service
  - etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6 essentials, DHCPv6 client, default-drop input/forward, accept output)
  - etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route, log_martians
  - README.md: firewall section with reload caveat
* fix(yazi): open markdown with okular directly | sommerfeld | 2026-05-13 | 1 | -3/+7
  Going through xdg-open relied on mimeapps propagation and update-desktop-database cache. Add a dedicated `view-md` opener that invokes okular directly and route *.md, *.markdown, and text/markdown files to it. Still orphan=true to avoid the unfinished-tasks prompt.
* feat(yazi): route markdown files through xdg-open | sommerfeld | 2026-05-13 | 1 | -0/+7
  Default yazi rule treats .md as text and hands it to $EDITOR. Prepend a rule that uses the `open` opener (xdg-open, now pointed at okular) so pressing Enter on a markdown file in yazi opens the rendered view instead of nvim.
* feat(mimeapps): open markdown with okular | sommerfeld | 2026-05-13 | 1 | -1/+1
  xdg-open was handing .md files to nvim, which is an editor — not what we want for casual reading. okular (with discount installed) renders markdown as a paged document, similar to how zathura handles pdfs.
* fix(yazi): mark xdg-open opener as orphan | sommerfeld | 2026-05-13 | 1 | -0/+7
  yazi tracks child processes as running tasks. Default `open` opener runs `xdg-open` synchronously, so opening a pdf (or any file handed off to an external viewer) leaves yazi convinced a task is still running and it prompts 'unfinished tasks, quit anyway?' on exit.

  orphan = true detaches the spawned process from yazi so the quit is clean.
* refactor(etc): narrow etc-status to tracked-file drift | sommerfeld | 2026-05-13 | 3 | -89/+18
  The old etc-status scanned all of /etc (pacman -Qkk for modified backup configs, then 'find /etc | xargs pacman -Qo' for unowned files), producing a discovery report of things we might want to track. That was useful when seeding the repo but is slow and misaligned with dotfiles-status, which only reports drift on files chezmoi already manages.

  Rewrite etc-status to mirror that model: iterate etc/, render .tmpl sources, and cmp against the live /etc file. Report 'modified' or 'missing' per tracked path. Runs in under a second and matches the semantics of 'just status'.

  Drop the now-unused etc/.ignore and update README.
* feat(units): seed user unit lists from managed drop-ins | sommerfeld | 2026-05-13 | 3 | -0/+19
  Curate the user units whose definitions or overrides we manage under dot_config/systemd/user/:
  - graphical.txt: cliphist-{image,text}, display-watcher, swayidle, waybar — all WantedBy=sway-session.target.
  - mail.txt: protonmail-bridge.service — managed via a drop-in override.

  Also extend user/.ignore with the socket-activated pipewire/wireplumber stack and a handful of distro defaults so 'just unit-status' stays quiet on a clean system.
* refactor(units): split systemd-units into system/ and user/ trees | sommerfeld | 2026-05-13 | 7 | -84/+140
  Move the three existing files into systemd-units/system/ and seed systemd-units/user/ with a .ignore stub. Teach the unit-* recipes a user:/system: group-token prefix (bare names keep system semantics for back-compat).

  unit-apply and unit-status now walk both scopes; user units go through 'systemctl --user' (no sudo), system units via 'sudo systemctl' as before. Soft-fail per unit preserved for both scopes.

  Top-level add/forget dispatchers need no changes: the unit-extension sniff already routes anything ending in .service/.timer/etc to unit-*, and user:base passes through as the group token.

  Docs updated in README.md and .github/copilot-instructions.md.
* fix(waybar): parse mako's plain-text list output directly | sommerfeld | 2026-05-13 | 2 | -4/+13
  --format is not supported by this mako version. Parse the native text output (Notification N: summary / App name: X) with awk for the picker and grep '^Notification ' for the counter.
* fix(waybar): use makoctl --format for text output, not JSON grep | sommerfeld | 2026-05-13 | 2 | -10/+4
  makoctl outputs plain text by default on this version. Use --format strings for both the history picker (%a/%s/%b) and the counter script (%i + wc), instead of trying to parse JSON that isn't there.
* fix(waybar): tolerant jq for mako history + bump max-history to 50 | sommerfeld | 2026-05-13 | 2 | -3/+7
  Previous jq path (.data[0][].summary.data) only works for one nesting shape of mako's history JSON. Recurse to find notification objects and unwrap dbus-typed {type,data} fields defensively. Also bump max-history from the default of 5 so more entries are retained.
* fix(sway): use read-only fuzzel history viewer for Super+Alt+n | sommerfeld | 2026-05-13 | 3 | -2/+19
  makoctl menu only acts on currently-visible notifications, not history (mako has no API to re-invoke arbitrary history entries). Replace with a small script that pipes 'makoctl history' through jq and fuzzel, then copies the selected entry to the clipboard for reference.
* fix(sway): use -- separator so makoctl menu stops parsing sh flags | sommerfeld | 2026-05-13 | 1 | -1/+1
* fix(sway): extract id from fuzzel line for makoctl menu | sommerfeld | 2026-05-13 | 1 | -1/+1
  makoctl menu <cmd> expects the command to emit just the notification id, but fuzzel --dmenu echoes the full '<id> <summary>' line. Pipe through cut -d' ' -f1 so mako can act on the selection.
* feat(sway): keybinds to restore and browse mako notification history | sommerfeld | 2026-05-13 | 2 | -0/+4
  - Super+Ctrl+n: makoctl restore (re-show the most recent dismissed)
  - Super+Alt+n: makoctl menu fuzzel --dmenu (pick any from history)
* style(waybar): move clock to the rightmost position | sommerfeld | 2026-05-13 | 1 | -1/+1
* style(waybar): label and color idle/privacy/notifications modules | sommerfeld | 2026-05-13 | 3 | -5/+32
  The idle_inhibitor em-dash and bare mako '0' blended with the clock.

  - mako counter: prefix 'NTF', gray when empty, aqua for history, orange for pending.
  - idle_inhibitor: 'IDL'/'INH' with gray/yellow.
  - privacy: red (only visible when screensharing or mic-active).
  - Add padding rules so the new modules line up with the rest.
* fix(sway): wait for protonmail-bridge IMAP before launching thunderbird | sommerfeld | 2026-05-13 | 1 | -0/+11
  On cold boot Thunderbird would race protonmail-bridge and pop up a 'failed to login to 127.0.0.1' error. Poll 127.0.0.1:1143 (bridge's default IMAP port) for up to 15s before spawning TB. Gives up silently if the bridge doesn't come up.
* refactor(sway): manage waybar via systemd user service | sommerfeld | 2026-05-13 | 3 | -4/+18
  Move waybar from sway's inline bar {} block to waybar.service pulled in by sway-session.target. Matches the pattern for mako, swayidle, poweralertd, display-watcher, cliphist. ExecReload sends SIGUSR2 so 'systemctl --user reload waybar' picks up config changes without a restart.
* fix(sway): rebind cliphist to $mod+p ($mod+v is splitv) | sommerfeld | 2026-05-13 | 2 | -4/+4
  $mod+v is sway's default splitv; my cliphist bind was shadowing it and emitting a warning. Move clipboard history to $mod+p / $mod+Shift+p.
* chore(fmt): apply shfmt and prettier formatting | sommerfeld | 2026-05-13 | 6 | -91/+91
  - shfmt -i 2 -ci -s on the four updated shell scripts (tabs → 2 spaces)
  - prettier --write on KEYBINDS.md and README.md
* feat(sway): bind brightness and ThinkPad XF86 multimedia keys | sommerfeld | 2026-05-13 | 4 | -0/+37
  Install brightnessctl and bind all seven ThinkPad multimedia keys:
  - XF86MonBrightnessUp/Down → brightnessctl ±5%
  - XF86AudioMicMute → pactl source mute
  - XF86Bluetooth → bt-toggle.sh (bluetoothctl + notify-send)
  - XF86ScreenSaver (Fn+F2) → same as $mod+Shift+s (pause + swaylock)
  - XF86Sleep → systemctl suspend
  - XF86WLAN / XF86RFKill → rfkill toggle

  Note: rfkill may need a passwordless doas rule (permit nopass :wheel cmd rfkill) or group membership to write /dev/rfkill without privileges; not wired speculatively.
* feat(wayland): install qt6ct for Qt6 theming | sommerfeld | 2026-05-13 | 1 | -0/+1
  zprofile already exports QT_QPA_PLATFORMTHEME=qt6ct, so installing the package is all that's needed for Qt6 apps to pick up the theme. Run qt6ct once to configure fonts/icons.
* feat(wayland): install xdg-desktop-portal-gtk | sommerfeld | 2026-05-13 | 1 | -0/+1
  Complements xdg-desktop-portal-wlr: wlr covers Screenshot/ScreenCast (Wayland-native), gtk covers FileChooser/Print/Settings/AppChooser. With both installed, portal auto-discovery picks the right backend per interface. No routing file needed unless conflicts show up.
* feat(sway): warp pointer to focused container | sommerfeld | 2026-05-13 | 1 | -0/+1
  Pairs with focus_follows_mouse to prevent stale-hover focus-steal after keyboard navigation: the cursor jumps into the new focus so subsequent small mouse movements don't bounce focus back to where it used to be.
* feat(sway): inhibit_idle on fullscreen windows | sommerfeld | 2026-05-13 | 1 | -0/+1
  Any fullscreen window now pauses swayidle's timer. Covers mpv, video calls, fullscreen browser video, etc.
* feat(waybar): add mako notification counter module | sommerfeld | 2026-05-13 | 2 | -0/+39
  New mako-status.sh emits JSON with pending / history counts. Click to dismiss latest, right-click to dismiss all, middle-click to restore the last dismissed notification.
* feat(waybar): add privacy module (mic/cam/screen indicator) | sommerfeld | 2026-05-13 | 1 | -0/+11
  Shows icons while any app holds the microphone or a screen-share source via PipeWire. No new deps on a PipeWire system.
* feat(waybar): add idle_inhibitor module | sommerfeld | 2026-05-13 | 1 | -0/+10
  Click to toggle an inhibit lock that prevents swayidle from firing. Useful for long reads, video playback without fullscreen, etc.
* feat(sway): copy screenshots to clipboard | sommerfeld | 2026-05-13 | 1 | -2/+2
  Pipe grim through tee so Print / Shift+Print save to disk AND copy the PNG to the Wayland clipboard via wl-copy.