Commit message | Author | Age | Files | Lines

* Mirror GnuPG config on VM | sommerfeld | 3 days | 4 | -17/+20
* Update nix lockfile | sommerfeld | 3 days | 1 | -6/+6
* Use local gpg-agent on VM | sommerfeld | 3 days | 5 | -100/+46
* Update blink.pairs native library setup | sommerfeld | 3 days | 2 | -3/+17
* Update nix lockfile | sommerfeld | 4 days | 1 | -6/+6
* Reduce Arch package surface | sommerfeld | 4 days | 25 | -129/+409
* Pin blink.pairs before native loader change | sommerfeld | 5 days | 1 | -4/+2
* Relax AI committer push check | sommerfeld | 5 days | 2 | -23/+11
* Update Nix flake lockfile | sommerfeld | 5 days | 1 | -9/+9
* Allow unmatched globs in zsh | sommerfeld | 5 days | 1 | -1/+2
* Update blink.pairs native setup | sommerfeld | 5 days | 1 | -1/+3
* Update Nix flake lockfile | sommerfeld | 5 days | 1 | -3/+3
* Add Mattermost flatpak | sommerfeld | 5 days | 1 | -0/+1
* Disable broken Proton mail startup | sommerfeld | 5 days | 3 | -4/+7
* Restore AUR pass secret service | sommerfeld | 5 days | 3 | -21/+7
* Expand sshcontrol | sommerfeld | 7 days | 1 | -0/+2
* Update Nix flake lockfile | sommerfeld | 7 days | 1 | -9/+9
* Use absolute editor commands under sudo | sommerfeld | 7 days | 3 | -8/+23

  Resolve nvim before exporting editor and pager variables so sudo-rs env_keep does not depend on root's secure_path. Update the Waybar pacdiff action to pass an absolute DIFFPROG through sudo.
* Reduce AUR package surface | sommerfeld | 7 days | 9 | -38/+76

  Move pass-secret-service, snx-rs, and Sparrow under Nix/Home Manager. Track the snx-rs system unit, pass-secret-service user unit, and pacman cache cleanup hook in the repo. Drop the mkinitcpio firmware metapackage, overdue, pacman-cleanup-hook, and the standalone btc package group.
* Add mosh work VM alias | sommerfeld | 7 days | 1 | -0/+1
* Use unified tuicr diff view | sommerfeld | 2026-06-05 | 1 | -1/+1
* Limit git switch completion to local branches | sommerfeld | 2026-06-05 | 1 | -0/+1
* Add no-hooks rebase alias | sommerfeld | 2026-06-05 | 1 | -0/+1
* Refactor git resign alias | sommerfeld | 2026-06-05 | 1 | -1/+1
* Update nix tools and system units | sommerfeld | 2026-06-05 | 4 | -8/+7
* Move more host tooling to Nix | sommerfeld | 2026-06-05 | 63 | -108/+181
* refactor(mail): migrate protonmail-bridge from pacman to nix | sommerfeld | 2026-06-05 | 5 | -4/+26

  Move the ProtonMail Bridge off the AUR protonmail-bridge-core package and onto nix/host.nix, consistent with the other migrated user-leaf tools.

  Since the AUR package previously supplied the systemd user unit (customized via a drop-in), ship a repo-owned dot_config/systemd/user/protonmail-bridge.service instead: it runs the nix binary by absolute %h/.nix-profile/bin path with --noninteractive and folds the former drop-in's PASSWORD_STORE_DIR into the unit, so the now-redundant protonmail-bridge.service.d/override.conf is removed.

  Drop protonmail-bridge-core from meta/base.txt (the git send-email Perl prereqs stay). No vm.nix change: the bridge is host-only and user units are not symlinked on the headless VM.
* fix(systemd): ship poweralertd.service user unit | sommerfeld | 2026-06-05 | 2 | -0/+15

  poweralertd was migrated to nix (host.nix) but, like mako, the nix package does not ship a systemd user unit on the manager's search path. sway-session.target's Wants=poweralertd.service referenced a non-existent unit (previously the pacman package supplied /usr/lib/systemd/user/poweralertd.service), so battery/AC notifications never started at login.

  Add a repo-owned poweralertd.service (absolute nix-profile path) and register it in systemd-units/user.txt.
* fix(systemd): ship mako.service user unit | sommerfeld | 2026-06-05 | 2 | -0/+18

  The nix mako package does not ship a systemd user unit on the user manager's search path, so sway-session.target's Wants=mako.service referenced a non-existent unit after the pacman->nix migration (previously the Arch mako package provided /usr/lib/systemd/user/mako.service). mako only started on first D-Bus notification, never eagerly at session login.

  Add a repo-owned mako.service (Type=dbus, org.freedesktop.Notifications) using the absolute nix-profile path, matching the other sway-session units, and register it in systemd-units/user.txt.
* fix(systemd): drop StopWhenUnneeded from sway-session.target | sommerfeld | 2026-06-05 | 1 | -1/+0

  The target reached active then was immediately garbage-collected:

    Reached target sway compositor session
    Stopped target sway compositor session
    Stopping swayr.../Waybar...

  Nothing holds a reverse dependency on sway-session.target, so the first "stop unneeded units" pass (triggered when any Wanted service transitions, e.g. a ConditionEnvironment skip during the env-import race) found it unneeded and StopWhenUnneeded=yes tore it down, cascading via PartOf/BindsTo to every session service. Manual `systemctl --user start` worked because that starts the service directly, not the GC-prone target.

  StopWhenUnneeded has been latent since 030848c; the nix migration's changed startup timing exposed it. The canonical sway-session.target omits it; teardown still works via BindsTo=graphical-session.target and user-manager shutdown at logout (swaymsg exit).
* revert(systemd): drop redundant environment.d PATH file | sommerfeld | 2026-06-05 | 1 | -20/+0

  The absolute %h/.nix-profile/bin/<name> ExecStart paths (previous commit) fix unit startup without any PATH dependency. The remaining secondary lookups those binaries make (wl-paste -> cliphist, swayidle -> swaymsg/playerctl) are already covered by the sway config's existing `systemctl --user import-environment PATH` (dot_config/sway/config), the established mechanism that also feeds waybar's nix-provisioned pass/python3. So environment.d/10-nix-profile-path.conf was a redundant parallel mechanism. Remove it.
* fix(systemd): use absolute %h/.nix-profile/bin paths in user units | sommerfeld | 2026-06-05 | 9 | -26/+28

  The previous environment.d fix was insufficient: even with the nix profile on the --user manager's PATH (confirmed via `systemctl --user show-environment`), bare-name ExecStart= still fails 203/EXEC. systemd's --user manager does not resolve a bare ExecStart binary against the imported/environment.d PATH.

  Invoke each unit's main binary by absolute path %h/.nix-profile/bin/<name> (waybar, swayidle, swayrd, inhibridge, wl-paste, wob). %h expands to $HOME at unit load.

  Secondary lookups those binaries/scripts perform (cliphist, swaymsg, playerctl) still rely on PATH, which environment.d provides — so that file stays, with its comment corrected to reflect this split.
* fix(nix,meta): keep imv/wl-mirror/sparrow on pacman (OpenGL context) | sommerfeld | 2026-06-05 | 2 | -19/+14

  Same root cause as ghostty: imv (OpenGL), wl-mirror (EGL) and sparrow (JavaFX/OpenGL) are GL/EGL apps that can't find the system Mesa/DRI driver when built by nix on a non-NixOS host. Remove them from nix/host.nix; add imv + wl-mirror to meta/base.txt (sparrow already lives in meta/btc.txt as sparrow-wallet). Refresh the stale base.txt media comment accordingly.
* fix(nix,meta): keep ghostty on pacman to fix missing OpenGL context | sommerfeld | 2026-06-05 | 2 | -3/+11

  ghostty is a GPU/OpenGL terminal. Nix-built GL apps on a non-NixOS host can't locate the system Mesa/DRI driver (FHS /usr/lib drivers don't match nix's search paths), so the nix-migrated ghostty failed to start with "missing OpenGL context". Move it back to meta/base.txt (pacman) so it links against system Mesa. Same caveat flagged for imv/wl-mirror/sparrow.
* fix(systemd): add environment.d PATH so user units find nix binaries | sommerfeld | 2026-06-05 | 1 | -0/+22

  The user-leaf tools (waybar, swayidle, swayr, mako, cliphist, inhibridge, wob, …) were migrated to the Nix home profile and their .service units reference them by bare name. The systemd user manager does not source ~/.zprofile, so its PATH lacked ~/.nix-profile/bin and every bare-name ExecStart failed with status=203/EXEC.

  The sway config's `systemctl --user import-environment PATH` raced with `systemctl --user start sway-session.target`; when the start won, units launched with the default PATH. environment.d is read at manager startup before any unit, closing the race deterministically.

  Pick up via fresh login/boot or `systemctl --user daemon-reexec`.
* fix(nix): replace nonexistent podman-docker attr with writeShellScriptBin shim | sommerfeld | 2026-06-05 | 1 | -1/+5

  nixpkgs has no top-level `podman-docker` attribute — that's an Arch convenience pkg. NixOS exposes it via the `virtualisation.podman.dockerCompat` option but that's not reachable from home-manager. Ship a one-line writeShellScriptBin instead; same result, no module rewire.
* chore(bootstrap): drop manual paru-bin AUR build; provision subuid/subgid | sommerfeld | 2026-06-05 | 1 | -51/+55

  Two changes:

  1. Eliminate the paru-bin chicken-and-egg. Old flow had to manually git-clone aur/paru-bin and run makepkg -si before just-init could call paru. Now paru ships from nixpkgs via nix/host.nix, so the bootstrap reorders to:

       pacman -S … nix
       enable nix-daemon
       git clone <dotfiles>
       just nix-switch                                  # installs paru + chezmoi + … into ~/.nix-profile
       PATH=$HOME/.nix-profile/bin:$PATH just init      # _chezmoi-init/apply/pkg-apply/unit-apply

     pkg-apply now finds paru on PATH from the nix profile, so the remaining AUR entries in meta/base.txt (arkenfox-user.js, protonmail-bridge-core, pass-secret-service-bin, zsa-udev, kernel-modules-hook, …) install correctly. chezmoi drops out of PREREQS — it comes from the nix profile too. just stays on pacman so the pre-nix-switch `just nix-switch` invocation works.

  2. Add idempotent subuid/subgid provisioning. Required for rootless nix-installed podman; pacman's podman package handled this via its post-install hook, but nix-installed podman doesn't touch /etc/subuid. Range 100000-165535 is the conventional default.
* chore(meta): drop migrated packages from base.txt | sommerfeld | 2026-06-05 | 1 | -73/+23

  Remove every entry now provisioned via nix/host.nix or nix/common.nix:

  - Core CLIs: chezmoi, paru, qrencode, torsocks, lshw
  - Podman stack: podman-compose, podman-docker (rest already nix in common.nix via the previous unify commit)
  - Wayland session: waybar, fuzzel, wofi, mako, swayidle, swayr, inhibridge, bemoji, wob, poweralertd, ghostty
  - Wayland capture/clipboard: grim, slurp, wf-recorder, wtype, wl-clipboard, cliphist, imv, wl-mirror
  - Media control: playerctl, pulsemixer
  - Streaming: yt-dlp, streamlink
  - OCR: tesseract, tesseract-data-eng, tesseract-data-por
  - STT: whisper.cpp-vulkan, whisper.cpp-model-base

  Update the section comments to point at the nix profile for the new home of each group. Sway itself stays on pacman (login-manager session entry), as does libnotify (system shared lib), zbar (linked by other pacman pkgs), swaylock (setuid + PAM), pass-secret-service-bin (D-Bus activation), zsa-udev (udev rule), and the smartcard/font/Qt-plugin stacks.

  Drop whisper.cpp-vulkan from IgnorePkg in etc/pacman.conf — the package no longer exists on the system.
* fix(systemd,scripts): unhardcode /usr/bin paths for nix-migrated tools | sommerfeld | 2026-06-05 | 11 | -17/+18

  The chezmoi-owned user units and ~/.local/bin wrapper scripts called the migrated tools by absolute /usr/bin/ path. After the move to nix, those binaries live under ~/.nix-profile/bin (no /usr/bin alias).

  systemd user units: drop the /usr/bin/ prefix on cliphist-{text,image} (wl-paste), inhibridge, swayidle, swayrd, waybar, and the inner wob in wob.service (outer /usr/bin/sh stays, sh is system). systemd resolves bare names through the unit's inherited PATH, which includes ~/.nix-profile/bin via hm-session-vars.

  dictate: default_model now points at ~/.nix-profile/share/whisper-cpp-models/ggml-base.bin (overridable via $WHISPER_MODEL). Header rewritten to mention nix instead of AUR.

  yt-dlp / streamlink wrappers: pass $HOME/.nix-profile/bin/<tool> to _sandbox-net-parser so the bwrap-sandboxed binary is resolved explicitly (the wrappers shadow PATH lookup inside their own ~/.local/bin so re-entry would loop).
* feat(nix): migrate user-leaf tools to host profile | sommerfeld | 2026-06-05 | 1 | -10/+114

  Pull every pacman/AUR entry that is (1) packaged in nixpkgs and (2) free of tight system coupling out of meta/base.txt and into nix/host.nix.

  System coupling = setuid, /usr/lib/systemd/system unit, udev rule, /usr/share/dbus-1/services file, /usr/share/wayland-sessions entry, shared lib other pacman pkgs link, /etc/makepkg.conf reference, system fontconfig path, PAM, Qt plugin search path, or kernel/firmware/bootloader touchpoint. User-scope systemd units are NOT coupling — nix drops them in ~/.nix-profile/share/systemd/user/ and systemd picks them up; the chezmoi-owned unit files that referenced /usr/bin/<tool> paths are fixed in a follow-up commit.

  Wayland session: waybar, mako, fuzzel, wofi, swayidle, swayr, inhibridge, bemoji, wob, poweralertd, grim, slurp, wf-recorder, wtype, wl-clipboard, cliphist, imv, wl-mirror, playerctl, pulsemixer, ghostty.

  General CLIs: qrencode, torsocks, lshw, yt-dlp, streamlink, chezmoi, paru.

  GUI: sparrow.

  OCR: tesseract collapsed with .override { enableLanguages = [eng por] } — replaces tesseract + tesseract-data-eng + tesseract-data-por.

  STT: whisper-cpp.override { vulkanSupport = true; } plus an inline whisper-cpp-model-base derivation that fetches ggml-base.bin from the upstream huggingface mirror into ~/.nix-profile/share/whisper-cpp-models/.
* feat(nix): unify rootless podman across host and VM | sommerfeld | 2026-06-05 | 4 | -40/+61

  Move the podman stack (podman, crun, conmon, netavark, aardvark-dns, slirp4netns, passt, podman-compose, podman-docker) from a vm-only block into common.nix so the Arch host and the Ubuntu remote-dev VM run the same nix-pinned versions. This drops podman-compose + podman-docker from pacman as well — they were the only podman-stack pieces still sourced from there on the host.

  Relocate registries.conf + policy.json into the chezmoi tree at dot_config/containers/ so both flavors share them; vm.nix now picks them up via the existing link helper. storage.conf stays inline in vm.nix because the VM needs the overlay driver while the Arch host uses the btrfs driver (root fs is btrfs there).
* chore(nix): flake.lock update (home-manager) | sommerfeld | 2026-06-05 | 1 | -7/+7

  home-manager: 7d8127d3 (master, 26.11) → b179bde2 (release-26.05)

  Follow-up to the release-branch pin in the previous commit.
* chore(nix): pin home-manager to release-26.05 (match nixpkgs) | sommerfeld | 2026-06-05 | 1 | -1/+6

  HM master had rolled to the 26.11 development cycle while the nixos-unstable nixpkgs snapshot we follow is still on 26.05. Activation emitted the 'mismatched versions' warning at every nix-switch. Pin HM to its release-26.05 branch so the two stay in lockstep; bump the branch name when nixpkgs lib.version rolls over.
* chore(nix): flake.lock update (home-manager, tuicr) | sommerfeld | 2026-05-29 | 1 | -6/+6
* feat(nix/common): expose run-clang-tidy missing from nixpkgs clang-tools | sommerfeld | 2026-05-29 | 1 | -1/+21

  nixpkgs' clang-tools derivation symlinks scripts from clang-unwrapped only when they're executable; run-clang-tidy loses the +x bit during the multi-output split and gets skipped. Re-expose it ourselves by probing clang-unwrapped's main and python outputs (bin/ first, then the legacy share/clang/ layout) and installing the first hit at $out/bin/run-clang-tidy.
* refactor(meta/nvidia): drop linux-headers (covered by base kernels) | sommerfeld | 2026-05-29 | 1 | -1/+0

  linux-hardened-headers and linux-lts-headers in meta/base.txt already cover every installed kernel, so 'linux-headers' here would only pull the stock 'linux' kernel back in via dependency — which we just removed.
* feat(kernel): swap stock linux for linux-lts as fallback kernel | sommerfeld | 2026-05-29 | 5 | -33/+46

  Promotes linux-hardened to the sole primary kernel and replaces linux with linux-lts as the safety-net fallback.

  Rationale:

  - linux and linux-hardened track the same upstream major version and ship within days of each other, so 'linux' was a poor fallback for the regression class that historically takes out the hardened kernel on this hardware (e.g. checkpoint 026 wake-from-suspend panic). linux-lts lags by weeks/months and is almost always known-good when hardened breaks.
  - Drop etc/mkinitcpio.d/linux.preset, add linux-lts.preset. Hardened preset header + bootstrap.sh efibootmgr instructions updated accordingly (hardened registered first so it's the default; lts registered as the on-demand fallback).
  - Also add mkinitcpio-firmware (AUR) to silence the spurious 'missing firmware' warnings during initramfs builds.

  Manual host-side steps after deploy:

    paru -S linux-lts linux-lts-headers mkinitcpio-firmware
    sudo pacman -Rsn linux                        # or via 'just pkg-apply' undeclared flow
    sudo rm -f /etc/mkinitcpio.d/linux.preset     # chezmoi-deployed, not pkg-owned
    sudo mkinitcpio -P
    sudo efibootmgr                               # add the Arch LTS entries, drop the stock linux ones

  Note: meta/nvidia.txt still lists 'linux-headers' for nvidia-dkms. That's a per-host concern; flagged for follow-up if any nvidia host moves to the linux-lts world.
* feat(etc/resolved): forward single-label queries upstream | sommerfeld | 2026-05-29 | 1 | -0/+8

  Enables ResolveUnicastSingleLabel=yes so non-FQDN names like 'sw-jenkins01' get sent to the configured DNS server instead of being dropped to LLMNR/mDNS. Needed for corp shortname resolution via Pi-hole CNAME records that point at *.xsight.ent (resolved by unbound's forward-zone over the new WireGuard bridge).
* refactor(eer): install external-editor-revived via nix on the host | sommerfeld | 2026-05-29 | 4 | -19/+38

  The AUR `external-editor-revived` PKGBUILD declares a hard `thunderbird` dependency, which blocks removing the unused system Thunderbird binary alongside the org.mozilla.thunderbird flatpak (and pacman's `AssumeInstalled` is a CLI flag, not a pacman.conf directive, so the previous workaround was nonfunctional). Nixpkgs' `external-editor-revived` is just `rustPlatform.buildRustPackage` plus a relocatable native-messaging manifest — zero mailer dep — so the host gets it from nix instead.

  * nix/host.nix: add `external-editor-revived` to `home.packages`. Kept out of `common.nix` so the remote-dev VM (which has no Thunderbird) doesn't carry the build closure.
  * run_onchange_after_deploy-tb-eer.sh.tmpl: search `~/.nix-profile/{bin,lib/mozilla/native-messaging-hosts}` first and fall through to the legacy pacman paths. The chezmoi manifest-hash probe now checks the nix path too, so the hook re-runs cleanly when nix bumps the EER version.
  * meta/base.txt: drop the `external-editor-revived` AUR entry and rewrite the comment to point at the nix declaration.
  * etc/pacman.conf: revert the bogus `AssumeInstalled` directive (CLI-only, not pacman.conf).

  On-host migration:

    home-manager switch --flake ~/dotfiles/nix#host        # picks up EER
    sudo pacman -Rns external-editor-revived thunderbird mpv
    chezmoi apply -v                                        # re-runs tb-eer hook
* refactor(flatpak): route mpv and thunderbird via flatpak; drop system pkgs | sommerfeld | 2026-05-29 | 10 | -23/+29

  Both org.mozilla.thunderbird and io.mpv.Mpv are already installed via flatpak, but several places still launched the system binaries (because they were in PATH). Worse, `mpv` was kept on the host *only* for the streamlink-launches-mpv path, and `thunderbird` was being pulled in as a hard dep of external-editor-revived even though it was never the mailer actually used. Untangle both.

  Thunderbird
  -----------

  * dot_config/sway/executable_tb-toggle.sh, dot_config/sway/executable_tb-autostart.sh: swap `thunderbird` → `flatpak run org.mozilla.thunderbird`. The `app_id` matcher in sway config already targets the flatpak id, so the scratchpad-stash and Super+t toggle keep working unchanged.
  * etc/pacman.conf: add `AssumeInstalled = thunderbird=999.0-1`. external-editor-revived (AUR) hard-depends on `thunderbird`; this satisfies the dep without installing the package. Run `sudo pacman -Rns thunderbird` after deploy to remove the now-unneeded system binary.
  * meta/base.txt: document the AssumeInstalled trick next to the external-editor-revived entry.

  mpv
  ---

  * dot_config/streamlink/config: `player=mpv` → `player=flatpak run io.mpv.Mpv`. The flatpak already pulls in our ~/.config/mpv via the read-only filesystem override (see run_onchange_after_deploy-flatpak-overrides.sh.tmpl), so behavior is unchanged.
  * dot_local/bin/executable_linkhandler: same swap for inline video URLs.
  * dot_local/bin/executable_mpv: deleted. The wrapper only existed to bwrap /usr/bin/mpv into _sandbox-net-parser; flatpak's own sandbox supersedes that.
  * dot_local/bin/executable__sandbox-net-parser, dot_local/bin/executable_streamlink: comment refresh — mpv is no longer one of the tools this wraps, and the streamlink wrapper now forwards to the flatpak player rather than nested-bwrap caveats.
  * meta/base.txt: drop `mpv` from the host package list and update the surrounding comment.

  README.md: refresh the media row of the stack table to match.

  On-host steps:

    chezmoi apply -v
    sudo pacman -Syu                                          # picks up AssumeInstalled
    sudo pacman -Rns thunderbird mpv                          # safe now
    flatpak install -y flathub org.mozilla.thunderbird io.mpv.Mpv
    swaymsg reload                                            # pick up new tb scripts