| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Zellij's default 'Tab #N' name is fixed at tab creation (the N is the
immutable creation index, not the live position) and never auto-updates
when tabs are closed or moved, so the default is actively misleading
after any tab reorg. Tmux's `renumber-windows on` has no zellij
equivalent and no plugin solves this cleanly.
Restore shell-side renaming but drop the position prefix `N:` — visual
order in the tab bar implies position. After a session resurrect or
closing a middle tab, untouched tabs still show their previous
dir:cmd label until the next prompt fires there, but at least there is
no misleading number to second-guess.
|
| |
|
|
|
|
|
|
|
| |
okular is installed as flatpak (org.kde.okular), not as a native
binary, so the bare `okular` invocation in the opener failed
silently (orphan = true hides the ENOENT). glow is already in
base.txt and renders inline in the terminal — better fit for a TUI
file manager. block = true keeps yazi waiting until the user quits
glow, mirroring `less`-style behaviour.
|
| |
|
|
|
|
| |
Yazi tightened its config schema; `name` is no longer accepted for
glob-based opener rules, only `url` (or `mime`). Without this fix yazi
errors on startup and falls back to preset settings.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
User confirms snx-rs's SAML loopback no longer needs chromium routing.
Remove:
- dot_local/bin/snxctl-chromium (PATH-override wrapper)
- dot_local/share/snx-rs/bin/xdg-open (chromium shim)
- snx-rs LibreWolf SAML note in user-overrides.js
The waybar snx-vpn toggle now just runs `snxctl connect` detached,
no wrapper indirection.
|
| |
|
|
|
|
| |
Affects the whole host and requires a reboot — only worth doing if you
need rootless --memory/--cpus limits. Rootless podman otherwise runs
fine on cgroups v1.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Adds podman + helpers (crun, conmon, netavark, aardvark-dns,
slirp4netns, passt) to the home-manager profile, plus rootless-sane
registries.conf, storage.conf (overlay driver, kernel-native — VM
kernel 5.15 supports rootless overlay since 5.13, no fuse-overlayfs
needed), and policy.json.
Documents host-side prerequisites in remote-dev/README.md: install
uidmap, ensure subuid/subgid entries for the user, and enable cgroups
v2 (systemd.unified_cgroup_hierarchy=1) so rootless resource limits
work on Ubuntu 20.04.
|
| |
|
|
|
| |
git config defines a mergiraf merge driver; install it on the VM so
.gitattributes references actually resolve.
|
| |
|
|
|
|
|
|
|
| |
mkOutOfStoreSymlink exposes the working-tree file's perms. Under
Ubuntu's default umask 002, git checks out private_dot_ssh/config
as 0664; OpenSSH refuses any group-writable ssh_config.
Replace the home.file symlink with a home-manager activation step
that copies the file to a real ~/.ssh/config with 0600.
|
| |
|
|
|
|
|
|
|
|
| |
zprofile unconditionally pointed SSH_AUTH_SOCK at the local
gpg-agent's ssh socket. On remote machines (e.g. remote-dev VM)
that clobbers ssh-agent forwarding — `ssh-add -L` reports no
identities because the VM's gpg-agent has no keys.
Only override when there's no forwarded socket (no $SSH_CONNECTION
or no $SSH_AUTH_SOCK from sshd).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mason's pypi distribution of basedpyright pulls nodejs-wheel-binaries
which only ships manylinux_2_28 Linux wheels. uv's python-build-
standalone interpreter is tagged manylinux2014 (glibc 2.17 for max
portability) and rejects those wheels; pip then falls back to building
Node 24 from source, which fails on Ubuntu 20.04's gcc 9.4 (needs
gcc >=10 for -std=gnu++20).
Provide basedpyright via the system package manager instead:
- pacman on Arch (added to meta/base.txt)
- pkgs.basedpyright on the VM (added to remote-dev/home.nix)
Drop it from mason-tool-installer's ensure_installed; lspconfig picks
it up from PATH. Document the exception in remote-dev/README.md.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The deadsnakes PPA may not be reachable on every VM (corporate apt
proxy, Ubuntu derivatives that add-apt-repository misdetects, etc.).
`uv python install 3.11` works on any distro: it fetches a portable
python-build-standalone CPython into ~/.local/share/uv/python/, which
is manylinux-wheel-compatible.
Symlink the resulting binary to ~/.local/bin/python3.11 (already on
PATH from zprofile). Move the step to after `home-manager switch`
since uv comes from the nix profile.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Nix's python rejects manylinux wheels by design (its libc is patched),
which forced pip in Mason's per-pkg venvs to compile nodejs-wheel-binaries
(pulled in by basedpyright) from source. That source build then failed on
Ubuntu 20.04's gcc 9.4 — Node 24 requires C++20 (g++ >= 12.2.0).
Replace the nix python311-versioned-only derivation with an Ubuntu-native
python3.11 from the deadsnakes PPA. It satisfies Mason's >=3.10 version
requirement, accepts manylinux wheels, and the versioned binary name
leaves /usr/bin/python3 untouched (leaf-tools policy preserved).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously `clipboard` was set to empty inside SSH sessions on the
assumption no clipboard tool would be reachable. That broke yank →
host-clipboard on the remote-dev VM.
nvim ≥0.10 ships a built-in OSC 52 provider
(vim.ui.clipboard.osc52). The terminal emulator (ghostty locally,
zellij forwarding inside it) handles the escape sequence and writes
to the host's clipboard, so we get yank-to-host without needing
wl-copy/xclip on the VM. Paste over OSC 52 is rarely supported by
terminals (security), so we wire it but it's effectively a no-op;
bracketed paste from the terminal still delivers clipboard contents
into the buffer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
User policy: Mason should install everything it lists regardless of
host-provided versions. Revert the PATH-filtering wrapper around
ensure_installed (b2f129e) — back to a plain table literal.
For shellharden specifically, Mason's only install source is
`cargo install`. The Arch host has cargo via base-devel/rustup; the
VM previously didn't, so Mason errored "ENOENT cargo". Add `cargo`
and `rustc` to the remote-dev nix profile so Mason can build it on
the VM too. Drop the shellharden package from home.nix — Mason owns
it now, no more provider competition with the nix-profile binary.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ubuntu 20.04's stock python3 is 3.8.10, which fails Mason's pep440
checks for autotools-language-server, codespell, mdformat,
nginx-language-server, systemdlint, yamllint (all want >=3.9 or
>=3.10).
Mason's pypi installer (verified against upstream
lua/mason-core/installer/managers/pypi.lua) probes python3.6 through
python3.14 in PATH in addition to plain python3, so providing
python3.11 alone (without python3) is enough.
Add a thin runCommand derivation that symlinks ONLY
pkgs.python311/bin/python3.11 into the profile — not python3 or
python — so we don't shadow Ubuntu's /usr/bin/python3 and keep the
leaf-tools policy intact.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mason's installer tries one source per package. For tools that we
already provide via the system package manager (Arch pkgs on the
host) or nix-profile (on the remote-dev VM), Mason will keep trying
to (re-)install via cargo/pip/etc. and report failures — but
conform.nvim/nvim-lint resolve their binary from PATH anyway, so
the Mason install is redundant.
Filter ensure_installed at startup against vim.fn.executable(). Keeps
behaviour identical on a fresh host (Mason still pulls everything),
but silences spurious failures for tools that the user has chosen to
provide system-wide (shellharden via nix-profile being the immediate
case).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
JRE/shellharden/python3-venv
copilot.lua was hard-coding the chezmoi-pinned Node 24 at
~/.local/share/copilot-node/bin/node, which only exists on the Arch
host where chezmoi runs run_onchange_after_install-copilot-node.sh.
On the remote-dev VM the path is absent, so copilot-language-server
spawned with cmd[0]=<missing> and printed 'Could not determine
Node.js version'. Probe the pinned path with vim.fn.executable() and
fall back to 'node' from PATH otherwise.
For the VM PATH 'node' to be a supported version, switch home.nix
from the rolling 'nodejs' alias to 'nodejs_24' (the version the
chezmoi script also pins on the host).
Address the cluster of Mason install failures on the VM:
- autotools-language-server, codespell, mdformat,
nginx-language-server, systemdlint -- pip-installed; fail because
Ubuntu's python3 ships without venv. bootstrap.sh now apt-installs
python3-venv; README documents the manual command for existing VMs.
- groovy-language-server -- needs a JRE. Add 'jre' to home.packages.
- shellharden -- Mason's cargo fallback can't run under our
leaf-tools policy. Provide the binary via nix-profile instead so
Mason finds it on PATH.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Wraps the bootstrap-day-2 incantations so you don't have to remember
`home-manager switch --impure --flake '.#vm' -b backup` and its zsh
quoting gotcha. Recipes:
- `just update` — pull + switch (the everyday one)
- `just pull` — config-only changes, no nix rebuild
- `just switch` — rebuild HM from the current checkout
- `just gc` — expire HM generations >7d and gc the nix store
README updated to use these.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous guard checked `$+commands[Y]` (binary present in PATH), but the
`compdef: unknown command or service: Y` message comes from compdef when
the *completion function* `_Y` isn't registered — on the remote-dev VM
`systemctl`, `just`, `lsd` are all on PATH yet zsh has no `_systemctl`
because Ubuntu's system zsh doesn't include nix-profile's
share/zsh/site-functions in fpath.
Two-part fix:
1. Prepend $HOME/.nix-profile/share/zsh/{site-functions,vendor-completions}
to fpath (when they exist) before compinit, so the completions get
loaded on the VM the same way they do on Arch.
2. Switch the compdef guard to `$+_comps[Y]` — the assoc-array compinit
actually populates with every command that has a registered completion
handler. Still belt-and-suspenders in case something ships a binary
without a matching completion file.
|
| |
|
|
|
|
|
|
| |
The flake set `allowUnfree = false` so `home-manager switch` failed
with "Refusing to evaluate package 'claude-code-...' because it has
an unfree license". Switch to `allowUnfreePredicate` with an explicit
name allowlist — keeps the door closed for everything else while
permitting just the two AI agents we actually want.
|
| |
|
|
|
|
| |
`home-manager switch --flake .#vm` fails under our zsh (which sets
`extendedglob`) because `#` then becomes a glob qualifier and `.#vm`
parses as an unmatched pattern. Quoting the ref sidesteps it.
|
| |
|
|
|
| |
So the dotfiles `justfile` (and any in-tree project justfiles the user
checks out on the VM) work without falling back to make/scripts.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
On minimal hosts (remote-dev VM, fresh container) several of the
`compdef alias=target` lines fail at login with messages like:
compdef: unknown command or service: just
compdef: unknown command or service: systemctl
compdef: unknown command or service: lsd
— because zsh has no `_just`/`_systemctl`/`_lsd` completion function
loaded when the binary isn't on the system. Wrap each call in a small
helper that checks $commands[<target>] first so absent tools just
silently skip their alias completion instead of spamming the prompt.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The hand-rolled `N:dir:cmd` tab labels could never stay in sync:
- After session resurrection, tab names are restored from disk but no
shell-visible event fires, so labels stayed stale until the user hit
Enter to trigger precmd.
- After closing a middle tab, zellij renumbers surviving tabs but again
emits no per-pane event, so the `N:` prefix on every tab to the right
silently became wrong.
- Once a tab has a custom name, zellij's tab-bar plugin uses it verbatim
— there's no way to keep the default `Tab #N` numbering while also
injecting dir/cmd info. The only plugin that addresses this (vmaerten/
zellij-tab-rename) requires zellij built from main.
Dropping the hooks restores zellij's built-in `Tab #N`, which is the
single label that stays correct across resurrect and renumber. The zsh
prompt already shows CWD inside the pane.
|
| |
|
|
|
|
| |
workspace_auto_back_and_forth yes makes `workspace number N` jump
back to the previously focused workspace when N is already current.
Applies to both $mod+N keybinds and waybar workspace clicks.
|
| |
|
|
|
|
|
|
|
|
|
| |
New custom/snx-vpn module sits next to custom/vpn (the wireguard one):
- snx-vpn-status.sh shells out to `snxctl status` (timeout 2s) and maps
the output to three states: down (grey strikethrough), connecting/MFA
(amber), up (green). Tooltip shows the full status block when up.
- snx-vpn-toggle.sh disconnects when up, runs snxctl-chromium detached
when down (so SAML lands in the flatpak ungoogled-chromium without
blocking waybar). Both paths refresh the module via SIGRTMIN+9.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
snx-rs.service is a system unit, not --user, so the prior approach of
overriding the daemon's PATH via a systemd drop-in could never apply.
And it wasn't needed anyway: snxctl itself runs opener::open(url)
in-process, so prepending the shim dir to snxctl's PATH is enough.
- Drop dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf.
- snxctl-chromium now just sets PATH and exec's snxctl connect.
- xdg-open shim no longer forces --new-window so chromium can reuse a
warm window (faster SAML round-trip).
|
| |
|
|
|
| |
Drop --hide-search and enable --matching=fuzzy --insensitive so typing
'po' jumps to Poweroff, 'su' to Suspend, etc.
|
| |
|
|
|
|
|
| |
Fetches the current code from pass-otp's vpn/totp entry and types it
into the focused surface with wtype. Falls back to wl-copy + a
notification when wtype isn't available or the focused surface lacks
virtual-keyboard support (e.g. an Xwayland window).
|
| |
|
|
|
| |
Enables `pass otp insert/show` for TOTP secrets, used as the source
for the ungoogled-chromium VPN OTP autofill keybind.
|
| | |
|
| |
|
|
|
|
|
| |
Rebases onto @{u} re-signing each commit with the current author
identity and key, while stripping any Co-authored-by lines. Hooks are
disabled (core.hooksPath=/dev/null) so chezmoi's post-commit hook
doesn't fire once per replayed commit.
|
| |
|
|
|
|
| |
teams-for-linux --minimized=true makes the app honor systemd autostart
without popping a window on every login (parity with Signal's
--start-in-tray).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
systemd/user/teams-{sii,xsight}.service: autostart both Teams flatpak
profiles on sway-session.target login. KillMode=mixed so SIGTERM hits
only the wrapper process — both instances share the same flatpak app
id, so killing by app id would take down the sibling instance. A 15s
SIGKILL fallback covers the case where Electron tray-hides instead of
quitting. Both units listed in systemd-units/user.txt.
etc/pacman.conf: IgnorePkg = llama-cpp-vulkan. The AUR package rebuilds
on every llama.cpp commit (multi-hour build). Update manually with
`paru -S llama-cpp-vulkan` when intended.
snxctl-chromium wrapper:
- dot_local/share/snx-rs/bin/xdg-open: shim that flatpak-runs
ungoogled-chromium, used only by snx-rs.
- dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf:
drop-in prepending that dir to the daemon's PATH so snx-rs's
opener-crate call to xdg-open lands in chromium, without affecting
xdg-open for any other process.
- dot_local/bin/snxctl-chromium: convenience wrapper that
daemon-reloads and restarts snx-rs.service if the drop-in isn't yet
applied, then execs `snxctl connect`.
firefox/user-overrides.js: revert the dom.security.https_only_mode.
upgrade_local and network.lna.local-network-to-localhost.skip-checks
prefs — they didn't actually fix the SAML flow. Replaced with a
comment pointing to the wrapper instead.
|
| |
|
|
|
|
| |
Pure formatter output from shfmt (2-space indent, '|' line breaks),
prettier (KEYBINDS.md), and 'just fmt' (justfile blank line).
No behavior change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSH-format signing
home.nix:
- Add zoxide (fixes 'command not found' on shell start), clang-tools
(no compiler driver), nodejs (Mason npm LSPs), uv (Mason python LSPs;
does not install python3 in PATH, so Ubuntu's /usr/bin/python3 stays
the system default), claude-code, github-copilot-cli.
- Refine the leaf-tools policy comment: explicit denylist of build-
toolchain binaries that would shadow Ubuntu's via PATH, plus a
carve-out for editor/AI runtimes (node, uv, clang-tools).
- Symlink ~/.config/git/{config,attributes,ignore} and ~/.ssh/config
from the dotfiles tree.
dot_config/zsh/dot_zshrc: guard direnv/zoxide/fzf inits with
'command -v X >/dev/null &&' so a fresh machine without one of them
no longer prints a stderr error on every shell start.
dot_config/git/config: append unconditional '[include] path =
~/.config/git/config.local' for machine-local overrides (used on the
remote-dev VM to switch to SSH-format signing via the forwarded
agent). Git silently skips missing include files.
remote-dev/README.md: document the update flow (config-only vs HM
rebuild), the single-shell leaf-tools policy, and the one-time VM
setup for SSH-format commit signing (allowed_signers + config.local,
ForwardAgent yes on the host).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set mako default-timeout=0 so notifications stay until acted upon. With
auto-timeout off, mako's list IS the pending set, so the
$XDG_RUNTIME_DIR/mako-dismissed bridge becomes dead weight.
- mako/config: default-timeout=0; drop redundant [urgency=critical]
default-timeout=0 override.
- Delete dismiss-visible.sh and restore-pending.sh; sway calls makoctl
directly (Mod+n=dismiss, Mod+Shift+n=dismiss --all,
Mod+Ctrl+n=restore as undo).
- Shrink mako-status.sh to a 20-line counter of makoctl list.
- Rename mako-history.py -> notification-picker.py; lists only
visible, dismisses via makoctl dismiss -n <id>.
- Update waybar config.jsonc on-click path.
- Update KEYBINDS.md wording (no more 'marks seen' / 'pending set').
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New remote-dev/ subdir with a Home-Manager flake that provisions a
headless dev environment on a remote Ubuntu 22.04 VM accessed via SSH.
Shares nvim, zellij, zsh, direnv, and ghostty configs from the same
dotfiles repo via mkOutOfStoreSymlink (no rebuilds on config edits).
CLI tool set mirrors the dev-tool subset of meta/base.txt; sysadmin
tools (procs, gdu, duf), lazygit, and node/yarn (only needed for
markdown-preview on GUI hosts) are excluded.
bootstrap.sh is one-shot: installs Nix via Determinate Systems
installer, clones the repo to ~/.local/share/dotfiles, runs
home-manager switch, and chshes to the nix-store zsh.
dot_config/zsh/dot_zshrc loses its hardcoded Arch plugin/git-prompt
paths in favour of a fallback search: Arch path first, then
$HOME/.nix-profile/share/. Same file works on host and VM.
.chezmoiignore: exclude remote-dev/ from chezmoi deploy on the host.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remote hosts without xterm-ghostty terminfo print 'xterm-ghostty: unknown
terminal type' on connect. Ghostty's shell integration ships two features
for this:
- ssh-terminfo: pipes `infocmp -x xterm-ghostty` to the remote and
installs it under ~/.terminfo on first connect, permanently fixing TERM
recognition on hosts where you have a writable home.
- ssh-env: falls back to TERM=xterm-256color (plus COLORTERM=truecolor and
TERM_PROGRAM=ghostty) for the ssh subprocess, so hosts where terminfo
install fails or home is read-only still get sane defaults.
Both required shell-integration to be on, which it already is (zsh).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
LibreWolf disables media.gmp-provider.enabled and media.gmp-gmpopenh264.enabled
and falls back to media.webrtc.hw.h264.enabled=true. On Linux this rarely
works because Mozilla's bundled FFmpeg doesn't ship H.264 encode support
(patent policy), so the SDP offers H.264 but the encoder produces no frames.
Result: local camera preview works (raw MediaStreamTrack, no encoding) but
remote participants see no video. Affects MS Teams (H.264 primary); does not
affect Google Meet (VP8/VP9 native). Same symptom in flatpak and native
LibreWolf builds, confirming sandbox is not the cause.
arkenfox 2020 deliberately leaves media.gmp-provider.enabled commented out
and does not touch the OpenH264 plugin pref. Re-enabling here brings us in
line with arkenfox. media.gmp-manager.url is restored from LibreWolf's
data:text/plain blank so the OpenH264 GMP can actually download.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
LibreWolf 149+ hardens beyond arkenfox by force-upgrading loopback to HTTPS
(dom.security.https_only_mode.upgrade_local=true) and enabling LNA blocking
of public->loopback redirects. Both break snx-rs / Forticlient / generic
VPN SAML callbacks that land on http://127.0.0.1:<port>/<token>.
Restore stock Firefox / arkenfox loopback behaviour. arkenfox 1245 leaves
upgrade_local intentionally commented out and does not touch network.lna.*,
so this brings us in line with arkenfox rather than weaker than it.
Refs: LibreWolf issues #2954 (Forticlient SSO broken in 149), #2962
(HTTPS-Only Mode locked in 149.0.2-1, reverted in 149.0.2-2).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Vanilla sway only has splith/splitv with no auto-orientation, so new
windows always split along whatever axis the parent container is set
to (default splith). The result: opening a third window in a workspace
that's already split horizontally just keeps stacking horizontally,
even when each pane is now narrower than it is tall.
swayr's daemon (swayrd) subscribes to sway IPC and, with
[layout].auto_tile = true, issues splith or splitv on the focused
container based on its width-vs-height before sway places the next
window. The result is the i3/awesome-style spiral tiling: each new
window splits the focused pane along its longest side.
Run swayrd as a systemd user service bound to sway-session.target so
it starts/stops with the session (matching the pattern used by
waybar, swayidle, mako, etc.). No keybind changes; only the placement
algorithm.
|
| |
|
|
|
|
|
| |
librewolf was migrated from a native package to the flatpak
io.gitlab.librewolf-community in commit f5796c7; the $mod+Shift+b
binding still called the native binary, so the keybind silently did
nothing. Use 'flatpak run' instead.
|
| |
|
|
|
|
|
|
|
| |
nftables.service starts at boot before libvirtd creates the virbr0 NAT
bridge. 'iif'/'oif' resolve to a kernel ifindex at rule-load time and
fail with 'Interface does not exist' when virbr0 isn't up yet.
'iifname'/'oifname' do a string match per packet and tolerate a missing
interface, so the ruleset loads cleanly at boot and starts matching
once libvirtd brings virbr0 up.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Adds two generated 256x256 hicolor PNG icons under
~/.local/share/icons/hicolor/256x256/apps/ and wires them up:
* Icon=teams-{sii,xsight} -> launcher / waybar / sway use them
* --appIcon=<absolute path> -> electron tray icon picks them up
(teams-for-linux respects this flag)
The flatpak override script gains a --filesystem=xdg-data/icons:ro
binding for com.github.IsmaelMartinez.teams_for_linux so the absolute
icon path is reachable from inside the sandbox.
|
| |
|
|
|
|
|
|
|
|
|
| |
Two flatpak-tailored .desktop entries that run separate isolated instances
of teams-for-linux via --class / --user-data-dir / --appTitle. Profile
data lives under $HOME/.var/app/<id>/config/profile-{sii,xsight}/ which
is always sandbox-writable.
The upstream flatpak .desktop is shadowed by an XDG_DATA_HOME entry of
the same basename with NoDisplay=Hidden=true so only the two profile
launchers appear in fuzzel.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The host firewall has policy=drop on both input and forward chains.
libvirt creates its own nftables table for virbr0 NAT, but:
1. It does not touch the input chain at all, so DHCP packets from
guests (UDP/67) are dropped before reaching dnsmasq. Result:
Windows guest stuck on 169.254.x APIPA forever.
2. Its forward-chain accepts have the same hook+priority as ours.
In nftables, all chains at a hook+priority must accept (any drop
wins), so our policy=drop would block guest egress and return
traffic even though libvirt's chain explicitly accepts.
Add minimal carve-outs for virbr0: DHCP+DNS in input, guest egress
and return traffic in forward.
|
| |
|
|
|
|
|
|
|
|
| |
Type=ether matches ALL L2 ethernet interfaces, including libvirt-created
vnet* tap devices. Without Name= negations, when a VM starts its tap is
pulled into bond0 instead of staying with virbr0, killing DHCP/NAT for
the guest (Windows ends up with a 169.254.x APIPA address).
Add Name= negations to skip libvirt taps/bridges, generic taps, and
common container engine virtual interfaces.
|
sommerfeld