| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Vanilla sway only has splith/splitv with no auto-orientation, so new
windows always split along whatever axis the parent container is set
to (default splith). The result: opening a third window in a workspace
that's already split horizontally just keeps stacking horizontally,
even when each pane is now narrower than it is tall.
swayr's daemon (swayrd) subscribes to sway IPC and, with
[layout].auto_tile = true, issues splith or splitv on the focused
container based on its width-vs-height before sway places the next
window. The result is the i3/awesome-style spiral tiling: each new
window splits the focused pane along its longest side.
Run swayrd as a systemd user service bound to sway-session.target so
it starts/stops with the session (matching the pattern used by
waybar, swayidle, mako, etc.). No keybind changes; only the placement
algorithm.
|
| |
|
|
|
|
|
| |
librewolf was migrated from a native package to the flatpak
io.gitlab.librewolf-community in commit f5796c7; the $mod+Shift+b
binding still called the native binary, so the keybind silently did
nothing. Use 'flatpak run' instead.
|
| |
|
|
|
|
|
|
|
| |
nftables.service starts at boot before libvirtd creates the virbr0 NAT
bridge. 'iif'/'oif' resolve to a kernel ifindex at rule-load time and
fail with 'Interface does not exist' when virbr0 isn't up yet.
'iifname'/'oifname' do a string match per packet and tolerate a missing
interface, so the ruleset loads cleanly at boot and starts matching
once libvirtd brings virbr0 up.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Adds two generated 256x256 hicolor PNG icons under
~/.local/share/icons/hicolor/256x256/apps/ and wires them up:
* Icon=teams-{sii,xsight} -> launcher / waybar / sway use them
* --appIcon=<absolute path> -> electron tray icon picks them up
(teams-for-linux respects this flag)
The flatpak override script gains a --filesystem=xdg-data/icons:ro
binding for com.github.IsmaelMartinez.teams_for_linux so the absolute
icon path is reachable from inside the sandbox.
|
| |
|
|
|
|
|
|
|
|
|
| |
Two flatpak-tailored .desktop entries that run separate isolated instances
of teams-for-linux via --class / --user-data-dir / --appTitle. Profile
data lives under $HOME/.var/app/<id>/config/profile-{sii,xsight}/ which
is always sandbox-writable.
The upstream flatpak .desktop is shadowed by an XDG_DATA_HOME entry of
the same basename with NoDisplay=Hidden=true so only the two profile
launchers appear in fuzzel.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The host firewall has policy=drop on both input and forward chains.
libvirt creates its own nftables table for virbr0 NAT, but:
1. It does not touch the input chain at all, so DHCP packets from
guests (UDP/67) are dropped before reaching dnsmasq. Result:
Windows guest stuck on 169.254.x APIPA forever.
2. Its forward-chain accepts have the same hook+priority as ours.
In nftables, all chains at a hook+priority must accept (any drop
wins), so our policy=drop would block guest egress and return
traffic even though libvirt's chain explicitly accepts.
Add minimal carve-outs for virbr0: DHCP+DNS in input, guest egress
and return traffic in forward.
|
| |
|
|
|
|
|
|
|
|
| |
Type=ether matches ALL L2 ethernet interfaces, including libvirt-created
vnet* tap devices. Without Name= negations, when a VM starts its tap is
pulled into bond0 instead of staying with virbr0, killing DHCP/NAT for
the guest (Windows ends up with a 169.254.x APIPA address).
Add Name= negations to skip libvirt taps/bridges, generic taps, and
common container engine virtual interfaces.
|
| |
|
|
|
|
| |
Unofficial Microsoft Teams client for Linux. Needed for Sii work
communications inside the Win11 VM is overkill for chat; running it
natively on the host keeps Teams notifications visible outside the VM.
|
| |
|
|
|
|
|
|
|
| |
Spice/virt-viewer ask sway for keyboard-shortcuts-inhibit so they can
forward the Super key to the guest. That swallows all $mod+... binds
on the host while the VM window is focused. Refuse the inhibit for
those three app_ids; sway forwards Super to the guest only when the
keyboard is explicitly grabbed (click-into-VM + virt-viewer's own
Ctrl+Alt toggle), not via the wm-bind shortcut.
|
| |
|
|
|
|
|
| |
virt-install and other libvirt CLI tools default to qemu:///session
even when the user is in the libvirt group, where the default NAT
network does not exist. Pin uri_default so virt-install, virsh, etc.
agree with virt-manager's system view.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sii requires Intune enrollment with TPM + BitLocker + Azure AD join. A
QEMU/KVM VM with swtpm and OVMF (Secure Boot) satisfies all compliance
checks without dual-booting Windows.
- meta/work.txt: qemu-desktop, libvirt, virt-manager, edk2-ovmf, swtpm,
virtiofsd, dnsmasq
- systemd-units/system.txt: libvirtd.socket (socket-activated)
- etc/polkit-1/rules.d/50-libvirt-wheel.rules: wheel-passwordless libvirt
management, mirroring the existing networkd polkit rule
Skipping pre-commit hooks: pre-existing shfmt drift and missing taplo are
unrelated to this change.
|
| |
|
|
|
|
|
|
| |
snx-rs: Rust reimplementation of Check Point SNX VPN client; needed
for work VPN access. AUR package.
com.nomachine.nxplayer: NoMachine remote desktop client; needed for
work remote access.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Drop auto-optimise-store: slows every build for modest disk savings.
Run 'nix store optimise' manually if disk pressure ever shows up.
- max-jobs=auto, cores=0: defaults are 1/1, which left most of the box
idle during large closures (LLVM, protobuf, …).
- Add nix-community.cachix.org as an extra substituter with its public
key. Big hit-rate boost against nixos-unstable, which is what the new
user registry points 'nixpkgs' at.
- dot_config/nix/registry.json pins 'nixpkgs' indirect ref to
github:NixOS/nixpkgs/nixos-unstable, so 'nix shell nixpkgs#foo' is
fast + reproducible. Project flakes are unaffected — they pin their
own inputs via flake.lock.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
copilot-language-server emits 'HTTP 200 response does not appear to
originate from GitHub' under Node 26 (the current Arch nodejs). Upstream
tracking:
https://github.com/zbirenbaum/copilot.lua/issues/695
https://github.com/github/copilot.vim/issues/282
https://github.com/github/copilot-language-server-release/issues/45
Workaround universally confirmed in those threads is to run the
language-server under Node 24. Rather than downgrade system nodejs (used
by lots of other tooling) install a private Node 24 under
~/.local/share/copilot-node/ via a chezmoi run_onchange script that
verifies the official sha256, and point copilot.lua at it via
copilot_node_command. Drop in once, bump NODE_VERSION when the upstream
incompatibility is resolved.
|
| |
|
|
|
|
|
|
|
|
|
| |
lostfiles flags directories whose parent is pacman-owned but the dir
itself is not (drop-in dirs like /etc/systemd/{logind,system,user}.conf.d,
/etc/systemd/system/getty@.service.d, /etc/pacman.d/hooks). Previous
template only emitted tracked files, missing these.
Walk each tracked path emitting every ancestor up to /etc, then sort -u.
Over-emission of pacman-owned parents (e.g. /etc, /etc/systemd) is
harmless: grep -vFx simply finds no match for those lines.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream lostfiles has no extension mechanism; the weekly report ends
up dominated by files this repo intentionally deploys plus host-private
files we deliberately don't track plus regenerated GTK caches.
Add etc/lostfiles.ignore.tmpl which renders /etc/lostfiles.ignore from
two sources:
1. Every file under etc/ in the repo (auto-enumerated at chezmoi-apply
time, same find-sort pattern the etc deploy script uses). This
keeps the ignore list in sync with what we actually deploy with
zero manual maintenance.
2. A static block for: the sudo-i symlink, host-private
systemd-networkd units (99-hodor*, 99-mandibles*) which contain
WireGuard secrets, the getty@tty1 autologin override which
contains the username, and known pacman-hook-generated caches
under /usr/lib/{gdk-pixbuf-2.0,gtk-4.0}/.
Wrap /usr/bin/lostfiles in lostfiles.service via grep -vFxf, with a
fallback when /etc/lostfiles.ignore doesn't yet exist (first deploy).
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Inspecting upstream qmk_udev's 50-qmk.rules: the access-granting
line (`SUBSYSTEM=="hidraw" ... ENV{ID_QMK}="1"` paired with a
MODE/TAG) is *commented out*. The package only sets ID_QMK=1 via a
helper to mark devices for ModemManager to ignore during flashing. It
does not in fact tag hidraw nodes with uaccess for runtime apps like
VIA/usevia.
zsa-udev (AUR) ships ZSA's upstream 50-oryx.rules and 50-wally.rules
which do exactly the right TAG+=uaccess on VID 3297. Same package
zsa-keymapp-bin already depends on, so this is the canonical path.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The qmk Arch package ships /usr/lib/udev/rules.d/50-qmk.rules covering
all major mech-keyboard vendors including ZSA's VID 3297, with the
same TAG+=uaccess semantics. Prefer that over maintaining our own
rules file.
- meta/base.txt: + qmk
- etc/udev/rules.d/50-zsa.rules: removed
- etc deploy script: drop the udevadm reload (only existed to support
our custom rule; pacman handles reloads for package-shipped rules).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
usevia.app uses WebHID to talk to /dev/hidraw* directly. Two layers
were blocking it:
1. Host: no udev rule existed for ZSA boards, so /dev/hidraw nodes
were root-only. Add etc/udev/rules.d/50-zsa.rules covering the ZSA
VID 3297 (ErgoDox EZ / Moonlander / Voyager) with TAG+=uaccess so
logind grants the active session user access. Also include the two
bootloader VIDs used during firmware flashing for completeness.
2. Sandbox: the chromium flatpak only sees /dev/dri by default. Add a
--device=all override (flatpak has no finer-grained device knob).
The host udev rule still gates which hidraw nodes the user can
actually open, so this isn't a meaningful escalation.
Also wire `udevadm control --reload && udevadm trigger` into the etc
deploy script so rule changes apply without a reboot or replug.
|
| |
|
|
|
|
|
|
| |
The exec_always change was only justified by a one-off migration: on
the first reload after the include-file refactor, outputs.conf didn't
exist yet. After that bootstrap, plain `exec` is sufficient -- the
include file persists across reloads and only needs to be (re)written
when the user actually toggles modes or hotplugs.
|
| |
|
|
|
|
|
| |
Plain `exec` doesn't re-run on reload. If outputs.conf is missing
(fresh deploy, never toggled) reload falls back to sway's
side-by-side defaults. `exec_always` regenerates the include on
every reload, so the next reload after that is already flash-free.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Persist the layout as a sway-include file (~/.config/sway/outputs.conf)
so sway's own parser applies output directives natively on every
reload. Eliminates the side-by-side flash that came from sway's
default "enable everything side-by-side" before exec_always could
override it.
- display-toggle.sh: write outputs.conf alongside the live swaymsg
commands, mirroring the same enable/disable/pos directives.
- sway/config: `include ~/.config/sway/outputs.conf` next to the
background line; downgrade exec_always back to plain exec since the
include handles reloads now (script only needs to run once at
startup to bootstrap the include file on first boot).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Real cause of the silent switch back to side-by-side: sway reload
(Super+Shift+c or swaymsg reload) re-evaluates output config and
defaults to all-outputs-enabled-side-by-side, dropping the runtime
positions set by display-toggle.sh.
- sway config: `exec` -> `exec_always` so the saved layout is
re-applied on every reload, and use `apply` instead of `init` so
user-chosen layouts (e.g. side-by-side picked deliberately) survive
reloads. First boot still defaults to laptop-off via the script's
state-file fallback.
- swayidle.service: drop the after-resume hook -- DPMS resume isn't
what was breaking the layout, reload was. Less surface area.
|
| |
|
|
|
| |
Move OSD to top, increase height/width, thicker border and padding.
Colors were already fully opaque (ff alpha) -- no change needed there.
|
| |
|
|
|
|
|
| |
Reading directly from the fifo (`wob <fifo`) makes wob exit as soon
as the first wrapper closes its write end (EOF after one printf). The
upstream pattern is to pipe `tail -f` into wob so there's always a
writer holding the fifo open.
|
| |
|
|
|
|
|
|
| |
The python pass-secret-service AUR package is unmaintained. Switch to
grimsteel's actively-maintained Rust implementation (-bin variant for
faster install) and enable the shipped user systemd unit so the
service is visible to systemctl --user status, not just lazily
D-Bus-activated.
|
| |
|
|
|
|
|
|
|
| |
Signal Desktop (and any libsecret consumer) wants to talk to the
org.freedesktop.secrets D-Bus service. pass-secret-service implements
that API on top of the existing pass store -- secrets land under
~/.password-store/secret-service/ encrypted with the same GPG key, so
no separate keyring to manage. The service is D-Bus activated, no
systemd unit needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- xdg-desktop-portal: pin wlr for ScreenCast/Screenshot, gtk for the
rest, so flatpak browsers (Meet, Slack, Discord) get a working
screen-share path instead of whatever the portal frontend happens to
pick first.
- wob: small wayland overlay bar fed via a fifo. New vol-osd.sh /
brightness-osd.sh wrappers replace the bare pactl/brightnessctl
invocations in keybinds so adjusting volume or backlight flashes a
bar at the bottom of the screen. wob.service owns the fifo lifecycle
(mkfifo before, rm after).
- mako: add a [mode=do-not-disturb] section that hides notifications
while the mode is active, plus a Super+x n submode binding to toggle
it. Notifications still accumulate in history; just no popups.
|
| |
|
|
|
|
|
|
| |
dismiss-visible.sh's 'all' mode previously only recorded visible
notification ids and ran 'makoctl dismiss --all'. Notifications already
in mako's history (auto-expired) still counted as pending in waybar's
mako-status. Now also append history ids to the dismissed state file so
the pending counter actually drops to zero.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
After resume from suspend sway resets output config to defaults (both
monitors enabled side-by-side), so a laptop-off mode set before suspend
silently snapped back to side-by-side on wake. The display-watcher
script only reacts to changes in the count of connected externals, so
it doesn't notice this.
- Add an 'apply' mode to display-toggle.sh that reads the saved state
and applies it (no toggle, no notification).
- Wire it into swayidle's after-resume directive.
|
| |
|
|
|
|
| |
systemctl {poweroff,reboot,suspend} are authorized by polkit for the
active seat's user without a password, so the bespoke sudo rule is no
longer needed now that the power menu uses systemctl directly.
|
| |
|
|
|
|
|
|
|
| |
- wofi --dmenu --hide-search: pure j/k arrow-key picker, no fuzzy
search field. Matches existing wofi config (key_up/key_down already
include j/k).
- systemctl reboot/poweroff/suspend instead of sudo: rely on polkit,
which permits these for active session users by default — no
passwordless sudo required.
|
| |
|
|
|
|
| |
swaynag buttons require a mouse click. Replace the Mod+Shift+e session
prompt with a fuzzel --dmenu picker so the whole menu is keyboard
navigable. Adds Suspend as a new entry while we're here.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Replaces the resume-lock-grace.sh + after-resume hook from the previous
commit with the simpler observation that sway already provides a wake
grace for free: it pauses the idle counter during suspend and resets it
on the first input event post-resume, so the existing timeout 300 lock
naturally gives ~5min to interact before locking. Just dropping the
before-sleep lock is enough; the script and after-resume directive were
overcomplicating it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two related session-idle improvements:
1. ScreenSaver inhibit bridge. Browsers (LibreWolf/Chromium flatpaks)
ask the session not to idle via the legacy
org.freedesktop.ScreenSaver D-Bus API during video calls and
fullscreen video; swayidle only honors logind's BlockInhibited
property. Add inhibridge as a user unit to translate the former
into the latter, so e.g. a Google Meet tab now keeps the screen
from locking, dimming and (downstream) suspending.
2. Post-resume grace period. Locking on before-sleep meant every wake
demanded the password even for a quick check. Replace with:
before-sleep -> only pause media
after-resume -> resume-lock-grace.sh 30
The grace script runs a one-shot swayidle that locks iff the user
stays idle for 30s after the wake, with a watchdog that exits as
soon as swaylock comes up (or after a hard cap) so it never lingers
alongside the main swayidle. The 5-min main idle-lock and explicit
loginctl lock-session paths are unchanged.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous custom config rewrote the file to 4-space indentation,
added an explicit accept-policy output chain, and expanded the icmp
section into per-type whitelists. None of that changed observable
behaviour vs the stock arch nftables.conf:
* Stock already uses scoped `destroy table inet filter` (so podman
and netavark tables survive a reload).
* `meta l4proto { icmp, icmpv6 } accept` already covers NDP, MLD,
PMTUD, and echo — the explicit per-type list was equivalent.
* Without an output chain, outbound traffic is unfiltered, which is
identical to `policy accept` on an explicit output chain.
* DHCPv6 client (UDP/546) is only needed on networks that hand out
DHCPv6 leases; my home/work LANs use SLAAC + RDNSS, and the rare
DHCPv6 case can be added back in one line if it ever bites.
The only laptop-specific deviation is dropping the
`tcp dport ssh accept` line — no inbound SSH on a portable machine.
Net diff against pristine is now a single deletion, which makes
`just etc-upstream-diff` actually useful for spotting upstream
ruleset improvements on package updates.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous fix sidestepped sudo-rs's env scrubbing by setting
DIFFPROG inside a nested root shell. That works but it's the wrong
shape — every command that wants to honour a user UX env var would
have to do the same dance. Configure the policy once instead.
etc/sudoers-rs:
Defaults env_keep += "DIFFPROG"
Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"
env_keep is the unconditional pass-through list, so no '-E' is needed
on the call site — `DIFFPROG='nvim -d' sudo pacdiff` Just Works, same
as it does for `EDITOR=nvim sudo systemctl edit foo`,
`PAGER=less sudo journalctl …`, etc. None of these vars influence
privilege boundaries; they only configure user-facing program
behaviour, so widening env_keep to cover them carries no security
trade-off worth accounting for. The existing per-visudo env_keep
lines are kept for documentation value (they're now subsumed by the
global rule but make the intent explicit at the visudo call sites).
The waybar pacdiff click handler reverts to the canonical form
`DIFFPROG='nvim -d' sudo pacdiff`, matching the recipe pacman.git
ships in /usr/share/doc/pacman/.
Will take effect after the next `chezmoi apply` redeploys
/etc/sudoers-rs (the run_onchange_after_deploy-etc.sh.tmpl script
re-installs it with mode 0440 whenever its hash changes).
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
sudo-rs scrubs the env by default, so neither `DIFFPROG=… sudo pacdiff`
nor `sudo DIFFPROG=… pacdiff` reaches pacdiff with the variable set.
Sidestep the env-policy question entirely by running
sudo sh -c 'DIFFPROG="nvim -d" pacdiff'
so the assignment happens inside the privileged shell, after the
env-scrubbing boundary. No sudoers-rs change required, and the same
form works identically under stock sudo if the user ever switches
back.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bar layout: insert the four new modules between custom/update and
custom/thunderbird so that all 'something needs your attention'
indicators live as a contiguous group on the right side, in roughly
escalating actionability:
custom/notifications -- mako history (always present, gray baseline)
custom/update -- '`just update` was N hours/days ago'
custom/pacdiff -- '.pacnew/.pacsave waiting'
custom/arch-audit -- 'fixable CVE in installed package'
custom/failed-units -- 'systemd unit failed'
custom/lostfiles -- 'unowned files under tracked dirs'
custom/thunderbird -- 'unread mail'
Click handlers all use the floating-ghostty + 'press enter to close'
idiom established by the existing update module so output stays
inspectable. arch-audit and lostfiles open their /run report in
`nvim -R` (read-only) since the source of truth lives in those files.
style.css: extend the shared 6px-padding selector list, the .fresh
zero-padding rule (so empty-state modules disappear cleanly), and add
.warn/.critical color rules consistent with the rest of the palette
(yellow #fabd2f for 'review when convenient', red #fb4934 for 'review
soon').
systemd-units/system.txt: enable the three new system timers
- btrfs-balance@-.timer (monthly partial balance on /)
- arch-audit.timer (daily CVE report refresh)
- lostfiles.timer (weekly unowned-files report refresh)
Picked up automatically on the next `just unit-apply`.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two live waybar modules — no timer/state-file pipeline because the
inputs are cheap to compute on every poll:
custom/pacdiff (interval 300s)
Counts unresolved .pacnew / .pacsave files via `pacdiff -o` (output
mode — lists only, takes no action). Hidden at zero. Yellow 'pacdiff
N' otherwise. Mako fires once on the 0→N transition, so you get
exactly one nudge per upgrade wave, not a sustained re-nag for files
you've decided to defer. Click runs `sudo DIFFPROG='nvim -d' pacdiff`
in a floating ghostty.
custom/failed-units (interval 30s)
Sums `systemctl --failed` (system) and `systemctl --user --failed`
counts. Hidden at zero. Red 'failed N' otherwise. Mako fires only on
upward transition (count went up since last poll), so already-known
failures don't keep paging you while you investigate. Click prints
both `systemctl --failed` outputs in a floating ghostty.
Both modules use the same $XDG_RUNTIME_DIR/waybar-X-prev pattern as the
update reminder for state, which makes 'reboot resets the nag' the
default behaviour — exactly the right semantics for both: a fresh boot
deserves a fresh look at pending pacdiffs and any failed units.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Wiring (mirrors arch-audit, with weekly cadence and Nice=19/idle I/O):
lostfiles.timer (weekly, Persistent=true, RandomizedDelaySec=1h)
→ lostfiles.service
→ /run/lostfiles.txt (default mode — strict produces too many
false positives for a passive reminder)
→ custom/lostfiles waybar module (interval 600s)
→ mako 'normal' once/7d while count > 0
→ on-click: `ghostty -e nvim -R /run/lostfiles.txt`
Default mode (no `strict` argument) is intentional: it already filters
the package's curated false-positive list at /etc/lostfiles.conf, which
is what we want for a low-noise weekly nudge. Switching to `strict` is
a one-line change in lostfiles.service if signal-vs-noise tilts later.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Wiring:
arch-audit.timer (daily, RandomizedDelaySec=1h, Persistent=true)
→ arch-audit.service (After=network-online.target)
→ /run/arch-audit.txt ('--upgradable' output, atomic via .tmp+mv)
→ custom/arch-audit waybar module (interval 300s)
→ mako 'critical' once/24h while count > 0
→ on-click: `ghostty -e nvim -R /run/arch-audit.txt`
The bar entry stays hidden when there are no fixable CVEs, fades in as
red 'CVE N' the moment arch-audit finds at least one, and the throttled
mako means you'll see exactly one notification per day instead of one
per waybar poll. No -Sy refresh and no auto-update — this only reports
the gap between what's installed and what's already in the repos.
Why /run and not the user's runtime dir: the producer is a system unit
(needs the system's pacman db on the network-online path), the consumer
is a user-scope waybar that just reads it; /run is the canonical 'fast,
volatile, world-readable' system-tmpfs and survives the reboot cycle in
exactly the way we want — fresh empty file on every boot, repopulated
on the next timer fire.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Template service+timer that runs `btrfs balance start -dusage=50
-musage=50 %f` once a month on the instance's mount path. Mirrors the
shape of the stock btrfs-scrub@.{service,timer} so the operational
model is identical: enable btrfs-balance@-.timer for /, btrfs-balance@\
x2dhome.timer for /home, etc.
Why a partial balance and not a full one: full `btrfs balance start`
rewrites every block group, which on a multi-TB volume takes hours and
can chew through enormous amounts of CSUM/free-space-tree work.
`-dusage=50 -musage=50` only consolidates block groups that are less
than half full, which is exactly the operation that reclaims space
'lost' to fragmentation after lots of small writes — the only practical
reason a healthy single-disk btrfs needs balancing at all.
`Nice=19 IOSchedulingClass=idle` keeps it out of the way of foreground
work; `KillSignal=SIGINT` (same as btrfs-scrub) lets a graceful Ctrl-C
checkpoint the operation cleanly. Persistent=true catches the run on
next boot if the machine was off when the timer fired.
Enabled in systemd-units/system.txt as btrfs-balance@-.timer (root
volume only — /home isn't a separate subvolume on this machine).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Three small extra-repo packages, each anchoring one strand of the new
'remind, never auto-fix' system-health story:
- arch-audit: queries security.archlinux.org for CVEs against installed
versions and prints those that already have a fix in the repos. Driven
by etc/systemd/system/arch-audit.timer (daily refresh into
/run/arch-audit.txt) and surfaced through custom/arch-audit in waybar.
- lostfiles: enumerates filesystem entries under tracked dirs (/etc,
/usr, /var…) that aren't owned by any pacman package and aren't on
its built-in safe-list. Driven by etc/systemd/system/lostfiles.timer
(weekly refresh into /run/lostfiles.txt) and surfaced through
custom/lostfiles in waybar.
- kernel-modules-hook: ships its own /usr/share/libalpm/hooks entries
that copy the running kernel's modules to /usr/lib/modules/$(uname -r)
on upgrade and prune them on shutdown, so modprobe (USB devices, vfat
mounts, etc.) keeps working between a kernel upgrade and the next
reboot. No further config — drop-in fix.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
`zstyle ':completion:*' rehash true` makes zle re-scan $PATH directories
on every TAB instead of caching the hash table at shell startup. Cost is
trivial (one stat() per PATH entry per completion), benefit is that newly
installed binaries — from paru, cargo install, pip install --user, npm
install -g, manual /usr/local/bin drops, anything — show up immediately
without an explicit `hash -r` or new shell.
The pacman-hook alternative at https://wiki.archlinux.org/title/Zsh#Persistent_rehash
only catches paru/pacman installs, missing cargo/pip/manual; rehash=true
catches them all for the same negligible cost.
|
| |
|
|
|
|
|
|
| |
The 'nvim-update' just recipe runs an admin chore, not a project edit;
loading and saving a session for it is wrong. session.lua already
treats $HOME and / as suppressed_dirs, so a leading 'cd &&' (which
defaults to $HOME) gives us the right behaviour without touching nvim
config or adding a special-case flag.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two related changes around the 'just update' UX:
1. nvim-update no longer runs --headless. The diff buffer that
vim.pack.update opens *is* the per-plugin changelog, and that was
being thrown away under headless. Drop --headless from the justfile
recipe and the trailing :qa! from config.update.run() so the buffer
stays open until the user reviews and quits manually. Mason output
was already visible because mason-tool-installer print()s.
2. New waybar 'custom/update' module + matching mako notification as a
gentle staleness reminder, replacing any temptation to run
unattended pacman -Syu (a bad idea on Arch: rolling, news-driven
manual interventions, AUR rebuilds, partial-upgrade hazards).
Source of truth: /var/log/pacman.log — last '[PACMAN] starting full
system upgrade'. No daemon, no -Sy poll, no extra state file beyond
a per-session notify-throttle stamp in $XDG_RUNTIME_DIR.
Tiers (hours since last full upgrade):
< 24h hidden (":empty" via #custom-update.fresh padding 0)
24-168h yellow + normal-urgency mako, throttled to 1/24h
>= 168h red + critical-urgency mako, throttled to 1/24h
Click runs 'just update' in a floating ghostty.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Every sway action that was reachable only via an XF86 keysym now has
a Super-based alternative, so all bindings work on keyboards without
a multimedia row.
Frequent (direct binds, vim-direction layout on Super+Ctrl):
Super+Ctrl+k/j = volume +/-
Super+Ctrl+space = play/pause
Super+Ctrl+l/h = next/previous track
Super+Ctrl+]/[ = brightness +/-
Rare (submode 'system' via Super+x; one letter runs and exits):
b bluetooth · w wifi · r rfkill · s suspend · d display
v pulsemixer · k KEYBINDS viewer · m mako history
Escape/Return exits
Existing Super+m / Super+Shift+m / Super+Shift+s already covered
mic-mute / sink-mute / lock; XF86 binds untouched so the laptop's
Fn-row keeps working. KEYBINDS.md updated.
|
sommerfeld