| Commit message | Author | Age | Files | Lines |
Both apps support digital signatures via NSS — Okular through Poppler,
LibreOffice natively. Extend the pteid bridge to also register
libpteidpkcs11.so in their per-flatpak ~/.pki/nssdb (single shared DB,
unlike Mozilla's per-profile model).
Refactored the script around two helpers (apply_override, register_in_profile)
and two app tables (MOZILLA_APPS for per-profile, SHARED_NSS_APPS for
single-DB). register_in_profile auto-creates the NSS DB with certutil -N
if missing, since neither Okular nor LibreOffice initialise it on first run.
Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak,
mirroring the LibreWolf migration. Bubblewrap isolates the mail client from
the rest of $HOME (ssh keys, password store, gpg sockets); intra-process
isolation regression is real but minor (same tradeoff as the browser).
Three cross-sandbox glue points handled in repo:
- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from
~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate
over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so
cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges
external-editor-revived's native messaging host into the sandbox via
a flatpak-spawn --host wrapper + relocated manifest
Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered
by Flathub default permissions.
Manual one-shot migration on host (after pulling + just sync): close TB,
copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/,
chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop
x-scheme-handler/mailto. Once verified working, archive the old profile
via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.
Cartão de cidadão web authentication needs the libpteidpkcs11.so module
loaded into LibreWolf's NSS database. With both apps now sandboxed in
separate flatpaks, neither can see the other by default.
Add a chezmoi onchange script that, when both flatpaks are installed:
- Resolves the pt.gov.autenticacao install dir + .so path on the host
- Grants LibreWolf flatpak read-only filesystem access to that dir,
--socket=pcsc, and an LD_LIBRARY_PATH so the bundled deps (libxerces,
libcjose, etc.) resolve at dlopen time
- Registers the module in each LibreWolf NSS profile via modutil, with
the path rewritten to /run/host/... as seen from inside the sandbox
- Skips silently when LibreWolf is running (modutil would corrupt the DB)
Hash gate includes the pt.gov.autenticacao line from meta/flatpak.txt so
the override + registration auto-refresh on bundle bumps. Idempotent.
Also explicit pcsc-lite + ccid in meta/extra.txt — they were transitive
deps of the removed autenticacao-gov-pt-bin AUR package; pcscd.socket
in systemd-units/system/base.txt would otherwise fail to activate.
Move LibreWolf from native librewolf-bin to Flathub
io.gitlab.librewolf-community. Bubblewrap isolates the browser from
$HOME (.ssh, password-store, gnupg, ssh-agent socket) at the cost
of namespace chroot + IPC/network namespace isolation between content
processes (mozilla bug 1756236, P3, considered defense-in-depth).
seccomp-bpf — the dominant sandbox layer — is preserved.
- meta/flatpak.txt: + io.gitlab.librewolf-community
- meta/browser.txt: - librewolf-bin
- run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to
~/.var/app/io.gitlab.librewolf-community/.librewolf
- dot_config/mimeapps.list: librewolf.desktop -> flatpak app id
- dot_local/bin/executable_linkhandler: flatpak run wrapper
- README.md: blurb + new profile path
arkenfox-user.js + chezmoi user-overrides.js deploy keep working
unchanged because the flatpak profile is still on the host fs.
| |
Default-deny inbound, allow outbound. Scoped to 'inet filter' with
'destroy table' on reload so podman/netavark tables are preserved.
- meta/base.txt: add nftables
- systemd-units/system/base.txt: enable nftables.service
- etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6
essentials, DHCPv6 client, default-drop input/forward, accept output)
- etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route,
log_martians
- README.md: firewall section with reload caveat
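The laptop ruleset this commit describes, written out as an added example rather than the repo's own etc/nftables.conf; the chain names and the exact ICMP/ICMPv6 type lists are assumptions, and `destroy table` needs nftables 1.0.9+ (older versions use `delete table` guarded by a `table inet filter {}` declaration).

```nft
#!/usr/sbin/nft -f
# Added example, not the repository's file. Only 'inet filter' is torn down
# on reload, so tables created by podman/netavark are left untouched.
destroy table inet filter

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback and conntrack bookkeeping: drop invalid early, accept
        # return traffic for connections we opened.
        iif "lo" accept
        ct state invalid drop
        ct state { established, related } accept

        # ICMP essentials (v4): path MTU / errors and ping.
        icmp type {
            destination-unreachable, time-exceeded,
            parameter-problem, echo-request
        } accept

        # ICMPv6 essentials: errors, ping and the NDP messages a client
        # needs to get an address and find its router.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # DHCPv6 client: server (547) -> client (546) from link-local only.
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
    }

    chain forward {
        # Laptop, not a router: nothing is forwarded.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load with `nft -c -f /etc/nftables.conf` first to syntax-check, then `nft list table inet filter` after `systemctl reload nftables` to confirm only this table was replaced.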
| |
The old etc-status scanned all of /etc (pacman -Qkk for modified
backup configs, then 'find /etc | xargs pacman -Qo' for unowned
files), producing a discovery report of things we might want to
track. That was useful when seeding the repo but is slow and
misaligned with dotfiles-status, which only reports drift on files
chezmoi already manages.
Rewrite etc-status to mirror that model: iterate etc/, render .tmpl
sources, and cmp against the live /etc file. Report 'modified' or
'missing' per tracked path. Runs in under a second and matches the
semantics of 'just status'.
Drop the now-unused etc/.ignore and update README.
| |
Move the three existing files into systemd-units/system/ and seed
systemd-units/user/ with a .ignore stub. Teach the unit-* recipes a
user:/system: group-token prefix (bare names keep system semantics for
back-compat). unit-apply and unit-status now walk both scopes; user
units go through 'systemctl --user' (no sudo), system units via 'sudo
systemctl' as before. Soft-fail per unit preserved for both scopes.
Top-level add/forget dispatchers need no changes: the unit-extension
sniff already routes anything ending in .service/.timer/etc to
unit-*, and user:base passes through as the group token.
Docs updated in README.md and .github/copilot-instructions.md.
| |
- shfmt -i 2 -ci -s on the four updated shell scripts (tabs → 2 spaces)
- prettier --write on KEYBINDS.md and README.md
| |
Mirror the firefox/ pattern for Thunderbird:
- thunderbird/user.js: telemetry off, safe-browsing off, remote images
blocked, read receipts disabled, plain-text compose with flowed
wrap at 72, vertical pane, calendar on Monday start
- run_onchange_after_deploy-thunderbird.sh.tmpl: detects default
profile and copies tracked files in on any change
- meta/mail.txt: add thunderbird package (official repo)
- .chezmoiignore: exclude thunderbird/ from $HOME deployment
- README: mention Thunderbird + Bridge + Radicale stack
Accounts/credentials/mailbox data stay local per profile.
| |
Remove aerc, khal, khard, vdirsyncer from meta/mail.txt and delete their
configs (aerc/, vdirsyncer systemd override, aerc .desktop handler).
Point linkhandler mailto at xdg-open until a GUI client is set up.
Add systemd user unit for protonmail-bridge --noninteractive, tied to
graphical-session.target so it starts with the sway session.
| |
Track /etc/kernel/cmdline and enable default_uki/fallback_uki in
linux.preset. Remove create-efi helper (UKI is self-contained; only
needed once at install time). Update bootstrap to print the one-off
efibootmgr command instead of launching create-efi.
| |
Reflect the new DOMAIN-VERB scheme and shape dispatchers introduced in
the justfile refactor.
| |
Make the 'wheel user must already exist' prerequisite explicit with a
three-line useradd/passwd snippet, rather than leaving it implicit in
bootstrap.sh's preconditions.
| |
After 'just init' the script now:
- enables recommended systemd units that base.txt installs but nothing
was activating: fstrim.timer, systemd-timesyncd, systemd-resolved,
reflector.timer, paccache.timer, pkgstats.timer, acpid, cpupower, iwd
- enables tlp.service only when a battery is present
(/sys/class/power_supply/BAT*)
- refreshes the pacman mirrorlist via reflector using the already-
deployed /etc/xdg/reflector/reflector.conf
- runs xdg-user-dirs-update to create ~/Documents, ~/Downloads, etc.
Each step is soft-fail: warns and continues on failure rather than
aborting the whole bootstrap.
pacman.conf tuning is intentionally left out (should be managed via
chezmoi's etc/ pipeline). User creation is also out of scope; the
script continues to require the wheel user to exist beforehand, per
the Arch installation guide.
| |
Takes a minimal Arch system (only 'base' installed) to the point where
'just init' has run and dotfiles are deployed. Installs prerequisites
(sudo, git, base-devel, chezmoi, just, efibootmgr), enables %wheel in
sudoers, bootstraps paru-bin from the AUR, clones the repo, runs
'just init' (which swaps sudo for doas-sudo-shim via the existing base
meta list), and launches create-efi if no Arch EFI boot entry exists.
Designed to be curlable:
curl -fsSL https://raw.githubusercontent.com/sommerfelddev/dotfiles/master/bootstrap.sh | sh