| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
Pure formatter output from shfmt (2-space indent, '|' line breaks),
prettier (KEYBINDS.md), and 'just fmt' (justfile blank line).
No behavior change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSH-format signing
home.nix:
- Add zoxide (fixes 'command not found' on shell start), clang-tools
(no compiler driver), nodejs (Mason npm LSPs), uv (Mason python LSPs;
does not install python3 in PATH, so Ubuntu's /usr/bin/python3 stays
the system default), claude-code, github-copilot-cli.
- Refine the leaf-tools policy comment: explicit denylist of build-
toolchain binaries that would shadow Ubuntu's via PATH, plus a
carve-out for editor/AI runtimes (node, uv, clang-tools).
- Symlink ~/.config/git/{config,attributes,ignore} and ~/.ssh/config
from the dotfiles tree.
dot_config/zsh/dot_zshrc: guard direnv/zoxide/fzf inits with
'command -v X >/dev/null &&' so a fresh machine without one of them
no longer prints a stderr error on every shell start.
dot_config/git/config: append unconditional '[include] path =
~/.config/git/config.local' for machine-local overrides (used on the
remote-dev VM to switch to SSH-format signing via the forwarded
agent). Git silently skips missing include files.
remote-dev/README.md: document the update flow (config-only vs HM
rebuild), the single-shell leaf-tools policy, and the one-time VM
setup for SSH-format commit signing (allowed_signers + config.local,
ForwardAgent yes on the host).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set mako default-timeout=0 so notifications stay until acted upon. With
auto-timeout off, mako's list IS the pending set, so the
$XDG_RUNTIME_DIR/mako-dismissed bridge becomes dead weight.
- mako/config: default-timeout=0; drop redundant [urgency=critical]
default-timeout=0 override.
- Delete dismiss-visible.sh and restore-pending.sh; sway calls makoctl
directly (Mod+n=dismiss, Mod+Shift+n=dismiss --all,
Mod+Ctrl+n=restore as undo).
- Shrink mako-status.sh to a 20-line counter of makoctl list.
- Rename mako-history.py -> notification-picker.py; lists only
visible, dismisses via makoctl dismiss -n <id>.
- Update waybar config.jsonc on-click path.
- Update KEYBINDS.md wording (no more 'marks seen' / 'pending set').
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New remote-dev/ subdir with a Home-Manager flake that provisions a
headless dev environment on a remote Ubuntu 22.04 VM accessed via SSH.
Shares nvim, zellij, zsh, direnv, and ghostty configs from the same
dotfiles repo via mkOutOfStoreSymlink (no rebuilds on config edits).
CLI tool set mirrors the dev-tool subset of meta/base.txt; sysadmin
tools (procs, gdu, duf), lazygit, and node/yarn (only needed for
markdown-preview on GUI hosts) are excluded.
bootstrap.sh is one-shot: installs Nix via Determinate Systems
installer, clones the repo to ~/.local/share/dotfiles, runs
home-manager switch, and chshes to the nix-store zsh.
dot_config/zsh/dot_zshrc loses its hardcoded Arch plugin/git-prompt
paths in favour of a fallback search: Arch path first, then
$HOME/.nix-profile/share/. Same file works on host and VM.
.chezmoiignore: exclude remote-dev/ from chezmoi deploy on the host.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remote hosts without xterm-ghostty terminfo print 'xterm-ghostty: unknown
terminal type' on connect. Ghostty's shell integration ships two features
for this:
- ssh-terminfo: pipes `infocmp -x xterm-ghostty` to the remote and
installs it under ~/.terminfo on first connect, permanently fixing TERM
recognition on hosts where you have a writable home.
- ssh-env: falls back to TERM=xterm-256color (plus COLORTERM=truecolor and
TERM_PROGRAM=ghostty) for the ssh subprocess, so hosts where terminfo
install fails or home is read-only still get sane defaults.
Both required shell-integration to be on, which it already is (zsh).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Vanilla sway only has splith/splitv with no auto-orientation, so new
windows always split along whatever axis the parent container is set
to (default splith). The result: opening a third window in a workspace
that's already split horizontally just keeps stacking horizontally,
even when each pane is now narrower than it is tall.
swayr's daemon (swayrd) subscribes to sway IPC and, with
[layout].auto_tile = true, issues splith or splitv on the focused
container based on its width-vs-height before sway places the next
window. The result is the i3/awesome-style spiral tiling: each new
window splits the focused pane along its longest side.
Run swayrd as a systemd user service bound to sway-session.target so
it starts/stops with the session (matching the pattern used by
waybar, swayidle, mako, etc.). No keybind changes; only the placement
algorithm.
|
| |
|
|
|
|
|
| |
librewolf was migrated from a native package to the flatpak
io.gitlab.librewolf-community in commit f5796c7; the $mod+Shift+b
binding still called the native binary, so the keybind silently did
nothing. Use 'flatpak run' instead.
|
| |
|
|
|
|
|
|
|
| |
Spice/virt-viewer ask sway for keyboard-shortcuts-inhibit so they can
forward the Super key to the guest. That swallows all $mod+... binds
on the host while the VM window is focused. Refuse the inhibit for
those three app_ids; sway forwards Super to the guest only when the
keyboard is explicitly grabbed (click-into-VM + virt-viewer's own
Ctrl+Alt toggle), not via the wm-bind shortcut.
|
| |
|
|
|
|
|
| |
virt-install and other libvirt CLI tools default to qemu:///session
even when the user is in the libvirt group, where the default NAT
network does not exist. Pin uri_default so virt-install, virsh, etc.
agree with virt-manager's system view.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Drop auto-optimise-store: slows every build for modest disk savings.
Run 'nix store optimise' manually if disk pressure ever shows up.
- max-jobs=auto, cores=0: defaults are 1/1, which left most of the box
idle during large closures (LLVM, protobuf, …).
- Add nix-community.cachix.org as an extra substituter with its public
key. Big hit-rate boost against nixos-unstable, which is what the new
user registry points 'nixpkgs' at.
- dot_config/nix/registry.json pins 'nixpkgs' indirect ref to
github:NixOS/nixpkgs/nixos-unstable, so 'nix shell nixpkgs#foo' is
fast + reproducible. Project flakes are unaffected — they pin their
own inputs via flake.lock.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
copilot-language-server emits 'HTTP 200 response does not appear to
originate from GitHub' under Node 26 (the current Arch nodejs). Upstream
tracking:
https://github.com/zbirenbaum/copilot.lua/issues/695
https://github.com/github/copilot.vim/issues/282
https://github.com/github/copilot-language-server-release/issues/45
Workaround universally confirmed in those threads is to run the
language-server under Node 24. Rather than downgrade system nodejs (used
by lots of other tooling) install a private Node 24 under
~/.local/share/copilot-node/ via a chezmoi run_onchange script that
verifies the official sha256, and point copilot.lua at it via
copilot_node_command. Drop in once, bump NODE_VERSION when the upstream
incompatibility is resolved.
|
| |
|
|
|
|
|
|
| |
The exec_always change was only justified by a one-off migration: on
the first reload after the include-file refactor, outputs.conf didn't
exist yet. After that bootstrap, plain `exec` is sufficient -- the
include file persists across reloads and only needs to be (re)written
when the user actually toggles modes or hotplugs.
|
| |
|
|
|
|
|
| |
Plain `exec` doesn't re-run on reload. If outputs.conf is missing
(fresh deploy, never toggled) reload falls back to sway's
side-by-side defaults. `exec_always` regenerates the include on
every reload, so the next reload after that is already flash-free.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Persist the layout as a sway-include file (~/.config/sway/outputs.conf)
so sway's own parser applies output directives natively on every
reload. Eliminates the side-by-side flash that came from sway's
default "enable everything side-by-side" before exec_always could
override it.
- display-toggle.sh: write outputs.conf alongside the live swaymsg
commands, mirroring the same enable/disable/pos directives.
- sway/config: `include ~/.config/sway/outputs.conf` next to the
background line; downgrade exec_always back to plain exec since the
include handles reloads now (script only needs to run once at
startup to bootstrap the include file on first boot).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Real cause of the silent switch back to side-by-side: sway reload
(Super+Shift+c or swaymsg reload) re-evaluates output config and
defaults to all-outputs-enabled-side-by-side, dropping the runtime
positions set by display-toggle.sh.
- sway config: `exec` -> `exec_always` so the saved layout is
re-applied on every reload, and use `apply` instead of `init` so
user-chosen layouts (e.g. side-by-side picked deliberately) survive
reloads. First boot still defaults to laptop-off via the script's
state-file fallback.
- swayidle.service: drop the after-resume hook -- DPMS resume isn't
what was breaking the layout, reload was. Less surface area.
|
| |
|
|
|
| |
Move OSD to top, increase height/width, thicker border and padding.
Colors were already fully opaque (ff alpha) -- no change needed there.
|
| |
|
|
|
|
|
| |
Reading directly from the fifo (`wob <fifo`) makes wob exit as soon
as the first wrapper closes its write end (EOF after one printf). The
upstream pattern is to pipe `tail -f` into wob so there's always a
writer holding the fifo open.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- xdg-desktop-portal: pin wlr for ScreenCast/Screenshot, gtk for the
rest, so flatpak browsers (Meet, Slack, Discord) get a working
screen-share path instead of whatever the portal frontend happens to
pick first.
- wob: small wayland overlay bar fed via a fifo. New vol-osd.sh /
brightness-osd.sh wrappers replace the bare pactl/brightnessctl
invocations in keybinds so adjusting volume or backlight flashes a
bar at the bottom of the screen. wob.service owns the fifo lifecycle
(mkfifo before, rm after).
- mako: add a [mode=do-not-disturb] section that hides notifications
while the mode is active, plus a Super+x n submode binding to toggle
it. Notifications still accumulate in history; just no popups.
|
| |
|
|
|
|
|
|
| |
dismiss-visible.sh's 'all' mode previously only recorded visible
notification ids and ran 'makoctl dismiss --all'. Notifications already
in mako's history (auto-expired) still counted as pending in waybar's
mako-status. Now also append history ids to the dismissed state file so
the pending counter actually drops to zero.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
After resume from suspend sway resets output config to defaults (both
monitors enabled side-by-side), so a laptop-off mode set before suspend
silently snapped back to side-by-side on wake. The display-watcher
script only reacts to changes in the count of connected externals, so
it doesn't notice this.
- Add an 'apply' mode to display-toggle.sh that reads the saved state
and applies it (no toggle, no notification).
- Wire it into swayidle's after-resume directive.
|
| |
|
|
|
|
|
|
|
| |
- wofi --dmenu --hide-search: pure j/k arrow-key picker, no fuzzy
search field. Matches existing wofi config (key_up/key_down already
include j/k).
- systemctl reboot/poweroff/suspend instead of sudo: rely on polkit,
which permits these for active session users by default — no
passwordless sudo required.
|
| |
|
|
|
|
| |
swaynag buttons require a mouse click. Replace the Mod+Shift+e session
prompt with a fuzzel --dmenu picker so the whole menu is keyboard
navigable. Adds Suspend as a new entry while we're here.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Replaces the resume-lock-grace.sh + after-resume hook from the previous
commit with the simpler observation that sway already provides a wake
grace for free: it pauses the idle counter during suspend and resets it
on the first input event post-resume, so the existing timeout 300 lock
naturally gives ~5min to interact before locking. Just dropping the
before-sleep lock is enough; the script and after-resume directive were
overcomplicating it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two related session-idle improvements:
1. ScreenSaver inhibit bridge. Browsers (LibreWolf/Chromium flatpaks)
ask the session not to idle via the legacy
org.freedesktop.ScreenSaver D-Bus API during video calls and
fullscreen video; swayidle only honors logind's BlockInhibited
property. Add inhibridge as a user unit to translate the former
into the latter, so e.g. a Google Meet tab now keeps the screen
from locking, dimming and (downstream) suspending.
2. Post-resume grace period. Locking on before-sleep meant every wake
demanded the password even for a quick check. Replace with:
before-sleep -> only pause media
after-resume -> resume-lock-grace.sh 30
The grace script runs a one-shot swayidle that locks iff the user
stays idle for 30s after the wake, with a watchdog that exits as
soon as swaylock comes up (or after a hard cap) so it never lingers
alongside the main swayidle. The 5-min main idle-lock and explicit
loginctl lock-session paths are unchanged.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous fix sidestepped sudo-rs's env scrubbing by setting
DIFFPROG inside a nested root shell. That works but it's the wrong
shape — every command that wants to honour a user UX env var would
have to do the same dance. Configure the policy once instead.
etc/sudoers-rs:
Defaults env_keep += "DIFFPROG"
Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"
env_keep is the unconditional pass-through list, so no '-E' is needed
on the call site — `DIFFPROG='nvim -d' sudo pacdiff` Just Works, same
as it does for `EDITOR=nvim sudo systemctl edit foo`,
`PAGER=less sudo journalctl …`, etc. None of these vars influence
privilege boundaries; they only configure user-facing program
behaviour, so widening env_keep to cover them carries no security
trade-off worth accounting for. The existing per-visudo env_keep
lines are kept for documentation value (they're now subsumed by the
global rule but make the intent explicit at the visudo call sites).
The waybar pacdiff click handler reverts to the canonical form
`DIFFPROG='nvim -d' sudo pacdiff`, matching the recipe pacman.git
ships in /usr/share/doc/pacman/.
Will take effect after the next `chezmoi apply` redeploys
/etc/sudoers-rs (the run_onchange_after_deploy-etc.sh.tmpl script
re-installs it with mode 0440 whenever its hash changes).
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
sudo-rs scrubs the env by default, so neither `DIFFPROG=… sudo pacdiff`
nor `sudo DIFFPROG=… pacdiff` reaches pacdiff with the variable set.
Sidestep the env-policy question entirely by running
sudo sh -c 'DIFFPROG="nvim -d" pacdiff'
so the assignment happens inside the privileged shell, after the
env-scrubbing boundary. No sudoers-rs change required, and the same
form works identically under stock sudo if the user ever switches
back.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bar layout: insert the four new modules between custom/update and
custom/thunderbird so that all 'something needs your attention'
indicators live as a contiguous group on the right side, in roughly
escalating actionability:
custom/notifications -- mako history (always present, gray baseline)
custom/update -- '`just update` was N hours/days ago'
custom/pacdiff -- '.pacnew/.pacsave waiting'
custom/arch-audit -- 'fixable CVE in installed package'
custom/failed-units -- 'systemd unit failed'
custom/lostfiles -- 'unowned files under tracked dirs'
custom/thunderbird -- 'unread mail'
Click handlers all use the floating-ghostty + 'press enter to close'
idiom established by the existing update module so output stays
inspectable. arch-audit and lostfiles open their /run report in
`nvim -R` (read-only) since the source of truth lives in those files.
style.css: extend the shared 6px-padding selector list, the .fresh
zero-padding rule (so empty-state modules disappear cleanly), and add
.warn/.critical color rules consistent with the rest of the palette
(yellow #fabd2f for 'review when convenient', red #fb4934 for 'review
soon').
systemd-units/system.txt: enable the three new system timers
- btrfs-balance@-.timer (monthly partial balance on /)
- arch-audit.timer (daily CVE report refresh)
- lostfiles.timer (weekly unowned-files report refresh)
Picked up automatically on the next `just unit-apply`.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two live waybar modules — no timer/state-file pipeline because the
inputs are cheap to compute on every poll:
custom/pacdiff (interval 300s)
Counts unresolved .pacnew / .pacsave files via `pacdiff -o` (output
mode — lists only, takes no action). Hidden at zero. Yellow 'pacdiff
N' otherwise. Mako fires once on the 0→N transition, so you get
exactly one nudge per upgrade wave, not a sustained re-nag for files
you've decided to defer. Click runs `sudo DIFFPROG='nvim -d' pacdiff`
in a floating ghostty.
custom/failed-units (interval 30s)
Sums `systemctl --failed` (system) and `systemctl --user --failed`
counts. Hidden at zero. Red 'failed N' otherwise. Mako fires only on
upward transition (count went up since last poll), so already-known
failures don't keep paging you while you investigate. Click prints
both `systemctl --failed` outputs in a floating ghostty.
Both modules use the same $XDG_RUNTIME_DIR/waybar-X-prev pattern as the
update reminder for state, which makes 'reboot resets the nag' the
default behaviour — exactly the right semantics for both: a fresh boot
deserves a fresh look at pending pacdiffs and any failed units.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Wiring (mirrors arch-audit, with weekly cadence and Nice=19/idle I/O):
lostfiles.timer (weekly, Persistent=true, RandomizedDelaySec=1h)
→ lostfiles.service
→ /run/lostfiles.txt (default mode — strict produces too many
false positives for a passive reminder)
→ custom/lostfiles waybar module (interval 600s)
→ mako 'normal' once/7d while count > 0
→ on-click: `ghostty -e nvim -R /run/lostfiles.txt`
Default mode (no `strict` argument) is intentional: it already filters
the package's curated false-positive list at /etc/lostfiles.conf, which
is what we want for a low-noise weekly nudge. Switching to `strict` is
a one-line change in lostfiles.service if signal-vs-noise tilts later.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Wiring:
arch-audit.timer (daily, RandomizedDelaySec=1h, Persistent=true)
→ arch-audit.service (After=network-online.target)
→ /run/arch-audit.txt ('--upgradable' output, atomic via .tmp+mv)
→ custom/arch-audit waybar module (interval 300s)
→ mako 'critical' once/24h while count > 0
→ on-click: `ghostty -e nvim -R /run/arch-audit.txt`
The bar entry stays hidden when there are no fixable CVEs, fades in as
red 'CVE N' the moment arch-audit finds at least one, and the throttled
mako means you'll see exactly one notification per day instead of one
per waybar poll. No -Sy refresh and no auto-update — this only reports
the gap between what's installed and what's already in the repos.
Why /run and not the user's runtime dir: the producer is a system unit
(needs the system's pacman db on the network-online path), the consumer
is a user-scope waybar that just reads it; /run is the canonical 'fast,
volatile, world-readable' system-tmpfs and survives the reboot cycle in
exactly the way we want — fresh empty file on every boot, repopulated
on the next timer fire.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
`zstyle ':completion:*' rehash true` makes zle re-scan $PATH directories
on every TAB instead of caching the hash table at shell startup. Cost is
trivial (one stat() per PATH entry per completion), benefit is that newly
installed binaries — from paru, cargo install, pip install --user, npm
install -g, manual /usr/local/bin drops, anything — show up immediately
without an explicit `hash -r` or new shell.
The pacman-hook alternative at https://wiki.archlinux.org/title/Zsh#Persistent_rehash
only catches paru/pacman installs, missing cargo/pip/manual; rehash=true
catches them all for the same negligible cost.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two related changes around the 'just update' UX:
1. nvim-update no longer runs --headless. The diff buffer that
vim.pack.update opens *is* the per-plugin changelog, and that was
being thrown away under headless. Drop --headless from the justfile
recipe and the trailing :qa! from config.update.run() so the buffer
stays open until the user reviews and quits manually. Mason output
was already visible because mason-tool-installer print()s.
2. New waybar 'custom/update' module + matching mako notification as a
gentle staleness reminder, replacing any temptation to run
unattended pacman -Syu (a bad idea on Arch: rolling, news-driven
manual interventions, AUR rebuilds, partial-upgrade hazards).
Source of truth: /var/log/pacman.log — last '[PACMAN] starting full
system upgrade'. No daemon, no -Sy poll, no extra state file beyond
a per-session notify-throttle stamp in $XDG_RUNTIME_DIR.
Tiers (hours since last full upgrade):
< 24h hidden (":empty" via #custom-update.fresh padding 0)
24-168h yellow + normal-urgency mako, throttled to 1/24h
>= 168h red + critical-urgency mako, throttled to 1/24h
Click runs 'just update' in a floating ghostty.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Every sway action that was reachable only via an XF86 keysym now has
a Super-based alternative, so all bindings work on keyboards without
a multimedia row.
Frequent (direct binds, vim-direction layout on Super+Ctrl):
Super+Ctrl+k/j = volume +/-
Super+Ctrl+space = play/pause
Super+Ctrl+l/h = next/previous track
Super+Ctrl+]/[ = brightness +/-
Rare (submode 'system' via Super+x; one letter runs and exits):
b bluetooth · w wifi · r rfkill · s suspend · d display
v pulsemixer · k KEYBINDS viewer · m mako history
Escape/Return exits
Existing Super+m / Super+Shift+m / Super+Shift+s already covered
mic-mute / sink-mute / lock; XF86 binds untouched so the laptop's
Fn-row keeps working. KEYBINDS.md updated.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Same substring blacklist (copilot, claude, codex, ...) is now also
applied to every Co-authored-by trailer in the commit message, not
just the author header. Agents commonly slip in via that route.
Trailers extracted with %(trailers:key=Co-authored-by,valueonly,
unfold,separator=%x1f) and split in awk on \037, which can't appear
in identity strings, so the tab-delimited record format stays
unambiguous.
To fix a flagged trailer use git commit --amend / interactive rebase
to drop the Co-authored-by line; --reset-author won't help here.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Block commits where the author name/email contains any of:
copilot, claude, codex, chatgpt, cursor, aider, devin, [bot],
@openai., @anthropic.
Use plain index() substring matching in awk to dodge regex-escaping
pitfalls (an earlier draft using regex turned \[bot\] into a char
class via -v escape processing and false-matched 'o' in 'com').
Fix: rebase with --reset-author re-stamps you as author while
keeping the agent as it was (or drop them entirely). Documented in
the failure message.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Now flags any commit whose committer name+email doesn't match the
local user.name / user.email (which respects the includeIf rules in
~/.config/git/config, so per-tree work/personal identities work).
Author is left free: pulling someone else's commit and rebasing it
locally re-stamps the committer to you, satisfies this gate, and the
original author is preserved in the commit metadata.
Both checks (signature + committer) run in one rev-list pass with
tab-separated fields so awk parses unambiguously.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Activated via core.hooksPath = ~/.config/git/hooks in the global
git config. The hook walks each ref being pushed (range: remote..local
or, for new branches, local --not --remotes) and checks %G? on every
commit. Accepts G/U/X/Y (good signature variants), rejects N/B/E/R
(no signature, bad, missing key, revoked).
Bypass: git push --no-verify
This repo overrides hooksPath to .githooks/ for its just-check
pre-commit gate, so a thin .githooks/pre-push delegates to the global
hook to keep the policy enforced here too.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
VPN module:
- Pango markup colours the text directly so up/down is visually
unambiguous even without CSS classes (green shield up, dim
strikethrough down)
- .down also gets a faint red background tint for at-a-glance scan
Sway:
- Super+Shift+t -> floating ghostty with nvim editing a fresh
$XDG_RUNTIME_DIR/scratch-<epoch>.txt (auto-cleared on reboot via
tmpfs)
- Super+c -> floating ghostty with ipython (quick calculator /
python scratch)
KEYBINDS.md updated.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
waybar:
- cpu / custom/memory: on-click opens floating ghostty with htop
- new custom/vpn module between custom/memory and network#bond:
shows 'VPN' coloured by interface UP flag (green up, dim down);
on-click toggles networkctl up/down hodor; SIGRTMIN+8 used for
instant refresh after toggle
sway:
- Super+Shift+Return -> ghostty -e yazi
- Super+Shift+b -> librewolf
vpn-toggle.sh runs networkctl (no sudo) thanks to a new polkit rule
allowing wheel-group members to invoke org.freedesktop.network1.*
without a password prompt. systemd-networkd's polkit gate is a
separate path from sudoers, so this is the idiomatic fix.
KEYBINDS.md updated for both new sway bindings.
|
| |
|
|
|
|
| |
After Enter copies+dismisses an entry, reopen the wofi window so the
remaining notifications can be processed without re-triggering the
keybind. Esc closes the loop.
|
| |
|
|
|
|
|
|
| |
wofi's key_custom_N only stages an exit code; it does not actually exit
on the keybind, so Alt-d alone did nothing visible. Drop the custom
keybind entirely and let Enter copy+dismiss in one stroke. Esc cancels.
Since dismissed entries are now hidden, walking the list with Enter is
a workable replacement for the dropped "dismiss without copy" path.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two behaviour changes:
- Hide entries that were previously dismissed via the picker (the
state file now acts as a hide-list, not a marker). The list shrinks
as you process it; no more grey ' ' rows clogging the view.
- Drop the secondary Alt-c custom key. wofi's '--define key_custom_N'
appears unreliable past N=0, so Alt-c and Alt-d both silently
failed. Reduce to a single custom slot (Alt-d) and remap actions:
Enter -> copy + dismiss (was: re-emit + mark seen)
Alt-d -> dismiss without copy
Re-emit was rarely useful given mako already shows the bubble on
arrival; copying is the common need.
KEYBINDS.md updated to reflect the new action set.
|
| |
|
|
|
| |
- Remove dot_copilot/ entirely (no longer needed).
- Run prettier on dot_config/clangd/config.yaml.
|
| |
|
|
|
|
|
| |
Pre-existing whitespace/style drift caught by `just check`. Touch
nothing semantic — pure formatter output (shfmt -i 2 -ci -s, ruff,
prettier, taplo). Excludes dot_config/clangd/config.yaml whose manual
indentation is intentionally preserved.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
doas's one-shot password and absent 'sudo -v' kept wasting hour-long
paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous
Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships
as default. We follow the Arch wiki 'Using sudo-rs without the sudo
package' recipe verbatim — no custom shims.
- meta/base.txt: -doas-sudo-shim +sudo-rs
- etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff
- etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file
- run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs
at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit,
su,visudo} → sudo-rs symlinks idempotently
- delete etc/doas.conf, dot_local/bin/{doasedit,sudo}
- zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/
pacdiff/ssys to call sudo
- justfile: s/doas/sudo/g (status/diff/restore helpers)
- nvim: rename :DoasWrite → :SudoWrite (uses sudo -S)
- sway config: reboot/poweroff buttons call sudo
- bootstrap.sh: update step-5 comment
- README/KEYBINDS/copilot-instructions: flip the privesc convention
No Defaults overrides: sudo's defaults (passwd_tries=3,
timestamp_timeout=5) already fix the doas pain, and paru SudoLoop
(kept) refreshes the 5-min window via real sudo -v.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The packaged doas-sudo-shim is just 'exec doas "$@"', which means
'sudo -v' (used by paru --sudoloop to keep the auth timestamp fresh
during long AUR builds) hits doas, which doesn't implement -v, and
the loop dies. Then when the build finally finishes and tries the real
install, the cached timestamp has long expired, so we reprompt — and
opendoas only allows one attempt before bailing, so a single mistype
throws an hour of compilation away.
Replace it (per-user, via $HOME/.local/bin precedence) with a shim
that translates:
-v -> doas true (refresh persist timestamp)
-k / -K -> doas -L (clear)
-E -H -i -S etc -> dropped (no doas equivalent)
rest -> doas "$@"
Then enable SudoLoop in paru.conf so the timestamp stays fresh.
|
| |
|
|
|
| |
Plain Unicode anchor renders via the system emoji font everywhere
instead of the nerd-font private-use-area glyph.
|
sommerfeld