| Commit message | Author | Age | Files | Lines |
Defense-in-depth for the cross-sandbox handoff vector: when the
LibreWolf/Thunderbird flatpaks open a downloaded PDF or video via the
OpenURI portal, the receiving app currently runs natively with full
$HOME access — defeating part of the browser/mail isolation.

- meta/flatpak.txt: add org.pwmt.zathura, io.mpv.Mpv
- meta/wayland.txt: drop native zathura + zathura-pdf-mupdf
- meta/media.txt: keep native mpv (streamlink, /tmp/mpvsocket IPC,
  fast yt-dlp) — flatpak mpv is *additional*, only as the mimeapps
  default for video/audio to receive sandboxed handoffs
- dot_config/mimeapps.list: rewrite mpv.desktop -> io.mpv.Mpv.desktop,
  zathura-pdf-mupdf.desktop -> org.pwmt.zathura.desktop, and replace
  stale userapp-Thunderbird-* entries with org.mozilla.Thunderbird.desktop
- run_onchange_after_deploy-flatpak-overrides.sh.tmpl (new):
  --filesystem=xdg-config/{zathura,mpv}:ro so the flatpaks read our
  chezmoi-managed configs as a single source of truth
- README: media row + new deploy-script row

Manual one-shot on host: chezmoi apply -v.

The pteid bridge already iterates a flatpak app list, so cartão de
cidadão remains correctly registered for the Mozilla flatpaks. Native
mpv config (input-ipc-server) keeps working since each flatpak has its
own /tmp; no socket collision.
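Added example, not part of the commit or the repository: a check that a receiving flatpak really lacks whole-$HOME access, which is what the handoff change above relies on. The function names `home_grants` and `audit_app` and both sample keyfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the repository): report whole-$HOME grants in
# Flatpak permission keyfiles, the format used by override files and by
# `flatpak info --show-permissions`.

# Reads a keyfile on stdin; prints each [Context] filesystems= entry
# that exposes the entire home directory ("home" or "host", any mode).
home_grants() {
  awk '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }
    in_ctx && /^filesystems=/ {
      sub(/^filesystems=/, "")
      n = split($0, e, ";")
      for (i = 1; i <= n; i++) {
        if (e[i] == "" || e[i] ~ /^!/) continue   # "!home" is a revocation
        path = e[i]
        sub(/:(ro|rw|create)$/, "", path)          # drop the access mode
        if (path == "home" || path == "host") print e[i]
      }
    }'
}

# Hypothetical helper: audit one installed app by feeding both its shipped
# permissions and the user overrides through home_grants. A grant in either
# source is reported; a later "!home" override is not netted out.
audit_app() {
  { flatpak info --show-permissions "$1"
    flatpak override --user --show "$1"; } 2>/dev/null | home_grants
}

# Constructed sample: a narrow read-only grant like the one the commit adds.
NARROW='[Context]
filesystems=xdg-config/zathura:ro;'

# Constructed sample: a permission set that would undo the isolation.
BROAD='[Context]
shared=ipc;
filesystems=home;xdg-run/pipewire-0;'

printf '%s\n' "$NARROW" | home_grants   # prints nothing
printf '%s\n' "$BROAD" | home_grants    # prints: home
```

On a host with the apps installed, `audit_app org.pwmt.zathura` and `audit_app io.mpv.Mpv` print nothing when neither source grants the whole home directory.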
|
Move LibreWolf from native librewolf-bin to Flathub
io.gitlab.librewolf-community. Bubblewrap isolates the browser from
$HOME (.ssh, password-store, gnupg, ssh-agent socket) at the cost
of namespace chroot + IPC/network namespace isolation between content
processes (mozilla bug 1756236, P3, considered defense-in-depth).
seccomp-bpf — the dominant sandbox layer — is preserved.

- meta/flatpak.txt: + io.gitlab.librewolf-community
- meta/browser.txt: - librewolf-bin
- run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to
  ~/.var/app/io.gitlab.librewolf-community/.librewolf
- dot_config/mimeapps.list: librewolf.desktop -> flatpak app id
- dot_local/bin/executable_linkhandler: flatpak run wrapper
- README.md: blurb + new profile path

arkenfox-user.js + chezmoi user-overrides.js deploy keep working
unchanged because the flatpak profile is still on the host fs.
|
Install Nix (multi-user daemon) on Arch and wire up direnv so any project
can declare its toolchain in a flake.nix and get a hermetic dev shell on
cd. No NixOS, no home-manager, no migration off paru/chezmoi — just one
new package manager scoped to project dev shells.

- meta/nix.txt: nix from extra repo
- meta/dev.txt: direnv (general-purpose, not nix-specific)
- systemd-units/system/nix.txt: nix-daemon.socket (socket-activated)
- etc/nix/nix.conf: enable flakes + nix-command, trusted-users=@wheel,
  auto-optimise-store, keep-outputs/derivations so direnv envs survive GC
- dot_config/direnv/direnvrc: load nix-direnv 3.1.1 via source_url with
  pinned sha256 (not packaged for Arch; refusing -git AUR)
- dot_config/nix/templates/{flake.nix,dev/}: flake template usable via
  'nix flake init -t ~/.config/nix/templates'
- dot_config/zsh/dot_zshrc: 'eval "$(direnv hook zsh)"'
|
The Bridge presents a self-signed cert on its 127.0.0.1:1025 STARTTLS
listener, so git send-email's default cert verification fails with
SSL_verify_cert. Setting smtpSslCertPath to empty disables chain
verification for this single, loopback-only endpoint.
Per https://git-send-email.io/#step-2 (Proton Bridge note).
|
Add a [sendemail] block targeting the local Bridge SMTP listener
(127.0.0.1:1025, STARTTLS) and a credential helper scoped to that URL
that fetches the password from pass (proton/bridge-smtp). The helper
command is public; the secret stays in the password store. The bridge
SMTP username (sensitive but not secret) goes in the per-identity
private overlay (~/doxfiles), not here.
Also pull in the Perl SMTP modules git send-email needs at runtime.
|
Push-to-talk dictation toggle on Super+i: parecord captures 16 kHz mono
WAV, whisper-cli transcribes (auto language), output is typed via wtype
and copied to the clipboard.
Region OCR on Super+Shift+o: slurp + grim feed tesseract (eng+por),
result lands in the clipboard with a notification preview.
Adds wtype to wayland.txt; tesseract (+eng/por data) and whisper.cpp +
the large-v3-turbo-q5_0 model package to extra.txt.
|
- xkb variant altgr-intl: AltGr dead keys + direct Euro on AltGr+5.
  Preserves bare ' " ` ~ ^ for code/shell.
- Compose on Right Ctrl (compose:rctrl). Leaves Right Alt for AltGr.
- New dot_XCompose with %L include + PT-PT guillemets, Euro, ordinals,
  em/en dashes, ellipsis.
- KEYBINDS.md: new Typing / Input section with AltGr + Compose cheatsheet.
|
- XF86Display replaces F7 for display-toggle.sh (dedicated HW key)
- XF86Tools opens floating pulsemixer (audio mixer TUI)
- XF86Keyboard opens KEYBINDS.md in glow (floating pager)
- XF86Favorites takes over mako history picker (from Super+Alt+n)

Adds generic [app_id="floating"] window rule so ghostty --class=floating
windows open floating. Adds glow to meta/base.txt.
|
tmux-style mnemonics. Bypasses NewPane's aspect-ratio auto-direction
which misfires on widescreens with pane_frames disabled.
|
Pair with the existing '$mod+w layout tabbed' to get a bspwm-like
monocle experience: one window visible, tabs along the top, status
bar intact. Cycle with Super+[ and Super+] (mimics browser tab
shortcuts).
|
The bridge opens the IMAP listener before the keyring is unlocked, so a
port-open check returns true while the server would still reject logins.
Probe for the '* OK' IMAP greeting (the bridge only sends it once it can
actually service logins) and add a 1s grace period for SMTP (1025) to
catch up.
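Added example, not the repository's script: a readiness probe that waits for the `* OK` greeting instead of an open port, as the commit above describes. It assumes bash for the `/dev/tcp` redirection and `read -t`; the function names and the sample greeting are constructed, while 127.0.0.1:1143 and the 15 s limit come from the commit messages on this page.

```shell
#!/usr/bin/env bash
# Added example: "ready" means the server greeted with "* OK",
# not merely that the TCP port accepts connections.

# True if the line is an IMAP "* OK" greeting (a trailing CR is tolerated).
is_ok_greeting() {
  case "$1" in
    "* OK"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the first line sent by host:port, or fail if the connection is
# refused or nothing arrives within 2 s. Runs in a subshell so the socket
# is closed on exit and a failed connect cannot abort the caller.
imap_greeting() {
  (
    exec 3<>"/dev/tcp/$1/$2" || exit 1
    IFS= read -r -t 2 line <&3 || exit 1
    printf '%s\n' "$line"
  ) 2>/dev/null
}

# Poll once per second until the greeting is "* OK" or tries run out.
# Returns non-zero silently on timeout.
wait_for_imap() {
  host=$1 port=$2 tries=${3:-15}
  while [ "$tries" -gt 0 ]; do
    if is_ok_greeting "$(imap_greeting "$host" "$port")"; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# Constructed samples: a greeting line, and the empty read an open but
# not-yet-serving listener would produce.
is_ok_greeting '* OK IMAP4rev1 service ready' && echo "ready"
is_ok_greeting '' || echo "port open, no greeting yet: not ready"

# Typical use before launching the mail client (1 s grace for SMTP on 1025):
#   wait_for_imap 127.0.0.1 1143 15 && sleep 1
```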
|
Going through xdg-open relied on mimeapps propagation and
update-desktop-database cache. Add a dedicated `view-md` opener
that invokes okular directly and route *.md, *.markdown, and
text/markdown files to it. Still orphan=true to avoid the
unfinished-tasks prompt.
|
Default yazi rule treats .md as text and hands it to $EDITOR.
Prepend a rule that uses the `open` opener (xdg-open, now pointed
at okular) so pressing Enter on a markdown file in yazi opens the
rendered view instead of nvim.
|
xdg-open was handing .md files to nvim, which is an editor — not
what we want for casual reading. okular (with discount installed)
renders markdown as a paged document, similar to how zathura
handles pdfs.
|
yazi tracks child processes as running tasks. Default `open`
opener runs `xdg-open` synchronously, so opening a pdf (or any
file handed off to an external viewer) leaves yazi convinced a task
is still running and it prompts 'unfinished tasks, quit anyway?' on
exit. orphan = true detaches the spawned process from yazi so the
quit is clean.
|
--format is not supported by this mako version. Parse the native text
output (Notification N: summary / App name: X) with awk for the picker
and grep '^Notification ' for the counter.
|
makoctl outputs plain text by default on this version. Use --format
strings for both the history picker (%a/%s/%b) and the counter script
(%i + wc), instead of trying to parse JSON that isn't there.
|
Previous jq path (.data[0][].summary.data) only works for one nesting
shape of mako's history JSON. Recurse to find notification objects and
unwrap dbus-typed {type,data} fields defensively. Also bump
max-history from the default of 5 so more entries are retained.
|
makoctl menu only acts on currently-visible notifications, not history
(mako has no API to re-invoke arbitrary history entries). Replace with
a small script that pipes 'makoctl history' through jq and fuzzel, then
copies the selected entry to the clipboard for reference.
|
makoctl menu <cmd> expects the command to emit just the notification
id, but fuzzel --dmenu echoes the full '<id> <summary>' line. Pipe
through cut -d' ' -f1 so mako can act on the selection.
|
- Super+Ctrl+n: makoctl restore (re-show the most recent dismissed)
- Super+Alt+n: makoctl menu fuzzel --dmenu (pick any from history)
|
The idle_inhibitor em-dash and bare mako '0' blended with the clock.

- mako counter: prefix 'NTF', gray when empty, aqua for history, orange
  for pending.
- idle_inhibitor: 'IDL'/'INH' with gray/yellow.
- privacy: red (only visible when screensharing or mic-active).
- Add padding rules so the new modules line up with the rest.
|
On cold boot Thunderbird would race protonmail-bridge and pop up a
'failed to login to 127.0.0.1' error. Poll 127.0.0.1:1143 (bridge's
default IMAP port) for up to 15s before spawning TB. Gives up silently
if the bridge doesn't come up.
|
Move waybar from sway's inline bar {} block to waybar.service pulled in
by sway-session.target. Matches the pattern for mako, swayidle,
poweralertd, display-watcher, cliphist. ExecReload sends SIGUSR2 so
'systemctl --user reload waybar' picks up config changes without a
restart.
|
$mod+v is sway's default splitv; my cliphist bind was shadowing it and
emitting a warning. Move clipboard history to $mod+p / $mod+Shift+p.
|
- shfmt -i 2 -ci -s on the four updated shell scripts (tabs → 2 spaces)
- prettier --write on KEYBINDS.md and README.md
|
Install brightnessctl and bind all seven ThinkPad multimedia keys:

- XF86MonBrightnessUp/Down → brightnessctl ±5%
- XF86AudioMicMute → pactl source mute
- XF86Bluetooth → bt-toggle.sh (bluetoothctl + notify-send)
- XF86ScreenSaver (Fn+F2) → same as $mod+Shift+s (pause + swaylock)
- XF86Sleep → systemctl suspend
- XF86WLAN / XF86RFKill → rfkill toggle

Note: rfkill may need a passwordless doas rule
(permit nopass :wheel cmd rfkill) or group membership to write
/dev/rfkill without privileges; not wired speculatively.
|
Pairs with focus_follows_mouse to prevent stale-hover focus-steal after
keyboard navigation: the cursor jumps into the new focus so subsequent
small mouse movements don't bounce focus back to where it used to be.
|
Any fullscreen window now pauses swayidle's timer. Covers mpv, video
calls, fullscreen browser video, etc.
|
New mako-status.sh emits JSON with pending / history counts. Click to
dismiss latest, right-click to dismiss all, middle-click to restore the
last dismissed notification.
|
Shows icons while any app holds the microphone or a screen-share source
via PipeWire. No new deps on a PipeWire system.
|
Click to toggle an inhibit lock that prevents swayidle from firing.
Useful for long reads, video playback without fullscreen, etc.
|
Pipe grim through tee so Print / Shift+Print save to disk AND copy the
PNG to the Wayland clipboard via wl-copy.
|
Install cliphist and wire two user services (text + image watchers) into
sway-session.target. Bind $mod+v to pick an entry via fuzzel and
$mod+Shift+v to delete one.
|
Splitting the for_window 'move to scratchpad' action into a dedicated
autostart helper so that super+t launches TB tiled (not stashed) when TB
isn't already running. Previously the for_window rule would stash every
new main window, forcing the user to press super+t twice after killing
TB manually.
|
waybar's sway/workspaces has no ignore-list (that option is hyprland-only),
so the _tb workspace always leaked into the bar and into super+tab cycling.
Using sway's native scratchpad solves both: the __i3_scratch workspace is
filtered automatically. We run 'floating disable' right after 'scratchpad
show' so the window lands tiled on the current workspace, preserving the
intended UX.
|
get_tree's workspace nodes don't carry a .focused field (only con nodes
do), so current_ws was empty and the script emitted a malformed swaymsg
command. get_workspaces exposes .focused directly on each workspace.
|
Scratchpad is inherently floating; the user wants the main TB window to
tile normally when shown and disappear completely when hidden. Park the
main window on a hidden workspace _tb via for_window, then toggle it
with a small swaymsg+jq script that moves it between _tb and the
currently focused workspace. Child windows (compose, viewer, calendar,
prefs) are unaffected and tile wherever they spawn.

- Autostart thunderbird so the window exists on login, parked on _tb.
- Hide _tb from waybar's workspace list.
- Update KEYBINDS.md.
|
Matching only on app_id caused every TB window (compose, message
viewer, calendar event, settings) to be parked in the scratchpad,
leaving them hidden behind the main window. TB's main window title
always ends in 'Mozilla Thunderbird'; child windows don't. Narrow
both the for_window rule and the Super+t toggle with a title regex
so only the main window is managed.
|
Autostart thunderbird on sway launch; window rule parks it in the
scratchpad immediately so it runs in the background firing mako
notifications. Super+t toggles the window visible/hidden without
quitting the app — works around the long-standing lack of native
Linux tray support in Thunderbird.
|
Arch's protonmail-bridge-core ships /usr/lib/systemd/user/protonmail-bridge.service
with proper hardening. Replace custom unit with a minimal drop-in to
inject PASSWORD_STORE_DIR for the pass keychain backend.
|
Remove aerc, khal, khard, vdirsyncer from meta/mail.txt and delete their
configs (aerc/, vdirsyncer systemd override, aerc .desktop handler).
Point linkhandler mailto at xdg-open until a GUI client is set up.
Add systemd user unit for protonmail-bridge --noninteractive, tied to
graphical-session.target so it starts with the sway session.
|