| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Install Nix (multi-user daemon) on Arch and wire up direnv so any project
can declare its toolchain in a flake.nix and get a hermetic dev shell on
cd. No NixOS, no home-manager, no migration off paru/chezmoi — just one
new package manager scoped to project dev shells.
- meta/nix.txt: nix from extra repo
- meta/dev.txt: direnv (general-purpose, not nix-specific)
- systemd-units/system/nix.txt: nix-daemon.socket (socket-activated)
- etc/nix/nix.conf: enable flakes + nix-command, trusted-users=@wheel,
auto-optimise-store, keep-outputs/derivations so direnv envs survive GC
- dot_config/direnv/direnvrc: load nix-direnv 3.1.1 via source_url with
pinned sha256 (not packaged for Arch; refusing -git AUR)
- dot_config/nix/templates/{flake.nix,dev/}: flake template usable via
'nix flake init -t ~/.config/nix/templates'
- dot_config/zsh/dot_zshrc: 'eval "$(direnv hook zsh)"'
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Default-deny inbound, allow outbound. Scoped to 'inet filter' with
'destroy table' on reload so podman/netavark tables are preserved.
- meta/base.txt: add nftables
- systemd-units/system/base.txt: enable nftables.service
- etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6
essentials, DHCPv6 client, default-drop input/forward, accept output)
- etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route,
log_martians
- README.md: firewall section with reload caveat
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The old etc-status scanned all of /etc (pacman -Qkk for modified
backup configs, then 'find /etc | xargs pacman -Qo' for unowned
files), producing a discovery report of things we might want to
track. That was useful when seeding the repo but is slow and
misaligned with dotfiles-status, which only reports drift on files
chezmoi already manages.
Rewrite etc-status to mirror that model: iterate etc/, render .tmpl
sources, and cmp against the live /etc file. Report 'modified' or
'missing' per tracked path. Runs in under a second and matches the
semantics of 'just status'.
Drop the now-unused etc/.ignore and update README.
|
| |
|
|
|
|
|
| |
lsblk without -d lists the partition AND its children, so on a LUKS
setup the second line (the mapper's UUID) was leaking into the
rendered cmdline and deploy script. Add -d so only the partition's
own UUID is emitted.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Prompt once at 'chezmoi init' time for the LUKS root partition (e.g.
nvme0n1p2) and store it under [data].luksRootPartition in the per-machine
chezmoi config. etc/kernel/cmdline.tmpl resolves the UUID at apply time
via lsblk, so reinstalls only require re-entering the partition name.
The etc deploy script now renders *.tmpl sources through
'chezmoi execute-template' and installs them without the suffix. The
resolved UUID is folded into the onchange hash so the script re-runs
when the UUID changes even if etc/ content is unchanged.
just etc-status/diff transparently handle .tmpl sources (strip suffix
for the live-path mapping, render before diffing). etc-re-add skips
.tmpl files since template sources can't be reverse-rendered from the
live file.
|
| |
|
|
|
| |
setterm only affects the Linux console (TERM=linux); sway's KMS/DRM
session is unaffected. Wakes on any keypress.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- New dot_config/systemd/user/swayidle.service, pulled in by
sway-session.target alongside mako/display-watcher/poweralertd. Same
lifetime as the rest of the session: starts after graphical-session,
restarts on failure, stops on logout.
- Drop the swayidle exec from sway config (was unmanaged background
process with no restart, no logging hookup).
- Revert etc/systemd/logind.conf overrides: swayidle handles idle-lock
directly via Wayland ext-idle-notifier, so the logind IdleAction
belt-and-suspenders is redundant. Run just etc-reset
/etc/systemd/logind.conf on the host to restore pristine.
|
| |
|
|
|
|
|
|
|
|
|
| |
- logind: IdleAction=lock, IdleActionSec=5min. systemd emits a lock
signal at 5min idle (session becomes locked from logind PoV; swayidle
listens and invokes swaylock).
- swayidle: lock at 5min, blank display at 6min, lock before sleep.
Closes the gap where lid-close or manual suspend would wake to an
unlocked session.
- swaylock: add -i (--ignore-empty-password) to ignore accidental Enter.
- meta/wayland: add swayidle.
|
| |
|
|
|
|
| |
Arch already ships systemd-based HOOKS as default; only add sd-encrypt.
keymap is redundant with sd-vconsole but harmless, and keeping it
minimizes diff from upstream (one word changed).
|
| |
|
|
|
|
|
|
|
| |
Prerequisite for TPM2 LUKS unlock. systemd-cryptenroll stores TPM hints
in LUKS2 token metadata, so no cmdline options are needed beyond
rd.luks.name (sd-encrypt auto-discovers enrolled tokens).
After chezmoi apply: sudo mkinitcpio -P && sudo sbctl verify, then
reboot. Passphrase still works; TPM enrollment is a separate step.
|
| |
|
|
|
|
| |
Only CriticalPowerAction=PowerOff is a behaviorally meaningful change
vs pristine. Percentage tweaks (15/7/3 vs 20/5/2) are not worth the
drift.
|
| |
|
|
|
|
|
| |
- Drop ES/PT from country list (always-on VPN exits in Zurich; Iberian
mirrors are slow through that path).
- Replace --latest 5 + --sort age with --age 12 + --fastest 10 +
--threads 5 (real throughput benchmark over 5 parallel probes).
|
| |
|
|
|
| |
No behavior change; only the four overrides (PercentageLow/Critical/
Action, CriticalPowerAction=PowerOff) differ from upstream defaults.
|
| |
|
|
|
|
| |
Single-user laptop behind FDE with key-only SSH means local brute
force is not a realistic threat. Tight defaults (3 attempts, 10min
lock) mainly punish typos.
|
| |
|
|
|
|
| |
User scopes (e.g. ghostty surface containing zellij) inherit timeouts
from the user manager, not /etc/systemd/system.conf.d. Without this,
zellij sessions stall reboot for 90s before SIGKILL.
|
| |
|
|
|
|
|
| |
Replace sway exec launches with a sway-session.target that BindsTo
graphical-session.target and Wants mako, poweralertd, and a new
display-watcher.service. Services now get restart-on-failure, journal
integration, and clean shutdown when sway exits.
|
| |
|
|
|
|
|
| |
Track /etc/kernel/cmdline and enable default_uki/fallback_uki in
linux.preset. Remove create-efi helper (UKI is self-contained; only
needed once at install time). Update bootstrap to print the one-off
efibootmgr command instead of launching create-efi.
|
| |
|
|
|
| |
Cap at 8 GiB, zstd compression. Tune VM for RAM-backed swap:
high swappiness, no read-ahead clustering.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
All 44 lines are comments/section headers — zero active settings.
Tracking was useless: no real state to preserve, and 'just etc'
would surface any future drift anyway.
The live /etc/systemd/resolved.conf on the host is unaffected;
chezmoi's deploy-etc script only installs files, never removes.
|
| |
|
|
|
|
|
| |
Type=ether and Type=wlan match every interface of that class.
Add comments pointing out that future USB/Thunderbolt dongles
would get auto-enslaved into bond0, and how to narrow the match
if that becomes undesirable.
|
| |
|
|
|
|
|
| |
Having only the 'default' preset means no safety net if the main
initramfs ever fails to boot (broken firmware update, microcode
regression, hook misconfig). The fallback image is ~40 MB and
regenerates with every kernel update — cheap insurance.
|
| |
|
|
|
|
|
|
| |
Pristine /etc/xdg/reflector/reflector.conf sets '--protocol https'.
Dropping it reverts to reflector's permissive default (http, https,
rsync, ftp), which could let non-HTTPS mirrors into the mirrorlist.
Also drop '--completion-percent 100' — that's reflector's default.
|
| |
|
|
|
|
|
| |
Adopted via 'just etc-add' after 'just etc-drift' surfaced them:
locale.conf, locale.gen, mkinitcpio.conf, mkinitcpio.d/linux.preset,
pacman.conf, resolved.conf, systemd/network/30-bond*, and the shokz
udev blacklist rule.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- etc-diff: diff repo-managed etc/<path> vs live /etc (defaults to all)
- etc-upstream-diff: diff live /etc vs pristine pacman archive
(defaults to pacman -Qkk modified set)
- etc-add: copy /etc/<path> into the repo's etc/ tree
- etc-reset: restore pristine via bsdtar -xpf, or rm if unowned;
refuses managed paths without --force
- ignore /etc/fstab (host-specific UUIDs/layout)
- path-traversal guards on all recipe inputs
- regular-file-only enforcement (no symlinks/dirs)
- fail-fast with clear message if mirror can't supply installed version
|
| |
|
|
|
|
|
|
|
| |
Pacman emits lines like "backup file: <pkg>: <path> (<reason>)", not the
"(Modified backup file)" suffix format. Anchor the path extraction to
/etc/ to avoid catching stderr warnings interleaved into a line.
Also extend etc/.ignore with /etc/{passwd,group,shells} — system-managed
identity files that surfaced in the new drift output.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
- `just etc-drift` reports /etc files modified from pacman defaults
(via pacman -Qii) and user-created files (via pacman -Qo), subtracting
already-managed paths and patterns listed in etc/.ignore.
- Refactor run_onchange_after_deploy-etc.sh.tmpl to enumerate files under
etc/ automatically via find; single combined hash via chezmoi output +
sha256sum, so new files only need to be dropped into etc/.
- etc/.ignore seeds noise filters: machine-id, ssh host keys, pacman
keyring, mirrorlist, shadow/passwd backups, sbctl keys, ca-certs.
|
| | |
|
| |
|
|
|
| |
Added to the etc/ deploy loop plus a post-copy chown/chmod to 0400
root:root since doas refuses to parse otherwise.
|
| |
|
|
|
|
|
|
| |
- etc2/ only existed because stow used symlinks and reflector refused
them. Chezmoi copies files, so no reason to keep them separate.
- Run scripts are now .tmpl files with sha256sum hashes of deployed
files. chezmoi only re-runs them when file content actually changes,
avoiding unnecessary doas prompts on every apply.
|
| |
|
|
|
| |
- orphans.hook: remove commented-out alternative Exec line
- reflector.conf: strip comment bloat, keep only active settings
|
| | |
|
| |
|
sommerfeld
Arnold Sommerfeld