| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fuse-overlayfs is dog-slow on `podman commit` (and noticeably slower
than native overlay/btrfs for layer extraction in general) because every
read/write round-trips through a FUSE daemon. The kernel overlay driver
does not support btrfs as a lowerdir, so on a btrfs root fs the choices
were:
- fuse-overlayfs (slow, but works)
- btrfs (native subvolume + CoW snapshot per layer; fast)
Switching graph drivers is destructive — the on-disk layout is
incompatible, so a one-time `podman system reset --force` is required.
A migration helper script lives at the repo root (gitignored,
chezmoiignored) that snapshots stateful containers, exports images and
volumes, runs the reset, and restores everything on the new driver.
Drops fuse-overlayfs from meta/base.txt — no longer needed and pulls
in libfuse3 transitively for nothing. (Flatpak still depends on it for
its own sandbox; pacman won't actually uninstall the binary while
flatpak is around — that's fine.)
VM (nix/vm.nix) is unaffected: it sets its own storage.conf inline
with driver=overlay since its rootfs is ext4.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two breakages observed on first linux-hardened boot:
1. `podman run` failed because linux-hardened sets
kernel.unprivileged_userns_clone=0 by default (stock linux: 1).
Rootless podman requires unprivileged user namespaces. Restoring
the stock-kernel default via sysctl — this is a documented hardened
knob meant to be flipped back if you actually use rootless
containers. No-op on stock kernel.
2. "kernel does not support overlay fs: 'overlay' is not supported over
btrfs". Kernel overlayfs cannot use a btrfs subvolume as lowerdir;
podman needs fuse-overlayfs as the user-mode shim. ~10-30% slower
I/O than native overlay but works correctly and is the upstream
recommendation for btrfs-backed rootless storage.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These three tools are the native (non-flatpak) network parsers in the
install set — every other internet-facing app is already flatpak'd. The
threat model is a RCE in a subtitle/extractor/muxer that walks $HOME
looking for SSH keys, GPG keyring, pass store, cloud tokens, etc.
Approach (defence in depth, not full sandboxing):
- bwrap --bind / / keeps Wayland, PipeWire, DBus, GPU, hwaccel and all
config files working transparently.
- --tmpfs over known-sensitive dirs (.ssh, .gnupg, .password-store,
.config/gh, .config/op, .aws, .local/share/keyrings) blanks them
from the sandbox view; a compromised parser literally cannot see them.
- inner PATH stripped of ~/.local/bin so streamlink's spawn of `mpv`
resolves to /usr/bin/mpv and does not re-enter the sandbox.
- --die-with-parent + --new-session for tidy lifecycle.
- Escape hatch: SANDBOX=0 mpv ... bypasses for one invocation.
- Graceful degradation if bwrap is missing (warns and execs anyway).
bubblewrap added explicitly to meta/base.txt (was implicit via flatpak).
Wrappers in ~/.local/bin shadow /usr/bin via dot_zprofile:15 PATH order.
Not symlinked into the Ubuntu VM (nix/vm.nix does not touch ~/.local/bin),
which is fine: those tools on the headless VM don't need sandboxing.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Installs linux-hardened + linux-hardened-headers alongside the stock
linux kernel. Stock kernel remains the default; linux-hardened is opt-in
via efibootmgr --bootnext after the EFI entry is registered (one-time
host-side step, documented in the preset).
After first 'just pkg-apply', mkinitcpio auto-builds
/boot/EFI/Linux/arch-linux-hardened.efi from the new preset (sharing
etc/kernel/cmdline.tmpl with the stock UKI — same LUKS root, no
kernel-specific cmdline knobs).
Host-side EFI entry registration:
sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
--label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'
Roll back any time by removing both packages and the preset file; the
stock kernel and its UKI are untouched.
|
| |
|
|
|
|
|
| |
ttf-font-awesome is a virtual provided by otf-font-awesome (already
declared on the line above) — paru resolves the former to the latter,
so listing both adds nothing and confuses the mark-explicit step in
pkg-apply.
|
| |
|
|
|
|
|
|
| |
Root filesystem is btrfs; the userspace tools are needed for routine
maintenance (scrub, balance, subvolume management) and inspection
(`btrfs filesystem usage` — the only honest reporter on btrfs since
plain `df` doesn't account for metadata/profiles/unallocated). Also
used by the mkinitcpio btrfs hook at boot.
|
| |
|
|
|
|
|
|
|
| |
linux: previously installed only as an Optional Dep of base. Promote to
an explicit declaration so it stops showing up under pacopt.
dosfstools: required by udisks2 (and libblockdev-fs) for mounting FAT
volumes — USB sticks, the EFI system partition, etc. Universally useful
on any desktop install.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Migrated to Home-Manager (nix/common.nix):
cmake, ninja, ccache, sccache (build orchestrators — they only
delegate to whatever compiler is on PATH, don't ship one
themselves, so no ABI shadowing risk)
valgrind (instruments at syscall/library boundary; works fine with
pacman-built target binaries)
doxygen (source-only documentation tool; was accidentally dropped
in the previous sweep — restored here)
Dropped entirely (per-project flake.nix + direnv .envrc instead):
clang, lld, mold, rustup, npm
Rationale: these are language/toolchain-specific compilers and
linkers; when a project needs them, the project's own flake provides
the version it wants, pinned in flake.lock. base-devel still ships
gcc/ld/as/make for general-purpose system builds and one-offs.
npm is also dropped from pacman; nodejs_24 in nix/common.nix already
ships npm for the editor/AI-agent path. Project-side npm comes via
per-project flake when needed.
Updated nix/common.nix policy comment to match: only ban the actual
compilers/linkers (cc/gcc/clang/ld) and forbidden runtimes (cargo,
rustc, go, python3) — build orchestrators and instrumentation tools
are explicitly allowed.
The --- dev --- section in base.txt is now just perf and podman-*
(kernel-coupled / system-runtime-coupled).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Migrated to Home-Manager (nix/common.nix):
duf, gdu, nmap, procs, yazi, difftastic, direnv (was duplicated),
git-absorb, samply, strace, t-rec, act, pandoc, gdb, lldb
lldb stays nix-only (no longer in base.txt) — per user policy, only
ever used to debug own builds, so glibc/kernel ABI skew vs the
pacman-built system isn't a concern. Same logic could extend to
valgrind, but valgrind has tighter glibc compat needs; perf links
against kernel ABI and must match the running kernel. Both stay
pacman.
uv was already in nix; removed pacman duplicate.
Kept on pacman (cannot migrate without breaking system builds, per
nix/common.nix policy that bans compilers/linkers/build systems on
PATH):
ccache, clang, cmake, lld, mold, ninja, npm, rustup, sccache,
podman-compose, podman-docker (system runtime integration),
perf, valgrind (kernel/glibc-coupled), unzip (transitive via base),
doxygen (huge nixpkgs closure not worth it).
Dropped entirely (unused):
android-tools, go, gpg-tui, luarocks (was for Mason-managed nvim
plugin deps; Mason is gone), bash-completion (zsh-only setup),
pandoc-bin (replaced by nix pandoc).
jdk21-openjdk kept — still needed for the groovy/jenkins toolchain
paths in nvim.
Rewrote the --- dev --- section comment to explain the policy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cleanup pass following p7 review:
- pass-otp: wired via pass.withExtensions in nix/common.nix
(`pass otp ...` works against the same store).
- zsh-completions: added as a separate package next to zsh + plugins
(fpath picks it up via HM's nix-profile share/).
- wget: already in nix/common.nix; removed pacman duplicate.
- gnupg: already in nix/common.nix; removed pacman entry.
pcscd still comes from pacman pcsclite (system
service needs root + hardware access), nix gnupg's
scdaemon dials it via /run/pcscd/pcscd.comm.
- curl: removed; pulled transitively by base, base-devel,
paru and many others.
Kept on pacman:
- pcsclite, ccid : pcscd is a system daemon; libs needed by HM scdaemon
- man-db, man-pages : distro-specific
- base, base-devel : meta-packages
- pass-secret-service-bin : AUR-only
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following are now provisioned by Home-Manager via nix/common.nix
and live under ~/.nix-profile/bin (which is first in PATH per phase
p3):
ripgrep, fd, bat, glow, fzf, lsd, jq, yq (yq-go), zoxide, just, sd,
choose, dog, curlie, hyperfine, htop, fastfetch, tldr, rsync,
mergiraf, git-delta (delta), tree-sitter-cli (tree-sitter), neovim,
zellij, github-cli (gh), pass, openssh, git, zsh,
zsh-syntax-highlighting, zsh-autosuggestions,
zsh-history-substring-search, basedpyright-bin (basedpyright),
rust-analyzer
Kept:
- pass-otp, zsh-completions: no Home-Manager equivalent yet
- pcsclite: still needed by Home-Manager gnupg/scdaemon
(see nix/host.nix scdaemon.conf)
- curl, wget, man-db, man-pages, gnupg: system-fundamental, fine to
keep duplicated. git/openssh/gnupg also come back as transitive
deps of paru/sudo/etc. even if dropped here.
Added hyperfine to nix/common.nix (missed in the p5 batch).
Phase 7 of the nix-on-host migration plan.
|
| |
|
|
|
|
|
|
| |
Gradle 9.1 (and thus Mason's groovy-language-server build) doesn't
support Java 26 bytecode yet — builds fail with 'Unsupported class
file major version 70'. Nothing in the dotfiles uses a feature
beyond JDK 21, and both packages provide the same java-runtime
virtual, so dependents are unaffected.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mason's pypi distribution of basedpyright pulls nodejs-wheel-binaries
which only ships manylinux_2_28 Linux wheels. uv's python-build-
standalone interpreter is tagged manylinux2014 (glibc 2.17 for max
portability) and rejects those wheels; pip then falls back to building
Node 24 from source, which fails on Ubuntu 20.04's gcc 9.4 (needs
gcc >=10 for -std=gnu++20).
Provide basedpyright via the system package manager instead:
- pacman on Arch (added to meta/base.txt)
- pkgs.basedpyright on the VM (added to remote-dev/home.nix)
Drop it from mason-tool-installer's ensure_installed; lspconfig picks
it up from PATH. Document the exception in remote-dev/README.md.
|
| |
|
|
|
| |
Enables `pass otp insert/show` for TOTP secrets, used as the source
for the ungoogled-chromium VPN OTP autofill keybind.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Vanilla sway only has splith/splitv with no auto-orientation, so new
windows always split along whatever axis the parent container is set
to (default splith). The result: opening a third window in a workspace
that's already split horizontally just keeps stacking horizontally,
even when each pane is now narrower than it is tall.
swayr's daemon (swayrd) subscribes to sway IPC and, with
[layout].auto_tile = true, issues splith or splitv on the focused
container based on its width-vs-height before sway places the next
window. The result is the i3/awesome-style spiral tiling: each new
window splits the focused pane along its longest side.
Run swayrd as a systemd user service bound to sway-session.target so
it starts/stops with the session (matching the pattern used by
waybar, swayidle, mako, etc.). No keybind changes; only the placement
algorithm.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Inspecting upstream qmk_udev's 50-qmk.rules: the access-granting
line (`SUBSYSTEM=="hidraw" ... ENV{ID_QMK}="1"` paired with a
MODE/TAG) is *commented out*. The package only sets ID_QMK=1 via a
helper to mark devices for ModemManager to ignore during flashing. It
does not in fact tag hidraw nodes with uaccess for runtime apps like
VIA/usevia.
zsa-udev (AUR) ships ZSA's upstream 50-oryx.rules and 50-wally.rules
which do exactly the right TAG+=uaccess on VID 3297. Same package
zsa-keymapp-bin already depends on, so this is the canonical path.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The qmk Arch package ships /usr/lib/udev/rules.d/50-qmk.rules covering
all major mech-keyboard vendors including ZSA's VID 3297, with the
same TAG+=uaccess semantics. Prefer that over maintaining our own
rules file.
- meta/base.txt: + qmk
- etc/udev/rules.d/50-zsa.rules: removed
- etc deploy script: drop the udevadm reload (only existed to support
our custom rule; pacman handles reloads for package-shipped rules).
|
| |
|
|
|
|
|
|
| |
The python pass-secret-service AUR package is unmaintained. Switch to
grimsteel's actively-maintained Rust implementation (-bin variant for
faster install) and enable the shipped user systemd unit so the
service is visible to systemctl --user status, not just lazily
D-Bus-activated.
|
| |
|
|
|
|
|
|
|
| |
Signal Desktop (and any libsecret consumer) wants to talk to the
org.freedesktop.secrets D-Bus service. pass-secret-service implements
that API on top of the existing pass store -- secrets land under
~/.password-store/secret-service/ encrypted with the same GPG key, so
no separate keyring to manage. The service is D-Bus activated, no
systemd unit needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- xdg-desktop-portal: pin wlr for ScreenCast/Screenshot, gtk for the
rest, so flatpak browsers (Meet, Slack, Discord) get a working
screen-share path instead of whatever the portal frontend happens to
pick first.
- wob: small wayland overlay bar fed via a fifo. New vol-osd.sh /
brightness-osd.sh wrappers replace the bare pactl/brightnessctl
invocations in keybinds so adjusting volume or backlight flashes a
bar at the bottom of the screen. wob.service owns the fifo lifecycle
(mkfifo before, rm after).
- mako: add a [mode=do-not-disturb] section that hides notifications
while the mode is active, plus a Super+x n submode binding to toggle
it. Notifications still accumulate in history; just no popups.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two related session-idle improvements:
1. ScreenSaver inhibit bridge. Browsers (LibreWolf/Chromium flatpaks)
ask the session not to idle via the legacy
org.freedesktop.ScreenSaver D-Bus API during video calls and
fullscreen video; swayidle only honors logind's BlockInhibited
property. Add inhibridge as a user unit to translate the former
into the latter, so e.g. a Google Meet tab now keeps the screen
from locking, dimming and (downstream) suspending.
2. Post-resume grace period. Locking on before-sleep meant every wake
demanded the password even for a quick check. Replace with:
before-sleep -> only pause media
after-resume -> resume-lock-grace.sh 30
The grace script runs a one-shot swayidle that locks iff the user
stays idle for 30s after the wake, with a watchdog that exits as
soon as swaylock comes up (or after a hard cap) so it never lingers
alongside the main swayidle. The 5-min main idle-lock and explicit
loginctl lock-session paths are unchanged.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Three small extra-repo packages, each anchoring one strand of the new
'remind, never auto-fix' system-health story:
- arch-audit: queries security.archlinux.org for CVEs against installed
versions and prints those that already have a fix in the repos. Driven
by etc/systemd/system/arch-audit.timer (daily refresh into
/run/arch-audit.txt) and surfaced through custom/arch-audit in waybar.
- lostfiles: enumerates filesystem entries under tracked dirs (/etc,
/usr, /var…) that aren't owned by any pacman package and aren't on
its built-in safe-list. Driven by etc/systemd/system/lostfiles.timer
(weekly refresh into /run/lostfiles.txt) and surfaced through
custom/lostfiles in waybar.
- kernel-modules-hook: ships its own /usr/share/libalpm/hooks entries
that copy the running kernel's modules to /usr/lib/modules/$(uname -r)
on upgrade and prune them on shutdown, so modprobe (USB devices, vfat
mounts, etc.) keeps working between a kernel upgrade and the next
reboot. No further config — drop-in fix.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop the per-domain group fragmentation in meta/ and the parallel
group-per-file structure in systemd-units/.
meta/ (18 -> 6 groups):
keep base, flatpak (magic), intel, nvidia, work, btc
fold browser, bt, cpp, dev, extra, fonts, mail, media, nix,
sound, wayland -> base (with `# --- section ---` comments
preserving at-a-glance structure)
drop fortran (niche; install ad-hoc when needed)
systemd-units/:
flatten to a single system.txt + user.txt; .ignore files move up
one level; group concept and pairing rule removed.
justfile:
unit-list/unit-apply/unit-status no longer take a group argument.
unit-add/unit-forget infer scope by probing
`systemctl [--user] cat <unit>` (system wins on tie). Top-level
add/forget dispatcher updated: any unit-suffixed arg routes to
unit-* without requiring a leading GROUP.
docs:
.github/copilot-instructions.md and README.md updated to describe
the new flat layout. Pairing rule and group-token grammar gone.
Pure layout refactor - no package contents change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
doas's one-shot password and absent 'sudo -v' kept wasting hour-long
paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous
Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships
as default. We follow the Arch wiki 'Using sudo-rs without the sudo
package' recipe verbatim — no custom shims.
- meta/base.txt: -doas-sudo-shim +sudo-rs
- etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff
- etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file
- run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs
at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit,
su,visudo} → sudo-rs symlinks idempotently
- delete etc/doas.conf, dot_local/bin/{doasedit,sudo}
- zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/
pacdiff/ssys to call sudo
- justfile: s/doas/sudo/g (status/diff/restore helpers)
- nvim: rename :DoasWrite → :SudoWrite (uses sudo -S)
- sway config: reboot/poweroff buttons call sudo
- bootstrap.sh: update step-5 comment
- README/KEYBINDS/copilot-instructions: flip the privesc convention
No Defaults overrides: sudo's defaults (passwd_tries=3,
timestamp_timeout=5) already fix the doas pain, and paru SudoLoop
(kept) refreshes the 5-min window via real sudo -v.
|
| |
|
|
|
|
|
|
|
|
| |
- XF86Display replaces F7 for display-toggle.sh (dedicated HW key)
- XF86Tools opens floating pulsemixer (audio mixer TUI)
- XF86Keyboard opens KEYBINDS.md in glow (floating pager)
- XF86Favorites takes over mako history picker (from Super+Alt+n)
Adds generic [app_id="floating"] window rule so ghostty --class=floating
windows open floating. Adds glow to meta/base.txt.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Default-deny inbound, allow outbound. Scoped to 'inet filter' with
'destroy table' on reload so podman/netavark tables are preserved.
- meta/base.txt: add nftables
- systemd-units/system/base.txt: enable nftables.service
- etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6
essentials, DHCPv6 client, default-drop input/forward, accept output)
- etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route,
log_martians
- README.md: firewall section with reload caveat
|
| |
|
|
| |
fwupd-refresh; drop fstrim.timer
|
| |
|
|
|
| |
Cap at 8 GiB, zstd compression. Tune VM for RAM-backed swap:
high swappiness, no read-ahead clustering.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
- mold moves cpp→dev (broader home; used by both Rust and C++ builds)
- choose/curlie/dog restored to base (actively used)
- restore 'alias curl=curlie' to match
linux-headers stays only in nvidia.txt (pulled by nvidia-dkms; no
other DKMS packages in the set).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Structural:
- Dedupe: drop git/unzip/wget/mold from dev, linux-headers from base,
zbar from btc (kept in wayland)
- Move thermald base→intel (Intel-only daemon)
- Split wayland.txt into wayland (compositor stack), browser, office
- Sort base.txt alphabetically
Content:
- Drop stale: dog, choose, curlie (base); sloccount (dev)
- Drop redundant: pipenv, yarn (dev has uv and npm)
- Drop niche: irqbalance, libusb-compat (base); go-md2man, flamelens (dev)
- Switch doas-sudo-shim-k → doas-sudo-shim (mainline variant)
Removed packages are list-only; uninstall afterward with paru -Rsn
if they appear in 'just undeclared'.
|
| | |
|
|
|
- Convert 16 PKGBUILD metapackages to simple .txt files (one package per line)
- Delete all PKGBUILD, .SRCINFO, and .pkg.tar.zst binary artifacts
- Clean stale packages: lf→yazi, tmux→zellij, neofetch→fastfetch, stow→chezmoi
- Remove duplicate rustup in dev, duplicate mesa in intel
- Add justfile recipes: install, install-all, status (unified drift detection)
- Configure chezmoi to exclude scripts from status/diff output
- Update copilot instructions
|
sommerfeld