| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These three tools are the native (non-flatpak) network parsers in the
install set — every other internet-facing app is already flatpak'd. The
threat model is a RCE in a subtitle/extractor/muxer that walks $HOME
looking for SSH keys, GPG keyring, pass store, cloud tokens, etc.
Approach (defence in depth, not full sandboxing):
- bwrap --bind / / keeps Wayland, PipeWire, DBus, GPU, hwaccel and all
config files working transparently.
- --tmpfs over known-sensitive dirs (.ssh, .gnupg, .password-store,
.config/gh, .config/op, .aws, .local/share/keyrings) blanks them
from the sandbox view; a compromised parser literally cannot see them.
- inner PATH stripped of ~/.local/bin so streamlink's spawn of `mpv`
resolves to /usr/bin/mpv and does not re-enter the sandbox.
- --die-with-parent + --new-session for tidy lifecycle.
- Escape hatch: SANDBOX=0 mpv ... bypasses for one invocation.
- Graceful degradation if bwrap is missing (warns and execs anyway).
bubblewrap added explicitly to meta/base.txt (was implicit via flatpak).
Wrappers in ~/.local/bin shadow /usr/bin via dot_zprofile:15 PATH order.
Not symlinked into the Ubuntu VM (nix/vm.nix does not touch ~/.local/bin),
which is fine: those tools on the headless VM don't need sandboxing.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Installs linux-hardened + linux-hardened-headers alongside the stock
linux kernel. Stock kernel remains the default; linux-hardened is opt-in
via efibootmgr --bootnext after the EFI entry is registered (one-time
host-side step, documented in the preset).
After first 'just pkg-apply', mkinitcpio auto-builds
/boot/EFI/Linux/arch-linux-hardened.efi from the new preset (sharing
etc/kernel/cmdline.tmpl with the stock UKI — same LUKS root, no
kernel-specific cmdline knobs).
Host-side EFI entry registration:
sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \
--label 'Arch Hardened' --loader '\\EFI\\Linux\\arch-linux-hardened.efi'
Roll back any time by removing both packages and the preset file; the
stock kernel and its UKI are untouched.
|
| |
|
|
|
|
|
| |
ttf-font-awesome is a virtual provided by otf-font-awesome (already
declared on the line above) — paru resolves the former to the latter,
so listing both adds nothing and confuses the mark-explicit step in
pkg-apply.
|
| |
|
|
|
|
|
|
| |
Root filesystem is btrfs; the userspace tools are needed for routine
maintenance (scrub, balance, subvolume management) and inspection
(`btrfs filesystem usage` — the only honest reporter on btrfs since
plain `df` doesn't account for metadata/profiles/unallocated). Also
used by the mkinitcpio btrfs hook at boot.
|
| |
|
|
|
|
|
|
|
| |
linux: previously installed only as an Optional Dep of base. Promote to
an explicit declaration so it stops showing up under pacopt.
dosfstools: required by udisks2 (and libblockdev-fs) for mounting FAT
volumes — USB sticks, the EFI system partition, etc. Universally useful
on any desktop install.
|
| | |
|
| |
|
|
|
| |
- zsh: remove ~/.local/share/nvim/mason/bin from PATH
- justfile: update comments to reflect Mason removal
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Migrated to Home-Manager (nix/common.nix):
cmake, ninja, ccache, sccache (build orchestrators — they only
delegate to whatever compiler is on PATH, don't ship one
themselves, so no ABI shadowing risk)
valgrind (instruments at syscall/library boundary; works fine with
pacman-built target binaries)
doxygen (source-only documentation tool; was accidentally dropped
in the previous sweep — restored here)
Dropped entirely (per-project flake.nix + direnv .envrc instead):
clang, lld, mold, rustup, npm
Rationale: these are language/toolchain-specific compilers and
linkers; when a project needs them, the project's own flake provides
the version it wants, pinned in flake.lock. base-devel still ships
gcc/ld/as/make for general-purpose system builds and one-offs.
npm is also dropped from pacman; nodejs_24 in nix/common.nix already
ships npm for the editor/AI-agent path. Project-side npm comes via
per-project flake when needed.
Updated nix/common.nix policy comment to match: only ban the actual
compilers/linkers (cc/gcc/clang/ld) and forbidden runtimes (cargo,
rustc, go, python3) — build orchestrators and instrumentation tools
are explicitly allowed.
The --- dev --- section in base.txt is now just perf and podman-*
(kernel-coupled / system-runtime-coupled).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Migrated to Home-Manager (nix/common.nix):
duf, gdu, nmap, procs, yazi, difftastic, direnv (was duplicated),
git-absorb, samply, strace, t-rec, act, pandoc, gdb, lldb
lldb stays nix-only (no longer in base.txt) — per user policy, only
ever used to debug own builds, so glibc/kernel ABI skew vs the
pacman-built system isn't a concern. Same logic could extend to
valgrind, but valgrind has tighter glibc compat needs; perf links
against kernel ABI and must match the running kernel. Both stay
pacman.
uv was already in nix; removed pacman duplicate.
Kept on pacman (cannot migrate without breaking system builds, per
nix/common.nix policy that bans compilers/linkers/build systems on
PATH):
ccache, clang, cmake, lld, mold, ninja, npm, rustup, sccache,
podman-compose, podman-docker (system runtime integration),
perf, valgrind (kernel/glibc-coupled), unzip (transitive via base),
doxygen (huge nixpkgs closure not worth it).
Dropped entirely (unused):
android-tools, go, gpg-tui, luarocks (was for Mason-managed nvim
plugin deps; Mason is gone), bash-completion (zsh-only setup),
pandoc-bin (replaced by nix pandoc).
jdk21-openjdk kept — still needed for the groovy/jenkins toolchain
paths in nvim.
Rewrote the --- dev --- section comment to explain the policy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cleanup pass following p7 review:
- pass-otp: wired via pass.withExtensions in nix/common.nix
(`pass otp ...` works against the same store).
- zsh-completions: added as a separate package next to zsh + plugins
(fpath picks it up via HM's nix-profile share/).
- wget: already in nix/common.nix; removed pacman duplicate.
- gnupg: already in nix/common.nix; removed pacman entry.
pcscd still comes from pacman pcsclite (system
service needs root + hardware access), nix gnupg's
scdaemon dials it via /run/pcscd/pcscd.comm.
- curl: removed; pulled transitively by base, base-devel,
paru and many others.
Kept on pacman:
- pcsclite, ccid : pcscd is a system daemon; libs needed by HM scdaemon
- man-db, man-pages : distro-specific
- base, base-devel : meta-packages
- pass-secret-service-bin : AUR-only
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following are now provisioned by Home-Manager via nix/common.nix
and live under ~/.nix-profile/bin (which is first in PATH per phase
p3):
ripgrep, fd, bat, glow, fzf, lsd, jq, yq (yq-go), zoxide, just, sd,
choose, dog, curlie, hyperfine, htop, fastfetch, tldr, rsync,
mergiraf, git-delta (delta), tree-sitter-cli (tree-sitter), neovim,
zellij, github-cli (gh), pass, openssh, git, zsh,
zsh-syntax-highlighting, zsh-autosuggestions,
zsh-history-substring-search, basedpyright-bin (basedpyright),
rust-analyzer
Kept:
- pass-otp, zsh-completions: no Home-Manager equivalent yet
- pcsclite: still needed by Home-Manager gnupg/scdaemon
(see nix/host.nix scdaemon.conf)
- curl, wget, man-db, man-pages, gnupg: system-fundamental, fine to
keep duplicated. git/openssh/gnupg also come back as transitive
deps of paru/sudo/etc. even if dropped here.
Added hyperfine to nix/common.nix (missed in the p5 batch).
Phase 7 of the nix-on-host migration plan.
|
| |
|
|
|
|
|
|
| |
Gradle 9.1 (and thus Mason's groovy-language-server build) doesn't
support Java 26 bytecode yet — builds fail with 'Unsupported class
file major version 70'. Nothing in the dotfiles uses a feature
beyond JDK 21, and both packages provide the same java-runtime
virtual, so dependents are unaffected.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mason's pypi distribution of basedpyright pulls nodejs-wheel-binaries
which only ships manylinux_2_28 Linux wheels. uv's python-build-
standalone interpreter is tagged manylinux2014 (glibc 2.17 for max
portability) and rejects those wheels; pip then falls back to building
Node 24 from source, which fails on Ubuntu 20.04's gcc 9.4 (needs
gcc >=10 for -std=gnu++20).
Provide basedpyright via the system package manager instead:
- pacman on Arch (added to meta/base.txt)
- pkgs.basedpyright on the VM (added to remote-dev/home.nix)
Drop it from mason-tool-installer's ensure_installed; lspconfig picks
it up from PATH. Document the exception in remote-dev/README.md.
|
| |
|
|
|
| |
Enables `pass otp insert/show` for TOTP secrets, used as the source
for the ungoogled-chromium VPN OTP autofill keybind.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Vanilla sway only has splith/splitv with no auto-orientation, so new
windows always split along whatever axis the parent container is set
to (default splith). The result: opening a third window in a workspace
that's already split horizontally just keeps stacking horizontally,
even when each pane is now narrower than it is tall.
swayr's daemon (swayrd) subscribes to sway IPC and, with
[layout].auto_tile = true, issues splith or splitv on the focused
container based on its width-vs-height before sway places the next
window. The result is the i3/awesome-style spiral tiling: each new
window splits the focused pane along its longest side.
Run swayrd as a systemd user service bound to sway-session.target so
it starts/stops with the session (matching the pattern used by
waybar, swayidle, mako, etc.). No keybind changes; only the placement
algorithm.
|
| |
|
|
|
|
| |
Unofficial Microsoft Teams client for Linux. Needed for Sii work
communications inside the Win11 VM is overkill for chat; running it
natively on the host keeps Teams notifications visible outside the VM.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sii requires Intune enrollment with TPM + BitLocker + Azure AD join. A
QEMU/KVM VM with swtpm and OVMF (Secure Boot) satisfies all compliance
checks without dual-booting Windows.
- meta/work.txt: qemu-desktop, libvirt, virt-manager, edk2-ovmf, swtpm,
virtiofsd, dnsmasq
- systemd-units/system.txt: libvirtd.socket (socket-activated)
- etc/polkit-1/rules.d/50-libvirt-wheel.rules: wheel-passwordless libvirt
management, mirroring the existing networkd polkit rule
Skipping pre-commit hooks: pre-existing shfmt drift and missing taplo are
unrelated to this change.
|
| |
|
|
|
|
|
|
| |
snx-rs: Rust reimplementation of Check Point SNX VPN client; needed
for work VPN access. AUR package.
com.nomachine.nxplayer: NoMachine remote desktop client; needed for
work remote access.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Inspecting upstream qmk_udev's 50-qmk.rules: the access-granting
line (`SUBSYSTEM=="hidraw" ... ENV{ID_QMK}="1"` paired with a
MODE/TAG) is *commented out*. The package only sets ID_QMK=1 via a
helper to mark devices for ModemManager to ignore during flashing. It
does not in fact tag hidraw nodes with uaccess for runtime apps like
VIA/usevia.
zsa-udev (AUR) ships ZSA's upstream 50-oryx.rules and 50-wally.rules
which do exactly the right TAG+=uaccess on VID 3297. Same package
zsa-keymapp-bin already depends on, so this is the canonical path.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The qmk Arch package ships /usr/lib/udev/rules.d/50-qmk.rules covering
all major mech-keyboard vendors including ZSA's VID 3297, with the
same TAG+=uaccess semantics. Prefer that over maintaining our own
rules file.
- meta/base.txt: + qmk
- etc/udev/rules.d/50-zsa.rules: removed
- etc deploy script: drop the udevadm reload (only existed to support
our custom rule; pacman handles reloads for package-shipped rules).
|
| |
|
|
|
|
|
|
| |
The python pass-secret-service AUR package is unmaintained. Switch to
grimsteel's actively-maintained Rust implementation (-bin variant for
faster install) and enable the shipped user systemd unit so the
service is visible to systemctl --user status, not just lazily
D-Bus-activated.
|
| |
|
|
|
|
|
|
|
| |
Signal Desktop (and any libsecret consumer) wants to talk to the
org.freedesktop.secrets D-Bus service. pass-secret-service implements
that API on top of the existing pass store -- secrets land under
~/.password-store/secret-service/ encrypted with the same GPG key, so
no separate keyring to manage. The service is D-Bus activated, no
systemd unit needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- xdg-desktop-portal: pin wlr for ScreenCast/Screenshot, gtk for the
rest, so flatpak browsers (Meet, Slack, Discord) get a working
screen-share path instead of whatever the portal frontend happens to
pick first.
- wob: small wayland overlay bar fed via a fifo. New vol-osd.sh /
brightness-osd.sh wrappers replace the bare pactl/brightnessctl
invocations in keybinds so adjusting volume or backlight flashes a
bar at the bottom of the screen. wob.service owns the fifo lifecycle
(mkfifo before, rm after).
- mako: add a [mode=do-not-disturb] section that hides notifications
while the mode is active, plus a Super+x n submode binding to toggle
it. Notifications still accumulate in history; just no popups.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two related session-idle improvements:
1. ScreenSaver inhibit bridge. Browsers (LibreWolf/Chromium flatpaks)
ask the session not to idle via the legacy
org.freedesktop.ScreenSaver D-Bus API during video calls and
fullscreen video; swayidle only honors logind's BlockInhibited
property. Add inhibridge as a user unit to translate the former
into the latter, so e.g. a Google Meet tab now keeps the screen
from locking, dimming and (downstream) suspending.
2. Post-resume grace period. Locking on before-sleep meant every wake
demanded the password even for a quick check. Replace with:
before-sleep -> only pause media
after-resume -> resume-lock-grace.sh 30
The grace script runs a one-shot swayidle that locks iff the user
stays idle for 30s after the wake, with a watchdog that exits as
soon as swaylock comes up (or after a hard cap) so it never lingers
alongside the main swayidle. The 5-min main idle-lock and explicit
loginctl lock-session paths are unchanged.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Three small extra-repo packages, each anchoring one strand of the new
'remind, never auto-fix' system-health story:
- arch-audit: queries security.archlinux.org for CVEs against installed
versions and prints those that already have a fix in the repos. Driven
by etc/systemd/system/arch-audit.timer (daily refresh into
/run/arch-audit.txt) and surfaced through custom/arch-audit in waybar.
- lostfiles: enumerates filesystem entries under tracked dirs (/etc,
/usr, /var…) that aren't owned by any pacman package and aren't on
its built-in safe-list. Driven by etc/systemd/system/lostfiles.timer
(weekly refresh into /run/lostfiles.txt) and surfaced through
custom/lostfiles in waybar.
- kernel-modules-hook: ships its own /usr/share/libalpm/hooks entries
that copy the running kernel's modules to /usr/lib/modules/$(uname -r)
on upgrade and prune them on shutdown, so modprobe (USB devices, vfat
mounts, etc.) keeps working between a kernel upgrade and the next
reboot. No further config — drop-in fix.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop the per-domain group fragmentation in meta/ and the parallel
group-per-file structure in systemd-units/.
meta/ (18 -> 6 groups):
keep base, flatpak (magic), intel, nvidia, work, btc
fold browser, bt, cpp, dev, extra, fonts, mail, media, nix,
sound, wayland -> base (with `# --- section ---` comments
preserving at-a-glance structure)
drop fortran (niche; install ad-hoc when needed)
systemd-units/:
flatten to a single system.txt + user.txt; .ignore files move up
one level; group concept and pairing rule removed.
justfile:
unit-list/unit-apply/unit-status no longer take a group argument.
unit-add/unit-forget infer scope by probing
`systemctl [--user] cat <unit>` (system wins on tie). Top-level
add/forget dispatcher updated: any unit-suffixed arg routes to
unit-* without requiring a leading GROUP.
docs:
.github/copilot-instructions.md and README.md updated to describe
the new flat layout. Pairing rule and group-token grammar gone.
Pure layout refactor - no package contents change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
doas's one-shot password and absent 'sudo -v' kept wasting hour-long
paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous
Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships
as default. We follow the Arch wiki 'Using sudo-rs without the sudo
package' recipe verbatim — no custom shims.
- meta/base.txt: -doas-sudo-shim +sudo-rs
- etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff
- etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file
- run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs
at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit,
su,visudo} → sudo-rs symlinks idempotently
- delete etc/doas.conf, dot_local/bin/{doasedit,sudo}
- zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/
pacdiff/ssys to call sudo
- justfile: s/doas/sudo/g (status/diff/restore helpers)
- nvim: rename :DoasWrite → :SudoWrite (uses sudo -S)
- sway config: reboot/poweroff buttons call sudo
- bootstrap.sh: update step-5 comment
- README/KEYBINDS/copilot-instructions: flip the privesc convention
No Defaults overrides: sudo's defaults (passwd_tries=3,
timestamp_timeout=5) already fix the doas pain, and paru SudoLoop
(kept) refreshes the 5-min window via real sudo -v.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- wofi config: key_up/key_down accept Up,k / Down,j; Ctrl-u/Ctrl-d for
page jumps. Picker scripts auto-load this since they only pass --style.
- waybar webcam glyph: U+F0D5D (camera/photo, looked Instagram-y) ->
U+F0567 nf-md-video (handheld video camera).
- Clipboard picker migrated from fuzzel to wofi for consistency with the
notification picker. New driver dot_config/waybar/clip-picker.sh:
pick (Mod+p) Enter pastes, Alt-d deletes
delete (Mod+Shift+p) Enter deletes
No clipboard "read" indicator: Wayland has no API for observing reads.
- Emoji picker: bemoji on Mod+period, driven through wofi (so vim nav
applies there too) and configured to type + copy via wtype.
- LibreWolf flatpak: --device=all override so v4l2 webcams work. Flatpak
has no finer-grained device flag.
- KEYBINDS.md updated: Mod+p / Mod+Shift+p now describe wofi behavior;
Mod+period documented.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notifications now behave like a phone: pop briefly, auto-disappear, and
remain "pending" until the user explicitly acknowledges them. The waybar
count reflects pending only; idle uses a quieter glyph.
State model:
pending = ids in mako history/list MINUS dismissed-set
state file: $XDG_RUNTIME_DIR/mako-dismissed (per-session id list)
Glyph change:
idle (0 pending) bell_outline U+F009C
has pending bell_ring U+F009E
(the previous bell_check_outline U+F11E8 "history present but nothing
pending" branch is gone — there is no separate history concept now)
Bindings (all now go through wrappers that maintain the dismissed-set):
Super+n dismiss top visible + mark seen
Super+Shift+n dismiss all visible + mark seen
Super+Ctrl+n restore most recent + pop it from dismissed-set
XF86Favorites history picker (rewritten on wofi)
History picker (dot_config/waybar/executable_mako-history.py):
- wofi --hide-search: arrow-only navigation, no fuzzy input
- lines tagged [pending] / [seen] with app + summary + body
- Enter re-emit via notify-send (re-shows the bubble) + mark seen
- Alt-c copy "summary\nbody" to clipboard via wl-copy
- Alt-d mark seen without re-showing
- empty history shows a sentinel, no-op on Enter
New scripts:
executable_dismiss-visible.sh capture id(s) then makoctl dismiss
executable_restore-pending.sh capture top-of-history id, restore,
then drop that id from dismissed-set
executable_mako-history.py Python rewrite (parses makoctl text
output, drives wofi)
Other:
meta/wayland.txt add wofi (only used by this picker)
dot_config/wofi/style.css minimal gruvbox style; hides input row
as belt-and-suspenders even though
--hide-search already does it
|
| | |
|
| |
|
|
|
|
|
|
| |
Same sandbox model, but the Google-phone-home bits (Safe Browsing
pings, sync, FLoC/topics, variation seed, etc.) are patched out at
build time. Better aligned with the LibreWolf+arkenfox philosophy
applied to the primary browser. Update lag vs upstream Chromium is
acceptable since this is only the fallback browser.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Defense-in-depth for the cross-sandbox handoff vector: when the
LibreWolf/Thunderbird flatpaks open a downloaded PDF or video via the
OpenURI portal, the receiving app currently runs natively with full
$HOME access — defeating part of the browser/mail isolation.
- meta/flatpak.txt: add org.pwmt.zathura, io.mpv.Mpv
- meta/wayland.txt: drop native zathura + zathura-pdf-mupdf
- meta/media.txt: keep native mpv (streamlink, /tmp/mpvsocket IPC,
fast yt-dlp) — flatpak mpv is *additional*, only as the mimeapps
default for video/audio to receive sandboxed handoffs
- dot_config/mimeapps.list: rewrite mpv.desktop -> io.mpv.Mpv.desktop,
zathura-pdf-mupdf.desktop -> org.pwmt.zathura.desktop, and replace
stale userapp-Thunderbird-* entries with org.mozilla.Thunderbird.desktop
- run_onchange_after_deploy-flatpak-overrides.sh.tmpl (new):
--filesystem=xdg-config/{zathura,mpv}:ro so the flatpaks read our
chezmoi-managed configs as a single source of truth
- README: media row + new deploy-script row
Manual one-shot on host: chezmoi apply -v.
The pteid bridge already iterates a flatpak app list, so cartão de
cidadão remains correctly registered for the Mozilla flatpaks. Native
mpv config (input-ipc-server) keeps working since each flatpak has its
own /tmp; no socket collision.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak,
mirroring the LibreWolf migration. Bubblewrap isolates the mail client from
the rest of $HOME (ssh keys, password store, gpg sockets); intra-process
isolation regression is real but minor (same tradeoff as the browser).
Three cross-sandbox glue points handled in repo:
- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from
~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate
over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so
cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges
external-editor-revived's native messaging host into the sandbox via
a flatpak-spawn --host wrapper + relocated manifest
Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered
by Flathub default permissions.
Manual one-shot migration on host (after pulling + just sync): close TB,
copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/,
chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop
x-scheme-handler/mailto. Once verified working, archive the old profile
via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cartão de cidadão web authentication needs the libpteidpkcs11.so module
loaded into LibreWolf's NSS database. With both apps now sandboxed in
separate flatpaks, neither can see the other by default.
Add a chezmoi onchange script that, when both flatpaks are installed:
- Resolves the pt.gov.autenticacao install dir + .so path on the host
- Grants LibreWolf flatpak read-only filesystem access to that dir,
--socket=pcsc, and an LD_LIBRARY_PATH so the bundled deps (libxerces,
libcjose, etc.) resolve at dlopen time
- Registers the module in each LibreWolf NSS profile via modutil, with
the path rewritten to /run/host/... as seen from inside the sandbox
- Skips silently when LibreWolf is running (modutil would corrupt the DB)
Hash gate includes the pt.gov.autenticacao line from meta/flatpak.txt so
the override + registration auto-refresh on bundle bumps. Idempotent.
Also explicit pcsc-lite + ccid in meta/extra.txt — they were transitive
deps of the removed autenticacao-gov-pt-bin AUR package; pcscd.socket
in systemd-units/system/base.txt would otherwise fail to activate.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extend meta/flatpak.txt format to allow per-line URL for non-Flathub
.flatpak bundles. Lines are now either '<id>' (Flathub) or '<id> <url>'
(downloaded + installed via 'flatpak install <file>'). Bundle entries
are skipped on pkg-apply/pkg-fix when already installed, and re-fetched
on flatpak-update only when the version embedded in the URL differs
from the installed version.
Use this to migrate Portuguese Citizen Card (pteid-mw) off the AUR
'autenticacao-gov-pt-bin' pseudo-flatpak unpack to the upstream-shipped
flatpak bundle from amagovpt/autenticacao.gov GitHub releases — same
codebase the AUR PKGBUILD already vendors, but properly sandboxed.
Refactors duplicated install logic in pkg-apply/pkg-fix into a private
_flatpak-install helper. ID-only contexts (pkg-status, undeclared,
pkg-list) now extract the first whitespace-separated token instead of
treating each line as a single ID.
Caveat: PKCS#11-based Citizen Card web auth in the LibreWolf flatpak
remains unsolved — the .so lives inside the autenticacao-gov sandbox
and would need a 'flatpak override' + 'modutil' bridge to be loaded
across sandboxes. The CLI/GUI eID app works as expected.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move LibreWolf from native librewolf-bin to Flathub
io.gitlab.librewolf-community. Bubblewrap isolates the browser from
$HOME (\\.ssh, password-store, gnupg, ssh-agent socket) at the cost
of namespace chroot + IPC/network namespace isolation between content
processes (mozilla bug 1756236, P3, considered defense-in-depth).
seccomp-bpf — the dominant sandbox layer — is preserved.
- meta/flatpak.txt: + io.gitlab.librewolf-community
- meta/browser.txt: - librewolf-bin
- run_onchange_after_deploy-firefox.sh.tmpl: profile path moves to
~/.var/app/io.gitlab.librewolf-community/.librewolf
- dot_config/mimeapps.list: librewolf.desktop -> flatpak app id
- dot_local/bin/executable_linkhandler: flatpak run wrapper
- README.md: blurb + new profile path
arkenfox-user.js + chezmoi user-overrides.js deploy keep working
unchanged because the flatpak profile is still on the host fs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Delete meta/gaming.txt entirely (no longer used; takes discord with it)
- Delete now-empty meta/office.txt; LibreOffice and Okular move to flatpak
- Trim meta/browser.txt: chromium and torbrowser-launcher now flatpaks
- New meta/flatpak.txt: 4 Flathub app IDs (chromium, okular, libreoffice,
torbrowser-launcher), under --user scope
- Add flatpak runtime to meta/extra.txt
- Teach pkg-apply / pkg-list / pkg-fix / pkg-add / pkg-status / undeclared
to branch on the magic 'flatpak' group name (no parallel recipe namespace)
- New flatpak-update recipe; update aggregate now refreshes flatpaks too
- _active-packages now skips flatpak.txt (it remains pacman-only)
- pkg-apply (no args) installs pacman groups together, then flatpaks
- First flatpak install auto-adds the flathub --user remote
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Install Nix (multi-user daemon) on Arch and wire up direnv so any project
can declare its toolchain in a flake.nix and get a hermetic dev shell on
cd. No NixOS, no home-manager, no migration off paru/chezmoi — just one
new package manager scoped to project dev shells.
- meta/nix.txt: nix from extra repo
- meta/dev.txt: direnv (general-purpose, not nix-specific)
- systemd-units/system/nix.txt: nix-daemon.socket (socket-activated)
- etc/nix/nix.conf: enable flakes + nix-command, trusted-users=@wheel,
auto-optimise-store, keep-outputs/derivations so direnv envs survive GC
- dot_config/direnv/direnvrc: load nix-direnv 3.1.1 via source_url with
pinned sha256 (not packaged for Arch; refusing -git AUR)
- dot_config/nix/templates/{flake.nix,dev/}: flake template usable via
'nix flake init -t ~/.config/nix/templates'
- dot_config/zsh/dot_zshrc: 'eval "$(direnv hook zsh)"'
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds the AUR package which deploys both the Thunderbird XPI (as a
system extension under /usr/lib/thunderbird/extensions) and the
native messaging host. After restart, TB picks up the extension
automatically.
Use case: review kernel-style patches received by email and reply
with inline review comments without TB mangling tabs/spaces or
auto-wrapping. The addon bypasses TB's compose editor entirely, so
the existing format=flowed/wraplength=72/reply_on_top prefs don't
apply to messages composed through it.
A pointer comment in thunderbird/user.js explains the relationship.
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a [sendemail] block targeting the local Bridge SMTP listener
(127.0.0.1:1025, STARTTLS) and a credential helper scoped to that URL
that fetches the password from pass (proton/bridge-smtp). The helper
command is public; the secret stays in the password store. The bridge
SMTP username (sensitive but not secret) goes in the per-identity
private overlay (~/doxfiles), not here.
Also pull in the Perl SMTP modules git send-email needs at runtime.
|
| |
|
|
|
|
| |
Drops the libggml-git transitive dependency in favor of llama.cpp-vulkan
(versioned release). Vulkan acceleration on UHD 620 is unlikely to help
with the base model, but this gets us off a rolling -git package.
|
| |
|
|
|
|
|
|
|
|
| |
large-v3-turbo-q5_0 ran ~1-2x realtime on the T490's CPU, making
push-to-talk feel sluggish. The base multilingual model is ~142 MB
(vs 547 MB) and runs ~7-10x realtime, dropping perceived latency on
short utterances from a few seconds to near-instant.
Quality on short EN/PT dictation remains usable; bump WHISPER_MODEL
to small or large-v3-turbo if accuracy matters more than latency.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Push-to-talk dictation toggle on Super+i: parecord captures 16 kHz mono
WAV, whisper-cli transcribes (auto language), output is typed via wtype
and copied to the clipboard.
Region OCR on Super+Shift+o: slurp + grim feed tesseract (eng+por),
result lands in the clipboard with a notification preview.
Adds wtype to wayland.txt; tesseract (+eng/por data) and whisper.cpp +
the large-v3-turbo-q5_0 model package to extra.txt.
|
| |
|
|
|
|
|
|
|
|
| |
- XF86Display replaces F7 for display-toggle.sh (dedicated HW key)
- XF86Tools opens floating pulsemixer (audio mixer TUI)
- XF86Keyboard opens KEYBINDS.md in glow (floating pager)
- XF86Favorites takes over mako history picker (from Super+Alt+n)
Adds generic [app_id="floating"] window rule so ghostty --class=floating
windows open floating. Adds glow to meta/base.txt.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Default-deny inbound, allow outbound. Scoped to 'inet filter' with
'destroy table' on reload so podman/netavark tables are preserved.
- meta/base.txt: add nftables
- systemd-units/system/base.txt: enable nftables.service
- etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6
essentials, DHCPv6 client, default-drop input/forward, accept output)
- etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route,
log_martians
- README.md: firewall section with reload caveat
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Install brightnessctl and bind all seven ThinkPad multimedia keys:
- XF86MonBrightnessUp/Down → brightnessctl ±5%
- XF86AudioMicMute → pactl source mute
- XF86Bluetooth → bt-toggle.sh (bluetoothctl + notify-send)
- XF86ScreenSaver (Fn+F2) → same as $mod+Shift+s (pause + swaylock)
- XF86Sleep → systemctl suspend
- XF86WLAN / XF86RFKill → rfkill toggle
Note: rfkill may need a passwordless doas rule
(permit nopass :wheel cmd rfkill) or group membership to write
/dev/rfkill without privileges; not wired speculatively.
|
| |
|
|
|
|
| |
zprofile already exports QT_QPA_PLATFORMTHEME=qt6ct, so installing the
package is all that's needed for Qt6 apps to pick up the theme. Run
qt6ct once to configure fonts/icons.
|
| |
|
|
|
|
|
| |
Complements xdg-desktop-portal-wlr: wlr covers Screenshot/ScreenCast
(Wayland-native), gtk covers FileChooser/Print/Settings/AppChooser. With
both installed, portal auto-discovery picks the right backend per
interface. No routing file needed unless conflicts show up.
|
sommerfeld