aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/systemd-units/system
Commit message (Collapse)AuthorAgeFilesLines
* feat(nix): hybrid setup with flakes + direnv for per-project dev shellsLibravatar sommerfeld2026-05-131-0/+3
| | | | | | | | | | | | | | | | | | Install Nix (multi-user daemon) on Arch and wire up direnv so any project can declare its toolchain in a flake.nix and get a hermetic dev shell on cd. No NixOS, no home-manager, no migration off paru/chezmoi — just one new package manager scoped to project dev shells. - meta/nix.txt: nix from extra repo - meta/dev.txt: direnv (general-purpose, not nix-specific) - systemd-units/system/nix.txt: nix-daemon.socket (socket-activated) - etc/nix/nix.conf: enable flakes + nix-command, trusted-users=@wheel, auto-optimise-store, keep-outputs/derivations so direnv envs survive GC - dot_config/direnv/direnvrc: load nix-direnv 3.1.1 via source_url with pinned sha256 (not packaged for Arch; refusing -git AUR) - dot_config/nix/templates/{flake.nix,dev/}: flake template usable via 'nix flake init -t ~/.config/nix/templates' - dot_config/zsh/dot_zshrc: 'eval "$(direnv hook zsh)"'
* feat(net): nftables laptop firewallLibravatar sommerfeld2026-05-131-0/+1
| | | | | | | | | | | | | Default-deny inbound, allow outbound. Scoped to 'inet filter' with 'destroy table' on reload so podman/netavark tables are preserved. - meta/base.txt: add nftables - systemd-units/system/base.txt: enable nftables.service - etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6 essentials, DHCPv6 client, default-drop input/forward, accept output) - etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route, log_martians - README.md: firewall section with reload caveat
* refactor(units): split systemd-units into system/ and user/ treesLibravatar sommerfeld2026-05-133-0/+36
Move the three existing files into systemd-units/system/ and seed systemd-units/user/ with a .ignore stub. Teach the unit-* recipes a user:/system: group-token prefix (bare names keep system semantics for back-compat). unit-apply and unit-status now walk both scopes; user units go through 'systemctl --user' (no sudo), system units via 'sudo systemctl' as before. Soft-fail per unit preserved for both scopes. Top-level add/forget dispatchers need no changes: the unit-extension sniff already routes anything ending in .service/.timer/etc to unit-*, and user:base passes through as the group token. Docs updated in README.md and .github/copilot-instructions.md.
generated by cgit v1.3.1 (git 2.54.0) at 2026-06-01 20:04:11 +0000