From bb607b3cdb027a2d02cf2111b8ee12dab172efad Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Mon, 15 Jun 2026 00:55:43 +0100
Subject: Reduce AUR package surface

Move pass-secret-service, snx-rs, and Sparrow under Nix/Home Manager. Track the snx-rs system unit, pass-secret-service user unit, and pacman cache cleanup hook in the repo. Drop the mkinitcpio firmware metapackage, overdue, pacman-cleanup-hook, and the standalone btc package group.
---
 .../systemd/user/pass-secret-service.service | 10 +++++++++
 etc/pacman.d/hooks/pacman-cache-cleanup.hook | 11 ++++++++++
 etc/systemd/system-sleep/50-snx-rs | 25 ++++++----------------
 etc/systemd/system/snx-rs.service | 13 +++++++++++
 meta/base.txt | 25 +++++++++++-----------
 meta/btc.txt | 3 ---
 meta/work.txt | 1 -
 nix/host.nix | 21 ++++++++++++++++--
 systemd-units/system.txt | 5 ++++-
 9 files changed, 76 insertions(+), 38 deletions(-)
 create mode 100644 dot_config/systemd/user/pass-secret-service.service
 create mode 100644 etc/pacman.d/hooks/pacman-cache-cleanup.hook
 create mode 100644 etc/systemd/system/snx-rs.service
 delete mode 100644 meta/btc.txt

diff --git a/dot_config/systemd/user/pass-secret-service.service b/dot_config/systemd/user/pass-secret-service.service
new file mode 100644
index 0000000..7880170
--- /dev/null
+++ b/dot_config/systemd/user/pass-secret-service.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Expose the libsecret D-Bus API with pass as backend
+
+[Service]
+BusName=org.freedesktop.secrets
+ExecStart=%h/.nix-profile/bin/pass_secret_service
+
+[Install]
+WantedBy=default.target
+Alias=dbus-org.freedesktop.secrets.service
diff --git a/etc/pacman.d/hooks/pacman-cache-cleanup.hook b/etc/pacman.d/hooks/pacman-cache-cleanup.hook
new file mode 100644
index 0000000..a22ff15
--- /dev/null
+++ b/etc/pacman.d/hooks/pacman-cache-cleanup.hook
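Review bot: `BusName=org.freedesktop.secrets` is set in `[Service]` but `Type=` is left at its default, so systemd treats the unit as started as soon as `pass_secret_service` is spawned rather than when the org.freedesktop.secrets name is actually owned on the session bus; a libsecret client that races the unit at login can find the name unowned even though the unit reports active. Since the `Alias=dbus-org.freedesktop.secrets.service` line indicates the unit is meant to answer D-Bus activation, adding `Type=dbus` under `[Service]` makes systemd wait for name acquisition and fail the unit if it never happens, which is also what ordering dependents on this unit need.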
@@ -0,0 +1,11 @@
+[Trigger]
+Type = Package
+Operation = Remove
+Operation = Install
+Operation = Upgrade
+Target = *
+
+[Action]
+Description = Removing obsolete cached package files (keeping the latest two)...
+When = PostTransaction
+Exec = /usr/bin/paccache -rvk2
diff --git a/etc/systemd/system-sleep/50-snx-rs b/etc/systemd/system-sleep/50-snx-rs
index 5241126..3738f72 100755
--- a/etc/systemd/system-sleep/50-snx-rs
+++ b/etc/systemd/system-sleep/50-snx-rs
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Bounce the user-scope snx-rs (Check Point) tunnel around suspend/hibernate.
+# Bounce the system-scope snx-rs (Check Point) tunnel around suspend/hibernate.
 #
 # Problem: during suspend the IKE SA keepalive is interrupted and the SAML
 # session cookie may expire. snx-rs doesn't detect this — the daemon
@@ -25,21 +25,8 @@ case "$1" in
 *) exit 0 ;;
 esac
 
-# Iterate over every logged-in user that has the snx-rs.service enabled.
-# loginctl list-users gives us "UID USER" pairs.
-loginctl list-users --no-legend 2>/dev/null |
- awk '{print $1, $2}' |
- while read -r uid user; do
- [ -n "$uid" ] && [ -n "$user" ] || continue
- runtime="/run/user/$uid"
- [ -d "$runtime" ] || continue
- # Skip users without snx-rs enabled to avoid spurious "Unit not found".
- runuser -u "$user" -- env \
- "XDG_RUNTIME_DIR=$runtime" \
- "DBUS_SESSION_BUS_ADDRESS=unix:path=$runtime/bus" \
- systemctl --user is-enabled snx-rs.service >/dev/null 2>&1 || continue
- runuser -u "$user" -- env \
- "XDG_RUNTIME_DIR=$runtime" \
- "DBUS_SESSION_BUS_ADDRESS=unix:path=$runtime/bus" \
- systemctl --user "$action" snx-rs.service || true
- done
+# The command-mode daemon runs as a system service because it configures
+# routes, DNS, and tunnel interfaces. Ignore missing/disabled states so this
+# hook remains harmless on non-work profiles.
+systemctl is-enabled snx-rs.service >/dev/null 2>&1 || exit 0
+systemctl "$action" snx-rs.service || true
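Review bot: The `[Action]` section execs `/usr/bin/paccache` without declaring the package that provides it; alpm hooks accept `Depends = pacman-contrib` under `[Action]`, which lets pacman refuse to run the hook with a diagnostic instead of failing on a missing executable when pacman-contrib is not installed (for instance on a fresh bootstrap before meta/base.txt has been applied). The comment this commit adds to meta/base.txt records the dependency in prose only, so the hook file itself is the place to make it enforceable. Separately, with `Target = *` across Remove/Install/Upgrade this fires on every transaction, and `-v` makes paccache list each removed file in that transaction's output; drop the flag if that turns out to be noise.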
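Review bot: The new guard `systemctl is-enabled snx-rs.service >/dev/null 2>&1 || exit 0` keys on enablement rather than on running state, so a unit that was enabled but deliberately stopped before suspend is still acted on by `systemctl "$action" snx-rs.service` on resume, while a unit started manually without being enabled is skipped on the way down. If the intent is to bounce whatever is actually running, `systemctl is-active --quiet snx-rs.service` is the more precise gate for the pre-sleep step; `$action` is assigned in the `case "$1"` block above this hunk, so which verbs reach this line cannot be confirmed from here. The trailing `|| true` is fine for a sleep hook, but logging the failure (`|| logger -t 50-snx-rs "snx-rs $action failed"`) would keep a trace in the journal instead of discarding it.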
diff --git a/etc/systemd/system/snx-rs.service b/etc/systemd/system/snx-rs.service
new file mode 100644
index 0000000..6e8953c
--- /dev/null
+++ b/etc/systemd/system/snx-rs.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=SNX-RS VPN client
+After=network.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/home/sommerfeld/.nix-profile/bin/snx-rs -m command -l info
+Restart=on-failure
+RestartPreventExitStatus=1 2 255
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/base.txt b/meta/base.txt
index ac7a749..bb72992 100644
--- a/meta/base.txt
+++ b/meta/base.txt
@@ -5,8 +5,9 @@
 # What stays on pacman in this section is the pieces tightly coupled to
 # the distro (man-db/man-pages files), the system runtime (sudo-rs,
 # base/base-devel), and things needed pre-bootstrap or by other system
-# packages transitively. User-leaf CLIs (chezmoi, paru, qrencode,
-# torsocks, lshw, xdg-utils, syncthing) now come from nix/host.nix.
+# packages transitively. User-leaf CLIs/daemons (chezmoi, paru, qrencode,
+# torsocks, lshw, xdg-utils, syncthing, pass-secret-service) now come
+# from nix/host.nix.
 acpid
 arch-audit
 base
@@ -18,7 +19,6 @@ fwupd
 iwd
 kernel-modules-hook
 linux-firmware
-mkinitcpio-firmware
 linux-hardened
 linux-hardened-headers
 linux-lts
@@ -29,8 +29,8 @@ man-pages
 nfs-utils
 nftables
 ocl-icd
-overdue
-pacman-cleanup-hook
+# Provides paccache for the repo-owned cache cleanup hook under
+# etc/pacman.d/hooks/.
 pacman-contrib
 pbzip2
 pigz
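Review bot: `ExecStart=/home/sommerfeld/.nix-profile/bin/snx-rs` has a root system service (no `User=` is set, and the 50-snx-rs comment in this commit says the daemon configures routes, DNS and tunnel interfaces) execute a binary resolved through a symlink chain that the unprivileged user owns, so anything running as that user can replace what root launches at boot and a user-account compromise becomes root. Pinning the unit to a root-owned path — the resolved `/nix/store/<hash>-snx-rs/bin/snx-rs` path, or a system profile under `/nix/var/nix/profiles/` — closes that, and also makes hardening such as `ProtectHome=yes` and `ProtectSystem=strict` applicable, which the `/home` path currently rules out. The `systemd-units/system.txt` comment added in this commit documents the same user-profile dependency; whether the neighbouring `syncthing@sommerfeld.service` template drops to the user cannot be seen from this diff.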
@@ -115,12 +115,9 @@ libnotify
 # Lock screen (setuid; PAM-coupled)
 swaylock
 
-# org.freedesktop.secrets D-Bus implementation backed by pass. Required
-# by Signal Desktop (flatpak) and other libsecret consumers. Ships both
-# a D-Bus activation file and a systemd user unit; we enable the unit
-# explicitly so it's visible in `systemctl --user status`. Stores
-# secrets under ~/.password-store/secret-service/.
-pass-secret-service-bin
+# org.freedesktop.secrets D-Bus implementation backed by pass now comes
+# from nix/host.nix. The repo-owned user unit remains tracked under
+# dot_config/systemd/user/pass-secret-service.service.
 
 # Ships ZSA's upstream udev rules (50-oryx.rules, 50-wally.rules) to
 # /usr/lib/udev/rules.d/ so VID 3297 hidraw nodes get TAG+=uaccess.
@@ -128,6 +125,9 @@ pass-secret-service-bin
 # ErgoDox EZ / Moonlander / Voyager.
 zsa-udev
 
+# Udev rules for BitBox hardware wallet access from Sparrow.
+bitbox-udev
+
 # QR (system lib used by zbarcam; the qrencode CLI is in nix/host.nix)
 zbar
 xorg-xwayland # needed for zbarcam's X11 preview
@@ -163,10 +163,11 @@ arkenfox-user.js
 # --- media (mpv is the io.mpv.Mpv flatpak in meta/flatpak.txt; streamlink
 # and yt-dlp now come from nix/host.nix and pipe/launch into the flatpak
 # mpv via `flatpak run io.mpv.Mpv`, see dot_config/streamlink/config.
-# Bitcoin wallet — sparrow-wallet — lives in meta/btc.txt.) ---
+# Bitcoin wallet comes from nix/host.nix.) ---
 
 # --- desktop extras ---
 udisks2
+tor
 
 # Flatpak runtime (apps tracked in meta/flatpak.txt)
 flatpak
diff --git a/meta/btc.txt b/meta/btc.txt
deleted file mode 100644
index cbfd863..0000000
--- a/meta/btc.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-bitbox-udev
-sparrow-wallet
-tor
diff --git a/meta/work.txt b/meta/work.txt
index 59c5e66..50a54dc 100644
--- a/meta/work.txt
+++ b/meta/work.txt
@@ -2,7 +2,6 @@ dnsmasq
 edk2-ovmf
 libvirt
 qemu-desktop
-snx-rs
 swtpm
 virt-manager
 virt-viewer
diff --git a/nix/host.nix b/nix/host.nix
index dff9aef..5296af6 100644
--- a/nix/host.nix
+++ b/nix/host.nix
@@ -71,6 +71,12 @@ in
 # `protonmail-bridge-core`.
 protonmail-bridge
 
+# ── Secrets portal ────────────────────────────────────────────────────────
+# D-Bus org.freedesktop.secrets implementation backed by pass. The explicit
+# user unit lives in dot_config/systemd/user/pass-secret-service.service so
+# it can keep the stable unit name and PASSWORD_STORE_DIR drop-in.
+pass-secret-service
+
 # ── Wayland session: bars, launchers, notifiers, daemons ──────────────────
 # Pure user-session GUIs/daemons — no system unit, no D-Bus activation
 # file under /usr/share/dbus-1, no login-manager session entry. The
@@ -104,12 +110,13 @@ in
 playerctl # MPRIS over session bus
 pulsemixer # TUI for PipeWire/PulseAudio
 
-# NOTE: GPU/OpenGL & EGL apps (ghostty, imv, wl-mirror, sparrow) are
+# NOTE: GPU/OpenGL & EGL apps (ghostty, imv, wl-mirror) are
 # intentionally NOT here — they stay on pacman/AUR. Nix-built GL apps on
 # a non-NixOS host can't locate the system Mesa/DRI driver (the FHS
 # /usr/lib drivers don't match nix's search paths) and fail at startup
 # with "missing OpenGL context". On pacman they link against system Mesa.
-# ghostty/imv/wl-mirror live in meta/base.txt; sparrow in meta/btc.txt.
+# ghostty/imv/wl-mirror live in meta/base.txt. Sparrow is JavaFX-based and
+# runs correctly from nix on the host.
 
 # ── General CLIs migrated off pacman ──────────────────────────────────────
 qrencode
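Review bot: The comment added above `pass-secret-service` says the user unit keeps a `PASSWORD_STORE_DIR` drop-in, but the unit this commit adds at dot_config/systemd/user/pass-secret-service.service carries no `Environment=` line and no drop-in file is part of the change, so from this diff alone the daemon's store location is whatever its default is. If the drop-in is tracked elsewhere in the repo, naming it here (for example `# drop-in: dot_config/systemd/user/pass-secret-service.service.d/<file>`) keeps the two files traceable; if it is not, the comment describes configuration that does not exist. The enclosing package list starts outside the hunk.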
@@ -125,6 +132,16 @@ in
 # and backed by etc/systemd/system/syncthing@.service.
 syncthing
 
+# ── Work VPN ──────────────────────────────────────────────────────────────
+# Check Point VPN client. The command-mode system service is repo-owned at
+# etc/systemd/system/snx-rs.service and exposes the daemon that snxctl uses.
+snx-rs
+
+# ── Bitcoin wallet ───────────────────────────────────────────────────────
+# Replaces the former AUR wallet package after host GUI + BitBox smoke
+# testing.
+sparrow
+
 # chezmoi & paru — both are pure user CLIs. `paru` wraps pacman+makepkg
 # but doesn't link them; it just shells out. bootstrap.sh installs a
 # one-shot pacman `chezmoi` for the very first `chezmoi init --apply`,
diff --git a/systemd-units/system.txt b/systemd-units/system.txt
index 16a204c..03abe71 100644
--- a/systemd-units/system.txt
+++ b/systemd-units/system.txt
@@ -24,7 +24,7 @@ lostfiles.timer
 # --- bluetooth ---
 bluetooth.service
 
-# --- btc ---
+# --- privacy network ---
 tor.service
 
 # --- nix (socket-activated builder daemon; the .service spawns on first
@@ -35,5 +35,8 @@ nix-daemon.socket
 # connect, the .socket is what gets enabled) ---
 libvirtd.socket
 
+# --- work VPN (command-mode daemon; binary comes from the user's nix profile) ---
+snx-rs.service
+
 # --- file sync (system template; binary comes from the user's nix profile) ---
 syncthing@sommerfeld.service
-- 
cgit v1.3.1