From 3fc4705b6c711871a920290feef138694e72d29a Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Thu, 14 May 2026 10:58:37 +0100 Subject: feat: teams autostart, llama-cpp-vulkan ignore, snxctl-chromium wrapper MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit systemd/user/teams-{sii,xsight}.service: autostart both Teams flatpak profiles on sway-session.target login. KillMode=mixed so SIGTERM hits only the wrapper process — both instances share the same flatpak app id, so killing by app id would take down the sibling instance. A 15s SIGKILL fallback covers the case where Electron tray-hides instead of quitting. Both units listed in systemd-units/user.txt. etc/pacman.conf: IgnorePkg = llama-cpp-vulkan. The AUR package rebuilds on every llama.cpp commit (multi-hour build). Update manually with `paru -S llama-cpp-vulkan` when intended. snxctl-chromium wrapper: - dot_local/share/snx-rs/bin/xdg-open: shim that flatpak-runs ungoogled-chromium, used only by snx-rs. - dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf: drop-in prepending that dir to the daemon's PATH so snx-rs's opener-crate call to xdg-open lands in chromium, without affecting xdg-open for any other process. - dot_local/bin/snxctl-chromium: convenience wrapper that daemon-reloads and restarts snx-rs.service if the drop-in isn't yet applied, then execs `snxctl connect`. firefox/user-overrides.js: revert the dom.security.https_only_mode. upgrade_local and network.lna.local-network-to-localhost.skip-checks prefs — they didn't actually fix the SAML flow. Replaced with a comment pointing to the wrapper instead. --- firefox/user-overrides.js | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'firefox') diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js index 6265f95..52059c2 100644 --- a/firefox/user-overrides.js +++ b/firefox/user-overrides.js @@ -29,14 +29,16 @@ user_pref("media.gmp-manager.url", "https://aus5.mozilla.org/update/3/GMP/%VERSI /** Network **/ user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled -/** Loopback callbacks (VPN/SSO clients like snx-rs, Forticlient) **/ -// snx-rs and similar VPN clients land SAML callbacks on http://127.0.0.1:/. -// LibreWolf hardens beyond arkenfox by force-upgrading loopback to HTTPS and enabling -// LNA blocking; both break the plain-HTTP loopback handoff. Restoring stock Firefox / -// arkenfox behaviour for loopback only. arkenfox 1245 deliberately leaves upgrade_local -// commented out and does not touch network.lna.*. See LibreWolf issues #2954, #2962. -user_pref("dom.security.https_only_mode.upgrade_local", false); -user_pref("network.lna.local-network-to-localhost.skip-checks", true); +// NOTE on snx-rs SAML loopback callbacks (Check Point VPN): +// LibreWolf force-upgrades http://127.0.0.1:/ to HTTPS and +// enables LNA blocking, which both break the snx-rs SAML handoff. +// `dom.security.https_only_mode.upgrade_local = false` and +// `network.lna.local-network-to-localhost.skip-checks = true` were tried +// here and did NOT actually fix the SAML flow — left disabled. The +// working fix is the wrapper script ~/.local/bin/snxctl-chromium, which +// routes snx-rs's xdg-open through flatpak ungoogled-chromium via a +// systemd --user drop-in. See dot_local/share/snx-rs/bin/xdg-open and +// dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf. /** Resist Fingerprinting **/ user_pref("privacy.resistFingerprinting.testGranularityMask", 4); -- cgit v1.3.1