# --- core ---
# Leaf CLI / editor / multiplexer / git stack / json+yaml / system viewers /
# net / debug+trace / docs / secrets — all provisioned via Home-Manager
# from nix/common.nix and live under ~/.nix-profile/bin (first in PATH).
# What stays on pacman in this section is the pieces tightly coupled to
# the distro (man-db/man-pages files), the system runtime (sudo-rs,
# base/base-devel), and things needed pre-bootstrap or by other system
# packages transitively. User-leaf CLIs (chezmoi, paru, qrencode,
# torsocks, lshw) now come from nix/host.nix.
acpid
arch-audit
base
base-devel
btrfs-progs
cpupower
dashbinsh
dosfstools
fwupd
iwd
kernel-modules-hook
linux-firmware
mkinitcpio-firmware
linux-hardened
linux-hardened-headers
linux-lts
linux-lts-headers
lostfiles
man-db
man-pages
nfs-utils
nftables
ocl-icd
overdue
pacman-cleanup-hook
pacman-contrib
pbzip2
pigz
pkgstats
rebuild-detector
reflector
sbctl
smartmontools
sudo-rs
systemd-resolvconf
tlp
wireguard-tools
zram-generator

# --- bluetooth ---
bluez
bluez-utils
ell

# --- thunderbolt ---
bolt

# --- nix (multi-user daemon mode for hermetic per-project dev shells via
# `nix develop` + direnv `use flake`. Not a replacement for paru/pacman,
# not home-manager, not NixOS — just a sandboxed second package manager
# that gives every project a reproducible toolchain pinned in its own
# flake.lock. Pairs with: systemd-units/system.txt (enables
# nix-daemon.socket), etc/nix/nix.conf, dot_config/direnv/direnvrc,
# dot_config/nix/templates/. nix-direnv itself is loaded at runtime via
# direnv's source_url with a content hash, so no extra package needed.) ---
nix

# --- dev (system-coupled runtimes only — base-devel ships gcc/ld/as/make
# for general-purpose builds; the orchestrators (cmake/ninja/ccache/
# sccache), debuggers and toolchain-specific compilers/linkers live in
# nix instead. clang/lld/mold/rustup/go are intentionally absent — when
# a project needs them, the project's flake.nix + direnv `.envrc`
# provide them. The podman stack (podman, crun, conmon, netavark,
# aardvark-dns, slirp4netns, passt, podman-compose, podman-docker) now
# comes from nix/common.nix — unified across host and VM.) ---
perf # links against running kernel ABI; must match kernel pkg

# --- sound ---
alsa-utils
pipewire
pipewire-alsa
pipewire-jack
pipewire-pulse
# noisetorch # optional

# --- fonts ---
noto-fonts-emoji
otf-font-awesome
otf-latinmodern-math
ttf-dejavu
ttf-fira-code
ttf-noto-nerd
woff2-font-awesome

# --- wayland session ---
# Compositor (ships /usr/share/wayland-sessions/sway.desktop — login-manager
# coupled, must stay on pacman). The user-leaf session tools — waybar,
# fuzzel, wofi, mako, swayidle, swayr, inhibridge, bemoji, ghostty, grim,
# slurp, wf-recorder, wtype, wl-clipboard, cliphist, imv, wl-mirror, wob,
# poweralertd, playerctl, pulsemixer — now come from nix/host.nix.
sway
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
qt5-wayland
qt6-wayland
# Notifications: libnotify provides the system shared lib that other
# pacman packages link against; the user-facing mako daemon is nix.
libnotify
# Lock screen (setuid; PAM-coupled)
swaylock
# org.freedesktop.secrets D-Bus implementation backed by pass. Required
# by Signal Desktop (flatpak) and other libsecret consumers. Ships both
# a D-Bus activation file and a systemd user unit; we enable the unit
# explicitly so it's visible in `systemctl --user status`. Stores
# secrets under ~/.password-store/secret-service/.
pass-secret-service-bin
# Ships ZSA's upstream udev rules (50-oryx.rules, 50-wally.rules) to
# /usr/lib/udev/rules.d/ so VID 3297 hidraw nodes get TAG+=uaccess.
# Required for VIA / usevia.app (WebHID) and Wally flashing of the
# ErgoDox EZ / Moonlander / Voyager.
zsa-udev
# QR (system lib used by zbarcam; the qrencode CLI is in nix/host.nix)
zbar
xorg-xwayland # needed for zbarcam's X11 preview
# Document viewer is the org.pwmt.zathura flatpak (see meta/flatpak.txt) so
# PDFs handed off from the browser/mail sandbox stay sandboxed.
# Misc
brightnessctl
# Userspace sandbox helper (firejail-less). Used by ~/.local/bin wrappers
# for mpv/yt-dlp/streamlink to hide secrets from network parsers; also
# pulled transitively by flatpak.
bubblewrap
libfido2
perl-file-mimeinfo
qt5ct
qt6ct
xdg-user-dirs

# --- browser (LibreWolf flatpak; arkenfox-user.js is the host-side
# hardening overlay deployed by run_onchange_after_deploy-firefox.sh.tmpl) ---
arkenfox-user.js

# --- mail (host-side bits the org.mozilla.thunderbird flatpak depends on) ---
protonmail-bridge-core
# git send-email Perl prereqs (SMTP via local Bridge on 127.0.0.1:1025)
perl-authen-sasl
perl-mime-tools
perl-net-smtp-ssl
# (External Editor Revived's native-messaging host is installed via nix
# on the host — see nix/host.nix — so we don't pay the AUR variant's
# hard `thunderbird` dependency. The bridge into the TB flatpak is
# wired up by run_onchange_after_deploy-tb-eer.sh.tmpl.)

# --- media (mpv is the io.mpv.Mpv flatpak in meta/flatpak.txt; streamlink
# and yt-dlp now come from nix/host.nix and pipe/launch into the flatpak
# mpv via `flatpak run io.mpv.Mpv`, see dot_config/streamlink/config.
# Bitcoin wallet — sparrow — also lives in nix/host.nix.) ---

# --- desktop extras ---
syncthing
udisks2
# Flatpak runtime (apps tracked in meta/flatpak.txt)
flatpak
# Smartcard stack (cartão de cidadão reader + PKCS#11 bridge into flatpak
# browsers). pcscd.socket is enabled by systemd-units/system.txt. pcsclite
# itself is also needed by Home-Manager's gnupg/scdaemon (see nix/host.nix's
# scdaemon.conf — points scdaemon at /usr/lib/libpcsclite.so.1).
pcsclite
ccid

# --- OCR + STT moved to nix/host.nix ---
# tesseract (+ eng/por language data merged via override) and whisper-cpp
# (+ vulkan support, + inline ggml-base.bin model derivation) now come
# from nix/host.nix. The ~/.local/bin/dictate script defaults to
# ~/.nix-profile/share/whisper-cpp-models/ggml-base.bin (overridable via
# WHISPER_MODEL).