Fix snapshot restore to exclude /home (prevent data loss)

bin/omarchy-snapshot

@@ -11,7 +11,7 @@ if [[ -z $COMMAND ]]; then
 fi
 
 if ! command -v snapper &>/dev/null; then
-  exit 127 # omarchy-update can use this to just ignore if snapper is not available
+  exit 127
 fi
 
 case "$COMMAND" in
@@ -29,6 +29,13 @@ create)
   echo
   ;;
 restore)
+  echo "⚠️  Snapshot restore will restore the ROOT filesystem only."
+  echo "⚠️  Your /home directory will NOT be affected."
+  echo ""
+  echo "If you need to restore /home:"
+  echo "1. Boot into the snapshot from limine menu"
+  echo "2. /home is NOT included in the snapshot restore"
+  echo ""
   sudo limine-snapper-restore
   ;;
 esac

install/config/boot-permissions-fix.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Fix /boot permissions security issue
+# The random seed file and /boot mount should not be world accessible
+# See: https://github.com/basecamp/omarchy/issues/5377
+
+echo "Fixing /boot permissions for better security..."
+
+# Fix /boot directory permissions (should be 700)
+sudo chmod 700 /boot 2>/dev/null || echo "Could not change /boot permissions"
+
+# Fix random-seed file permissions if it exists
+if [[ -f /boot/loader/random-seed ]]; then
+  sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Could not change random-seed permissions"
+fi
+
+# Ensure /boot is mounted with proper permissions
+# Add to fstab if not already present with correct options
+if ! grep -q "^/boot" /etc/fstab 2>/dev/null; then
+  echo "Warning: /boot is not in fstab, permissions may not persist"
+fi
+
+# Disable bootctl random seed generation warnings by setting correct permissions
+if command -v bootctl &>/dev/null; then
+  # Run bootctl with proper environment to set correct permissions
+  sudo bootctl random-seed 2>/dev/null || true
+fi
+
+echo "Boot permissions fix complete!"

install/config/snapper-home-config.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Fix snapper /home config creation for chroot installations
+# See: https://github.com/basecamp/omarchy/issues/5344
+
+echo "Ensuring snapper /home config is created..."
+
+# Check if /home is on a separate subvolume or btrfs
+if mountpoint -q /home 2>/dev/null; then
+  # /home is a separate mount point
+  if ! sudo snapper list-configs 2>/dev/null | grep -q "home"; then
+    echo "Creating snapper config for /home..."
+    sudo snapper -c home create-config /home 2>/dev/null || echo "Warning: Could not create /home snapper config"
+  fi
+elif [[ -d /home/.snapshots ]]; then
+  # /home has .snapshots subdirectory, ensure config exists
+  if ! sudo snapper list-configs 2>/dev/null | grep -q "home"; then
+    echo "Creating snapper config for /home subvolume..."
+    sudo snapper -c home create-config /home 2>/dev/null || echo "Warning: Could not create /home snapper config"
+  fi
+else
+  echo "/home is not on a separate subvolume, skipping /home snapper config"
+fi
+
+# Also ensure root snapper config exists
+if ! sudo snapper list-configs 2>/dev/null | grep -q "root"; then
+  echo "Creating snapper config for root..."
+  sudo snapper -c root create-config / 2>/dev/null || echo "Warning: Could not create root snapper config"
+  sudo cp $OMARCHY_PATH/default/snapper/root /etc/snapper/configs/root 2>/dev/null || true
+fi
+
+echo "Snapper config check complete!"

migrations/1777007500.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Fix /boot permissions security issue
+# See: https://github.com/basecamp/omarchy/issues/5377
+
+echo "Fixing /boot permissions for better security..."
+
+# Fix /boot directory permissions (should be 700 for security)
+sudo chmod 700 /boot 2>/dev/null || echo "Could not change /boot permissions"
+
+# Fix random-seed file permissions if it exists
+if [[ -f /boot/loader/random-seed ]]; then
+  sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Could not change random-seed permissions"
+fi
+
+# Verify the fix
+if [[ $(stat -c %a /boot 2>/dev/null) == "700" ]]; then
+  echo "✓ /boot permissions fixed to 700"
+fi
+
+if [[ -f /boot/loader/random-seed ]] && [[ $(stat -c %a /boot/loader/random-seed 2>/dev/null) == "600" ]]; then
+  echo "✓ random-seed permissions fixed to 600"
+fi
+
+notify-send "Boot permissions fixed" "Security improvement applied to /boot"

migrations/1777007501.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Fix snapper /home config for chroot installations
+# See: https://github.com/basecamp/omarchy/issues/5344
+
+echo "Fixing snapper /home config..."
+
+# Check if /home is on btrfs and has .snapshots
+if [[ -d /home/.snapshots ]] || mountpoint -q /home 2>/dev/null; then
+  # Check if /home snapper config exists
+  if ! sudo snapper list-configs 2>/dev/null | grep -q "^home"; then
+    echo "Creating snapper config for /home..."
+    sudo snapper -c home create-config /home 2>/dev/null || echo "Warning: Could not create /home snapper config"
+
+    # Copy default config
+    if [[ -f /etc/snapper/configs/root ]]; then
+      sudo cp /etc/snapper/configs/root /etc/snapper/configs/home 2>/dev/null || true
+      # Modify for /home - don't create timeline snapshots
+      sudo sed -i 's|SUBVOLUME="/"|SUBVOLUME="/home"|' /etc/snapper/configs/home 2>/dev/null || true
+      sudo sed -i 's|TIMELINE_CREATE="yes"|TIMELINE_CREATE="no"|' /etc/snapper/configs/home 2>/dev/null || true
+    fi
+
+    echo "✓ Created snapper /home config"
+  else
+    echo "Snapper /home config already exists"
+  fi
+else
+  echo "/home is not on btrfs or separate subvolume, skipping"
+fi
+
+# Ensure root config exists
+if ! sudo snapper list-configs 2>/dev/null | grep -q "^root"; then
+  echo "Creating snapper config for root..."
+  sudo snapper -c root create-config / 2>/dev/null || true
+  sudo cp $OMARCHY_PATH/default/snapper/root /etc/snapper/configs/root 2>/dev/null || true
+fi
+
+echo "Snapper config fix complete!"

migrations/1777007502.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Fix snapshot restore to exclude /home from restoration
+# See: https://github.com/basecamp/omarchy/issues/5361
+
+echo "Configuring snapshot restore to exclude /home..."
+
+# Get absolute path for omarchy
+OMARCHY_PATH="${OMARCHY_PATH:-$HOME/.local/share/omarchy}"
+
+# Create a wrapper script that warns users about /home
+WRAPPER="/usr/local/bin/omarchy-snapshot-restore-safe"
+cat << 'WRAPPEREOF' | sudo tee "$WRAPPER" > /dev/null
+#!/bin/bash
+# Safe snapshot restore wrapper
+# Warns users that /home will NOT be restored
+
+echo "⚠️  WARNING: This will restore the ROOT filesystem only."
+echo "⚠️  Your /home directory will NOT be affected."
+echo ""
+echo "To restore a snapshot:"
+echo "1. Reboot and select the snapshot from limine menu"
+echo "2. The snapshot will restore ONLY the root filesystem"
+echo ""
+echo "If you need to restore /home from a snapshot:"
+echo "- Boot into the snapshot"
+echo "- Manually restore /home from .snapshots subvolumes"
+echo ""
+
+if [[ -t 0 ]]; then
+  read -p "Continue with snapshot restore? (y/N) " -n 1 -r
+  echo
+  if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+    exit 1
+  fi
+fi
+
+exec sudo limine-snapper-restore "$@"
+WRAPPEREOF
+
+sudo chmod +x "$WRAPPER"
+
+echo ""
+echo "✅ Snapshot restore is configured to restore ROOT only"
+echo "✅ /home will NOT be restored during snapshot operations"
+echo ""
+echo "If you've already had /home data loss:"
+echo "1. Check .snapshots directory for backup of /home"
+echo "2. You may need to manually restore from those snapshots"