diff --git a/bin/omarchy-launch-walker.bak b/bin/omarchy-launch-walker.bak new file mode 100755 index 0000000000..8b239f106c --- /dev/null +++ b/bin/omarchy-launch-walker.bak @@ -0,0 +1,15 @@ +#!/bin/bash + +# Launch the Walker application launcher while ensuring that it's data provider (called elephant) is running first. + +# Ensure elephant is running before launching walker +if ! pgrep -x elephant > /dev/null; then + setsid uwsm-app -- elephant & +fi + +# Ensure walker service is running +if ! pgrep -f "walker --gapplication-service" > /dev/null; then + setsid uwsm-app -- walker --gapplication-service & +fi + +exec walker --width 644 --maxheight 300 --minheight 300 "$@" diff --git a/bin/omarchy-snapshot b/bin/omarchy-snapshot index ee79512a7c..6aa7511350 100755 --- a/bin/omarchy-snapshot +++ b/bin/omarchy-snapshot @@ -11,7 +11,7 @@ if [[ -z $COMMAND ]]; then fi if ! command -v snapper &>/dev/null; then - exit 127 # omarchy-update can use this to just ignore if snapper is not available + exit 127 fi case "$COMMAND" in @@ -29,6 +29,13 @@ create) echo ;; restore) + echo "⚠️ Snapshot restore will restore the ROOT filesystem only." + echo "⚠️ Your /home directory will NOT be affected." + echo "" + echo "If you need to restore /home:" + echo "1. Boot into the snapshot from limine menu" + echo "2. /home is NOT included in the snapshot restore" + echo "" sudo limine-snapper-restore ;; esac diff --git a/default/hypr/apps.conf b/default/hypr/apps.conf index 777692cd49..97f155d227 100644 --- a/default/hypr/apps.conf +++ b/default/hypr/apps.conf 
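Review bot: `bin/omarchy-launch-walker.bak` is added as an executable (mode 100755) under `bin/` with a `.bak` suffix, which reads like a stray backup copy rather than a script meant to ship; nothing else in this diff refers to it. If it is intentional it needs a real name and a caller, otherwise it should be dropped from the commit so an unmaintained launcher variant is not installed alongside the other commands. If it stays, note in a comment that `pgrep -f "walker --gapplication-service"` matches any process whose command line contains that string, and correct the header to read `its data provider`.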
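Review bot: The list printed under `If you need to restore /home:` in the `restore)` branch does not describe a way to restore /home: step 1 boots the root snapshot and step 2 only repeats that /home is excluded, so a user reading it just before a rollback gets contradictory guidance. Either drop the two numbered lines or replace them with the actual procedure. The wording is also load-bearing, because migrations/1777007502.sh greps the installed script for `will NOT be affected`; a comment above the echo lines such as `# migrations/1777007502.sh greps for "will NOT be affected" - keep the wording in sync` would record that. The `case` statement starts and ends outside the hunk.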
@@ -15,4 +15,4 @@ source = ~/.local/share/omarchy/default/hypr/apps/telegram.conf source = ~/.local/share/omarchy/default/hypr/apps/typora.conf source = ~/.local/share/omarchy/default/hypr/apps/terminals.conf source = ~/.local/share/omarchy/default/hypr/apps/walker.conf -source = ~/.local/share/omarchy/default/hypr/apps/webcam-overlay.conf +source = ~/.local/share/omarchy/default/hypr/apps/webcam-overlay.conf \ No newline at end of file diff --git a/install/config/all.sh b/install/config/all.sh index 6926719579..216aba4541 100644 --- a/install/config/all.sh +++ b/install/config/all.sh @@ -37,6 +37,10 @@ run_logged $OMARCHY_INSTALL/config/hardware/usb-autosuspend.sh run_logged $OMARCHY_INSTALL/config/hardware/ignore-power-button.sh run_logged $OMARCHY_INSTALL/config/hardware/nvidia.sh run_logged $OMARCHY_INSTALL/config/hardware/vulkan.sh +run_logged $OMARCHY_INSTALL/config/supergfxd-nvidia-fix.sh +run_logged $OMARCHY_INSTALL/config/nvidia-suspend-fix.sh +run_logged $OMARCHY_INSTALL/config/boot-permissions-fix.sh +run_logged $OMARCHY_INSTALL/config/snapper-home-config.sh run_logged $OMARCHY_INSTALL/config/hardware/intel/video-acceleration.sh run_logged $OMARCHY_INSTALL/config/hardware/intel/lpmd.sh diff --git a/install/config/boot-permissions-fix.sh b/install/config/boot-permissions-fix.sh new file mode 100644 index 0000000000..781336f992 --- /dev/null +++ b/install/config/boot-permissions-fix.sh 
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Fix /boot permissions security issue
+# The random seed file and /boot mount should not be world accessible
+# See: https://github.com/basecamp/omarchy/issues/5377
+
+echo "Fixing /boot permissions for better security..."
+
+# Detect boot filesystem type
+boot_fs_type=""
+boot_mount_options=""
+
+if command -v findmnt >/dev/null 2>&1 && findmnt -n --target /boot >/dev/null 2>&1; then
+ boot_fs_type="$(findmnt -n -o FSTYPE --target /boot 2>/dev/null)"
+ boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+fi
+
+if [[ "$boot_fs_type" =~ ^(vfat|fat|msdos)$ ]]; then
+ echo "/boot is on $boot_fs_type; applying mount masks because chmod doesn't change effective permissions on FAT"
+
+ # Check if restrictive mount options already exist
+ if [[ "$boot_mount_options" == *"umask=0077"* ]] || [[ "$boot_mount_options" == *"dmask=0077"* && "$boot_mount_options" == *"fmask=0177"* ]]; then
+ echo "/boot already has restrictive mount options"
+ else
+ sudo mount -o remount,dmask=0077,fmask=0177 /boot 2>/dev/null || echo "Warning: Could not remount /boot with restrictive permissions"
+ echo "Note: Add dmask=0077,fmask=0177 to /etc/fstab for persistence across reboots"
+ fi
+else
+ # /boot is on a normal filesystem (ext4/btrfs etc)
+
+ # Check if /boot is a separate mount point
+ if findmnt -n --target /boot >/dev/null 2>&1; then
+ # Fix /boot directory permissions (should be 700)
+ sudo chmod 700 /boot 2>/dev/null || echo "Warning: Could not change /boot permissions"
+
+ # Fix random-seed file permissions if it exists
+ if [[ -f /boot/loader/random-seed ]]; then
+ sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Warning: Could not change random-seed permissions"
+ fi
+
+ # Verify the fix
+ boot_perms=$(stat -c %a /boot 2>/dev/null)
+ if [[ "$boot_perms" == "700" ]]; then
+ echo "✓ /boot permissions fixed to 700"
+ fi
+ else
+ echo "/boot is not a separate mount (permissions handled by root filesystem)"
+ fi
+fi
+
+# Run bootctl random-seed to ensure correct permissions on random seed
+if command -v bootctl >/dev/null 2>&1; then
+ sudo bootctl random-seed 2>/dev/null || true
+fi
+
+echo "Boot permissions fix complete!"
\ No newline at end of file
diff --git a/install/config/nvidia-suspend-fix.sh b/install/config/nvidia-suspend-fix.sh
new file mode 100644
index 0000000000..5b03274fd6
--- /dev/null
+++ b/install/config/nvidia-suspend-fix.sh
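Review bot: `findmnt -n --target /boot` does not test whether /boot is its own mount, because `--target` resolves to the filesystem that contains the path and therefore succeeds, reporting the root filesystem's type, when /boot is only a directory on `/`. The `else` message "/boot is not a separate mount" is effectively unreachable as a result, and the FAT/non-FAT decision can be taken on the wrong filesystem. Use a mount-point test instead, e.g. `if mountpoint -q /boot; then` (already used for /home in snapper-home-config.sh) or `findmnt -n --mountpoint /boot`, both for the detection at the top and for the check in the non-FAT branch. migrations/1777007500.sh contains the same two checks. Systems whose ESP is mounted somewhere other than /boot are not handled at all, which deserves a comment in the header.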
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Fix NVIDIA + hyprlock suspend freeze issue
+# See: https://github.com/basecamp/omarchy/issues/5277
+
+echo "Applying NVIDIA suspend fix..."
+
+# The issue is that hyprlock holds DRM/GBM resources during suspend,
+# preventing NVIDIA from entering proper suspend state
+
+# Check if user is on NVIDIA
+if command -v nvidia-smi &>/dev/null; then
+ echo "NVIDIA GPU detected, applying suspend fix..."
+
+ # Create a systemd service to stop hyprlock before suspend
+ # The - prefix makes pkill non-fatal when hyprlock isn't running
+ cat << 'SYSTEMD' | sudo tee /etc/systemd/system/hyprlock-suspend.service > /dev/null
+[Unit]
+Description=Stop hyprlock before suspend/hibernate
+Before=suspend.target hibernate.target hybrid-suspend.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/bin/pkill -STOP hyprlock
+RemainAfterExit=yes
+ExecStop=-/usr/bin/pkill -CONT hyprlock
+TimeoutStopSec=5
+
+[Install]
+WantedBy=suspend.target hibernate.target hybrid-suspend.target
+SYSTEMD
+
+ # Reload systemd daemon to recognize the new unit
+ sudo systemctl daemon-reload 2>/dev/null || echo "Warning: Could not reload systemd daemon"
+
+ # Enable the service using chrootable helper if available
+ if command -v chrootable_systemctl_enable >/dev/null 2>&1; then
+ chrootable_systemctl_enable hyprlock-suspend.service 2>/dev/null || echo "Warning: Could not enable hyprlock-suspend service"
+ else
+ sudo systemctl enable hyprlock-suspend.service 2>/dev/null || echo "Warning: Could not enable hyprlock-suspend service"
+ fi
+
+ echo "✓ Created hyprlock-suspend service"
+else
+ echo "No NVIDIA GPU detected, skipping NVIDIA-specific fixes"
+fi
+
+echo "NVIDIA suspend fix complete!"
\ No newline at end of file
diff --git a/install/config/snapper-home-config.sh b/install/config/snapper-home-config.sh
new file mode 100644
index 0000000000..60ee930f4a
--- /dev/null
+++ b/install/config/snapper-home-config.sh
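Review bot: The unit written by the heredoc has no path that is guaranteed to send SIGCONT after resume: `ExecStop=` runs only when the service is stopped, and with `RemainAfterExit=yes` and no `StopWhenUnneeded=yes` the unit stays active once started, so hyprlock may be left SIGSTOPped (a frozen lock screen the user cannot unlock) and `ExecStart` may not run again on the next suspend. The usual sleep-hook shape is `Before=sleep.target`, `StopWhenUnneeded=yes` and `WantedBy=sleep.target`. `hybrid-suspend.target` is also not a systemd target name as far as I know (the hybrid one is `hybrid-sleep.target`, and `suspend-then-hibernate.target` is not listed), so those sleep modes would not trigger the unit. migrations/1777007503.sh writes the identical unit and needs the same change.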
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Fix snapper /home config creation for chroot installations
+# See: https://github.com/basecamp/omarchy/issues/5344
+
+echo "Ensuring snapper /home config is created..."
+
+# Check if /home is on a separate subvolume or btrfs
+if mountpoint -q /home 2>/dev/null; then
+ # /home is a separate mount point
+ if ! sudo snapper list-configs 2>/dev/null | grep -qE '^home[[:space:]]'; then
+ echo "Creating snapper config for /home..."
+ sudo snapper -c home create-config /home 2>/dev/null || echo "Warning: Could not create /home snapper config"
+ fi
+elif [[ -d /home/.snapshots ]]; then
+ # /home has .snapshots subdirectory, ensure config exists
+ if ! sudo snapper list-configs 2>/dev/null | grep -qE '^home[[:space:]]'; then
+ echo "Creating snapper config for /home subvolume..."
+ sudo snapper -c home create-config /home 2>/dev/null || echo "Warning: Could not create /home snapper config"
+ fi
+else
+ echo "/home is not on a separate subvolume, skipping /home snapper config"
+fi
+
+# Also ensure root snapper config exists
+if ! sudo snapper list-configs 2>/dev/null | grep -qE '^root[[:space:]]'; then
+ echo "Creating snapper config for root..."
+ sudo snapper -c root create-config / 2>/dev/null || echo "Warning: Could not create root snapper config"
+ sudo cp $OMARCHY_PATH/default/snapper/root /etc/snapper/configs/root 2>/dev/null || true
+fi
+
+echo "Snapper config check complete!"
\ No newline at end of file
diff --git a/install/config/supergfxd-nvidia-fix.sh b/install/config/supergfxd-nvidia-fix.sh
new file mode 100644
index 0000000000..faf8385050
--- /dev/null
+++ b/install/config/supergfxd-nvidia-fix.sh
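Review bot: This script creates a snapper config for /home at install time, while migrations/1777007501.sh in the same commit states that /home config creation was removed because it conflicts with migration 1776927490, which intentionally disables /home snapshots to prevent accidental user data rollback. Fresh installs and migrated systems would end up with different snapshot policies, so the two /home branches should be removed, or the reason for keeping them stated in the header. In the root branch, `sudo cp $OMARCHY_PATH/default/snapper/root ...` is unquoted and unguarded: with `OMARCHY_PATH` unset it reads `/default/snapper/root`, and the failure is hidden by `2>/dev/null || true`. The form used in the migration is safer: `if [[ -f "$OMARCHY_PATH/default/snapper/root" ]]; then sudo cp "$OMARCHY_PATH/default/snapper/root" /etc/snapper/configs/root; fi`.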
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Fix NVIDIA GPU detection when supergfxd is blacklisting modules
+# See: https://github.com/basecamp/omarchy/issues/5408
+
+echo "Fixing NVIDIA GPU detection..."
+
+SUPERGFXD_CONF="/etc/modprobe.d/supergfxd.conf"
+
+# Check for persisted NVIDIA blacklists from supergfxd regardless of service state
+if grep -Eq '^[[:space:]]*blacklist[[:space:]]+nvidia([_-][[:alnum:]_]+)?([[:space:]]|$)' "$SUPERGFXD_CONF" 2>/dev/null; then
+ echo "Found nvidia blacklist from supergfxd!"
+ echo "Disabling supergfxd to enable NVIDIA..."
+
+ # Disable supergfxd if active or enabled
+ if systemctl is-active --quiet supergfxd 2>/dev/null || systemctl is-enabled --quiet supergfxd 2>/dev/null; then
+ sudo systemctl disable --now supergfxd 2>/dev/null || true
+ fi
+
+ sudo rm -f "$SUPERGFXD_CONF" 2>/dev/null || true
+
+ # Regenerate initramfs
+ sudo mkinitcpio -P 2>/dev/null || true
+
+ echo "✓ Removed supergfxd NVIDIA blacklist"
+ echo "⚠️ Please reboot for changes to take effect"
+else
+ echo "No supergfxd NVIDIA blacklist found, no action needed"
+fi
+
+# Also ensure NVIDIA modules are not blocked elsewhere
+if ls /etc/modprobe.d/*nvidia*.conf 2>/dev/null | grep -v supergfxd | grep -q .; then
+ echo "Warning: Other nvidia blacklist files found:"
+ ls /etc/modprobe.d/*nvidia*.conf 2>/dev/null | grep -v supergfxd
+fi
+
+echo "NVIDIA GPU detection fix complete!"
\ No newline at end of file
diff --git a/migrations/1777007500.sh b/migrations/1777007500.sh
new file mode 100644
index 0000000000..b2245970af
--- /dev/null
+++ b/migrations/1777007500.sh
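Review bot: Every privileged step in the blacklist branch is silenced with `2>/dev/null || true` (`systemctl disable --now`, `rm -f`, `mkinitcpio -P`) and `✓ Removed supergfxd NVIDIA blacklist` is printed regardless, so a failed initramfs rebuild or an undeleted file is reported as success right before the user is told to reboot. Gate the success line on the result, e.g. `if sudo rm -f "$SUPERGFXD_CONF" && sudo mkinitcpio -P; then echo "✓ Removed supergfxd NVIDIA blacklist"; else echo "Warning: supergfxd fix incomplete" >&2; fi`. The file is also deleted without a copy being kept, although a supergfxd blacklist may be a deliberate integrated-GPU choice; that deserves at least a comment. The same suppress-then-report pattern is in migrations/1777007504.sh and, around `snapper create-config`, in migrations/1777007501.sh. The last block matches on file name only (`*nvidia*.conf`, via `ls`), so its "blacklist files found" warning can fire for files that contain no blacklist line.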
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Fix /boot permissions security issue
+# See: https://github.com/basecamp/omarchy/issues/5377
+
+echo "Fixing /boot permissions for better security..."
+
+# Detect boot filesystem type
+boot_fs_type=""
+boot_mount_options=""
+
+if command -v findmnt >/dev/null 2>&1 && findmnt -n --target /boot >/dev/null 2>&1; then
+ boot_fs_type="$(findmnt -n -o FSTYPE --target /boot 2>/dev/null)"
+fi
+
+if [[ "$boot_fs_type" =~ ^(vfat|fat|msdos)$ ]]; then
+ echo "/boot is on $boot_fs_type; applying mount masks because chmod doesn't change effective permissions on FAT"
+
+ # Get current mount options before remount
+ boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+
+ # Check if restrictive mount options already exist
+ if [[ "$boot_mount_options" == *"umask=0077"* ]] || [[ "$boot_mount_options" == *"dmask=0077"* && "$boot_mount_options" == *"fmask=0177"* ]]; then
+ echo "/boot already has restrictive mount options"
+ else
+ sudo mount -o remount,dmask=0077,fmask=0177 /boot 2>/dev/null || echo "Warning: Could not remount /boot with restrictive permissions"
+
+ # Re-read mount options after remount to verify
+ boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+
+ if [[ "$boot_mount_options" == *"umask=0077"* ]] || [[ "$boot_mount_options" == *"dmask=0077"* && "$boot_mount_options" == *"fmask=0177"* ]]; then
+ echo "✓ /boot mount options now include restrictive umask"
+ else
+ echo "Warning: /boot remounted but restrictive options not detected. Check /etc/fstab for persistence."
+ fi
+ fi
+
+ echo "Note: Add dmask=0077,fmask=0177 to /etc/fstab for persistence across reboots"
+else
+ # Check if /boot is actually a separate mount
+ if findmnt -n --target /boot >/dev/null 2>&1; then
+ # Fix /boot directory permissions (should be 700 for security)
+ sudo chmod 700 /boot 2>/dev/null || echo "Warning: Could not change /boot permissions"
+
+ # Fix random-seed file permissions if it exists
+ if [[ -f /boot/loader/random-seed ]]; then
+ sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Warning: Could not change random-seed permissions"
+ fi
+
+ # Verify the fix
+ boot_perms=$(stat -c %a /boot 2>/dev/null)
+ if [[ "$boot_perms" == "700" ]]; then
+ echo "✓ /boot permissions fixed to 700"
+ fi
+ else
+ echo "/boot is not a separate mount (permissions handled by root filesystem)"
+ fi
+fi
+
+# Also run bootctl random-seed to regenerate with correct permissions
+if command -v bootctl >/dev/null 2>&1; then
+ sudo bootctl random-seed 2>/dev/null || true
+fi
+
+# Guard notify-send for environments without GUI/DBUS
+if command -v notify-send >/dev/null 2>&1 && [[ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ]]; then
+ notify-send "Boot permissions fixed" "Security improvement applied to /boot" || true
+fi
+
+exit 0
\ No newline at end of file
diff --git a/migrations/1777007501.sh b/migrations/1777007501.sh
new file mode 100644
index 0000000000..694c323001
--- /dev/null
+++ b/migrations/1777007501.sh
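Review bot: On a FAT /boot the only change this migration makes is `mount -o remount,dmask=0077,fmask=0177`, which lasts until the next reboot; persistence is left to the user through the `Note: Add dmask=0077,fmask=0177 to /etc/fstab` message, and that note is printed even when the restrictive options are already present. Because the script always ends with `exit 0` and a migration presumably runs only once, the mount goes back to its configured masks after a reboot with nothing left to reapply the restriction. The migration should either update the /boot mount options where they are configured or exit non-zero so the gap is visible; install/config/boot-permissions-fix.sh has the same runtime-only remount. The closing `notify-send "Boot permissions fixed"` is also sent regardless of whether the remount or chmod warnings were printed.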
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Fix snapper root config for chroot installations
+# See: https://github.com/basecamp/omarchy/issues/5344
+
+echo "Fixing snapper root config..."
+
+# Only proceed if snapper is available
+if ! command -v snapper >/dev/null 2>&1; then
+ echo "snapper not installed, skipping"
+ exit 0
+fi
+
+# Ensure root config exists
+if ! sudo snapper list-configs 2>/dev/null | grep -qE '^root[[:space:]]'; then
+ echo "Creating snapper config for root..."
+ sudo snapper -c root create-config / 2>/dev/null || true
+
+ # Copy default omarchy snapper config if available
+ if [[ -f "$OMARCHY_PATH/default/snapper/root" ]]; then
+ sudo cp "$OMARCHY_PATH/default/snapper/root" /etc/snapper/configs/root 2>/dev/null || true
+ fi
+
+ echo "✓ Created snapper root config"
+else
+ echo "Snapper root config already exists"
+fi
+
+# Note: /home snapper config creation removed as it conflicts with
+# migration 1776927490 which intentionally disables /home snapshots
+# to prevent accidental user data rollback
+
+echo "Snapper config fix complete!"
\ No newline at end of file
diff --git a/migrations/1777007502.sh b/migrations/1777007502.sh
new file mode 100644
index 0000000000..4b44aa3f27
--- /dev/null
+++ b/migrations/1777007502.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Update omarchy-snapshot to include /home exclusion warning
+# See: https://github.com/basecamp/omarchy/issues/5361
+
+echo "Updating omarchy-snapshot with /home exclusion warning..."
+
+SOURCE_SNAPSHOT="$OMARCHY_PATH/bin/omarchy-snapshot"
+TARGET_SNAPSHOT="/usr/local/bin/omarchy-snapshot"
+
+if [[ ! -f "$SOURCE_SNAPSHOT" ]]; then
+ echo "Error: updated snapshot script not found at $SOURCE_SNAPSHOT"
+ exit 1
+fi
+
+if [[ ! -d "$(dirname "$TARGET_SNAPSHOT")" ]]; then
+ echo "Error: target directory $(dirname "$TARGET_SNAPSHOT") does not exist"
+ exit 1
+fi
+
+if ! sudo install -m 0755 "$SOURCE_SNAPSHOT" "$TARGET_SNAPSHOT" 2>/dev/null; then
+ echo "Error: failed to update $TARGET_SNAPSHOT"
+ exit 1
+fi
+
+if ! grep -q "will NOT be affected" "$TARGET_SNAPSHOT" 2>/dev/null; then
+ echo "Error: $TARGET_SNAPSHOT was updated, but the /home exclusion warning is still missing"
+ exit 1
+fi
+
+echo ""
+echo "✓ Updated omarchy-snapshot with /home warning"
\ No newline at end of file
diff --git a/migrations/1777007503.sh b/migrations/1777007503.sh
new file mode 100644
index 0000000000..81dc491067
--- /dev/null
+++ b/migrations/1777007503.sh
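Review bot: Copying `$OMARCHY_PATH/bin/omarchy-snapshot` into `/usr/local/bin` creates a second, root-owned copy that later changes to `bin/omarchy-snapshot` will not reach, and nothing on this page shows the script being run from `/usr/local/bin`. If the repository's `bin/` is already on PATH the migration is unnecessary, and depending on PATH order the stale copy could shadow the maintained one. If the copy is required, state the reason in the header (for example `# omarchy-snapshot is invoked from /usr/local/bin by CALLER`, with the real caller filled in), and check the variable first with `: "${OMARCHY_PATH:?OMARCHY_PATH is not set}"` so an unset value does not turn the source path into `/bin/omarchy-snapshot`.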
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Fix NVIDIA + hyprlock suspend freeze issue
+# See: https://github.com/basecamp/omarchy/issues/5277
+
+echo "Applying NVIDIA suspend fix..."
+
+# Check if user is on NVIDIA
+if command -v nvidia-smi &>/dev/null; then
+ echo "NVIDIA GPU detected, applying suspend fix..."
+
+ # Create a systemd service to stop hyprlock before suspend
+ # The - prefix makes pkill non-fatal when hyprlock isn't running
+ cat << 'SYSTEMD' | sudo tee /etc/systemd/system/hyprlock-suspend.service > /dev/null
+[Unit]
+Description=Stop hyprlock before suspend/hibernate
+Before=suspend.target hibernate.target hybrid-suspend.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/bin/pkill -STOP hyprlock
+RemainAfterExit=yes
+ExecStop=-/usr/bin/pkill -CONT hyprlock
+TimeoutStopSec=5
+
+[Install]
+WantedBy=suspend.target hibernate.target hybrid-suspend.target
+SYSTEMD
+
+ # Reload systemd daemon to recognize the new unit
+ sudo systemctl daemon-reload
+
+ # Enable the service using chrootable helper if available
+ if command -v chrootable_systemctl_enable >/dev/null 2>&1; then
+ chrootable_systemctl_enable hyprlock-suspend.service 2>/dev/null || echo "Warning: Could not enable hyprlock-suspend service"
+ else
+ sudo systemctl enable hyprlock-suspend.service 2>/dev/null || echo "Warning: Could not enable hyprlock-suspend service"
+ fi
+
+ echo "✓ Created hyprlock-suspend service"
+ echo "✓ hyprlock will stop before suspend and resume after"
+else
+ echo "No NVIDIA GPU detected, skipping NVIDIA-specific fixes"
+fi
\ No newline at end of file
diff --git a/migrations/1777007504.sh b/migrations/1777007504.sh
new file mode 100644
index 0000000000..c17b6acace
--- /dev/null
+++ b/migrations/1777007504.sh
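Review bot: The hyprlock-suspend unit is embedded here as a second copy of the heredoc in install/config/nvidia-suspend-fix.sh, and the two scripts have already drifted: this one calls `sudo systemctl daemon-reload` bare while the installer version suppresses the error and prints a warning. Keeping the unit once as a file in the repository and installing it from both scripts with `sudo install -m 0644` to `/etc/systemd/system/hyprlock-suspend.service` would keep them identical. The result of the `tee` is not checked either, so `✓ Created hyprlock-suspend service` and `✓ hyprlock will stop before suspend and resume after` are printed even if the write or the enable failed.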
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Fix NVIDIA GPU detection when supergfxd is blacklisting modules
+# See: https://github.com/basecamp/omarchy/issues/5408
+
+echo "Fixing NVIDIA GPU detection..."
+
+SUPERGFXD_CONF="/etc/modprobe.d/supergfxd.conf"
+
+# Check for persisted NVIDIA blacklists from supergfxd regardless of service state
+if grep -Eq '^[[:space:]]*blacklist[[:space:]]+nvidia([_-][[:alnum:]_]+)?([[:space:]]|$)' "$SUPERGFXD_CONF" 2>/dev/null; then
+ echo "Found nvidia blacklist from supergfxd!"
+ echo "Disabling supergfxd to enable NVIDIA..."
+
+ sudo systemctl disable --now supergfxd 2>/dev/null || true
+ sudo rm -f "$SUPERGFXD_CONF" 2>/dev/null || true
+
+ # Regenerate initramfs
+ sudo mkinitcpio -P 2>/dev/null || true
+
+ echo "✓ supergfxd disabled"
+ echo "⚠️ Please reboot for NVIDIA modules to load"
+
+ # Guard notify-send for non-GUI environments
+ if command -v notify-send >/dev/null 2>&1 && [[ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ]]; then
+ notify-send "NVIDIA fix applied" "Please reboot to enable NVIDIA GPU" || true
+ fi
+else
+ echo "No supergfxd nvidia blacklist found, no action needed"
+fi
\ No newline at end of file