Fix NVIDIA GPU detection when supergfxd blacklists modules

bin/omarchy-launch-walker.bak

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Launch the Walker application launcher while ensuring that it's data provider (called elephant) is running first.
+
+# Ensure elephant is running before launching walker
+if ! pgrep -x elephant > /dev/null; then
+  setsid uwsm-app -- elephant &
+fi
+
+# Ensure walker service is running
+if ! pgrep -f "walker --gapplication-service" > /dev/null; then
+  setsid uwsm-app -- walker --gapplication-service &
+fi
+
+exec walker --width 644 --maxheight 300 --minheight 300 "$@"

bin/omarchy-snapshot

@@ -11,7 +11,7 @@ if [[ -z $COMMAND ]]; then
 fi
 
 if ! command -v snapper &>/dev/null; then
-  exit 127 # omarchy-update can use this to just ignore if snapper is not available
+  exit 127
 fi
 
 case "$COMMAND" in
@@ -29,6 +29,13 @@ create)
   echo
   ;;
 restore)
+  echo "⚠️  Snapshot restore will restore the ROOT filesystem only."
+  echo "⚠️  Your /home directory will NOT be affected."
+  echo ""
+  echo "If you need to restore /home:"
+  echo "1. Boot into the snapshot from limine menu"
+  echo "2. /home is NOT included in the snapshot restore"
+  echo ""
   sudo limine-snapper-restore
   ;;
 esac

default/hypr/apps.conf

@@ -15,4 +15,4 @@ source = ~/.local/share/omarchy/default/hypr/apps/telegram.conf
 source = ~/.local/share/omarchy/default/hypr/apps/typora.conf
 source = ~/.local/share/omarchy/default/hypr/apps/terminals.conf
 source = ~/.local/share/omarchy/default/hypr/apps/walker.conf
-source = ~/.local/share/omarchy/default/hypr/apps/webcam-overlay.conf
+source = ~/.local/share/omarchy/default/hypr/apps/webcam-overlay.conf

install/config/all.sh

@@ -37,6 +37,10 @@ run_logged $OMARCHY_INSTALL/config/hardware/usb-autosuspend.sh
 run_logged $OMARCHY_INSTALL/config/hardware/ignore-power-button.sh
 run_logged $OMARCHY_INSTALL/config/hardware/nvidia.sh
 run_logged $OMARCHY_INSTALL/config/hardware/vulkan.sh
+run_logged $OMARCHY_INSTALL/config/supergfxd-nvidia-fix.sh
+run_logged $OMARCHY_INSTALL/config/nvidia-suspend-fix.sh
+run_logged $OMARCHY_INSTALL/config/boot-permissions-fix.sh
+run_logged $OMARCHY_INSTALL/config/snapper-home-config.sh
 
 run_logged $OMARCHY_INSTALL/config/hardware/intel/video-acceleration.sh
 run_logged $OMARCHY_INSTALL/config/hardware/intel/lpmd.sh

install/config/boot-permissions-fix.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Fix /boot permissions security issue
+# The random seed file and /boot mount should not be world accessible
+# See: https://github.com/basecamp/omarchy/issues/5377
+
+echo "Fixing /boot permissions for better security..."
+
+# Detect boot filesystem type
+boot_fs_type=""
+boot_mount_options=""
+
+if command -v findmnt >/dev/null 2>&1 && findmnt -n --target /boot >/dev/null 2>&1; then
+  boot_fs_type="$(findmnt -n -o FSTYPE --target /boot 2>/dev/null)"
+  boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+fi
+
+if [[ "$boot_fs_type" =~ ^(vfat|fat|msdos)$ ]]; then
+  echo "/boot is on $boot_fs_type; applying mount masks because chmod doesn't change effective permissions on FAT"
+
+  # Check if restrictive mount options already exist
+  if [[ "$boot_mount_options" == *"umask=0077"* ]] || [[ "$boot_mount_options" == *"dmask=0077"* && "$boot_mount_options" == *"fmask=0177"* ]]; then
+    echo "/boot already has restrictive mount options"
+  else
+    sudo mount -o remount,dmask=0077,fmask=0177 /boot 2>/dev/null || echo "Warning: Could not remount /boot with restrictive permissions"
+    echo "Note: Add dmask=0077,fmask=0177 to /etc/fstab for persistence across reboots"
+  fi
+else
+  # /boot is on a normal filesystem (ext4/btrfs etc)
+
+  # Check if /boot is a separate mount point
+  if findmnt -n --target /boot >/dev/null 2>&1; then
+    # Fix /boot directory permissions (should be 700)
+    sudo chmod 700 /boot 2>/dev/null || echo "Warning: Could not change /boot permissions"
+
+    # Fix random-seed file permissions if it exists
+    if [[ -f /boot/loader/random-seed ]]; then
+      sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Warning: Could not change random-seed permissions"
+    fi
+
+    # Verify the fix
+    boot_perms=$(stat -c %a /boot 2>/dev/null)
+    if [[ "$boot_perms" == "700" ]]; then
+      echo "✓ /boot permissions fixed to 700"
+    fi
+  else
+    echo "/boot is not a separate mount (permissions handled by root filesystem)"
+  fi
+fi
+
+# Run bootctl random-seed to ensure correct permissions on random seed
+if command -v bootctl >/dev/null 2>&1; then
+  sudo bootctl random-seed 2>/dev/null || true
+fi
+
+echo "Boot permissions fix complete!"

install/config/nvidia-suspend-fix.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Fix NVIDIA + hyprlock suspend freeze issue
+# See: https://github.com/basecamp/omarchy/issues/5277
+
+echo "Applying NVIDIA suspend fix..."
+
+# The issue is that hyprlock holds DRM/GBM resources during suspend,
+# preventing NVIDIA from entering proper suspend state
+
+# Check if user is on NVIDIA
+if command -v nvidia-smi &>/dev/null; then
+  echo "NVIDIA GPU detected, applying suspend fix..."
+
+  # Create a systemd service to stop hyprlock before suspend
+  # The - prefix makes pkill non-fatal when hyprlock isn't running
+  cat << 'SYSTEMD' | sudo tee /etc/systemd/system/hyprlock-suspend.service > /dev/null
+[Unit]
+Description=Stop hyprlock before suspend/hibernate
+Before=suspend.target hibernate.target hybrid-suspend.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/bin/pkill -STOP hyprlock
+RemainAfterExit=yes
+ExecStop=-/usr/bin/pkill -CONT hyprlock
+TimeoutStopSec=5
+
+[Install]
+WantedBy=suspend.target hibernate.target hybrid-suspend.target
+SYSTEMD
+
+  # Reload systemd daemon to recognize the new unit
+  sudo systemctl daemon-reload 2>/dev/null || echo "Warning: Could not reload systemd daemon"
+
+  # Enable the service using chrootable helper if available
+  if command -v chrootable_systemctl_enable >/dev/null 2>&1; then
+    chrootable_systemctl_enable hyprlock-suspend.service 2>/dev/null || echo "Warning: Could not enable hyprlock-suspend service"
+  else
+    sudo systemctl enable hyprlock-suspend.service 2>/dev/null || echo "Warning: Could not enable hyprlock-suspend service"
+  fi
+
+  echo "✓ Created hyprlock-suspend service"
+else
+  echo "No NVIDIA GPU detected, skipping NVIDIA-specific fixes"
+fi
+
+echo "NVIDIA suspend fix complete!"

install/config/snapper-home-config.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Fix snapper /home config creation for chroot installations
+# See: https://github.com/basecamp/omarchy/issues/5344
+
+echo "Ensuring snapper /home config is created..."
+
+# Check if /home is on a separate subvolume or btrfs
+if mountpoint -q /home 2>/dev/null; then
+  # /home is a separate mount point
+  if ! sudo snapper list-configs 2>/dev/null | grep -qE '^home[[:space:]]'; then
+    echo "Creating snapper config for /home..."
+    sudo snapper -c home create-config /home 2>/dev/null || echo "Warning: Could not create /home snapper config"
+  fi
+elif [[ -d /home/.snapshots ]]; then
+  # /home has .snapshots subdirectory, ensure config exists
+  if ! sudo snapper list-configs 2>/dev/null | grep -qE '^home[[:space:]]'; then
+    echo "Creating snapper config for /home subvolume..."
+    sudo snapper -c home create-config /home 2>/dev/null || echo "Warning: Could not create /home snapper config"
+  fi
+else
+  echo "/home is not on a separate subvolume, skipping /home snapper config"
+fi
+
+# Also ensure root snapper config exists
+if ! sudo snapper list-configs 2>/dev/null | grep -qE '^root[[:space:]]'; then
+  echo "Creating snapper config for root..."
+  sudo snapper -c root create-config / 2>/dev/null || echo "Warning: Could not create root snapper config"
+  sudo cp $OMARCHY_PATH/default/snapper/root /etc/snapper/configs/root 2>/dev/null || true
+fi
+
+echo "Snapper config check complete!"

install/config/supergfxd-nvidia-fix.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Fix NVIDIA GPU detection when supergfxd is blacklisting modules
+# See: https://github.com/basecamp/omarchy/issues/5408
+
+echo "Fixing NVIDIA GPU detection..."
+
+SUPERGFXD_CONF="/etc/modprobe.d/supergfxd.conf"
+
+# Check for persisted NVIDIA blacklists from supergfxd regardless of service state
+if grep -Eq '^[[:space:]]*blacklist[[:space:]]+nvidia([_-][[:alnum:]_]+)?([[:space:]]|$)' "$SUPERGFXD_CONF" 2>/dev/null; then
+  echo "Found nvidia blacklist from supergfxd!"
+  echo "Disabling supergfxd to enable NVIDIA..."
+
+  # Disable supergfxd if active or enabled
+  if systemctl is-active --quiet supergfxd 2>/dev/null || systemctl is-enabled --quiet supergfxd 2>/dev/null; then
+    sudo systemctl disable --now supergfxd 2>/dev/null || true
+  fi
+
+  sudo rm -f "$SUPERGFXD_CONF" 2>/dev/null || true
+
+  # Regenerate initramfs
+  sudo mkinitcpio -P 2>/dev/null || true
+
+  echo "✓ Removed supergfxd NVIDIA blacklist"
+  echo "⚠️  Please reboot for changes to take effect"
+else
+  echo "No supergfxd NVIDIA blacklist found, no action needed"
+fi
+
+# Also ensure NVIDIA modules are not blocked elsewhere
+if ls /etc/modprobe.d/*nvidia*.conf 2>/dev/null | grep -v supergfxd | grep -q .; then
+  echo "Warning: Other nvidia blacklist files found:"
+  ls /etc/modprobe.d/*nvidia*.conf 2>/dev/null | grep -v supergfxd
+fi
+
+echo "NVIDIA GPU detection fix complete!"

migrations/1777007500.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Fix /boot permissions security issue
+# See: https://github.com/basecamp/omarchy/issues/5377
+
+echo "Fixing /boot permissions for better security..."
+
+# Detect boot filesystem type
+boot_fs_type=""
+boot_mount_options=""
+
+if command -v findmnt >/dev/null 2>&1 && findmnt -n --target /boot >/dev/null 2>&1; then
+  boot_fs_type="$(findmnt -n -o FSTYPE --target /boot 2>/dev/null)"
+fi
+
+if [[ "$boot_fs_type" =~ ^(vfat|fat|msdos)$ ]]; then
+  echo "/boot is on $boot_fs_type; applying mount masks because chmod doesn't change effective permissions on FAT"
+
+  # Get current mount options before remount
+  boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+
+  # Check if restrictive mount options already exist
+  if [[ "$boot_mount_options" == *"umask=0077"* ]] || [[ "$boot_mount_options" == *"dmask=0077"* && "$boot_mount_options" == *"fmask=0177"* ]]; then
+    echo "/boot already has restrictive mount options"
+  else
+    sudo mount -o remount,dmask=0077,fmask=0177 /boot 2>/dev/null || echo "Warning: Could not remount /boot with restrictive permissions"
+
+    # Re-read mount options after remount to verify
+    boot_mount_options="$(findmnt -n -o OPTIONS --target /boot 2>/dev/null)"
+
+    if [[ "$boot_mount_options" == *"umask=0077"* ]] || [[ "$boot_mount_options" == *"dmask=0077"* && "$boot_mount_options" == *"fmask=0177"* ]]; then
+      echo "✓ /boot mount options now include restrictive umask"
+    else
+      echo "Warning: /boot remounted but restrictive options not detected. Check /etc/fstab for persistence."
+    fi
+  fi
+
+  echo "Note: Add dmask=0077,fmask=0177 to /etc/fstab for persistence across reboots"
+else
+  # Check if /boot is actually a separate mount
+  if findmnt -n --target /boot >/dev/null 2>&1; then
+    # Fix /boot directory permissions (should be 700 for security)
+    sudo chmod 700 /boot 2>/dev/null || echo "Warning: Could not change /boot permissions"
+
+    # Fix random-seed file permissions if it exists
+    if [[ -f /boot/loader/random-seed ]]; then
+      sudo chmod 600 /boot/loader/random-seed 2>/dev/null || echo "Warning: Could not change random-seed permissions"
+    fi
+
+    # Verify the fix
+    boot_perms=$(stat -c %a /boot 2>/dev/null)
+    if [[ "$boot_perms" == "700" ]]; then
+      echo "✓ /boot permissions fixed to 700"
+    fi
+  else
+    echo "/boot is not a separate mount (permissions handled by root filesystem)"
+  fi
+fi
+
+# Also run bootctl random-seed to regenerate with correct permissions
+if command -v bootctl >/dev/null 2>&1; then
+  sudo bootctl random-seed 2>/dev/null || true
+fi
+
+# Guard notify-send for environments without GUI/DBUS
+if command -v notify-send >/dev/null 2>&1 && [[ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ]]; then
+  notify-send "Boot permissions fixed" "Security improvement applied to /boot" || true
+fi
+
+exit 0

migrations/1777007501.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Fix snapper root config for chroot installations
+# See: https://github.com/basecamp/omarchy/issues/5344
+
+echo "Fixing snapper root config..."
+
+# Only proceed if snapper is available
+if ! command -v snapper >/dev/null 2>&1; then
+  echo "snapper not installed, skipping"
+  exit 0
+fi
+
+# Ensure root config exists
+if ! sudo snapper list-configs 2>/dev/null | grep -qE '^root[[:space:]]'; then
+  echo "Creating snapper config for root..."
+  sudo snapper -c root create-config / 2>/dev/null || true
+
+  # Copy default omarchy snapper config if available
+  if [[ -f "$OMARCHY_PATH/default/snapper/root" ]]; then
+    sudo cp "$OMARCHY_PATH/default/snapper/root" /etc/snapper/configs/root 2>/dev/null || true
+  fi
+
+  echo "✓ Created snapper root config"
+else
+  echo "Snapper root config already exists"
+fi
+
+# Note: /home snapper config creation removed as it conflicts with
+# migration 1776927490 which intentionally disables /home snapshots
+# to prevent accidental user data rollback
+
+echo "Snapper config fix complete!"

migrations/1777007502.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Update omarchy-snapshot to include /home exclusion warning
+# See: https://github.com/basecamp/omarchy/issues/5361
+
+echo "Updating omarchy-snapshot with /home exclusion warning..."
+
+SOURCE_SNAPSHOT="$OMARCHY_PATH/bin/omarchy-snapshot"
+TARGET_SNAPSHOT="/usr/local/bin/omarchy-snapshot"
+
+if [[ ! -f "$SOURCE_SNAPSHOT" ]]; then
+  echo "Error: updated snapshot script not found at $SOURCE_SNAPSHOT"
+  exit 1
+fi
+
+if [[ ! -d "$(dirname "$TARGET_SNAPSHOT")" ]]; then
+  echo "Error: target directory $(dirname "$TARGET_SNAPSHOT") does not exist"
+  exit 1
+fi
+
+if ! sudo install -m 0755 "$SOURCE_SNAPSHOT" "$TARGET_SNAPSHOT" 2>/dev/null; then
+  echo "Error: failed to update $TARGET_SNAPSHOT"
+  exit 1
+fi
+
+if ! grep -q "will NOT be affected" "$TARGET_SNAPSHOT" 2>/dev/null; then
+  echo "Error: $TARGET_SNAPSHOT was updated, but the /home exclusion warning is still missing"
+  exit 1
+fi
+
+echo ""
+echo "✓ Updated omarchy-snapshot with /home warning"