Enable the netboot buildmode in profiledef.sh so mkarchiso produces a
netboot tarball (kernel + initrd + squashfs) alongside the ISO. Add
--netboot-url flag to build.sh which generates a ready-to-chainload
m-archy-netboot.ipxe script. Document the full netboot.xyz deployment
workflow in docs/md/archiso.md.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- docs/md/niri.md: full reference for the Niri DE — overview table,
config file map, Niri vs Hyprland comparison, complete keybindings
reference, EWW bar, wallpaper/lock/idle, screen rotation, installer
instructions
- docs/md/index.md: updated tagline (Hyprland → Wayland), added Niri
to the doc index table, updated repo layout tree
- docs/md/installation.md: Niri added to DE list; answerfile example
updated to hyprlua
- docs/md/modules.md: hyprlua and niri added to DE table with links;
hyprlua marked as recommended
- docs/md/hyprland.md: cross-reference to Niri docs added

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

policy-scan-notify is now a FreeIPA *user* group instead of a host group,
so alert notifications follow the user to every enrolled machine. The
fetch-alerts timer is installed fleet-wide on any host where the group exists;
the profile.d snippet gates notification daemon start on runtime group
membership (id(1) / SSSD) so non-members log in unaffected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

policy-block-binary-<name> is now a FreeIPA *user* group instead of a host group,
so restrictions follow the user to every enrolled machine. The PATH wrapper is
installed on all hosts and checks group membership at runtime via id(1)/SSSD,
passing non-members through transparently. `__` in the group name decodes to `.`
so Flatpak app IDs are supported (flatpak run fallback included). AppArmor layer
removed since per-user confinement requires a different approach and the wrapper
alone is sufficient. Adds local_sudo_<username> host group policy which writes
a sudoers drop-in granting that user full sudo on the specific device, reverted
on group leave.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

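Added example, not code from this repository: a sketch of the runtime check the policy-block-binary commit above describes, with the group prefix and the `__` to `.` decoding taken from the commit message. The function names, `WRAPPER_DIR` and the exit codes are assumptions, and the Flatpak fallback is left out.

```shell
# Hypothetical PATH-wrapper helpers (POSIX sh). Only the group prefix and the
# "__" <-> "." rule come from the commit message; all names here are assumed.
POLICY_PREFIX="policy-block-binary-"
WRAPPER_DIR="${WRAPPER_DIR:-/usr/local/policy-wrappers}"  # assumed location

# Group name -> restricted name: strip the prefix, decode "__" to ".".
decode_target() {
    printf '%s\n' "${1#"$POLICY_PREFIX"}" | sed 's/__/./g'
}

# Restricted name -> group name. A name containing a literal "__" cannot be
# represented unambiguously under this encoding.
group_for_target() {
    printf '%s%s\n' "$POLICY_PREFIX" "$(printf '%s' "$1" | sed 's/\./__/g')"
}

# Runtime lookup through id(1), which resolves FreeIPA groups via SSSD.
lookup_groups() { id -nG "$1" 2>/dev/null; }

# Succeeds when the user is in the blocking group for the target. Whole-line
# fixed-string match, so "...-steam-extra" never matches "...-steam".
is_blocked() {
    blk_user=${2:-$(id -un)}
    blk_group=$(group_for_target "$1")
    lookup_groups "$blk_user" | tr ' ' '\n' | grep -Fxq -- "$blk_group"
}

# First executable with this name on PATH outside the wrapper directory.
find_real() {
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        IFS=$old_ifs
        [ "$dir" = "$WRAPPER_DIR" ] && continue
        if [ -x "$dir/$1" ]; then printf '%s\n' "$dir/$1"; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Wrapper body: deny group members, pass everyone else to the real binary.
run_wrapped() {
    target=$1; shift
    if is_blocked "$target"; then
        echo "$target: blocked by policy group $(group_for_target "$target")" >&2
        return 126
    fi
    real=$(find_real "$target") || return 127
    "$real" "$@"
}
```
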
Adds a new host group policy `no_local_users` that locks the passwords of root
and all local users (UID >= 1000) via `passwd -l`, ensuring only FreeIPA domain
accounts with centrally-managed sudo rules can authenticate and gain elevated
privileges. Leaving the group reverts by unlocking every account tracked in the
state file. Updates docs with group reference entry and Local User Lockdown section.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

9 Markdown pages covering installation, theming, Hyprland, editors,
modules, archiso, FreeIPA/Ansible, and utilities. md-to-html.sh
converts them to self-contained styled HTML using the live palette
from colors.conf with inline CyberQueer CSS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>