Thunderbird, KMail, GnuPG, Proton Mail, and a growing list of clients support it out of the box. Once set up, anyone composing an encrypted email to you gets your key automatically.

Here’s how I set it up for mail@gofranz.com, hosted on S3 with CloudFront.

How WKD works

WKD maps an email address to a URL. The local part (before the @) gets SHA-1 hashed and Z-Base-32 encoded into a 32-character string. That string becomes the filename, served from a well-known path on your domain.

There are two methods:

The direct method is simpler — no subdomain, no extra TLS certificate. Most clients try the advanced method first, then fall back to direct.

Prerequisites

• A domain with HTTPS (required — WKD won’t work without it)
• GnuPG 2.1.12+ installed locally
• Your PGP key in your local keyring
• An S3 bucket + CloudFront distribution serving your site

Step 1: Get your WKD hash

GnuPG can compute the hash for you:

gpg --with-wkd-hash -k yourmail@example.com

In the output, look for a line formatted as hash@domain right below your uid — the part before the @ is your WKD hash. For mail@gofranz.com, mine is dizb37aqa5h4skgu7jf1xjr4q71w4paq.

Step 2: Create the directory structure

mkdir -p .well-known/openpgpkey/hu
touch .well-known/openpgpkey/policy

The empty policy file signals that WKD is available on this domain. Without it, clients won’t look further.

Step 3: Export your key

Export the binary format — not ASCII-armored:

gpg --export yourmail@example.com > .well-known/openpgpkey/hu/<your-hash>

Step 4: Jekyll configuration

If you’re using Jekyll (or any static site generator that ignores dotfiles), make sure .well-known gets included in the build output. For Jekyll, add to _config.yml:

include:
  - .well-known

Step 5: S3 upload with correct Content-Type

S3 won’t guess the right content type for an extensionless binary file. Upload the WKD files with an explicit content type before your general s3 sync — this way sync sees the files already exist and skips them, preserving the correct metadata:

aws s3 cp _site/.well-known/openpgpkey/hu/ s3://your-bucket/.well-known/openpgpkey/hu/ \
  --recursive --content-type "application/octet-stream" --profile your-profile
aws s3 sync _site/ s3://your-bucket/ --delete --profile your-profile

Step 6: CloudFront CORS headers

WKD requires Access-Control-Allow-Origin: * on responses. CloudFront doesn’t add this by default.

1. Go to CloudFront → Policies → Response headers policies and create a new policy (I called mine WKD-CORS)
2. Enable CORS and set Access-Control-Allow-Origin to all origins
3. Go to your Distribution → Behaviors and create a new behavior:
   • Path pattern: /.well-known/openpgpkey/*
   • Origin: your S3 origin
   • Response headers policy: WKD-CORS

Step 7: DNS — wildcard gotcha

If your domain has a wildcard DNS record (*.example.com), clients trying the advanced method will get a response from the wildcard instead of a proper “not found.” This can break the fallback to the direct method.

The fix: add a TXT record for _openpgpkey.example.com (the value can be empty). This tells clients that the advanced method isn’t available, and they should use direct.

Verify

Deploy your site, invalidate CloudFront, and test:

gpg --auto-key-locate clear,wkd --locate-keys yourmail@example.com

There are also web-based checkers — wkd.dp42.dev (open-source) and webkeydirectory.com. Note that some checkers report a missing CORS header even when it’s working — CloudFront only returns Access-Control-Allow-Origin when the request includes an Origin header, which is standard behavior. Real email clients send this header.

Who supports WKD?

Adoption is broader than you might expect:

Proton Mail is probably the largest deployment — every @protonmail.com and @proton.me address has WKD set up automatically.

Caveats

• One key per email. WKD serves a single key per address. If you have multiple keys, only one gets published.
• No revocation propagation. If you revoke your key, you need to manually update or remove the file. There’s no automatic mechanism.
• HTTPS required. Self-signed certificates won’t work.
• The advanced method needs a subdomain. If you want to support it, you need openpgpkey.example.com with a valid TLS certificate. For most personal domains, the direct method is sufficient.

It took about 15 minutes to set up, and now anyone with a WKD-capable client can find my key automatically. One less reason to skip encryption.

The main change: Niri implements the org.gnome.Mutter.ScreenCast D-Bus interface, so you use xdg-desktop-portal-gnome instead of the wlr portal.

1. Portal Configuration

Create or update your portals.conf:

[preferred]
default=gtk
# use gnome portal for screen sharing (niri compatible)
org.freedesktop.impl.portal.ScreenCast=gnome
org.freedesktop.impl.portal.Screenshot=gnome

2. Niri Startup Commands

In your niri.kdl config, add these startup commands:

// Export Wayland display and desktop session to D-Bus
spawn-at-startup "dbus-update-activation-environment" "--systemd" "WAYLAND_DISPLAY" "XDG_CURRENT_DESKTOP=niri"

// Restart portal-gnome after niri's ScreenCast D-Bus interface is ready
spawn-at-startup "sh" "-c" "while ! busctl --user status org.gnome.Mutter.ScreenCast >/dev/null 2>&1; do sleep 0.2; done; pkill -f xdg-desktop-portal-gnome"

The second command is the critical bit: xdg-desktop-portal-gnome often starts before Niri’s ScreenCast interface is available. This polls until the interface is ready, then restarts the portal so it picks up the screencasting capability.

3. Required Packages

xdg-desktop-portal-gnome
xdg-desktop-portal-gtk
wayland-protocols
slurp

4. Chrome / WebRTC Black Screen Fix

If you’re getting a black screen when sharing in Chrome or other Chromium-based browsers, it’s because they don’t handle DMA-BUF formats properly. There’s a Niri PR #1791 that adds a SHM (Shared Memory) fallback for PipeWire screencasting.

I’ve packaged this as niri-shm in my panther Guix channel:

;; in px/packages/wm.scm
(define-public niri-shm
  (package
    (inherit niri)
    (name "niri-shm")
    (source
     (origin
       (inherit (package-source niri))
       (patches (list (local-file "patches/niri-shm-support.patch")))))
    (synopsis "Niri with SHM screencast support")
    (description
     "Niri scrollable-tiling Wayland compositor with shared memory (SHM)
fallback for PipeWire screencasting.  This fixes screen sharing in browsers
like Chrome that cannot handle DMA-BUF formats.")))

Use niri-shm in place of niri in your Guix Home config.

5. Guix Home

Putting it all together:

(home-environment
 (packages
  (cons* niri-shm
  (specifications->packages
   (list
         "xdg-desktop-portal-gnome"
         "xdg-desktop-portal-gtk"
         "wayland-protocols"
         "slurp"
         "pipewire"
         "wireplumber"
         ;; ...
         ))))
 (services
  (append (list
        (service home-xdg-configuration-files-service-type
                  `(("niri/config.kdl" ,(local-file "niri.kdl"))
                    ("xdg-desktop-portal/portals.conf" ,(local-file "portals.conf"))))
        (simple-service 'env-vars home-environment-variables-service-type
                        `(("XDG_CURRENT_DESKTOP" . "niri")
                          ("XDG_SESSION_DESKTOP" . "niri")
                          ("XDG_SESSION_TYPE" . "wayland")
                          ("ELECTRON_OZONE_PLATFORM_HINT" . "wayland")
                          ("MOZ_ENABLE_WAYLAND" . "1")
                          ("NIXOS_OZONE_WL" . "1")
                          ("GDK_BACKEND" . "wayland")
                          ("CLUTTER_BACKEND" . "wayland")))
        (service home-dbus-service-type)
        (service home-pipewire-service-type
                 (home-pipewire-configuration
                  (pipewire pipewire)
                  (wireplumber wireplumber))))
        %base-home-services)))

Testing

Use the Mozilla WebRTC Test Page to verify screen sharing works. You should get a prompt to select a screen or window — if the preview shows your desktop, you’re good.

For my full config, checkout my dotfiles.

Iced is a Rust GUI framework that’s been gaining traction. It’s declarative, Elm-inspired, and compiles to native code. What it doesn’t have is a built-in way to render HTML. I wanted to fix that.

I picked up an existing project that had integrated Ultralight — a proprietary rendering engine — and started building iced_webview. I ended up integrating four different rendering backends, which gave me a pretty good picture of where web rendering in Rust actually stands.

The Backends

1. litehtml — The Lightweight Option

litehtml is a lightweight C++ HTML/CSS renderer. I built Rust bindings for it and published them to crates.io — so it’s a pure crates.io dependency, just cargo build and go.

I built out HTTP fetching, image loading, link navigation, text selection, and CSS @import resolution on top of it. For simple content, it’s pretty decent. Think HTML emails, documentation pages, basic content display.

The thing is — litehtml renders a subset of CSS. It has basic flexbox support but no grid, no JavaScript. It draws the full document to a pixel buffer, and the Iced widget handles scrolling from there.

Things like litehtml are lightweight and capable — until you need anything more complex. For a help viewer or a formatted content panel, it’s a solid choice. For anything resembling a modern web page, you’ll hit walls fast.

[dependencies]
iced_webview_v2 = { version = "0.1", features = ["litehtml"] }

2. Blitz — Pure Rust, Modern CSS

Blitz is DioxusLabs’ Rust-native renderer. It uses Firefox’s Stylo engine for CSS resolution and Taffy for layout. That means flexbox and grid support out of the box, all in pure Rust.

Like litehtml, Blitz renders the full document to a buffer and the widget handles scrolling. No JavaScript, no incremental rendering, and :hover CSS styles aren’t visually applied — the hover state is tracked (cursor changes work), but the full CPU re-render is skipped for performance. For static content with modern layouts, it’s a significant step up from litehtml.

Blitz is a git-only dependency — you need to build from the repo, not crates.io:

[dependencies]
iced_webview_v2 = { version = "0.1", default-features = false, features = ["blitz"] }

3. Servo — The Full Browser Engine

Servo is an experimental browser engine, originally from Mozilla Research and now hosted at Linux Foundation Europe. HTML5, CSS3, JavaScript via SpiderMonkey — the full stack. I thought Servo would be the answer. It turns out the story is more nuanced than that.

Servo required a fundamentally different rendering approach. Instead of rendering to a pixel buffer that the widget scrolls, Servo manages its own viewport — I had to build a shader widget that uploads the engine’s pixel buffers to a persistent GPU texture whenever Servo signals a new frame is ready.

When it works, it works great. Pages render correctly, JavaScript executes, the layout matches what you’d expect from a browser. But SpiderMonkey crashes on pages with heavy JavaScript. Not every time - just often enough that you can’t ship it for general use.

On top of that, Servo pulls in a massive dependency tree and produces binaries in the 50-150 MB range. Text selection works visually within Servo (including Ctrl+C via its internal clipboard handling), but the selection can’t be queried from the embedding API. And since both Servo and Blitz depend on Stylo, I had to use Blitz from source instead of crates.io to get matching versions.

Like Blitz, Servo is a git-only dependency — build from the repo:

[dependencies]
iced_webview_v2 = { version = "0.1", default-features = false, features = ["servo"] }

4. CEF / Chromium — The Pragmatic Choice

The Chromium Embedded Framework, accessed through Tauri’s cef-rs bindings, is the fourth backend. It’s not Rust-native. It downloads 200-300 MB of Chromium binaries at build time. It runs a multi-process architecture that requires subprocess handling. And it’s the only option right now if you need full web compatibility in Iced without proprietary licensing.

Like Servo, CEF uses the shader widget path — off-screen rendering mode where the engine manages scrolling and sends viewport-sized frames to the GPU. I had to disable GPU compositing for OSR mode and handle Wayland detection to get it running reliably. On Guix, I created a separate manifest with FHS emulation because CEF’s binaries expect standard library paths.

It’s heavy. It’s not elegant. But it renders everything.

[dependencies]
iced_webview_v2 = { version = "0.1", features = ["cef"] }

Two Rendering Paths

There are two fundamentally different rendering approaches across these backends:

1. Image handle path (litehtml, Blitz): The engine renders the entire document to a pixel buffer. The Iced widget handles scrolling by adjusting which portion of the buffer is visible. Simple, predictable, easy to integrate.
2. Shader widget path (Servo, CEF): The engine manages its own viewport and scrolling. The widget receives viewport-sized frames via direct GPU texture updates.

The split exists because lightweight engines are just layout libraries — they produce pixels and that’s it. Full browser engines have their own event loops, compositing, and need to own the viewport for things like JS scroll events, position: fixed, and sticky elements.

The Engine trait abstraction in iced_webview handles this difference. You swap backends with a feature flag and the widget handles whichever path the backend uses.

Comparison

Where Things Stand

I’ve published iced_webview to crates.io with litehtml as the default backend. It’s the only option for a pure crates.io dependency. For anything beyond basic HTML/CSS, you opt into Blitz, Servo, or CEF via feature flags.

Litehtml is good enough for simple content. Blitz covers the modern CSS gap without leaving the Rust ecosystem. Servo has the most promise long-term but isn’t stable enough yet. CEF is the pragmatic choice when you need things to just work.

If you’re building an Iced application that needs to display web content, you now have options. Do take these with a grain of salt — this is early-stage work, and each backend has its rough edges and things are changing fast.

Check out the GitHub repo or grab it from crates.io.

Networks

IOTA runs three networks:

Setup

Create the config directory and get the starter config:

mkdir -p /etc/iota && cd /etc/iota
curl -L https://fullnode-docker-setup.iota.org/mainnet | tar -zx
mv data/config/fullnode.yaml .

Download the genesis and migration files:

# mainnet, testnet
curl -fLJ https://dbfiles.mainnet.iota.cafe/genesis.blob -o genesis.blob
# mainnet
curl -fLJ https://dbfiles.mainnet.iota.cafe/migration.blob -o migration.blob

For testnet, replace mainnet with testnet in the URLs above. Testnet doesn’t need the migration.blob.

Configuration

The default config uses /opt/iota which is a Docker convention. On Guix, we use /var/lib for service data. Edit /etc/iota/fullnode.yaml:

# Database
db-path: "/var/lib/iota/db"

# Genesis files
genesis:
  genesis-file-location: "/etc/iota/genesis.blob"
migration-tx-data-path: "/etc/iota/migration.blob"  # mainnet only

# Your public hostname - peers need this to find you
p2p-config:
  external-address: /dns/your-hostname.example.com/udp/8084

Leave the rest (seed peers, archive fallback) as-is.

Ports

Make sure these are open:

Test Run

Before setting up the service, you can run the node manually to make sure everything works:

guix shell iota -- iota-node --config-path /etc/iota/fullnode.yaml

Or with debug logging:

guix shell iota -- sh -c 'RUST_LOG="info,iota_core=debug,consensus=debug" iota-node --config-path /etc/iota/fullnode.yaml'

Once you see checkpoints coming in, you’re good to set up the service.

System Service

Add the service:

(use-modules (px services iota))

(services
 (cons* (service iota-node-service-type
                 (iota-node-configuration
                  (config-file "/etc/iota/fullnode.yaml")))
        %base-services))

The service creates an iota user, sets up directories, and handles log rotation.

Start

sudo guix system reconfigure /etc/system.scm

The node starts automatically. Check on it:

sudo herd status iota-node
sudo tail -f /var/log/iota-node.log

Verify

Query the node to see if it’s syncing:

curl -X POST http://localhost:9000 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"iota_getLatestCheckpointSequenceNumber","id":1}'

The checkpoint number should increase over time. Initial sync from genesis is slow - IOTA provides snapshots at dbfiles.iota.org if you want to speed things up.

CLI

The package also includes the iota CLI:

guix shell iota -- iota client

For validator nodes (staking, key generation), see the IOTA operator docs.
The IOTA package is available from my Guix channel: panther.

Guix has a neat trick: guix shell --container --emulate-fhs. Android SDK binaries expect libraries at standard paths like /lib64/ld-linux-x86-64.so.2, which don’t exist on Guix. The --emulate-fhs flag creates these paths, so cmake, ninja, and the NDK toolchain just work. No Docker required.

Setup

First, download the Android SDK. Guix packages sdkmanager from the F-Droid project:

export ANDROID_HOME=$PWD/android-sdk
mkdir -p $ANDROID_HOME

guix shell sdkmanager -- sh -c "
  export ANDROID_HOME='$ANDROID_HOME'
  echo y | sdkmanager --licenses
  sdkmanager 'platforms;android-36' 'build-tools;35.0.0' 'ndk;27.1.12297006'
"

Build

Now build your APK or AAB:

guix shell --container --emulate-fhs --network --pure \
  --share="$HOME/.gradle"="$HOME/.gradle" \
  --share="$ANDROID_HOME"="$ANDROID_HOME" \
  --share="$PWD"="$PWD" \
  openjdk@17:jdk node pnpm coreutils bash grep sed \
  glibc gcc-toolchain zlib which findutils diffutils \
  -- sh -c "
    cd '$PWD'
    export ANDROID_HOME='$ANDROID_HOME'
    export JAVA_HOME=\$(dirname \$(dirname \$(readlink -f \$(which java))))
    unset C_INCLUDE_PATH CPLUS_INCLUDE_PATH CPATH
    pnpm install
    cd android && ./gradlew --no-daemon assembleRelease
"

Output: android/app/build/outputs/apk/release/app-release.apk

For an AAB (Play Store), use bundleRelease instead of assembleRelease.

Run on Device

For live development with hot reload, you need three things: ADB server on the host, Metro bundler, and the app running on your device.

First, download platform-tools and start the ADB server on your host:

guix shell sdkmanager -- sh -c "
  export ANDROID_HOME='$ANDROID_HOME'
  sdkmanager 'platform-tools'
"

$ANDROID_HOME/platform-tools/adb start-server
$ANDROID_HOME/platform-tools/adb devices  # verify device is connected

Start Metro bundler in one terminal:

guix shell node pnpm -- npx react-native start

Run on device in another terminal:

guix shell --container --emulate-fhs --network --pure \
  --share="$HOME/.gradle"="$HOME/.gradle" \
  --share="$ANDROID_HOME"="$ANDROID_HOME" \
  --share="$PWD"="$PWD" \
  --share=/tmp=/tmp \
  openjdk@17:jdk node pnpm coreutils bash grep sed \
  glibc gcc-toolchain zlib which findutils diffutils \
  -- sh -c "
    cd '$PWD'
    export ANDROID_HOME='$ANDROID_HOME'
    export JAVA_HOME=\$(dirname \$(dirname \$(readlink -f \$(which java))))
    export ADB_SERVER_SOCKET=tcp:localhost:5037
    unset C_INCLUDE_PATH CPLUS_INCLUDE_PATH CPATH
    npx react-native run-android
"

The key additions here:

• --share=/tmp=/tmp shares the tmp directory where ADB stores socket info
• ADB_SERVER_SOCKET=tcp:localhost:5037 tells ADB inside the container to connect to the host’s running server instead of starting its own

The app will build, install to your device, and connect to Metro for live reload.

What’s happening?

A few key flags make this work:

• --emulate-fhs creates /lib64/ld-linux-x86-64.so.2 and standard FHS paths that Android SDK binaries expect
• --pure gives you a clean environment without inherited variables
• --network allows Gradle to download dependencies
• unset C_INCLUDE_PATH is extra insurance against header conflicts

The container shares your gradle cache, SDK, and project directory, so subsequent builds are fast.

Signed Release

For a signed release, pass the keystore details as Gradle properties:

guix shell --container --emulate-fhs --network --pure \
  --share="$HOME/.gradle"="$HOME/.gradle" \
  --share="$ANDROID_HOME"="$ANDROID_HOME" \
  --share="$PWD"="$PWD" \
  --share="/path/to/keys"="/path/to/keys" \
  openjdk@17:jdk node pnpm coreutils bash grep sed \
  glibc gcc-toolchain zlib which findutils diffutils \
  -- sh -c "
    cd '$PWD'
    export ANDROID_HOME='$ANDROID_HOME'
    export JAVA_HOME=\$(dirname \$(dirname \$(readlink -f \$(which java))))
    unset C_INCLUDE_PATH CPLUS_INCLUDE_PATH CPATH
    pnpm install
    cd android && ./gradlew --no-daemon \
      -PMYAPP_UPLOAD_STORE_FILE=/path/to/keys/release.keystore \
      -PMYAPP_UPLOAD_STORE_PASSWORD=yourpassword \
      -PMYAPP_UPLOAD_KEY_ALIAS=youralias \
      -PMYAPP_UPLOAD_KEY_PASSWORD=yourpassword \
      -PuseReleaseSigning=true \
      bundleRelease
"

Troubleshooting

Gradle permission errors: If you’ve previously run Docker builds as root, the gradle cache may have wrong permissions:

sudo rm -rf ~/.gradle/native/

CMake crashes (exit 139): Re-download the SDK cmake:

rm -rf android-sdk/cmake
# It re-downloads on next build

Header conflicts / stubs-32.h errors: Make sure you’re using --pure and unsetting the C include paths.

Conclusion

This approach eliminates Docker from the React Native build process on Guix. The FHS container gives you the compatibility you need, while keeping everything in user space. Build times are comparable to Docker, and you have one less layer to debug.

Here’s the stack that makes it happen.

Guix System and Home

GNU Guix is both the operating system and the secret sauce. Unlike traditional distros where configuration sprawls across /etc, shell scripts, and .config files, Guix declares everything in Scheme. The entire system state - services, packages, dotfiles - lives in version-controlled .scm files.

This makes sharing configuration between machines trivial. My ThinkPad and Framework both inherit from a common base:

(use-modules (px system config))

(px-desktop-os
 (operating-system
  (host-name "framework")
  (timezone "Europe/Lisbon")
  ;; Machine-specific bits go here
  ))

The machine-specific stuff (AMD vs Intel GPU, LUKS encryption, power profiles) layers on top.

Fingerprint Login

The Framework’s fingerprint reader works with fprintd, but requires PAM configuration to actually use it for login. In Guix, this means adding a PAM extension:

(simple-service 'fprintd-pam-login
  pam-root-service-type
  (list (pam-extension
         (transformer
          (lambda (pam)
            (if (member (pam-service-name pam) '("greetd" "swaylock"))
                (pam-service
                 (inherit pam)
                 (auth (cons (pam-entry
                              (control "sufficient")
                              (module (file-append fprintd "/lib/security/pam_fprintd.so")))
                             (pam-service-auth pam))))
                pam))))))

After enrolling prints with fprintd-enroll, login and screen unlock accept my fingerprint.

Sudo with YubiKey

For elevated commands, I’ve configured PAM to accept a YubiKey challenge-response instead of typing a password. First, program slot 2 with a challenge-response credential:

guix shell python-yubikey-manager -- ykman otp chalresp --touch 2 <your-secret-hex>

Then add the PAM extension for sudo:

(simple-service 'yubico-pam-sudo
  pam-root-service-type
  (list (pam-extension
         (transformer
          (lambda (pam)
            (if (member (pam-service-name pam) '("sudo"))
                (pam-service
                 (inherit pam)
                 (auth (cons (pam-entry
                              (control "sufficient")
                              (module (file-append yubico-pam "/lib/security/pam_yubico.so"))
                              (arguments '("mode=challenge-response")))
                             (pam-service-auth pam))))
                pam))))))

Now sudo just needs a tap - more secure and more convenient than passwords.

Automatic Dark/Light Themes

I wrote about this previously - Darkman switches themes at sunrise and sunset. What’s changed since then is coverage. The theme switch now propagates to:

• GTK apps (Thunar, GNOME apps) via gsettings
• Foot terminal with custom shell scripts
• Dunst notifications
• VSCode via jq-based settings manipulation
• Waybar with separate CSS files
• Niri window manager focus rings
• Swaylock

Everything shifts from light to dark at sunset without any manual intervention. The scripts live in ~/.local/share/dark-mode.d/ and ~/.local/share/light-mode.d/.

Chrome Hardware Acceleration

Getting Chrome to actually use the GPU on Linux takes some trial and error. I’ve got a custom .desktop launcher that forces Vulkan and VA-API:

google-chrome \
  --use-angle=vulkan \
  --enable-features=VaapiVideoDecoder,VaapiVideoEncoder,VaapiIgnoreDriverChecks,Vulkan,VulkanFromANGLE,DefaultANGLEVulkan,UseMultiPlaneFormatForHardwareVideo

Combined with environment variables for the AMD GPU:

("LIBVA_DRIVER_NAME" . "radeonsi")
("ANGLE_DEFAULT_PLATFORM" . "vulkan")

This enables things like blurred backgrounds in Google Meets and smooth video playback.

Bluetooth Audio That Works

Bluetooth headphones on Linux have historically been painful. WirePlumber’s default configuration often picks the wrong codec or profile. I’ve tuned it for high-quality audio:

bluez_monitor.properties = {
  ["bluez5.enable-sbc-xq"] = true,
  ["bluez5.enable-msbc"] = true,
  ["bluez5.enable-hw-volume"] = true,
  ["bluez5.codecs"] = "[ sbc sbc_xq aac ]",
  ["bluez5.profile"] = "a2dp-sink",
}

After initial pairing, my Nothing Ear (2024) Bluetooth headphones connect automatically, and the audio codec changes depending on whether I’m on a call, or listening to music.

Power Management

The Framework AMD runs the Power Profiles Daemon with aggressive power saving:

(kernel-arguments
 '("pcie_aspm.policy=powersupersave"
   "amdgpu.ppfeaturemask=0xffffffff"))

After 60 minutes of suspend, it hibernates to disk automatically.

On the ThinkPad, TLP handles the same job with Intel-specific tweaks.

Secrets with Tomb

Both machines need access to the same secrets - GPG keys, KeePass database, AWS credentials. I use Tomb to store these in an encrypted container that syncs between machines via Syncthing.

The tomb is encrypted with a GPG key stored on my YubiKey, so unlocking is just another tap:

tomb open .secrets.tomb -k .secrets.tomb.key -gR A1B2C3D4E5F6G7H8 -f

Once mounted, bind mounts put everything in place - ~/.gnupg, ~/.aws, the KeePass database. Same secrets, same workflow, on either machine.

What’s Shared, What’s Not

Both machines pull from the same dotfiles repo. Common configuration includes:

• Darkman theme scripts
• Niri compositor config
• Mail stack (aerc + isync + msmtp)
• Bluetooth audio tuning
• GTK themes and fonts

Machine-specific config stays in separate files:

• GPU drivers and firmware
• Power management (TLP vs PPD)
• Display scaling (Framework’s 3:2 screen needs 1.5x)
• Encryption keys and hardware IDs

Guix’s module system makes this separation clean.

The Result

My laptop boots, I scan my finger, and I’m in a consistent environment whether I’m on the Framework or ThinkPad. Updates pull automatically via unattended upgrades. Theme switches happen without thinking about it. Hardware acceleration works. Audio sounds good.

Is it perfect? Probably not - there’s always something to tweak. But it’s the closest I’ve gotten to a Linux setup that stays out of my way.

The full configuration lives at github.com/franzos/dotfiles.

Why Isolate?

Claude Code has broad file system access by default. While useful, it can easily go sideways. Containers limit the blast radius.

The Command

guix shell --container \
  --expose=$HOME/.gitconfig=$HOME/.gitconfig \
  --share=$HOME/.claude=$HOME/.claude \
  --share=$HOME/.claude.json=$HOME/.claude.json \
  --share=$HOME/.config/claude=$HOME/.config/claude \
  --share=$HOME/.cache/pnpm=$HOME/.cache/pnpm \
  --share=$HOME/.local/share/pnpm=$HOME/.local/share/pnpm \
  --expose=$XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR \
  --preserve='^DBUS_SESSION_BUS_ADDRESS' \
  --preserve='^COLORTERM' \
  --share=$PWD=$PWD \
  --network \
  coreutils bash grep sed gawk git node pnpm gh dunst \
  -- pnpm dlx @anthropic-ai/claude-code --dangerously-skip-permissions

What Each Flag Does

Container Basics

• --container: Creates an isolated environment with its own filesystem view
• --network: Enables network access (required for API calls)
• --share=$PWD=$PWD: Gives Claude read/write access to your current project directory

Claude Configuration (Required)

• --share=$HOME/.claude: Claude’s persistent configuration
• --share=$HOME/.claude.json: Claude’s settings file
• --share=$HOME/.config/claude: Additional Claude config

Git Access

• --expose=$HOME/.gitconfig: Read-only access to git config (for commits, author info)

Optional: Avoid Re-downloading Claude

• --share=$HOME/.cache/pnpm: Shares pnpm cache
• --share=$HOME/.local/share/pnpm: Shares pnpm store

Without these, pnpm dlx downloads Claude Code fresh each time.

Optional: Desktop Notifications

• --expose=$XDG_RUNTIME_DIR: Exposes the runtime directory
• --preserve='^DBUS_SESSION_BUS_ADDRESS': Preserves D-Bus for notifications
• dunst in packages: Notification daemon

These let Claude trigger desktop notifications when tasks complete.

Terminal Colors

• --preserve='^COLORTERM': Maintains color support in the container

The Result

Claude Code runs with full access to your project directory but nothing else. It can’t touch your home directory, other projects, or system files. If something goes wrong, the damage stays contained.

Guix Home Alias

Add an alias to your home-bash-service-type configuration:

(service home-bash-service-type
  (home-bash-configuration
    (aliases
      '(("ccj" . "guix shell --container --expose=$HOME/.gitconfig=$HOME/.gitconfig --share=$HOME/.claude=$HOME/.claude --share=$HOME/.claude.json=$HOME/.claude.json --share=$HOME/.config/claude=$HOME/.config/claude --share=$HOME/.cache/pnpm=$HOME/.cache/pnpm --share=$HOME/.local/share/pnpm=$HOME/.local/share/pnpm --expose=$XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR --preserve='^DBUS_SESSION_BUS_ADDRESS$' --preserve='^COLORTERM$' --share=$PWD=$PWD --network coreutils bash grep sed gawk git node pnpm gh dunst -- pnpm dlx @anthropic-ai/claude-code --dangerously-skip-permissions")))))

Reconfigure with guix home reconfigure, then run ccj from any project directory.

Enter direnv.

What is direnv?

direnv is a shell extension that loads and unloads environment variables based on the current directory. When you cd into a project with an .envrc file, direnv automatically sets up the environment. When you leave, it cleans up.

For Guix users, this means automatic shell environments per project - no more typing guix shell every time.

Setup

First, install direnv. On Guix, add it to your profile or system packages:

(packages
 (cons* direnv
        ;; your other packages
        %base-packages))

Then, hook direnv into your shell. Add the following to your .bashrc:

# direnv (.envrc)
_direnv_hook() {
  local previous_exit_status=$?;
  trap -- '' SIGINT;
  eval "$(direnv export bash)";
  trap - SIGINT;
  return $previous_exit_status;
};
if [[ ";${PROMPT_COMMAND[*]:-};" != *";_direnv_hook;"* ]]; then
  if [[ "$(declare -p PROMPT_COMMAND 2>&1)" == "declare -a"* ]]; then
    PROMPT_COMMAND=(_direnv_hook "${PROMPT_COMMAND[@]}")
  else
    PROMPT_COMMAND="_direnv_hook${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
  fi
fi

Restart your shell or run source ~/.bashrc.

Simple Example

For projects with straightforward dependencies, a one-liner .envrc does the trick:

# Guix development environment with node and pnpm
eval "$(guix shell node pnpm --search-paths)"

When you cd into this directory, direnv will prompt you to allow the .envrc:

direnv: error .envrc is blocked. Run `direnv allow` to approve its content.

Run direnv allow once, and you’re set. Every subsequent visit automatically loads the environment.

Complex Example with Manifests

For projects with custom package configurations (like the OpenSSL trick from my previous post), combine direnv with a manifest:

Create a manifest.scm:

(use-modules (guix profiles)
             (guix packages)
             (guix search-paths)
             (gnu packages node)
             (gnu packages rust)
             (gnu packages commencement)
             (gnu packages tls)
             (gnu packages databases))

;; Create a custom OpenSSL package that exports OPENSSL_DIR
(define openssl-with-env-dir
  (package
    (inherit openssl)
    (name "openssl")
    (native-search-paths
     (append (package-native-search-paths openssl)
             (list (search-path-specification
                    (variable "OPENSSL_DIR")
                    (files '("."))
                    (file-type 'directory)
                    (separator #f)))))))

;; Create a custom GCC package that exports CC and LD_LIBRARY_PATH
(define gcc-with-env-cc
  (package
    (inherit gcc-toolchain)
    (name "gcc-toolchain")
    (native-search-paths
     (append (package-native-search-paths gcc-toolchain)
             (list (search-path-specification
                    (variable "CC")
                    (files '("bin/gcc"))
                    (file-type 'regular)
                    (separator #f))
                   (search-path-specification
                    (variable "LD_LIBRARY_PATH")
                    (files '("lib"))
                    (file-type 'directory)
                    (separator ":")))))))

(packages->manifest
 (list node
       pnpm
       rust
       (list rust "cargo")
       rust-analyzer
       gcc-with-env-cc
       openssl-with-env-dir
       postgresql))

Then reference it in your .envrc:

# Guix development environment
if [[ -d /run/current-system ]]; then
  eval "$(guix shell -m manifest.scm --search-paths)"
fi

The /run/current-system check ensures this only runs on Guix systems - useful if you share your project with developers on other distros.

Conclusion

The combination of direnv and Guix shell environments removes the friction from project-specific tooling. You define your dependencies once, and they’re automatically available whenever you work on the project.

What is Darkman?

Darkman is a framework for dark-mode and light-mode transitions. It automatically switches themes at sunrise and sunset based on your location, and lets you manually toggle when needed. The beauty is in its simplicity: it runs scripts when switching modes, so you can control exactly what changes.

Guix Home Setup

On Guix, darkman integrates via a home service. Add this to your home configuration:

(service home-darkman-service-type
         (home-darkman-configuration
          (latitude 38.7)
          (longitude -9.2)
          (use-geoclue? #f)))

Set your latitude and longitude to get accurate sunrise/sunset times. I disable geoclue since I don’t need dynamic location tracking.

What Gets Switched

Darkman will handle:

• GTK applications: LibreOffice, Thunar, file managers (Yaru-dark ↔ Yaru theme)
• Foot terminal: Instant color switching via UNIX signals
• Dunst notifications: Background and foreground colors

The Implementation

Darkman executes scripts from two directories:

• ~/.local/share/dark-mode.d/ - runs when switching to dark mode
• ~/.local/share/light-mode.d/ - runs when switching to light mode

For GTK apps, two separate mechanisms are needed - not all applications respect both:

1. Portal/D-Bus (for modern apps)

gsettings set org.gnome.desktop.interface color-scheme 'prefer-dark'
gsettings set org.gnome.desktop.interface gtk-theme 'Yaru-dark'

The color-scheme setting broadcasts via D-Bus to the FreeDesktop portal (org.freedesktop.appearance.color-scheme). Modern applications - Firefox, Chrome, VSCode, Electron apps - listen to this portal and switch automatically.

The gtk-theme setting tells GTK applications which theme to use (e.g., Yaru-dark vs Yaru). For light mode, use prefer-light and remove the -dark suffix from the theme name.

2. GTK-3 settings.ini (for legacy apps)

Some applications like Thunar read ~/.config/gtk-3.0/settings.ini directly instead of using D-Bus:

[Settings]
gtk-theme-name = Yaru-dark
gtk-application-prefer-dark-theme = 1

The darkman script copies a template to this location:

TEMPLATE="$HOME/.local/share/gtk-themes/settings-dark.ini"
GTK3_CONFIG="$HOME/.config/gtk-3.0/settings.ini"
cp "$TEMPLATE" "$GTK3_CONFIG"

For light mode, set gtk-theme-name = Yaru and gtk-application-prefer-dark-theme = 0.

For the Foot terminal I run foot --server and connect with footclient. This lets me use signals for instant theme switching - one signal updates the server and all connected terminals without restart:

# Dark mode: SIGUSR1 switches to [colors] section
kill -SIGUSR1 $(pgrep -x foot) 2>/dev/null || true

# Light mode: SIGUSR2 switches to [colors2] section
kill -SIGUSR2 $(pgrep -x foot) 2>/dev/null || true

Your foot.ini just needs both color sections defined, with initial-color-theme=1 to start dark.

Usage

Once configured, darkman runs automatically:

• Switches to light mode at sunrise
• Switches to dark mode at sunset
• Manual toggle with darkman toggle (I bind this to Mod+T in Sway)

Test it works:

darkman toggle

Everything should switch instantly - GTK apps, terminal colors, notifications.

Full Implementation

The complete setup with all scripts and configurations is in my dotfiles repository.

(1) Include this in your sway config:

exec systemctl --user import-environment WAYLAND_DISPLAY XDG_CURRENT_DESKTOP
exec dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway

(2) Make sure these packages are installed:

• xdg-desktop-portal-wlr
• xdg-desktop-portal-gtk (probably not necessary)
• slurp: helper to select the screen to share

(3) Create portals.conf config:

[preferred]
# use xdg-desktop-portal-gtk for every portal interface
default=gtk
# Settings portal for theme detection
org.freedesktop.impl.portal.Settings=gtk
# except for the xdg-desktop-portal-wlr supplied interfaces
org.freedesktop.impl.portal.ScreenCast=wlr
org.freedesktop.impl.portal.Screenshot=wlr

(4) Tie it all together, using guix home (or manually):

(services
(append (list
      ;; other services
      (service home-xdg-configuration-files-service-type
                `(("sway/config" ,(local-file "sway"))
                  ("xdg-desktop-portal/portals.conf" ,(local-file "portals.conf"))))
      (simple-service 'env-vars home-environment-variables-service-type
                      `(("QT_QPA_PLATFORM" . "wayland;xcb")
                        ("SDL_VIDEODRIVER" . "wayland")
                        ("XDG_CURRENT_DESKTOP" . "sway")
                        ("XDG_SESSION_DESKTOP" . "sway")
                        ("XDG_SESSION_TYPE" . "wayland")
                        ("ELECTRON_OZONE_PLATFORM_HINT" . "wayland")
                        ("MOZ_ENABLE_WAYLAND" . "1")
                        ("NIXOS_OZONE_WL" . "1")
                        ("GDK_BACKEND" . "wayland")
                        ("CLUTTER_BACKEND" . "wayland")))
      (service home-dbus-service-type)
      (service home-pipewire-service-type))
      %base-home-services))

To test if it’s working, use this Test Page.

Feel free to checkout my dotfiles for more details.