Add targeted Gufw compatibility for Sway sessions

- Remove the global xhost call from start-sway-session to keep Wayland startup clean
- Add a dedicated gufw wrapper and desktop override that temporarily grants Xwayland access only for gufw

ansible/inventory/group_vars/desktop.yml

@@ -66,8 +66,8 @@ desktop_sway_packages:
   - slurp
   - swayfx
   - wl-clipboard
-  - xdg-desktop-portal-wlr
   - xhost
+  - xdg-desktop-portal-wlr
   - xorg-server-xwayland
 
 profile_packages:
@@ -247,10 +247,18 @@ desktop_common_dotfiles:
     src: .local/bin/update-turnstile-env
     dest: .local/bin/update-turnstile-env
     mode: "0755"
+  - name: Gufw Sway wrapper
+    src: .local/bin/run-gufw
+    dest: .local/bin/run-gufw
+    mode: "0755"
   - name: Udiskie password helper
     src: .local/bin/udiskie-password
     dest: .local/bin/udiskie-password
     mode: "0755"
+  - name: Desktop application overrides
+    src: .local/share/applications/
+    dest: .local/share/applications/
+    mode: preserve
   - name: SSH config
     src: .ssh/config
     dest: .ssh/config

ansible/roles/profile_desktop_common/tasks/main.yml

@@ -20,6 +20,8 @@
     - "{{ user_home }}/.config/autostart"
     - "{{ user_home }}/.config/alacritty"
     - "{{ user_home }}/.config/Thunar"
+    - "{{ user_home }}/.local/share"
+    - "{{ user_home }}/.local/share/applications"
     - "{{ user_home }}/.tmux"
     - "{{ user_home }}/.tmux/bin"
     - "{{ user_home }}/.tmux/plugins"

dotfiles/desktop/.local/bin/run-gufw

@@ -0,0 +1,22 @@
+#!/usr/bin/env sh
+
+set -eu
+
+if [ -z "${DISPLAY:-}" ]; then
+  printf 'Error: DISPLAY is not set; cannot launch gufw under Xwayland.\n' >&2
+  exit 1
+fi
+
+if ! command -v xhost >/dev/null 2>&1; then
+  printf 'Error: xhost is required to launch gufw from a Wayland session.\n' >&2
+  exit 1
+fi
+
+cleanup() {
+  xhost -si:localuser:root >/dev/null 2>&1 || true
+}
+
+trap cleanup EXIT INT TERM HUP
+
+xhost si:localuser:root >/dev/null
+exec gufw "$@"

dotfiles/desktop/.local/bin/start-sway-session

@@ -24,6 +24,5 @@ exec dbus-run-session sh -eu -c '
   printf "%s\n" "$DBUS_SESSION_BUS_ADDRESS" > "$HOME/.dbus-session-bus-address"
   gpgconf --launch gpg-agent
   "$HOME/.local/bin/update-turnstile-env"
-  xhost +local:
   exec "$@"
 ' sh "$@"

dotfiles/desktop/.local/share/applications/gufw.desktop

@@ -0,0 +1,13 @@
+[Desktop Entry]
+Version=1.0
+Type=Application
+Name=Firewall Configuration
+Comment=An easy way to configure your firewall
+Keywords=gufw;security;firewall;network;
+Categories=GNOME;GTK;Settings;Security;X-GNOME-Settings-Panel;X-GNOME-SystemSettings;X-Unity-Settings-Panel;X-XFCE-SettingsDialog;X-XFCE-SystemSettings;
+Exec=/home/fscotto/.local/bin/run-gufw
+Icon=gufw
+Terminal=false
+X-GNOME-Settings-Panel=gufw
+X-Unity-Settings-Panel=gufw
+X-Ubuntu-Gettext-Domain=gufw