Day two — Shield toggles, login background, fewer false alarms
Quick round of fixes from dogfooding the install. Fresh ISO on the site (new SHA256 published alongside the signature as always).
The Firewall button in Cerberix Shield actually does something
Before today, clicking the Firewall button in Shield ran
sudo -n ufw — passwordless sudo that almost nobody has configured, so
the click failed silently. Frustrating because the indicator looked
like a toggle but wasn't wired to a usable privilege escalation path.
Now it works:
- Click while UFW is inactive → polkit authentication popup (the same
one you already see for other privileged GUI actions) → a single
escalation runs:
ufw default deny incomingufw default allow outgoingufw allow sshufw --force enablesystemctl enable ufw
Then Shield re-checks and the Firewall row flips green.
- Click while UFW is active → polkit popup →
ufw disable.
No passwordless sudo rules required, no terminal needed. Implementation
is a new helper at /usr/local/bin/cerberix-fw-setup invoked via
pkexec, so the auth flow plays nicely with XFCE's polkit agent.
LightDM login screen has a background
The greeter was just a flat color before — passable but not great as a
first impression. Now it loads one of the bundled Cerberix wallpapers
(cerberix-desktop-background-moon.png by default) via
/etc/lightdm/lightdm-gtk-greeter.conf.
This is a separate file from lightdm.conf by design: greeter
appearance settings shouldn't live in the session-manager config, and
keeping them apart means future tweaks to one don't risk breaking the
other.
Defaults in the greeter conf:
- Background: Cerberix moon wallpaper
- Theme: Adwaita-dark
- Icons: Papirus-Dark
- Font: Inter 11
Change any of these by editing /etc/lightdm/lightdm-gtk-greeter.conf
and logging out.
cerberix-update.service no longer shows as failed
If you checked systemctl --failed on a fresh install you'd see
cerberix-update.service in red. Not actually broken — just a systemd
quirk. pacman-contrib's checkupdates tool exits with status 2 when
there are no pending updates. That's intentional behavior from the tool
author (exit 0 = "updates found", exit 2 = "no updates"). systemd
interprets any non-zero exit as failure by default.
One-line fix — the service unit now has:
SuccessExitStatus=0 2
systemd treats both as success. The failed-units list stays empty when there are no updates, and the timer still works for when there are.
New default wallpaper + three new options
The default desktop wallpaper now matches the site's palette more
directly. Three additional wallpapers ship in
/usr/share/backgrounds/cerberix/ so right-clicking the desktop →
Desktop Settings gives you real choices instead of one option.
Shield VPN check: works with any WireGuard interface
Shield was hardcoded to look for wg0. If your NetworkManager-managed
WireGuard connection ended up named cerberix-vpn, mullvad-*, or
anything else, Shield reported "Disconnected" even when the tunnel was
up. Fixed — Shield now runs ip -o link show type wireguard to catch
anything the kernel tags as WireGuard, regardless of name. Toggle logic
prefers NetworkManager (nmcli connection up/down) and falls back to
wg-quick for /etc/wireguard/*.conf setups.
What's still in progress
- Tokyo Night Firefox theme as default — want this shipped as part
of the install, blocked on getting the theme's
.xpiidentified. Next build.
If something breaks on your end, mail hello@cerberix.org — bug reports in the first couple weeks are how this gets genuinely polished.