moving everything to active or retired vs incubating and graduated

active/os_arch/deprecated.md

@@ -0,0 +1,61 @@
+# Deprecated
+
+## Firejail
+
+Don't use firejail, it's a suid binary which only runs in userspace. Apparmor does
+almost exactly the same thing but runs in the kernel at boot and protects you more
+completely. I'm leaving this here in case you're interested but realistically you
+should just learn apparmor.
+
+Firejail launches supported applications in a sandboxed environment where it limits access
+to system files and resources.
+
+For example:
+
+- Firefox will not be able to access more than a small subset of your home directory.
+- VSCode will not be able to acces ~/.config/autostart.
+
+1. `sudo pacman -S firejail`
+2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
+3. `sudo firecfg`
+4. `firecfg --fix`
+5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
+6. Add a pacman hook to apply firejail on install
+
+    /etc/pacman.d/hooks/firejail.hook
+
+    ```conf
+    [Trigger]
+    Type = Path
+    Operation = Install
+    Operation = Upgrade
+    Operation = Remove
+    Target = usr/bin/*
+    Target = usr/share/applications/*.desktop
+
+    [Action]
+    Description = Configure symlinks in /usr/local/bin based on firecfg.config...
+    When = PostTransaction
+    Depends = firejail
+    Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
+    ```
+
+You can run firejail with noprofile to fix access issues (like firefox gnome connector)
+
+```bash
+firejail --noprofile firefox
+```
+
+You'll probably want to enable the following
+
+`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'`
+
+/etc/firejail/firejail.config
+
+```conf
+browser-disable-u2f no
+chroot yes
+firejail-prompt yes
+force-nonewprivs yes
+tracelog yes
+```