keyd primer
I recently installed Fedora Asahi Remix on my MacBook Air M1 and wanted to swap my alt and command keys, plus rebind my caps-lock key as control. I’m still new to Wayland (with Plasma 6 in this case) so I googled what tools to use and found rvaiya/keyd.
Basic setup
Installation was easy, quoting the project README:
git clone https://github.com/rvaiya/keyd
cd keyd
make && sudo make install
sudo systemctl enable --now keyd
Below is a configuration that Works For Me™:
# /etc/keyd/default.conf
[ids]
*
[main]
capslock = overload(control, capslock)
meta = layer(alt)
leftalt = layer(meta)
We swap alt/command, and we make caps-lock behave like normal when tapped, but when held it acts like a control key.
CAPSLOCK as control / escape
I’ve seen another configuration which makes caps-lock act like escape when tapped and control otherwise, plus remapping caps-lock to the normal escape key – but I’m not a vim user so not as useful for me.
That setup would look something like this:
[ids]
*
[main]
capslock = overload(control, escape)
escape = capslock
meta = layer(alt)
leftalt = layer(meta)
Edit: This is what I use now, it’s a quite nice setup!
Limit remapping to built-in keyboard
I tried connecting an external keyboard[1] to my MacBook and things got really weird. Fortunately there is built-in support for matching hardware IDs in keyd. Start by finding the ID of the keyboard you want to affect:
# keyd monitor
device added: 0fac:1ade:d2b36ae6 keyd virtual pointer (/dev/input/event5)
device added: 0fac:0ade:12345678 keyd virtual keyboard (/dev/input/event4)
device added: 05ac:0281:2bd1f3de Apple SPI Keyboard (/dev/input/event1)
device added: 05ac:0281:2782280b Apple SPI Trackpad (/dev/input/event0)
keyd virtual keyboard 0fac:0ade:12345678 enter up
keyd virtual keyboard 0fac:0ade:12345678 leftcontrol down
keyd virtual keyboard 0fac:0ade:12345678 c down
In my case, I wanted to limit keyd to work on 0fac:0ade:12345678, as that’s the built-in keyboard on my MacBook.
Change the keyd configuration to something like this:
[ids]
0fac:0ade:12345678
[main]
capslock = overload(control, escape)
escape = capslock
meta = layer(alt)
leftalt = layer(meta)
See the manpage for more details.
Make service security posture less terrible
Found this in PR616; it adds some security restrictions to the default systemd unit. The file in its entirety:
[Unit]
Description=key remapping daemon
Requires=local-fs.target
After=local-fs.target
[Service]
Type=simple
ExecStart=/usr/bin/keyd
ProtectProc=invisible
ProcSubset=pid
ProtectSystem=strict
ProtectHome=true
ReadOnlyPaths=/etc/keyd
PrivateTmp=true
DeviceAllow=char-input
DeviceAllow=/dev/uinput
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictNamespaces=true
RemoveIPC=true
RestrictAddressFamilies=AF_UNIX
PrivateNetwork=true
IPAddressDeny=any
NoNewPrivileges=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
CapabilityBoundingSet=CAP_SETGID CAP_SYS_NICE
UMask=177
[Install]
WantedBy=sysinit.target
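keyd reads every key event on the machine, so of the directives above, the ones that restrict network and device access matter most. As an added example (not from the post or from PR616), this Python script parses a unit file and flags gaps in that isolation; the policy in `audit`, the `HARDENED` and `BARE` samples and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: a subset of the [Service] directives from the unit above.
HARDENED = """\
[Service]
ExecStart=/usr/bin/keyd
ProtectSystem=strict
DeviceAllow=char-input
DeviceAllow=/dev/uinput
RestrictAddressFamilies=AF_UNIX
PrivateNetwork=true
"""
# Constructed sample: a unit with no sandboxing directives, for comparison.
BARE = "[Service]\nType=simple\nExecStart=/usr/bin/keyd\n"
TRUE = ("true", "yes", "1", "on")  # spellings systemd accepts for a boolean

def parse_unit(text):
    """Return {section: {key: [values]}}. A unit may repeat a key (DeviceAllow=
    above), which a strict INI parser rejects, so values are kept as lists."""
    unit, section = defaultdict(lambda: defaultdict(list)), None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = (part.strip() for part in line.split("=", 1))
            unit[section][key].append(value)
    return unit

def audit(text):
    """Flag isolation gaps for a daemon that handles keystrokes (assumed policy)."""
    svc = parse_unit(text)["Service"]
    def last(key):  # the last assignment wins for single-valued settings
        return (svc.get(key) or [""])[-1].lower()
    findings = []
    if last("PrivateNetwork") not in TRUE:
        findings.append("PrivateNetwork is off: the service can reach the network")
    families = set(" ".join(svc.get("RestrictAddressFamilies", [])).split())
    if families != {"AF_UNIX"}:
        findings.append("sockets are not limited to AF_UNIX")
    devices = {value.split()[0] for value in svc.get("DeviceAllow", [])}
    if not devices:
        findings.append("no DeviceAllow: device access is not restricted")
    elif devices - {"char-input", "/dev/uinput"}:
        findings.append("DeviceAllow grants more than input devices and uinput")
    if last("ProtectSystem") != "strict":
        findings.append("ProtectSystem is not strict: system paths stay writable")
    return findings
```

On a live system, `systemd-analyze security keyd.service` reports how the running unit scores against systemd's own sandboxing checks.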
[1] I typically use QMK on my keyboards, and have already remapped capslock to control, I have OS based alt/meta remapping etc.