The core, hyprlua and hyprland package installs used backslash-continued
`pacman` commands with inline `#` comments. Bash treats the first inline
comment as the end of the command, so pacman ran with only the packages
before it and every later name (7zip, cronie, nwg-dock-hyprland, …) was
executed as a shell command — failing under `set -e`. Move all three lists
into arrays, where per-item comments are valid, and install with `--`.
Also:
- himalaya: install the official `himalaya` package (AUR `himalaya-bin` is gone).
- mail-notmuch / caldav-sync: make the systemd *user* timer setup and the
initial sync best-effort. A bare TTY/chroot install has no user session bus
(and ~/.config may not be writable yet), so `systemctl --user` and the mkdir
could abort the module; warn and continue instead.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
opendeck is not in the official repos, so install the native AUR package
with yay (matching the repo's other AUR modules) and drop the Flatpak
path. Wire `opendeck` into Hyprland autostart instead of
`flatpak run com.mairtech.OpenDeck`, and update the idempotency guard.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
apps/ is for modules that install software during setup. freeipa-image is
support tooling for the ansipa controller, run manually before installation,
so it has no place in the TUI module picker.
- git mv optional-Modules/plymouth.sh → apps/plymouth.sh
- git mv apps/freeipa-image.sh → setup/tools/freeipa-image.sh
- modules.conf: add plymouth (default=on, excludes=plymouth-custom); remove freeipa-image
- generate-modules.sh: regenerate all sentinel regions (81 → 81 active modules,
freeipa-image dropped from checklist/summary/dispatch, plymouth added with on default,
conflict block gains plymouth ↔ plymouth-custom pair)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs io.github.suchnsuch.Tangent via Flatpak with cyberqueer theme
applied. Registered in TUI installer, answerfile generator, and docs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs md.obsidian.Obsidian via Flatpak with cyberqueer theme applied.
Registered in TUI installer, answerfile generator, and docs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs com.github.flxzt.rnote via Flatpak with cyberqueer theme
applied. Registered in TUI installer, answerfile generator, and docs
alongside xournal++ in the Productivity section.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs ydotool via pacman and OpenDeck via Flatpak, wires ydotoold
and OpenDeck into the Hyprland autostart. Registers the module in the
TUI installer, answerfile generator, and docs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- plymouth.sh: accepts PLYMOUTH_LOGO_SRC env var; PNG used as-is, SVG
converted via rsvg-convert (librsvg only installed when needed)
- apps/plymouth-custom.sh: thin wrapper that validates the caller-supplied
path and delegates to plymouth.sh with PLYMOUTH_LOGO_SRC exported
- install-modules.sh: adds 'Plymouth (custom)' checklist entry; prompts
for image path via inputbox before the confirmation dialog; exports
PLYMOUTH_LOGO_SRC into the module run
- generate-answerfile.sh: adds 'plymouth' (on by default) to the
components checklist to match tui-install.sh
- docs: installation.md and modules.md updated with Plymouth component,
answerfile schema, mkinitcpio note, and custom-logo module entry
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SyBNiWy3wpawrWb9ryVk7p
Move the splash logo into resources/bg-skull.svg so it's tracked in git
and always available alongside the dotfiles. build.sh now copies
resources/ into /root/installer/resources/ on the ISO. The Plymouth
module resolves the SVG from the repo copy first, ISO copy second —
no user intervention or ~/Pictures setup required.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SyBNiWy3wpawrWb9ryVk7p
Installs a custom Plymouth theme (m-archy) with bg-skull.svg converted
to PNG (Plymouth is PNG-only via libpng — no SVG support) and a 12-dot
magenta spinner animation. Enabled by default in tui-install.sh; also
available as an optional module in install-modules.sh. Archiso image
remains Plymouth-free.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SyBNiWy3wpawrWb9ryVk7p
Policy change: graphical apps now prefer Flatpak > pacman > AUR. Non-graphical
tools keep pacman > AUR > source. This makes installed apps sandboxed, keeps
system packages clean, and gives us a single hook point (apply_flatpak_theme)
to theme every GUI app consistently.
lib/logging.sh — two new helper functions sourced by every module:
ensure_flatpak()
Checks if flatpak is installed (pacman installs it if not) and ensures the
Flathub remote is registered. Called at the top of every Flatpak script so
the module is self-contained and safe to run in any order.
apply_flatpak_theme(app_id)
Copies gtk-themes/cyberqueer/ from the Dotfiles repo into ~/.themes/, then
calls `flatpak override --user --filesystem=~/.themes:ro <id>` so the
sandbox can read it, and `flatpak override --user --env=GTK_THEME=cyberqueer
<id>` to activate it. Gracefully skips with a warning if the theme source
directory is absent.
App scripts converted (pacman/AUR → Flatpak + theme):
ardour org.ardour.Ardour
audacity org.audacityteam.Audacity
chromium org.chromium.Chromium
firefox org.mozilla.firefox
geany org.geany.Geany
gimp org.gimp.GIMP
inkscape org.inkscape.Inkscape
kate org.kde.kate
kdenlive org.kde.kdenlive
krita org.kde.krita
librewolf io.gitlab.librewolf-community.librewolf
lmms io.lmms.LMMS
localsend org.localsend.localsend
min-browser com.github.minbrowser.min
mixxx org.mixxx.Mixxx
onlyoffice org.onlyoffice.desktopeditors
openshot org.openshot.OpenShot
rdp-client org.remmina.Remmina (was pacman remmina + freerdp + libvncserver;
Flatpak bundles all protocols, including VNC and SSH tunnels)
shotcut org.shotcut.Shotcut
steam com.valvesoftware.Steam
vscodium com.vscodium.codium
wireshark org.wireshark.Wireshark
xournal com.github.xournalpp.xournalpp
zed dev.zed.Zed
zen-browser io.github.zen_browser.zen
Special cases:
blender-povray: Blender → Flatpak (org.blender.Blender) + theme; POV-Ray
stays pacman because it has no Flatpak and is a CLI renderer, not a GUI app.
prismlauncher / stuntrally: were already Flatpak installs; added
apply_flatpak_theme so they pick up the cyberqueer theme like everything else.
vesktop: switched from AUR vesktop to Flatpak dev.vencord.Vesktop. The AUR
build requires cargo and takes several minutes; the Flatpak is pre-built.
Vencord config is now deployed to ~/.var/app/dev.vencord.Vesktop/config/
(both Vencord/ and vesktop/ sub-dirs) instead of ~/.config/, which is where
the Flatpak sandbox exposes its config directory.
k8s: kubectl stays pacman (it is a CLI tool with no GUI, no Flatpak needed);
podman-desktop switches from pacman podman-desktop to Flatpak
io.podman_desktop.PodmanDesktop + theme, because it is a full GUI app.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add presence-detect.sh daemon: checks webcam every 2 min via OpenCV haar
cascade (presence_detect.py); holds systemd-inhibit --what=idle lock while a
face is detected so hypridle never fires during an active session
- Add enroll-biometrics.sh: Cyberqueer dialog TUI for camera configuration/test
and howdy face auth enrollment (add/list/remove/test models)
- Rewrite caffeine.sh (hyprlua + niri): replace kill/restart of idle daemon with
systemd-inhibit --what=idle:sleep + PID file; idle daemon stays running
- Fix hypridle.conf: correct ;; → ; in after_sleep_cmd, add
ignore_dbus_inhibit=false, bump lock timeout 120s→180s to account for the
2-min presence detection cycle
- Wire Super+Shift+B keybind for enrollment TUI in both hyprlua and niri
- Fix niri/scripts/python: was real dir with inner symlink causing cp -rL to
create a nested python/python/ hierarchy; replaced with direct symlink
- Add python-opencv and v4l-utils to hyprlua + niri installers
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Reverts incorrect touch_long_press_time option (not a real Hyprland setting).
Adds evdev-right-click-emulation install + systemd enable to the tablet (T)
eww bar selection in the hyprlua installer.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds w3m to the install list and appends the text/html mailcap entry
so alot renders HTML emails as plain text via w3m -dump.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The glob path = .../calendars/* was not expanded by khal, so no events
were visible. Now caldav-sync.sh and ics-to-calendarim both generate
explicit [[name]]/path entries per calendar and regenerate the config
on every sync so newly discovered calendars are picked up automatically.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs vdirsyncer + khal, writes vdirsyncer/khal configs, creates
ics-to-calendarim converter to populate calendar.vim local JSON cache,
and sets up a systemd user timer for 15-minute periodic sync.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- x now opens a full-screen overlay: alot left (55%), abook top-right,
calendar bottom-right
- Add esc = exit bindings to alot config for search/thread/taglist/
bufferlist modes, applied to live ~/.config/alot/config and to the
mail-notmuch.sh setup script
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace tab/vsplit PIM approach with nvim_open_win floating windows:
r opens a tiled full-screen overlay (alot top, calendar+abook bottom)
n/g/f open individual centered floats with rounded border
- Add setup/modules/optional-Modules/apps/mail-notmuch.sh:
configures mbsync, msmtp, notmuch, alot from interactive prompts
installs a systemd user timer for 5-min periodic mail sync
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Pin pamu2fcfg enrollment to the target hostname (-o/-i pam://$HOSTNAME)
so the credential origin matches pam_u2f.so at runtime; enrolling outside
the chroot previously used the live ISO hostname, causing auth to fail
- Add `cue` to the pam_u2f.so PAM line so ly prompts the user to touch
the key after password entry
- Add --needed to hyprlua AUR yay call to survive re-runs
- Degrade gracefully in lamco-rdp-server when no user D-Bus session is
active (systemctl --user enable would abort the module under set -e)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add modules/lib/logging.sh with log(), skip(), warn(), err() helpers.
Source it in all 84 scripts (core, DEs, optional apps) and replace bare
echo calls with structured log messages. Add log file capture to install.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sauerbraten: open-source Cube 2 FPS (pacman)
stuntrally: rally racing game via Flatpak (io.github.stuntrally.StuntRally3)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
openarena: open-source Quake III Arena (pacman)
tetris: bastet + vitetris (pacman + AUR)
doom: Chocolate Doom + Freedoom game data (pacman)
Wired up in simple-install.sh, tui-install.sh, and install-modules.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
policy-scan-notify is now a FreeIPA *user* group instead of a host group,
so alert notifications follow the user to every enrolled machine. The
fetch-alerts timer is installed fleet-wide on any host where the group exists;
the profile.d snippet gates notification daemon start on runtime group
membership (id(1) / SSSD) so non-members log in unaffected.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
policy-block-binary-<name> is now a FreeIPA *user* group instead of a host group,
so restrictions follow the user to every enrolled machine. The PATH wrapper is
installed on all hosts and checks group membership at runtime via id(1)/SSSD,
passing non-members through transparently. __ in the group name decodes to .
so Flatpak app IDs are supported (flatpak run fallback included). AppArmor layer
removed since per-user confinement requires a different approach and the wrapper
alone is sufficient. Adds local_sudo_<username> host group policy which writes
a sudoers drop-in granting that user full sudo on the specific device, reverted
on group leave.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a new host group policy `no_local_users` that locks the passwords of root
and all local users (UID >= 1000) via `passwd -l`, ensuring only FreeIPA domain
accounts with centrally-managed sudo rules can authenticate and gain elevated
privileges. Leaving the group reverts by unlocking every account tracked in the
state file. Updates docs with group reference entry and Local User Lockdown section.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ansipa-smb-setup.sh:
- Adds KeyAdmin Linux group and luks-upload service account (member of
KeyAdmin) on the IPA container, both persisted across restarts.
- LUKS base dir /data/luks-keys owned root:KeyAdmin, mode 2750 (setgid
so new files inherit the group).
- New [ansipa-luks-keys] SMB share: valid users = @KeyAdmin, read only,
write list = luks-upload. Human admins gain read access by being added
to KeyAdmin: useradd -r -G KeyAdmin <user> && smbpasswd -a <user>.
- LUKS_KEY_UPLOAD_PASSWORD sourced from env / /data/samba/ansipa-smb.env
alongside the existing SMB_SCAN_PASSWORD.
collect-luks-keys.yml:
- After fetching /_LUKS_BACKUP_KEY from each client, uploads it to the
ansipa-luks-keys share via smbclient using a temp credentials file
(no_log, deleted in post_tasks).
- Local staging copy is removed after a successful upload.
- SMB credentials file uses an epoch-stamped path to avoid collisions.
.env.example: documents LUKS_KEY_UPLOAD_PASSWORD.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Host groups named policy-daemon-enable-<unit> and
policy-daemon-disable-<unit> are now matched by a wildcard case arm in
the group parser — no per-service configuration required.
Enforcement (every 30 min via existing timer):
enable: systemctl enable --now <unit>; state written to
/var/lib/ansipa-policies/daemon-enabled
disable: systemctl disable --now <unit>; state written to
/var/lib/ansipa-policies/daemon-disabled
revert: when a host leaves a group the opposite action is applied
on the next run (enable→disable, disable→enable)
conflict: unit in both lists is skipped with a warning
The .service suffix is optional — _svc_unit() appends it when the name
contains no dot, so all systemd unit types work as-is.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs lamco-rdp-server from AUR (native Wayland RDP server, Rust,
H.264/VA-API). Enables lamco-rdp-server.service as a systemd user
service. Wired into tui-install.sh alongside the existing rdp-client
and qemu entries.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
rdp-client.sh: installs Remmina with the FreeRDP and libvncserver plugins
for RDP and VNC sessions.
qemu.sh: installs the full QEMU/KVM stack (qemu-full, libvirt, virt-manager,
virt-viewer, dnsmasq, bridge-utils, edk2-ovmf, swtpm, vde2), enables and
starts libvirtd, auto-starts the default NAT network, and adds the user to
the libvirt and kvm groups.
Both modules are wired into tui-install.sh: count_steps, checklist,
confirmation summary, and run_module dispatch.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ansipa-smb.service: WantedBy=multi-user.target (was smb.service) so the
setup service always runs at boot, not only when smb.service pulls it in
docker-compose.yml: add NetBIOS UDP ports 137/138 to match Dockerfile EXPOSE
and nmb.service being enabled
ansipa-smb-setup.sh:
- use printf '%q' when writing SMB_SCAN_PASSWORD to ansipa-smb.env so
passwords with spaces or shell-special chars are correctly quoted
- always write /etc/cron.d/ansipa-check-scans (remove the [[ ! -f ]] guard)
since /etc/cron.d is on the ephemeral container layer and is lost on
container recreation; the service runs on every start anyway
Dockerfile: add -e SMB_SCAN_PASSWORD and -p 445:445 to the quick-test comment
ansipa-fetch-alerts.sh: replace $NEW && log with [[ "$NEW" == true ]] && log
to avoid set -e ambiguity with the 'false' builtin
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Container (ansipa image):
- Add samba + cronie to Dockerfile; expose ports 445/139
- ansipa-smb-setup.sh: idempotent setup of smbd + scanupload user +
/data/scan-results/{archive,alerts}/ on every container start
- ansipa-smb.service: runs setup before smb.service on each boot
- ansipa-check-scans.sh: hourly cron on server; analyses archive logs for
ClamAV/rkhunter/chkrootkit findings and writes <host>/<date>.alert files
- docker-compose.yml: add SMB_SCAN_PASSWORD env var + port mappings
- .env.example: document SMB_SCAN_PASSWORD
Client (policy-security-scan):
- Scan script now uploads log to //ipa-server/ansipa-scans/archive/<host>/
via smbclient after each run
Client (policy-scan-notify — new policy group):
- ansipa-fetch-alerts.sh: root timer (10 min) downloads alerts from SMB into
~/administration/<hostname>/ for each active login session; deletes server
alert when user removes local file (acknowledgment)
- ansipa-scan-notify.sh: user daemon started via /etc/profile.d/ansipa-notify.sh;
sends notify-send every 10 min while *.alert files remain in ~/administration/
- deploy-ansipa-policies.yml: installs samba-client, deploys SMB creds file
(/etc/ansipa-smb.creds, 0600), and deploys both notification scripts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Binary blocking now applies two layers:
1. PATH-priority wrapper in /usr/local/bin/ (existing)
2. Empty AppArmor profile in /etc/apparmor.d/ loaded in enforce mode
An empty AppArmor profile denies all access — the blocked binary cannot
load shared libraries and exits immediately with a permission error,
covering callers that use absolute paths and bypassed the wrapper.
AppArmor layer is skipped silently when apparmor_parser is not present,
and deferred with a warning if the real binary is not yet installed.
Profiles are unloaded and deleted when the host leaves the policy group.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Qt: replace QT_STYLE_OVERRIDE/QT_STYLE_SHEET env vars with QT_QPA_PLATFORMTHEME=qt6ct +
QT_QUICK_CONTROLS_STYLE=Fusion; add cyberqueer Qt6 style plugin (QProxyStyle wrapping
Fusion with hardcoded dark palette); enable custom_palette in qt6ct.conf so qt6ct applies
the dark QPalette directly for both Qt Widgets and Qt Quick apps.
GTK: fix dark mode not applying — set gtk-application-prefer-dark-theme=1 in GTK3
settings.ini; add gsettings color-scheme=prefer-dark to install script (required by
libadwaita apps which ignore gtk-theme-name); add index.theme so the theme is recognized
by GTK theme discovery.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
airline#themes#cyberqueer#palette was undefined because the theme file was
being copied under the wrong name (cyberqueer-airline.vim instead of
cyberqueer.vim). Fixed by adding the file at the proper rtp-relative path
nvim/autoload/airline/themes/cyberqueer.vim — picked up automatically via
the ~/.config/nvim symlink, no extra copy step needed. Removed the now-
redundant manual cp from shell-setup.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Renames nvim/ → nvim.old/ (preserving init.vim + incomplete prior attempts)
and creates a fresh nvim/ with init.lua. All settings, keymaps, and plugin
declarations are converted from VimScript to Lua idioms. Plugin manager
migrated from vim-plug to lazy.nvim, which self-bootstraps on first launch.
shell-setup.sh updated to drop the vim-plug curl install; the symlink and
airline theme copy are retained (path updated for lazy's data directory).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
