ansipa-smb-setup.sh:
- Adds KeyAdmin Linux group and luks-upload service account (member of
KeyAdmin) on the IPA container, both persisted across restarts.
- LUKS base dir /data/luks-keys owned root:KeyAdmin, mode 2750 (setgid
so new files inherit the group).
- New [ansipa-luks-keys] SMB share: valid users = @KeyAdmin, read only,
write list = luks-upload. Human admins gain read access by being added
to KeyAdmin: useradd -r -G KeyAdmin <user> && smbpasswd -a <user>.
- LUKS_KEY_UPLOAD_PASSWORD sourced from env / /data/samba/ansipa-smb.env
alongside the existing SMB_SCAN_PASSWORD.
collect-luks-keys.yml:
- After fetching /_LUKS_BACKUP_KEY from each client, uploads it to the
ansipa-luks-keys share via smbclient using a temp credentials file
(no_log, deleted in post_tasks).
- Local staging copy is removed after a successful upload.
- SMB credentials file uses an epoch-stamped path to avoid collisions.
.env.example: documents LUKS_KEY_UPLOAD_PASSWORD.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Host groups named policy-daemon-enable-<unit> and
policy-daemon-disable-<unit> are now matched by a wildcard case arm in
the group parser — no per-service configuration required.
Enforcement (every 30 min via existing timer):
enable: systemctl enable --now <unit>; state written to
/var/lib/ansipa-policies/daemon-enabled
disable: systemctl disable --now <unit>; state written to
/var/lib/ansipa-policies/daemon-disabled
revert: when a host leaves a group the opposite action is applied
on the next run (enable→disable, disable→enable)
conflict: unit in both lists is skipped with a warning
The .service suffix is optional — _svc_unit() appends it when the name
contains no dot, so all systemd unit types work as-is.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs lamco-rdp-server from AUR (native Wayland RDP server, Rust,
H.264/VA-API). Enables lamco-rdp-server.service as a systemd user
service. Wired into tui-install.sh alongside the existing rdp-client
and qemu entries.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
rdp-client.sh: installs Remmina with the FreeRDP and libvncserver plugins
for RDP and VNC sessions.
qemu.sh: installs the full QEMU/KVM stack (qemu-full, libvirt, virt-manager,
virt-viewer, dnsmasq, bridge-utils, edk2-ovmf, swtpm, vde2), enables and
starts libvirtd, auto-starts the default NAT network, and adds the user to
the libvirt and kvm groups.
Both modules are wired into tui-install.sh: count_steps, checklist,
confirmation summary, and run_module dispatch.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ansipa-smb.service: WantedBy=multi-user.target (was smb.service) so the
setup service always runs at boot, not only when smb.service pulls it in
docker-compose.yml: add NetBIOS UDP ports 137/138 to match Dockerfile EXPOSE
and nmb.service being enabled
ansipa-smb-setup.sh:
- use printf '%q' when writing SMB_SCAN_PASSWORD to ansipa-smb.env so
passwords with spaces or shell-special chars are correctly quoted
- always write /etc/cron.d/ansipa-check-scans (remove the [[ ! -f ]] guard)
since /etc/cron.d is on the ephemeral container layer and is lost on
container recreation; the service runs on every start anyway
Dockerfile: add -e SMB_SCAN_PASSWORD and -p 445:445 to the quick-test comment
ansipa-fetch-alerts.sh: replace $NEW && log with [[ "$NEW" == true ]] && log
to avoid set -e ambiguity with the 'false' builtin
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Container (ansipa image):
- Add samba + cronie to Dockerfile; expose ports 445/139
- ansipa-smb-setup.sh: idempotent setup of smbd + scanupload user +
/data/scan-results/{archive,alerts}/ on every container start
- ansipa-smb.service: runs setup before smb.service on each boot
- ansipa-check-scans.sh: hourly cron on server; analyses archive logs for
ClamAV/rkhunter/chkrootkit findings and writes <host>/<date>.alert files
- docker-compose.yml: add SMB_SCAN_PASSWORD env var + port mappings
- .env.example: document SMB_SCAN_PASSWORD
Client (policy-security-scan):
- Scan script now uploads log to //ipa-server/ansipa-scans/archive/<host>/
via smbclient after each run
Client (policy-scan-notify — new policy group):
- ansipa-fetch-alerts.sh: root timer (10 min) downloads alerts from SMB into
~/administration/<hostname>/ for each active login session; deletes server
alert when user removes local file (acknowledgment)
- ansipa-scan-notify.sh: user daemon started via /etc/profile.d/ansipa-notify.sh;
sends notify-send every 10 min while *.alert files remain in ~/administration/
- deploy-ansipa-policies.yml: installs samba-client, deploys SMB creds file
(/etc/ansipa-smb.creds, 0600), and deploys both notification scripts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Binary blocking now applies two layers:
1. PATH-priority wrapper in /usr/local/bin/ (existing)
2. Empty AppArmor profile in /etc/apparmor.d/ loaded in enforce mode
An empty AppArmor profile denies all access — the blocked binary cannot
load shared libraries and exits immediately with a permission error,
covering callers that use absolute paths and bypassed the wrapper.
AppArmor layer is skipped silently when apparmor_parser is not present,
and deferred with a warning if the real binary is not yet installed.
Profiles are unloaded and deleted when the host leaves the policy group.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Qt: replace QT_STYLE_OVERRIDE/QT_STYLE_SHEET env vars with QT_QPA_PLATFORMTHEME=qt6ct +
QT_QUICK_CONTROLS_STYLE=Fusion; add cyberqueer Qt6 style plugin (QProxyStyle wrapping
Fusion with hardcoded dark palette); enable custom_palette in qt6ct.conf so qt6ct applies
the dark QPalette directly for both Qt Widgets and Qt Quick apps.
GTK: fix dark mode not applying — set gtk-application-prefer-dark-theme=1 in GTK3
settings.ini; add gsettings color-scheme=prefer-dark to install script (required by
libadwaita apps which ignore gtk-theme-name); add index.theme so the theme is recognized
by GTK theme discovery.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
airline#themes#cyberqueer#palette was undefined because the theme file was
being copied under the wrong name (cyberqueer-airline.vim instead of
cyberqueer.vim). Fixed by adding the file at the proper rtp-relative path
nvim/autoload/airline/themes/cyberqueer.vim — picked up automatically via
the ~/.config/nvim symlink, no extra copy step needed. Removed the now-
redundant manual cp from shell-setup.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Renames nvim/ → nvim.old/ (preserving init.vim + incomplete prior attempts)
and creates a fresh nvim/ with init.lua. All settings, keymaps, and plugin
declarations are converted from VimScript to Lua idioms. Plugin manager
migrated from vim-plug to lazy.nvim, which self-bootstraps on first launch.
shell-setup.sh updated to drop the vim-plug curl install; the symlink and
airline theme copy are retained (path updated for lazy's data directory).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Duplicates desktopenvs/hyprland/ as desktopenvs/hyprlua/ and converts all
Hyprland-specific configs (.conf) to Lua (.lua) using the 0.55+ hl.* API:
hyprland.lua, envvars.lua, monitors.lua, input.lua, autostart.lua,
windowrules.lua, binds.lua. Non-Hyprland tool configs (hyprpaper, hyprlock,
hypridle, hyprtoolkit) remain as .conf. Adds hyprlua.sh installer (user-side
.lua files install to ~/.config/hypr/ for require() resolution) and registers
HyprLua as the recommended DE option in tui-install.sh, marking the old
hyprlang-based Hyprland install as legacy.
Also consolidates hyprland (legacy) env vars into hypr-usr/envvars.conf,
removing duplicates from hyprland.conf and monitors.conf.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New playbook collect-luks-keys.yml connects to all enrolled FreeIPA
clients, checks for /_LUKS_BACKUP_KEY (placed there by the installer
when encryption is enabled), and fetches each key to the Ansible
controller as luks-keys/<HOSTNAME>_LUKS_BACKUP_KEY (mode 0400).
Hosts without the file are reported but not treated as errors.
The luks-keys/ store directory is created with mode 0700.
Usage:
ansible-playbook -i inventory collect-luks-keys.yml
Can be scheduled via cron on the controller for automatic collection.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New optional modules (browsers): chromium, firefox, zen-browser,
nyxt, librewolf, min-browser.
New optional modules (editors/IDEs): vscodium, zed, geany,
codeblocks, kate.
Add lynx to default core packages.
All 11 modules wired into both install-modules.sh and tui-install.sh
(the archiso-embedded installer) with consistent count_steps,
checklist, summary, and dispatch entries. Every module path verified
to exist; all scripts pass bash -n syntax check.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add bc, dmidecode, dosfstools, e2fsprogs, fzf, git, hdparm, lshw, lsof,
openbsd-netcat, parted, ripgrep, rsync, strace, sysstat, tmux, and whois —
utilities that ship by default on most distros or are now effectively standard.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Each script installs the DE meta-package, an appropriate display manager,
PipeWire audio, NetworkManager, Bluetooth, and Flatpak, then enables the
relevant services (sddm/gdm/lightdm/cosmic-greeter).
COSMIC falls back to sddm if cosmic-greeter is not installed.
tui-install.sh: DE menu expanded from 3 to 8 entries (height 20×70).
install-modules.sh: DEs added to checklist, summary, and dispatch so
they can be installed standalone on an existing system.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
IPA group naming: fp_install_org__mozilla__firefox (dots encoded as __)
Decoding: sed strips prefix, then s/__/./g restores the Flatpak app ID.
Single underscores in app IDs are preserved unambiguously.
ansipa-install-flatpaks.sh:
- kinit with host keytab, queries ipa group-find --pkey-only with awk $NF
- Validates decoded ID against reverse-domain regex before installing
- Ensures flathub system remote exists
- System-scope install (flatpak install --system) since service runs as root
- Timer offset to 4 min (after packages at 2 min) to avoid contention
deploy-ansipa-install.yml updated to deploy the Flatpak script, service,
and timer alongside the existing package installer.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Presents a Cyberqueer-themed menu after package install:
- Answerfile: prompts for path (defaults to FreeipaAnsible/freeipa-client-answerfile.json),
offers to create one with defaults if it doesn't exist
- Manual: dialog inputboxes for domain, realm, server, hostname, principal,
passwordbox for the admin password, yes/no for mkhomedir/sudo/dns/fido2
- Skip: prints post-install hints
Falls back to ipa-client-install directly if freeipa-client.sh is not
available (standalone install outside the dotfiles repo).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add freeipa-client module (sssd, cyrus-sasl-gssapi, freeipa-client AUR)
with post-install enrollment hints; wired into tui-install.sh and
install-modules.sh
- Add ansipa-install-modules.sh: reads IPA host groups named
ansipa-module-<name>, applies matching module scripts via a yay wrapper
that drops to ANSIPA_USER so AUR builds work from the root service
- Add ansipa-install-modules.service + .timer (boot + 30 min)
- Add deploy-ansipa-modules.yml Ansible playbook that deploys scripts,
writes /etc/ansipa-modules.conf, and enables the timer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous proxmox-vm target (virt-customize + QCOW2) is replaced with
a proper Proxmox LXC CT template builder:
- Exports container rootfs as .tar.zst (same mechanism as the lxc target)
- Asks for CT ID, storage, bridge, memory, cores, disk size
- Generates pve-ct-<VMID>.conf with the required FreeIPA LXC options:
unprivileged: 0
lxc.apparmor.profile: unconfined
lxc.cap.drop:
lxc.mount.auto: proc:rw sys:rw cgroup:rw
lxc.cgroup2.devices.allow: a
- Generates proxmox-lxc-setup.txt with the full 6-step setup guide
(upload, pct create, apply LXC opts, set env vars, start, Keycloak)
- Optionally uploads template + conf to Proxmox host via SCP if a
host is provided
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
freeipa-image-builder.sh: TUI chooser that builds a FreeIPA server image
and exports it to four target formats:
docker — builds via podman/docker, optional registry push
lxc — exports container rootfs as .tar.zst Proxmox CT template,
generates pct import instructions
proxmox-vm — downloads Rocky/Fedora cloud image, customizes with
virt-customize, outputs QCOW2 + cloud-init user-data.yml
oci-archive — skopeo OCI tarball for air-gapped import
Keycloak TUI option generates the full constellation:
docker-compose.yml FreeIPA + Keycloak + PostgreSQL stack
.env pre-filled env template (passwords placeholder)
keycloak-configure.sh post-start Keycloak REST API config script
image/Dockerfile: Fedora 41 + freeipa-server-dns + ansible-core,
systemd-enabled container (CMD /sbin/init).
image/ipa-first-boot.{sh,service}: systemd oneshot that runs
ipa-server-install on first container/VM boot from env vars
(IPA_DOMAIN, IPA_ADMIN_PASSWORD, IPA_DM_PASSWORD, and optionals).
ConditionPathExists=!/etc/ipa/default.conf makes it idempotent.
image/keycloak-configure.sh: Keycloak REST API automation that:
- waits for Keycloak readiness
- creates a realm
- wires FreeIPA LDAP user federation (READ_ONLY, vendor=rhds)
- adds attribute mappers: email, firstName, lastName, uidNumber
- adds group mapper (IPA groups → Keycloak groups, cn=groups,cn=accounts)
- triggers an initial full user sync
image/docker-compose.yml: freeipa + postgres + keycloak services on
a private 172.30.0.0/24 bridge; FreeIPA has a fixed IP so Keycloak
can resolve it via extra_hosts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs open-webui from AUR and enables open-webui.service.
Serves the browser UI at http://localhost:8080; Ollama module
should be installed first for full LLM backend functionality.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
podman, podman-compose, cockpit, cockpit-files, cockpit-podman all have
dedicated optional modules — no reason to install them on every system.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ollama.sh: installs from official repos, enables ollama.service, notes
GPU sharing caveat with llama.cpp. For NVIDIA/AMD GPU variants use
ollama-cuda or ollama-rocm from AUR instead.
llama-cpp.sh: standalone inference CLI and server via yay (covers both
official repos and AUR). Both modules coexist at the package level;
docker/podman/cockpit modules confirmed conflict-free (all use --needed,
podman+cockpit base packages already in core-packages.sh).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs @anthropic-ai/claude-code via npm, sourcing nvm if npm is not
already in PATH. Wired into tui-install.sh and install-modules.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- New optional modules: ssh-server (openssh, key auth hardened), docker
(+ compose, docker group), podman (rootless, buildah, skopeo, lingering),
cockpit (+ cockpit-machines, cockpit-podman, cockpit-navigator via AUR)
- openssh added to archiso packages.extra for live-env SSH access
- less added to pacstrap base install
- tui-install.sh wired up for all four new modules (checklist, count,
summary, run); dialog dimensions bumped to fit 17 items
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pamtester and pinta are AUR-only; kew is now in the extra repo.
Move them to the correct install commands across audit-packages.sh,
core-packages.sh, and hyprland.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- amssh: use dedicated /etc/pam.d/amssh service instead of login (pam_u2f
was commented out in login); auto-create service and register key on
first-launch FIDO selection
- amssh: redirect pamtester stdout+stderr to /dev/tty so the tap prompt is
visible and the success message doesn't contaminate pass=$(_get_passphrase)
- amssh: split _fido_pam_available into _fido_hardware_available (for dialog
gating) and _fido_pam_available (runtime — requires keys file + PAM service)
- setup: add pamtester to core-packages.sh
- setup: add audit-packages.sh to verify installed packages come from the
expected source (pacman/AUR/flatpak)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Apps (new individual scripts):
wireshark, localsend, onlyoffice, vintagestory
core-packages.sh: add nmap mtr tcpdump net-tools iputils ipcalc
(bind + traceroute were already present; wireshark is now optional)
hyprland.sh:
- pinta moved from yay to pacman (available in extra)
- localsend removed from mandatory yay install (now an optional app)
Deprecate nettools.sh — all its packages are now in core or split out.
tui-install.sh: apps checklist gains wireshark, localsend, onlyoffice,
vintagestory; drops nettools; dialog sized for 12 items.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Break up gaming-packages.sh and network-developer-packages.sh into
individual scripts under optional-Modules/apps/:
steam, vesktop (+ Vencord config), spotify (+ Spicetify config),
prismlauncher, nettools, k8s
tui-install.sh:
- Simplify component checklist to 5 items: pkg/core/svc/shell/de
- Add dedicated "Applications" checklist phase after DE selection,
covering all 9 optional apps independently
- count_steps accounts for each selected app as a separate step
- Confirmation summary shows components and apps in separate sections
install.sh: replace unconditional bundle calls with commented-out
individual app lines (opt-in)
Deprecate gaming-packages.sh and network-developer-packages.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove all shell components (zsh, oh-my-zsh, starship, dotfile
symlinks) — shell-setup.sh covers these and can now run independently
of any DE selection
- Replace ln -sf DE config links with a CONFIGS copy loop (consistent
with hyprland.sh)
- Add colors.conf and apply-theme.sh to the config deployment section
- Drop packages already handled by core/shell modules (base, git, yay,
micro, nano, zsh, fastfetch, etc.)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Desktop-Enviroments/ → Desktop-Environments/ (fix typo)
- hyprland-new.sh → hyprland.sh (drop -new suffix now that it's the only installer)
- Move old symlink-based hyprland.sh to deprecated/
- Move aur-yay.sh to deprecated/ (superseded by package-managers.sh)
- Delete binary blobs: Nordzy-cursors-lefthand.tar.gz, fastfetch-linux-amd64.deb.1.old
- install.sh: fix broken shell.sh ref → shell-setup.sh; update DE paths
- tui-install.sh: update DE paths to match new names
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Consistent with hyprland installers — prevents apply-theme.sh from
writing through a symlink back into the git repo.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- New apply-theme.sh: reads colors.conf, diffs against saved state,
applies changed hex values across all 26 theme files via sed.
Refuses to run when any deployed config is symlinked back to ~/Dotfiles
to prevent theme changes from propagating into the git repo.
- New colors.conf: editable color source with the default CyberQueer palette.
- hyprland.sh + hyprland-new.sh: copy colors.conf to ~/.config/ and
apply-theme.sh to ~/ at install (instead of symlinking colors.conf).
- sway.sh: wire colors.conf into the sway install path.
- doc/colorcodes.md: rewritten as structured color reference with format table.
Theme source files in the repo are unchanged from upstream (E40046 palette).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the hardcoded inline-generated ~/update-hypr-configs.sh with
a proper dotfiles-resident script + config file:
config-updater/update-configs.sh — reads updater.conf, applies
configs, warns about untracked source items and manifest drift
config-updater/updater.conf — declares config/flat/ignore
entries and SOURCE_BASE; hypr-usr is flat (contents → ~/.config/)
hyprland-new.sh step 15 now symlinks both into place instead of
generating a hardcoded script inline. The output is renamed from
~/update-hypr-configs.sh to ~/update-configs.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Module fixes across the board:
- package-managers.sh: add sudo, --noconfirm, idempotency guards for
yay/rustup/nvm, mkdir -p, remove stale version comments
- core-packages.sh: add --noconfirm --needed, remove invalid 'nvim'
package name, deduplicate ~15 repeated entries
- shell-setup.sh: move color vars to top (were defined after use, RESET
never defined), RUNZSH=no CHSH=no for oh-my-zsh (was spawning new
shell and halting script), --yes for starship installer
- hyprland-new.sh: mkdir -p before cd, ln -sf for xdg-terminal-exec and
ssh-askpass, remove flatpak-system-helper enable, comment out hyprpm
and WallRizz -w (require live session), mkdir -p ~/Pictures, add
walker-bin/ulauncher to yay installs, --noconfirm on yay
- sway.sh: fix gitgreetd-tuigreet typo, --noconfirm --needed, yay
idempotency, rm -f for bashrc/zshrc, ln -sf everywhere, mkdir -p for
spotify-tui, remove hard reboot, RUNZSH=no/--yes for shell tools
- gaming-packages.sh: add missing shebang, --noconfirm, flatpak -y
- network-developer-packages.sh: --noconfirm --needed, fix inline comment
- zfs.sh / wprs.sh: add yay --noconfirm flags
- All scripts: set -euo pipefail
New: setup/tui-install.sh — dialog-based TUI installer with Cyberqueer
theme, component checklist, DE submenu, step counter, and per-module
error handling
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
