Adds a post-keymap action selection to launch.sh (Install vs Reset).
The reset routine (reset-arch.sh) unlocks LUKS via FIDO2 token and/or
passphrase, snapshots /etc credentials and config, wipes and recreates
the @ btrfs subvolume, reinstalls base packages via pacstrap, restores
auth files (passwd/shadow/pam.d/sudoers) and system config, then
regenerates the initramfs and GRUB menu from chroot. User home data is
preserved; ~/.config is cleared except Yubico/ auth keys so FIDO2 PAM
login continues to work. libfido2 added to packages.extra for live-env
token unlock support.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ansipa-smb.service: WantedBy=multi-user.target (was smb.service) so the
setup service always runs at boot, not only when smb.service pulls it in
docker-compose.yml: add NetBIOS UDP ports 137/138 to match Dockerfile EXPOSE
and nmb.service being enabled
ansipa-smb-setup.sh:
- use printf '%q' when writing SMB_SCAN_PASSWORD to ansipa-smb.env so
passwords with spaces or shell-special chars are correctly quoted
- always write /etc/cron.d/ansipa-check-scans (remove the [[ ! -f ]] guard)
since /etc/cron.d is on the ephemeral container layer and is lost on
container recreation; the service runs on every start anyway
Dockerfile: add -e SMB_SCAN_PASSWORD and -p 445:445 to the quick-test comment
ansipa-fetch-alerts.sh: replace $NEW && log with [[ "$NEW" == true ]] && log
to avoid set -e ambiguity with the 'false' builtin
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
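The quoting point in the ansipa-smb-setup.sh item above, as an added example that is not code from the ansipa repository: the variable and file names follow the commit text, the helper names are invented, and the env file is assumed to be consumed by sourcing it in a shell. Beyond the commit's own `printf '%q'`, it also shows the single-quote escaping that plain POSIX sh needs, since `%q` is bash-only.

```shell
#!/usr/bin/env bash
# Added example, not from the ansipa repository. Helper names are invented;
# the variable name and file name follow the commit message.
# Assumption: ansipa-smb.env is later consumed by sourcing it in a shell.

# Naive form: the raw value is interpolated unquoted. When the file is
# sourced, $... sequences expand and whitespace or metacharacters split
# the line, so the value is corrupted or another command gets run.
write_env_naive() {          # $1 = password, $2 = env file
  printf 'SMB_SCAN_PASSWORD=%s\n' "$1" > "$2"
}

# Quoted form: bash's printf %q emits a word that the shell reads back
# literally. Under plain POSIX sh (no %q) the equivalent is to wrap the
# value in single quotes and escape embedded single quotes as '\''.
write_env_quoted() {         # $1 = password, $2 = env file
  if [ -n "${BASH_VERSION:-}" ]; then
    printf 'SMB_SCAN_PASSWORD=%q\n' "$1" > "$2"
  else
    esc=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    printf "SMB_SCAN_PASSWORD='%s'\n" "$esc" > "$2"
  fi
}

# Source the env file the way a consumer would and print what it sees.
# Always returns 0 so callers running under set -e survive; a failed
# read simply yields an empty string.
read_back() {                # $1 = env file
  ( . "$1" 2>/dev/null && printf '%s' "${SMB_SCAN_PASSWORD:-}" ) || true
}

# Constructed sample password containing a '$' sequence, a space and '#'.
SAMPLE_PW='pa$s word#1'

# Side-by-side round trip of both forms.
demo() {
  dir=$(mktemp -d)
  write_env_naive  "$SAMPLE_PW" "$dir/naive.env"
  write_env_quoted "$SAMPLE_PW" "$dir/quoted.env"
  printf 'naive  : [%s]\n' "$(read_back "$dir/naive.env")"
  printf 'quoted : [%s]\n' "$(read_back "$dir/quoted.env")"
  rm -rf "$dir"
}
```

Calling `demo` shows the naive file coming back empty (the sourcing shell tried to run `word#1` as a command) while the quoted file returns the password intact.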
Container (ansipa image):
- Add samba + cronie to Dockerfile; expose ports 445/139
- ansipa-smb-setup.sh: idempotent setup of smbd + scanupload user +
/data/scan-results/{archive,alerts}/ on every container start
- ansipa-smb.service: runs setup before smb.service on each boot
- ansipa-check-scans.sh: hourly cron on server; analyses archive logs for
ClamAV/rkhunter/chkrootkit findings and writes <host>/<date>.alert files
- docker-compose.yml: add SMB_SCAN_PASSWORD env var + port mappings
- .env.example: document SMB_SCAN_PASSWORD
Client (policy-security-scan):
- Scan script now uploads log to //ipa-server/ansipa-scans/archive/<host>/
via smbclient after each run
Client (policy-scan-notify — new policy group):
- ansipa-fetch-alerts.sh: root timer (10 min) downloads alerts from SMB into
~/administration/<hostname>/ for each active login session; deletes server
alert when user removes local file (acknowledgment)
- ansipa-scan-notify.sh: user daemon started via /etc/profile.d/ansipa-notify.sh;
sends notify-send every 10 min while *.alert files remain in ~/administration/
- deploy-ansipa-policies.yml: installs samba-client, deploys SMB creds file
(/etc/ansipa-smb.creds, 0600), and deploys both notification scripts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Binary blocking now applies two layers:
1. PATH-priority wrapper in /usr/local/bin/ (existing)
2. Empty AppArmor profile in /etc/apparmor.d/ loaded in enforce mode
An empty AppArmor profile denies all access — the blocked binary cannot
load shared libraries and exits immediately with a permission error,
covering callers that use absolute paths and bypass the wrapper.
AppArmor layer is skipped silently when apparmor_parser is not present,
and deferred with a warning if the real binary is not yet installed.
Profiles are unloaded and deleted when the host leaves the policy group.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Keymap selection was unreachable because user input ran after pacman/partition
steps that could fail under set -e. Move the entire user input block (kernel,
hostname, username, encryption, keymap) to before lsblk and drive selection.
Also remove the redundant live-env keymap section (launch.sh handles that).
Drop exec from .zlogin so quitting the installer returns to a bash shell
instead of ending the session.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
arch-autoinstall.sh was missing the keymap handling added to the guided
installer in the previous two commits, so booting the ISO in auto mode
(answerfile embedded) never called loadkeys and left the installed system
with no /etc/vconsole.conf.
- Add the same KEYMAPS array + selection logic to arch-autoinstall.sh
(AF mode reads .keymap, interactive mode prompts)
- Call loadkeys and export KEYMAP into the chroot
- Write /etc/vconsole.conf inside the chroot
- Add keymap dialog to generate-answerfile.sh so the field is populated
- Document .keymap in the arch-autoinstall.sh answerfile field list
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Both the live-environment prompt and the installed-system prompt now
loop over a single KEYMAPS array, so adding a new layout is a
one-line change.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prompts for us/de keymap interactively; reads .keymap from answerfile in unattended mode. Writes /etc/vconsole.conf in chroot.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
.zlogin execs .automated_script.sh on login, which checks for /answerfile.json;
if present it runs the auto installer (passing the path), otherwise launches the
guided installer directly — no manual invocation needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pumvisible() checks the native Vim pum, which coc.nvim bypasses in
favour of its own popup — so the confirm never fired. Switch to
coc#pum#visible() / coc#pum#confirm() to match the Tab/S-Tab bindings.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace hyprctl dispatch with hyprctl eval using hl.dsp.* in all
three eww variants. Workspace switching uses hl.dsp.focus with r+/r-
relative prefixes; killactive becomes hl.dsp.window.close(); exec
uses hl.dsp.exec_cmd.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace hyprctl dispatch exec with direct daemon invocation in caffeine.sh,
and replace defunct $LAPTOP_KB_ENABLED .conf variable with the actual
device key path in hyprland-toggle-touchpad.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The cyberqueer style plugin only overrode polish(QPalette&) with colors
identical to those already in cyberqueer.conf. Qt failed to load the
plugin for apps after the first, falling back to Fusion Light entirely.
Switching to the built-in Fusion style with qt6ct's custom_palette
mechanism gives the same result reliably for every app.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Qt: replace QT_STYLE_OVERRIDE/QT_STYLE_SHEET env vars with QT_QPA_PLATFORMTHEME=qt6ct +
QT_QUICK_CONTROLS_STYLE=Fusion; add cyberqueer Qt6 style plugin (QProxyStyle wrapping
Fusion with hardcoded dark palette); enable custom_palette in qt6ct.conf so qt6ct applies
the dark QPalette directly for both Qt Widgets and Qt Quick apps.
GTK: fix dark mode not applying — set gtk-application-prefer-dark-theme=1 in GTK3
settings.ini; add gsettings color-scheme=prefer-dark to install script (required by
libadwaita apps which ignore gtk-theme-name); add index.theme so the theme is recognized
by GTK theme discovery.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move settings.json out of the wrong vicinae/vicinae/ subdir so it deploys
to ~/.config/vicinae/settings.json where vicinae actually reads it, enabling
the cyberqueer theme. Add GTK_THEME=cyberqueer on launch for correct font
rendering. Add float=true to the launcher window rule so the cursor-position
move formula is applied.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds greggh/claude-code.nvim with plenary.nvim as a required dependency.
Provides :ClaudeCode toggle, continue/resume/verbose commands, and
<C-,> / <leader>cC keybinds out of the box.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
airline#themes#cyberqueer#palette was undefined because the theme file was
being copied under the wrong name (cyberqueer-airline.vim instead of
cyberqueer.vim). Fixed by adding the file at the proper rtp-relative path
nvim/autoload/airline/themes/cyberqueer.vim — picked up automatically via
the ~/.config/nvim symlink, no extra copy step needed. Removed the
now-redundant manual cp from shell-setup.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Renames nvim/ → nvim.old/ (preserving init.vim + incomplete prior attempts)
and creates a fresh nvim/ with init.lua. All settings, keymaps, and plugin
declarations are converted from VimScript to Lua idioms. Plugin manager
migrated from vim-plug to lazy.nvim, which self-bootstraps on first launch.
shell-setup.sh updated to drop the vim-plug curl install; the symlink and
airline theme copy are retained (path updated for lazy's data directory).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Duplicates desktopenvs/hyprland/ as desktopenvs/hyprlua/ and converts all
Hyprland-specific configs (.conf) to Lua (.lua) using the 0.55+ hl.* API:
hyprland.lua, envvars.lua, monitors.lua, input.lua, autostart.lua,
windowrules.lua, binds.lua. Non-Hyprland tool configs (hyprpaper, hyprlock,
hypridle, hyprtoolkit) remain as .conf. Adds hyprlua.sh installer (user-side
.lua files install to ~/.config/hypr/ for require() resolution) and registers
HyprLua as the recommended DE option in tui-install.sh, marking the old
hyprlang-based Hyprland install as legacy.
Also consolidates hyprland (legacy) env vars into hypr-usr/envvars.conf,
removing duplicates from hyprland.conf and monitors.conf.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
9 Markdown pages covering installation, theming, Hyprland, editors,
modules, archiso, FreeIPA/Ansible, and utilities. md-to-html.sh
converts them to self-contained styled HTML using the live palette
from colors.conf with inline CyberQueer CSS.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New playbook collect-luks-keys.yml connects to all enrolled FreeIPA
clients, checks for /_LUKS_BACKUP_KEY (placed there by the installer
when encryption is enabled), and fetches each key to the Ansible
controller as luks-keys/<HOSTNAME>_LUKS_BACKUP_KEY (mode 0400).
Hosts without the file are reported but not treated as errors.
The luks-keys/ store directory is created with mode 0700.
Usage:
ansible-playbook -i inventory collect-luks-keys.yml
Can be scheduled via cron on the controller for automatic collection.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
tui-install.sh:
- Reads /answerfile.json if present (ANSWERFILE_MODE)
- All dialog selections (components, DE, apps) sourced from file
- Hostname from answerfile gets MAC address suffix appended to
prevent conflicts when deploying one image to multiple machines
- Interactive hostname inputbox added to the normal TUI flow
- Colorway dialog added as final step; skipped if no colors differ
from defaults and no answerfile colors are set
- Answerfile mode: runs non-interactively, logs warnings on failure
generate-answerfile.sh (new):
- Dry-runs the full installer dialog flow (OS + dotfiles)
- Writes selections to ~/answerfile.json (or a given path)
- No software is installed; passwords are never written to the file
build.sh:
- New --preconf [FILE] flag embeds an answerfile into the ISO at
/answerfile.json; omitting the flag leaves the ISO clean
- Validates JSON with jq if available before embedding
- Reworked arg parsing to handle the new flag alongside OUT_DIR
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Both arch-autoinstall.sh and archbaseos-guided-install.sh now ask
whether to enable disk encryption. If skipped, btrfs is formatted
directly on the root partition with an appropriate plain GRUB cmdline
(root=UUID=... rootflags=subvol=@).
When encryption is chosen, a 64-byte random key is generated, enrolled
as a second LUKS keyslot, and written to /_LUKS_BACKUP_KEY inside the
new system (mode 400, root-owned, inside the encrypted container).
Also fixes: duplicate 'encrypt' hook in original mkinitcpio HOOKS
strings, missing KERNEL export into arch-autoinstall chroot heredoc.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/tmp in WSL is a RAM-backed tmpfs that fills up during the build,
leaving xorriso with no room to write the ISO.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New optional modules (browsers): chromium, firefox, zen-browser,
nyxt, librewolf, min-browser.
New optional modules (editors/IDEs): vscodium, zed, geany,
codeblocks, kate.
Add lynx to default core packages.
All 11 modules wired into both install-modules.sh and tui-install.sh
(the archiso-embedded installer) with consistent count_steps,
checklist, summary, and dispatch entries. Every module path verified
to exist; all scripts pass bash -n syntax check.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/tmp fills up during large builds; allow redirecting both dirs without
editing the script (WORK_DIR=~/iso-work ./build.sh ~/iso-out).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace five deprecated boot mode names with the canonical 'bios.syslinux'
and 'uefi.systemd-boot', removing the ia32 grub mode that required grub
installed and conflicted with systemd-boot.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>