Commit Graph

336 Commits (e7f251dde35a1c1c9322880a462753286c6a2089)

Author SHA1 Message Date
Amir Alexander Abdelbaki 85e810d70b feat(nvim,alot): full-screen PIM layout + alot Esc bindings
- x now opens a full-screen overlay: alot left (55%), abook top-right,
  calendar bottom-right
- Add esc = exit bindings to alot config for search/thread/taglist/
  bufferlist modes, applied to live ~/.config/alot/config and to the
  mail-notmuch.sh setup script

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 13:12:25 +02:00
Amir Alexander Abdelbaki 96610b7ed0 feat(nvim,mail): floating PIM windows + notmuch/alot setup script
- Replace tab/vsplit PIM approach with nvim_open_win floating windows:
  r opens a tiled full-screen overlay (alot top, calendar+abook bottom)
  n/g/f open individual centered floats with rounded border
- Add setup/modules/optional-Modules/apps/mail-notmuch.sh:
  configures mbsync, msmtp, notmuch, alot from interactive prompts
  installs a systemd user timer for 5-min periodic mail sync

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 11:57:43 +02:00
Amir Alexander Abdelbaki 00b178103e feat(nvim): add PIM panel with calendar, alot mail, and abook
Adds itchyny/calendar.vim plugin and keybinds for a PIM sidebar:
- r: full-screen tab with alot (top), calendar + abook (bottom split)
- n/g/f: individual vsplit toggles for alot, calendar, abook
- Restores <C-hjkl> window nav inside calendar buffers
- shell-setup.sh installs notmuch, alot, abook (AUR) and syncs lazy.nvim

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 11:52:05 +02:00
Amir Alexander Abdelbaki 3e78c7cb2a fix(installer): allow root execution in archiso by shimming sudo
When running as root (archiso chroot context), all three TUI installers
previously died immediately. Replace the hard die with a sudo passthrough
shim ($TMP_D/bin/sudo → exec "$@") prepended to PATH, so every module's
`sudo pacman`, `sudo systemctl` etc. just executes directly as root.
The shim lives in TMP_D and is cleaned up by the existing EXIT trap.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 05:04:55 +02:00
Amir Alexander Abdelbaki f358cb6d2c fix(installer): fix FIDO2 user login and AUR module failures
- Pin pamu2fcfg enrollment to the target hostname (-o/-i pam://$HOSTNAME)
  so the credential origin matches pam_u2f.so at runtime; enrolling outside
  the chroot previously used the live ISO hostname, causing auth to fail
- Add `cue` to the pam_u2f.so PAM line so ly prompts the user to touch
  the key after password entry
- Add --needed to hyprlua AUR yay call to survive re-runs
- Degrade gracefully in lamco-rdp-server when no user D-Bus session is
  active (systemctl --user enable would abort the module under set -e)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 04:06:49 +02:00
Amir Alexander Abdelbaki 0c88a09a0f feat(installer): add structured logging to all modules and installers
Add modules/lib/logging.sh with log(), skip(), warn(), err() helpers.
Source it in all 84 scripts (core, DEs, optional apps) and replace bare
echo calls with structured log messages. Add log file capture to install.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 01:44:31 +02:00
Amir Alexander Abdelbaki 69f5b3c13b feat(modules): add sauerbraten and stuntrally modules
sauerbraten: open-source Cube 2 FPS (pacman)
stuntrally: rally racing game via Flatpak (io.github.stuntrally.StuntRally3)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 00:17:17 +02:00
Amir Alexander Abdelbaki 6d27c189f3 feat(modules): add openarena, tetris CLI, and doom modules
openarena: open-source Quake III Arena (pacman)
tetris: bastet + vitetris (pacman + AUR)
doom: Chocolate Doom + Freedoom game data (pacman)

Wired up in simple-install.sh, tui-install.sh, and install-modules.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 23:51:33 +02:00
Amir Alexander Abdelbaki 33d2fe7715 fix(installer): replace nmtui with iwctl instructions in network check
nmtui is not available on the archiso live environment; direct users to
iwctl (WiFi) or ethernet instead, and pause for input before re-checking.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 23:47:36 +02:00
Amir Alexander Abdelbaki 832eb2df5b feat(installer): add xournal++ module, merge blender+povray, sync tui with simple
- Add apps/xournal.sh (xournalpp) wired into both installers
- Merge apps/blender.sh + apps/povray.sh → apps/blender-povray.sh; remove old files
- Sync tui-install.sh with simple-install.sh: add the 13 missing app modules
  (gimp, inkscape, krita, ardour, audacity, lmms, mixxx, cecilia,
   kdenlive, openshot, shotcut, anti-malware, timeshift) to checklist,
   count_steps, summary, and run_module sections

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 23:35:29 +02:00
Amir Alexander Abdelbaki e7873d2874 feat(installer): wire up all missing optional modules in simple-install.sh
Adds 13 previously unlinked app modules (gimp, inkscape, krita, ardour,
audacity, lmms, mixxx, cecilia, kdenlive, openshot, shotcut, anti-malware,
timeshift) to the checklist, summary loop, and dispatch block, with three
new TUI sections: Graphics & Design, Audio & Music, and Video Editing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 23:21:46 +02:00
Amir Alexander Abdelbaki 379dfc4885 feat(installer): replace number-input checklist with scrollable TUI
Arrow keys navigate a viewport-bounded list, Space toggles items,
Enter/n confirms — fixes overflow on the app selection screen.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 22:58:02 +02:00
Amir Alexander Abdelbaki cdccc7634a feat(installer): replace dialog with pure-bash TUI in simple-install.sh
Rewrites simple-install.sh to use ANSI/read-based TUI primitives
(tui_msg, tui_yesno, tui_input, tui_checklist, tui_menu) instead of
dialog, removing the dialog dependency entirely.

Updates archbaseos-guided-install.sh to invoke simple-install.sh and
drops dialog from the archiso package list; error_handler now uses the
plain read-based croc prompt unconditionally.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 22:23:11 +02:00
Amir Alexander Abdelbaki 1f1e9f6f9c fix(installer): fix tui-install on bare console + add network check to archiso installers
tui-install.sh: dialog height=40 apps checklist and height=24 confirm
dialog both exceeded the standard 24-row VT console, causing dialog to
exit with code 1 and silently skip all apps. Make both heights
terminal-adaptive via tput lines/cols. Also extend the EXIT trap to
reset the terminal so Ctrl-C during a dialog doesn't leave the console
in raw/no-echo mode.

arch-autoinstall.sh, archbaseos-guided-install.sh: add a ping 1.1.1.1
check early in both scripts. In interactive mode, launches nmtui if
offline, then re-checks; prompts to abort if still down. Answerfile
mode logs a warning and continues.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 21:18:46 +02:00
Amir Alexander Abdelbaki dbb1be0081 fix(installer): show password input in plain text
Remove -s flag from read so the password is visible while typing,
enabling piped input to work visibly on the ISO installer.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 20:45:17 +02:00
Amir Alexander Abdelbaki fb4cef6a09 fix(archiso): chmod 777 build and out dirs after mkarchiso
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 20:36:49 +02:00
Amir Alexander Abdelbaki cfe102b26f fix(installer): run pamu2fcfg outside arch-chroot to fix FIDO2 user enrollment
Inside the chroot the host's udev manages /dev/hidraw* with permissions
scoped to live-system groups; the new user has none of them, so pamu2fcfg
timed out with "No FIDO authenticator found". Move enrollment to after
CHROOT_EOF where it runs as root on the live system, then fix ownership
using the new system's UID/GID.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 20:29:30 +02:00
Amir Alexander Abdelbaki aae5042258 fix(installer): remove lvm2 hook from mkinitcpio — setup uses LUKS2+btrfs, no LVM
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 19:37:01 +02:00
Amir Alexander Abdelbaki a0a2b66ccf feat(installer): show croc log-send TUI on install error
On any ERR, both installers now trap the failure, log the line/exit
code, and pop a dialog yes/no asking whether to send the log to another
system via croc. Falls back to a plain read prompt if dialog is absent.
Added dialog and croc to packages.extra so they are present in the live ISO.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 19:28:43 +02:00
Amir Alexander Abdelbaki 319af7bde7 fix(installer): add logging to guided installer and fix NVMe partition naming
- Add full session logging (tee to logfile) to archbaseos-guided-install.sh,
  matching the pattern already in arch-autoinstall.sh; copy log to /mnt/boot/
  at the end so it survives into the new system
- Add part() helper to both installers so NVMe/eMMC drives use the correct
  'p' separator (e.g. /dev/nvme0n1p1 instead of the broken /dev/nvme0n11)
- Add disk size guard to arch-autoinstall.sh: fail early with a clear message
  if ROOT_GIB would be < 8GiB instead of passing a nonsense value to parted

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 18:54:57 +02:00
Amir Alexander Abdelbaki 547c997614 feat(ansipa): rework scan-notify as per-user policy
policy-scan-notify is now a FreeIPA *user* group instead of a host group,
so alert notifications follow the user to every enrolled machine. The
fetch-alerts timer is installed fleet-wide on any host where the group exists;
the profile.d snippet gates notification daemon start on runtime group
membership (id(1) / SSSD) so non-members log in unaffected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 16:41:35 +02:00
Amir Alexander Abdelbaki 87b62f368b feat(ansipa): rework binary blocking as per-user policy; add local_sudo device policy
policy-block-binary-<name> is now a FreeIPA *user* group instead of a host group,
so restrictions follow the user to every enrolled machine. The PATH wrapper is
installed on all hosts and checks group membership at runtime via id(1)/SSSD,
passing non-members through transparently. __ in the group name decodes to .
so Flatpak app IDs are supported (flatpak run fallback included). AppArmor layer
removed since per-user confinement requires a different approach and the wrapper
alone is sufficient. Adds local_sudo_<username> host group policy which writes
a sudoers drop-in granting that user full sudo on the specific device, reverted
on group leave.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 16:31:43 +02:00
Amir Alexander Abdelbaki 6ad8d0d488 feat(ansipa): add no_local_users device policy to lock all local account passwords
Adds a new host group policy `no_local_users` that locks the passwords of root
and all local users (UID >= 1000) via `passwd -l`, ensuring only FreeIPA domain
accounts with centrally-managed sudo rules can authenticate and gain elevated
privileges. Leaving the group reverts by unlocking every account tracked in the
state file. Updates docs with group reference entry and Local User Lockdown section.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 16:18:48 +02:00
Amir Alexander Abdelbaki 5d976f5aad feat(modules): add graphic design, video editing, and audio app modules
Add separate install modules for GIMP, Inkscape, Krita, Kdenlive, OpenShot,
Shotcut, Audacity, LMMS, Ardour, Mixxx, and Cecilia.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:47:12 +02:00
Amir Alexander Abdelbaki 5d56984e38 feat(ansipa): store LUKS backup keys on SMB share with KeyAdmin access control
ansipa-smb-setup.sh:
- Adds KeyAdmin Linux group and luks-upload service account (member of
  KeyAdmin) on the IPA container, both persisted across restarts.
- LUKS base dir /data/luks-keys owned root:KeyAdmin, mode 2750 (setgid
  so new files inherit the group).
- New [ansipa-luks-keys] SMB share: valid users = @KeyAdmin, read only,
  write list = luks-upload. Human admins gain read access by being added
  to KeyAdmin: useradd -r -G KeyAdmin <user> && smbpasswd -a <user>.
- LUKS_KEY_UPLOAD_PASSWORD sourced from env / /data/samba/ansipa-smb.env
  alongside the existing SMB_SCAN_PASSWORD.

collect-luks-keys.yml:
- After fetching /_LUKS_BACKUP_KEY from each client, uploads it to the
  ansipa-luks-keys share via smbclient using a temp credentials file
  (no_log, deleted in post_tasks).
- Local staging copy is removed after a successful upload.
- SMB credentials file uses an epoch-stamped path to avoid collisions.

.env.example: documents LUKS_KEY_UPLOAD_PASSWORD.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:33:17 +02:00
Amir Alexander Abdelbaki aced2c754e feat(ansipa): add daemon enable/disable policy via host-group regex
Host groups named policy-daemon-enable-<unit> and
policy-daemon-disable-<unit> are now matched by a wildcard case arm in
the group parser — no per-service configuration required.

Enforcement (every 30 min via existing timer):
  enable:  systemctl enable --now <unit>; state written to
           /var/lib/ansipa-policies/daemon-enabled
  disable: systemctl disable --now <unit>; state written to
           /var/lib/ansipa-policies/daemon-disabled
  revert:  when a host leaves a group the opposite action is applied
           on the next run (enable→disable, disable→enable)
  conflict: unit in both lists is skipped with a warning

The .service suffix is optional — _svc_unit() appends it when the name
contains no dot, so all systemd unit types work as-is.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:25:15 +02:00
Amir Alexander Abdelbaki 63cd59fb91 feat(modules): add lamco-rdp-server module
Installs lamco-rdp-server from AUR (native Wayland RDP server, Rust,
H.264/VA-API). Enables lamco-rdp-server.service as a systemd user
service. Wired into tui-install.sh alongside the existing rdp-client
and qemu entries.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:15:59 +02:00
Amir Alexander Abdelbaki eb3ae766a5 feat(modules): add RDP client and QEMU/KVM modules
rdp-client.sh: installs Remmina with the FreeRDP and libvncserver plugins
for RDP and VNC sessions.

qemu.sh: installs the full QEMU/KVM stack (qemu-full, libvirt, virt-manager,
virt-viewer, dnsmasq, bridge-utils, edk2-ovmf, swtpm, vde2), enables and
starts libvirtd, auto-starts the default NAT network, and adds the user to
the libvirt and kvm groups.

Both modules are wired into tui-install.sh: count_steps, checklist,
confirmation summary, and run_module dispatch.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:12:21 +02:00
Amir Alexander Abdelbaki a84e6ac41c feat(archiso): add system reset mode to installer
Adds a post-keymap action selection to launch.sh (Install vs Reset).
The reset routine (reset-arch.sh) unlocks LUKS via FIDO2 token and/or
passphrase, snapshots /etc credentials and config, wipes and recreates
the @ btrfs subvolume, reinstalls base packages via pacstrap, restores
auth files (passwd/shadow/pam.d/sudoers) and system config, then
regenerates the initramfs and GRUB menu from chroot. User home data is
preserved; ~/.config is cleared except Yubico/ auth keys so FIDO2 PAM
login continues to work. libfido2 added to packages.extra for live-env
token unlock support.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 15:09:00 +02:00
Amir Alexander Abdelbaki c56c86d57b fix(freeipa): harden container SMB setup and fetch-alerts script
ansipa-smb.service: WantedBy=multi-user.target (was smb.service) so the
  setup service always runs at boot, not only when smb.service pulls it in

docker-compose.yml: add NetBIOS UDP ports 137/138 to match Dockerfile EXPOSE
  and nmb.service being enabled

ansipa-smb-setup.sh:
  - use printf '%q' when writing SMB_SCAN_PASSWORD to ansipa-smb.env so
    passwords with spaces or shell-special chars are correctly quoted
  - always write /etc/cron.d/ansipa-check-scans (remove the [[ ! -f ]] guard)
    since /etc/cron.d is on the ephemeral container layer and is lost on
    container recreation; the service runs on every start anyway

Dockerfile: add -e SMB_SCAN_PASSWORD and -p 445:445 to the quick-test comment

ansipa-fetch-alerts.sh: replace $NEW && log with [[ "$NEW" == true ]] && log
  to avoid set -e ambiguity with the 'false' builtin

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:13:53 +02:00
Amir Alexander Abdelbaki 11e66dbddd feat(freeipa): scan result reporting, alert notifications, and SMB share
Container (ansipa image):
- Add samba + cronie to Dockerfile; expose ports 445/139
- ansipa-smb-setup.sh: idempotent setup of smbd + scanupload user +
  /data/scan-results/{archive,alerts}/ on every container start
- ansipa-smb.service: runs setup before smb.service on each boot
- ansipa-check-scans.sh: hourly cron on server; analyses archive logs for
  ClamAV/rkhunter/chkrootkit findings and writes <host>/<date>.alert files
- docker-compose.yml: add SMB_SCAN_PASSWORD env var + port mappings
- .env.example: document SMB_SCAN_PASSWORD

Client (policy-security-scan):
- Scan script now uploads log to //ipa-server/ansipa-scans/archive/<host>/
  via smbclient after each run

Client (policy-scan-notify — new policy group):
- ansipa-fetch-alerts.sh: root timer (10 min) downloads alerts from SMB into
  ~/administration/<hostname>/ for each active login session; deletes server
  alert when user removes local file (acknowledgment)
- ansipa-scan-notify.sh: user daemon started via /etc/profile.d/ansipa-notify.sh;
  sends notify-send every 10 min while *.alert files remain in ~/administration/
- deploy-ansipa-policies.yml: installs samba-client, deploys SMB creds file
  (/etc/ansipa-smb.creds, 0600), and deploys both notification scripts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 12:32:21 +02:00
Amir Alexander Abdelbaki fb8ca498ef feat(freeipa): add AppArmor deny profiles to binary blocking policy
Binary blocking now applies two layers:
  1. PATH-priority wrapper in /usr/local/bin/ (existing)
  2. Empty AppArmor profile in /etc/apparmor.d/ loaded in enforce mode

An empty AppArmor profile denies all access — the blocked binary cannot
load shared libraries and exits immediately with a permission error,
covering callers that use absolute paths and bypassed the wrapper.

AppArmor layer is skipped silently when apparmor_parser is not present,
and deferred with a warning if the real binary is not yet installed.
Profiles are unloaded and deleted when the host leaves the policy group.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 12:00:55 +02:00
Amir Alexander Abdelbaki 45fd7e5d36 feat(freeipa): add policy enforcement for binary blocking, backups, scans, and sudo
Introduces a FreeIPA host-group-driven policy system alongside a sudo
rules management playbook:

- ansipa-enforce-policies.sh: client-side enforcer (systemd timer, 30 min)
  - policy-block-binary-<name>: PATH-priority wrapper blocks the binary
  - policy-timeshift-backup: daily Timeshift snapshot cron (03:00)
  - policy-security-scan: daily ClamAV/rkhunter/chkrootkit cron (02:00)
  Policies are reversible — leaving a group removes enforcement on next run.

- deploy-ansipa-policies.yml: deploys enforcer + systemd service/timer to clients

- manage-sudo-rules.yml: creates FreeIPA sudo rules (allow_sudoers,
  allow_sudo_nopasswd) that SSSD clients already pick up via --sudo enrollment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 11:34:09 +02:00
Amir Alexander Abdelbaki da0a9e7a32 fix(archiso): move user input before partitioning, fall back to bash on exit
Keymap selection was unreachable because user input ran after pacman/partition
steps that could fail under set -e. Move the entire user input block (kernel,
hostname, username, encryption, keymap) to before lsblk and drive selection.
Also remove the redundant live-env keymap section (launch.sh handles that).

Drop exec from .zlogin so quitting the installer returns to a bash shell
instead of ending the session.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 07:20:14 +02:00
Amir Alexander Abdelbaki f08aa29c7a feat(archiso): add keymap selection to launch.sh, default de-latin1-nodeadkeys
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 00:18:54 +02:00
Amir Alexander Abdelbaki 6ccc91303f fix(setup): port KEYMAPS+vconsole support to auto-installer and answerfile generator
arch-autoinstall.sh was missing the keymap handling added to the guided
installer in the previous two commits, so booting the ISO in auto mode
(answerfile embedded) never called loadkeys and left the installed system
with no /etc/vconsole.conf.

- Add the same KEYMAPS array + selection logic to arch-autoinstall.sh
  (AF mode reads .keymap, interactive mode prompts)
- Call loadkeys and export KEYMAP into the chroot
- Write /etc/vconsole.conf inside the chroot
- Add keymap dialog to generate-answerfile.sh so the field is populated
- Document .keymap in the arch-autoinstall.sh answerfile field list

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 00:01:19 +02:00
Amir Alexander Abdelbaki 77c3e1def8 feat(setup): replace hardcoded loadkeys with a KEYMAPS-array menu
Both the live-environment prompt and the installed-system prompt now
loop over a single KEYMAPS array, so adding a new layout is a
one-line change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 23:37:01 +02:00
Amir Alexander Abdelbaki 58de8fac1b chmod setup/archiso/build.sh
2026-05-19 23:19:53 +02:00
Amir Alexander Abdelbaki ef599a111e feat(setup): add keymap selection dialog to guided installer
Prompts for us/de keymap interactively; reads .keymap from answerfile in unattended mode. Writes /etc/vconsole.conf in chroot.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 23:18:50 +02:00
Amir Alexander Abdelbaki 9e541eb21b fix(archiso): chown work and output dirs back to user after mkarchiso
sudo mkarchiso leaves files owned by root, causing rm -rf to fail on re-runs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 22:24:25 +02:00
Amir Alexander Abdelbaki 278ffb4a5a feat(archiso): auto-start guided installer on boot, use answerfile for unattended mode
.zlogin execs .automated_script.sh on login, which checks for /answerfile.json;
if present it runs the auto installer (passing the path), otherwise launches the
guided installer directly — no manual invocation needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 22:20:30 +02:00
Amir Alexander Abdelbaki 33934f633d feat(setup): add anti-malware module with freshclam cron job
Adds clamav, clamtk, rkhunter, chkrootkit and installs a twice-daily
/etc/cron.d/freshclam entry for automatic virus definition updates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 19:58:35 +02:00
Amir Alexander Abdelbaki 820a12616c fixed theming issues
2026-05-19 14:39:29 +02:00
Amir Alexander Abdelbaki 3a49ab44d9 feat(qt,gtk): overhaul theming — qt6ct style plugin, dark palette, GTK color-scheme
Qt: replace QT_STYLE_OVERRIDE/QT_STYLE_SHEET env vars with QT_QPA_PLATFORMTHEME=qt6ct +
QT_QUICK_CONTROLS_STYLE=Fusion; add cyberqueer Qt6 style plugin (QProxyStyle wrapping
Fusion with hardcoded dark palette); enable custom_palette in qt6ct.conf so qt6ct applies
the dark QPalette directly for both Qt Widgets and Qt Quick apps.

GTK: fix dark mode not applying — set gtk-application-prefer-dark-theme=1 in GTK3
settings.ini; add gsettings color-scheme=prefer-dark to install script (required by
libadwaita apps which ignore gtk-theme-name); add index.theme so the theme is recognized
by GTK theme discovery.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 13:43:13 +02:00
Amir Alexander Abdelbaki cfb949dff3 timeshift installer module
2026-05-19 11:49:25 +02:00
Amir Alexander Abdelbaki 690b8ec217 fix(nvim): place airline cyberqueer theme inside rtp so it is auto-discovered
airline#themes#cyberqueer#palette was undefined because the theme file was
being copied under the wrong name (cyberqueer-airline.vim instead of
cyberqueer.vim). Fixed by adding the file at the proper rtp-relative path
nvim/autoload/airline/themes/cyberqueer.vim — picked up automatically via
the ~/.config/nvim symlink, no extra copy step needed. Removed the now-
redundant manual cp from shell-setup.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 08:59:50 +02:00
Amir Alexander Abdelbaki 20cf670adb feat(nvim): convert config to Lua with lazy.nvim
Renames nvim/ → nvim.old/ (preserving init.vim + incomplete prior attempts)
and creates a fresh nvim/ with init.lua. All settings, keymaps, and plugin
declarations are converted from VimScript to Lua idioms. Plugin manager
migrated from vim-plug to lazy.nvim, which self-bootstraps on first launch.

shell-setup.sh updated to drop the vim-plug curl install; the symlink and
airline theme copy are retained (path updated for lazy's data directory).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 08:56:43 +02:00
Amir Alexander Abdelbaki b629697ddd feat: add hyprlua config set and migrate hyprland envvars to dedicated file
Duplicates desktopenvs/hyprland/ as desktopenvs/hyprlua/ and converts all
Hyprland-specific configs (.conf) to Lua (.lua) using the 0.55+ hl.* API:
hyprland.lua, envvars.lua, monitors.lua, input.lua, autostart.lua,
windowrules.lua, binds.lua. Non-Hyprland tool configs (hyprpaper, hyprlock,
hypridle, hyprtoolkit) remain as .conf. Adds hyprlua.sh installer (user-side
.lua files install to ~/.config/hypr/ for require() resolution) and registers
HyprLua as the recommended DE option in tui-install.sh, marking the old
hyprlang-based Hyprland install as legacy.

Also consolidates hyprland (legacy) env vars into hypr-usr/envvars.conf,
removing duplicates from hyprland.conf and monitors.conf.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 08:50:23 +02:00
Amir Alexander Abdelbaki f1ea6dcb54 ansible: add collect-luks-keys playbook for LUKS backup key archival
New playbook collect-luks-keys.yml connects to all enrolled FreeIPA
clients, checks for /_LUKS_BACKUP_KEY (placed there by the installer
when encryption is enabled), and fetches each key to the Ansible
controller as luks-keys/<HOSTNAME>_LUKS_BACKUP_KEY (mode 0400).

Hosts without the file are reported but not treated as errors.
The luks-keys/ store directory is created with mode 0700.

Usage:
  ansible-playbook -i inventory collect-luks-keys.yml

Can be scheduled via cron on the controller for automatic collection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 15:25:05 +02:00
Amir Alexander Abdelbaki b5a3b46c79 setup: add answerfile system for fully automated installs
tui-install.sh:
  - Reads /answerfile.json if present (ANSWERFILE_MODE)
  - All dialog selections (components, DE, apps) sourced from file
  - Hostname from answerfile gets MAC address suffix appended to
    prevent conflicts when deploying one image to multiple machines
  - Interactive hostname inputbox added to the normal TUI flow
  - Colorway dialog added as final step; skipped if no colors differ
    from defaults and no answerfile colors are set
  - Answerfile mode: runs non-interactively, logs warnings on failure

generate-answerfile.sh (new):
  - Dry-runs the full installer dialog flow (OS + dotfiles)
  - Writes selections to ~/answerfile.json (or a given path)
  - No software is installed; passwords are never written to the file

build.sh:
  - New --preconf [FILE] flag embeds an answerfile into the ISO at
    /answerfile.json; omitting the flag leaves the ISO clean
  - Validates JSON with jq if available before embedding
  - Reworked arg parsing to handle the new flag alongside OUT_DIR

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 15:24:47 +02:00
Amir Alexander Abdelbaki e25dd231cb installer: add no-encryption option and auto LUKS backup key
Both arch-autoinstall.sh and archbaseos-guided-install.sh now ask
whether to enable disk encryption. If skipped, btrfs is formatted
directly on the root partition with an appropriate plain GRUB cmdline
(root=UUID=... rootflags=subvol=@).

When encryption is chosen, a 64-byte random key is generated, enrolled
as a second LUKS keyslot, and written to /_LUKS_BACKUP_KEY inside the
new system (mode 400, root-owned, inside the encrypted container).

Also fixes: duplicate 'encrypt' hook in original mkinitcpio HOOKS
strings, missing KERNEL export into arch-autoinstall chroot heredoc.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 15:24:29 +02:00
Amir Alexander Abdelbaki 19b31859f6 archiso: use HOME instead of /tmp for build and output dirs
/tmp in WSL is a RAM-backed tmpfs that fills up during the build,
leaving xorriso with no room to write the ISO.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 14:33:01 +02:00
Amir Alexander Abdelbaki d05eb3ad89 setup: add browser/IDE modules and lynx to core packages
New optional modules (browsers): chromium, firefox, zen-browser,
nyxt, librewolf, min-browser.
New optional modules (editors/IDEs): vscodium, zed, geany,
codeblocks, kate.
Add lynx to default core packages.

All 11 modules wired into both install-modules.sh and tui-install.sh
(the archiso-embedded installer) with consistent count_steps,
checklist, summary, and dispatch entries. Every module path verified
to exist; all scripts pass bash -n syntax check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 14:23:43 +02:00
Amir Alexander Abdelbaki ecd272cdce archiso: make WORK_DIR and OUT_DIR overridable via env vars
/tmp fills up during large builds; allow redirecting both dirs without
editing the script (WORK_DIR=~/iso-work ./build.sh ~/iso-out).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 14:11:50 +02:00
Amir Alexander Abdelbaki 39f31f9d46 setup: check network connectivity before installer and launch nmtui if offline
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 13:35:24 +02:00
Amir Alexander Abdelbaki 089841f5d3 archiso: fix deprecated boot modes and grub/systemd-boot conflict
Replace five deprecated boot mode names with the canonical 'bios.syslinux'
and 'uefi.systemd-boot', removing the ia32 grub mode that required grub
installed and conflicted with systemd-boot.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 13:29:58 +02:00
Amir Alexander Abdelbaki 86cf9b954f setup: add dust to core packages and POV-Ray to blender module
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 12:17:56 +02:00
Amir Alexander Abdelbaki ae58b798b9 setup: add classic unix/linux cli utilities to core packages
Add bc, dmidecode, dosfstools, e2fsprogs, fzf, git, hdparm, lshw, lsof,
openbsd-netcat, parted, ripgrep, rsync, strace, sysstat, tmux, and whois —
utilities that ship by default on most distros or are now effectively standard.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 12:12:09 +02:00
Amir Alexander Abdelbaki 32a84e8edf setup: move DE selection to its own TUI screen
Remove the 'de' checkbox from the component checklist and always show
the desktop environment menu as a dedicated step between component and
app selection. Choosing 'none' or pressing Esc skips DE installation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 12:05:25 +02:00
Amir Alexander Abdelbaki 9cde41ddde setup: add KDE Plasma, GNOME, COSMIC, XFCE, LXQt DE modules
Each script installs the DE meta-package, an appropriate display manager,
PipeWire audio, NetworkManager, Bluetooth, and Flatpak, then enables the
relevant services (sddm/gdm/lightdm/cosmic-greeter).

COSMIC falls back to sddm if cosmic-greeter is not installed.

tui-install.sh: DE menu expanded from 3 to 8 entries (height 20×70).
install-modules.sh: DEs added to checklist, summary, and dispatch so
they can be installed standalone on an existing system.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:59:31 +02:00
Amir Alexander Abdelbaki fb9893504c setup: add FreeIPA Flatpak group installer (fp_install_* groups)
IPA group naming: fp_install_org__mozilla__firefox (dots encoded as __)
Decoding: sed strips prefix, then s/__/./g restores the Flatpak app ID.
Single underscores in app IDs are preserved unambiguously.

ansipa-install-flatpaks.sh:
- kinit with host keytab, queries ipa group-find --pkey-only with awk $NF
- Validates decoded ID against reverse-domain regex before installing
- Ensures flathub system remote exists
- System-scope install (flatpak install --system) since service runs as root
- Timer offset to 4 min (after packages at 2 min) to avoid contention

deploy-ansipa-install.yml updated to deploy the Flatpak script, service,
and timer alongside the existing package installer.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:52:27 +02:00
Amir Alexander Abdelbaki f34d90f1a8 setup: add dialog TUI to freeipa-client module for enrollment
Presents a Cyberqueer-themed menu after package install:
- Answerfile: prompts for path (defaults to FreeipaAnsible/freeipa-client-answerfile.json),
  offers to create one with defaults if it doesn't exist
- Manual: dialog inputboxes for domain, realm, server, hostname, principal,
  passwordbox for the admin password, yes/no for mkhomedir/sudo/dns/fido2
- Skip: prints post-install hints

Falls back to ipa-client-install directly if freeipa-client.sh is not
available (standalone install outside the dotfiles repo).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:45:04 +02:00
Amir Alexander Abdelbaki c51af40fce setup: add freeipa-client module and FreeIPA group-based module automation
- Add freeipa-client module (sssd, cyrus-sasl-gssapi, freeipa-client AUR)
  with post-install enrollment hints; wired into tui-install.sh and
  install-modules.sh
- Add ansipa-install-modules.sh: reads IPA host groups named
  ansipa-module-<name>, applies matching module scripts via a yay wrapper
  that drops to ANSIPA_USER so AUR builds work from the root service
- Add ansipa-install-modules.service + .timer (boot + 30 min)
- Add deploy-ansipa-modules.yml Ansible playbook that deploys scripts,
  writes /etc/ansipa-modules.conf, and enables the timer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:40:51 +02:00
Amir Alexander Abdelbaki 9e708556d5 setup: replace proxmox-vm target with proxmox-lxc in image builder
The previous proxmox-vm target (virt-customize + QCOW2) is replaced with
a proper Proxmox LXC CT template builder:

- Exports container rootfs as .tar.zst (same mechanism as the lxc target)
- Asks for CT ID, storage, bridge, memory, cores, disk size
- Generates pve-ct-<VMID>.conf with the required FreeIPA LXC options:
    unprivileged: 0
    lxc.apparmor.profile: unconfined
    lxc.cap.drop:
    lxc.mount.auto: proc:rw sys:rw cgroup:rw
    lxc.cgroup2.devices.allow: a
- Generates proxmox-lxc-setup.txt with the full 6-step setup guide
  (upload, pct create, apply LXC opts, set env vars, start, Keycloak)
- Optionally uploads template + conf to Proxmox host via SCP if a
  host is provided

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:27:50 +02:00
Amir Alexander Abdelbaki f66775ce54 setup: add FreeIPA image builder and Keycloak integration
freeipa-image-builder.sh: TUI chooser that builds a FreeIPA server image
and exports it to four target formats:
  docker      — builds via podman/docker, optional registry push
  lxc         — exports container rootfs as .tar.zst Proxmox CT template,
                 generates pct import instructions
  proxmox-vm  — downloads Rocky/Fedora cloud image, customizes with
                 virt-customize, outputs QCOW2 + cloud-init user-data.yml
  oci-archive — skopeo OCI tarball for air-gapped import

Keycloak TUI option generates the full constellation:
  docker-compose.yml   FreeIPA + Keycloak + PostgreSQL stack
  .env                 pre-filled env template (passwords placeholder)
  keycloak-configure.sh  post-start Keycloak REST API config script

image/Dockerfile: Fedora 41 + freeipa-server-dns + ansible-core,
systemd-enabled container (CMD /sbin/init).

image/ipa-first-boot.{sh,service}: systemd oneshot that runs
ipa-server-install on first container/VM boot from env vars
(IPA_DOMAIN, IPA_ADMIN_PASSWORD, IPA_DM_PASSWORD, and optionals).
ConditionPathExists=!/etc/ipa/default.conf makes it idempotent.

image/keycloak-configure.sh: Keycloak REST API automation that:
  - waits for Keycloak readiness
  - creates a realm
  - wires FreeIPA LDAP user federation (READ_ONLY, vendor=rhds)
  - adds attribute mappers: email, firstName, lastName, uidNumber
  - adds group mapper (IPA groups → Keycloak groups, cn=groups,cn=accounts)
  - triggers an initial full user sync

image/docker-compose.yml: freeipa + postgres + keycloak services on
a private 172.30.0.0/24 bridge; FreeIPA has a fixed IP so Keycloak
can resolve it via extra_hosts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:22:48 +02:00
Amir Alexander Abdelbaki 7279a781b0 setup: add FreeIPA server module and generic client script
freeipa-server.sh: interactive installer that collects domain, realm,
IP, admin/DM passwords, DNS, KRA, NTP, and AWX/Ansible settings;
runs conflict pre-flight (checks for existing named/dirsrv/krb5kdc,
ports 389/636/88, and /etc/ipa/default.conf); configures firewalld/ufw;
runs ipa-server-install; and outputs a ready-to-distribute client
package to ~/freeipa-output/ containing:
  - freeipa-enroll.sh (server defaults baked in)
  - freeipa-client.sh (server defaults baked in)
  - freeipa-client-answerfile.json (pre-filled, password intentionally blank)
  - auto-enroll-ansible.sh (AWX defaults embedded, still overridable)
  - README.txt

freeipa-client.sh: thin wrapper around freeipa-enroll.sh with three modes:
  --answerfile FILE   read JSON with jq, build args, exec freeipa-enroll.sh
  --interactive       prompt for every field, then exec freeipa-enroll.sh
  [flags]             passthrough directly to freeipa-enroll.sh

freeipa-client-answerfile.json: template with current server defaults
(freeipa.abdelbaki.eu); freeipa-server.sh sed-replaces these when
generating customized copies.

Supported server OS: RHEL/Rocky/AlmaLinux/Fedora (primary), Arch (warned).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:12:31 +02:00
Amir Alexander Abdelbaki 36a938c3ec setup: add Open WebUI module
Installs open-webui from AUR and enables open-webui.service.
Serves the browser UI at http://localhost:8080; Ollama module
should be installed first for full LLM backend functionality.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:01:20 +02:00
Amir Alexander Abdelbaki 36366a623b setup: remove podman and cockpit from core-packages
podman, podman-compose, cockpit, cockpit-files, cockpit-podman all have
dedicated optional modules — no reason to install them on every system.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 10:54:47 +02:00
Amir Alexander Abdelbaki 5455a26a28 setup: add ollama and llama.cpp modules
ollama.sh: installs from official repos, enables ollama.service, notes
GPU sharing caveat with llama.cpp. For NVIDIA/AMD GPU variants use
ollama-cuda or ollama-rocm from AUR instead.

llama-cpp.sh: standalone inference CLI and server via yay (covers both
official repos and AUR). Both modules coexist at the package level;
docker/podman/cockpit modules confirmed conflict-free (all use --needed,
podman+cockpit base packages already in core-packages.sh).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 10:53:12 +02:00
Amir Alexander Abdelbaki b9b32c59c4 setup: add Claude Code module
Installs @anthropic-ai/claude-code via npm, sourcing nvm if npm is not
already in PATH. Wired into tui-install.sh and install-modules.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 10:46:13 +02:00
Amir Alexander Abdelbaki 00e6d245ae setup: add 17 optional modules, expand core packages, add install-modules entrypoint
New modules: networking-cli (nmap/nethogs/mitmproxy/httpie), disk-recovery
(ddrescue/f3), himalaya, gnuplot, povray, blender, toot, db-clients
(pgcli/mycli), mysql (mariadb), productivity (taskwarrior/watson/jrnl),
yt-dlp, sox, imagemagick, ffmpeg-extras, localtunnel, butter, tlp.

core-packages: add fdupes, tldr, onefetch; move networking analysis tools
(nmap, mtr, net-tools, ipcalc, tcpdump, traceroute) to networking-cli module.

tui-install: expand checklist to 34 optional modules with full count/summary/
dispatch coverage.

install-modules.sh: standalone TUI entrypoint to install any optional module
on an already-configured system.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 10:41:47 +02:00
Amir Alexander Abdelbaki 15d78aece3 setup: add croc to optional apps; fix shell match in tui summary
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 03:03:01 +02:00
Amir Alexander Abdelbaki 562704139b setup: add ssh-server, docker, podman, cockpit optional modules; add less to pacstrap
- New optional modules: ssh-server (openssh, key auth hardened), docker
  (+ compose, docker group), podman (rootless, buildah, skopeo, lingering),
  cockpit (+ cockpit-machines, cockpit-podman, cockpit-navigator via AUR)
- openssh added to archiso packages.extra for live-env SSH access
- less added to pacstrap base install
- tui-install.sh wired up for all four new modules (checklist, count,
  summary, run); dialog dimensions bumped to fit 17 items

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 15:54:13 +02:00
Amir Alexander Abdelbaki ca792049f0 archiso: clone dotfiles into /etc/skel and add XDG user dirs
Populate /etc/skel with the Dotfiles repo and standard XDG directories
(Desktop, Documents, Downloads, Music, Pictures, Public, Templates, Videos)
before useradd -m, so the new user's home is fully set up at creation time.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 14:52:01 +02:00
Amir Alexander Abdelbaki 76b1a0160f privacy: remove hardcoded username and AWS signed URL
Replace all /home/themiro/ path references with $HOME equivalents
across .zshrc, monitorhandler.sh (now derives path from script
location), gtk bookmarks, spicetify config, ulauncher generated CSS,
and nvim init.lua.old.

Delete commented-out AWS signed URL with embedded credentials from
setup/deprecated/hyprland.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 14:17:48 +02:00
Amir Alexander Abdelbaki a56d27888c setup: add archiso profile and run tui-install inside chroot
- Add setup/archiso/ with build.sh, releng overlay, motd, and
  install-arch launcher command for the live ISO
- Fix cryptroot mapper name in arch-autoinstall.sh (was 'root',
  breaking all subsequent mounts)
- Add base-devel to pacstrap in both installers (required for yay/makepkg)
- Clone dotfiles inside chroot so tui-install.sh is available immediately
- After base install, offer to run tui-install.sh as the regular user
  inside the chroot via runuser, with a temporary NOPASSWD sudoers rule;
  skip option available for base-only installs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 13:46:49 +02:00
Amir Alexander Abdelbaki 8a82fca269 setup: fix pamtester/pinta/kew package source categorization
pamtester and pinta are AUR-only; kew is now in the extra repo.
Move them to the correct install commands across audit-packages.sh,
core-packages.sh, and hyprland.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 19:45:33 +02:00
Amir Alexander Abdelbaki 0c319b4286 audit-packages: add --fix flag to reinstall wrong-source packages
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 19:38:12 +02:00
Amir Alexander Abdelbaki 4d797c537d amssh: fix FIDO2 auth; add pamtester to core; add package audit script
- amssh: use dedicated /etc/pam.d/amssh service instead of login (pam_u2f
  was commented out in login); auto-create service and register key on
  first-launch FIDO selection
- amssh: redirect pamtester stdout+stderr to /dev/tty so the tap prompt is
  visible and the success message doesn't contaminate pass=$(_get_passphrase)
- amssh: split _fido_pam_available into _fido_hardware_available (for dialog
  gating) and _fido_pam_available (runtime — requires keys file + PAM service)
- setup: add pamtester to core-packages.sh
- setup: add audit-packages.sh to verify installed packages come from the
  expected source (pacman/AUR/flatpak)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 19:09:38 +02:00
Amir Alexander Abdelbaki bdc5b55c57 setup: expand apps list, fold nettools into core, fix hyprland packages
Apps (new individual scripts):
  wireshark, localsend, onlyoffice, vintagestory

core-packages.sh: add nmap mtr tcpdump net-tools iputils ipcalc
  (bind + traceroute were already present; wireshark is now optional)

hyprland.sh:
  - pinta moved from yay to pacman (available in extra)
  - localsend removed from mandatory yay install (now an optional app)

Deprecate nettools.sh — all its packages are now in core or split out.

tui-install.sh: apps checklist gains wireshark, localsend, onlyoffice,
  vintagestory; drops nettools; dialog sized for 12 items.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 15:46:30 +02:00
Amir Alexander Abdelbaki 17bfa0e884 setup: add per-app install scripts and TUI apps phase
Break up gaming-packages.sh and network-developer-packages.sh into
individual scripts under optional-Modules/apps/:
  steam, vesktop (+ Vencord config), spotify (+ Spicetify config),
  prismlauncher, nettools, k8s

tui-install.sh:
  - Simplify component checklist to 5 items: pkg/core/svc/shell/de
  - Add dedicated "Applications" checklist phase after DE selection,
    covering all 9 optional apps independently
  - count_steps accounts for each selected app as a separate step
  - Confirmation summary shows components and apps in separate sections

install.sh: replace unconditional bundle calls with commented-out
  individual app lines (opt-in)

Deprecate gaming-packages.sh and network-developer-packages.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 15:25:50 +02:00
Amir Alexander Abdelbaki 670637f805 sway.sh: separate shell from DE, add config copy loop
- Remove all shell components (zsh, oh-my-zsh, starship, dotfile
  symlinks) — shell-setup.sh covers these and can now run independently
  of any DE selection
- Replace ln -sf DE config links with a CONFIGS copy loop (consistent
  with hyprland.sh)
- Add colors.conf and apply-theme.sh to the config deployment section
- Drop packages already handled by core/shell modules (base, git, yay,
  micro, nano, zsh, fastfetch, etc.)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 15:06:17 +02:00
Amir Alexander Abdelbaki 0477c979e3 setup: housekeeping — rename, deprecate, fix refs
- Desktop-Enviroments/ → Desktop-Environments/ (fix typo)
- hyprland-new.sh → hyprland.sh (drop -new suffix now that it's the only installer)
- Move old symlink-based hyprland.sh to deprecated/
- Move aur-yay.sh to deprecated/ (superseded by package-managers.sh)
- Delete binary blobs: Nordzy-cursors-lefthand.tar.gz, fastfetch-linux-amd64.deb.1.old
- install.sh: fix broken shell.sh ref → shell-setup.sh; update DE paths
- tui-install.sh: update DE paths to match new names

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 15:02:25 +02:00
Amir Alexander Abdelbaki de28a2319c sway.sh: copy apply-theme.sh to ~ at install
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 14:28:29 +02:00
Amir Alexander Abdelbaki 3f813b91e5 sway.sh: copy colors.conf instead of symlinking
Consistent with hyprland installers — prevents apply-theme.sh from
writing through a symlink back into the git repo.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 14:26:51 +02:00
Amir Alexander Abdelbaki 3b6e0cfff0 add apply-theme.sh and colors.conf; copy both at install
- New apply-theme.sh: reads colors.conf, diffs against saved state,
  applies changed hex values across all 26 theme files via sed.
  Refuses to run when any deployed config is symlinked back to ~/Dotfiles
  to prevent theme changes from propagating into the git repo.
- New colors.conf: editable color source with the default CyberQueer palette.
- hyprland.sh + hyprland-new.sh: copy colors.conf to ~/.config/ and
  apply-theme.sh to ~/ at install (instead of symlinking colors.conf).
- sway.sh: wire colors.conf into the sway install path.
- doc/colorcodes.md: rewritten as structured color reference with format table.

Theme source files in the repo are unchanged from upstream (E40046 palette).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 14:25:57 +02:00
Amir Alexander Abdelbaki c4b9c5bf92 add config-updater: config-driven update script with manifest
Replaces the hardcoded inline-generated ~/update-hypr-configs.sh with
a proper dotfiles-resident script + config file:

  config-updater/update-configs.sh  — reads updater.conf, applies
    configs, warns about untracked source items and manifest drift
  config-updater/updater.conf       — declares config/flat/ignore
    entries and SOURCE_BASE; hypr-usr is flat (contents → ~/.config/)

hyprland-new.sh step 15 now symlinks both into place instead of
generating a hardcoded script inline. The output is renamed from
~/update-hypr-configs.sh to ~/update-configs.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 09:46:02 +02:00
Amir Alexander Abdelbaki 13a1b6cff4 hyprland-new: add missing packages found in configs
Pacman: hyprpolkitagent (autostart), pavucontrol (Super+S / eww / waybar),
playerctl (media keys + scripts), wf-recorder (screenrec.sh),
sound-theme-freedesktop (timer-run alarm sound)

AUR: wofi-calc (Super+Alt+F), bri (brightness keys), chamel (annotation binds)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 09:29:43 +02:00
Amir Alexander Abdelbaki 9d2ae9f15e setup: fix module scripts and add TUI installer
Module fixes across the board:
- package-managers.sh: add sudo, --noconfirm, idempotency guards for
  yay/rustup/nvm, mkdir -p, remove stale version comments
- core-packages.sh: add --noconfirm --needed, remove invalid 'nvim'
  package name, deduplicate ~15 repeated entries
- shell-setup.sh: move color vars to top (were defined after use, RESET
  never defined), RUNZSH=no CHSH=no for oh-my-zsh (was spawning new
  shell and halting script), --yes for starship installer
- hyprland-new.sh: mkdir -p before cd, ln -sf for xdg-terminal-exec and
  ssh-askpass, remove flatpak-system-helper enable, comment out hyprpm
  and WallRizz -w (require live session), mkdir -p ~/Pictures, add
  walker-bin/ulauncher to yay installs, --noconfirm on yay
- sway.sh: fix gitgreetd-tuigreet typo, --noconfirm --needed, yay
  idempotency, rm -f for bashrc/zshrc, ln -sf everywhere, mkdir -p for
  spotify-tui, remove hard reboot, RUNZSH=no/--yes for shell tools
- gaming-packages.sh: add missing shebang, --noconfirm, flatpak -y
- network-developer-packages.sh: --noconfirm --needed, fix inline comment
- zfs.sh / wprs.sh: add yay --noconfirm flags
- All scripts: set -euo pipefail

New: setup/tui-install.sh — dialog-based TUI installer with Cyberqueer
theme, component checklist, DE submenu, step counter, and per-module
error handling

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-08 10:27:43 +02:00
Amir Alexander Abdelbaki e50cb5dc50 cleanup: archive deprecated configs, remove logs and merge artifacts
- Move old hypr/kitty/xfce4 configs into deprecated/ folders
- Move proto scripts into scripts/deprecated/
- Consolidate loose .old installer into setup/deprecated/
- Rename broken symlinks (old themiro home path) to .old
- Rename duplicate .deb.1 and .bak files to .old for consistency
- Delete btop.log, nohup.out (gitignore matches), thunar merge conflict files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-08 10:13:12 +02:00
Amir Alexander Abdelbaki 3890d360d6 Update setup/modules/FreeipaAnsible/copilot-explains.txt
2026-04-27 17:00:37 +02:00
Amir Alexander Abdelbaki 16732cc17c Add setup/modules/FreeipaAnsible/copilot-explains.txt
2026-04-27 16:59:36 +02:00
Amir Alexander Abdelbaki 6dbeca2bde Add setup/modules/FreeipaAnsible/ansible/ansipa-install-packages.sh
2026-04-27 16:44:59 +02:00
Amir Alexander Abdelbaki 9daf10888c Add setup/modules/FreeipaAnsible/ansible/deploy-ansipa-install.yml
2026-04-27 16:44:36 +02:00
Amir Alexander Abdelbaki 244d7385eb Add setup/modules/FreeipaAnsible/ansible/ansipa-install.timer
2026-04-27 16:44:18 +02:00
Amir Alexander Abdelbaki a2f3a03547 Add setup/modules/FreeipaAnsible/ansible/ansipa-install.service
2026-04-27 16:44:01 +02:00
Amir Alexander Abdelbaki 64af45d300 Add setup/modules/FreeipaAnsible/ansible/deploy-baseuser-sync.yml
2026-04-27 16:39:34 +02:00
Amir Alexander Abdelbaki 7d96df03ac Add setup/modules/FreeipaAnsible/ansible/baseuser-sync.path
2026-04-27 16:39:11 +02:00
Amir Alexander Abdelbaki f34cbd83b9 Add setup/modules/FreeipaAnsible/ansible/baseuser-sync.service
2026-04-27 16:38:37 +02:00
Amir Alexander Abdelbaki d927eb8904 Update setup/modules/FreeipaAnsible/auto-enroll-ansible.sh
2026-04-27 16:38:02 +02:00