New optional modules (browsers): chromium, firefox, zen-browser,
nyxt, librewolf, min-browser.
New optional modules (editors/IDEs): vscodium, zed, geany,
codeblocks, kate.
Add lynx to default core packages.
All 11 modules wired into both install-modules.sh and tui-install.sh
(the archiso-embedded installer) with consistent count_steps,
checklist, summary, and dispatch entries. Every module path verified
to exist; all scripts pass bash -n syntax check.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Presents a Cyberqueer-themed menu after package install:
- Answerfile: prompts for path (defaults to FreeipaAnsible/freeipa-client-answerfile.json),
offers to create one with defaults if it doesn't exist
- Manual: dialog inputboxes for domain, realm, server, hostname, principal,
passwordbox for the admin password, yes/no for mkhomedir/sudo/dns/fido2
- Skip: prints post-install hints
Falls back to ipa-client-install directly if freeipa-client.sh is not
available (standalone install outside the dotfiles repo).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add freeipa-client module (sssd, cyrus-sasl-gssapi, freeipa-client AUR)
with post-install enrollment hints; wired into tui-install.sh and
install-modules.sh
- Add ansipa-install-modules.sh: reads IPA host groups named
ansipa-module-<name>, applies matching module scripts via a yay wrapper
that drops to ANSIPA_USER so AUR builds work from the root service
- Add ansipa-install-modules.service + .timer (boot + 30 min)
- Add deploy-ansipa-modules.yml Ansible playbook that deploys scripts,
writes /etc/ansipa-modules.conf, and enables the timer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous proxmox-vm target (virt-customize + QCOW2) is replaced with
a proper Proxmox LXC CT template builder:
- Exports container rootfs as .tar.zst (same mechanism as the lxc target)
- Asks for CT ID, storage, bridge, memory, cores, disk size
- Generates pve-ct-<VMID>.conf with the required FreeIPA LXC options:
unprivileged: 0
lxc.apparmor.profile: unconfined
lxc.cap.drop:
lxc.mount.auto: proc:rw sys:rw cgroup:rw
lxc.cgroup2.devices.allow: a
- Generates proxmox-lxc-setup.txt with the full 6-step setup guide
(upload, pct create, apply LXC opts, set env vars, start, Keycloak)
- Optionally uploads template + conf to Proxmox host via SCP if a
host is provided
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
freeipa-image-builder.sh: TUI chooser that builds a FreeIPA server image
and exports it to four target formats:
docker — builds via podman/docker, optional registry push
lxc — exports container rootfs as .tar.zst Proxmox CT template,
generates pct import instructions
proxmox-vm — downloads Rocky/Fedora cloud image, customizes with
virt-customize, outputs QCOW2 + cloud-init user-data.yml
oci-archive — skopeo OCI tarball for air-gapped import
Keycloak TUI option generates the full constellation:
docker-compose.yml FreeIPA + Keycloak + PostgreSQL stack
.env pre-filled env template (passwords placeholder)
keycloak-configure.sh post-start Keycloak REST API config script
image/Dockerfile: Fedora 41 + freeipa-server-dns + ansible-core,
systemd-enabled container (CMD /sbin/init).
image/ipa-first-boot.{sh,service}: systemd oneshot that runs
ipa-server-install on first container/VM boot from env vars
(IPA_DOMAIN, IPA_ADMIN_PASSWORD, IPA_DM_PASSWORD, and optionals).
ConditionPathExists=!/etc/ipa/default.conf makes it idempotent.
image/keycloak-configure.sh: Keycloak REST API automation that:
- waits for Keycloak readiness
- creates a realm
- wires FreeIPA LDAP user federation (READ_ONLY, vendor=rhds)
- adds attribute mappers: email, firstName, lastName, uidNumber
- adds group mapper (IPA groups → Keycloak groups, cn=groups,cn=accounts)
- triggers an initial full user sync
image/docker-compose.yml: freeipa + postgres + keycloak services on
a private 172.30.0.0/24 bridge; FreeIPA has a fixed IP so Keycloak
can resolve it via extra_hosts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs open-webui from AUR and enables open-webui.service.
Serves the browser UI at http://localhost:8080; Ollama module
should be installed first for full LLM backend functionality.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ollama.sh: installs from official repos, enables ollama.service, notes
GPU sharing caveat with llama.cpp. For NVIDIA/AMD GPU variants use
ollama-cuda or ollama-rocm from AUR instead.
llama-cpp.sh: standalone inference CLI and server via yay (covers both
official repos and AUR). Both modules coexist at the package level;
docker/podman/cockpit modules confirmed conflict-free (all use --needed,
podman+cockpit base packages already in core-packages.sh).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Installs @anthropic-ai/claude-code via npm, sourcing nvm if npm is not
already in PATH. Wired into tui-install.sh and install-modules.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- New optional modules: ssh-server (openssh, key auth hardened), docker
(+ compose, docker group), podman (rootless, buildah, skopeo, lingering),
cockpit (+ cockpit-machines, cockpit-podman, cockpit-navigator via AUR)
- openssh added to archiso packages.extra for live-env SSH access
- less added to pacstrap base install
- tui-install.sh wired up for all four new modules (checklist, count,
summary, run); dialog dimensions bumped to fit 17 items
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Apps (new individual scripts):
wireshark, localsend, onlyoffice, vintagestory
core-packages.sh: add nmap mtr tcpdump net-tools iputils ipcalc
(bind + traceroute were already present; wireshark is now optional)
hyprland.sh:
- pinta moved from yay to pacman (available in extra)
- localsend removed from mandatory yay install (now an optional app)
Deprecate nettools.sh — all its packages are now in core or split out.
tui-install.sh: apps checklist gains wireshark, localsend, onlyoffice,
vintagestory; drops nettools; dialog sized for 12 items.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Break up gaming-packages.sh and network-developer-packages.sh into
individual scripts under optional-Modules/apps/:
steam, vesktop (+ Vencord config), spotify (+ Spicetify config),
prismlauncher, nettools, k8s
tui-install.sh:
- Simplify component checklist to 5 items: pkg/core/svc/shell/de
- Add dedicated "Applications" checklist phase after DE selection,
covering all 9 optional apps independently
- count_steps accounts for each selected app as a separate step
- Confirmation summary shows components and apps in separate sections
install.sh: replace unconditional bundle calls with commented-out
individual app lines (opt-in)
Deprecate gaming-packages.sh and network-developer-packages.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The_miro