From 70c042bf6a87658bf9427bec75e2a29b045730e0 Mon Sep 17 00:00:00 2001
From: Tobias Strobel
Date: Sun, 6 Mar 2022 13:34:13 +0100
Subject: [PATCH] base system setup
---
 dot_config/sway/config | 4 +-
 etc/kernel/cmdline | 1 +
 etc/mkinitcpio.conf | 2 +-
 etc/modprobe.d/i915.conf | 1 +
 etc/sudoers.d/override | 1 +
 etc/sysctl.d/20-quiet-printk.conf | 1 +
 .../system/getty@tty1.service.d/override.conf | 2 +-
 install.sh | 346 ++++++++++++++++++
 setup-system.sh | 21 +-
 setup-user.sh | 223 +++++++++++
 10 files changed, 596 insertions(+), 6 deletions(-)
 create mode 100644 etc/kernel/cmdline
 create mode 100644 etc/modprobe.d/i915.conf
 create mode 100644 etc/sysctl.d/20-quiet-printk.conf
 create mode 100644 install.sh
 create mode 100755 setup-user.sh
diff --git a/dot_config/sway/config b/dot_config/sway/config
index 6947bdf..1941c92 100644
--- a/dot_config/sway/config
+++ b/dot_config/sway/config
@@ -36,9 +36,9 @@ output * bg /usr/share/backgrounds/sway/Sway_Wallpaper_Blue_1920x1080.png fill # Example configuration: # exec swayidle -w \
- timeout 300 'swaylock -f -c d3d3d3' \
+ timeout 300 'swaylock -f -c 3c3c3c' \
 timeout 600 'swaymsg "output * dpms off"' resume 'swaymsg "output * dpms on"' \
- before-sleep 'swaylock -f -c d3d3d3'
+ before-sleep 'swaylock -f -c 3c3c3c'
 #
 # This will lock your screen after 300 seconds of inactivity, then turn off
 # your displays after another 300 seconds, and turn your screens back on when
diff --git a/etc/kernel/cmdline b/etc/kernel/cmdline
new file mode 100644
index 0000000..7e65a67
--- /dev/null
+++ b/etc/kernel/cmdline
@@ -0,0 +1 @@
+rd.luks.name=a4a8535e-cd13-4656-8de3-5394281cb369=luks rd.luks.options=fido2-device=auto root=LABEL=btrfs rootflags=subvol=root rw quiet loglevel=3 rd.udev.log_level=3 fbconf=nodefer splash vt.global_cursor_default=0 mem_sleep_default=deep
diff --git a/etc/mkinitcpio.conf b/etc/mkinitcpio.conf
index ad5428b..b24d47d 100644
--- a/etc/mkinitcpio.conf
+++ b/etc/mkinitcpio.conf
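Review bot: `rd.luks.name=a4a8535e-cd13-4656-8de3-5394281cb369=luks` ties this file to the UUID of one existing LUKS container, while install.sh in the same patch runs `cryptsetup luksFormat` without `--uuid` and setup-system.sh then copies this file into place, so a fresh install would likely boot with a UUID that matches nothing and never reach the unlock prompt. Deriving the value at install time, for example from `cryptsetup luksUUID "${part_root}"`, would keep the two in step. install.sh also still writes a `cryptdevice=PARTLABEL=primary:luks:allow-discards` line, which is the syntax of the `encrypt` hook that this patch removes from etc/mkinitcpio.conf; the `sd-encrypt` hook reads `rd.luks.*` only, so that generated line should be dropped or converted.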
@@ -1,4 +1,4 @@
 MODULES=(i915)
 BINARIES=(/usr/bin/btrfs)
 FILES=()
-HOOKS=(base consolefont udev autodetect keyboard keymap modconf block encrypt filesystems fsck shutdown)
+HOOKS=(base systemd sd-plymouth keyboard autodetect sd-vconsole modconf block sd-encrypt filesystems fsck)
diff --git a/etc/modprobe.d/i915.conf b/etc/modprobe.d/i915.conf
new file mode 100644
index 0000000..532328c
--- /dev/null
+++ b/etc/modprobe.d/i915.conf
@@ -0,0 +1 @@
+options i915 fastboot=1
diff --git a/etc/sudoers.d/override b/etc/sudoers.d/override
index 40695bb..8a29608 100644
--- a/etc/sudoers.d/override
+++ b/etc/sudoers.d/override
@@ -1 +1,2 @@
+# Allow members of group wheel to execute any command
 %wheel ALL=(ALL:ALL) ALL
diff --git a/etc/sysctl.d/20-quiet-printk.conf b/etc/sysctl.d/20-quiet-printk.conf
new file mode 100644
index 0000000..47146d2
--- /dev/null
+++ b/etc/sysctl.d/20-quiet-printk.conf
@@ -0,0 +1 @@
+kernel.printk = 3 3 3 3
diff --git a/etc/systemd/system/getty@tty1.service.d/override.conf b/etc/systemd/system/getty@tty1.service.d/override.conf
index 39574df..01be9de 100644
--- a/etc/systemd/system/getty@tty1.service.d/override.conf
+++ b/etc/systemd/system/getty@tty1.service.d/override.conf
@@ -1,3 +1,3 @@
 [Service]
 ExecStart=
-ExecStart=/usr/bin/agetty --autologin tobias --noclear %I $TERM
+ExecStart=/usr/bin/agetty --skip-login --nonewline --noissue --autologin tobias --noclear %I $TERM
diff --git a/install.sh b/install.sh
new file mode 100644
index 0000000..d109320
--- /dev/null
+++ b/install.sh
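Review bot: The new `ExecStart=` line in the getty override still hard-codes `--autologin tobias`, but install.sh in this patch creates the account from the name typed at the `Enter username` prompt, so a system installed under any other name would have tty1 trying to log in an account that does not exist. With `--skip-login --nonewline --noissue` added the console shows no prompt or banner, which makes that failure harder to recognise. Either fix the user name in install.sh or substitute it when this override is installed (presumably by setup-system.sh; the copy is not visible here). Because autologin leaves the disk unlock as the only authentication at boot, a comment in the file saying so would help the next reader, e.g. `# autologin is deliberate: the LUKS/FIDO2 unlock is the only gate on this machine`.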
@@ -0,0 +1,346 @@
+#!/usr/bin/env bash
+#
+# Arch Linux installation
+#
+# Bootable USB:
+# - [Download](https://archlinux.org/download/) ISO and GPG files
+# - Verify the ISO file: `$ pacman-key -v archlinux--x86_64.iso.sig`
+# - Create a bootable USB with: `# dd if=archlinux*.iso of=/dev/sdX && sync`
+#
+# UEFI setup:
+#
+# - Set boot mode to UEFI, disable Legacy mode entirely.
+# - Temporarily disable Secure Boot.
+# - Make sure a strong UEFI administrator password is set.
+# - Delete preloaded OEM keys for Secure Boot, allow custom ones.
+# - Set SATA operation to AHCI mode.
+#
+# Run installation:
+#
+# - Connect to wifi via: `# iwctl station wlan0 connect WIFI-NETWORK`
+# - Run: `# bash <(curl -sL https://link.rafe.li/dot)`
+#
+# WARNING: this script will destroy data on the selected disk.
+#
+
+set -uo pipefail
+trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
+
+exec 1> >(tee "stdout.log")
+exec 2> >(tee "stderr.log" >&2)
+
+export SNAP_PAC_SKIP=y
+
+# Dialog
+BACKTITLE="Arch Linux installation"
+
+get_input() {
+ title="$1"
+ description="$2"
+
+ input=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --inputbox "$description" 0 0)
+ echo "$input"
+}
+
+get_password() {
+ title="$1"
+ description="$2"
+ while : ; do
+ init_pass=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --passwordbox "$description" 0 0)
+ : "${init_pass:?dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --msgbox "Password cannot be empty.\nTry again." 0 0}"
+
+ test_pass=$(dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --passwordbox "$description again" 0 0)
+ if [[ "$init_pass" != "$test_pass" ]]; then
+ dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --msgbox "Passwords did not match.\nTry again."
0 0
+ else
+ break
+ fi
+ done
+ echo "$init_pass"
+}
+
+get_choice() {
+ title="$1"
+ description="$2"
+ shift 2
+ options=("$@")
+ dialog --clear --stdout --backtitle "$BACKTITLE" --title "$title" --menu "$description" 0 0 0 "${options[@]}"
+}
+
+
+echo -e "\n### Checking UEFI boot mode"
+if [ ! -f /sys/firmware/efi/fw_platform_size ]; then
+ echo >&2 "You must boot in UEFI mode to continue"
+ exit 2
+fi
+
+echo -e "\n### Ensure the system clock is accurate"
+timedatectl set-ntp true
+hwclock --systohc --utc
+
+echo -e "\n### Setting keyboard layout to de-latin1"
+loadkeys de-latin1
+
+echo -e "\n### Installing additional tools"
+pacman -Sy --noconfirm --needed git reflector terminus-font dialog wget
+
+echo -e "\n### HiDPI screens"
+noyes=("Yes" "The font is too small" "No" "The font size is just fine")
+hidpi=$(get_choice "Font size" "Is your screen HiDPI?" "${noyes[@]}") || exit 1
+clear
+[[ "$hidpi" == "Yes" ]] && font="ter-132n" || font="ter-716n"
+setfont "$font"
+
+hostname=$(get_input "Hostname" "Enter hostname") || exit 1
+clear
+: "${hostname:?"hostname cannot be empty"}"
+
+user=$(get_input "User" "Enter username") || exit 1
+clear
+: "${user:?"user cannot be empty"}"
+
+password=$(get_password "User" "Enter password") || exit 1
+clear
+: "${password:?"password cannot be empty"}"
+
+devicelist=$(lsblk -dplnx size -o name,size | grep -Ev "boot|rpmb|loop" | tac | tr '\n' ' ')
+read -r -a devicelist <<< "$devicelist"
+
+device=$(get_choice "Installation" "Select installation disk" "${devicelist[@]}") || exit 1
+
+clear
+
+echo -e "\n### Setting up fastest mirrors"
+reflector --country 'Germany,France,' --protocol https --sort rate --save /etc/pacman.d/mirrorlist
+
+echo -e "\n### Setting up partitions"
+umount -R /mnt 2> /dev/null || true
+cryptsetup luksClose luks 2> /dev/null || true
+
+lsblk -plnx size -o name "${device}" | xargs -n1 wipefs --all
+sgdisk --clear "${device}" --new 1::-551MiB "${device}" --new 2::0 --typecode 2:ef00 "${device}"
+sgdisk
--change-name=1:primary --change-name=2:ESP "${device}"
+
+part_root="$(ls "${device}"* | grep -E "^${device}p?1$")"
+part_boot="$(ls "${device}"* | grep -E "^${device}p?2$")"
+
+echo -e "\n### Formatting partitions"
+mkfs.vfat -n "EFI" -F 32 "${part_boot}"
+echo -n "${password}" | cryptsetup luksFormat --type luks2 --pbkdf argon2id --label luks "${part_root}"
+echo -n "${password}" | cryptsetup luksOpen --allow-discards --persistent "${part_root}" luks
+mkfs.btrfs -L btrfs /dev/mapper/luks
+
+echo -e "\n### Setting up BTRFS subvolumes"
+mount /dev/mapper/luks /mnt
+btrfs subvolume create /mnt/root
+btrfs subvolume create /mnt/home
+btrfs subvolume create /mnt/pkgs
+btrfs subvolume create /mnt/aurbuild
+btrfs subvolume create /mnt/archbuild
+btrfs subvolume create /mnt/docker
+btrfs subvolume create /mnt/logs
+btrfs subvolume create /mnt/temp
+btrfs subvolume create /mnt/swap
+btrfs subvolume create /mnt/snapshots
+umount /mnt
+
+mount -o noatime,compress=zstd,subvol=root /dev/mapper/luks /mnt
+mkdir -p /mnt/{mnt/btrfs-root,efi,home,var/{cache/pacman,log,tmp,lib/{aurbuild,archbuild,docker}},swap,.snapshots}
+mount "${part_boot}" /mnt/efi
+mount -o noatime,compress=zstd,subvol=/ /dev/mapper/luks /mnt/mnt/btrfs-root
+mount -o noatime,compress=zstd,subvol=home /dev/mapper/luks /mnt/home
+mount -o noatime,compress=zstd,subvol=pkgs /dev/mapper/luks /mnt/var/cache/pacman
+mount -o noatime,compress=zstd,subvol=aurbuild /dev/mapper/luks /mnt/var/lib/aurbuild
+mount -o noatime,compress=zstd,subvol=archbuild /dev/mapper/luks /mnt/var/lib/archbuild
+mount -o noatime,compress=zstd,subvol=docker /dev/mapper/luks /mnt/var/lib/docker
+mount -o noatime,compress=zstd,subvol=logs /dev/mapper/luks /mnt/var/log
+mount -o noatime,compress=zstd,subvol=temp /dev/mapper/luks /mnt/var/tmp
+mount -o noatime,compress=zstd,subvol=swap /dev/mapper/luks /mnt/swap
+mount -o noatime,compress=zstd,subvol=snapshots /dev/mapper/luks /mnt/.snapshots
+
+echo -e "\n### Configuring custom repo"
+mkdir
"/mnt/var/cache/pacman/${user}-local"
+
+# if [[ "${user}" == "maximbaz" && "${hostname}" == "home-"* ]]; then
+# wget -m -nH -np -q --show-progress --progress=bar:force --reject='index.html*' --cut-dirs=2 -P "/mnt/var/cache/pacman/${user}-local" 'https://pkgbuild.com/~maximbaz/repo/'
+# rename -- 'maximbaz.' "${user}-local." "/mnt/var/cache/pacman/${user}-local"/*
+# else
+ repo-add "/mnt/var/cache/pacman/${user}-local/${user}-local.db.tar"
+# fi
+
+if ! grep "${user}" /etc/pacman.conf > /dev/null; then
+ cat >> /etc/pacman.conf << EOF
+
+[${user}-local]
+Server = file:///mnt/var/cache/pacman/${user}-local
+
+[maximbaz]
+Server = https://pkgbuild.com/~maximbaz/repo
+
+[options]
+CacheDir = /mnt/var/cache/pacman/pkg
+CacheDir = /mnt/var/cache/pacman/${user}-local
+EOF
+fi
+
+echo -e "\n### Installing packages"
+kernel_packages=(
+ "linux"
+ "linux-headers"
+ "linux-lts"
+ "linux-firmware"
+ "intel-ucode"
+)
+fs_packages=(
+ "btrfs-progs"
+ "dosfstools"
+ "e2fsprogs"
+)
+network_packages=(
+ "iwd"
+ "systemd-resolvconf"
+)
+basic_packages=(
+ "man-db"
+ "man-pages"
+ "pacman-contrib"
+ "neovim"
+ "bash-completion"
+ "git"
+ "rsync"
+ "openssh"
+ "htop"
+ "fzf"
+ "sudo"
+ "pipewire"
+ "pipewire-pulse"
+ "pipewire-jack"
+ "wireplumber"
+ "firefox"
+ "firefox-i18n-de"
+ "firefox-ublock-origin"
+ "firefox-dark-reader"
+ "aurutils" # from maximbaz repo
+ "devtools" # tools for aurutils
+ "docbook-xls" # depenency of plymouth-git
+ "efitools" # provides KeyTool
+ "libfido2" # for systemd-cryptenroll
+)
+all_packages=(
+ ${kernel_packages[@]}
+ ${fs_packages[@]}
+ ${network_packages[@]}
+ ${basic_packages[@]}
+)
+
+pacstrap /mnt base base-devel arch-secure-boot ${all_packages[@]}
+
+echo -e "\n### Generating base config files"
+echo "cryptdevice=PARTLABEL=primary:luks:allow-discards root=LABEL=btrfs rootflags=subvol=root rw quiet mem_sleep_default=deep" > /mnt/etc/kernel/cmdline
+
+genfstab -L /mnt >> /mnt/etc/fstab
+
+echo "FONT=$font" > /mnt/etc/vconsole.conf
+echo
"KEYMAP=de-latin1" >> /mnt/etc/vconsole.conf
+echo "${hostname}" > /mnt/etc/hostname
+sed -i 's/^#en_US\.UTF-8/en_US\.UTF-8/' /mnt/etc/locale.gen
+sed -i 's/^#de_DE\.UTF-8/de_DE\.UTF-8/' /mnt/etc/locale.gen
+echo "LANG=en_US.UTF-8" > /mnt/etc/locale.conf
+arch-chroot /mnt locale-gen
+
+ln -sf /usr/share/zoneinfo/Europe/Berlin /mnt/etc/localtime
+
+echo "$hostname" > /mnt/etc/hostname
+echo -e "127.0.0.1\tlocalhost" >>/mnt/etc/hosts
+echo -e "127.0.1.1\t$hostname" >>/mnt/etc/hosts
+echo -e "\n::1\tlocalhost" >>/mnt/etc/hosts
+
+# Propagate the systemd-resolved managed configuration to all clients (stub mode)
+ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
+
+cat >/mnt/etc/systemd/network/20-wired.network </mnt/etc/systemd/network/25-wireless.network </mnt/etc/iwd/main.conf </mnt/etc/mkinitcpio.conf <> /mnt/etc/fstab
+
+echo -e "\n### Creating user"
+arch-chroot /mnt useradd -m "$user"
+for group in wheel network video audio input storage power; do
+ arch-chroot /mnt groupadd -rf "$group"
+ arch-chroot /mnt gpasswd -a "$user" "$group"
+done
+echo "$user:$password" | arch-chroot /mnt chpasswd
+
+echo -e "\n### Disabling root login"
+arch-chroot /mnt passwd -dl root
+
+echo -e "\n### Setting permissions on the custom repo"
+arch-chroot /mnt chown -R "$user:$user" "/var/cache/pacman/${user}-local/"
+
+echo -e "\n### Cloning dotfiles"
+arch-chroot /mnt sudo -u $user bash -c 'git clone --recursive https://code.strobeto.de/strobeltobias/dotfiles.git ~/.dotfiles'
+
+echo -e "\n### Running initial setup"
+arch-chroot /mnt /home/$user/.dotfiles/setup-system.sh
+arch-chroot /mnt sudo -u $user /home/$user/.dotfiles/setup-user.sh
+
+echo -e "\n### DONE - reboot and re-run both ~/.local/share/chezmoi/setup-*.sh scripts"
diff --git a/setup-system.sh b/setup-system.sh
index 5219504..e4dd19f 100755
--- a/setup-system.sh
+++ b/setup-system.sh
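Review bot: The last steps clone `https://code.strobeto.de/strobeltobias/dotfiles.git` at whatever its default branch currently holds and then run `setup-system.sh` from it as root inside the chroot, so everything on the new system rests on that host's content at install time; checking out a reviewed revision first (`git -C ~/.dotfiles checkout <reviewed-commit-id>`) or verifying a signed tag would bound that. The header comment has the same weakness, since `bash <(curl -sL https://link.rafe.li/dot)` follows a redirect on a domain that matches none of the hosts used elsewhere in this patch and may not fetch this file at all. In `get_password`, `: "${init_pass:?dialog …}"` never runs the dialog, because `:?` only prints its word and aborts the subshell; `[[ -n "$init_pass" ]] || { dialog … --msgbox "Password cannot be empty.\nTry again." 0 0; continue; }` would re-prompt as the loop intends. `"docbook-xls"` looks like a misspelling of `docbook-xsl` and would stop `pacstrap` on an unknown target, and `$user` is unquoted in the `sudo -u $user` and `/home/$user/…` lines although it comes straight from the input box. The `cat >… <` run before `>> /mnt/etc/fstab` is garbled on this page, so the heredocs it held are not covered by this review.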
@@ -63,6 +63,9 @@ echo "==========================" echo "Setting up /etc configs..." echo "=========================="
+copy "etc/kernel/cmdline"
+copy "etc/sysctl.d/20-quiet-printk.conf"
+copy "etc/modprobe.d/i915.conf"
 #copy "etc/aurutils/pacman-x86_64.conf"
 #copy "etc/bluetooth/main.conf"
 #copy "etc/conf.d/snapper"
@@ -170,5 +173,19 @@ fi echo "Configuring NTP" timedatectl set-ntp true
-#echo "Configuring aurutils"
-#ln -sf /etc/pacman.conf /etc/aurutils/pacman-maximbaz-local.conf
+echo "Configuring aurutils"
+ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf
+
+echo "Configuring plymouth"
+plymouth-set-default-theme -R spinner && arch-secure-boot generate-efi
+
+echo "Preparing KeyTool to allow install PK key"
+mkdir -p /efi/EFI/secureboot
+sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
+cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
+mount="$(findmnt -n -o SOURCE -T "/efi")"
+partition="${mount##*[!0-9]}"
+entry="/EFI/secureboot/KeyTool-signed.efi"
+efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
+
+echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI"
diff --git a/setup-user.sh b/setup-user.sh
new file mode 100755
index 0000000..a30f8b2
--- /dev/null
+++ b/setup-user.sh
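Review bot: In the second hunk the KeyTool block signs with keys under `/etc/arch-secure-boot/keys/` but copies `PK.auth` from `/etc/secureboot/keys/PK/`, a different tree; unless both exist on the target, the `cp` either fails or ships a PK that does not belong to the db key just used, so one of the two paths probably needs correcting. The block is also not re-runnable although install.sh tells the user to run this script again after reboot: each run adds another `KeyTool` entry through `efibootmgr -c`. The db-signed `KeyTool-signed.efi` and its boot entry stay on the unencrypted ESP after enrollment; a cleanup step, or at least a comment such as `# remove the KeyTool boot entry and /efi/EFI/secureboot once the PK is enrolled`, would keep a signed key-management tool from remaining bootable longer than needed. `ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf` hard-codes the user name where install.sh names the repository `${user}-local`. The script continues above and between these hunks, so error handling such as `set -e` cannot be judged from here.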
@@ -0,0 +1,223 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+MY_PGP_KEY_ID="A3F9CE82F38FC1F220CC2A1D63CCF3229371555E"
+
+dotfiles_dir="$(
+ cd "$(dirname "$0")"
+ pwd
+)"
+cd "$dotfiles_dir"
+
+link() {
+ orig_file="$dotfiles_dir/$1"
+ if [ -n "$2" ]; then
+ dest_file="$HOME/$2"
+ else
+ dest_file="$HOME/$1"
+ fi
+
+ mkdir -p "$(dirname "$orig_file")"
+ mkdir -p "$(dirname "$dest_file")"
+
+ rm -rf "$dest_file"
+ ln -s "$orig_file" "$dest_file"
+ echo "$dest_file -> $orig_file"
+}
+
+is_chroot() {
+ ! cmp -s /proc/1/mountinfo /proc/self/mountinfo
+}
+
+systemctl_enable_start() {
+ echo "systemctl --user enable --now "$1""
+ systemctl --user enable --now "$1"
+}
+
+#echo "==========================="
+#echo "Setting up user dotfiles..."
+#echo "==========================="
+
+#link ".gnupg/$(cut -d'-' -f1 /etc/hostname)-gpg.conf" ".gnupg/gpg.conf"
+#link ".gnupg/gpg-agent.conf"
+#link ".ignore"
+#link ".magic"
+#link ".p10k.zsh"
+#link ".p10k.zsh" ".p10k-ascii-8color.zsh"
+#link ".zprofile"
+#link ".zsh-aliases"
+#link ".zshenv"
+#link ".zshrc"
+#
+#link ".config/bat"
+#link ".config/chromium-flags.conf"
+#link ".config/environment.d"
+#link ".config/flashfocus"
+#link ".config/git/$(cut -d'-' -f1 /etc/hostname)" ".config/git/config"
+#link ".config/git/common"
+#link ".config/git/home"
+#link ".config/git/ignore"
+#link ".config/git/work"
+#link ".config/gtk-3.0"
+#link ".config/htop"
+#link ".config/imapnotify/archlinux.conf"
+#link ".config/imapnotify/maximbaz.conf"
+#link ".config/kak"
+#link ".config/kak-lsp"
+#link ".config/kitty"
+#link ".config/libinput-gestures.conf"
+#link ".config/mako"
+#link ".config/mimeapps.list"
+#link ".config/mpv"
+#link ".config/neomutt/colors"
+#link ".config/neomutt/mailcap"
+#link ".config/neomutt/neomuttrc"
+#link ".config/neomutt/signature"
+#link ".config/notmuch"
+#link ".config/pacman"
+#link ".config/pgcli/config"
+#link ".config/pylint"
+#link
".config/qalculate/qalc.cfg"
+#link ".config/qalculate/qalculate-gtk.cfg"
+#link ".config/qutebrowser"
+#link ".config/repoctl"
+#link ".config/sclirc"
+#link ".config/stylua"
+#link ".config/swappy"
+#link ".config/sway"
+#link ".config/swaylock"
+#link ".config/systemd/user/backup-packages.service"
+#link ".config/systemd/user/backup-packages.timer"
+#link ".config/systemd/user/battery-low-notify.service"
+#link ".config/systemd/user/mbsync.service"
+#link ".config/systemd/user/mbsync.timer"
+#link ".config/systemd/user/polkit-gnome.service"
+#link ".config/systemd/user/qutebrowser-update-useragent.service"
+#link ".config/systemd/user/qutebrowser-update-useragent.timer"
+#link ".config/systemd/user/sway-autoname-workspaces.service"
+#link ".config/systemd/user/sway-inactive-window-transparency.service"
+#link ".config/systemd/user/sway-session.target"
+#link ".config/systemd/user/swayr.service"
+#link ".config/systemd/user/systembus-notify.service"
+#link ".config/systemd/user/udiskie.service"
+#link ".config/systemd/user/waybar.service"
+#link ".config/systemd/user/waybar-updates.service"
+#link ".config/systemd/user/waybar-updates.timer"
+#link ".config/systemd/user/wl-clipboard-manager.service"
+#link ".config/systemd/user/wlsunset.service"
+#link ".config/tig"
+#link ".config/transmission/settings.json"
+#link ".config/udiskie"
+#link ".config/USBGuard"
+#link ".config/user-tmpfiles.d"
+#link ".config/vimiv"
+#link ".config/waybar"
+#link ".config/wldash"
+#link ".config/xdg-desktop-portal-wlr"
+#link ".config/xkb"
+#link ".config/xplr"
+#link ".config/zathura"
+#
+#link ".local/bin"
+#link ".local/share/applications"
+#link ".local/share/qutebrowser/greasemonkey"
+#link ".local/share/dbus-1/services/fr.emersion.mako.service"
+
+if is_chroot; then
+ echo >&2 "=== Running in chroot, skipping user services..."
+else
+ echo ""
+ echo "================================="
+ echo "Enabling and starting services..."
+ echo "================================="
+
+ systemctl --user daemon-reload
+ systemctl_enable_start pipewire
+ systemctl_enable_start pipewire-pulse
+ #systemctl_enable_start "backup-packages.timer"
+ #systemctl_enable_start "battery-low-notify.service"
+ #systemctl_enable_start "flashfocus.service"
+ #systemctl_enable_start "libinput-gestures.service"
+ #systemctl_enable_start "mako.service"
+ #systemctl_enable_start "polkit-gnome.service"
+ #systemctl_enable_start "qutebrowser-update-useragent.timer"
+ #systemctl_enable_start "sway-autoname-workspaces.service"
+ #systemctl_enable_start "sway-inactive-window-transparency.service"
+ #systemctl_enable_start "swayr.service"
+ #systemctl_enable_start "systembus-notify.service"
+ #systemctl_enable_start "systemd-tmpfiles-setup.service"
+ #systemctl_enable_start "udiskie.service"
+ #systemctl_enable_start "waybar.service"
+ #systemctl_enable_start "waybar-updates.timer"
+ #systemctl_enable_start "wl-clipboard-manager.service"
+ #systemctl_enable_start "wlsunset.service"
+ #systemctl_enable_start "wluma.service"
+ #systemctl_enable_start "yubikey-touch-detector.socket"
+
+ #if [[ $HOSTNAME == home-* ]]; then
+ # if [ -d "$HOME/.mail" ]; then
+ # systemctl_enable_start "mbsync.timer"
+ # systemctl_enable_start "goimapnotify@archlinux.service"
+ # systemctl_enable_start "goimapnotify@maximbaz.service"
+ # else
+ # echo >&2 -e "
+ # === Mail is not configured, skipping...
+ # === Consult \$MBSYNC_CONFIG for initial setup, and then sync everything using:
+ # === while ! mbsync -c "\$MBSYNC_CONFIG" -a; do echo 'restarting...'; done
+ # "
+ # fi
+ #fi
+fi
+
+echo ""
+echo "======================================="
+echo "Finishing various user configuration..."
+echo "======================================="
+
+#echo "Configuring MIME types"
+#file --compile --magic-file "$HOME/.magic"
+
+if !
gpg -k | grep "$MY_PGP_KEY_ID" > /dev/null; then
+ echo "Importing my public PGP key"
+ curl -s --tlsv1.3 https://tobias.strobel.one/pubkey.txt | gpg --import
+ echo "5\ny\n" | gpg --command-fd 0 --no-tty --batch --edit-key "$MY_PGP_KEY_ID" trust
+fi
+
+find "$HOME/.gnupg" -type f -not -path "*#*" -exec chmod 600 {} \;
+find "$HOME/.gnupg" -type d -exec chmod 700 {} \;
+
+#if is_chroot; then
+# echo >&2 "=== Running in chroot, skipping YubiKey configuration..."
+#else
+# if [ ! -s "$HOME/.config/Yubico/u2f_keys" ]; then
+# echo "Configuring YubiKey for passwordless sudo (touch it now)"
+# mkdir -p "$HOME/.config/Yubico"
+# pamu2fcfg -umaximbaz > "$HOME/.config/Yubico/u2f_keys"
+# fi
+#fi
+
+#if [ -d "$HOME/.password-store" ]; then
+# echo "Configuring automatic git push for pass"
+# echo -e "#!/bin/sh\n\npass git push" > "$HOME/.password-store/.git/hooks/post-commit"
+# chmod +x "$HOME/.password-store/.git/hooks/post-commit"
+#else
+# echo >&2 "=== Password store is not configured yet, skipping..."
+#fi
+
+#if is_chroot; then
+# echo >&2 "=== Running in chroot, skipping GTK file chooser dialog configuration..."
+#else
+# echo "Configuring GTK file chooser dialog"
+# gsettings set org.gtk.Settings.FileChooser sort-directories-first true
+#fi
+
+#echo "Ignoring further changes to often changing config"
+#git update-index --assume-unchanged ".config/transmission/settings.json"
+
+#echo "Configure repo-local git settings"
+#git config user.email "code@strobel.one"
+#git config user.signingkey "$MY_PGP_KEY_ID"
+#git config commit.gpgsign true
+#git remote set-url origin "git@github.com:maximbaz/dotfiles.git"
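Review bot: The key import near the end trusts whatever `https://tobias.strobel.one/pubkey.txt` returns: `curl -s` has no `--fail`, so an error page is piped into `gpg --import`, and every key in the response is imported without first being compared with `MY_PGP_KEY_ID`. The trust step also does not do what it appears to, because bash's builtin `echo "5\ny\n"` without `-e` sends the backslashes literally and gpg never receives `5` and `y` as separate answers; `printf '5\ny\n'` does. Downloading to a temporary file, checking the fingerprint with `gpg --show-keys`, and only then importing closes both gaps, as in the excerpt below. Further up, `link()` runs `rm -rf "$dest_file"` with `dest_file="$HOME/$1"`, so a call with an empty first argument would target the home directory itself; a `[ -n "$1" ] || return 1` guard at the top of the function is worth adding before the commented-out `link` calls are re-enabled.

```shell
if ! gpg -k | grep "$MY_PGP_KEY_ID" > /dev/null; then
  echo "Importing my public PGP key"
  keyfile="$(mktemp)"
  curl -fsS --tlsv1.3 -o "$keyfile" https://tobias.strobel.one/pubkey.txt
  # Refuse the download unless it carries the pinned fingerprint.
  gpg --show-keys --with-colons "$keyfile" | grep -q "^fpr:.*:${MY_PGP_KEY_ID}:"
  gpg --import "$keyfile"
  rm -f -- "$keyfile"
  printf '5\ny\n' | gpg --command-fd 0 --no-tty --batch --edit-key "$MY_PGP_KEY_ID" trust
# … unchanged: closing fi and the chmod of ~/.gnupg …
```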