From 949b65ac8b894f8a9ed8661a161b34890d8630d0 Mon Sep 17 00:00:00 2001 From: Tobias Strobel Date: Fri, 25 Nov 2022 21:15:34 +0100 Subject: [PATCH] System setup --- dot_bash_logout | 7 + dot_bashrc | 26 +++ dot_config/environment.d/50-progs.conf | 2 +- .../yubikey-touch-detector/service.conf | 1 + install.sh | 36 +++- private_dot_gnupg/gpg-agent.conf | 2 +- private_dot_ssh/private_config | 165 ++++++++++++++++++ private_dot_ssh/private_id_rsa_yubikey.pub | 1 + run_once_firewalld-zones.sh | 11 ++ run_once_gnome-extensions.sh | 15 ++ run_once_pop-shell-keybindings.sh | 2 + run_once_systemd-user.sh | 6 + 12 files changed, 265 insertions(+), 9 deletions(-) create mode 100644 dot_bash_logout create mode 100644 dot_bashrc create mode 100644 dot_config/yubikey-touch-detector/service.conf create mode 100644 private_dot_ssh/private_config create mode 100644 private_dot_ssh/private_id_rsa_yubikey.pub create mode 100644 run_once_firewalld-zones.sh create mode 100644 run_once_gnome-extensions.sh create mode 100644 run_once_pop-shell-keybindings.sh create mode 100644 run_once_systemd-user.sh diff --git a/dot_bash_logout b/dot_bash_logout new file mode 100644 index 0000000..c950b08 --- /dev/null +++ b/dot_bash_logout @@ -0,0 +1,7 @@ +# +# ~/.bash_logout +# + +# Clear the screen after logging out +clear +reset diff --git a/dot_bashrc b/dot_bashrc new file mode 100644 index 0000000..a41c224 --- /dev/null +++ b/dot_bashrc 
@@ -0,0 +1,26 @@ +# +# ~/.bashrc +# + +# If not running interactively, don't do anything +[[ $- != *i* ]] && return + +## Shell options +shopt -s autocd # Auto "cd" when entering just a path +set -o noclobber # Prevent overwrite of existing files +shopt -s checkwinsize # Line wrap on window resize + +## History +export HISTCONTROL='erasedups:ignorespace' + +## Prompt +PS1='[\u@\h \W]\$ ' + +## Aliases +alias ls='ls --color=auto' +alias e='nvim' + +# gpg-agent +export GPG_TTY="$(tty)" +export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" +gpg-connect-agent updatestartuptty /bye > /dev/null diff --git a/dot_config/environment.d/50-progs.conf b/dot_config/environment.d/50-progs.conf index 9b7fb6c..a5851a7 100644 --- a/dot_config/environment.d/50-progs.conf +++ b/dot_config/environment.d/50-progs.conf @@ -1,4 +1,4 @@ EDITOR=nvim VISUAL=nvim MANPAGER=less -AUR_PAGER=aurutils-review +AUR_PAGER='nnn -e' diff --git a/dot_config/yubikey-touch-detector/service.conf b/dot_config/yubikey-touch-detector/service.conf new file mode 100644 index 0000000..9078e70 --- /dev/null +++ b/dot_config/yubikey-touch-detector/service.conf @@ -0,0 +1 @@ +YUBIKEY_TOUCH_DETECTOR_LIBNOTIFY=true diff --git a/install.sh b/install.sh index dd79841..7eabf73 100755 --- a/install.sh +++ b/install.sh @@ -105,6 +105,9 @@ packages=( shfmt # Other development tools jq # Process JSON on command line + ansible-core + ansible + ansible-lint # Desktop tools wl-clipboard dconf-editor @@ -119,6 +122,7 @@ packages=( sane pipewire-pulse # Pipewire-based pulse-audio, replaces pulseaudio wireplumber # Recommended pipewire session & policy manager + playerctl firefox # Browser firefox-i18n-de firefox-dark-reader @@ -186,6 +190,9 @@ packages=( gst-plugins-good gst-plugins-bad gst-plugins-ugly + bitwarden # Password manager + yubikey-touch-detector + ) optdeps=( 
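Review bot: `SSH_AUTH_SOCK` is hard-coded to `/run/user/$UID/gnupg/S.gpg-agent.ssh` in the new ~/.bashrc, which silently points at the wrong socket whenever `GNUPGHOME` is set or the agent's socket directory differs from that layout; `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"` asks gpg for the path it actually uses and stays in sync with gpg-agent.conf. Since the file returns early for non-interactive shells, the `gpg-connect-agent updatestartuptty /bye > /dev/null` line only runs interactively, so its stderr output on an unreachable agent is visible to the user, which seems intended.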
@@ -214,8 +221,10 @@ optdeps=( gtkspell3 # inkscape: optimized SVGs scour - # kiconthemes: Additional icons for KDE apps - #breeze-icons + # gnome-shell: Screen recording + gst-plugin-pipewire + # gnome-control-center: Applications + malcontent ) pacman -Syu --noconfirm --needed "${packages[@]}" @@ -283,6 +292,10 @@ sed -i '/^hosts: /s/^hosts: .*/'"hosts: ${NSS_HOSTS[*]}/" /etc/nsswitch.conf # Bootloader and initrd configuration install -pm644 "$DIR/etc/dracut.conf" /etc/dracut.conf.d/50-custom.conf install -pm644 "$DIR/etc/loader.conf" /efi/loader/loader.conf +if [[ ! -f /usr/share/secureboot/keys/db/db.pem ]]; then + sbctl create-keys + sbctl enroll-keys +fi if [[ -f /usr/share/secureboot/keys/db/db.key ]] && [[ -f /usr/share/secureboot/keys/db/db.pem ]]; then install -pm644 "$DIR/etc/dracut-sbctl.conf" /etc/dracut.conf.d/90-sbctl-signing.conf else @@ -334,7 +347,8 @@ systemctl start firewalld.service firewall-cmd --permanent --zone=home \ --add-service=upnp-client \ --add-service=rdp \ - --add-service=ssh + --add-service=ssh \ + --add-service gsconnect # Don't allow incoming SSH connections on public networks (this is a weird default imho) firewall-cmd --permanent --zone=public --remove-service=ssh firewall-cmd --reload 
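Review bot: The new Secure Boot guard in install.sh tests only for `db.pem`, so when `sbctl create-keys` succeeds but `sbctl enroll-keys` fails (for example because the firmware is not in Setup Mode) the key files exist and enrollment is never retried on later runs, leaving the following `dracut-sbctl.conf` branch signing images that the firmware does not trust. Enrolling under its own condition, or checking enrollment with `sbctl status` before deciding, avoids that half-configured state. `sbctl enroll-keys` without `--microsoft` also enrolls only the custom keys, which sbctl itself warns can leave hardware with Microsoft-signed option ROMs unbootable; if that is deliberate, a comment on the line saying so would help, otherwise `sbctl enroll-keys --microsoft` is the safer default. Whether install.sh runs under `set -e`, which decides what a failed `sbctl` call does here, is not visible in this hunk.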
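Review bot: The added `--add-service gsconnect` mixes argument styles with the `--add-service=ssh \` line directly above it in the same `firewall-cmd --permanent --zone=home` call; `--add-service=gsconnect` keeps the list uniform and easier to grep. The same service is also added to the home zone by the new run_once_firewalld-zones.sh in this commit, so one of the two places appears redundant; confirm which one should own that rule so they do not drift apart.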
@@ -402,7 +416,17 @@ aur_packages=( # Splash screen at boot plymouth # Gnome extensions - gnome-shell-extension-nasa-apod + gnome-shell-extension-arch-update # Indicator for system update gnome-shell-extension-arch-update # Indicator for system updatess + gnome-shell-extension-nasa-apod # NASA's astronomy picture of the day as wallpaper + gnome-shell-extension-gsconnect # Connect phone and desktop system + gnome-shell-extension-pop-shell-bin # Sway-like feeling + gnome-shell-extension-clipboard-history # Searchable history panel of clipboard + gnome-shell-extension-bluetooth-quick-connect + gnome-shell-extension-quick-settings-tweaks-git + gnome-shell-extension-nightthemeswitcher + gnome-shell-extension-mpris-indicator-button + # Firefox extensions + firefox-extension-bitwarden # Dracut hook to build kernel images for systemd boot dracut-hook-uefi # Additional fonts @@ -410,9 +434,7 @@ aur_packages=( ttf-fira-go # A nice font for presentations # Additional tools git-gone - # Connect phone and desktop system - gnome-shell-extension-gsconnect - firefox-extension-https-everywhere + dnscontrol-bin ) aur_optdeps=( diff --git a/private_dot_gnupg/gpg-agent.conf b/private_dot_gnupg/gpg-agent.conf index e375849..267f30e 100644 --- a/private_dot_gnupg/gpg-agent.conf +++ b/private_dot_gnupg/gpg-agent.conf @@ -4,4 +4,4 @@ enable-ssh-support ttyname $GPG_TTY default-cache-ttl 60 max-cache-ttl 120 -pinentry-program /usr/bin/pinentry-gtk4 +pinentry-program /usr/bin/pinentry diff --git a/private_dot_ssh/private_config b/private_dot_ssh/private_config new file mode 100644 index 0000000..cfebc01 --- /dev/null +++ b/private_dot_ssh/private_config 
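Review bot: The added `gnome-shell-extension-arch-update` line appears to carry a duplicated fragment in its trailing comment (`# Indicator for system update gnome-shell-extension-arch-update # Indicator for system updatess`); bash treats everything after the first `#` as a comment, so the package is still installed once, but the line should read `gnome-shell-extension-arch-update # Indicator for system updates`. The hunk header's line counts (one removed, eleven added, six context) suggest this is one added line rather than a leftover context line, which is worth confirming against the file.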
@@ -0,0 +1,165 @@
+Host finn
+ User ansible
+ HostName finn.strobeto.de
+ IdentitiesOnly yes
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host xj2jx027@xj2jx027.repo.borgbase.com
+ IdentitiesOnly yes
+ IdentityFile ~/.ssh/id_ed25519
+
+Host maxh
+ HostName 192.168.178.47
+ #HostName helios64
+ User root
+ IdentityFile ~/max-publickey
+ UserKnownHostsFile /dev/null
+Host max-unlock
+ HostName 192.168.178.47
+ User root
+ IdentityFile ~/max-publickey
+ UserKnownHostsFile /dev/null
+ Ciphers aes256-ctr
+ MACs hmac-sha2-256
+ HostKeyAlgorithms ecdsa-sha2-nistp256
+
+
+# Server
+Host aech aech.strobeto.de
+ #HostName 185.244.194.96
+ HostName aech.strobeto.de
+ #User art3m1s
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+ RemoteCommand TERM=xterm-256color $SHELL
+ RequestTTY yes
+Host aech-unlock
+ HostName 185.244.194.96
+ #HostName aech.strobeto.de
+ Port 2222
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+ UserKnownHostsFile ~/.ssh/known_hosts.initramfs
+ Ciphers aes256-ctr
+ MACs hmac-sha2-256
+ HostKeyAlgorithms ssh-rsa
+
+Host oscar oscar.strobeto.de
+ #HostName 176.96.139.165
+ HostName oscar.strobeto.de
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+ StrictHostKeyChecking no
+ VerifyHostKeyDNS no
+Host oscar-unlock
+ HostName 176.96.139.165
+ #HostName oscar.strobeto.de
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+ UserKnownHostsFile ~/.ssh/known_hosts.initramfs
+ Ciphers aes256-ctr
+ MACs hmac-sha2-256
+
+Host code.strobeto.de
+ HostName code.strobeto.de
+ User git
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+
+# HomeNet
+Host gate
+ #HostName 192.168.120.1
+ HostName gate.home.strobel.one
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host pi
+ #HostName 192.168.30.30
+ HostName pi.home.strobel.one
+ #User dietpi
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host s storage
+ #HostName 192.168.130.10
+ HostName storage.home.strobel.one
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host helios
+ #HostName 
192.168.130.20
+ HostName helios.home.strobel.one
+ User anorak
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host helios-unlock
+ HostName 192.168.130.20
+ #HostName helios.home.strobel.one
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+ UserKnownHostsFile ~/.ssh/known_hosts.initramfs
+ Ciphers aes256-ctr
+ MACs hmac-sha2-256
+ HostKeyAlgorithms ecdsa-sha2-nistp256
+
+Host owrt
+ HostName 192.168.1.1
+ Port 22
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+# PasswordAuthentication yes
+ Ciphers aes256-ctr
+ MACs hmac-sha2-256
+ HostKeyAlgorithms ssh-rsa
+ UserKnownHostsFile /dev/null
+
+# Offsite Backup
+Host rnet
+ #HostName 82.197.184.220
+ HostName ch-s012.rsync.net
+ User 14119
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host bbaech
+ HostName ks5y910n.repo.borgbase.com
+ User ks5y910n
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host bbarchaide
+ HostName xj2jx027.repo.borgbase.com
+ User xj2jx027
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+
+# Git services
+Host github.com
+ User git
+ ControlMaster no
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Friends
+Host max
+ HostName multimax.haedicke.one
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host torsten
+ HostName zero.roost.one
+ User root
+ IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host raphael
+ HostName saphie.de
+ User root
+ Port 9001
+ #IdentityFile ~/.ssh/id_rsa_yubikey.pub
+
+Host *
+ ControlMaster auto
+ ControlPersist 300
+ ControlPath ~/.ssh/socket-%r@%h:%p
+ IdentitiesOnly yes
+ HashKnownHosts yes
+# PasswordAuthentication no
+ ChallengeResponseAuthentication no
+ StrictHostKeyChecking ask
+ VerifyHostKeyDNS yes
+ ForwardAgent no
+ ForwardX11 no
+ ForwardX11Trusted no
+ ServerAliveInterval 60
+ ServerAliveCountMax 3
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ 
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+ MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+ HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/private_dot_ssh/private_id_rsa_yubikey.pub b/private_dot_ssh/private_id_rsa_yubikey.pub
new file mode 100644
index 0000000..827a496
--- /dev/null
+++ b/private_dot_ssh/private_id_rsa_yubikey.pub
@@ -0,0 +1 @@
+ssh-rsa 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 cardno:000611119026
diff --git a/run_once_firewalld-zones.sh b/run_once_firewalld-zones.sh
new file mode 100644
index 0000000..b35f9e0
--- /dev/null
+++ b/run_once_firewalld-zones.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+nmcli connection modify HomeNet connection.zone home
+
+firewall-cmd --permanent --zone=home \
+ --add-service ausweisapp2 \
+ --add-service gsconnect
+firewall-cmd --reload
diff --git a/run_once_gnome-extensions.sh b/run_once_gnome-extensions.sh
new file mode 100644
index 0000000..48fc07e
--- /dev/null
+++ b/run_once_gnome-extensions.sh
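Review bot: The `Host oscar oscar.strobeto.de` block sets `StrictHostKeyChecking no` and `VerifyHostKeyDNS no`, which makes ssh accept any host key for what looks like an internet-reachable root login and removes the only protection against a substituted server; dropping both lines lets the `Host *` defaults (`StrictHostKeyChecking ask`, `VerifyHostKeyDNS yes`) apply. The `maxh`, `max-unlock` and `owrt` blocks reach a similar state through `UserKnownHostsFile /dev/null`, since the key is never remembered and every connection is a fresh trust-on-first-use prompt; pinning them in a dedicated file, as `aech-unlock` does with `UserKnownHostsFile ~/.ssh/known_hosts.initramfs`, keeps the unlock workflow while retaining verification. Separately, `Host xj2jx027@xj2jx027.repo.borgbase.com` can never match, because `Host` patterns are compared against the host name alone and the `user@` part is stripped before config lookup; if the `id_ed25519` identity is meant for that repository the pattern should be `Host xj2jx027.repo.borgbase.com`, which then needs reconciling with the later `bbarchaide` block that uses the YubiKey identity for the same host. The `RemoteCommand` in the `aech` block also applies to `scp`, `sftp` and `rsync` against that host and makes them fail with a "cannot execute command-line and remote command" error, so it is safer on a separate alias used only for interactive logins.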
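Review bot: The stderr colouriser in run_once_firewalld-zones.sh reads with a bare `read line`, so backslashes in forwarded error text are interpreted and surrounding whitespace is dropped, and `echo -e` then expands escape sequences that appear in the data; the line should be `exec 2> >(while IFS= read -r line; do printf '\e[01;31m%s\e[0m\n' "$line"; done)`. The same line is repeated in run_once_gnome-extensions.sh and run_once_systemd-user.sh in this commit. Both `nmcli connection modify` and `firewall-cmd --permanent` change system-wide state and, run as a chezmoi run_once script under the login user, will presumably depend on polkit granting the change or fail under `set -e` without the firewall rule being applied; it is worth confirming how this is expected to be authorised on first run.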
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+gnome-extensions enable appindicatorsupport@rgcjonas.gmail.com
+gnome-extensions enable gsconnect@andyholmes.github.io
+gnome-extensions enable arch-update@RaphaelRochet
+gnome-extensions enable nasa_apod@elinvention.ovh
+gnome-extensions enable pop-shell@system76.com
+gnome-extensions enable clipboard-history@alexsaveau.dev
+gnome-extensions enable bluetooth-quick-connect@bjarosze.gmail.com
+gnome-extensions enable quick-settings-tweaks@qwreey
+gnome-extensions enable nightthemeswitcher@romainvigier.fr
+gnome-extensions enable mprisindicatorbutton@JasonLG1979.github.io
diff --git a/run_once_pop-shell-keybindings.sh b/run_once_pop-shell-keybindings.sh
new file mode 100644
index 0000000..127d5fc
--- /dev/null
+++ b/run_once_pop-shell-keybindings.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec /usr/share/gnome-shell/extensions/pop-shell@system76.com/scripts/configure.sh
diff --git a/run_once_systemd-user.sh b/run_once_systemd-user.sh
new file mode 100644
index 0000000..b5c0db2
--- /dev/null
+++ b/run_once_systemd-user.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+systemctl --user enable --now yubikey-touch-detector.service
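Review bot: Each `gnome-extensions enable` line in run_once_gnome-extensions.sh aborts the whole script under `set -e` as soon as one extension is not installed (the extensions come from AUR packages added in install.sh, which may not have been built yet), so every extension listed after the failing one stays disabled, and if chezmoi then records the script as run it is not retried until its contents change. Collecting the UUIDs in an array and reporting a failed enable instead of aborting keeps the rest of the list going; with this shape the script still exits 0 on partial failure, which is worth stating in a comment or replacing with a failure flag if a retry is preferred.
```shell
extensions=(
  appindicatorsupport@rgcjonas.gmail.com
  gsconnect@andyholmes.github.io
  # … unchanged: the remaining extension UUIDs from the hunk …
  mprisindicatorbutton@JasonLG1979.github.io
)
for ext in "${extensions[@]}"; do
  gnome-extensions enable "$ext" || printf 'could not enable %s\n' "$ext" >&2
done
```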