System setup

dot_bash_logout

@@ -0,0 +1,7 @@
+#
+# ~/.bash_logout
+#
+
+# Clear the screen after logging out
+clear
+reset

dot_bashrc

@@ -0,0 +1,26 @@
+#
+# ~/.bashrc
+#
+
+# If not running interactively, don't do anything
+[[ $- != *i* ]] && return
+
+## Shell options
+shopt -s autocd # Auto "cd" when entering just a path
+set -o noclobber # Prevent overwrite of existing files
+shopt -s checkwinsize # Line wrap on window resize
+
+## History
+export HISTCONTROL='erasedups:ignorespace'
+
+## Prompt
+PS1='[\u@\h \W]\$ '
+
+## Aliases
+alias ls='ls --color=auto'
+alias e='nvim'
+
+# gpg-agent
+export GPG_TTY="$(tty)"
+export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+gpg-connect-agent updatestartuptty /bye > /dev/null

dot_config/environment.d/50-progs.conf

@@ -1,4 +1,4 @@
 EDITOR=nvim
 VISUAL=nvim
 MANPAGER=less
-AUR_PAGER=aurutils-review
+AUR_PAGER='nnn -e'

dot_config/yubikey-touch-detector/service.conf

@@ -0,0 +1 @@
+YUBIKEY_TOUCH_DETECTOR_LIBNOTIFY=true

install.sh

@@ -105,6 +105,9 @@ packages=(
     shfmt
     # Other development tools
     jq # Process JSON on command line
+    ansible-core
+    ansible
+    ansible-lint
     # Desktop tools
     wl-clipboard
     dconf-editor
@@ -119,6 +122,7 @@ packages=(
     sane
     pipewire-pulse # Pipewire-based pulse-audio, replaces pulseaudio
     wireplumber # Recommended pipewire session & policy manager
+    playerctl
     firefox # Browser
     firefox-i18n-de
     firefox-dark-reader
@@ -186,6 +190,9 @@ packages=(
     gst-plugins-good
     gst-plugins-bad
     gst-plugins-ugly
+    bitwarden # Password manager
+    yubikey-touch-detector
+
 )
 
 optdeps=(
@@ -214,8 +221,10 @@ optdeps=(
     gtkspell3
     # inkscape: optimized SVGs
     scour
-    # kiconthemes: Additional icons for KDE apps
-    #breeze-icons
+    # gnome-shell: Screen recording
+    gst-plugin-pipewire
+    # gnome-control-center: Applications
+    malcontent
 )
 
 pacman -Syu --noconfirm --needed "${packages[@]}"
@@ -283,6 +292,10 @@ sed -i '/^hosts: /s/^hosts: .*/'"hosts: ${NSS_HOSTS[*]}/" /etc/nsswitch.conf
 # Bootloader and initrd configuration
 install -pm644 "$DIR/etc/dracut.conf" /etc/dracut.conf.d/50-custom.conf
 install -pm644 "$DIR/etc/loader.conf" /efi/loader/loader.conf
+if [[ ! -f /usr/share/secureboot/keys/db/db.pem ]]; then
+    sbctl create-keys
+    sbctl enroll-keys
+fi
 if [[ -f /usr/share/secureboot/keys/db/db.key ]] && [[ -f /usr/share/secureboot/keys/db/db.pem ]]; then
     install -pm644 "$DIR/etc/dracut-sbctl.conf" /etc/dracut.conf.d/90-sbctl-signing.conf
 else
@@ -334,7 +347,8 @@ systemctl start firewalld.service
 firewall-cmd --permanent --zone=home \
     --add-service=upnp-client \
     --add-service=rdp \
-    --add-service=ssh
+    --add-service=ssh \
+    --add-service gsconnect
 # Don't allow incoming SSH connections on public networks (this is a weird default imho)
 firewall-cmd --permanent --zone=public --remove-service=ssh
 firewall-cmd --reload
@@ -402,7 +416,17 @@ aur_packages=(
     # Splash screen at boot
     plymouth
     # Gnome extensions
-    gnome-shell-extension-nasa-apod
+    gnome-shell-extension-arch-update # Indicator for system update    gnome-shell-extension-arch-update # Indicator for system updatess
+    gnome-shell-extension-nasa-apod # NASA's astronomy picture of the day as wallpaper
+    gnome-shell-extension-gsconnect # Connect phone and desktop system
+    gnome-shell-extension-pop-shell-bin # Sway-like feeling
+    gnome-shell-extension-clipboard-history # Searchable history panel of clipboard
+    gnome-shell-extension-bluetooth-quick-connect
+    gnome-shell-extension-quick-settings-tweaks-git
+    gnome-shell-extension-nightthemeswitcher
+    gnome-shell-extension-mpris-indicator-button
+    # Firefox extensions
+    firefox-extension-bitwarden
     # Dracut hook to build kernel images for systemd boot
     dracut-hook-uefi
     # Additional fonts
@@ -410,9 +434,7 @@ aur_packages=(
     ttf-fira-go # A nice font for presentations
     # Additional tools
     git-gone
-    # Connect phone and desktop system
-    gnome-shell-extension-gsconnect
-    firefox-extension-https-everywhere
+    dnscontrol-bin
 )
 
 aur_optdeps=(

private_dot_gnupg/gpg-agent.conf

@@ -4,4 +4,4 @@ enable-ssh-support
 ttyname $GPG_TTY
 default-cache-ttl 60
 max-cache-ttl 120
-pinentry-program /usr/bin/pinentry-gtk4
+pinentry-program /usr/bin/pinentry

private_dot_ssh/private_config

@@ -0,0 +1,165 @@
+Host finn
+    User ansible
+    HostName finn.strobeto.de
+    IdentitiesOnly yes
+    IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host xj2jx027@xj2jx027.repo.borgbase.com
+    IdentitiesOnly yes
+    IdentityFile ~/.ssh/id_ed25519
+
+Host maxh
+  HostName 192.168.178.47
+  #HostName helios64
+  User root
+  IdentityFile ~/max-publickey
+  UserKnownHostsFile /dev/null
+Host max-unlock
+  HostName 192.168.178.47
+  User root
+  IdentityFile ~/max-publickey
+  UserKnownHostsFile /dev/null
+  Ciphers aes256-ctr
+  MACs hmac-sha2-256
+  HostKeyAlgorithms ecdsa-sha2-nistp256
+
+
+# Server
+Host aech aech.strobeto.de
+  #HostName 185.244.194.96
+  HostName aech.strobeto.de
+  #User art3m1s
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+  RemoteCommand TERM=xterm-256color $SHELL
+  RequestTTY yes
+Host aech-unlock
+  HostName 185.244.194.96
+  #HostName aech.strobeto.de
+  Port 2222
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+  UserKnownHostsFile ~/.ssh/known_hosts.initramfs
+  Ciphers aes256-ctr
+  MACs hmac-sha2-256
+  HostKeyAlgorithms ssh-rsa
+
+Host oscar oscar.strobeto.de
+  #HostName 176.96.139.165
+  HostName oscar.strobeto.de
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+  StrictHostKeyChecking no
+  VerifyHostKeyDNS no
+Host oscar-unlock
+  HostName 176.96.139.165
+  #HostName oscar.strobeto.de
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+  UserKnownHostsFile ~/.ssh/known_hosts.initramfs
+  Ciphers aes256-ctr
+  MACs hmac-sha2-256
+
+Host code.strobeto.de
+  HostName code.strobeto.de
+  User git
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+
+# HomeNet
+Host gate
+  #HostName 192.168.120.1
+  HostName gate.home.strobel.one
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host pi
+  #HostName 192.168.30.30
+  HostName pi.home.strobel.one
+  #User dietpi
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host s storage
+  #HostName 192.168.130.10
+  HostName storage.home.strobel.one
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host helios
+  #HostName 192.168.130.20
+  HostName helios.home.strobel.one
+  User anorak
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host helios-unlock
+  HostName 192.168.130.20
+  #HostName helios.home.strobel.one
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+  UserKnownHostsFile ~/.ssh/known_hosts.initramfs
+  Ciphers aes256-ctr
+  MACs hmac-sha2-256
+  HostKeyAlgorithms ecdsa-sha2-nistp256
+
+Host owrt
+  HostName 192.168.1.1
+  Port 22
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+#  PasswordAuthentication yes
+  Ciphers aes256-ctr
+  MACs hmac-sha2-256
+  HostKeyAlgorithms ssh-rsa
+  UserKnownHostsFile /dev/null
+
+# Offsite Backup
+Host rnet
+  #HostName 82.197.184.220
+  HostName ch-s012.rsync.net
+  User 14119
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host bbaech
+  HostName ks5y910n.repo.borgbase.com
+  User ks5y910n
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host bbarchaide
+  HostName xj2jx027.repo.borgbase.com
+  User xj2jx027
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+
+# Git services
+Host github.com
+  User git
+  ControlMaster no
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Friends
+Host max
+  HostName multimax.haedicke.one
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host torsten
+  HostName zero.roost.one
+  User root
+  IdentityFile ~/.ssh/id_rsa_yubikey.pub
+Host raphael
+  HostName saphie.de
+  User root
+  Port 9001
+  #IdentityFile ~/.ssh/id_rsa_yubikey.pub
+
+Host *
+  ControlMaster auto
+  ControlPersist 300
+  ControlPath ~/.ssh/socket-%r@%h:%p
+  IdentitiesOnly yes
+  HashKnownHosts yes
+#  PasswordAuthentication no
+  ChallengeResponseAuthentication no
+  StrictHostKeyChecking ask
+  VerifyHostKeyDNS yes
+  ForwardAgent no
+  ForwardX11 no
+  ForwardX11Trusted no
+  ServerAliveInterval 60
+  ServerAliveCountMax 3
+  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+  KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+  MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+  HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com

private_dot_ssh/private_id_rsa_yubikey.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDotLcl5BNYr9driaP353pwejAur6cQaXQFk2d+OuR5cKbCpD2f7TH9lMTIh/pUZt9jJUxV/1hc/IQ9jIww1Cqdh1wH10rclLwRhJIUk/7/ng74kD90ohOGD8Hh1OLnQYk549hfivarYVsGfVI2I6rYbTCeoiZfFYuYMvqrEKlfZ9C+vaBtmqBaDQooD6nv4lnpo1y7/UpbeH/KqQzY8nFvxsjfD/gfm43gi5KU3yuoxIkmXxYdcHLJt9YA2Eov6DSgqvIBJQFzaxgxcfaWDwdPBAhR0dvwZ1I97G3bV/DXidJSMtm7VC21Ua9AGGGvPG5pkPWlOQKv6MRwRLaAJeWh+ZsLSNslrj3PENy/wMdOnahJKcPYxt3heHtGRVB89qMcECyqjKoCE+Gb/M5jEuQQJK7SIjvrVJLZ7PU2l+WWuSDGzbBbmAVa3w0r3HbaWUeeOmgPk+vgLp5fujgBe2D0dl55qTQqnwhGKnLyOeAA4jTcgqGMOfax5jqfGBUNK96HWAUOynP5Dx0/JWwBgB44OyFei+p9OQ4huWRfBq7fGS99B+bN1F/mkOgiPZ1oghOfZxdQ4EGQ37yH+CqGFlHOo2fKSsqtdx60ZeT1sqklk0lU4m8ga+3HunJUOCCMfZyB1atRBv9Pqhjkgt46m8nPrAZ9D3HomhpULgn3J0K8ew== cardno:000611119026

run_once_firewalld-zones.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+nmcli connection modify HomeNet connection.zone home
+
+firewall-cmd --permanent --zone=home \
+    --add-service ausweisapp2 \
+    --add-service gsconnect
+firewall-cmd --reload

run_once_gnome-extensions.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+gnome-extensions enable appindicatorsupport@rgcjonas.gmail.com
+gnome-extensions enable gsconnect@andyholmes.github.io
+gnome-extensions enable arch-update@RaphaelRochet
+gnome-extensions enable nasa_apod@elinvention.ovh
+gnome-extensions enable pop-shell@system76.com
+gnome-extensions enable clipboard-history@alexsaveau.dev
+gnome-extensions enable bluetooth-quick-connect@bjarosze.gmail.com
+gnome-extensions enable quick-settings-tweaks@qwreey
+gnome-extensions enable nightthemeswitcher@romainvigier.fr
+gnome-extensions enable mprisindicatorbutton@JasonLG1979.github.io

run_once_pop-shell-keybindings.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+exec /usr/share/gnome-shell/extensions/pop-shell@system76.com/scripts/configure.sh

run_once_systemd-user.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+systemctl --user enable --now yubikey-touch-detector.service