From b861420f72da294ff3cd726734b286455877cf22 Mon Sep 17 00:00:00 2001
From: Tobias Strobel
Date: Thu, 5 May 2022 20:40:24 +0200
Subject: [PATCH] Add Configs for Sway + YubiKey for GPG/SSH
---
 dot_bash_profile | 3 -
 dot_config/sway/config | 19 ++
 private_dot_gnupg/gpg-agent.conf | 7 +
 private_dot_gnupg/private_gpg.conf | 59 +++++
 .../chezmoi/executable_setup-system.sh | 206 ++++++++++++++++++
 setup-system.sh | 2 +-
 6 files changed, 292 insertions(+), 4 deletions(-)
 create mode 100644 private_dot_gnupg/gpg-agent.conf
 create mode 100644 private_dot_gnupg/private_gpg.conf
 create mode 100644 private_dot_local/private_share/chezmoi/executable_setup-system.sh
diff --git a/dot_bash_profile b/dot_bash_profile
index bdc9999..8aad132 100644
--- a/dot_bash_profile
+++ b/dot_bash_profile
@@ -1,9 +1,6 @@
 #
 # ~/.bash_profile
 #
-
-[[ "$TTY" == /dev/tty* ]] || return 0
-
 export $(systemctl --user show-environment)
 export GPG_TTY="$TTY"
diff --git a/dot_config/sway/config b/dot_config/sway/config
index 624538f..518d7a8 100644
--- a/dot_config/sway/config
+++ b/dot_config/sway/config
@@ -63,6 +63,25 @@ input type:touchpad {
 natural_scroll enabled
 }
 
+seat * hide_cursor 10000
+
+# Gaps
+gaps inner 5
+smart_gaps on
+
+# Borders
+default_border pixel 2
+default_floating_border none
+hide_edge_borders --i3 none
+
+# Disable cursor jumping
+mouse_warping none
+focus_follows_mouse no
+tiling_drag disable
+
+for_window [app_id=".*"] sticky enable
+for_window [window_role="pop-up"] floating enable
+
 ### Key bindings
 #
 # Basics:
diff --git a/private_dot_gnupg/gpg-agent.conf b/private_dot_gnupg/gpg-agent.conf
new file mode 100644
index 0000000..7c55520
--- /dev/null
+++ b/private_dot_gnupg/gpg-agent.conf
@@ -0,0 +1,7 @@
+# https://github.com/drduh/config/blob/master/gpg-agent.conf
+# https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
+enable-ssh-support
+ttyname $GPG_TTY
+default-cache-ttl 60
+max-cache-ttl 120
+pinentry-program /usr/bin/pinentry-curses
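Review bot: The timeout in `seat * hide_cursor 10000` is an undocumented magic number; sway reads it in milliseconds, so a comment such as `# Hide the pointer after 10 s of inactivity (value in ms)` would spare the next reader a manual lookup. The `for_window [app_id=".*"] sticky enable` line likewise deserves a one-line comment stating the intent, because the `.*` criterion matches every window that exposes an app_id; XWayland windows are matched by `class` rather than `app_id`, so they are presumably not covered — confirm that is what is wanted.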
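Review bot: `ttyname $GPG_TTY` will not do what the variable syntax suggests: gpg-agent.conf is not shell-expanded, so the agent would see the literal string `$GPG_TTY`, and I cannot confirm from the Agent-Options page linked two lines above that `ttyname` is an accepted agent option at all. The tty is normally conveyed by exporting `GPG_TTY` in the shell (which `dot_bash_profile` already does) and, when it changes, by `gpg-connect-agent updatestartuptty /bye`; I would drop the line or add a comment justifying it. Separately, `pinentry-program /usr/bin/pinentry-curses` needs a terminal, so a signing or SSH-authentication request that originates from a graphical Sway client without a tty will presumably fail to prompt — worth a comment noting the limitation, or a GUI pinentry.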
diff --git a/private_dot_gnupg/private_gpg.conf b/private_dot_gnupg/private_gpg.conf
new file mode 100644
index 0000000..e68ce36
--- /dev/null
+++ b/private_dot_gnupg/private_gpg.conf
@@ -0,0 +1,59 @@
+# https://github.com/drduh/config/blob/master/gpg.conf
+# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
+# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html
+# Use AES256, 192, or 128 as cipher
+personal-cipher-preferences AES256 AES192 AES
+# Use SHA512, 384, or 256 as digest
+personal-digest-preferences SHA512 SHA384 SHA256
+# Use ZLIB, BZIP2, ZIP, or no compression
+personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
+# Default preferences for new keys
+default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
+# SHA512 as digest to sign keys
+cert-digest-algo SHA512
+# SHA512 as digest for symmetric ops
+s2k-digest-algo SHA512
+# AES256 as cipher for symmetric ops
+s2k-cipher-algo AES256
+# UTF-8 support for compatibility
+charset utf-8
+# Show Unix timestamps
+fixed-list-mode
+# No comments in signature
+no-comments
+# No version in output
+no-emit-version
+# Disable banner
+no-greeting
+# Long hexidecimal key format
+keyid-format 0xlong
+# Display UID validity
+list-options show-uid-validity
+verify-options show-uid-validity
+# Display all keys and their fingerprints
+with-fingerprint
+# Display key origins and updates
+#with-key-origin
+# Cross-certify subkeys are present and valid
+require-cross-certification
+# Disable caching of passphrase for symmetrical ops
+no-symkey-cache
+# Enable smartcard
+use-agent
+# Disable recipient key ID in messages
+#throw-keyids
+# Default key ID to use
+default-key 0xA3F9CE82F38FC1F220CC2A1D63CCF3229371555E
+# Keyserver URL
+keyserver hkps://keys.openpgp.org
+#keyserver hkps://keyserver.ubuntu.com:443
+#keyserver hkps://hkps.pool.sks-keyservers.net
+#keyserver hkps://pgp.ocf.berkeley.edu
+keyserver-options auto-key-retrieve
+# Proxy to use for keyservers
+#keyserver-options http-proxy=http://127.0.0.1:8118
+#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
+# Verbose output
+#verbose
+# Show 
expired subkeys
+#list-options show-unusable-subkeys
diff --git a/private_dot_local/private_share/chezmoi/executable_setup-system.sh b/private_dot_local/private_share/chezmoi/executable_setup-system.sh
new file mode 100644
index 0000000..15536fc
--- /dev/null
+++ b/private_dot_local/private_share/chezmoi/executable_setup-system.sh
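Review bot: `keyserver-options auto-key-retrieve` makes every signature verification that meets a key not in the local keyring contact `hkps://keys.openpgp.org` on its own, which the GnuPG manual itself describes as web-bug-like: whoever can hand you a message signed by a fresh key learns your address and the moment you verified it. If that trade-off is intended it deserves a comment saying so; otherwise drop the option and fetch keys explicitly with `--recv-keys`. The comment `# Enable smartcard` above `use-agent` is misleading, since `use-agent` is a no-op in GnuPG 2.1 and later (the agent is always used) and card access comes from scdaemon; `# Accepted for compatibility only: GnuPG >= 2.1 always uses the agent` would be accurate. Minor: `hexidecimal` in the `keyid-format` comment should read `hexadecimal`.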
@@ -0,0 +1,206 @@
+#!/bin/bash
+
+set -e
+exec 2> >(while read line; do echo -e "\e[01;31m$line\e[0m"; done)
+
+script_name="$(basename "$0")"
+dotfiles_dir="$(
+ cd "$(dirname "$0")"
+ pwd
+)"
+cd "$dotfiles_dir"
+
+if (("$EUID")); then
+ sudo -s "$dotfiles_dir/$script_name" "$@"
+ exit 0
+fi
+
+if [ "$1" = "-r" ]; then
+ echo >&2 "Running in reverse mode!"
+ reverse=1
+fi
+
+copy() {
+ if [ -z "$reverse" ]; then
+ orig_file="$dotfiles_dir/$1"
+ dest_file="/$1"
+ else
+ orig_file="/$1"
+ dest_file="$dotfiles_dir/$1"
+ fi
+
+ mkdir -p "$(dirname "$orig_file")"
+ mkdir -p "$(dirname "$dest_file")"
+
+ rm -rf "$dest_file"
+
+ cp -R "$orig_file" "$dest_file"
+ if [ -z "$reverse" ]; then
+ [ -n "$2" ] && chmod "$2" "$dest_file"
+ else
+ chown -R $USER "$dest_file"
+ fi
+ echo "$dest_file <= $orig_file"
+}
+
+is_chroot() {
+ ! cmp -s /proc/1/mountinfo /proc/self/mountinfo
+}
+
+systemctl_enable() {
+ echo "systemctl enable "$1""
+ systemctl enable "$1"
+}
+
+systemctl_enable_start() {
+ echo "systemctl enable --now "$1""
+ systemctl enable "$1"
+ systemctl start "$1"
+}
+
+echo ""
+echo "=========================="
+echo "Setting up /etc configs..."
+echo "=========================="
+
+copy "etc/kernel/cmdline"
+copy "etc/sysctl.d/20-quiet-printk.conf"
+copy "etc/modprobe.d/i915.conf"
+#copy "etc/aurutils/pacman-x86_64.conf"
+copy "etc/bluetooth/main.conf"
+#copy "etc/conf.d/snapper"
+#copy "etc/default/earlyoom"
+#copy "etc/docker/daemon.json"
+#copy "etc/fwupd/uefi_capsule.conf"
+#copy "etc/modules-load.d/v4l2loopback.conf"
+#copy "etc/modprobe.d/v4l2loopback.conf"
+#copy "etc/nftables.conf"
+#copy "etc/pacman.conf"
+#copy "etc/pacman.d/hooks"
+#copy "etc/pam.d/polkit-1"
+#copy "etc/pam.d/sudo"
+copy "etc/snap-pac.ini"
+copy "etc/snapper/configs/root"
+#copy "etc/ssh/ssh_config"
+copy "etc/sudoers.d/override"
+#copy "etc/sysctl.d/99-sysctl.conf"
+#copy "etc/systemd/journald.conf.d/override.conf"
+#copy "etc/systemd/logind.conf.d/override.conf"
+copy "etc/systemd/network/20-wired.network"
+copy "etc/systemd/network/25-wireless.network"
+copy "etc/iwd/main.conf"
+copy "etc/mkinitcpio.conf"
+#copy "etc/systemd/resolved.conf.d/dnssec.conf"
+copy "etc/systemd/system/getty@tty1.service.d/override.conf"
+#copy "etc/systemd/system/usbguard.service.d/override.conf"
+#copy "etc/systemd/system/reflector.service"
+#copy "etc/systemd/system/reflector.timer"
+#copy "etc/systemd/system/system-dotfiles-sync.service"
+#copy "etc/systemd/system/system-dotfiles-sync.timer"
+#copy "etc/systemd/system.conf.d/kill-fast.conf"
+#copy "etc/usbguard/usbguard-daemon.conf" 600
+#copy "etc/systemd/system/backup-repo@pkgbuild"
+#copy "etc/systemd/system/backup-repo@.service"
+#copy "etc/systemd/system/backup-repo@.timer"
+
+(("$reverse")) && exit 0
+
+echo ""
+echo "================================="
+echo "Enabling and starting services..."
+echo "================================="
+
+sysctl --system > /dev/null
+
+systemctl daemon-reload
+systemctl_enable_start "bluetooth.service"
+#systemctl_enable_start "btrfs-scrub@-.timer"
+#systemctl_enable_start "btrfs-scrub@mnt-btrfs\x2droot.timer"
+#systemctl_enable_start "btrfs-scrub@home.timer"
+#systemctl_enable_start "btrfs-scrub@var-cache-pacman.timer"
+#systemctl_enable_start "btrfs-scrub@var-log.timer"
+#systemctl_enable_start "btrfs-scrub@var-tmp.timer"
+#systemctl_enable_start "btrfs-scrub@\x2esnapshots.timer"
+#systemctl_enable_start "btrfs-scrub@var-lib-aurbuild.timer"
+#systemctl_enable_start "btrfs-scrub@var-lib-archbuild.timer"
+#systemctl_enable_start "btrfs-scrub@var-lib-docker.timer"
+#systemctl_enable_start "docker.socket"
+#systemctl_enable_start "earlyoom.service"
+systemctl_enable_start "fstrim.timer"
+systemctl_enable_start "iwd.service"
+#systemctl_enable_start "linux-modules-cleanup.service"
+#systemctl_enable_start "lenovo_fix.service"
+#systemctl_enable_start "nftables.service"
+systemctl_enable_start "pcscd.socket"
+#systemctl_enable_start "reflector.timer"
+#systemctl_enable_start "snapper-cleanup.timer"
+#systemctl_enable_start "system-dotfiles-sync.timer"
+systemctl_enable_start "systemd-networkd.socket"
+systemctl_enable_start "systemd-resolved.service"
+systemctl_enable_start "systemd-timesyncd"
+#systemctl_enable_start "tlp.service"
+
+#if [ ! -s "/etc/usbguard/rules.conf" ]; then
+# echo >&2 "=== Remember to set usbguard rules: usbguard generate-policy >! /etc/usbguard/rules.conf"
+#else
+# chmod 600 /etc/usbguard/rules.conf
+# systemctl_enable_start "usbguard.service"
+# systemctl_enable_start "usbguard-dbus.service"
+#fi
+
+#systemctl_enable_start "backup-repo@pkgbuild.timer"
+
+#echo ""
+#echo "==============================="
+#echo "Creating top level Trash dir..."
+#echo "==============================="
+#mkdir --parent /.Trash
+#chmod a+rw /.Trash
+#chmod +t /.Trash
+#echo "Done"
+
+echo ""
+echo "======================================="
+echo "Finishing various user configuration..."
+echo "======================================="
+
+if is_chroot; then
+ echo >&2 "=== Running in chroot, skipping /etc/resolv.conf setup..."
+else
+ echo "Configuring /etc/resolv.conf"
+ ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+fi
+
+echo "Configuring NTP"
+timedatectl set-ntp true
+
+echo "Configuring aurutils"
+ln -sf /etc/pacman.conf /etc/aurutils/pacman-tobias-local.conf
+
+PLYMOUTH_THEME="spinner"
+if [ "$(plymouth-set-default-theme)" != "$PLYMOUTH_THEME" ]; then
+ echo "Configuring plymouth"
+ plymouth-set-default-theme "$PLYMOUTH_THEME"
+fi
+
+echo "Configuring mkinitcpio + secure boot"
+
+mkinitcpio -P
+
+if [ ! -s "/etc/arch-secure-boot/keys/PK.auth" ]; then
+ arch-secure-boot initial-setup
+else
+ arch-secure-boot generate-efi
+fi
+
+if [ ! -f /efi/EFI/secureboot/KeyTool-signed.efi ]; then
+ echo "Preparing KeyTool to allow install PK key"
+ mkdir -p /efi/EFI/secureboot
+ sbsign --key /etc/arch-secure-boot/keys/db.key --cert /etc/arch-secure-boot/keys/db.crt --output /efi/EFI/secureboot/KeyTool-signed.efi /usr/share/efitools/efi/KeyTool.efi
+ cp /etc/secureboot/keys/PK/PK.auth /efi/EFI/secureboot/PK.auth
+ mount="$(findmnt -n -o SOURCE -T "/efi")"
+ partition="${mount##*[!0-9]}"
+ entry="/EFI/secureboot/KeyTool-signed.efi"
+ efibootmgr -d "$mount" -p "$partition" -c -l "${entry//\//\\}" -L "KeyTool"
+ echo "Reboot into KeyTool and install PK key (EFI/secureboot/PK.auth) to UEFI"
+fi
diff --git a/setup-system.sh b/setup-system.sh
index fe6b8a8..15536fc 100755
--- a/setup-system.sh
+++ b/setup-system.sh
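Review bot: `copy()` derives `dest_file="/$1"` and then runs `rm -rf "$dest_file"` without checking that `$1` is non-empty, so a call with an empty or unset argument targets `/` in forward mode and `"$dotfiles_dir/"` in reverse mode (GNU rm's default `--preserve-root` protects the former but not the latter); the first line of the function should be `: "${1:?copy: relative path required}"`. Because the script re-executes itself through `sudo -s`, `$USER` is presumably `root` by the time the reverse branch runs `chown -R $USER "$dest_file"`, so the pulled-back files end up root-owned rather than owned by the invoking user; `chown -R "${SUDO_USER:-$USER}" "$dest_file"` is more likely what was meant — confirm. `copy "etc/sudoers.d/override"` is installed with the umask-derived mode, but the function already accepts a mode as its second argument (see the commented usbguard line), and sudo checks sudoers.d file modes, so `copy "etc/sudoers.d/override" 440` is the safer call. Minor: the stderr colouriser on the `exec 2>` line uses `read line` without `-r`, so backslashes in error messages are mangled.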
@@ -131,7 +131,7 @@ systemctl_enable_start "iwd.service"
 #systemctl_enable_start "linux-modules-cleanup.service"
 #systemctl_enable_start "lenovo_fix.service"
 #systemctl_enable_start "nftables.service"
-#systemctl_enable_start "pcscd.socket"
+systemctl_enable_start "pcscd.socket"
 #systemctl_enable_start "reflector.timer"
 #systemctl_enable_start "snapper-cleanup.timer"
 #systemctl_enable_start "system-dotfiles-sync.timer"
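Review bot: After this change `setup-system.sh` and the new `private_dot_local/private_share/chezmoi/executable_setup-system.sh` are the same blob (both index lines end in `15536fc`), so the repository now carries two copies of a root-executed script that will drift apart; keep one and make the other a symlink, or delete the old path once chezmoi owns it. On the line itself, enabling `pcscd.socket` next to a gpg-agent/scdaemon YubiKey setup can leave the two competing for the token unless scdaemon is told to go through PC/SC; if the card stops being detected after this, `disable-ccid` in `scdaemon.conf` is the usual remedy, so a comment such as `# pcscd for the YubiKey; scdaemon may need disable-ccid to share the reader` would help the next person.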