| author | 2026-04-21 01:24:58 +0100 | |
|---|---|---|
| committer | 2026-04-21 01:24:58 +0100 | |
| commit | c1343b0e0cf1df3bd04e8ad824af4ff96369080c (patch) | |
| tree | d6600322de0f34a6731dc528304e039138b1c118 | |
| parent | 964269520a9c438f63a8f314e308b3fea5f0772c (diff) | |
efistub -> UKI migration
Track /etc/kernel/cmdline and enable default_uki/fallback_uki in
linux.preset. Remove create-efi helper (UKI is self-contained; only
needed once at install time). Update bootstrap to print the one-off
efibootmgr command instead of launching create-efi.

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | .github/copilot-instructions.md | 4 |
| -rw-r--r-- | README.md | 7 |
| -rwxr-xr-x | bootstrap.sh | 7 |
| -rwxr-xr-x | dot_local/bin/executable_create-efi | 55 |
| -rw-r--r-- | etc/kernel/cmdline | 1 |
| -rw-r--r-- | etc/mkinitcpio.d/linux.preset | 8 |

6 files changed, 16 insertions, 66 deletions
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index e7e3b7d..0f384aa 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md 
@@ -17,8 +17,8 @@ The repo root is a chezmoi source directory. Files targeting `$HOME` use chezmoi - `meta/` contains plain text package lists for Arch Linux (one package per line, `#` comments). Each `.txt` file represents a group (e.g. `base.txt`, `dev.txt`, `wayland.txt`). Install with `just pkg-apply base dev` or `just pkg-apply` (all groups). Detect drift with `just pkg-status` (or `just status` for the aggregate). - `systemd-units/` contains plain text systemd unit lists paired by name with `meta/` groups (e.g. `systemd-units/base.txt` ↔ `meta/base.txt`). Units listed here are enabled by `just unit-apply` (run automatically by `just init`). Inspect with `just unit-list`, detect drift with `just unit-status`. - `firefox/` contains Firefox/LibreWolf hardening overrides (`user-overrides.js`) and custom CSS (`chrome/userChrome.css`). Deployed by `run_onchange_after_deploy-firefox.sh.tmpl`. -- `dot_local/bin/executable_create-efi` is an interactive EFI boot entry creation script using `efibootmgr` (deployed to `~/.local/bin/create-efi`). -- `bootstrap.sh` at the repo root is a POSIX shell script that takes a fresh minimal Arch install (only `base`) to a fully deployed state. It installs prerequisites, enables `%wheel` sudoers, bootstraps `paru-bin` from the AUR, clones the repo, runs `just init`, and optionally invokes `create-efi`. Designed to be curlable: `curl -fsSL .../bootstrap.sh | sh`. +- `dot_local/bin/executable_doasedit` (deployed to `~/.local/bin/doasedit`) is a small wrapper that emulates `sudoedit` for `doas`. +- `bootstrap.sh` at the repo root is a POSIX shell script that takes a fresh minimal Arch install (only `base`) to a fully deployed state. It installs prerequisites, enables `%wheel` sudoers, bootstraps `paru-bin` from the AUR, clones the repo, and runs `just init`. On EFI systems missing an Arch boot entry it prints the `efibootmgr` command to register the UKI. Designed to be curlable: `curl -fsSL .../bootstrap.sh | sh`. 
- `.chezmoiignore` excludes non-home files (`etc/`, `meta/`, `systemd-units/`, `firefox/`, docs) from deployment to `$HOME`. - `.githooks/` contains git hooks: `pre-commit` runs `just check` as a code quality gate (bypass with `--no-verify`); `post-commit` runs `chezmoi apply`. Activated by `just init`. - `justfile` uses a `DOMAIN-VERB` scheme across four domains (`dotfiles`, `etc`, `pkg`, `unit`) with chezmoi-aligned verbs (`add`, `forget`, `re-add`, `apply`, `diff`, `merge`, `status`). Top-level dispatchers (`add`, `forget`, `re-add`, `diff`, `merge`) sniff argument shape and delegate: args containing `/` → path (prefix `/?etc` → etc, else dotfiles); args ending in `.service`/`.timer`/`.socket`/`.mount`/`.target`/`.path` → unit; otherwise bare words → pkg. Full list: `init`, `sync`, `apply`, top-level `add`/`forget`/`re-add`/`diff`/`merge`/`status`; `dotfiles-add`/`forget`/`re-add`/`diff`/`merge`/`status`; `etc-add`/`forget`/`re-add`/`diff`/`merge`/`status`/`reset`/`restore`/`untrack`/`upstream-diff`; `pkg-add`/`forget`/`apply`/`fix`/`list`/`status` + `undeclared`; `unit-add`/`forget`/`apply`/`list`/`status`; `fmt`, `check-fmt`, `lint`, `check`, `doctor`. Run `just` or `just --list` for the menu. @@ -58,9 +58,10 @@ The script installs pacman prerequisites, enables `%wheel` in sudoers, builds `paru-bin` from the AUR, clones this repo to `~/dotfiles`, runs `just init`, enables recommended systemd units (fstrim, timesyncd, resolved, reflector, paccache, pkgstats, acpid, cpupower, iwd, plus tlp -on laptops), refreshes the pacman mirrorlist, creates XDG user -directories, and — on EFI systems missing an Arch boot entry — -launches `create-efi`. +on laptops), refreshes the pacman mirrorlist, and creates XDG user +directories. On EFI systems missing an Arch boot entry, it prints the +`efibootmgr` command to register the UKI (run after your first +`mkinitcpio -P`). ## Setup on an existing system diff --git a/bootstrap.sh b/bootstrap.sh index cbd10a3..dbc49a9 100755 
--- a/bootstrap.sh +++ b/bootstrap.sh @@ -88,8 +88,11 @@ fi # 8. optional: create an Arch EFI boot entry if none exists if [ -d /sys/firmware/efi ]; then if ! sudo efibootmgr 2>/dev/null | grep -iq arch; then - log 'no Arch Linux EFI boot entry found; launching create-efi' - "$HOME/.local/bin/create-efi" + warn 'no Arch Linux EFI boot entry found' + warn 'after first kernel install, run: sudo mkinitcpio -P' + warn 'then register the UKI with efibootmgr, for example:' + warn " sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 \\" + warn " --label 'Arch UKI' --loader '\\EFI\\Linux\\arch-linux.efi'" fi fi diff --git a/dot_local/bin/executable_create-efi b/dot_local/bin/executable_create-efi deleted file mode 100755 index 70cf1cc..0000000 --- a/dot_local/bin/executable_create-efi +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/usr/bin/env sh -set -e - -lsblk - -printf "Boot disk [sda]: " && read -r boot_disk -if [ -z "$boot_disk" ]; then - boot_disk='sda' -fi - -printf "Boot partition number [1]: " && read -r boot_partition_number -if [ -z "$boot_partition_number" ]; then - boot_partition_number='1' -fi - -printf "Root partition [sda2]: " && read -r root_partition -if [ -z "$root_partition" ]; then - root_partition='sda2' -fi -root_uuid="UUID=$(blkid -s UUID -o value /dev/"$root_partition")" - -printf "Kernel name [linux]: " && read -r kernel_name -if [ -z "$kernel_name" ]; then - kernel_name='linux' -fi - -printf "CPU vendor (intel/amd) [intel]: " && read -r cpu_vendor -if [ -z "$cpu_vendor" ]; then - cpu_vendor='intel' -fi - -printf "ESP (boot/efi) [boot]: " && read -r esp -if [ -z "$esp" ]; then - esp='boot' -fi - -printf "extra kernel parameters (e.g. mitigations=off): " && read -r extra_kernel_params - -printf "label [archlinux]: " && read -r label -if [ -z "$label" ]; then - label='archlinux' -fi -rel_path="" -rel_path2="" -if [ "$esp" = "efi" ]; then - rel_path='\EFI\arch' - rel_path2="/EFI/arch" -fi - -unicode_arg="cryptdevice=$root_uuid:root root=/dev/mapper/root rw initrd=$rel_path\\$cpu_vendor-ucode.img initrd=$rel_path\\initramfs-$kernel_name.img quiet $extra_kernel_params" - -set -x -pacman -S --needed "$cpu_vendor"-ucode -pacman -S --asdeps --needed efibootmgr -efibootmgr --disk /dev/"$boot_disk" --part "$boot_partition_number" --create --label "$label" --loader "$rel_path2"/vmlinuz-"$kernel_name" --unicode "$unicode_arg" diff --git a/etc/kernel/cmdline b/etc/kernel/cmdline new file mode 100644 index 0000000..d396f1e --- /dev/null +++ b/etc/kernel/cmdline @@ -0,0 +1 @@ +cryptdevice=UUID=81520bbc-1e7a-45e6-9465-cfc2e8b18945:root root=/dev/mapper/root rw quiet diff --git a/etc/mkinitcpio.d/linux.preset b/etc/mkinitcpio.d/linux.preset index d129cf6..c6e8929 100644 --- a/etc/mkinitcpio.d/linux.preset +++ b/etc/mkinitcpio.d/linux.preset 
@@ -7,11 +7,11 @@ ALL_kver="/boot/vmlinuz-linux" PRESETS=('default' 'fallback') #default_config="/etc/mkinitcpio.conf" -default_image="/boot/initramfs-linux.img" -#default_uki="/efi/EFI/Linux/arch-linux.efi" +#default_image="/boot/initramfs-linux.img" +default_uki="/boot/EFI/Linux/arch-linux.efi" #default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp" #fallback_config="/etc/mkinitcpio.conf" -fallback_image="/boot/initramfs-linux-fallback.img" -#fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi" +#fallback_image="/boot/initramfs-linux-fallback.img" +fallback_uki="/boot/EFI/Linux/arch-linux-fallback.efi" fallback_options="-S autodetect" |
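
Review bot: in the `.github/copilot-instructions.md` hunk, the line that replaces the `create-efi` bullet documents `dot_local/bin/executable_doasedit`, but that file is not among the six files this commit touches and the commit message does not mention it. Either delete the `create-efi` bullet outright here and document `doasedit` in the commit that adds it, or say in the commit message why the bullet belongs in a UKI migration.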
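
Review bot: in the `bootstrap.sh` hunk, the printed example hard-codes `--disk /dev/nvme0n1 --part 1`, whereas the removed helper prompted for the disk and partition (defaulting to `sda` and `1`); pasted as-is on a different layout it registers a boot entry against the wrong device. Print placeholders such as `<disk>` and `<part>`, or derive the values from the mounted ESP before printing. Two smaller points in the same hunk: the step comment `# 8. optional: create an Arch EFI boot entry if none exists` is now stale because the step only prints guidance, and the hint registers only `arch-linux.efi` although the preset in this commit also builds `arch-linux-fallback.efi`, so the fallback image has no boot entry unless the user adds one.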
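
Review bot: deleting `dot_local/bin/executable_create-efi` also removes the only visible microcode handling, namely `pacman -S --needed "$cpu_vendor"-ucode` at the end of the script and the `initrd=$rel_path\\$cpu_vendor-ucode.img` argument in `unicode_arg`. Nothing else in this patch shows the microcode package being installed or packed into the UKI, so confirm it is listed in one of the `meta/` groups and picked up by the mkinitcpio configuration, and say so in the commit message.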
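
Review bot: the new `etc/kernel/cmdline` commits a host-specific value, `cryptdevice=UUID=81520bbc-1e7a-45e6-9465-cfc2e8b18945:root`, where the removed helper computed it per machine with `blkid -s UUID -o value`. Because `bootstrap.sh` targets fresh installs, a UKI built from this tracked file on any other machine embeds a UUID that does not exist there and the root volume will not unlock. Generate the file during bootstrap, or track a placeholder and document that it must be edited before the first `mkinitcpio -P`.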
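
Review bot: in the `etc/mkinitcpio.d/linux.preset` hunk, `default_uki` and `fallback_uki` point at `/boot/EFI/Linux/...` while the commented template lines they replace used `/efi/EFI/Linux/...`, so the preset now assumes the ESP is mounted at `/boot`. The removed helper accepted either `boot` or `efi` for the ESP; on a host with the ESP at `/efi` the images are written outside the ESP and the `\EFI\Linux\arch-linux.efi` loader path printed by `bootstrap.sh` will not resolve. State the `/boot` assumption in a comment next to these two lines or in the README.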
