| Commit message | Author | Age | Files | Lines |

Promotes linux-hardened to the sole primary kernel and replaces
linux with linux-lts as the safety-net fallback. Rationale:
- linux and linux-hardened track the same upstream major version
and ship within days of each other, so 'linux' was a poor
fallback for the regression class that historically takes out
the hardened kernel on this hardware (e.g. checkpoint 026
wake-from-suspend panic). linux-lts lags by weeks/months and is
almost always known-good when hardened breaks.
- Drop etc/mkinitcpio.d/linux.preset, add linux-lts.preset.
Hardened preset header + bootstrap.sh efibootmgr instructions
updated accordingly (hardened registered first so it's the
default; lts registered as the on-demand fallback).
- Also add mkinitcpio-firmware (AUR) to silence the spurious
'missing firmware' warnings during initramfs builds.
Manual host-side steps after deploy:
paru -S linux-lts linux-lts-headers mkinitcpio-firmware
sudo pacman -Rsn linux # or via 'just pkg-apply' undeclared flow
sudo rm -f /etc/mkinitcpio.d/linux.preset # chezmoi-deployed, not pkg-owned
sudo mkinitcpio -P
sudo efibootmgr # add the Arch LTS entries, drop the stock linux ones
Note: meta/nvidia.txt still lists 'linux-headers' for nvidia-dkms.
That's a per-host concern; flagged for follow-up if any nvidia host
moves to the linux-lts world.
Pair each default UKI entry with its fallback so the boot order list
mirrors the four UKIs mkinitcpio produces. Fallback entries are
optional — UEFI firmware menus can usually pick UKIs from
/EFI/Linux/ directly — but having named entries lets you reorder /
--bootnext them without dropping into the firmware menu.
The hardened kernel ships as a parallel UKI; document its efibootmgr
registration alongside the stock one. Stock stays default-boot;
hardened is selected on demand (efibootmgr --bootnext or firmware menu).
Pacman's 'nix' package is already in meta/base.txt and provides the
same multi-user daemon setup (nix-daemon.socket already enabled via
systemd-units/system.txt; flakes already enabled via /etc/nix/nix.conf
from etc/). The curl-piped Determinate installer was adding nothing
on top — and on a host where pacman already installed nix, it would
create two competing nix binaries.
Changes:
- Add 'nix' to PREREQS so pacman installs it alongside the other
prerequisites, before 'just init' runs.
- Drop the curl install block.
- Source /etc/profile.d/nix.sh (or nix-daemon.sh) before 'just init'
so the nix-switch step inside 'just init' finds the binary in PATH.
Append two steps to the root bootstrap.sh:
5a. install nix via the Determinate Systems multi-user installer
(same as remote-dev/nix; gives us a proper nix-daemon.service).
5b. chsh to ~/.nix-profile/bin/zsh after appending to /etc/shells.
Add a 'just nix-switch' recipe that auto-picks the host vs vm profile
based on /etc/os-release ID, and wire it into 'just init' and
'just sync' so day-to-day reconciliation also re-applies Home-Manager.
The recipe is a no-op when nix isn't installed, so it stays safe for
pre-bootstrap states and for hosts where the user opts out.
Phase 8 of the nix-on-host migration plan.
AssumeInstalled is only a CLI flag (--assume-installed), not a
pacman.conf directive. The line I added was emitting a warning at
every pacman run and didn't actually keep base-devel from pulling
sudo.
Live with sudo installed: /usr/local/bin/sudo (-> sudo-rs) shadows
it via PATH precedence, so the /usr/bin/sudo binary is dead code
on disk. The alternative — maintaining a dummy 'provides=sudo'
package — is more cost than the ~1.5 MB it would save.
Update bootstrap.sh comment to reflect that sudo stays installed.
base-devel hard-depends on the sudo package, so without help, pacman
refuses to remove it. The Arch-native fix is pacman.conf's
AssumeInstalled directive: tell pacman to pretend a virtual
sudo=99.0 is installed and base-devel's dep is satisfied without
actually pulling sudo in.
- etc/pacman.conf: AssumeInstalled = sudo=99.0
- bootstrap.sh: after 'just init' (which writes the AssumeInstalled
line and installs sudo-rs), Rns the leftover sudo package so a
fresh install ends up with sudo-rs only.
Also reformat bootstrap.sh and the etc deploy script with the
project's shfmt style (-i 2 -ci -s).
doas's one-shot password and absent 'sudo -v' kept wasting hour-long
paru AUR builds. sudo-rs is a memory-safe Rust rewrite (ISRG/Ferrous
Systems), drop-in CLI compatible, and the same one Ubuntu 25.10 ships
as default. We follow the Arch wiki 'Using sudo-rs without the sudo
package' recipe verbatim — no custom shims.
- meta/base.txt: -doas-sudo-shim +sudo-rs
- etc/sudoers-rs (mode 0440): wiki minimal config + NOPASSWD reboot/poweroff
- etc/pam.d/sudo: 4-line copy of upstream sudo's PAM file
- run_onchange_after_deploy-etc.sh.tmpl: use real sudo, deploy sudoers-rs
at 0440, create /etc/pam.d/sudo-i and /usr/local/bin/{sudo,sudoedit,
su,visudo} → sudo-rs symlinks idempotently
- delete etc/doas.conf, dot_local/bin/{doasedit,sudo}
- zshrc: drop sudo=doas/sudoedit=doasedit aliases; rewrite ss/gimme/
pacdiff/ssys to call sudo
- justfile: s/doas/sudo/g (status/diff/restore helpers)
- nvim: rename :DoasWrite → :SudoWrite (uses sudo -S)
- sway config: reboot/poweroff buttons call sudo
- bootstrap.sh: update step-5 comment
- README/KEYBINDS/copilot-instructions: flip the privesc convention
No Defaults overrides: sudo's defaults (passwd_tries=3,
timestamp_timeout=5) already fix the doas pain, and paru SudoLoop
(kept) refreshes the 5-min window via real sudo -v.
- bootstrap.sh: the trailing backslash in the efibootmgr example is
literal text shown to the user, not shell line continuation.
Disable SC1003 with an inline directive and switch back to single
quotes so the backslash renders as-is.
- wifi-status.sh: reformat with shfmt -i 2 -ci -s.
Track /etc/kernel/cmdline and enable default_uki/fallback_uki in
linux.preset. Remove create-efi helper (UKI is self-contained; only
needed once at install time). Update bootstrap to print the one-off
efibootmgr command instead of launching create-efi.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce systemd-units/<group>.txt files paired by name with meta
groups (systemd-units/base.txt <-> meta/base.txt). Units listed there
are enabled by a new 'just services-enable' recipe, wired into 'just
init' so bootstrap.sh no longer needs its own systemctl loop.
New justfile recipes (Services section):
services          list curated units with enabled/active state
services-enable   idempotent 'systemctl enable --now', soft-fail per unit
services-drift    two-way diff vs systemctl list-unit-files
bootstrap.sh drops its hardcoded 9-unit loop and laptop TLP block
(~22 lines); 'just init' now handles it. tlp.service lives directly in
systemd-units/base.txt (no laptop gating).
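An added example, not the repository's justfile recipes, of the drift check and soft-fail enable loop the message above describes. The curated list and the systemctl output are constructed stand-ins; in real use the second one comes from `systemctl list-unit-files --state=enabled --no-legend`.

```shell
#!/bin/sh
# Constructed stand-in for systemd-units/base.txt (comments and blanks allowed).
CURATED='fstrim.timer
systemd-timesyncd.service
# tlp lives in base.txt directly, no laptop gating
tlp.service
iwd.service
'
# Constructed stand-in for: systemctl list-unit-files --state=enabled --no-legend
LISTED='fstrim.timer        enabled enabled
iwd.service         enabled enabled
sshd.service        enabled enabled
'

# Normalise the curated list: strip comments and blank lines, sort unique.
curated_units() {
  printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# Unit names are the first column of list-unit-files output.
listed_units() {
  printf '%s\n' "$1" | awk 'NF { print $1 }' | sort -u
}

# Curated but not enabled: the units services-enable has to act on.
drift_missing() {
  tmp=$(mktemp) && listed_units "$2" >"$tmp"
  curated_units "$1" | comm -23 - "$tmp"
  rm -f "$tmp"
}

# Enabled but not curated: unmanaged state the two-way diff should flag.
drift_unmanaged() {
  tmp=$(mktemp) && curated_units "$1" >"$tmp"
  listed_units "$2" | comm -23 - "$tmp"
  rm -f "$tmp"
}

# Soft-fail enable loop. $3 is the per-unit command (default: systemctl enable
# --now; pass a dry-run function to test). Failures are warned about and
# counted but never fatal, so one broken unit cannot abort a bootstrap run.
enable_missing() {
  cmd=${3:-systemctl enable --now}
  fails=0
  for u in $(drift_missing "$1" "$2"); do
    $cmd "$u" >/dev/null 2>&1 || { echo "warn: could not enable $u" >&2; fails=$((fails + 1)); }
  done
  echo "$fails"
}
```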
After 'just init' the script now:
- enables recommended systemd units that base.txt installs but nothing
was activating: fstrim.timer, systemd-timesyncd, systemd-resolved,
reflector.timer, paccache.timer, pkgstats.timer, acpid, cpupower, iwd
- enables tlp.service only when a battery is present
(/sys/class/power_supply/BAT*)
- refreshes the pacman mirrorlist via reflector using the already-
deployed /etc/xdg/reflector/reflector.conf
- runs xdg-user-dirs-update to create ~/Documents, ~/Downloads, etc.
Each step is soft-fail: warns and continues on failure rather than
aborting the whole bootstrap.
pacman.conf tuning is intentionally left out (should be managed via
chezmoi's etc/ pipeline). User creation is also out of scope; the
script continues to require the wheel user to exist beforehand, per
the Arch installation guide.
Takes a minimal Arch system (only 'base' installed) to the point where
'just init' has run and dotfiles are deployed. Installs prerequisites
(sudo, git, base-devel, chezmoi, just, efibootmgr), enables %wheel in
sudoers, bootstraps paru-bin from the AUR, clones the repo, runs
'just init' (which swaps sudo for doas-sudo-shim via the existing base
meta list), and launches create-efi if no Arch EFI boot entry exists.
Designed to be curlable:
curl -fsSL https://raw.githubusercontent.com/sommerfelddev/dotfiles/master/bootstrap.sh | sh