Install drone CLI

They will be installed by ansible, and are not required for the
ansible run.

.gitmodules

@@ -1,15 +1,15 @@
-[submodule "contrib/vim-plug"]
-	path = contrib/vim-plug
-	url = https://github.com/junegunn/vim-plug
 [submodule "ansible_roles/firefox"]
 	path = ansible_roles/firefox
 	url = https://github.com/staticdev/ansible-role-firefox
 [submodule "pkgbuilds/spotify"]
 	path = pkgbuilds/spotify
 	url = https://aur.archlinux.org/spotify.git
-[submodule "pkgbuilds/archlinux-java-run"]
+[submodule "pkgbuilds/nodejs-intelephense"]
-	path = pkgbuilds/archlinux-java-run
+	path = pkgbuilds/nodejs-intelephense
-	url = https://aur.archlinux.org/archlinux-java-run.git
+	url = https://aur.archlinux.org/nodejs-intelephense.git
-[submodule "pkgbuilds/portfolio"]
+[submodule "pkgbuilds/portfolio-performance-bin"]
-	path = pkgbuilds/portfolio
+	path = pkgbuilds/portfolio-performance-bin
-	url = https://aur.archlinux.org/portfolio.git
+	url = https://aur.archlinux.org/portfolio-performance-bin.git
+[submodule "pkgbuilds/vim-plug"]
+	path = pkgbuilds/vim-plug
+	url = https://aur.archlinux.org/vim-plug.git

_machines/neptune.yml

@@ -59,12 +59,12 @@ users:
     - personal_projects
 
 screen:
-  1: DP-3
+  1: DP-4-1-6
-  2: DP-3
+  2: DP-4-1-6
-  3: DP-4
+  3: DP-4-1-6
-  4: DP-4
+  4: DP-4-1-6
-  5: DP-4
+  5: DP-4-1-6
-  6: DP-4
+  6: DP-4-1-6
   7: eDP-1
   8: eDP-1
   9: eDP-1
@@ -72,9 +72,9 @@ screen:
 
 workspace:
   1: ""
-  2: ""
+  2: ""
-  3: " local"
+  3: ""
-  4: " remote"
+  4: ""
   7: ""
   8: ""
   9: ""

autostart/autostart.target.j2

@@ -2,7 +2,6 @@
 BindsTo=windowmanager.target
 After=windowmanager.target
 
-Wants=blueman.service
 Wants=dpms.service
 Wants=dunst.service
 {% for profile, config in (user.firefox_profiles|default({})).items() %}

autostart/services/blueman.service

@@ -1,8 +0,0 @@
-[Unit]
-BindsTo=autostart.target
-After=windowmanager.target
-
-[Service]
-ExecStart=/usr/bin/env blueman-applet
-PassEnvironment=DISPLAY
-Restart=always

autostart/services/gpg-agent.service

@@ -5,7 +5,7 @@ ConditionPathExists=%t/features/gpg_agent
 
 [Service]
 Type=forking
-ExecStart=/usr/bin/env gpg-agent --no-detach --daemon
+ExecStart=/usr/bin/env gpg-agent --daemon
 PassEnvironment=DISPLAY GNUPGHOME
 
 Restart=always

autostart/services/laptop-lid.service

@@ -5,6 +5,6 @@ ConditionPathExists=%t/features/machine_is_laptop
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/env bash -c 'grep "^${ACPI_LID_NAME}.*enabled" /proc/acpi/wakeup && echo " ${ACPI_LID_NAME}" | sudo tee /proc/acpi/wakeup'
+ExecStart=/usr/bin/env bash -c 'grep "^${ACPI_LID_NAME}.*enabled" /proc/acpi/wakeup && echo " ${ACPI_LID_NAME}" | sudo tee /proc/acpi/wakeup || true'
 RemainAfterExit=true
 PassEnvironment=DISPLAY

autostart/services/yubikey-touch-detector.service

@@ -3,6 +3,7 @@ BindsTo=autostart.target
 PartOf=gpg-agent.service
 After=windowmanager.target
 After=gpg-agent.service
+ConditionPathExists=%t/features/gpg_agent
 
 [Service]
 ExecStart=/usr/bin/env yubikey-touch-detector -libnotify

bin/qr

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+qrencode "$*" -o - | imv -

check-aur-updates.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+git submodule update --remote pkgbuilds/*

git/gitconfig.j2

@@ -71,6 +71,9 @@
     fileMode = true
     whitespace = "blank-at-eol,space-before-tab,blank-at-eof"
     abbrev = 8
+    pager = delta
+[interactive]
+    diffFilter = delta --color-only
 [color]
     ui = true
 [column]
@@ -78,7 +81,7 @@
 [push]
     default = simple
 [merge]
-    tool = vimdiff
+    conflictstyle = diff3
 [gc]
     auto = 0
 [advice]
@@ -105,7 +108,6 @@
     autoStash = true
 [diff]
     submodule = log
-    mnemonicPrefix = true
     renameLimit = 1199
 [branch]
     autoSetupMerge = true
@@ -124,3 +126,9 @@
 	directory = /var/lib/dotfiles
 [includeIf "gitdir:/var/lib/dotfiles"]
     path = /var/lib/dotfiles/gitcfg
+[delta]
+    navigate = true    # use n and N to move between diff sections
+
+    # delta detects terminal colors automatically; set one of these to disable auto-detection
+    # dark = true
+    # light = true

i3/config.j2

@@ -327,8 +327,9 @@ bindsym XF86AudioPrev exec --no-startup-id playerctl -p spotify previous
 bindsym XF86MonBrightnessUp   exec --no-startup-id xbacklight -inc 8 ; exec --no-startup-id $scriptdir/update-status
 bindsym XF86MonBrightnessDown exec --no-startup-id xbacklight -dec 8 ; exec --no-startup-id $scriptdir/update-status
 
-bindsym $mod+m exec --no-startup-id pactl set-source-mute '@DEFAULT_SOURCE@' toggle
+bindsym $mod+m exec     --no-startup-id pactl set-source-mute '@DEFAULT_SOURCE@' toggle
 bindsym $mod+space exec --no-startup-id pactl set-source-mute '@DEFAULT_SOURCE@' toggle
+bindsym KP_Enter   exec --no-startup-id pactl set-source-mute '@DEFAULT_SOURCE@' toggle
 
 ##############################################################################
 ### BARS #######################################################################
@@ -338,7 +339,6 @@ bar {
     mode dock
     position bottom
 
-    tray_output primary
     tray_padding 2
 
     strip_workspace_numbers no

i3/i3status-rust/config.toml.j2

@@ -68,6 +68,7 @@ interval = 1
 block = "battery"
 interval = 10
 format = " $icon $percentage $time "
+charging_format = " $icon $percentage "
 missing_format = ""
 
 [[block]]
@@ -101,7 +102,7 @@ command = "ping -n -q -w 2 -c 1 8.8.8.8 >/dev/null 2>/dev/null && printf '{\"tex
 [[block]]
 block = "custom"
 command = "curl -s 'https://wttr.in/Stockholm?m&T&format=%c%t' | sed 's/  / /g'"
-interval = 1800
+interval = 3600
 
 [[block]]
 block = "time"

install.sh

@@ -9,27 +9,6 @@ set -o errexit
 set -o nounset
 
 DOTDIR="/var/lib/dotfiles"
-_SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-
-[[ -e './.git' ]] && git submodule update --init
-
-if [[ "$(readlink "${_SCRIPT_DIR}")" != "${DOTDIR}" ]] && [[ "${_SCRIPT_DIR}" != "${DOTDIR}" ]] ; then
-    if [[ -e "${DOTDIR}" ]] ; then
-        2>&1 printf "${DOTDIR} already exists. This seems unsafe.\n"
-        exit 1
-    fi
-    printf "Moving directory to $DOTDIR ...\n"
-    sudo=""
-    if (( $(id -u ) != 0 )) ; then
-        sudo=sudo
-    fi
-    $sudo mv --no-target-directory "${_SCRIPT_DIR}" "${DOTDIR}"
-    printf "Done\n"
-else
-    printf "Already working in ${DOTDIR}, nothing to do\n"
-fi
-
-cd "${DOTDIR}"
 
 os_release_file=/etc/os-release
 if [[ ! -e "${os_release_file}" ]] ; then
@@ -37,10 +16,10 @@ if [[ ! -e "${os_release_file}" ]] ; then
     exit 1
 fi
 
-source /etc/os-release
+source "${os_release_file}"
 
 sudowrap() {
-    if (( $(id -u ) != 0 )) ; then
+    if (( $(id -u) != 0 )) ; then
         sudo "${@}"
     else
         "${@}"
@@ -48,31 +27,22 @@ sudowrap() {
 }
 
 cache_updated=0
-_install() {
+install() {
-    _package="$1" ; shift
+    local package="$1" ; shift
+
     if [[ $NAME == "Arch Linux" ]] ; then
-        sudowrap pacman -S --noconfirm "${_package}"
+        if (( ! cache_updated )) ; then
+            sudowrap pacman -Sy
+            cache_updated=1
+        fi
+        sudowrap pacman -S --needed --noconfirm "${package}"
     else
         2>&1 printf "Unsupported distro $NAME, exiting"
         exit 1
     fi
 }
 
+command -v make    >/dev/null || install "make"
+command -v ansible >/dev/null || install "ansible"
 
-if ! command -v python3 >/dev/null ; then
+cd "${DOTDIR}" && make
-    printf 'Python3 not installed, installing ...\n'
-    _install "python3"
-    printf 'Done\n'
-fi
-
-if ! command -v make >/dev/null ; then
-    printf 'Make not installed, installing ...\n'
-    _install "make"
-    printf 'Done\n'
-fi
-
-if [[ $NAME == "Arch Linux" ]] ; then
-    _install "ansible"
-fi
-
-cd "$DOTDIR" && make

install_scripts/ares.sh

@@ -1,14 +1,10 @@
 #!/usr/bin/env bash
 
-# Parameters:
-#
-# $1: Device
-
 set -o xtrace
 set -o nounset
 set -o errexit
 
-DEVICE="${1:?}"
+DEVICE="/dev/sda"
 
 if [[ ! -b "${DEVICE}" ]] ; then
     printf '%s does not look like a device' "${DEVICE}"
@@ -106,6 +102,28 @@ grub-mkconfig -o /boot/grub/grub.cfg
 systemctl enable NetworkManager
 
 passwd
+
+# enable root autologin on first boot
+
+mkdir /etc/systemd/system/getty@tty1.service.d/
+cat << EOF > /etc/systemd/system/getty@tty1.service.d/autologin.conf
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty -o '-p -f -- \\u' --noclear --autologin root %I $TERM
+EOF
+# ExecStartPost=/bin/rm /etc/systemd/system/getty@tty1.service.d/autologin.conf
+# ExecStartPost=/bin/rmdir /etc/systemd/system/getty@tty1.service.d/
+
+# Run
+cat << 'EOF' > /root/.bash_profile
+    if [[ "\$(tty)" == "/dev/tty1" ]] ; then
+        rm -rf /etc/systemd/system/getty@tty1.service.d/
+        if /var/lib/dotfiles/install.sh ; then
+            rm -f /root/.bash_profile
+            reboot
+        fi
+    fi
+EOF
 CHROOTSCRIPT
 
 chmod +x /mnt/chroot-script.sh

install_scripts/bootstrap.sh

@@ -3,22 +3,17 @@
 set -o nounset
 set -o errexit
 
+host="${1}"   ; shift
+
 pacman -Sy --noconfirm git # yes its a partial upgrade, but thats just the live cd
 
 cd /root
 git clone --recursive https://code.hkoerber.de/hannes/dotfiles.git
 
-./dotfiles/install_scripts/ares.sh /dev/sda
+./dotfiles/install_scripts/${host}.sh
 
-mv /root/dotfiles /mnt/root/dotfiles
+mv /root/dotfiles /mnt/var/lib/dotfiles
-cat << EOF > /mnt/root/.bash_profile
-if /root/dotfiles/install.sh ; then
-    rm -f /root/.bash_profile
-    reboot
-fi
-EOF
-
-umount -R /mnt
 
 read -p "> Ready for reboot. Press enter for shutdown, then remove the installation media and boot again "
+
 poweroff

install_scripts/neptune.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+
+set -o xtrace
+set -o nounset
+set -o errexit
+
+DEVICE="/dev/nvme0n1"
+
+if [[ ! -b "${DEVICE}" ]] ; then
+    printf '%s does not look like a device' "${DEVICE}"
+    exit 1
+fi
+
+if [[ ! -d /sys/firmware/efi/efivars ]] ; then
+    printf 'efivars does not exist, looks like the system is not booted in EFI mode'
+    exit 1
+fi
+
+loadkeys de-latin1
+
+timedatectl set-ntp true
+
+sed -e 's/\s*\([^#]*\).*/\1/' << EOF | sfdisk ${DEVICE}
+    label: gpt
+    device: ${DEVICE}
+
+    ${DEVICE}p1 : name=uefi      , size=512M , type=uefi
+    ${DEVICE}p2 : name=boot      , size=512M , type=linux
+    ${DEVICE}p3 : name=cryptpart ,             type=linux
+EOF
+
+# might take a bit for the new partion table to be updated in-kernel
+sleep 1
+
+cryptsetup --batch-mode luksFormat --iter-time 1000 ${DEVICE}p3
+cryptsetup --batch-mode open ${DEVICE}p3 cryptpart
+
+pvcreate /dev/mapper/cryptpart
+vgcreate vgbase /dev/mapper/cryptpart
+
+lvcreate -L 32G vgbase -n swap
+lvcreate -l 100%FREE vgbase -n root
+
+yes | mkfs.fat -F32 ${DEVICE}p1
+yes | mkfs.ext4 ${DEVICE}p2
+yes | mkfs.ext4 /dev/vgbase/swap
+yes | mkfs.ext4 /dev/vgbase/root
+
+mount /dev/vgbase/root /mnt
+
+mkdir /mnt/efi
+mount ${DEVICE}p1 /mnt/efi
+
+mkdir /mnt/boot
+mount ${DEVICE}p2 /mnt/boot
+
+mkswap /dev/vgbase/swap
+swapon /dev/vgbase/swap
+
+pacstrap /mnt base linux-zen linux-firmware networkmanager intel-ucode lvm2 grub efibootmgr
+
+genfstab -U /mnt >> /mnt/etc/fstab
+
+cat << CHROOTSCRIPT > /mnt/chroot-script.sh
+
+set -o xtrace
+set -o errexit
+set -o nounset
+
+ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+hwclock --systohc
+
+sed -i 's/^#de_DE.UTF-8 UTF-8/de_DE.UTF-8 UTF-8/' /etc/locale.gen
+sed -i 's/^#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
+
+locale-gen
+
+printf 'LANG=en_US.UTF-8\n' > /etc/locale.conf
+
+printf 'KEYMAP=de-latin1\nFONT=lat2-16\n' > /etc/vconsole.conf
+
+printf 'neptune\n' > /etc/hostname
+
+cat <<EOF > /etc/hosts
+127.0.0.1 localhost
+::1       localhost
+127.0.1.1 neptune
+EOF
+
+sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems resume fsck)/' /etc/mkinitcpio.conf
+
+mkinitcpio -P
+
+grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
+
+sed -i "s/^GRUB_CMDLINE_LINUX=.*$/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=\$(blkid -s UUID -o value ${DEVICE}p3):cryptpart root=UUID=\$(blkid -s UUID -o value /dev/vgbase/root)\"/" /etc/default/grub
+sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*$/GRUB_CMDLINE_LINUX_DEFAULT=\"resume=UUID=\$(blkid -s UUID -o value /dev/vgbase/swap)\"/" /etc/default/grub
+sed -i 's/^GRUB_DISABLE_RECOVERY=.*$/GRUB_DISABLE_RECOVERY=/' /etc/default/grub
+
+grub-mkconfig -o /boot/grub/grub.cfg
+
+systemctl enable NetworkManager
+
+passwd
+
+# enable root autologin on first boot
+
+mkdir /etc/systemd/system/getty@tty1.service.d/
+cat << EOF > /etc/systemd/system/getty@tty1.service.d/autologin.conf
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty -o '-p -f -- \\u' --noclear --autologin root %I $TERM
+EOF
+# ExecStartPost=/bin/rm /etc/systemd/system/getty@tty1.service.d/autologin.conf
+# ExecStartPost=/bin/rmdir /etc/systemd/system/getty@tty1.service.d/
+
+# Run
+cat << 'EOF' > /root/.bash_profile
+    if [[ "\$(tty)" == "/dev/tty1" ]] ; then
+        rm -rf /etc/systemd/system/getty@tty1.service.d/
+        if /var/lib/dotfiles/install.sh ; then
+            rm -f /root/.bash_profile
+            reboot
+        fi
+    fi
+EOF
+CHROOTSCRIPT
+
+chmod +x /mnt/chroot-script.sh
+arch-chroot /mnt /chroot-script.sh
+rm -f /mnt/chroot-script.sh

packages.yml

@@ -1,5 +1,9 @@
 packages:
   list:
+    kernel:
+      archlinux:
+        - linux-zen-headers
+        - linux-zen-docs
     build-essentials:
       archlinux:
         - gcc
@@ -7,6 +11,9 @@ packages:
         - cmake
         - maven
         - base-devel
+    posix:
+      archlinux:
+        - posix
     make:
       archlinux: ["make"]
     gdb:
@@ -15,6 +22,8 @@ packages:
       archlinux: ["strace"]
     sudo:
       archlinux: ["sudo"]
+    doas:
+      archlinux: ["opendoas"]
     apt:
       archlinux: [""]
     xorg:
@@ -53,7 +62,7 @@ packages:
       archlinux: ["noto-fonts-emoji"]
     git:
       # tk required for gitk
-      archlinux: ["git", "tk"]
+      archlinux: ["git", "tk", "git-delta"]
     htop:
       archlinux: ["htop"]
     feh:
@@ -97,7 +106,7 @@ packages:
     pandoc:
       archlinux: ["pandoc", "texlive-core", "texlive-fontsextra", "texlive-latexextra"]
     libvirt:
-      archlinux: ["virt-manager", "libvirt", "dnsmasq", "ebtables", "dmidecode", "virt-install", "virt-viewer"]
+      archlinux: ["virt-manager", "libvirt", "dnsmasq", "ebtables", "dmidecode", "virt-install", "virt-viewer", "libguestfs", "edk2-ovmf"]
     firefox:
       archlinux: ["firefox"]
     ranger:
@@ -131,8 +140,6 @@ packages:
       archlinux: ["wireshark-cli", "wireshark-qt"]
     nmap:
       archlinux: ["nmap"]
-    openvpn:
-      archlinux: ["openvpn"]
     curl:
       archlinux: ["curl"]
     wget:
@@ -180,8 +187,6 @@ packages:
       archlinux: ["cowsay"]
     ruby:
       archlinux: ["ruby"]
-    lxc:
-      archlinux: ["lxc"]
     acpi:
       archlinux: ["acpi", "acpid"]
     nodejs:
@@ -192,10 +197,6 @@ packages:
       archlinux: ["dunst"]
     cloc:
       archlinux: ["cloc"]
-    bluetooth:
-      archlinux: ["bluez", "bluez-tools", "blueman"]
-    autorandr:
-      archlinux: ["autorandr"]
     bwm-ng:
       archlinux: ["bwm-ng"]
     virtualbox:
@@ -212,8 +213,14 @@ packages:
       archlinux: ["rclone"]
     dnf:
       archlinux: ["dnf"]
-    rustup:
+    rust:
-      archlinux: ["rustup"]
+      archlinux:
+        - rustup
+        - cargo-edit
+        - cargo-msrv
+        - cargo-watch
+        - cargo-release
+        - cargo-sort
     musescore:
       archlinux: ["musescore"]
     sipcalc:
@@ -256,6 +263,8 @@ packages:
       archlinux: ["xf86-input-synaptics"]
     ncdu:
       archlinux: ["ncdu"]
+    dust:
+      archlinux: ["dust"]
     font-utils:
       archlinux: ["woff2"]
     jq:
@@ -306,6 +315,8 @@ packages:
       archlinux:
         - bash
         - bash-language-server
+        - shellcheck
+        - shfmt
     packer:
       archlinux: ["packer"]
     c:
@@ -328,6 +339,7 @@ packages:
     json:
       archlinux:
         - vscode-json-languageserver
+        - gron
     markdown:
       archlinux:
         - marksman
@@ -351,6 +363,63 @@ packages:
     telnet:
       archlinux:
         - inetutils
+    cloudformation-tools:
+      archlinux:
+        - python-cfn-lint
+    johntheripper:
+      archlinux:
+        - john
+    age:
+      archlinux:
+        - age
+    httpie:
+      archlinux:
+        - httpie
+    yt-dlp:
+      archlinux:
+        - yt-dlp
+    ytfzf:
+      archlinux:
+        - ytfzf
+        - ueberzug
+    ffmpeg:
+      archlinux:
+        - ffmpeg
+    zeal:
+      archlinux:
+        - zeal
+    kcharselect:
+      archlinux:
+        - kcharselect
+    bottom:
+      archlinux:
+        - bottom
+    # for iotop
+    sysstat:
+      archlinux:
+        - sysstat
+    qrencode:
+      archlinux:
+        - qrencode
+    iotop:
+      archlinux:
+        - iotop
+    w3m:
+      archlinux:
+        - w3m
+    ruff:
+      archlinux:
+        - ruff
+    mold:
+      archlinux:
+        - mold
+    arch-packaging:
+      archlinux:
+        - namcap
+        - devtools
+    dron:
+      archlinux:
+        - drone-cli
 
   remove:
     mousepad:
@@ -361,3 +430,11 @@ packages:
       archlinux: ["rust"]
     screen:
       archlinux: ["screen"]
+    lxc:
+      archlinux: ["lxc"]
+    autorandr:
+      archlinux: ["autorandr"]
+    openvpn:
+      archlinux: ["openvpn"]
+    bluetooth:
+      archlinux: ["bluez", "bluez-tools", "blueman"]

test.sh

@@ -0,0 +1,266 @@
+#!/usr/bin/env bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+tmpdir="$(mktemp -d --tmpdir=/var/tmp)"
+
+trap cleanup EXIT
+
+ISO_MIRROR="https://ftp.fau.de/archlinux/iso/latest/"
+ISO_MIRROR="https://ftp.acc.umu.se/mirror/archlinux/iso/latest/"
+
+iso_dir="${XDG_DATA_HOME}/arch-iso/"
+iso_path="${iso_dir}/archlinux-x86_64.iso"
+
+cleanup() {
+    rm -rf "${tmpdir}"
+    pids=()
+    jobs -p | while IFS="" read -r line; do pids+=("$line"); done
+    kill "${pids[@]}"
+}
+
+download_iso() {
+    mkdir -p "${iso_dir}"
+    (
+        cd "${iso_dir}"
+        wget \
+            --timestamping \
+            --no-hsts \
+            "${ISO_MIRROR}sha256sums.txt"
+
+        if [[ ! -e "${iso_path}" ]] || ! sha256sum --ignore-missing --check ./sha256sums.txt; then
+            wget \
+                --no-hsts \
+                --output-document "${iso_path}" \
+                "${ISO_MIRROR}archlinux-x86_64.iso"
+        fi
+    )
+}
+
+disk="${tmpdir}/disk.qcow2"
+
+mon_sock="${tmpdir}/mon.sock"
+
+sshopts=(
+    -o StrictHostKeyChecking=no
+    -o UserKnownHostsFile=/dev/null
+    -o PreferredAuthentications=publickey
+    -o ConnectTimeout=1s
+    -i "${tmpdir}/ssh.key"
+    -l root
+    -p 60022
+    127.0.0.1
+)
+
+wait_for_ssh() {
+    echo "waiting for ssh"
+    set +o errexit
+    maxtries=60
+    tries=0
+    while ! ssh -q "${sshopts[@]}" true; do
+        ((tries++))
+        if ((tries > maxtries)); then
+            echo "ssh did not become available"
+            exit 3
+        fi
+        sleep 1
+    done
+    echo "ssh available"
+    set -o errexit
+}
+
+qemuopts=(
+    "-m" "size=8G"
+    "-drive" "file=${disk},format=qcow2,if=none,id=root"
+
+    "-accel" "kvm"
+
+    "-drive" "if=pflash,format=raw,readonly=true,file=/usr/share/ovmf/x64/OVMF_CODE.fd"
+    "-drive" "if=pflash,format=raw,file=${tmpdir}/efivars.fd"
+    "-machine" "q35,smm=on,acpi=on"
+    "-smp" "cpus=8,sockets=1,cores=8,threads=1"
+    "-cpu" "host"
+
+    "-netdev" "user,id=net0,hostfwd=tcp::60022-:22"
+    "-device" "virtio-net-pci,netdev=net0"
+
+    "-nodefaults"
+
+    "-vga" "virtio"
+    "-display" "spice-app"
+)
+
+send_mon() {
+    local socket="${1}"
+    patterns=(
+        -e 's/ /spc/'
+        -e 's/\./dot/'
+        -e 's/,/comma/' -e 's/-/slash/'
+        -e 's/\//shift-7/'
+        -e 's/\([A-Z]\)/shift-\L\1/'
+        -e 's/=/shift-0/'
+        -e 's/"/shift-2/'
+        -e "s/'/shift-0x2b/"
+        # ^ is a dead key, we would have to send a space to be precise. but it's
+        # going to work out as long as the following char does not combine
+        -e 's/\^/0x29/'
+        -e 's/#/0x2b/'
+        -e 's/\?/shift-0x0c/'
+        -e 's/\\/alt_r-0x0c/' # altgr is alt_r
+        -e 's/\*/shift-0x1b/'
+        -e 's/(/shift-0x09/'
+        -e 's/)/shift-0x0a/'
+        -e 's/^/sendkey /'
+    )
+
+    cat \
+        <(fold -w 1 |
+            sed "${patterns[@]}") \
+        <(echo "sendkey ret") |
+        nc -N -U "${socket}"
+
+    echo "sendkey ret" | nc -N -U "${socket}"
+}
+
+install_from_iso() {
+    local hostname="${1}"
+    shift
+    local hostqemuopts=("$@")
+    rm -rf "${tmpdir:?}"/*
+
+    ssh-keygen -f "${tmpdir}"/ssh.key -N '' -t ed25519 -C 'archiso-tmp'
+
+    cloud-localds "${tmpdir}/userdata.img" <(
+        cat <<EOF
+    #cloud-config
+    users:
+      - name: root
+        ssh_authorized_keys:
+          - $(cat "${tmpdir}"/ssh.key.pub)
+
+EOF
+    )
+
+    cp /usr/share/ovmf/x64/OVMF_VARS.fd "${tmpdir}/efivars.fd"
+    mkisofs \
+        -uid 0 \
+        -gid 0 \
+        -J \
+        -R \
+        -T \
+        -V REPO \
+        -o "${tmpdir}/repo.iso" \
+        .
+
+    qemu-img create \
+        -f qcow2 \
+        "${disk}" \
+        1000G
+
+    opts=(
+        "-cdrom" "${iso_path}"
+        "-boot" "order=d"
+
+        "-drive" "file=${tmpdir}/repo.iso,format=raw,if=virtio,media=cdrom"
+        "-drive" "file=${tmpdir}/userdata.img,format=raw,if=virtio,media=cdrom"
+
+        "-fsdev" "local,id=pacman-cache,path=share,path=/var/cache/pacman/pkg/,readonly=on,security_model=none"
+        "-device" "virtio-9p-pci,fsdev=pacman-cache,mount_tag=pacman-cache"
+    )
+
+    qemu-system-x86_64 -name "${hostname}" "${qemuopts[@]}" "${hostqemuopts[@]}" "${opts[@]}" &
+    wait_for_ssh
+
+    # shellcheck disable=SC2087
+    ssh -tt "${sshopts[@]}" <<EOF || true
+      mkdir /var/cache/pacman-cache-host
+      mount -t 9p -o trans=virtio,version=9p2000.L,ro pacman-cache /var/cache/pacman-cache-host
+
+      # Uncomment CacheDir and prepend the host pacman cache as cachedir
+      # At worst, the cache directory will be ignored if it does not exist
+      # Pacman will always use the first directory with write access for downloads
+      sed -i 's/^#\?\(CacheDir.*\)/\1\nCacheDir = \/var\/cache\/pacman-cache-host\//' /etc/pacman.conf
+
+      mkdir /repo/
+      mount /dev/disk/by-label/REPO /repo/
+
+      printf 'lukspw\nlukspw\nrootpw\nrootpw\n' | \
+        /repo/install_scripts/"${hostname}".sh
+
+      mount /dev/mapper/vgbase-root /mnt
+
+      cat << SPECIALS > /tmp/specials.sh
+        if [[ "\\\$(tty)" == "/dev/tty1" ]] ; then
+          mkdir /var/cache/pacman-cache-host
+          mount -t 9p -o trans=virtio,version=9p2000.L,ro pacman-cache /var/cache/pacman-cache-host
+
+          # Uncomment CacheDir and prepend the host pacman cache as cachedir
+          # At worst, the cache directory will be ignored if it does not exist
+          # Pacman will always use the first directory with write access for downloads
+          sed -i 's/^#\?\(CacheDir.*\)/\1\nCacheDir = \/var\/cache\/pacman-cache-host\//' /etc/pacman.conf
+        fi
+SPECIALS
+
+      mv /mnt/root/.bash_profile /tmp/rest.sh
+
+      cat /tmp/specials.sh /tmp/rest.sh > /mnt/root/.bash_profile
+
+      rsync -rl /repo/ /mnt/var/lib/dotfiles/
+
+      umount /mnt
+
+      poweroff
+EOF
+
+    wait
+}
+
+configure_new_system() {
+    local hostname="${1}"
+    shift
+    local hostqemuopts=("${@}")
+
+    opts=(
+        "-fsdev" "local,id=pacman-cache,path=share,path=/var/cache/pacman/pkg/,readonly=on,security_model=none"
+        "-device" "virtio-9p-pci,fsdev=pacman-cache,mount_tag=pacman-cache"
+
+        "-monitor" "unix:${mon_sock},server=on,wait=off"
+    )
+
+    qemu-system-x86_64 -name "${hostname}" "${qemuopts[@]}" "${hostqemuopts[@]}" "${opts[@]}" &
+
+    # 5s for grub timeout, 5s for kernel boot
+    echo waiting for luks password prompt ...
+    sleep 10s
+    echo 'lukspw' | send_mon "${mon_sock}"
+
+    echo waiting for boot ...
+    sleep 10s
+    wait
+}
+
+machines=(ares neptune)
+if (($# > 0)); then
+    machines=("${@}")
+fi
+
+download_iso
+
+for hostname in "${machines[@]}"; do
+    case "${hostname}" in
+    ares)
+        hostqemuopts=("-device" "ide-hd,drive=root")
+        ;;
+    neptune)
+        hostqemuopts=("-device" "nvme,serial=rootnvme,drive=root")
+        ;;
+    *)
+        exit 1
+        ;;
+    esac
+    [[ ! "${hostqemuopts[*]}" ]] && exit 1
+    install_from_iso "${hostname}" "${hostqemuopts[@]}"
+    configure_new_system "${hostname}" "${hostqemuopts[@]}"
+done

user.yml

@@ -8,7 +8,6 @@
       - sudonopw
       - games
       - kvm
-  tags: [always]
 
 - name: create user group
   group:
@@ -25,15 +24,7 @@
     create_home: true
     groups: "{{ [user.name, 'dotfiles'] + user_groups }}"
     shell: /usr/bin/zsh
-
+    skeleton: /dev/null
-  become: true
-  become_user: root
-
-- name: configure sudoers
-  lineinfile:
-    path: /etc/sudoers
-    line: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL"
-    regexp: "^{{ user.name }}\\s+"
   become: true
   become_user: root
 
@@ -48,30 +39,29 @@
     - "/home/{{ user.name }}/.config/systemd/"
     - "/home/{{ user.name }}/.config/systemd/user/"
 
-- set_fact:
+- name: disable undesired services
-    undesired_user_services:
+  tags:
-      - gpg-agent.socket
+    - undesired-services
-      - gpg-agent-browser.socket
+  block:
-      - gpg-agent-ssh.socket
+    - set_fact:
-      - gpg-agent-extra.socket
+        undesired_user_services:
-      - xdg-user-dirs-update.service
+          - gpg-agent.socket
-      - gnome-keyring-daemon.service
+          - gpg-agent.sock.service
+          - gpg-agent-browser.socket
+          - gpg-agent-ssh.socket
+          - gpg-agent-extra.socket
+          - xdg-user-dirs-update.service
+          - gnome-keyring-daemon.service
 
-- name: stop undesired service
+    # systemd needs a login session, machinectl handles that for us
-  systemd_service:
+    - name: stop and mask undesired services
-    name: "{{ item }}"
+      command:
-    scope: user
+        cmd: machinectl --quiet --uid {{ user.name }} shell -- .host /usr/bin/env systemctl --user mask --now "{{ item }}"
-    state: stopped
+      become: true
-  loop: "{{ undesired_user_services }}"
+      become_user: root
-
+      register: undesired_service_cmd
-# No way to use the `systemd` module here, as it needs a logind
+      changed_when: undesired_service_cmd.stderr != ""
-# session. So we have to handle the symlinks for masking ourselves.
+      loop: "{{ undesired_user_services }}"
-- name: disable and mask systemd user units
-  file:
-    state: link
-    dest: "/home/{{ user.name }}/.config/systemd/user/{{ item }}"
-    src: "/dev/null"
-  loop: "{{ undesired_user_services }}"
 
 - name: create directory for getty autologin
   file:
@@ -96,359 +86,343 @@
   become: true
   become_user: root
 
-- block:
+- name: configure dotfiles
-  - name: load dotfile list
-    include_vars:
-      file: dotfiles.yml
-
-  - name: get state of empty directories
-    stat:
-      path: ~/{{ item.name }}
-    register: empty_dir_stat
-    with_items: "{{ empty_directories }}"
-    check_mode: false
-    loop_control:
-      label: "{{ item.name }}"
-
-  - name: remove symlinks
-    file:
-      path: "{{ item.stat.path }}"
-      state: absent
-    when: item.stat.exists and item.stat.islnk
-    with_items: "{{ empty_dir_stat.results }}"
-    loop_control:
-      label: "{{ item.item.name }}"
-
-  - name: create empty directories for dotfiles
-    file:
-      state: directory
-      path: ~/{{ item.name }}
-      mode: "{{ item.mode | default('0755') }}"
-    with_items: "{{ empty_directories }}"
-    loop_control:
-      label: "{{ item.name }}"
-
-  - name: link this folder to ~/.dotfiles
-    file:
-      state: link
-      force: true
-      follow: false
-      owner: "{{ user.name }}"
-      group: "{{ user.name }}"
-      path: "/home/{{ user.name }}/.dotfiles"
-      src: "{{ playbook_dir }}"
-    become: true
-    become_user: root
-
-  - name: get state of copy targets
-    stat:
-      path: ~/{{ item.to }}
-    register: copy_stat
-    when: not item.template|default(false)
-    with_items: "{{ dotfiles }}"
-    check_mode: false
-    loop_control:
-      label: "{{ item.to }}"
-
-  - name: remove invalid copy target (directories)
-    file:
-      path: "{{ item.stat.path }}"
-      state: absent
-    when:
-      - not item.skipped is defined or not item.skipped
-      - item.stat.exists
-      - item.stat.isdir
-    with_items: "{{ copy_stat.results }}"
-    loop_control:
-      label: "{{ item.item.from }}"
-
-  - name: make sure target directories exist
-    file:
-      state: directory
-      path: "{{ (['/home', user.name, item.to]|join('/')) | dirname }}"
-      owner: "{{ user.name }}"
-      group: "{{ user.name }}"
-    with_items: "{{ dotfiles }}"
-    become: true
-    become_user: root
-    loop_control:
-      label: "{{ item.to }}"
-
-  - name: link dotfiles
-    file:
-      state: link
-      force: true
-      follow: false
-      path: "/home/{{ user.name }}/{{ item.to }}"
-      src: /var/lib/dotfiles/{{ item.from }}
-      owner: "{{ user.name }}"
-      group: "{{ user.name }}"
-    when: not item.template|default(false)
-    with_items: "{{ dotfiles }}"
-    become: true
-    become_user: root
-    loop_control:
-      label: "{{ item.to }}"
-
-  - name: get state of template targets
-    stat:
-      path: ~/{{ item.to }}
-    register: template_stat
-    when: item.template|default(false)
-    with_items: "{{ dotfiles }}"
-    check_mode: false
-    loop_control:
-      label: "{{ item.to }}"
-
-  - name: remove invalid template target (directory or symlink)
-    file:
-      path: "{{ item.stat.path }}"
-      state: absent
-    when:
-      - not item.skipped is defined or not item.skipped
-      - item.stat.exists
-      - not item.stat.isreg
-    with_items: "{{ template_stat.results }}"
-    loop_control:
-      label: "{{ item.item.to }}"
-
-  - name: deploy dotfiles templates
-    template:
-      src: /var/lib/dotfiles/{{ item.from }}.j2
-      dest: "/home/{{ user.name }}/{{ item.to }}"
-      owner: "{{ user.name }}"
-      group: "{{ user.name }}"
-      force: true
-    become: true
-    become_user: root
-    when: item.template|default(false)
-    with_items: "{{ dotfiles }}"
-    loop_control:
-      label: "{{ item.to }}"
-
-  - name: remove dotfiles
-    file:
-      state: absent
-      path: "/home/{{ user.name }}/{{ item }}"
-    loop: "{{ dotfiles_remove }}"
-
-  - name: create directories
-    file:
-      state: directory
-      path: "{{ item }}"
-    with_items:
-      - ~/tmp
-
-  - name: stat ~/bin
-    stat:
-      path: "/home/{{ user.name }}/bin"
-    register: bin_stat
-    check_mode: false
-
-  - name: remove ~/bin if not a link
-    file:
-      state: absent
-      path: "/home/{{ user.name }}/bin"
-    when:
-      - bin_stat.stat.exists
-      - not bin_stat.stat.islnk
-
-  - name: link bin directory
-    file:
-      state: link
-      force: true
-      follow: false
-      path: "/home/{{ user.name }}/bin"
-      src: /var/lib/dotfiles/bin
-      owner: "{{ user.name }}"
-      group: "{{ user.name }}"
   tags:
     - dotfiles
+  block:
+    - name: load dotfile list
+      include_vars:
+        file: dotfiles.yml
 
-- block:
+    - name: get state of empty directories
-  - name: create intermediate directories for vim-plug
+      stat:
-    file:
+        path: ~/{{ item.name }}
-      path: "{{ item }}"
+      register: empty_dir_stat
-      state: directory
+      with_items: "{{ empty_directories }}"
-    with_items:
+      check_mode: false
-      - ~/.local/
+      loop_control:
-      - ~/.local/share/
+        label: "{{ item.name }}"
-      - ~/.local/share/nvim/
-      - ~/.local/share/nvim/site/
-      - ~/.local/share/nvim/site/autoload/
 
-  - name: install vim-plug
+    - name: remove symlinks
-    copy:
+      file:
-      src: contrib/vim-plug/plug.vim
+        path: "{{ item.stat.path }}"
-      dest: ~/.local/share/nvim/site/autoload/plug.vim
+        state: absent
-      owner: "{{ user.name }}"
+      when: item.stat.exists and item.stat.islnk
-      group: "{{ user.name }}"
+      with_items: "{{ empty_dir_stat.results }}"
-      mode: "0644"
+      loop_control:
+        label: "{{ item.item.name }}"
 
-  - name: install vim plugins
+    - name: create empty directories for dotfiles
-    command: nvim --headless +PlugInstall +qall
+      file:
-    register: vim_plugin_install
+        state: directory
-    changed_when: vim_plugin_install.stderr != ""
+        path: ~/{{ item.name }}
+        mode: "{{ item.mode | default('0755') }}"
+      with_items: "{{ empty_directories }}"
+      loop_control:
+        label: "{{ item.name }}"
 
-  - name: update vim plugins
+    - name: link this folder to ~/.dotfiles
-    command: nvim --headless +PlugUpdate +qall
+      file:
-    register: vim_plugin_update
+        state: link
-    changed_when: vim_plugin_update.stderr != ""
+        force: true
+        follow: false
+        owner: "{{ user.name }}"
+        group: "{{ user.name }}"
+        path: "/home/{{ user.name }}/.dotfiles"
+        src: "{{ playbook_dir }}"
+      become: true
+      become_user: root
 
-  tags: [vim-plugins]
+    - name: get state of copy targets
+      stat:
+        path: ~/{{ item.to }}
+      register: copy_stat
+      when: not item.template|default(false)
+      with_items: "{{ dotfiles }}"
+      check_mode: false
+      loop_control:
+        label: "{{ item.to }}"
 
-- block:
+    - name: remove invalid copy target (directories)
-  - name: create firefox directories
+      file:
-    firefox_profile:
+        path: "{{ item.stat.path }}"
-      name: "{{ item.key }}"
+        state: absent
-    loop: "{{ user.firefox_profiles | dict2items }}"
+      when:
-    register: firefox_profile_names
+        - not item.skipped is defined or not item.skipped
+        - item.stat.exists
+        - item.stat.isdir
+      with_items: "{{ copy_stat.results }}"
+      loop_control:
+        label: "{{ item.item.from }}"
 
-  - set_fact:
+    - name: make sure target directories exist
-      firefox_preferences:
+      file:
-        browser.aboutConfig.showWarning: false
+        state: directory
-        extensions.pocket.enabled: false
+        path: "{{ (['/home', user.name, item.to]|join('/')) | dirname }}"
-        toolkit.legacyUserProfileCustomizations.stylesheets: true
+        owner: "{{ user.name }}"
-        browser.contentblocking.category: "strict"
+        group: "{{ user.name }}"
-        browser.newtabpage.enabled: false
+      with_items: "{{ dotfiles }}"
-        browser.shell.checkDefaultBrowser: false
+      become: true
-        browser.startup.homepage: "about:blank"
+      become_user: root
-        privacy.trackingprotection.enabled: true
+      loop_control:
-        privacy.trackingprotection.socialtracking.enabled: true
+        label: "{{ item.to }}"
-        general.smoothScroll: false
 
-        # Restore last session on startup
+    - name: link dotfiles
-        # https://support.mozilla.org/de/questions/1235263
+      file:
-        browser.startup.page: 3
+        state: link
-        browser.sessionstore.resume_from_crash: true
+        force: true
+        follow: false
+        path: "/home/{{ user.name }}/{{ item.to }}"
+        src: /var/lib/dotfiles/{{ item.from }}
+        owner: "{{ user.name }}"
+        group: "{{ user.name }}"
+      when: not item.template|default(false)
+      with_items: "{{ dotfiles }}"
+      become: true
+      become_user: root
+      loop_control:
+        label: "{{ item.to }}"
 
-        # "Play DRM-controlled content"
+    - name: get state of template targets
-        media.eme.enabled: true
+      stat:
+        path: ~/{{ item.to }}
+      register: template_stat
+      when: item.template|default(false)
+      with_items: "{{ dotfiles }}"
+      check_mode: false
+      loop_control:
+        label: "{{ item.to }}"
 
-        # "Recommend (extensions|features) as you browse"
+    - name: remove invalid template target (directory or symlink)
-        browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons: false
+      file:
-        browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features: false
+        path: "{{ item.stat.path }}"
+        state: absent
+      when:
+        - not item.skipped is defined or not item.skipped
+        - item.stat.exists
+        - not item.stat.isreg
+      with_items: "{{ template_stat.results }}"
+      loop_control:
+        label: "{{ item.item.to }}"
 
-        # "Ask to save logins and passwords for websites"
+    - name: deploy dotfiles templates
-        signon.rememberSignons: false
+      template:
+        src: /var/lib/dotfiles/{{ item.from }}.j2
+        dest: "/home/{{ user.name }}/{{ item.to }}"
+        owner: "{{ user.name }}"
+        group: "{{ user.name }}"
+        force: true
+      become: true
+      become_user: root
+      when: item.template|default(false)
+      with_items: "{{ dotfiles }}"
+      loop_control:
+        label: "{{ item.to }}"
 
-        # "Allow Firefox to make personalized extension recommendations"
+    - name: remove dotfiles
-        browser.discovery.enabled: false
+      file:
+        state: absent
+        path: "/home/{{ user.name }}/{{ item }}"
+      loop: "{{ dotfiles_remove }}"
 
-        # "Allow Firefox to install and run studies"
+    - name: create directories
-        app.shield.optoutstudies.enabled: false
+      file:
+        state: directory
+        path: "{{ item }}"
+      with_items:
+        - ~/tmp
 
-        # "Check spelling as you type"
+    - name: stat ~/bin
-        layout.spellcheckDefault: 0
+      stat:
+        path: "/home/{{ user.name }}/bin"
+      register: bin_stat
+      check_mode: false
 
-        # Ask for download directory
+    - name: remove ~/bin if not a link
-        browser.download.useDownloadDir: false
+      file:
+        state: absent
+        path: "/home/{{ user.name }}/bin"
+      when:
+        - bin_stat.stat.exists
+        - not bin_stat.stat.islnk
 
-        # (Try to) disable automatic update, as firefox is pulling a Windows
+    - name: link bin directory
-        app.update.auto: false
+      file:
-        app.update.service.enabled: false
+        state: link
+        force: true
+        follow: false
+        path: "/home/{{ user.name }}/bin"
+        src: /var/lib/dotfiles/bin
+        owner: "{{ user.name }}"
+        group: "{{ user.name }}"
 
-        # remove this camera / microphone overlay when in calls or similar
+- name: vim
-        privacy.webrtc.legacyGlobalIndicator: false
+  tags:
+    - vim
+  block:
+    - name: install vim plugins
+      command: nvim --headless +PlugInstall +qall
+      register: vim_plugin_install
+      changed_when: vim_plugin_install.stderr != ""
 
-  - include_role:
+    - name: update vim plugins
-      name: firefox
+      command: nvim --headless +PlugUpdate +qall
-    vars:
+      register: vim_plugin_update
-      firefox_profiles: "{{ {item.key: item.value} | combine({item.key: {'preferences': firefox_preferences}}, recursive=True) }}"
+      changed_when: vim_plugin_update.stderr != ""
-    loop: "{{ user.firefox_profiles | dict2items }}"
-    when: not ansible_check_mode
 
-  - name: firefox - create chrome directory
+- name: firefox
-    file:
-      path: "{{ item.profile_path }}/chrome/"
-      state: directory
-      mode: '0755'
-    with_items: "{{ firefox_profile_names.results }}"
-    when: not ansible_check_mode
-    loop_control:
-      label: "{{ item.profile_path }}"
-
-  - name: firefox - configure firefox custom css
-    copy:
-      dest: "{{ item.profile_path }}/chrome/userChrome.css"
-      content: |
-        #TabsToolbar {
-          visibility: collapse !important;
-        }
-        #titlebar {
-          visibility: collapse !important;
-        }
-        #sidebar-header {
-          visibility: collapse !important;
-        }
-    when:
-      - not ansible_check_mode
-      - user.firefox_profiles[item.profile_name].manage_css is sameas True
-    with_items: "{{ firefox_profile_names.results }}"
-    loop_control:
-      label: "{{ item.profile_path }}"
   tags:
     - firefox
+  block:
+    - name: create firefox directories
+      firefox_profile:
+        name: "{{ item.key }}"
+      loop: "{{ user.firefox_profiles | dict2items }}"
+      check_mode: false
+      register: firefox_profile_names
+
+    - set_fact:
+        firefox_preferences:
+          browser.aboutConfig.showWarning: false
+          extensions.pocket.enabled: false
+          toolkit.legacyUserProfileCustomizations.stylesheets: true
+          browser.contentblocking.category: "strict"
+          browser.newtabpage.enabled: false
+          browser.startup.homepage: "about:blank"
+          privacy.trackingprotection.enabled: true
+          privacy.trackingprotection.socialtracking.enabled: true
+          general.smoothScroll: false
+
+          # Restore last session on startup
+          # https://support.mozilla.org/de/questions/1235263
+          browser.startup.page: 3
+
+          # "Play DRM-controlled content"
+          media.eme.enabled: true
+
+          # "Recommend (extensions|features) as you browse"
+          browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons: false
+          browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features: false
+
+          # "Ask to save logins and passwords for websites"
+          signon.rememberSignons: false
+
+          # "Allow Firefox to make personalized extension recommendations"
+          browser.discovery.enabled: false
+
+          # "Allow Firefox to install and run studies"
+          app.shield.optoutstudies.enabled: false
+
+          # "Check spelling as you type"
+          layout.spellcheckDefault: 0
+
+          # Ask for download directory
+          browser.download.useDownloadDir: false
+
+          # (Try to) disable automatic update, as firefox is pulling a Windows
+          app.update.auto: false
+          app.update.service.enabled: false
+
+          # remove this camera / microphone overlay when in calls or similar
+          privacy.webrtc.legacyGlobalIndicator: false
+
+    - include_role:
+        name: firefox
+      vars:
+        firefox_profiles: "{{ {item.key: item.value} | combine({item.key: {'preferences': firefox_preferences}}, recursive=True) }}"
+      loop: "{{ user.firefox_profiles | dict2items }}"
+      when: not ansible_check_mode
+
+    - name: firefox - create chrome directory
+      file:
+        path: "{{ item.profile_path }}/chrome/"
+        state: directory
+        mode: '0755'
+      with_items: "{{ firefox_profile_names.results }}"
+      when: not ansible_check_mode
+      loop_control:
+        label: "{{ item.profile_path }}"
+
+    - name: firefox - configure firefox custom css
+      copy:
+        dest: "{{ item.profile_path }}/chrome/userChrome.css"
+        content: |
+          #TabsToolbar {
+            visibility: collapse !important;
+          }
+          #titlebar {
+            visibility: collapse !important;
+          }
+          #sidebar-header {
+            visibility: collapse !important;
+          }
+      when:
+        - not ansible_check_mode
+        - user.firefox_profiles[item.profile_name].manage_css is sameas True
+      with_items: "{{ firefox_profile_names.results }}"
+      loop_control:
+        label: "{{ item.profile_path }}"
 
 - name: handle autostart units
-  block:
-  - name: create systemd user directory
-    file:
-      state: directory
-      path: ~/{{ item }}
-    loop:
-      - .config/
-      - .config/systemd/
-      - .config/systemd/user/
-
-  - name: link autostart service files
-    file:
-      state: link
-      force: true
-      follow: false
-      path: "/home/{{ user.name }}/.config/systemd/user/{{ item | basename }}"
-      src: "{{ item }}"
-      owner: "{{ user.name }}"
-      group: "{{ user.name }}"
-    with_fileglob: /var/lib/dotfiles/autostart/services/*
-
-  - name: get state of autostart.target
-    stat:
-      path: "/home/{{ user.name }}/.config/systemd/user/autostart.target"
-    register: autostart_target_stat
-
-  - name: remove invalid autostart.target
-    file:
-      path: "/home/{{ user.name }}/.config/systemd/user/autostart.target"
-      state: absent
-    when:
-      - autostart_target_stat.stat.exists
-      - not autostart_target_stat.stat.isreg
-
-  - name: deploy autostart.target
-    template:
-      src: ./autostart/autostart.target.j2
-      dest: "/home/{{ user.name }}/.config/systemd/user/autostart.target"
-      owner: "{{ user.name }}"
-      group: "{{ user.name }}"
-      force: true
-      follow: false
-
   tags:
     - autostart
+  block:
+    - name: create systemd user directory
+      file:
+        state: directory
+        path: ~/{{ item }}
+      loop:
+        - .config/
+        - .config/systemd/
+        - .config/systemd/user/
 
-- block:
+    - name: link autostart service files
-  - name: import gpg key
+      file:
-    command: gpg --import ./gpgkeys/{{ user.gpg_key.email }}.gpg.asc
+        state: link
-    register: gpg_import_output
+        force: true
-    changed_when: not ("unchanged" in gpg_import_output.stderr)
+        follow: false
+        path: "/home/{{ user.name }}/.config/systemd/user/{{ item | basename }}"
+        src: "{{ item }}"
+        owner: "{{ user.name }}"
+        group: "{{ user.name }}"
+      with_fileglob: /var/lib/dotfiles/autostart/services/*
 
-  - name: trust gpg key
+    - name: get state of autostart.target
-    shell: "gpg --import-ownertrust <<< {{ user.gpg_key.fingerprint }}:6"
+      stat:
-    args:
+        path: "/home/{{ user.name }}/.config/systemd/user/autostart.target"
-      executable: /bin/bash # required for <<<
+      register: autostart_target_stat
-    register: gpg_trust_output
+
-    changed_when: gpg_trust_output.stderr_lines|length > 0
+    - name: remove invalid autostart.target
+      file:
+        path: "/home/{{ user.name }}/.config/systemd/user/autostart.target"
+        state: absent
+      when:
+        - autostart_target_stat.stat.exists
+        - not autostart_target_stat.stat.isreg
+
+    - name: deploy autostart.target
+      template:
+        src: ./autostart/autostart.target.j2
+        dest: "/home/{{ user.name }}/.config/systemd/user/autostart.target"
+        owner: "{{ user.name }}"
+        group: "{{ user.name }}"
+        force: true
+        follow: false
+
+- name: gpg
+  tags:
+    - gpg
+  block:
+    - name: import gpg key
+      command: gpg --import ./gpgkeys/{{ user.gpg_key.email }}.gpg.asc
+      register: gpg_import_output
+      changed_when: not ("unchanged" in gpg_import_output.stderr)
+
+    - name: trust gpg key
+      shell: "gpg --import-ownertrust <<< {{ user.gpg_key.fingerprint }}:6"
+      args:
+        executable: /bin/bash # required for <<<
+      register: gpg_trust_output
+      changed_when: gpg_trust_output.stderr_lines|length > 0
 
   when: user.gpg_key is defined
-  tags: [gpg]

zsh/zprofile.j2

@@ -1,5 +1,9 @@
 source /etc/profile
 
+if [[ "$(passwd --status $USER | awk '{print $2}')" =~ ^(NP|L)$ ]] ; then
+    while ! sudo passwd $USER ; do ; done
+fi
+
 _path=(
     "$HOME/bin"
     "$HOME/.cargo/bin"
@@ -17,16 +21,10 @@ export BROWSER="firefox"
 export PAGER="less"
 export LESS="FRX"
 
-export WINEPATH="$HOME/games/wine"
-
-export BINDIR="$HOME/bin"
-
 export LANG=en_US.UTF-8
 export LC_TIME=de_DE.UTF-8
 export LC_COLLATE=C
 
-export DOTFILES=~/dotfiles
-
 export GOPATH=~/.go
 export PATH=$PATH:$(go env GOPATH)/bin
 
@@ -52,23 +50,29 @@ umask 0022
 export {{ k }}="{{ v }}"
 {% endfor %}
 
-export FEATURE_DIR="${XDG_RUNTIME_DIR}/features/"
+feature_dir="${XDG_RUNTIME_DIR}/features/"
-rm -rf "${FEATURE_DIR}"/
+rm -rf "${feature_dir}"/
-mkdir -p "${FEATURE_DIR}"
+mkdir -p "${feature_dir}"
 
-[[ $MACHINE_HAS_NEXTCLOUD     == "true" ]] && touch "${FEATURE_DIR}"/nextcloud
+[[ $MACHINE_HAS_NEXTCLOUD     == "true" ]] && touch "${feature_dir}"/nextcloud
-[[ $MACHINE_HAS_KEEPASSX      == "true" ]] && touch "${FEATURE_DIR}"/keepassx
+[[ $MACHINE_HAS_KEEPASSX      == "true" ]] && touch "${feature_dir}"/keepassx
-[[ $MACHINE_HAS_STEAM         == "true" ]] && touch "${FEATURE_DIR}"/steam
+[[ $MACHINE_HAS_STEAM         == "true" ]] && touch "${feature_dir}"/steam
-[[ $MACHINE_HAS_RESTIC_BACKUP == "true" ]] && touch "${FEATURE_DIR}"/restic_backup
+[[ $MACHINE_HAS_RESTIC_BACKUP == "true" ]] && touch "${feature_dir}"/restic_backup
 
-[[ $MACHINE_TYPE == "laptop" ]] && touch "${FEATURE_DIR}"/machine_is_laptop
+[[ $MACHINE_TYPE == "laptop" ]] && touch "${feature_dir}"/machine_is_laptop
 
 {% if user.gpg_agent %}
-touch "${FEATURE_DIR}"/gpg_agent
+touch "${feature_dir}"/gpg_agent
 {% endif %}
 
-# Make all environment variables also usable in the systemd user instancee
+# Make important environment variables also usable in the systemd user instance
-systemctl --user import-environment
+systemd_envs=(
+    DISPLAY
+    GNUPGHOME
+    PATH
+    ACPI_LID_NAME
+)
+systemctl --user import-environment "${systemd_envs[@]}"
 
 # exec startx breaks some logind fuckery, without exec it works
 if [[ -z $DISPLAY ]] ; then

zsh/zshrc.j2

@@ -100,7 +100,7 @@ alias grep='grep --color=auto'
 alias fgrep='fgrep --color=auto'
 alias egrep='egrep --color=auto'
 
-alias rg='rg --hidden --glob "!.git/**"'
+alias rg='rg --hidden --glob "!.git/**" --glob "!.git"'
 
 alias rm='rm -v'
 alias cp='cp -vi'