Use aws-cli v2

.gitmodules

@@ -1,6 +1,3 @@
-[submodule "ansible_roles/firefox"]
-	path = ansible_roles/firefox
-	url = https://github.com/staticdev/ansible-role-firefox
 [submodule "pkgbuilds/spotify"]
 	path = pkgbuilds/spotify
 	url = https://aur.archlinux.org/spotify.git
@@ -10,9 +7,6 @@
 [submodule "pkgbuilds/portfolio-performance-bin"]
 	path = pkgbuilds/portfolio-performance-bin
 	url = https://aur.archlinux.org/portfolio-performance-bin.git
-[submodule "pkgbuilds/vim-plug"]
-	path = pkgbuilds/vim-plug
-	url = https://aur.archlinux.org/vim-plug.git
 [submodule "pkgbuilds/terraform-ls-bin"]
 	path = pkgbuilds/terraform-ls-bin
 	url = https://aur.archlinux.org/terraform-ls-bin.git
@@ -58,3 +52,9 @@
 [submodule "pkgbuilds/python-rst2ansi"]
 	path = pkgbuilds/python-rst2ansi
 	url = https://aur.archlinux.org/python-rst2ansi.git
+[submodule "pkgbuilds/claude-code"]
+	path = pkgbuilds/claude-code
+	url = https://aur.archlinux.org/claude-code.git
+[submodule "pkgbuilds/aws-session-manager-plugin"]
+	path = pkgbuilds/aws-session-manager-plugin
+	url = https://aur.archlinux.org/aws-session-manager-plugin.git

README.md

@@ -18,7 +18,7 @@ For easier installation, the install scripts are available via shortlinks. To
 (re)install a new machine from a Arch live environment:
 
 ```
-curl --proto '=https' -sSfL https://s.hkoerber.de/i/${hostname}.sh | bash
+curl --proto '=https' -O -sSfL https://s.hkoerber.de/i/bootstrap.sh && bash bootstrap.sh {host}
 ```
 
 ## Manual Installation

_machines/ares.yml

@@ -2,6 +2,7 @@ font_size: 11
 
 gpu: amd
 cpu: amd
+encrypted_root: true
 
 users:
 - name: hannes
@@ -11,20 +12,10 @@ users:
       extensions:
         - ublock-origin
         - passff
-        - privacy-badger17
         - tree-style-tab
         - i-dont-care-about-cookies
         - floccus
       manage_css: true
-    media:
-      extensions:
-        - ublock-origin
-        - passff
-        - privacy-badger17
-        - tree-style-tab
-        - i-dont-care-about-cookies
-      manage_css: true
-      bigger_font: true
   mail: hannes@hkoerber.de
   ssh_agent: false
   gpg_agent: true

_machines/dionysus.yml

@@ -2,6 +2,7 @@ font_size: 11
 
 gpu: intel
 cpu: intel
+encrypted_root: true
 
 users:
 - name: hannes
@@ -11,7 +12,6 @@ users:
       extensions:
         - ublock-origin
         - passff
-        - privacy-badger17
         - tree-style-tab
         - i-dont-care-about-cookies
         - floccus
@@ -20,7 +20,6 @@ users:
       extensions:
         - ublock-origin
         - passff
-        - privacy-badger17
         - tree-style-tab
         - i-dont-care-about-cookies
       manage_css: true

_machines/hera-tasks.yml

@@ -0,0 +1,265 @@
+---
+- name: Autoupdate
+  block:
+    - name: Deploy autoupdate script
+      copy:
+        owner: root
+        group: root
+        mode: "0755"
+        dest: /usr/local/bin/pacman-autoupdate
+        content: |
+          #!/usr/bin/env bash
+
+          set -o errexit
+          set -o nounset
+          set -o pipefail
+
+          # Prevent failures when not battery present
+          shopt -s nullglob
+
+          for battery in /sys/class/power_supply/*/capacity ; do
+              capacity="$(< "$battery")"
+              if (( "${capacity}" < 40 )) ; then
+                  printf "Battery at %s%%, exiting\n" "${capacity}" >&2
+                  exit 0
+              fi
+          done
+
+          if nmcli --terse --fields GENERAL.METERED dev show 2>/dev/null | grep -q "yes" ; then
+              printf "Detected metered connection, exiting\n" >&2
+              exit 0
+          fi
+
+          # Make sure that keys are up to date, otherwise sig checks may fail
+          pacman --sync --noprogressbar --noconfirm --refresh --needed archlinux-keyring
+
+          pacman --noprogressbar --noconfirm --sysupgrade
+
+    - name: Install pacman autoupdate service
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/pacman-autoupdate.service
+        owner: root
+        group: root
+        mode: "0644"
+        content: |
+          [Service]
+          Type=oneshot
+          ExecStart=/usr/local/bin/pacman-autoupdate
+      become: true
+
+    - name: Install pacman autoupdate timer
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/pacman-autoupdate.timer
+        owner: root
+        group: root
+        mode: "0644"
+        content: |
+          [Timer]
+          OnCalendar=daily
+          OnBootSec=5min
+          OnUnitInactiveSec=120min
+
+          [Install]
+          WantedBy=multi-user.target
+
+    - name: Enable pacman autoupdate timer
+      ansible.builtin.systemd:
+        name: pacman-autoupdate.timer
+        enabled: true
+        state: started
+        daemon_reload: true
+      become: true
+  become: true
+
+- name: User configuration
+  block:
+    - name: Create user group
+      ansible.builtin.group:
+        name: "herta"
+        state: present
+      become: true
+
+    - name: Create user
+      ansible.builtin.user:
+        name: "herta"
+        state: present
+        home: "/home/herta"
+        create_home: true
+        groups:
+          - dotfiles
+          - libvirt
+          - wheel
+          - wireshark
+          - docker
+          - sudonopw
+          - games
+          - kvm
+          - video
+        shell: /usr/bin/zsh
+        skeleton: /dev/null
+      become: true
+
+- name: Display Manager
+  block:
+    - name: Enable sddm
+      ansible.builtin.systemd:
+        name: sddm.service
+        enabled: true
+        daemon_reload: true
+      become: true
+
+    - name: Create sddm config folder
+      ansible.builtin.file:
+        state: directory
+        path: /etc/sddm.conf.d/
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: Enable autologin
+      ansible.builtin.copy:
+        dest: /etc/sddm.conf.d/autologin.conf
+        owner: root
+        group: root
+        mode: "0644"
+        content: |
+          [Autologin]
+          User=herta
+          Session=plasma
+
+    - name: Lock on startup
+      ansible.builtin.copy:
+        dest: /etc/xdg/kscreenlockerrc
+        owner: root
+        group: root
+        mode: "0644"
+        content: |
+          [Daemon]
+          LockOnStart=true
+
+- name: Backup
+  block:
+    - name: create restic config directory
+      file:
+        path: /etc/restic
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+      become: true
+
+    - name: create restic exclude file
+      copy:
+        dest: /etc/restic/exclude.lst
+        content: |
+          /home/*/.cache/**
+          /home/*/.mozilla/firefox/*/Cache/**
+        owner: root
+        group: root
+        mode: "0755"
+      become: true
+
+    - name: create restic cache directory
+      file:
+        path: /var/cache/restic
+        state: directory
+        owner: root
+        group: root
+        mode: "0700"
+      become: true
+
+    - name: create restic wrapper script
+      copy:
+        owner: root
+        group: root
+        mode: "0700"
+        dest: /usr/local/bin/restic-cmd
+        content: |
+          #!/usr/bin/env bash
+          source /etc/restic/env
+
+          set -o nounset
+          set -o errexit
+          set -o pipefail
+
+          export B2_ACCOUNT_ID
+          export B2_ACCOUNT_KEY
+
+          export RESTIC_PASSWORD_FILE=/etc/restic/repopassword
+
+          restic \
+            --cache-dir=/var/cache/restic/ \
+            --repo="b2:${BUCKET_NAME}:hera" \
+            --password-file=/etc/restic/repopassword \
+            --verbose \
+            "${@}"
+      become: true
+
+    - name: add backup script
+      copy:
+        owner: root
+        group: root
+        mode: "0700"
+        dest: /usr/local/bin/restic-backup
+        content: |
+          #!/usr/bin/env bash
+
+          set -o nounset
+          set -o errexit
+          set -o pipefail
+
+          run() {
+            name="${1}" ; shift
+            printf '[%s] %s - start\n' "${name}" "$(date --utc --iso-8601=seconds)"
+            "${@}"
+            printf '[%s] %s - end\n' "${name}" "$(date --utc --iso-8601=seconds)"
+          }
+
+          run backup restic-cmd \
+              backup \
+              --exclude-file /etc/restic/exclude.lst \
+              /home/
+
+          run forget restic-cmd \
+              forget \
+              --prune \
+              --keep-daily 30 \
+              --keep-monthly 12 \
+              --keep-yearly 3
+      become: true
+
+
+    - name: Install restic backup service
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/restic-backup.service
+        owner: root
+        group: root
+        mode: "0644"
+        content: |
+          [Service]
+          Type=oneshot
+          ExecStart=systemd-inhibit /usr/local/bin/restic-backup
+      become: true
+
+    - name: Install restic backup timer
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/restic-backup.timer
+        owner: root
+        group: root
+        mode: "0644"
+        content: |
+          [Timer]
+          OnCalendar=daily
+          Persistent=true
+
+          [Install]
+          WantedBy=multi-user.target
+      become: true
+
+    - name: Enable restic backup timer
+      ansible.builtin.systemd:
+        name: restic-backup.timer
+        enabled: true
+        state: started
+        daemon_reload: true
+      become: true

_machines/hera.yml

@@ -2,10 +2,31 @@ font_size: 11
 
 gpu: intel
 cpu: intel
+encrypted_root: false
 
 # make sure that display manager works
 system_default_target: "graphical.target"
 
+additional_packages:
+  - plasma-desktop
+  - konsole
+  - dolphin
+  - kdeplasma-addons
+  - plasma-nm
+  - plasma-pa
+  - plasma-systemmonitor
+  - sddm
+  - sddm-kcm
+  - thunderbird
+  # kde archive manager
+  - ark
+  # kde image viewer
+  - gwenview
+  # german language packs
+  - hunspell-de
+  - thunderbird-i18n-de
+  - firefox-i18n-de
+
 users:
 - name: hannes
   vt: 1
@@ -14,7 +35,6 @@ users:
       extensions:
         - ublock-origin
         - passff
-        - privacy-badger17
         - tree-style-tab
         - i-dont-care-about-cookies
         - floccus
@@ -23,7 +43,6 @@ users:
       extensions:
         - ublock-origin
         - passff
-        - privacy-badger17
         - tree-style-tab
         - i-dont-care-about-cookies
       manage_css: true

_machines/neptune.yml

@@ -2,6 +2,7 @@ font_size: 11
 
 gpu: nvidia
 cpu: intel
+encrypted_root: true
 
 users:
 - name: hannes-work
@@ -10,7 +11,6 @@ users:
     default:
       extensions:
         - ublock-origin
-        - privacy-badger17
         - tree-style-tab
         - i-dont-care-about-cookies
       manage_css: true
@@ -33,7 +33,6 @@ users:
       extensions:
         - ublock-origin
         - passff
-        - privacy-badger17
         - tree-style-tab
         - i-dont-care-about-cookies
         - floccus

ansible.cfg

@@ -2,4 +2,4 @@
 retry_files_enabled = False
 nocows = 1
 roles_path = ./ansible_roles
-library = ./ansible_roles/firefox/library
+interpreter_python = "auto_silent"

applications/firefox.desktop

@@ -0,0 +1,4 @@
+[Desktop Entry]
+Type=Application
+Name=Firefox
+Exec=firefox-default --new-tab %u

autostart/autostart.target.j2

@@ -31,3 +31,4 @@ Wants=yubikey-touch-detector.service
 Wants=kdeconnect.service
 Wants=color-theme-dark.service
 Wants=workstation-mgr.service
+Wants=screencfg.service

autostart/services/firefox-gtk-override-bigger-font@.service

@@ -3,7 +3,7 @@ BindsTo=autostart.target
 After=windowmanager.target
 
 [Service]
-ExecStart=/usr/bin/env firefox --setDefaultBrowser -P %i
+ExecStart=/usr/bin/env firefox --profile %h/.mozilla/firefox/profile-%i
 PassEnvironment=DISPLAY
 Environment=XDG_CONFIG_HOME=%h/.config/gtk-3.0-overrides/bigger-font/
 Restart=always

autostart/services/firefox@.service

@@ -3,6 +3,6 @@ BindsTo=autostart.target
 After=windowmanager.target
 
 [Service]
-ExecStart=/usr/bin/env firefox --setDefaultBrowser -P %i
+ExecStart=/usr/bin/env firefox --profile %h/.mozilla/firefox/profile-%i
 PassEnvironment=DISPLAY
 Restart=always

autostart/services/screencfg.service

@@ -0,0 +1,8 @@
+[Unit]
+BindsTo=autostart.target
+After=windowmanager.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/screencfg watch --best
+Restart=always

bin/firefox-default

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+exec /usr/bin/firefox --profile "$HOME/.mozilla/firefox/profile-default" "${@}"

cargo/config.toml

@@ -3,4 +3,4 @@ rustc-wrapper = "sccache"
 
 [target.x86_64-unknown-linux-gnu]
 linker = "/usr/bin/clang"
-rustflags = ["-C", "link-arg=--ld-path=/usr/bin/mold"]
+rustflags = ["-Clink-arg=--ld-path=/usr/bin/wild"]

dotfiles.yml

@@ -1,5 +1,4 @@
 empty_directories:
-  - name: .config/nvim
   - name: .config/rofi
   - name: .config/gtk-3.0
   - name: .config/gtk-3.0-overrides
@@ -47,8 +46,6 @@ dotfiles:
     dir: true
   - from: tmux/tmux.conf
     to: .config/tmux/tmux.conf
-  - from: vim/vimrc
-    to: .config/nvim/init.vim
   - from: x/Xresources
     to: .config/Xresources
   - from: x/xinitrc
@@ -102,9 +99,13 @@ dotfiles:
     to: .config/screencfg.toml
   - from: cargo/config.toml
     to: .local/state/cargo/config.toml
+  - from: applications
+    to: .local/share/applications
+    dir: true
 dotfiles_remove:
   - .gitconfig
   - .vimrc
+  - .config/nvim/init.vim
   - .tmux.conf
   - .i3
   - .gtkrc-2.0

drivers.yml

@@ -26,3 +26,9 @@ gpu:
     - lib32-vulkan-nouveau
     - vulkan-headers
     - vulkan-tools
+  intel:
+    - mesa
+    - mesa-utils
+    - lib32-mesa
+    - vulkan-intel
+    - lib32-vulkan-intel

git/gitconfig.j2

@@ -118,6 +118,13 @@
 [url "ssh://git@code.hkoerber.de:2222/"]
     insteadOf = https://code.hkoerber.de/
 
+# https://stackoverflow.com/a/71971739
+[url "https://github.com/"]
+    insteadOf = "git@github.com:"
+[url "git@github.com:"]
+    pushInsteadOf = "https://github.com/"
+    pushInsteadOf = "git@github.com:"
+
 [init]
 	defaultBranch = main
 [safe]

i3/i3status-rust/config.toml.j2

@@ -100,12 +100,6 @@ block = "custom"
 json = true
 command = "ping -n -q -w 2 -c 1 8.8.8.8 >/dev/null 2>/dev/null && printf '{\"text\":\"\",\"state\":\"Info\"}' || printf '{\"text\":\"\",\"state\":\"Critical\"}'"
 
-[[block]]
-block = "custom"
-command = "workstation-client weather get"
-# caching is handled by the workstation daemon
-interval = 60
-
 [[block]]
 block = "time"
 interval = 1

install_scripts/ares.sh

@@ -25,7 +25,7 @@ sed -e 's/\s*\([^#]*\).*/\1/' << EOF | sfdisk ${DEVICE}
     device: ${DEVICE}
 
     ${DEVICE}1 : name=uefi      , size=512M , type=uefi
-    ${DEVICE}2 : name=boot      , size=512M , type=linux
+    ${DEVICE}2 : name=boot      , size=1G   , type=linux
     ${DEVICE}3 : name=cryptpart ,             type=linux
 EOF
 
@@ -89,7 +89,7 @@ cat <<EOF > /etc/hosts
 127.0.1.1 ares
 EOF
 
-sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems resume fsck)/' /etc/mkinitcpio.conf
+sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems resume fsck)/' /etc/mkinitcpio.conf
 
 mkinitcpio -P
 

install_scripts/dionysus.sh

@@ -25,7 +25,7 @@ sed -e 's/\s*\([^#]*\).*/\1/' << EOF | sfdisk ${DEVICE}
     device: ${DEVICE}
 
     ${DEVICE}p1 : name=uefi      , size=512M , type=uefi
-    ${DEVICE}p2 : name=boot      , size=512M , type=linux
+    ${DEVICE}p2 : name=boot      , size=1G   , type=linux
     ${DEVICE}p3 : name=cryptpart ,             type=linux
 EOF
 
@@ -89,7 +89,7 @@ cat <<EOF > /etc/hosts
 127.0.1.1 dionysus
 EOF
 
-sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems resume fsck)/' /etc/mkinitcpio.conf
+sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems resume fsck)/' /etc/mkinitcpio.conf
 
 mkinitcpio -P
 

install_scripts/hera.sh

@@ -25,7 +25,7 @@ sed -e 's/\s*\([^#]*\).*/\1/' << EOF | sfdisk ${DEVICE}
     device: ${DEVICE}
 
     ${DEVICE}p1 : name=uefi, size=512M , type=uefi
-    ${DEVICE}p2 : name=boot, size=512M , type=linux
+    ${DEVICE}p2 : name=boot, size=1G   , type=linux
     ${DEVICE}p3 : name=swap, size=16G  , type=linux
     ${DEVICE}p4 : name=root, size=60G  , type=linux
     ${DEVICE}p5 : name=home,             type=linux
@@ -83,7 +83,7 @@ cat <<EOF > /etc/hosts
 127.0.1.1 hera
 EOF
 
-sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect keyboard keymap consolefont modconf block filesystems resume fsck)/' /etc/mkinitcpio.conf
+sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems resume fsck)/' /etc/mkinitcpio.conf
 
 mkinitcpio -P
 

install_scripts/neptune.sh

@@ -25,7 +25,7 @@ sed -e 's/\s*\([^#]*\).*/\1/' << EOF | sfdisk ${DEVICE}
     device: ${DEVICE}
 
     ${DEVICE}p1 : name=uefi      , size=512M , type=uefi
-    ${DEVICE}p2 : name=boot      , size=512M , type=linux
+    ${DEVICE}p2 : name=boot      , size=1G   , type=linux
     ${DEVICE}p3 : name=cryptpart ,             type=linux
 EOF
 
@@ -89,7 +89,7 @@ cat <<EOF > /etc/hosts
 127.0.1.1 neptune
 EOF
 
-sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems resume fsck)/' /etc/mkinitcpio.conf
+sed -i 's/^HOOKS=.*$/HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems resume fsck)/' /etc/mkinitcpio.conf
 
 mkinitcpio -P
 

maintenance.sh

@@ -3,7 +3,7 @@
 set -o nounset
 set -o errexit
 
-sudo pacman -Syu
+sudo bash -c "pacman -Sy --needed --noconfirm archlinux-keyring && pacman -Su"
 
 ./update-aur-pkgs.sh
 

packages.yml

@@ -77,7 +77,7 @@ font-libertine:
     - libertinus-font
 font-awesome:
   archlinux:
-    - ttf-font-awesome
+    - woff2-font-awesome
 font-noto:
   archlinux:
     - noto-fonts
@@ -226,8 +226,6 @@ cloc:
   archlinux: ["cloc"]
 bwm-ng:
   archlinux: ["bwm-ng"]
-virtualbox:
-  archlinux: ["virtualbox"]
 ssh:
   archlinux: ["openssh"]
 sshfs:
@@ -320,8 +318,6 @@ fzf:
   archlinux: ["fzf"]
 chromium:
   archlinux: ["chromium"]
-signal:
-  archlinux: ["signal-desktop"]
 go:
   archlinux: ["go", "gopls", "delve"]
 helix:
@@ -329,7 +325,7 @@ helix:
 keepassxc:
   archlinux: ["keepassxc"]
 awscli:
-  archlinux: ["aws-cli"]
+  archlinux: ["aws-cli-v2"]
 mariadb-client:
   archlinux: ["mariadb-clients"]
 php:
@@ -378,6 +374,7 @@ json:
 markdown:
   archlinux:
     - marksman
+    - mdformat
 lldb:
   archlinux:
     - lldb
@@ -449,6 +446,9 @@ mold:
   archlinux:
     - clang
     - mold
+wild:
+  archlinux:
+    - wild
 arch-packaging:
   archlinux:
     - namcap
@@ -573,3 +573,20 @@ podman:
 pulumi:
   archlinux:
     - pulumi
+reflector:
+  archlinux:
+    - reflector
+yazi:
+  archlinux:
+    - yazi
+    - ffmpeg
+    - 7zip
+    - jq
+    - poppler
+    - fd
+    - ripgrep
+    - fzf
+    - xsel
+    - zoxide
+    - resvg
+    - imagemagick

playbook.yml

@@ -6,13 +6,13 @@
   tasks:
     - name: Read machine-specific variables
       ansible.builtin.include_vars:
-        file: _machines/{{ ansible_hostname }}.yml
+        file: _machines/{{ ansible_facts['hostname'] }}.yml
         name: machine
       tags:
         - always
 
     - ansible.builtin.set_fact:
-        distro: "{{ ansible_distribution | lower }}"
+        distro: "{{ ansible_facts['distribution'] | lower }}"
       tags:
         - always
 
@@ -194,6 +194,12 @@
           vars:
             pkg_query: "{{ '*.%s[]'|format(distro) }}"
 
+        - name: install additional packages
+          package:
+            name: "{{ machine.additional_packages|default([]) }}"
+            state: present
+          become: true
+
         - name: remove unconfigured packages
           script:
             cmd: ./remove-unconfigured-packages.sh --noconfirm
@@ -202,6 +208,30 @@
           changed_when: unconfigured_packages_cmd.rc == 123
           become: true
 
+    - name: reflector
+      block:
+      - name: Configure reflector
+        ansible.builtin.copy:
+          dest: /etc/xdg/reflector/reflector.conf
+          owner: root
+          group: root
+          mode: "0644"
+          content: |
+            --save /etc/pacman.d/mirrorlist
+            --protocol https
+            --country Germany
+            --latest 5
+            --sort age
+        become: true
+
+      - name: Enable reflector timer
+        ansible.builtin.systemd:
+          name: reflector.timer
+          enabled: true
+          state: started
+          daemon_reload: true
+        become: true
+
     - name: aur
       tags:
         - aur
@@ -231,10 +261,9 @@
                   #!/usr/bin/env bash
                   source ./env
                   echo lel
-                  curl -sSf --proto '=https' https://download.spotify.com/debian/pubkey_C85668DF69375001.gpg | gpg --import -
+                  curl -sSf --proto '=https' https://download.spotify.com/debian/pubkey_5384CE82BA52C83A.gpg | gpg --import -
 
               - name: nodejs-intelephense
-              - name: vim-plug
               - name: terraform-ls-bin
               - name: grm-git
               - name: screencfg-git
@@ -264,6 +293,9 @@
               # dependency of
               - name: backblaze-b2
 
+              # ===
+              - name: claude-code
+
         - set_fact:
             aur_packages: "{{ aur_packages|map(attribute='dependencies', default=[]) | flatten + aur_packages }}"
 
@@ -417,13 +449,14 @@
 
               source ./PKGBUILD
 
-              for arch in "${arch[@]}" ; do
-                if [[ "${arch}" == "any" ]] ; then
+              for a in "${arch[@]}" ; do
+                if [[ "${a}" == "any" ]] ; then
                   arch="any"
                   break
                 fi
-                if [[ "${arch}" == "x86_64" ]] ; then
+                if [[ "${a}" == "x86_64" ]] ; then
                   arch="x86_64"
+                  break
                 fi
               done
 
@@ -521,6 +554,25 @@
         state: present
       become: true
 
+    - name: set mkinitcpio hooks
+      set_fact:
+        mkinitcpio_hooks: "base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems resume fsck"
+      when: machine.encrypted_root|bool
+
+    - name: set mkinitcpio hooks
+      set_fact:
+        mkinitcpio_hooks: "base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems resume fsck"
+      when: not machine.encrypted_root|bool
+
+    - name: configure mkinitcpio hooks
+      lineinfile:
+        path: /etc/mkinitcpio.conf
+        regexp: "^#?HOOKS=.*$"
+        line: 'HOOKS=({{ mkinitcpio_hooks }})'
+      become: true
+      notify:
+        - rebuild initrd
+
     - name: use vz4 for mkinitcpio compression
       lineinfile:
         path: /etc/mkinitcpio.conf
@@ -752,6 +804,15 @@
                     name: "{{ drivers.gpu.nvidia }}"
                     state: present
                   become: true
+
+            - name: Intel configuration
+              when: machine.gpu == 'intel'
+              block:
+                - name: install intel packages
+                  package:
+                    name: "{{ drivers.gpu.intel }}"
+                    state: present
+                  become: true
           when:
             - machine.gpu is defined
 
@@ -798,6 +859,175 @@
               ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chgrp video $sys$devpath/brightness", RUN+="/bin/chmod g+w $sys$devpath/brightness"
           become: true
 
+    - name: Firefox
+      tags:
+        - firefox
+      block:
+        - name: create firefox directories
+          file:
+            state: directory
+            path: "{{ item }}"
+            owner: root
+            group: root
+            mode: "0775"
+          become: true
+          become_user: root
+          loop:
+            - /etc/firefox
+            - /etc/firefox/policies
+
+        - set_fact:
+            firefox_policy:
+              policies:
+                AutofillAddressEnabled: false
+                AutofillCreditCardEnabled: false
+                DefaultDownloadDirectory: "${home}/download"
+                DisableFeedbackCommands: true
+                DisableFirefoxAccounts: true
+                DisableFirefoxStudies: true
+                DisableForgetButton: true
+                DisableMasterPasswordCreation: true
+                DisableProfileImport: true
+                DisableProfileRefresh: true
+                DisableSafeMode: true
+                DisableSetDesktopBackground: true
+                DisableTelemetry: true
+                DisplayBookmarksToolbar: "always"
+                DisplayMenuBar: "default-off"
+                DontCheckDefaultBrowser: true
+                EnableTrackingProtection:
+                  Value: true
+                  Locked: false
+                  Category: "strict"
+                  BaselineExceptions: true
+                  ConvenienceExceptions: false
+                ExtensionSettings:
+                  "*":
+                    allowed_types:
+                      - extension
+                  "jid1-KKzOGWgsW3Ao4Q@jetpack": # I don't care about cookies
+                    installation_mode: "normal_installed"
+                    install_url: "https://addons.mozilla.org/firefox/downloads/file/4202634/i_dont_care_about_cookies.xpi"
+                    default_area: "menupanel"
+                    private_browsing: true
+                    updates_disabled: false
+                  "uBlock0@raymondhill.net": # Ublock origin
+                    installation_mode: "normal_installed"
+                    install_url: "https://addons.mozilla.org/firefox/downloads/file/4598854/ublock_origin-1.67.0.xpi"
+                    default_area: "navbar"
+                    private_browsing: true
+                    updates_disabled: false
+                  "treestyletab@piro.sakura.ne.jp": # I don't care about cookies
+                    installation_mode: "normal_installed"
+                    install_url: "https://addons.mozilla.org/firefox/downloads/file/4602712/tree_style_tab-4.2.7.xpi"
+                    default_area: "navbar"
+                    private_browsing: true
+                    updates_disabled: false
+                  "{9063c2e9-e07c-4c2c-9646-cfe7ca8d0498}": # Old Reddit redirect
+                    installation_mode: "normal_installed"
+                    install_url: "https://addons.mozilla.org/firefox/downloads/file/4526031/old_reddit_redirect-2.0.9.xpi"
+                    default_area: "menupanel"
+                    private_browsing: true
+                    updates_disabled: false
+                FirefoxHome:
+                  Search: false
+                  TopSites: false
+                  SponsoredTopSites: false
+                  Highlights: false
+                  Pocket: false
+                  Stories: false
+                  SponsoredPocket: false
+                  SponsoredStories: false
+                  Snippets: false
+                  Locked: true
+                GenerativeAI:
+                  Enabled: false
+                  Chatbot: false
+                  LinkPreviews: false
+                  TabGroups: false
+                Homepage:
+                  URL: "about:newtab"
+                  StartPage: "previous-session"
+                MicrosoftEntraSSO: false
+                NewTabPage: false
+                NoDefaultBookmarks: true
+                OfferToSaveLogins: false
+                OverrideFirstRunPage: ""
+                PasswordManagerEnabled: false
+                Preferences:
+                  "browser.translations.automaticallyPopup":
+                    Value: false
+                    Status: "default"
+                    Type: "boolean"
+                  "browser.aboutConfig.showWarning":
+                    Value: false
+                    Status: "default"
+                    Type: "boolean"
+                  "general.smoothScroll":
+                    Value: true
+                    Status: "default"
+                    Type: "boolean"
+                  # "Play DRM-controlled content"
+                  "media.eme.enabled":
+                    Value: true
+                    Status: "default"
+                    Type: "boolean"
+                  # Restore last session on startup
+                  # https://support.mozilla.org/de/questions/1235263
+                  "browser.startup.page":
+                    Value: 3
+                    Status: "default"
+                    Type: "number"
+                  # reload the tabs properly when restoring
+                  "browser.sessionstore.restore_on_demand":
+                    Value: false
+                    Status: "default"
+                    Type: "boolean"
+                  # "Check spelling as you type"
+                  "layout.spellcheckDefault":
+                    Value: 0
+                    Status: "default"
+                    Type: "number"
+                  # remove ad tracking garbage
+                  "dom.private-attribution.submission.enabled":
+                    Value: false
+                    Status: "default"
+                    Type: "boolean"
+                  # (Try to) disable automatic update, as firefox is pulling a Windows
+                  "app.update.auto":
+                    Value: false
+                    Status: "default"
+                    Type: "boolean"
+                  "app.update.service.enabled": 
+                    Value: false
+                    Status: "default"
+                    Type: "boolean"
+                PromptForDownloadLocation: false
+                RequestedLocales:
+                  - en-US
+                  - de
+                SearchSuggestEnabled: false
+                ShowHomeButton: false
+                SkipTermsOfUse: true
+                UserMessaging:
+                  ExtensionRecommendations: false
+                  FeatureRecommendations: false
+                  UrlbarInterventions: false
+                  SkipOnboarding: true
+                  MoreFromMozilla: false
+                  FirefoxLabs: false
+                VisualSearchEnabled: false
+
+        - name: Firefox global policies
+          ansible.builtin.copy:
+            dest: "/etc/firefox/policies/policies.json"
+            owner: root
+            group: root
+            mode: "0644"
+            content: "{{ firefox_policy | to_nice_json }}"
+          become: true
+          become_user: root
+
     - set_fact:
         users: "{{ machine.users }}"
       tags:
@@ -817,6 +1047,14 @@
       tags:
         - always
 
+    - include_tasks: "{{ item }}"
+      with_first_found:
+        - files:
+            - "_machines/{{ ansible_facts['hostname'] }}-tasks.yml"
+          skip: true
+      tags:
+        - always
+
   handlers:
     - name: refresh package lists
       community.general.pacman:

remove-unconfigured-packages.sh

@@ -32,6 +32,7 @@ declare -a packages_to_remove=()
 
 readarray -d $'\0' -t packages_to_remove < <(comm --zero-terminated -13 \
   <(cat \
+    <(<_machines/"$(hostname --short)".yml yaml2json | jq --raw-output0 '(.additional_packages // [])[]') \
     <(<packages.yml yaml2json | jq --raw-output0 'map(.archlinux) | flatten[]') \
     <(for dep in "${aurdeps[@]}" "${cpu_packages[@]}" "${gpu_packages[@]}" ; do printf '%s\0' "${dep}" ; done) \
   | while IFS= read -r -d $'\0' package; do
@@ -61,12 +62,29 @@ readarray -d $'\0' -t packages_to_remove < <(comm --zero-terminated -13 \
     printf '%s\0' "${package}"
   done) 
 
+packages_removed=0
+
 if (( "${#packages_to_remove[@]}" > 0 )) ; then
     echo "found the following explicitly installed packages that are not configured:"
     for pkg in "${packages_to_remove[@]}" ; do
       echo "${pkg}"
     done
     sudo pacman -Rcns "${packages_to_remove[@]}" "${@}" || exit $?
+    packages_removed=1
+fi
+
+readarray -t orphans < <(pacman -Qdtq)
+
+if (( "${#orphans[@]}" > 0 )) ; then
+    echo "found the following orphaned packages:"
+    for pkg in "${orphans[@]}" ; do
+      echo "${pkg}"
+    done
+    sudo pacman -Rcns "${orphans[@]}" "${@}" || exit $?
+    packages_removed=1
+fi
+
+if (( packages_removed)) ; then
     exit 123
 fi
 

update-aur-pkgs.sh

@@ -11,7 +11,7 @@ for pkg in pkgbuilds/* ; do
         printf "checking local package %s\n" "${pkg}"
         (
             builtin cd "${pkg}" || exit 1
-            makepkg --nodeps --nobuild --noextract
+            makepkg --nodeps --nobuild --noextract --cleanbuild
         )
     fi
     if git status --porcelain "${pkg}" | grep -q . ; then

user.yml

@@ -6,7 +6,6 @@
         user_groups:
           - libvirt
           - wheel
-          - vboxusers
           - wireshark
           - docker
           - sudonopw
@@ -27,7 +26,8 @@
         state: present
         home: "/home/{{ user.name }}"
         create_home: true
-        groups: "{{ [user.name, 'dotfiles'] + user_groups }}"
+        group: "{{ user.name }}"
+        groups: "{{ ['dotfiles'] + user_groups }}"
         shell: /usr/bin/zsh
         skeleton: /dev/null
       become: true
@@ -270,117 +270,83 @@
         owner: "{{ user.name }}"
         group: "{{ user.name }}"
 
-- name: Vim
-  tags:
-    - user:vim
-  block:
-    - name: Install vim plugins
-      ansible.builtin.command: nvim --headless +PlugInstall +qall
-      register: vim_plugin_install
-      changed_when: vim_plugin_install.stderr != ""
-
-    - name: Update vim plugins
-      ansible.builtin.command: nvim --headless +PlugUpdate +qall
-      register: vim_plugin_update
-      changed_when: vim_plugin_update.stderr != ""
-
 - name: Firefox
   tags:
     - user:firefox
   block:
-    - name: Create firefox directories
-      firefox_profile:
-        name: "{{ item.key }}"
-      loop: "{{ user.firefox_profiles | dict2items }}"
-      check_mode: false
-      register: firefox_profile_names
-
-    - ansible.builtin.set_fact:
-        firefox_preferences:
-          browser.aboutConfig.showWarning: false
-          extensions.pocket.enabled: false
-          toolkit.legacyUserProfileCustomizations.stylesheets: true
-          browser.contentblocking.category: "strict"
-          browser.newtabpage.enabled: false
-          browser.startup.homepage: "about:blank"
-          privacy.trackingprotection.enabled: true
-          privacy.trackingprotection.socialtracking.enabled: true
-          general.smoothScroll: true
-
-          # Restore last session on startup
-          # https://support.mozilla.org/de/questions/1235263
-          browser.startup.page: 3
-          # reload the tabs properly when restoring
-          browser.sessionstore.restore_on_demand: false
-
-          # "Play DRM-controlled content"
-          media.eme.enabled: true
-
-          # "Recommend (extensions|features) as you browse"
-          browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons: false
-          browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features: false
-
-          # "Ask to save logins and passwords for websites"
-          signon.rememberSignons: false
-
-          # "Allow Firefox to make personalized extension recommendations"
-          browser.discovery.enabled: false
-
-          # "Allow Firefox to install and run studies"
-          app.shield.optoutstudies.enabled: false
-
-          # "Check spelling as you type"
-          layout.spellcheckDefault: 0
-
-          # Ask for download directory
-          browser.download.useDownloadDir: false
-
-          # (Try to) disable automatic update, as firefox is pulling a Windows
-          app.update.auto: false
-          app.update.service.enabled: false
-
-          # remove this camera / microphone overlay when in calls or similar
-          privacy.webrtc.legacyGlobalIndicator: false
-
-          # remove ad tracking garbage
-          dom.private-attribution.submission.enabled: false
-
-    - ansible.builtin.include_role:
-        name: firefox
-      vars:
-        firefox_profiles: "{{ {item.key: item.value} | combine({item.key: {'preferences': firefox_preferences}}, recursive=True) }}"
-      loop: "{{ user.firefox_profiles | dict2items }}"
-      when: not ansible_check_mode
-
-    - name: Firefox - create chrome directory
+    - name: Create firefox base directories
       ansible.builtin.file:
-        path: "{{ item.profile_path }}/chrome/"
+        path: "{{ item }}"
         state: directory
         mode: "0755"
-      with_items: "{{ firefox_profile_names.results }}"
-      when: not ansible_check_mode
-      loop_control:
-        label: "{{ item.profile_path }}"
+      loop:
+        - "~/.mozilla/"
+        - "~/.mozilla/firefox/"
 
-    - name: Firefox - configure firefox custom css
+    - name: Create firefox profile directories
+      ansible.builtin.file:
+        path: "~/.mozilla/firefox/profile-{{ item.key }}"
+        state: directory
+        mode: "0755"
+      loop: "{{ user.firefox_profiles | dict2items }}"
+      loop_control:
+        label: "{{ item.key }}"
+
+    - name: Create chrome directory
+      ansible.builtin.file:
+        path: "~/.mozilla/firefox/profile-{{ item.key }}/chrome/"
+        state: directory
+        mode: "0755"
+      loop: "{{ user.firefox_profiles | dict2items }}"
+      loop_control:
+        label: "{{ item.key }}"
+
+    - name: Configure firefox custom css
       ansible.builtin.copy:
-        dest: "{{ item.profile_path }}/chrome/userChrome.css"
+        dest: "~/.mozilla/firefox/profile-{{ item.key }}/chrome/userChrome.css"
+        # from https://www.kvakil.me/posts/2023-09-12-my-tree-style-tab-configuration.html
         content: |
-          #TabsToolbar {
-            visibility: collapse !important;
-          }
+          // Hide the title bar.
           #titlebar {
+            appearance: none !important;
+            height: 0px;
+          }
+
+          #titlebar > #toolbar-menubar {
+            margin-top: 0px;
+          }
+
+          // Hide regular tab toolbar.
+          #main-window[tabsintitlebar="true"]:not([extradragspace="true"]) #TabsToolbar > .toolbar-items {
+            opacity: 0;
+            pointer-events: none;
+          }
+
+          #main-window:not([tabsintitlebar="true"]) #TabsToolbar {
             visibility: collapse !important;
           }
-          #sidebar-header {
-            visibility: collapse !important;
+
+          // Hide the side toolbar noise.
+          #TabsToolbar {
+            min-width: 0 !important;
+            min-height: 0 !important;
+          }
+
+          #TabsToolbar > .titlebar-buttonbox-container {
+            display: block;
+            position: absolute;
+            top: 12px;
+            left: 0px;
+          }
+
+          #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
+            display: none;
           }
       when:
-        - not ansible_check_mode
-        - user.firefox_profiles[item.profile_name].manage_css is sameas True
-      with_items: "{{ firefox_profile_names.results }}"
+        - item.value.manage_css is sameas True
+      loop: "{{ user.firefox_profiles | dict2items }}"
       loop_control:
-        label: "{{ item.profile_path }}"
+        label: "{{ item.key }}"
 
 - name: Handle user units
   tags:

vim/vimrc

@@ -1,320 +0,0 @@
-set nocompatible
-filetype off
-call plug#begin('~/.local/share/nvim/plugged')
-
-" === plugins ===
-
-function! Cond(Cond, ...)
-  let opts = get(a:000, 0, {})
-  return a:Cond ? opts : extend(opts, { 'on': [], 'for': [] })
-endfunction
-
-" editing plugins
-Plug 'godlygeek/tabular', Cond(!exists('g:vscode'))
-Plug 'nathanaelkane/vim-indent-guides', Cond(!exists('g:vscode'))
-Plug 'tpope/vim-commentary', Cond(!exists('g:vscode'))
-Plug 'airblade/vim-gitgutter', Cond(!exists('g:vscode'))
-
-" ui
-Plug 'sickill/vim-monokai', Cond(!exists('g:vscode'))
-Plug 'itchyny/lightline.vim', Cond(!exists('g:vscode'))
-
-" lang integrations
-Plug 'lepture/vim-jinja', Cond(!exists('g:vscode'))
-Plug 'fatih/vim-go', Cond(!exists('g:vscode'))
-Plug 'hashivim/vim-terraform', Cond(!exists('g:vscode'))
-Plug 'editorconfig/editorconfig-vim', Cond(!exists('g:vscode'))
-Plug 'rust-lang/rust.vim', Cond(!exists('g:vscode'))
-Plug 'rodjek/vim-puppet', Cond(!exists('g:vscode'))
-
-" helpers
-"" distraction free writing
-Plug 'junegunn/limelight.vim', Cond(!exists('g:vscode'))
-Plug 'junegunn/goyo.vim', Cond(!exists('g:vscode'))
-Plug 'reedes/vim-pencil', Cond(!exists('g:vscode'))
-
-"" markdown
-Plug 'suan/vim-instant-markdown', Cond(!exists('g:vscode'))
-
-Plug 'dense-analysis/ale', Cond(!exists('g:vscode'))
-
-Plug 'neoclide/coc.nvim', Cond(!exists('g:vscode'), {'branch': 'release'})
-
-
-call plug#end()
-filetype plugin indent on
-
-" == formatting ==
-set tabstop=4
-set smarttab
-set softtabstop=4
-set shiftround
-set shiftwidth=4
-set autoindent
-set expandtab
-set smartindent
-set formatoptions=tcqjron
-"set formatoptions=
-
-" == ui ==
-set cursorline
-set showcmd
-set number
-set wildmode=list:longest
-set lazyredraw
-set wildmenu
-set noshowmatch
-set colorcolumn=80
-set laststatus=2
-set matchtime=5
-set mouse=a
-set mousehide
-set noerrorbells
-set noshowmode
-set numberwidth=2
-set relativenumber
-set shortmess=rtiF
-set ruler
-set scrolloff=7
-set title
-set titlestring=""
-set ttyfast
-
-" == searching ==
-set hlsearch
-set incsearch
-set gdefault
-set ignorecase
-set magic
-set smartcase
-
-" == folding ==
-set foldenable
-set foldmethod=indent
-set foldnestmax=2
-set foldlevelstart=2
-
-" == backups ==
-set nobackup
-set backupcopy=no
-set nowritebackup
-
-" == swap ==
-set swapfile
-set updatecount=200
-set updatetime=300
-
-" == undo ==
-set undolevels=1000
-set undoreload=10000
-set undodir=~/.vim/undo
-set undofile
-
-" == environment / directories ==
-set autochdir
-set directory=/var/tmp,/tmp
-set viewdir=~/.vim/view
-
-" == misc ==
-set autoread
-set confirm
-set encoding=utf-8
-set history=1000
-set modeline
-set modelines=5
-set notildeop
-set wildignore=*.swp,*.bak,*.pyc,*~,*.o
-set hidden
-
-" == editing ==
-set backspace=indent,eol,start
-" set esckeys
-set matchpairs=(:),{:},[:],<:>
-set notimeout
-set ttimeout
-set timeoutlen=1000
-set ttimeoutlen=0
-set virtualedit=block
-set whichwrap=b,s
-
-" == line breaking ==
-set linebreak
-set wrap
-set wrapscan
-
-" == to use guicolors in terminal ==
-set termguicolors
-
-" === keybinds ===
-set pastetoggle=<F11>
-
-set signcolumn=yes
-
-let maplocalleader = "ö"
-let mapleader = "\<Space>"
-" map <leader>w: w!<cr>
-
-" nnoremap <leader>w :w<CR>
-nmap <leader><leader> za
-map , :
-
-vnoremap <silent> y y`]
-vnoremap <silent> p p`]
-nnoremap <silent> p p`]
-
-nnoremap <leader>, :nohlsearch<CR>
-
-noremap gV `[v`]
-
-map Y y$
-map j gj
-map k gk
-
-
-map N Nzz
-map n nzz
-
-inoremap jj <ESC>
-
-" no more ex mode
-nnoremap Q <nop>
-
-" Use // in visual mode to search for selection
-" https://vim.fandom.com/wiki/Search_for_visually_selected_text
-vnoremap // y/\V<C-R>=escape(@",'/\')<CR><CR>
-
-if exists('g:vscode')
-    xmap gc  <Plug>VSCodeCommentary
-    nmap gc  <Plug>VSCodeCommentary
-    omap gc  <Plug>VSCodeCommentary
-    nmap gcc <Plug>VSCodeCommentaryLine
-else
-    nnoremap <C-h> <C-w>h
-    nnoremap <C-j> <C-w>j
-    nnoremap <C-k> <C-w>k
-    nnoremap <C-l> <C-w>l
-
-    nmap <C-n> :bnext<CR>
-    nmap <C-p> :bprev<CR>
-
-    nnoremap <leader>m :InstantMarkdownPreview<CR>
-
-    nnoremap <leader>u :GundoToggle<CR>
-    nnoremap <leader>d :diffupdate<CR>
-
-    nmap <F9> :Goyo<CR>:TogglePencil<CR>
-    nmap <leader>w :Goyo<CR>:TogglePencil<CR>:set colorcolumn=<CR>
-
-    nmap <leader>c :%w !xclip -selection clipboard<CR>
-    nmap <leader>x :r !xclip -out -selection -clipboard<CR><CR>
-
-    nmap <leader>f :Autoformat<CR>
-
-    nnoremap <leader>v <C-w>v<C-w>l
-
-    syntax enable
-    silent! colorscheme monokai
-
-    highlight Comment guifg=#64d86b
-    highlight SpecialComment guifg=#64d86b
-    highlight Todo guibg=#a9ebad
-
-    let g:lightline = {
-      \ 'colorscheme': 'wombat',
-      \ 'active': {
-      \   'left': [ [ 'mode', 'paste' ],
-      \             [ 'readonly', 'filename', 'modified', 'helloworld' ] ],
-      \   'right': [ [ 'gitbranch' ],
-      \              [ 'lineinfo' ],
-      \              [ 'percent' ],
-      \              [ 'fileformat', 'fileencoding', 'filetype', 'charvaluehex' ],
-      \              [ 'directory' ] ],
-      \ },
-      \ 'component_function': {
-      \   'gitbranch': 'fugitive#head',
-      \   'directory': 'LightLineFilename',
-      \ },
-      \ 'component': {
-      \ },
-      \ }
-
-
-    function! LightLineFilename()
-        return fnamemodify(expand('%F'), ":~:h")
-    endfunction
-
-    " == pencil ==
-    let g:pencil#textwidth = 80
-    let g:pencil#autoformat = 1
-    let g:pencil#wrapModeDefault = 'hard'
-    let g:pencil#map#suspend_af = 'K'
-
-    " == goyo ==
-    let g:goyo_width = 100
-    let g:goyo_height = "90%"
-    let g:goyo_linenr = 0
-
-    autocmd! User GoyoEnter Limelight
-    autocmd! User GoyoLeave Limelight!
-
-    " == limelight ==
-    let g:limelight_default_coefficient = 0.5
-
-    let g:ale_linters = {'rust': ['rust-analyzer']}
-
-    " === functions ===
-    function! DeleteTrailingWS()
-        exe "normal mz"
-        %s/\s\+$//e
-        exe "normal `z"
-    endfunction
-    autocmd BufWritePre * :call DeleteTrailingWS()
-
-    autocmd FileType yaml set shiftwidth=2
-    autocmd FileType toml set shiftwidth=2
-    autocmd FileType html setl shiftwidth=2
-
-    let g:instant_markdown_autostart = 0
-
-    let g:terraform_align = 1
-    let g:terraform_fmt_on_save=1
-
-    let g:rustfmt_autosave = 1
-
-    inoremap <silent><expr> <TAB>
-                \ coc#pum#visible() ? coc#pum#next(1) :
-                \ CheckBackspace() ? "\<Tab>" :
-                \ coc#refresh()
-    inoremap <expr><S-TAB> coc#pum#visible() ? coc#pum#prev(1) : "\<C-h>"
-
-    " Make <CR> to accept selected completion item or notify coc.nvim to format
-    " <C-g>u breaks current undo, please make your own choice.
-    inoremap <silent><expr> <CR> coc#pum#visible() ? coc#pum#confirm()
-                \: "\<C-g>u\<CR>\<c-r>=coc#on_enter()\<CR>"
-
-    function! CheckBackspace() abort
-        let col = col('.') - 1
-        return !col || getline('.')[col - 1]  =~# '\s'
-    endfunction
-
-    " Use <c-space> to trigger completion.
-    if has('nvim')
-        inoremap <silent><expr> <c-space> coc#refresh()
-    else
-        inoremap <silent><expr> <c-@> coc#refresh()
-    endif
-
-    if has('nvim')
-        inoremap <silent><expr> <c-space> coc#refresh()
-    else
-        inoremap <silent><expr> <c-@> coc#refresh()
-    endif
-
-    " https://stackoverflow.com/a/8585343
-    map <leader>q :bp<bar>sp<bar>bn<bar>bd<CR>
-
-    nmap <silent> gd <Plug>(coc-definition)
-    nmap <silent> gy <Plug>(coc-type-definition)
-    nmap <silent> gi <Plug>(coc-implementation)
-    nmap <silent> gr <Plug>(coc-references)
-endif

zsh/zprofile.j2

@@ -8,7 +8,7 @@ export PATH="${HOME}/bin:${PATH}"
 
 export EDITOR="helix"
 export VISUAL="helix"
-export BROWSER="firefox"
+export BROWSER="firefox-default"
 
 export PAGER="less"
 export LESS="FRX"
@@ -69,6 +69,20 @@ export AWS_CONFIG_FILE="$XDG_CONFIG_HOME"/aws/config
 
 export XINITRC="$XDG_CONFIG_HOME"/xinitrc
 
+export PSQLRC="$XDG_CONFIG_HOME/psqlrc"
+export PSQL_HISTORY="$XDG_STATE_HOME/psql_history"
+export PGPASSFILE="$XDG_CONFIG_HOME/pgpass"
+export PGSERVICEFILE="$XDG_CONFIG_HOME/pg_service.conf"
+
+export REDISCLI_HISTFILE="$XDG_DATA_HOME"/rediscli_history
+export REDISCLI_RCFILE="$XDG_CONFIG_HOME"/redisclirc
+
+export PYTHON_HISTORY=$XDG_STATE_HOME/python_history
+export PYTHONPYCACHEPREFIX=$XDG_CACHE_HOME/python
+
+# bash-specific
+export HISTFILE="$XDG_STATE_HOME"/bash_history
+
 umask 0022
 
 {% set env = machine.environment | combine(user.environment) %}

zsh/zshrc.j2

@@ -333,12 +333,7 @@ embiggen() {
 }
 
 journal() {
-    journaldir=~/sync/journal/
-    file="$journaldir/$(date +%Y-%m-%d).md"
-    if [[ ! -e $file ]] ; then
-        cp $journaldir/template.md $file || return
-    fi
-    $EDITOR $file
+    $EDITOR ~/sync/journal/"$(date +%Y-%m-%d).md"
 }
 
 prefix() {
@@ -379,6 +374,16 @@ tmp() {
     fi
 }
 
+# taken verbatim from https://yazi-rs.github.io/docs/quick-start, extended with "command" in
+# the last line to not use aliased `rm`
+function y() {
+    local tmp="$(mktemp -t "yazi-cwd.XXXXXX")" cwd
+    yazi "$@" --cwd-file="$tmp"
+    IFS= read -r -d '' cwd < "$tmp"
+    [ -n "$cwd" ] && [ "$cwd" != "$PWD" ] && builtin cd -- "$cwd"
+    command rm -f -- "$tmp"
+}
+
 setopt PROMPT_SUBST
 
 autoload -Uz vcs_info