Dotfiles

My dotfiles - use them and contribute your personal changes/suggestions.

Installation

The specifically target Arch-alike distributions. For instance, the instructions here should also work for Manjaro, which builds upon Arch.

Most importantly, it's require to install a package manager, which makes use of the AUR. yay is by far the best one I've ever seen and can simply be installed like so.

sudo pacman -S --needed git base-devel && git clone https://aur.archlinux.org/yay.git && cd yay && makepkg -si

Then, you'd want to install all relevant packages from the General packages, Fonts and AUR sections.

Dotfiles are managed by chezmoi. Run chezmoi init rtucek in order to download all dotfiles, followed by chezmoi cd for jumping directly to the git repo of the dotfiles.

A couple of template variables have to be set for proper configuration. Use the sample config file from dot_config/chezmoi/chezmoi.toml.sample and copy it to ~/.config/chezmoi/chezmoi.toml, then set the value accordingly and run chezmoi apply for having the actual dotfiles being put a their right place.

Refer to chezmoi's docs for further details.

Contribution

Pull requests are welcome!

Dependencies

The dotfiles are optimized for the following setup.

General packages

• alsa-utils
• arandr
• arch-audit
• autorandr [8]
• bash-completion
• bat [1]
• bluetui
• bluez
• bluez-utils
• bolt [4]
• brightnessctl
• chezmoi
• ctags
• devspace-bin
• diff-so-fancy
• dmidecode
• docker [2]
• docker-compose
• dog
• dunst
• firefox
• fwupd
• fzf
• gimp
• git-delta [1]
• glab
• globalprotect-openconnect
• gnome-keyring
• gnu-netcat
• go
• gparted
• gufw
• gzip
• helm
• helvum
• httpie
• i3-battery-popup-git
• inxi
• ipcalc
• jless
• jq
• k9s
• kubectl
• lastpass-cli
• less
• litecli
• lsb-release
• lshw
• lsof
• man-db
• mkcert
• msr-tools
• mtr
• mycli
• mysql-workbench
• neovim
• networkmanager-openconnect
• nitrogen
• openconnect
• openssh
• osquery
• pcmanfm
• percona-server-clients
• percona-toolkit
• pgcli
• picom
• pigz
• pipewire [7]
• pipewire-pulse
• playerctl
• polkit-gnome
• polybar [6]
• postgresql-client
• pw-volume
• pwgen
• python-pip
• python-pipx
• python-pynvim
• ranger
• rofi
• rsync
• ruby-erb
• scrot
• snapd
• sound-theme-freedesktop
• speedtest-cli
• stern
• strongswan
• tcpdump
• tela-circle-icon-theme-manjaro
• terminator
• testssl.sh
• the_silver_searcher
• thunderbird
• tmux [3]
• torbrowser-launcher
• tree
• tree-sitter-cli
• udiskie
• udisks2
• ufw [5]
• unzip
• usbutils
• veracrypt
• vi
• whois
• wireplumber
• xclip
• xorg-xinput
• xorg-xkill
• xss-lock
• yay
• yubioath-desktop

FS support

• bcachefs-tools
• btrfs-progs
• btrfs-tools
• cryptsetup
• dosfstools
• exfatprogs
• hfsprogrs
• hfsutils
• lvm2
• mtools
• ntfs-3g
• ntfs-progrs

Fonts

• noto-fonts
• noto-fonts-cjk
• noto-fonts-emoji
• ttf-dejavu
• ttf-font-awesome
• ttf-input-nerd
• ttf-joypixels

AUR

• 1password
• 1password-cli
• auto-cpufreq [9]
• certigo
• csvtools-git
• google-chrome
• kind-bin
• nvm
• postman-bin
• tmuxinator
• unimatrix-git
• xidlehook

Snap packages

n/a

Composer

composer global require consolidation/cgr

nvm

Most important commands are:

nvm install --lts # Installing most recent LTS version
nvm alias default "lts/*" # Alias most recent lts node version as default
nvm use default # Use most recent version
nvm install-latest-npm # Upgrade npm to the latest version

npm

The following npm packages are considered as standard. Install them via npm install --global [packages]:

• @vue/cli
• create-react-app
• neovim

yarn

Install yarn via npm. Let yarn manage itself by re-installing yarn globally and removing it afterwards via npm again.

npm -g install yarn
yarn global add yarn
npm -g remove yarn

PIP

pipx install python-language-server # (coc-python)

Bash completion

• composer (cgr require bamarni/symfony-console-autocomplete)
• tmux (https://github.com/imomaliev/tmux-bash-completion/blob/master/completions/tmux)
• yarn (https://github.com/dsifford/yarn-completion/blob/master/yarn-completion.bash)

Addendum

Syntax highlight with bat and cat [1]

As a special case, in order to have syntax highlighting for PHP work with bat in combination with delta diffs, refer to these instructions.

It's necessary to perform this step, whenever bat gets updated.

Docker post-installation [2]

By default, the docker installation requires some manual actions. For instance, the docker daemon is not started automatically. It's required to run sudo systemctl start docker after the installation and likewise, it's required to run every docker command with sudo. For convenience, you'd typically want to run these commands once (based on Docker's official docs:

# Start docker and containerd daemon upon boot
sudo systemctl enable --now docker.service
sudo systemctl enable --now containerd.service

# Run docker commands root-less
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker

Install tmux plugins [3]

After tmux has been installed, run the following commands in order to install and setup tmux plugin manager (TPM) for the first time. The following commands below will clone TPM's source code and install it at the right location, then type; Ctrl + SPACE + I in order to actually install tmux plugins.

git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm

sudo password indicator

When using sudo, it's convenient to have a masked password indicator in case sudo requires to enter the user's password. In order to have a password indicator, simply run sudo visudo and add the following lines below.

+# Have a masked password indicator, when typing the password for sudo
+Defaults pwfeedback

Pacman tweaks

There are some nice2have tweaks for pacman. Simply add these lines to the /etc/pacman.conf file (or uncomment existing ones).

+# Have colored output
+Color
+# Add fancy pacman gimmick to progres bar
+ILoveCandy
+# Multiple simultaneous downloads
+ParallelDownloads = 5

Faillock account lockout

Faillock with cause a temporary account lock for users, who mistype their password too often. Usually, the default values are a lockout of 10 minutes after 3 failed attempts. In case this is unwanted, disable faillock like so by modifying /etc/security/faillock.conf (source: Arch Wiki - Security):

 #
 # Only track failed user authentications attempts for local users
 # in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
 # The `faillock` command will also no longer track user failed
 # authentication attempts. Enabling this option will prevent a
 # double-lockout scenario where a user is locked out locally and
 # in the centralized mechanism.
 # Enabled if option is present.
 # local_users_only
 #
 # Deny access if the number of consecutive authentication failures
 # for this user during the recent interval exceeds n tries.
 # The default is 3.
-# deny = 3
+deny = 0
 #
 # The length of the interval during which the consecutive
 # authentication failures must happen for the user account
 # lock out is <replaceable>n</replaceable> seconds.
 # The default is 900 (15 minutes).
 # fail_interval = 900
 #

Handling lid-switch, power key pressing and similar

The handling of certain hardware events like lid-switch, short or long pressing of power key, etc., are handled by systemd's systemd-logind.service.

The default settings may be viewed by running systemd-analyze cat-config systemd/logind.conf.

In order to override default behavior, create a drop-in for the config file by adding overrides into any /etc/systemd/logind.conf.d/*.conf. This is typically done by:

sudo mkdir -p /etc/systemd/logind.conf.d
systemd-analyze cat-config systemd/logind.conf | sudo tee /etc/systemd/logind.conf.d/90-logind.conf

Then, open /etc/systemd/logind.conf.d/90-logind.conf and leave only your overrides un-commented. Below are some sample customizations.

--- /etc/systemd/logind.conf
+++ /etc/systemd/logind.conf.d/90-logind.conf
@@ -1,3 +1,4 @@
+# /etc/systemd/logind.conf
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it under the
@@ -24,18 +25,18 @@
 #KillExcludeUsers=root
 #InhibitDelayMaxSec=5
 #UserStopDelaySec=10
-#SleepOperation=suspend-then-hibernate suspend
-#HandlePowerKey=poweroff
-#HandlePowerKeyLongPress=ignore
+SleepOperation=suspend-then-hibernate suspend
+HandlePowerKey=suspend
+HandlePowerKeyLongPress=poweroff
 #HandleRebootKey=reboot
 #HandleRebootKeyLongPress=poweroff
 #HandleSuspendKey=suspend
 #HandleSuspendKeyLongPress=hibernate
 #HandleHibernateKey=hibernate
 #HandleHibernateKeyLongPress=ignore
-#HandleLidSwitch=suspend
-#HandleLidSwitchExternalPower=suspend
-#HandleLidSwitchDocked=ignore
+HandleLidSwitch=suspend
+HandleLidSwitchExternalPower=suspend
+HandleLidSwitchDocked=suspend
 #HandleSecureAttentionKey=secure-attention-key
 #PowerKeyIgnoreInhibited=no
 #SuspendKeyIgnoreInhibited=no

Finally, run sudo systemctl reload systemd-logind.service in order to have any changes being applied.

Links:

• LOGIND.CONF(5)
• SYSTEMD-LOGIND.SERVICE(8)

CPU clock modulation fix

Some Dell XPS devices may become slow after system wakeups. This is due to aggressive suspend settings in clock modulation settings.

To fix this issue, add the systemd unit file to /etc/systemd/system/msr-fix.service, then enable it via sudo systemctl enable msr-fix.service. The unit file will explicitly reset the necessary CPU register.

[Unit]
Description=Fix MSR after wakeup
After=suspend.target

[Service]
User=root
Type=oneshot
ExecStart=wrmsr -a 0x19a 0x0

[Install]
WantedBy=suspend.target

Fix hotplug issue with Thunderbolt [4]

Given the following symptoms:

Devices, connected via Thunderbolt don't work if "hot plugged in" (that is, after the OS has booted). However, if the device is connected at cold boot time, the device works mystically. In particular, to a Dock connected devices like keyboards and mouses don't assume to have any powered state (e.g. the laser pointer of a mouse remains switched off).

This is due to the OS' security settings. The OS - by default - protects against DMA attacks such as Thunderstrike, by setting the security mode to user or secure. So the in some form or another, we have to "approve" the connected device.

One way to simply get away with it, is to add a udev rule to /etc/udev/rules.d/99-removable.rules, which just authorizes essentially every hot-plugged Thunderbolt device:

ACTION=="add", SUBSYSTEM=="thunderbolt", ATTR{authorized}=="0", ATTR{authorized}="1"

The rule will become effective after the next reboot, however you can also avoid a reboot by live-reloading udev rules:

sudo udevadm control --reload-rules
sudo udevadm trigger

However, a much simpler approach would be actually authorizing the device via bolt.

Sources:

• Thunderbolt
• Thunderbolt - udev rule (Arch Wiki)
• Live-reload udev rule (unix.stackexchange.com)

GPG keyservers

My GPG keys are generally distributed via the following public keyservers:

• keys.openpgp.org
• keyserver.ubuntu.com
• pgp.mit.edu

Fix automatic wake ups from suspend

For some Tuxedo Laptops, the Laptop wakes up automatically within a couple of seconds. This is due to a bug in the BIOS, which can be seen in the syslog, based on these log entries:

[...]
xxx xx xx:xx:xx archlinux kernel: ACPI BIOS Error (bug): Could not resolve symbol [\_SB.ACDC.RTAC], AE_NOT_FOUND (20230628/psargs-332)
xxx xx xx:xx:xx archlinux kernel: ACPI Error: Aborting method \_SB.PEP._DSM due to previous error (AE_NOT_FOUND) (20230628/psparse-529)
[...]

For mitigation, the kernel parameter acpi.ec_no_wakeup=1 must be set in /etc/default/grub:

-GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
+GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi.ec_no_wakeup=1"

Don't forget to run sudo update-grub in order re-build and deploy the grub config, so that it becomes effective from the next system boot onwards..

For testing purpose, the acpi.ec_no_wakeup=1 parameter can also be set at post-boot with the sysfs interface:

# Read current state of acpi.ec_no_wakeup via ...
cat /sys/module/acpi/parameters/ec_no_wakeup
# ... Y -> 1 (on); N -> 0 (off)
# Set the value by writing 1 or 0 to the file: e.g.
echo "1" | sudo tee /sys/module/acpi/parameters/ec_no_wakeup

It's worth pointing out, that even with setting the parameter, the error will still be logged to syslog, however the automatic wake ups are prevented this way.

Links:

• Tuxedo FAQ / Device Immediately Wakes Up After Suspend
• Arch Wiki / /sys/module/acpi/parameters/ec_no_wakeup

ufw post-install actions [5]

Uncomplicated Firewall (aka ufw) may not be active right away post-install. This can be fixed with systemd.

sudo systemctl enable --now ufw.service

Further, even if ufw is started via systemd, ufw may not be initialized. Run the following commands in order to check and fix (if needed).

$ sudo ufw status
Status: inactive
# explicitly enable ufw
$ sudo ufw enable
Firewall is active and enabled on system startup

Finally, check if the current rules are the "sane and sensitive defaults":

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

Mind the Default: deny (incoming), allow (outgoing), deny (routed) line. In case default rules are different by default, you may correct them with:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw default deny routed

Links:

• Arch Wiki / Uncomplicated Firewall
• Ubuntu Wiki / UFW

Have systemd using same default console editor

By default, systemd may use any available console-based editor. However, the SYSTEMD_EDITOR ENV allows configuring any editor of preference. In order to have sudo based commands inheriting this ENV, add the following line to the sudoers file manually via visudo.

 ##
 ## Preserve editor environment variables for visudo.
 ## To preserve these for all commands, remove the "!visudo" qualifier.
 Defaults!/usr/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
+Defaults env_keep += "SYSTEMD_EDITOR"
 ##
 ## Use a hard-coded PATH instead of the user's to find commands.

Permissions for Polybar [6]

Many modules may not work out of the box. Inspect ~/.config/polybar/config.ini, which might require a few parameters to be properly templated via chezmoi.

Change backlight via scrolling

For having support for changing the backlight via scrolling, do the following:

1. Add your user to the video group.

sudo usermod -aG video $USER
newgrp video

2. Add the following udev rule /etc/udev/rules.d/99-backlight.rules

ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/chgrp video $sys$devpath/brightness", RUN+="/bin/chmod g+w $sys$devpath/brightness"

Reload udev via:

sudo udevadm control --reload-rules
sudo udevadm trigger

In case it does not work, try rebooting the system.

Pipewire post-installation activation [7]

pipewire is used as the audio router and processor. For audio session management, wireplumber is used.

Additionally, the pipewire-pulse package is installed for mimicking pulseaudio for some applications. In order to have both services working reliably, make sure systemd is running them upon startup.

helvum may be used as patchbay GUI for pipewire.

systemctl enable --user --now pipewire.service
systemctl enable --user --now pipewire-pulse.service

Autorandr post-installation activation [8]

autorandr is used to automatically detect monitors, storing profiles and auto-applying them upon reconnect.

In order to work properly, the following 2 systemd services should be activated:

sudo systemctl enable --now autorandr.service
sudo systemctl enable --now autorandr-lid-listener.service

Bluetooth support

For having Bluetooth working, the bluetoothd daemon must run in the background. Run the following systemd command in order to run bluetoothd from the beginning.

sudo systemctl enable --now bluetooth.service

Tools like bluetui and bluetoothctl may be used for frontends for interacting.

Yubikey support

Yubikey builds upon the smartcard interface, whose service may not be running. You may enable the service to become available via systemd activation:

sudo systemctl enable --now pcscd.service

auto-cpufreq post-installation activation [9]

THe auto-cpufreq daemon need to be activated via systemd first.

sudo systemctl enable --now auto-cpufreq

Once done, auto-cpufreq --stats allows live-observing the profile. For instance on AC, the performance governor will be applied, otherwise the powersave governor when relying on battery.