#+TITLE: ArchSetup Tasks
#+AUTHOR: Craig Jennings
#+DATE: 2026-02-14

* Archsetup Open Work

** TODO [#A] Ensure sleep/suspend works on laptops
Critical functionality for laptop use - current battery drain unacceptable

**NOTE:** This applies to Framework Laptop (velox), not Framework Desktop (ratio)

Add kernel parameter: ~rtc_cmos.use_acpi_alarm=1~ (will become systemd default)
Consider: ~acpi_mask_gpe=0x1A~ for battery drain, suspend-then-hibernate config
See Framework community notes on logind.conf and sleep.conf settings

** TODO [#A] Build CI/CD pipeline that runs archsetup on every commit
Core automation infrastructure - enables continuous validation
*** TODO [#B] Investigate rlwrap not installed after archsetup run
rlwrap is declared in archsetup (Emacs Dependencies section, line 1779) but was not
installed on this machine after archsetup ran. Manually installed 2026-02-06.
When CI/CD is running, verify that all packages in the Emacs Dependencies section
are actually installed after a full test run. May indicate a broader issue with
packages being skipped silently.

** TODO [#A] Generate recovery scripts from test failures
Auto-create post-install fix scripts for failed packages - makes failures actionable

** TODO [#A] Create package inventory system
*** TODO [#A] List all packages archsetup would install (including dependencies)
*** TODO [#A] List all packages currently installed on live system
*** TODO [#A] Generate diff showing what's in archsetup vs what's on system

** TODO [#A] Establish monthly review workflow
*** TODO [#A] For packages in archsetup but not on system: determine if still needed
*** TODO [#A] For packages on system but not in archsetup: decide add or remove
*** TODO [#A] Schedule monthly package diff review

** TODO [#A] Automate the inventory comparison
Make package diff a runnable script instead of manual process

** TODO [#A] Complete security education within 3 months
Read recommended resources to make informed security decisions (see metrics for Claude suggestions)

** TODO [#A] Prevent X termination and VT switching (security risk)
If someone grabs laptop at cafe and hits ctrl+alt+backspace, they kill screensaver/X and get console access
Need to disable: ctrl+alt+backspace (zap X) and ctrl+alt+F# (VT switching)
Previous attempts to configure in xorg.conf.d failed - need to investigate what's overriding the settings
Tried: /etc/X11/xorg.conf.d/00-no-vt-or-zap.conf with DontVTSwitch and DontZap options
Removed conflicting setxkbmap statements, gdm, and keyd configs - still didn't work

** TODO [#B] All error messages should be actionable with recovery steps
Currently just reports errors without guidance on how to fix them

** TODO [#B] Full install logs should contain timestamps
Verify timestamps exist for debugging failures

** TODO [#B] Add input validation for username and paths
Variables like ~$username~, ~$source_dir~, and paths are not validated
Special characters or malicious input could break the script or cause security issues
Should validate inputs match expected patterns (alphanumeric, valid
paths, etc.)

** TODO [#B] Enable TLP power management for laptops
TLP manages power-saving modes for Wi-Fi, USB, PCIe, Bluetooth, CPU scheduler
Install tlp, enable service, add custom Framework 13 config to /etc/tlp.d/01-custom.conf
Improves battery life and prevents power-related issues during install/post-install

** TODO [#B] Improve logging consistency
Some operations log to ~$logfile~, others don't - standardize logging
All package installs should log, all system modifications should log, all errors should log with context
Makes debugging failed installations easier

** TODO [#B] Add backup before system file modifications
Safety net for /etc/X11/xorg.conf.d and other system file edits
Files like ~/etc/sudoers~, ~/etc/pacman.conf~, ~/etc/default/grub~ modified without backup
If modifications fail or are incorrect, difficult to recover - should backup files to ~.backup~ before modifying

** TODO [#B] Implement Testinfra test suite for archsetup
Create comprehensive integration tests using Testinfra (Python + pytest) to validate archsetup installations

See complete documentation: [[file:docs/testing-strategy.org::*Test Automation Framework][Testing Strategy - Test Automation Framework]]

Tests should cover:
- Smoke tests: user created, key packages installed, dotfiles present
- Integration tests: services running, configs valid, X11 starts, apps launch
- End-to-end tests: login as user, startx, open terminal, run emacs, verify workflows

Framework: Testinfra with pytest (SSH-native, built-in modules for files/packages/services/commands)
Location: scripts/testing/tests/ directory
Integration: Run via pytest against test VMs after archsetup completes
Benefits: Expressive Python tests, excellent reporting, can test interactive scenarios

The testing-strategy.org document includes:
- Complete example test suite (test_integration.py)
- Tiered testing strategy (smoke/integration/end-to-end)
- How to run tests and integrate with run-test.sh
- Comparison with alternatives
  (Goss)

** TODO [#B] Set up automated test schedule
Weekly full run to catch deprecated packages even without commits

** TODO [#B] Implement manual test trigger capability
Allow on-demand test runs when automation is toggled off

** TODO [#B] Create test results dashboard/reporting
Make test outcomes visible and actionable

** TODO [#B] Block merges to main if tests fail
Enforce quality gate - broken changes don't enter main branch

** TODO [#B] Add network failure testing to test suite
Simulate network disconnect mid-install to verify resilience

** TODO [#B] Keep container base images up to date
Regular updates to Arch base image with review process and schedule

** TODO [#B] Persist test logs for historical analysis
Archive logs with review process and schedule to identify failure patterns and trends

** TODO [#B] Implement automated deprecation detection
Parse package warnings and repo metadata to catch upcoming deprecations proactively

** TODO [#B] Audit dotfiles/common directory
*** TODO [#B] Review all 50+ scripts in ~/.local/bin - remove unused scripts
*** TODO [#B] Check dotfiles for uninstalled packages - remove orphaned configs
*** TODO [#B] Verify all stowed files are actually used

** TODO [#B] Remove unnecessary linux-firmware packages (velox only)
Remove firmware packages for hardware not present on Framework laptop.

**NOTE:** This applies to Framework Laptop (velox), not Framework Desktop (ratio)

Only needed:
- linux-firmware-intel (CPU/GPU/Audio)
- linux-firmware-atheros (WiFi)

Can remove:
- linux-firmware (meta-package)
- linux-firmware-amdgpu
- linux-firmware-broadcom
- linux-firmware-cirrus
- linux-firmware-mediatek
- linux-firmware-nvidia
- linux-firmware-other
- linux-firmware-radeon
- linux-firmware-realtek

Disk space savings: ~600 MB

See [[file:docs/firmware-cleanup.org][docs/firmware-cleanup.org]] for full analysis and removal commands.
After removal, update archsetup script to install only needed firmware packages.

** TODO [#B] Identify and replace packages no longer in repos
Systematic check for availability issues

** TODO [#B] Verify package origin for all packages
Ensure packages are installed from correct source (official repos vs AUR) - prevent installing from wrong place

** TODO [#B] Automate script usage tracking
Parse shell history files for ~/.local/bin script names to identify last usage date and unused scripts

** TODO [#B] Automate dotfile validation
Parse config files for binary/command references and verify those binaries exist - catch orphaned references

** TODO [#B] Test security + functionality together
*** DONE [#B] Verify SSH to remote server works
CLOSED: [2026-02-02 Mon]
Tested 2026-02-02: ssh cjennings.net returns "connected" successfully.
SSH key authentication working, no password required.
*** DONE [#B] Verify Proton Mail Bridge retrieves email
CLOSED: [2026-02-02 Mon]
Verified 2026-02-02: Proton Mail Bridge running, ports 1143 (IMAP) and 1025 (SMTP)
listening on 127.0.0.1. mu4e email retrieval functional.
*** TODO [#B] Verify no unexpected open ports or services

** TODO [#B] Security audit tooling
*** TODO [#B] Implement port scanning check
*** TODO [#B] Create security posture verification script
*** TODO [#B] Set up intrusion detection monitoring

** TODO [#B] Document threat model and mitigations within 6 months
Identify attack vectors, what's mitigated, what remains

** TODO [#B] Verify package signature verification not bypassed by --noconfirm
Packages installed with ~--noconfirm~ may skip signature checks
AUR had issues previously requiring --noconfirm workaround - verify this doesn't compromise security
Ensure package signatures are still verified despite --noconfirm flag

** TODO [#B] Document evaluation criteria and trade-offs
Establish clear process for tool evaluation decisions

** TODO [#B] Test each modernization thoroughly before replacing
Ensure new tools integrate with DWM environment and don't break workflow

** TODO [#B] Add Rust installation via rustup instead of pacman package
The =rust= package has been removed from archsetup. Need to add Rust installation
using =rustup= (the official Rust toolchain manager) instead of the Arch package.

Steps:
- Install rustup: =pacman -S rustup=
- Initialize default toolchain: =rustup default stable=
- Consider adding to archsetup or post-install script

Reference: Removed from archsetup on 2025-11-15

** TODO [#B] Add NVIDIA preflight check for Hyprland
Detect NVIDIA GPU and warn user about potential Wayland issues:
- Require driver version 535+ or abort
- Document required env vars (LIBVA_DRIVER_NAME, GBM_BACKEND, etc.)
- Prompt to continue or abort if NVIDIA detected

** TODO [#B] Validate DESKTOP_ENV default behavior
Confirm that defaulting DESKTOP_ENV to "dwm" when unassigned is the right choice.
Consider: should it prompt interactively instead? Or fail with a clear message?

** TODO [#B] Test archsetup username/password prompts
Test the username and password prompt functionality added to archsetup.
Verify prompts work correctly on fresh install simulation.

** TODO Check linux-lts version until 6.18+
SCHEDULED: <2026-02-23 Mon +3w>
Run =topgrade= and check =pacman -Q linux-lts=. Once 6.18+, remove
=/etc/modprobe.d/amdgpu.conf= and mark this DONE.

Background: AMD Strix Halo VPE power gating bug causes system freeze.
Workaround disables power gating. Fix is in kernel 6.15+.

** TODO [#C] Review theme config architecture for dunst/fuzzel
The active dunst config is stowed from dotfiles/common/ but theme templates live in
dotfiles/hyprland/.config/themes/. set-theme copies the templates to the stowed
locations at runtime, so edits to the common file get overwritten on theme switch.

This split between stowed configs and theme templates is error-prone — changes must
be made in both places. Consider:
- Having set-theme be the single source of truth (remove common dunstrc from stow)
- Or symlinking the stowed config to a theme-managed location
- Same situation applies to fuzzel.ini

The goal is a single place to edit each config, not two.

** TODO [#C] Create Chrome theme with dupre colors
Create a Chrome browser theme using the dupre color palette.
Plan saved in [[file:docs/PLAN-browser-themes.org][docs/PLAN-browser-themes.org]].

** TODO [#C] Document testing process in README
Help future maintainers understand and modify test infrastructure

** TODO [#C] Monitor and optimize test execution time
Keep test runs performant as installs and post-install tests grow (target < 2 hours)

** TODO [#C] Set up alerts for deprecated packages
Proactive monitoring integrated with testing

** TODO [#C] Fix VM cloning machine-ID conflicts for parallel testing
Currently using snapshot-based testing which works but limits to sequential test runs
Cloned VMs fail to get DHCP/network even with machine-ID manipulation (truncate/remove)
Root cause: Truncating /etc/machine-id breaks systemd/NetworkManager startup
Need to investigate proper machine-ID regeneration that doesn't break networking
Would enable parallel test execution in CI/CD
Priority C because snapshot-based testing meets current needs

** TODO [#C] Create security checklist for cafe/public wifi scenarios
Practical guidelines for working in public spaces

** TODO [#C] Build security dashboard command
Single command shows: encryption status, firewall status, open ports, running services

** TODO [#C] Evaluate modern CLI tool replacements
bat, eza, zoxide, dust, ripgrep-all - only adopt if clear friction reduction

** TODO [#C] Consider paru instead of yay
Evaluate if paru offers meaningful improvements for AUR management

** TODO [#C] Evaluate terminal emulator alternatives
ghostty for ligature support - addresses known deficiency

** TODO [#C] Review file manager options for Wayland
Ranger image previews don't work in foot terminal (Wayland).
Ranger's kitty graphics method checks TERM for "kitty" string, and foot's kitty protocol
implementation has subtle incompatibilities that cause hangs. ueberzug is X11-only.
Tried yazi (2026-02) - theming/icon color customization was problematic.
Revisit later when yazi matures or try lf with custom preview scripts.
Keep ranger for DWM/X11 where ueberzug works fine.

** TODO [#C] Review current tool pain points annually
Once-yearly systematic inventory of known deficiencies and friction points in current toolset

** TODO [#C] Install Zoxide integration into Ranger
https://github.com/jchook/ranger-zoxide - enables zoxide jumping within ranger file manager

** TODO [#D] Find or create a monocle layout for Hyprland
Both existing monocle plugins (zakk4223/hyprlandMonocle, pianocomposer321/hyprland-monocle)
are abandoned and broken against current Hyprland. Options: fork and fix hyprlandMonocle
(more features), script a pseudo-monocle using fullscreen 1, or wait for a maintained plugin.
Lower priority since stash-window ($mod+O / $mod+Shift+O) covers the main use case.
More important for laptop installs.

** TODO [#D] Consider Customizing Hyprland Animations
Current: windows pop in, scratchpads slide from bottom.

Customizable animations:
- windows / windowsOut / windowsMove - window open/close/move
- fade - opacity changes
- border / borderangle - border color and gradient angle
- workspaces - workspace switching
- specialWorkspace - scratchpads (currently slidevert)
- layers - waybar, notifications, etc.

Styles: slide, slidevert, popin X%, fade
Parameters: animation = NAME, ON/OFF, SPEED, BEZIER, STYLE
Speed: lower = faster (1-10 typical)

Example tweaks:
#+begin_src conf
animation = windows, 1, 2, myBezier, popin 80%
animation = workspaces, 1, 4, default, slide
animation = fade, 1, 2, default
animation = layers, 1, 2, default, fade
#+end_src

** VERIFY [#D] Test wlogout menu on laptop
Test wlogout exit menu on laptop to verify sizing works on different display.
Current config uses fixed pixel margins - may need adjustment for laptop screen.

** TODO [#D] Parse and improve AUR error reporting
Parse yay errors and provide specific, actionable fixes instead of generic error messages

** TODO [#D] Improve progress indicators throughout install
Enhance existing indicators to show what's happening in real-time

** TODO [#D] Add retry logic to git_install function
pacman_install and aur_install have retry logic, but git_install doesn't

** TODO [#D] Add cpupower installation and enabling to archsetup
cpupower service configures the default CPU scheduler (powersave or performance)
Install cpupower, configure /etc/default/cpupower, enable service: ~systemctl enable --now cpupower.service~

** TODO [#D] Bulk shellcheck cleanup
Reviewed 2026-01-24: ~128 warnings, mostly acceptable patterns or low-priority style issues.
- SC2024 (sudo redirects) - acceptable, script runs as root
- SC2174 (mkdir -p -m) - reviewed, not a practical issue
- Various quoting warnings - high-priority ones already fixed

Run =shellcheck archsetup= periodically to check for new issues, but bulk cleanup is low priority.

* Archsetup Resolved