| Commit message | Author | Age | Files | Lines |
| |
A full archsetup install with heavy AUR builds (vagrant and its git-cloned
installers) can run past the old 90-minute monitor cap on a slow mirror. When
that happened the run stopped monitoring mid-install and validated a
half-installed system, producing spurious late-step failures. Raise MAX_POLLS
from 180 to 300 (90 -> 150 minutes) so a slow-but-healthy install completes.
|
run-test.sh no longer runs the shell run_all_validations sweep; the Testinfra
pytest sweep now drives the run's pass/fail. run_testinfra_validation returns
pytest's exit code (and treats "could not run" as a failure, not a silent
pass), surfaces the pass/skip/fail counts through the shared VALIDATION_*
counters, and parses the attribution file so generate_issue_report still
buckets failures into archsetup / base_install / unknown.
The shell-sweep functions stay in validation.sh for now because
run-test-baremetal.sh still calls them; removing them (after migrating the
bare-metal runner) is filed as a follow-up.
|
Add post-install checks beyond the original shell sweep, validated against a
live VM: test_hardening (sshd prohibit-password, quiet-printk sysctl, emptied
/etc/issue, console font, EFI mount perms), test_config_applied (pacman
ParallelDownloads/Color/multilib, makepkg flags, NetworkManager drop-ins,
fail2ban jail, reflector), and test_backups (the .archsetup.bak files
backup_system_file leaves behind — end-to-end proof of that feature).
The new tests caught a real bug: ParallelDownloads stayed at Arch's default 5
because the sed only matched a commented "#ParallelDownloads", but current Arch
ships it uncommented. Match both (^#?ParallelDownloads) so the intended 10 takes
effect.
Verified against a kept VM: 95 passed, 10 skipped (the one remaining failure was
the pre-fix ParallelDownloads on the already-built VM, which the sed fix
resolves on the next fresh install).
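Added illustration of the ParallelDownloads bug described in the commit message above; it is not part of the commit or of archsetup. The function names, the exact sed invocations and the sample pacman.conf contents are assumptions; only the `^#?ParallelDownloads` pattern and the values 5 and 10 come from the message.

```shell
#!/usr/bin/env bash
# Added example: names and sed commands are hypothetical, not archsetup's code.

# Before: rewrites only the commented form. On a pacman.conf that ships
# "ParallelDownloads = 5" uncommented, sed matches nothing and still exits 0.
set_parallel_old() {
    sed -i 's/^#ParallelDownloads.*/ParallelDownloads = 10/' "$1"
}

# After: "#?" makes the leading comment marker optional, so both forms match.
# sed cannot report "no line matched", so the edit is confirmed afterwards
# and the function fails if the intended line is not in the file.
set_parallel_fixed() {
    sed -i -E 's/^#?ParallelDownloads.*/ParallelDownloads = 10/' "$1" || return 1
    grep -qx 'ParallelDownloads = 10' "$1"
}

# Print the value pacman would actually use (uncommented lines only).
effective_parallel() {
    sed -n -E 's/^ParallelDownloads[[:space:]]*=[[:space:]]*//p' "$1"
}
```

The post-edit grep is the part a test sweep would otherwise have to catch: an in-place sed that matches nothing looks identical to a successful one.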
|
VM run #2 exposed two test bugs (archsetup itself passed clean, 53/0/0):
- ScopeMismatch errors on 26 tests: the host-dependent fixtures were
session-scoped, but Testinfra's host fixture is module-scoped, and a
session fixture cannot request a module one. Drop those fixtures to
module scope.
- test_console_font_in_initramfs hardcoded /boot/initramfs-linux.img; this
fleet runs linux-lts, so the image is initramfs-linux-lts.img. Pick the
main (non-fallback) initramfs by glob instead.
|
The VM test SSHes into the guest as root with a password for the whole run. archsetup hardens sshd to PermitRootLogin prohibit-password and reloads it partway through the install, so every SSH after that step failed with "Permission denied" and the run aborted before any validation — make test had been silently broken since the hardening landed.
inject_root_key authorizes a throwaway root key right after the first SSH (before archsetup runs) and the ssh/scp helpers now add -i <key> via SSH_KEY_OPT. prohibit-password still allows root key auth, so the harness survives the very hardening it validates. Password stays as the fallback, so the change is additive.
|
Port all ~26 post-install checks from validation.sh to pytest/Testinfra,
reaching parity before the cutover. Adds test_users, test_packages,
test_services, test_desktop, test_boot, test_keyring, and test_archsetup
(88 tests after parametrizing groups, services, timers, tools, and configs),
plus shared conftest fixtures for ZFS/NVMe/compositor/networking gating.
The shell sweep's three outcomes map cleanly: hard failures become assertions,
advisory warnings and unmet preconditions (headless compositor, slirp
networking, optional services, non-ZFS/non-NVMe hosts) become skips.
One correctness fix vs the shell sweep: check awww, not swww — archsetup
installs awww (swww's successor) and `pacman -Q swww` no longer matches.
Verified on the host: py_compile clean, pytest --collect-only green (88 tests).
The sweep against a real VM is verified by the make test run that follows.
|
Stand up the Testinfra/pytest harness alongside the existing shell sweep so the two can be compared for parity before pytest takes over.
Adds scripts/testing/tests/ (conftest with failure attribution markers, a report hook, and a target_user fixture, plus three parity checks: user, ufw, dotfiles) and scripts/testing/lib/testinfra.sh, which injects a throwaway SSH key into the VM and runs pytest over SSH. The sweep is advisory here (RUN_TESTINFRA toggle, non-fatal) and does not yet affect pass/fail. Pulls python-pytest and python-pytest-testinfra into make deps.
Verified on the host: py_compile clean, pytest --collect-only green, bash -n and shellcheck clean. The sweep running against a real VM is verified by the next make test run.
|
Plan to port the VM harness's shell validation sweep (validation.sh, ~26 checks) to Testinfra + pytest for more expressive checks and better reporting, then expand coverage to the parts of archsetup that aren't validated today.
Records the design: where pytest fits in run-test.sh, the SSH connection model (inject a throwaway test key), preserving the three-way issue attribution via pytest markers, smoke/integration tiering, a parity-then-expand migration, and a Goss comparison.
|
Add a backup_system_file helper that snapshots a pre-existing file to <path>.archsetup.bak before archsetup edits it in place, so a botched edit to fstab, mkinitcpio.conf, or sudoers is recoverable. It is idempotent: it never overwrites an existing backup, so the pristine original survives repeated edits within a run and across re-runs. It uses cp -p to preserve mode and ownership.
Only the in-place sed and append edits to pre-existing files route through it (locale.gen, makepkg.conf, pacman.conf, sudoers, wireless-regdom, geoclue.conf, pacman-contrib, fstab, mkinitcpio.conf, vconsole.conf). The brand-new drop-in files archsetup fully owns are skipped: there is no prior state to save, and recovery is just deleting them.
Covered by tests/backup-system-file/ (Normal, Boundary, Error cases, including mode preservation and the no-overwrite guarantee).
|
Mark the waypaper --restore task DONE, add the relogin manual-test under "Manual testing and validation", and file a follow-up: set-wallpaper's mv detaches the waypaper config from its stow symlink.
|
- Restore the dropped "Collapsible waybar sides" heading. Its drawer and body were orphaned when an earlier edit clobbered the heading line.
- Re-stamp the oldest-unreviewed task batch; drop "security education" to [#C]; tag the bridge-font and wallpaper-restore items.
- Close the Proton Mail Bridge font task (UI font scaled via QT_FONT_DPI).
- Archive two resolved inbox items to assets/outbox/.
|
Claimed the dirvish-wallpaper item from the roam inbox (it's a Wayland wallpaper-utility issue). Filed it with the awww/set-wallpaper findings and handed the Emacs dirvish-command piece to that project. Closed the four next-set tasks: the device-udev flag, SPDX headers, boolean-comparison style, and the mpd playlist_directory split.
|
Three release cleanups, all behavior-preserving for my machines:
- Gated the Logitech BRIO udev rule behind INSTALL_DEVICE_UDEV_RULES (default yes, opt-out), so the device-specific rule is off for anyone without that hardware. Added the config read, validation, and a conf.example entry.
- Added a GPL-3.0-or-later SPDX-License-Identifier header after the shebang of all 24 shell scripts in the repo.
- Standardized boolean conditionals on the explicit [ "$var" = "true" ] form, replacing the bare `if $var` idiom. The STEPS function-dispatch is left alone, since it runs a function name rather than testing a boolean.
|
The first note said the system dconf db fixed it, but that left the running session white: a system-db default emits no change signal, so the appearance portal kept reporting no-preference, and libadwaita reads the portal, not GTK_THEME. The working fix added a user-level color-scheme set to signal the portal live.
|
Closed four solo tasks: nautilus dark theming (velox was missing the system dconf db that archsetup already declares), the CLI-tools install, the waybar tray-spacing fix, and the calendar-hover month/year highlight. Recorded the python-lyricsgenius recheck, which stays open: it still needs --skipinteg, but the cause moved from an expired PGP signature to a drifting LICENSE.txt checksum.
|
I adopted four modern CLI tools after the 2026-06-10 evaluation: bat (syntax-highlighting cat), dust (proportional disk-usage tree), hyperfine (statistical benchmarking), and doggo (a DNS client that speaks DoH/DoT/DoQ). tealdeer was already declared. All four are in extra and go in the General Utilities block.
I also corrected the python-lyricsgenius --skipinteg note. The original expired-signature cause is gone (the package tarball verifies now), but makepkg still fails integrity on a LICENSE.txt the PKGBUILD pulls from github master, so the workaround stays for a different reason than the old comment claimed.
|
Closed the three resolved tool-evaluation tasks into actionable work: adopt the modern CLI tools, migrate the terminal from foot to ghostty, and keep nautilus over yazi. Closed the org-capture popup task as sized to the scratchpad. Demoted nine undated high-priority sub-tasks to B per the priority scheme. Folded the wlogout laptop-test task into the rectangular-buttons task and tagged the whole waybar cluster :waybar: so it filters as a unit.
Reviewed the seven oldest-unreviewed tasks and kept all seven. Filed two new waybar tasks (calendar-hover highlight, idle-inhibitor rename) and folded a timer/stopwatch/alarm scope expansion into the existing waybar timer task.
|
Filed the zoom-launches-tiny and focus-on-unhide bugs as tracked tasks (held for a debug pass), and moved this round's completed tasks into Resolved.
|
The installer now writes /etc/ssh/sshd_config.d/10-hardening.conf with PermitRootLogin prohibit-password and reloads sshd, right after it starts the service. Root can still log in by key, never by password. PasswordAuthentication is left at the default so a normal user can bootstrap a key with ssh-copy-id.
This makes the posture intentional instead of leaning on Arch's commented default. velox and ratio both carried an explicit PermitRootLogin yes from earlier provisioning, which I'd already fixed by hand.
|
audit
|
Filed a [#C] task for the Fn+F9-toggles-pocketbook behavior on velox, with the investigation findings: the trigger isn't in any Hyprland bind, remapper, or pocketbook's own source, so it's parked until it resurfaces.
Also closed the paru-vs-yay research task properly: it had been left as a level-2 dated header, which is a sub-task shape, so it became DONE + CLOSED.
|
Manual-test checklists for the Super+F Dirvish popup (launch, focus-loss dismiss, per-type external launch, single-instance, q). New tasks captured from the roam inbox: wifi remediation scope, waybar emacs-service control, collapse sysmonitor to one icon, and Proton Mail Bridge font size.
|
A spike disproved the CSS / state-file approach. GTK3 has no display:none, so native modules go invisible but hold their space, and the bar never reflows. The mechanism is config-swap plus a SIGUSR2 reload, driven through an active config copied into XDG_RUNTIME_DIR so the toggle never rewrites the stowed canonical config.
The spec locks the base sets (left: menu + workspaces; right: date + worldclock + tray), keeps the two sides independent, and stays host-agnostic: the base set is constant, the full set is whatever each host already defines. Spec and spike findings live under working/.
|
Arch's rolling repo ships zig 0.16+, but ghostel's native-module compile fallback needs exactly 0.15.2: ghostel pins ghostty 1.3.2-dev, whose build does requireZig(0.15.2), and 0.16's build-API changes break the dependency build scripts. So a plain pacman -S zig produces a zig that can't build ghostel.
install_zig_pin downloads zig-x86_64-linux-0.15.2.tar.xz from ziglang.org, verifies the sha256, extracts to /opt/zig-0.15.2, and symlinks /usr/local/bin/zig ahead of /usr/bin on PATH, where pacman -Syu can't bump it. I split the verify-and-install core (zig_install_from_tarball) out so it stays network-free and unit-testable: it refuses on a sha256 mismatch, a missing tarball, or a tree with no zig binary, and short-circuits when a correct install already exists.
ghostel's default path downloads a prebuilt module and needs no zig, so this only matters for the offline compile fallback. The pin needs a one-line bump (ZIG_VERSION + ZIG_SHA256) whenever ghostel moves to a newer ghostty.
Tests live in tests/zig-pin/: 7 cases covering extract+symlink, idempotency, sha256-mismatch refusal, missing tarball, and no-binary cleanup, run against the real function extracted from the script.
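Added illustration of the verify-then-install behaviour the commit message above describes (refuse on a sha256 mismatch, a missing tarball or a tree with no binary; short-circuit on an existing install). It is not archsetup's `zig_install_from_tarball`: the function name, argument order, return codes and staging-directory approach are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helper, not code from the archsetup repository.
# install_pinned_tarball TARBALL SHA256 DEST LINK BIN
# Returns 0 installed or already present, 2 missing tarball, 3 sha256 mismatch,
# 4 extraction failed, 5 no BIN in the extracted tree.
install_pinned_tarball() {
    local tarball=$1 want=$2 dest=$3 link=$4 bin=$5 got stage

    # Short-circuit: assumes DEST is version-specific (e.g. /opt/zig-0.15.2),
    # so "binary present and LINK points at it" means the pin is in place.
    if [ -x "$dest/$bin" ] && [ "$(readlink "$link" 2>/dev/null)" = "$dest/$bin" ]; then
        return 0
    fi

    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }

    # Verify the digest before a single archive member is unpacked.
    got=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "sha256 mismatch: want $want, got $got" >&2
        return 3
    fi

    # Extract into a staging directory beside DEST so a failed or binary-less
    # archive never leaves a half-populated DEST behind.
    stage="$dest.stage.$$"
    rm -rf "$stage"
    mkdir -p "$stage" || return 4
    if ! tar -xf "$tarball" -C "$stage" --strip-components=1; then
        rm -rf "$stage"
        return 4
    fi
    if [ ! -x "$stage/$bin" ]; then
        echo "no $bin binary in extracted tree" >&2
        rm -rf "$stage"
        return 5
    fi

    rm -rf "$dest"
    mv "$stage" "$dest" || return 4
    mkdir -p "$(dirname "$link")" && ln -sfn "$dest/$bin" "$link"
}
```

Because the function takes a local tarball path and never touches the network, each refusal path can be exercised with small constructed archives.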
|
I ran an audit pass over the open-work tasks. I moved the six release-prep sub-tasks that target the now-standalone ~/.dotfiles repo out of the GitHub-release epic into that project, leaving a dated note pointing at the handoff. The epic now covers archsetup-proper release work only.
I reconciled two stale facts: dropped the dead scripts/gitrepos.sh reference (consolidated into post-install.sh in dae7659), and noted on the install-errors task that the latest VM run holds the error set at four known residuals.
I added a Tags section to the priority scheme (type, effort/autonomy, and an open set of topic tags) so the file declares its tag vocabulary, not just its priorities. I also de-linked two dead handoff-file references and filed the Waybar Wi-Fi no-internet task.
|
I marked the two package-inventory tasks DONE. Both are satisfied by scripts/package-inventory, now covered by characterization tests and a make package-diff target. I demoted the CI/CD pipeline task to C, since a full VM install per commit isn't realistic active backlog.
|
package-inventory compares archsetup's declared packages against the live system but had no tests, so a future archsetup edit (a new for-loop shape, a renamed install helper) could silently break the extraction.
I added two env seams so the script is testable without the real system. PKGINV_ARCHSETUP points the extractor at a fixture installer, PKGINV_PACMAN swaps in a fake pacman serving controlled query output. Both default to the real targets, so normal use is unchanged, and the seams match the env-override pattern audit-packages.sh already uses.
The 7 tests pin the extraction (direct calls, for-loop lists, variable-arg skip) and both diff directions against the fixture, with no network or real pacman db. I also added a make package-diff target so the tool is reachable alongside the test targets.
|
The popup fix shipped in the dotfiles repo (the script now calls cj/quick-capture; the scrolling layout is disabled and Super+Shift+S reassigned to a fullscreen screenshot). I filed the scrolling-layout frame-fit and wrap-around work as a follow-up, and archived the processed cross-project handoff replies.
|
The check captured 'ls path && echo yes', so a present linger file produced 'path\nyes', which never string-equals yes — every run warned regardless of actual state. Forensics on a kept VM showed lingering correctly enabled all along (file present mid-install, loginctl Linger=yes, logind healthy): the original VM-artifact hypothesis was wrong, archsetup's enable-linger calls were always fine. test -e captures cleanly; verified returning 'yes' against the live VM.
|
A single slow mirror (fastly, <1 byte/sec on one signature file) halted a full install at the -Syu step, which had no retry while every per-package install gets three attempts. The refresh now shares MAX_INSTALL_RETRIES; pacman resumes partial downloads, so a transient stall recovers.
|
scripts/audit-packages.sh extracts every pacman_install/aur_install package (loop lists included) and verifies each against its declared source — sync dbs for official, one batched RPC query for AUR — flagging movers in both directions. Unit-tested against fixture installers with fake pacman/curl.
First real run over 420 packages found four that vanished from both sources, each now fixed: libva-mesa-driver folded into mesa (line dropped), nvidia-dkms replaced by nvidia-open-dkms (Turing+; legacy cards are the preflight task's problem), swww replaced by awww (its successor, already what both machines run), and libappindicator-gtk3 replaced by libayatana-appindicator. Fifteen AUR entries that graduated to official repos still install fine via yay and are left as-is.
|
Mirrors the dotfiles Makefile semantics: a package named after the machine (/etc/hostname, uname -n fallback) is stowed after common + DE when the directory exists, skipped with a message otherwise. Hosts without a tier — including the test VM — see no behavior change.
|
close-out
|