Initial commit: linux-provision repo

Distribution-agnostic provisioning script that sets up a new Linux machine
(Detected via lib/distro.sh - supports Debian/Ubuntu/Pop and Fedora families).

13 stages covering:
- System packages, external repos, toolchains (nvm, uv, Python)
- Shell config (zsh, oh-my-zsh, p10k), git, SSH
- Custom uv tools from ~40 git repos
- Desktop config (keybindings, hotkeys, ghostty, fonts)
- Docker, system tweaks, browser/app installs
- Custom systemd user services (porridge, swayidle, mempi-sync, etc.)
- API keys loaded from Bitwarden at shell startup

TODO.md

@@ -0,0 +1,173 @@
+# Post-Provisioning TODO
+
+Things that can't be fully automated (require manual setup, credentials,
+or hardware-specific configuration).
+
+## 1. SSH Keys & GitHub
+
+- [ ] **Load SSH keys from Bitwarden** or generate a new key:
+  ```bash
+  # Option A: Generate fresh key
+  ssh-keygen -t ed25519 -C "hi@julianprester.com"
+
+  # Option B: Set up Bitwarden+SSH loading
+  bw login
+  bw unlock --raw > ~/.config/Bitwarden\ CLI/.session
+  chmod 600 ~/.config/Bitwarden\ CLI/.session
+  bw-load-ssh.sh
+
+  # Option C: Copy keys from old machine
+  # scp old-machine:~/.ssh/id_ed25519* ~/.ssh/
+  ```
+- [ ] **Add SSH public key to GitHub**: https://github.com/settings/keys
+- [ ] Clone this repo and remaining repos:
+  ```bash
+  git clone git@github.com:julianprester/linux-provision.git
+  ```
+
+## 2. Bitwarden & Environment Variables
+
+API keys are loaded directly in `.zshrc` via `bw` + `jq`. No separate script.
+
+- [ ] **Run `bw login`** to authenticate with Bitwarden
+- [ ] **Unlock vault and save session:**
+  ```bash
+  bw unlock --raw > ~/.config/Bitwarden\ CLI/.session
+  chmod 600 ~/.config/Bitwarden\ CLI/.session
+  ```
+- [ ] **Create a Bitwarden item** named "Environment" (type: Secure Note)
+      with custom fields for each API key:
+
+      | Field Name | Type | Example Value |
+      |---|---|---|
+      | `GROQ_API_KEY` | Hidden | `gsk_your_key` |
+      | `ANTHROPIC_API_KEY` | Hidden | `sk-ant-your-key` |
+      | `GOOGLE_API_KEY` | Hidden | `AIza_your_key` |
+      | `CANVAS_API_KEY` | Hidden | `3156~your_key` |
+      | `NC_PASSWORD` | Hidden | `your_nextcloud_password` |
+      | ... (22 vars total — see `config/shell/zshrc.local.example` for the full list) |
+
+- [ ] **Open a new shell** — `.zshrc` exports them automatically
+- [ ] **Verify:** `echo $GROQ_API_KEY` (should show your key)
+
+If you prefer a plain file instead of Bitwarden:
+- [ ] Edit `~/.zshrc.local` with your API keys (template in `config/shell/zshrc.local.example`)
+- [ ] Uncomment the alternate `source ~/.zshrc.local` line in the deployed `.zshrc`
+
+If you prefer a plain file instead of Bitwarden:
+- [ ] Edit `~/.zshrc.local` with your API keys (template in `config/shell/zshrc.local.example`)
+- [ ] Uncomment the `source ~/.zshrc.local` line in your deployed `.zshrc`
+
+## 3. Tailscale
+
+- [ ] Authenticate Tailscale:
+  ```bash
+  sudo tailscale up
+  ```
+- [ ] Verify connection: `tailscale status`
+- [ ] Note your Tailscale IP for services (Actual Budget, Nextcloud, etc.)
+
+## 4. Nextcloud
+
+- [ ] Install Nextcloud Desktop Client (Flatpak or RPM)
+- [ ] Connect to `https://nc.julianprester.com`
+- [ ] Select sync folders (especially `Nextcloud/3_bibliography/`)
+- [ ] Update `PandocCiter.DefaultBib` in VS Code settings if bib path changes
+
+## 5. Actual Budget
+
+- [ ] Verify connection: `actualpy accounts`
+- [ ] Update URL/password in `~/.config/actualpy/config.yaml`
+
+## 6. Docker & WinBoat
+
+- [ ] Log out and back in for docker group to take effect
+- [ ] Pull WinBoat image: `docker pull ghcr.io/dockur/windows:5.14`
+- [ ] Set up `~/.winboat/docker-compose.yml` (see reference in repo notes)
+- [ ] Pull grobid: `docker pull grobid/grobid`
+- [ ] Run grobid: `docker run -d -p 8070:8070 grobid/grobid`
+
+## 7. Zotero
+
+- [ ] Install Zotero (Flatpak or tarball from zotero.org)
+- [ ] Sign in to sync library
+- [ ] Install Zotero browser connector
+- [ ] Set ZOTERO_KEY env var in `~/.zshrc.local`
+
+## 8. GNOME Keybindings (if using GNOME)
+
+- [ ] Verify custom shortcuts were applied:
+  ```bash
+  gsettings list-recursively org.gnome.settings-daemon.plugins.media-keys.custom-keybinding
+  ```
+- [ ] Or add them manually via Settings → Keyboard → Keyboard Shortcuts
+
+## 9. Fonts
+
+- [ ] If Nerd Font download failed, install manually:
+  - Download from https://www.nerdfonts.com/font-downloads
+  - MesloLGS NF (recommended for Powerlevel10k)
+  - Extract to `~/.local/share/fonts/` and run `fc-cache -fv`
+
+## 10. Ghostty
+
+- [ ] Verify Ghostty runs and fonts look correct (nerd font icons in prompt)
+- [ ] If not, set `font-family = "MesloLGS NF"` in `~/.config/ghostty/config`
+
+## 11. VS Code
+
+- [ ] Open VS Code and verify extensions are installed
+- [ ] Sign in to GitHub → Settings → Sync (if you use Settings Sync)
+- [ ] Verify PandocCiter path to bibliography
+
+## 12. Solaar (Logitech Peripherals)
+
+- [ ] Open Solaar from applications menu
+- [ ] Pair your Logitech receiver or connect via Bluetooth
+- [ ] The config will auto-save to `~/.config/solaar/config.yaml`
+
+## 13. Printer / Scanning
+
+- [ ] If using a printer, add via Settings → Printers
+- [ ] If using a scanner, install `simple-scan`:
+  ```bash
+  sudo dnf install simple-scan
+  ```
+
+## 14. Reboot to Apply Kernel Changes
+
+- [ ] `sudo reboot` — required for:
+  - GRUB kernel cmdline parameters (if uncommented)
+  - sysctl settings (most apply at runtime, but reboot ensures)
+  - Docker group membership
+  - Desktop environment changes
+
+## 15. Verify Everything
+
+Run a quick sanity check after reboot:
+
+```bash
+# Development tools
+node --version
+npm --version
+python3 --version
+uv --version
+git --version
+
+# Docker
+docker run --rm hello-world
+
+# Shell
+zsh --version
+echo $SHELL
+
+# Services
+systemctl --user status porridge.service 2>/dev/null | head -5
+
+# Network
+tailscale status
+ping -c 1 google.com
+
+# Config files exist
+ls -la ~/.zshrc ~/.zshrc.local ~/.gitconfig ~/.p10k.zsh ~/.local/bin/
+```