Initial commit: linux-provision repo

Distribution-agnostic provisioning script that sets up a new Linux machine (Detected via lib/distro.sh - supports Debian/Ubuntu/Pop and Fedora families). 13 stages covering: - System packages, external repos, toolchains (nvm, uv, Python) - Shell config (zsh, oh-my-zsh, p10k), git, SSH - Custom uv tools from ~40 git repos - Desktop config (keybindings, hotkeys, ghostty, fonts) - Docker, system tweaks, browser/app installs - Custom systemd user services (porridge, swayidle, mempi-sync, etc.) - API keys loaded from Bitwarden at shell startup
2026-06-05 21:21:46 +10:00
commit 180c5838ea
36 changed files with 4176 additions and 0 deletions
--- a/config/scripts/bw-load-ssh.sh
+++ b/config/scripts/bw-load-ssh.sh
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# ===========================================================================
+#  bw-load-ssh.sh — Load SSH keys from Bitwarden into ssh-agent
+#  Reads SSH key items from Bitwarden vault and loads private keys into
+#  the running ssh-agent.
+#
+#  Dependencies: bw (Bitwarden CLI), jq, ssh-agent running
+#  Usage:
+#    1. First, authenticate: bw login
+#    2. Unlock and save session: bw unlock --raw > ~/.config/Bitwarden\ CLI/.session
+#    3. Run: ./bw-load-ssh.sh
+#  Or run automatically via bw-ssh-keys.service (systemd user service).
+# ===========================================================================
+
+set -euo pipefail
+
+CONFIG_DIR="${HOME}/.config/Bitwarden CLI"
+SESSION_FILE="${CONFIG_DIR}/.session"
+
+# Check session file exists
+if [ ! -f "$SESSION_FILE" ]; then
+    echo "ERROR: Session file not found at $SESSION_FILE"
+    echo "Run: bw unlock --raw > '$SESSION_FILE' && chmod 600 '$SESSION_FILE'"
+    exit 1
+fi
+
+# Check ssh-agent is running
+if ! ssh-add -l >/dev/null 2>&1; then
+    echo "ERROR: ssh-agent is not running."
+    echo "Start it with: eval \$(ssh-agent)"
+    exit 1
+fi
+
+# Read session key
+export BW_SESSION=$(cat "$SESSION_FILE")
+
+# Verify session is still valid
+if ! bw status 2>/dev/null | jq -e '.status == "unlocked"' >/dev/null 2>&1; then
+    echo "ERROR: Session is no longer valid (vault is locked or logged out)."
+    echo "Regenerate with: bw unlock --raw > '$SESSION_FILE' && chmod 600 '$SESSION_FILE'"
+    exit 1
+fi
+
+# Find all SSH key items
+echo "Fetching SSH keys from vault..."
+ITEMS=$(bw list items 2>/dev/null | jq -c '.[] | select(.type == 5)')
+
+if [ -z "$ITEMS" ]; then
+    echo "No SSH keys found in vault."
+    exit 0
+fi
+
+LOADED=0
+SKIPPED=0
+
+echo "$ITEMS" | while IFS= read -r item; do
+    NAME=$(echo "$item" | jq -r '.name')
+    PUBLIC_KEY=$(echo "$item" | jq -r '.sshKey.publicKey // ""')
+    PRIVATE_KEY=$(echo "$item" | jq -r '.sshKey.privateKey // ""')
+
+    if [ -z "$PRIVATE_KEY" ]; then
+        echo "  SKIP '$NAME' — no private key found"
+        continue
+    fi
+
+    # Extract comment from public key for checking if already loaded
+    COMMENT=$(echo "$PUBLIC_KEY" | awk '{print $3}' | tr -d '\n')
+
+    # Check if already loaded in ssh-agent
+    if [ -n "$COMMENT" ] && ssh-add -l 2>/dev/null | grep -q "$COMMENT"; then
+        echo "  OK   '$NAME' — already loaded"
+        SKIPPED=$((SKIPPED + 1))
+        continue
+    fi
+
+    # Load into ssh-agent
+    if echo "$PRIVATE_KEY" | ssh-add - 2>/dev/null; then
+        echo "  LOAD '$NAME'"
+        LOADED=$((LOADED + 1))
+    else
+        echo "  FAIL '$NAME'"
+    fi
+done
+
+echo "Done. Loaded: $LOADED, Skipped (already loaded): $SKIPPED"
--- a/config/scripts/env.sh
+++ b/config/scripts/env.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+# ===========================================================================
+#  env — PATH helper
+#  Sourced from ~/.profile and ~/.bashrc to ensure ~/.local/bin is in PATH.
+#  Idempotent — won't duplicate PATH entries.
+# ===========================================================================
+# affix colons on either side of $PATH to simplify matching
+case ":${PATH}:" in
+    *:"$HOME/.local/bin":*)
+        ;;
+    *)
+        # Prepending path in case a system-installed binary needs overriding
+        export PATH="$HOME/.local/bin:$PATH"
+        ;;
+esac
--- a/config/scripts/idle-battery-suspend.sh
+++ b/config/scripts/idle-battery-suspend.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# ===========================================================================
+#  idle-battery-suspend.sh — Suspend laptop only when on battery
+#  Checks AC power status before suspending. If on AC power, does nothing.
+#  Used by swayidle.service (systemd user service).
+# ===========================================================================
+# Only suspend if on battery (AC online = 0)
+AC_ONLINE=$(cat /sys/class/power_supply/AC/online 2>/dev/null)
+if [ "$AC_ONLINE" = "0" ]; then
+    systemctl suspend-then-hibernate
+fi
--- a/config/scripts/zoom.sh
+++ b/config/scripts/zoom.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# ===========================================================================
+#  zoom — Zoom launcher wrapper for COSMIC/Wayland on AMD GPU
+#  Forces Wayland-native mode (avoids X11 event freezes via XWayland).
+#  Forces VA-API hardware video decoding (fixes screen share performance).
+#
+#  Works with: AMD Radeon 680M (Rembrandt) and similar.
+#  For NVIDIA GPUs, use: export LIBVA_DRIVER_NAME=nvidia
+# ===========================================================================
+
+export QT_QPA_PLATFORM=wayland
+export LIBVA_DRIVER_NAME=radeonsi
+export LIBVA_DRI3_DISABLE=0
+
+exec /usr/bin/zoom "$@"