From d6b105d2ec8f5146e583775d27f062497c57fe57 Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Fri, 10 Apr 2026 18:54:53 +0300 Subject: [PATCH 01/11] Sort keybindings --- .config/emacs/init.el | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.config/emacs/init.el b/.config/emacs/init.el index 3da0d64..c8748eb 100644 --- a/.config/emacs/init.el +++ b/.config/emacs/init.el @@ -30,10 +30,14 @@ (use-package emacs :ensure nil - :bind (("C-z" . nil) - ("C-z i" . find-init-file) + :bind ( + ("C-z" . nil) + ;; keep-sorted start ("C-z f" . ffap) - ("C-z u" . insert-uuid4-at-point)) + ("C-z i" . find-init-file) + ("C-z u" . insert-uuid4-at-point) + ;; keep-sorted end + ) :hook ( ;; keep-sorted start (after-save . executable-make-buffer-file-executable-if-script-p) From 6b27d7e5e285bd14a2e688952bc900868731044c Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Fri, 10 Apr 2026 18:54:15 +0300 Subject: [PATCH 02/11] Use hardened defaults for SSH connections --- .ssh/config | 1 + .ssh/config.d/90-hardened-security.conf | 14 ++++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 .ssh/config create mode 100644 .ssh/config.d/90-hardened-security.conf diff --git a/.ssh/config b/.ssh/config new file mode 100644 index 0000000..51ec533 --- /dev/null +++ b/.ssh/config @@ -0,0 +1 @@ +Include ~/.ssh/config.d/*.conf diff --git a/.ssh/config.d/90-hardened-security.conf b/.ssh/config.d/90-hardened-security.conf new file mode 100644 index 0000000..47856a4 --- /dev/null +++ b/.ssh/config.d/90-hardened-security.conf 
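Review bot: `Include ~/.ssh/config.d/*.conf` gives no hint of how the numbered files interact, and ssh's rule is the opposite of what `90-` suggests: for most options ssh keeps the first value it obtains, so a lower-numbered file overrides `90-hardened-security.conf`, not the other way round. A comment above the Include would save the next reader a surprise: `# ssh keeps the first value per option: lower-numbered config.d files take precedence over 90-*.conf`. It is also worth stating that anything with a `.conf` suffix dropped into that directory is loaded, so `config.d` should keep the same 0700 as the rest of `~/.ssh`; whether ssh applies its owner/permission check to included files as it does to `~/.ssh/config` is something I would confirm rather than assume.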
@@ -0,0 +1,14 @@ +# SSH client algorithm hardening. +# +# Require PQ-hybrid KEX, AEAD ciphers, Ed25519 keys. +# Applied to all outgoing SSH connections from this machine. +# +# Requires OpenSSH 9.9+ for mlkem768x25519-sha256. + +Host * + KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com + PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com + RekeyLimit 1G 1h From 34d62d92b2d96ac9db5b9464b2aff5476d16c6d9 Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Sat, 11 Apr 2026 00:00:50 +0300 Subject: [PATCH 03/11] Short-circuit installation commands on failure --- .local/share/github-versions/dolt | 4 ++-- .local/share/github-versions/kingfisher | 4 ++-- .local/share/github-versions/minikube | 8 ++++---- .local/share/github-versions/rust-analyzer | 8 ++++---- .local/share/github-versions/uv | 8 ++++---- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.local/share/github-versions/dolt b/.local/share/github-versions/dolt index 24eab50..9254013 100755 --- a/.local/share/github-versions/dolt +++ b/.local/share/github-versions/dolt @@ -11,8 +11,8 @@ dolt_resource() { } install_dolt() { - tar xz --directory="$(systemd-path user-binaries)" --strip-components=2 dolt-linux-amd64/bin/dolt - chmod 550 "$(systemd-path user-binaries)"/dolt + tar xz --directory="$(systemd-path user-binaries)" --strip-components=2 dolt-linux-amd64/bin/dolt && \ + chmod 550 "$(systemd-path user-binaries)"/dolt } github_update "${package}" "${repo}" dolt_resource install_dolt diff --git a/.local/share/github-versions/kingfisher b/.local/share/github-versions/kingfisher index 10c7f17..f6903dc 100755 --- a/.local/share/github-versions/kingfisher +++ b/.local/share/github-versions/kingfisher 
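Review bot: The `MACs` line at the bottom of the `Host *` block is inert as written: both listed ciphers are AEAD modes, for which OpenSSH negotiates and uses no separate MAC, so either drop it or mark it, e.g. `# MACs only apply if a non-AEAD cipher is ever added; both ciphers above are AEAD.` The header comment also understates the version requirement: none of the lists use the `+`/`^` prefixes, so they replace the defaults outright, and an OpenSSH older than 9.9 will, as far as I recall, reject the unknown `mlkem768x25519-sha256` name as a fatal configuration error rather than skip it, so "fails to load on" is more accurate than "Requires". Restricting `HostKeyAlgorithms` to Ed25519 also means any existing `known_hosts` entry of another key type stops matching; document that such hosts get a per-host override in a lower-numbered `config.d` file, because the tempting `ssh -o HostKeyAlgorithms=+...` workaround also invites accepting a fresh key on the spot. If any FIDO keys are in use, `sk-ssh-ed25519@openssh.com` is missing from `PubkeyAcceptedAlgorithms` as well.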
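Review bot: The `&&` now keeps `chmod 550` from running after a failed extraction, but `tar xz --directory="$(systemd-path user-binaries)"` still unpacks straight into the live binaries directory, so a truncated download leaves a partial `dolt` on `$PATH` with whatever mode the archive member carries — where the minikube, rust-analyzer and uv scripts stage through `mktemp` and `mv` into place. Extracting into a `mktemp --directory`, setting the mode there and moving the file over the old one makes the replacement a single rename and leaves the old binary intact when a run fails. Whether the stream fed to `tar` has already been checksum-verified depends on `github_update`, which is outside this diff; if it has not, this is the place to add it.
```shell
install_dolt() {
    tempdir="$(mktemp --directory)" && \
    tar xz --directory="${tempdir}" --strip-components=2 dolt-linux-amd64/bin/dolt && \
    chmod 550 "${tempdir}"/dolt && \
    mv --force "${tempdir}"/dolt "$(systemd-path user-binaries)"/dolt && \
    rm -rf "${tempdir}"
}
```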
@@ -11,8 +11,8 @@ kingfisher_resource() { } install_kingfisher() { - tar xz --directory="$(systemd-path user-binaries)" kingfisher - chmod 550 "$(systemd-path user-binaries)"/kingfisher + tar xz --directory="$(systemd-path user-binaries)" kingfisher && \ + chmod 550 "$(systemd-path user-binaries)"/kingfisher } github_update "${package}" "${repo}" kingfisher_resource install_kingfisher diff --git a/.local/share/github-versions/minikube b/.local/share/github-versions/minikube index 004f74c..8012485 100755 --- a/.local/share/github-versions/minikube +++ b/.local/share/github-versions/minikube @@ -11,10 +11,10 @@ minikube_resource() { } install_minikube() { - tempfile="$(mktemp)" - cat - > "${tempfile}" - chmod 550 "${tempfile}" - mv "${tempfile}" "$(systemd-path user-binaries)"/minikube + tempfile="$(mktemp)" && \ + cat - > "${tempfile}" && \ + chmod 550 "${tempfile}" && \ + mv "${tempfile}" "$(systemd-path user-binaries)"/minikube } github_update "${package}" "${repo}" minikube_resource install_minikube diff --git a/.local/share/github-versions/rust-analyzer b/.local/share/github-versions/rust-analyzer index 1add828..bd41614 100755 --- a/.local/share/github-versions/rust-analyzer +++ b/.local/share/github-versions/rust-analyzer @@ -11,10 +11,10 @@ rust_analyzer_resource() { } install_rust_analyzer() { - tempfile="$(mktemp)" - gunzip --to-stdout - > "${tempfile}" - chmod 550 "${tempfile}" - mv "${tempfile}" "$(systemd-path user-binaries)"/rust-analyzer + tempfile="$(mktemp)" && \ + gunzip --to-stdout - > "${tempfile}" && \ + chmod 550 "${tempfile}" && \ + mv "${tempfile}" "$(systemd-path user-binaries)"/rust-analyzer } github_update "${package}" "${repo}" rust_analyzer_resource install_rust_analyzer diff --git a/.local/share/github-versions/uv b/.local/share/github-versions/uv index b0c0ad9..389c20d 100755 --- a/.local/share/github-versions/uv +++ b/.local/share/github-versions/uv 
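Review bot: `tar xz --directory="$(systemd-path user-binaries)" kingfisher` extracts over the live binary, so a short read leaves a truncated `kingfisher` on `$PATH` and the new `&&` only spares the `chmod`; this is the same in-place pattern as the dolt script and differs from how minikube and uv stage their files. Unpacking into a temporary directory and renaming the result into place keeps the old binary until the new one is complete and at mode 550.
```shell
install_kingfisher() {
    tempdir="$(mktemp --directory)" && \
    tar xz --directory="${tempdir}" kingfisher && \
    chmod 550 "${tempdir}"/kingfisher && \
    mv --force "${tempdir}"/kingfisher "$(systemd-path user-binaries)"/kingfisher && \
    rm -rf "${tempdir}"
}
```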
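Review bot: A failed `cat - > "${tempfile}"` (or `chmod`) now stops the chain, but the partially written temp file is never removed, so repeated failed updates accumulate half-downloaded binaries under `$TMPDIR`. The smallest fix is on the `cat` line, `cat - > "${tempfile}" || { rm -f "${tempfile}"; return 1; }`, or, if these scripts share the `set -euo pipefail` header the simplex-chat one has, a `trap 'rm -f "${tempfile:-}"' EXIT` before the `github_update` call (harmless after a successful `mv`, since the path no longer exists). The `mktemp` default mode of 0600 followed by `chmod 550` is fine; what the chain does not do is verify what it wrote, which is only acceptable if `github_update` (outside this diff) already does.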
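Review bot: Same leak as the minikube script: when `gunzip --to-stdout - > "${tempfile}"` fails on a corrupt or truncated stream the chain stops correctly, but `${tempfile}` stays behind with partial contents. Either `|| { rm -f "${tempfile}"; return 1; }` on the `gunzip` line or a script-level `trap 'rm -f "${tempfile:-}"' EXIT` closes that; `gunzip` does exit non-zero on a bad stream, so the chain's short-circuit is reliable here.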
@@ -11,10 +11,10 @@ uv_resource() { } install_uv() { - tempdir="$(mktemp --directory)" - tar xz --directory="${tempdir}" --strip-components=1 && \ - chmod 550 "${tempdir}"/uv "${tempdir}"/uvx && \ - mv --force "${tempdir}"/uv "${tempdir}"/uvx "$(systemd-path user-binaries)" + tempdir="$(mktemp --directory)" && \ + tar xz --directory="${tempdir}" --strip-components=1 && \ + chmod 550 "${tempdir}"/uv "${tempdir}"/uvx && \ + mv --force "${tempdir}"/uv "${tempdir}"/uvx "$(systemd-path user-binaries)" } github_update "${package}" "${repo}" uv_resource install_uv From 6ca9d889957302276790a34371e3a12c0606aa82 Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Fri, 10 Apr 2026 23:57:19 +0300 Subject: [PATCH 04/11] Install SimpleX Chat from the GitHub repository --- .local/share/github-versions/simplex-chat | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100755 .local/share/github-versions/simplex-chat diff --git a/.local/share/github-versions/simplex-chat b/.local/share/github-versions/simplex-chat new file mode 100755 index 0000000..82e7977 --- /dev/null +++ b/.local/share/github-versions/simplex-chat @@ -0,0 +1,20 @@ +#! /usr/bin/bash + +set -euo pipefail +IFS=$'\n\t' + +package=simplex-chat +repo=simplex-chat/simplex-chat + +sc_resource() { + echo "simplex-chat-ubuntu-24_04-x86_64" +} + +install_sc() { + tempfile="$(mktemp)" && \ + cat - > "${tempfile}" && \ + chmod 550 "${tempfile}" && \ + mv "${tempfile}" "$(systemd-path user-binaries)"/simplex-chat +} + +github_update "${package}" "${repo}" sc_resource install_sc From e4b0e731d68b5e6d50ed21301523d415a728d2fd Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Thu, 9 Apr 2026 21:56:06 +0300 Subject: [PATCH 05/11] Restrict service container privileges --- .config/containers/systemd/ollama.container | 2 ++ .config/containers/systemd/plantuml.container | 2 ++ 2 files changed, 4 insertions(+) 
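Review bot: `${tempdir}` is never removed — the chain ends at `mv --force`, so the extracted archive (everything besides `uv`/`uvx`) is left under `$TMPDIR` on every successful run, and the whole tree on a failed one. Appending `&& rm -rf "${tempdir}"` keeps the success path clean; a `trap 'rm -rf "${tempdir:-}"' EXIT` before the `github_update` call would cover the failure path too. `--strip-components=1` silently assumes the archive has exactly one top-level directory; a short comment saying so would explain the number to the next reader.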
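Review bot: This script pulls a prebuilt binary by release asset name and installs whatever arrives on stdin; nothing visible here checks a checksum or signature, and `github_update` — the only name that could — is not defined in this file, so the trust decision should be written down at the top: `# Installed from the GitHub release asset as-is; integrity relies on TLS to github.com and on github_update (provided by the caller) verifying the asset, if it does.` The `install_sc` chain also leaves `${tempfile}` behind when `cat` or `chmod` fails, same as the minikube script. A one-line comment above `sc_resource` naming which distro build the asset name targets (`ubuntu-24_04-x86_64`) would also help when the host is not Ubuntu.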
diff --git a/.config/containers/systemd/ollama.container b/.config/containers/systemd/ollama.container index 98929ac..051de23 100644 --- a/.config/containers/systemd/ollama.container +++ b/.config/containers/systemd/ollama.container @@ -5,9 +5,11 @@ Description=A local LLM server # keep-sorted start AutoUpdate=registry ContainerName=ollama +DropCapability=ALL Environment=OLLAMA_KEEP_ALIVE=10m Image=docker.io/ollama/ollama:latest Network=ollama.network +NoNewPrivileges=true PodmanArgs=--transient-store PublishPort=11434:11434 ReadOnly=true diff --git a/.config/containers/systemd/plantuml.container b/.config/containers/systemd/plantuml.container index aa8057d..0648c34 100644 --- a/.config/containers/systemd/plantuml.container +++ b/.config/containers/systemd/plantuml.container @@ -5,8 +5,10 @@ Description=A local PlantUML server # keep-sorted start AutoUpdate=registry ContainerName=plantuml +DropCapability=ALL Image=docker.io/plantuml/plantuml-server:jetty Network=private +NoNewPrivileges=true PodmanArgs=--transient-store PublishPort=8080:8080 ReadOnly=true From 8f927221b46ffdbb08d52bb95d4bae952954c7d0 Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Thu, 9 Apr 2026 21:58:53 +0300 Subject: [PATCH 06/11] Only expose access ports on the localhost network --- .config/containers/systemd/ollama.container | 2 +- .config/containers/systemd/plantuml.container | 2 +- .config/containers/systemd/transmission.container | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.config/containers/systemd/ollama.container b/.config/containers/systemd/ollama.container index 051de23..a3a4402 100644 --- a/.config/containers/systemd/ollama.container +++ b/.config/containers/systemd/ollama.container @@ -11,7 +11,7 @@ Image=docker.io/ollama/ollama:latest Network=ollama.network NoNewPrivileges=true PodmanArgs=--transient-store -PublishPort=11434:11434 +PublishPort=127.0.0.1:11434:11434 ReadOnly=true Volume=%h/.local/share/ollama:/root/.ollama:ro,z # keep-sorted end 
diff --git a/.config/containers/systemd/plantuml.container b/.config/containers/systemd/plantuml.container index 0648c34..7a1b266 100644 --- a/.config/containers/systemd/plantuml.container +++ b/.config/containers/systemd/plantuml.container @@ -10,7 +10,7 @@ Image=docker.io/plantuml/plantuml-server:jetty Network=private NoNewPrivileges=true PodmanArgs=--transient-store -PublishPort=8080:8080 +PublishPort=127.0.0.1:8080:8080 ReadOnly=true # keep-sorted end diff --git a/.config/containers/systemd/transmission.container b/.config/containers/systemd/transmission.container index 6d83357..210cd62 100644 --- a/.config/containers/systemd/transmission.container +++ b/.config/containers/systemd/transmission.container @@ -10,9 +10,9 @@ Environment=PUID=1000 Image=lscr.io/linuxserver/transmission:latest Network=private PodmanArgs=--transient-store +PublishPort=127.0.0.1:9091:9091 PublishPort=51413:51413 PublishPort=51413:51413/udp -PublishPort=9091:9091 ReadOnly=true UserNS=keep-id Volume=%h/.config/transmission:/config:Z From 203e6656dac74e01afb204284d00250640b4e8cd Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Thu, 9 Apr 2026 21:59:52 +0300 Subject: [PATCH 07/11] Check for image updates on startup --- .config/containers/systemd/ollama.container | 2 +- .config/containers/systemd/plantuml.container | 2 +- .config/containers/systemd/transmission.container | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.config/containers/systemd/ollama.container b/.config/containers/systemd/ollama.container index a3a4402..b44121d 100644 --- a/.config/containers/systemd/ollama.container +++ b/.config/containers/systemd/ollama.container @@ -10,7 +10,7 @@ Environment=OLLAMA_KEEP_ALIVE=10m Image=docker.io/ollama/ollama:latest Network=ollama.network NoNewPrivileges=true -PodmanArgs=--transient-store +PodmanArgs=--pull=newer --transient-store PublishPort=127.0.0.1:11434:11434 ReadOnly=true Volume=%h/.local/share/ollama:/root/.ollama:ro,z 
diff --git a/.config/containers/systemd/plantuml.container b/.config/containers/systemd/plantuml.container index 7a1b266..47e0f49 100644 --- a/.config/containers/systemd/plantuml.container +++ b/.config/containers/systemd/plantuml.container @@ -9,7 +9,7 @@ DropCapability=ALL Image=docker.io/plantuml/plantuml-server:jetty Network=private NoNewPrivileges=true -PodmanArgs=--transient-store +PodmanArgs=--pull=newer --transient-store PublishPort=127.0.0.1:8080:8080 ReadOnly=true # keep-sorted end diff --git a/.config/containers/systemd/transmission.container b/.config/containers/systemd/transmission.container index 210cd62..1f2ec07 100644 --- a/.config/containers/systemd/transmission.container +++ b/.config/containers/systemd/transmission.container @@ -9,7 +9,7 @@ Environment=PGID=1000 Environment=PUID=1000 Image=lscr.io/linuxserver/transmission:latest Network=private -PodmanArgs=--transient-store +PodmanArgs=--pull=newer --transient-store PublishPort=127.0.0.1:9091:9091 PublishPort=51413:51413 PublishPort=51413:51413/udp From c852857583708ce5b598958778a0800d143bf8e5 Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Thu, 9 Apr 2026 22:02:30 +0300 Subject: [PATCH 08/11] Support health checks for the services --- .config/containers/systemd/ollama.container | 3 +++ .config/containers/systemd/transmission.container | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.config/containers/systemd/ollama.container b/.config/containers/systemd/ollama.container index b44121d..d47f626 100644 --- a/.config/containers/systemd/ollama.container +++ b/.config/containers/systemd/ollama.container @@ -7,6 +7,9 @@ AutoUpdate=registry ContainerName=ollama DropCapability=ALL Environment=OLLAMA_KEEP_ALIVE=10m +HealthCmd=ollama list +# HealthInterval=30s +# HealthStartPeriod=15s Image=docker.io/ollama/ollama:latest Network=ollama.network NoNewPrivileges=true 
diff --git a/.config/containers/systemd/transmission.container b/.config/containers/systemd/transmission.container index 1f2ec07..01f0446 100644 --- a/.config/containers/systemd/transmission.container +++ b/.config/containers/systemd/transmission.container @@ -7,6 +7,9 @@ AutoUpdate=registry ContainerName=transmission Environment=PGID=1000 Environment=PUID=1000 +HealthCmd=curl --fail --silent http://localhost:9091/ +# HealthInterval=30s +# HealthStartPeriod=30s Image=lscr.io/linuxserver/transmission:latest Network=private PodmanArgs=--pull=newer --transient-store From c18017eef43232994e07357790bfdb3c507408b5 Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Thu, 9 Apr 2026 23:17:56 +0300 Subject: [PATCH 09/11] Create periodic healthcheck units for the transient store --- .config/setup/14-install-cron-jobs.sh | 2 ++ .config/systemd/user/podman-healthcheck@.service | 6 ++++++ .config/systemd/user/podman-healthcheck@.timer | 11 +++++++++++ 3 files changed, 19 insertions(+) create mode 100644 .config/systemd/user/podman-healthcheck@.service create mode 100644 .config/systemd/user/podman-healthcheck@.timer diff --git a/.config/setup/14-install-cron-jobs.sh b/.config/setup/14-install-cron-jobs.sh index 22851b8..df7b93d 100755 --- a/.config/setup/14-install-cron-jobs.sh +++ b/.config/setup/14-install-cron-jobs.sh @@ -5,6 +5,8 @@ IFS=$'\n\t' # keep-sorted start systemctl --user enable --now backup.timer +systemctl --user enable --now podman-healthcheck@ollama.timer +systemctl --user enable --now podman-healthcheck@transmission.timer systemctl --user enable --now sync-backup.timer systemctl --user enable --now sync-git-repos.timer # keep-sorted end diff --git a/.config/systemd/user/podman-healthcheck@.service b/.config/systemd/user/podman-healthcheck@.service new file mode 100644 index 0000000..b521d85 --- /dev/null +++ b/.config/systemd/user/podman-healthcheck@.service 
@@ -0,0 +1,6 @@ +[Unit] +Description=Podman health check for %i + +[Service] +Type=oneshot +ExecStart=podman --transient-store healthcheck run %i diff --git a/.config/systemd/user/podman-healthcheck@.timer b/.config/systemd/user/podman-healthcheck@.timer new file mode 100644 index 0000000..255104d --- /dev/null +++ b/.config/systemd/user/podman-healthcheck@.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Podman health check timer for %i +BindsTo=%i.service +After=%i.service + +[Timer] +OnActiveSec=30s +OnUnitActiveSec=30s + +[Install] +WantedBy=%i.service From b4838af164e7dcec144d05bc7dc7892fd208c369 Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Sun, 12 Apr 2026 22:45:39 +0300 Subject: [PATCH 10/11] Use a widely-available terminal config in SSH remotes --- .ssh/config.d/90-terminal-emulator.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .ssh/config.d/90-terminal-emulator.conf diff --git a/.ssh/config.d/90-terminal-emulator.conf b/.ssh/config.d/90-terminal-emulator.conf new file mode 100644 index 0000000..a11d57f --- /dev/null +++ b/.ssh/config.d/90-terminal-emulator.conf @@ -0,0 +1,2 @@ +Host * + SetEnv TERM=xterm-256color From c7aca696d74a94404c225a5b067377e96fd9feda Mon Sep 17 00:00:00 2001 From: Ohad Livne Date: Mon, 13 Apr 2026 08:13:06 +0300 Subject: [PATCH 11/11] Ignore local Claude Code files globally --- .gitconfig | 2 ++ .gitignore_global | 3 +++ 2 files changed, 5 insertions(+) create mode 100644 .gitignore_global diff --git a/.gitconfig b/.gitconfig index d269033..54f18df 100644 --- a/.gitconfig +++ b/.gitconfig @@ -20,3 +20,5 @@ # keep-sorted end [include] path = .hostgitconfig +[core] + excludesfile = /home/ohad/.gitignore_global diff --git a/.gitignore_global b/.gitignore_global new file mode 100644 index 0000000..1a88ff4 --- /dev/null +++ b/.gitignore_global @@ -0,0 +1,3 @@ +/conversation-id.txt +/conversation-id-*.txt +/.claude/settings.local.json
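Review bot: `ExecStart=podman --transient-store healthcheck run %i` only works because the `.container` units pass `PodmanArgs=--transient-store`; with a different store the container is simply not found, and nothing in this file says so. Add `# --transient-store must match PodmanArgs= in the .container unit, or the container is not visible to this command.` above `ExecStart=`. A failing run marks this oneshot unit failed but takes no action on the container unless `HealthOnFailure=` is set in the quadlet — I believe `podman healthcheck run` does apply that action when the status flips to unhealthy, but that is worth confirming with the transient store.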
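Review bot: `BindsTo=%i.service` plus `After=%i.service` ties the timer's lifetime to the container, but the relationship is one-way and the file does not say so: starting the timer never starts the container, and `WantedBy=%i.service` is what makes the container pull the timer in. A header comment would make this explicit: `# Pulled in by <container>.service via WantedBy; stops with it via BindsTo. Never start this timer on its own.` `OnUnitActiveSec=30s` is measured from the last activation of the oneshot unit, so a check that hangs (no timeout in the `HealthCmd`) delays the next one rather than overlapping it; a `TimeoutStartSec=` on the service side, outside this hunk, would bound that.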
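Review bot: A one-line comment stating why `TERM` is forced would help: `# Remote hosts rarely ship the terminfo entry for the local terminal; advertise a ubiquitous one instead.` Whether `SetEnv TERM=...` replaces the value carried in the pty request depends on the OpenSSH version — newer releases honour it, older ones still send the local `$TERM` — so confirm against the minimum version this config already targets (9.9+ per the hardened file) and note it here.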
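Review bot: `excludesfile = /home/ohad/.gitignore_global` hard-codes one host's home directory, and on any machine where that path does not exist git silently applies no global ignores — the local Claude files this series is trying to keep out of commits then get staged by `git add .` without any warning. Git expands `~` in this setting, so `excludesfile = ~/.gitignore_global` is portable across the hosts this repo already handles via `.hostgitconfig`; alternatively drop the key and place the file at `~/.config/git/ignore`, which git reads by default.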
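Review bot: The leading `/` anchors `/conversation-id.txt` and `/conversation-id-*.txt` to the repository root, so the same files in a subdirectory are still tracked; if the intent is to keep them out wherever they appear, drop the slash (`conversation-id.txt`, `conversation-id-*.txt`), and for the third entry use `**/.claude/settings.local.json`, since a pattern containing a slash is anchored whether or not it starts with one. A header comment naming the tool that creates these files (`# Claude Code local state: per-user settings and conversation ids, never to be committed`) would explain the list to anyone else reading the global ignores.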