Ignore local Claude Code files globally

.config/containers/systemd/ollama.container

@@ -5,11 +5,16 @@ Description=A local LLM server
 # keep-sorted start
 AutoUpdate=registry
 ContainerName=ollama
+DropCapability=ALL
 Environment=OLLAMA_KEEP_ALIVE=10m
+HealthCmd=ollama list
+# HealthInterval=30s
+# HealthStartPeriod=15s
 Image=docker.io/ollama/ollama:latest
 Network=ollama.network
-PodmanArgs=--transient-store
-PublishPort=11434:11434
+NoNewPrivileges=true
+PodmanArgs=--pull=newer --transient-store
+PublishPort=127.0.0.1:11434:11434
 ReadOnly=true
 Volume=%h/.local/share/ollama:/root/.ollama:ro,z
 # keep-sorted end

.config/containers/systemd/plantuml.container

@@ -5,10 +5,12 @@ Description=A local PlantUML server
 # keep-sorted start
 AutoUpdate=registry
 ContainerName=plantuml
+DropCapability=ALL
 Image=docker.io/plantuml/plantuml-server:jetty
 Network=private
-PodmanArgs=--transient-store
-PublishPort=8080:8080
+NoNewPrivileges=true
+PodmanArgs=--pull=newer --transient-store
+PublishPort=127.0.0.1:8080:8080
 ReadOnly=true
 # keep-sorted end
 

.config/containers/systemd/transmission.container

@@ -7,12 +7,15 @@ AutoUpdate=registry
 ContainerName=transmission
 Environment=PGID=1000
 Environment=PUID=1000
+HealthCmd=curl --fail --silent http://localhost:9091/
+# HealthInterval=30s
+# HealthStartPeriod=30s
 Image=lscr.io/linuxserver/transmission:latest
 Network=private
-PodmanArgs=--transient-store
+PodmanArgs=--pull=newer --transient-store
+PublishPort=127.0.0.1:9091:9091
 PublishPort=51413:51413
 PublishPort=51413:51413/udp
-PublishPort=9091:9091
 ReadOnly=true
 UserNS=keep-id
 Volume=%h/.config/transmission:/config:Z

.config/emacs/init.el

@@ -30,10 +30,14 @@
 
 (use-package emacs
   :ensure nil
-  :bind (("C-z" . nil)
-         ("C-z i" . find-init-file)
+  :bind (
+         ("C-z" . nil)
+         ;; keep-sorted start
          ("C-z f" . ffap)
-         ("C-z u" . insert-uuid4-at-point))
+         ("C-z i" . find-init-file)
+         ("C-z u" . insert-uuid4-at-point)
+         ;; keep-sorted end
+         )
   :hook (
          ;; keep-sorted start
          (after-save . executable-make-buffer-file-executable-if-script-p)

.config/setup/14-install-cron-jobs.sh

@@ -5,6 +5,8 @@ IFS=$'\n\t'
 
 # keep-sorted start
 systemctl --user enable --now backup.timer
+systemctl --user enable --now podman-healthcheck@ollama.timer
+systemctl --user enable --now podman-healthcheck@transmission.timer
 systemctl --user enable --now sync-backup.timer
 systemctl --user enable --now sync-git-repos.timer
 # keep-sorted end

.config/systemd/user/podman-healthcheck@.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Podman health check for %i
+
+[Service]
+Type=oneshot
+ExecStart=podman --transient-store healthcheck run %i

.config/systemd/user/podman-healthcheck@.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Podman health check timer for %i
+BindsTo=%i.service
+After=%i.service
+
+[Timer]
+OnActiveSec=30s
+OnUnitActiveSec=30s
+
+[Install]
+WantedBy=%i.service

.gitconfig

@@ -20,3 +20,5 @@
         # keep-sorted end
 [include]
         path = .hostgitconfig
+[core]
+	excludesfile = /home/ohad/.gitignore_global

.gitignore_global

@@ -0,0 +1,3 @@
+/conversation-id.txt
+/conversation-id-*.txt
+/.claude/settings.local.json

.local/share/github-versions/dolt

@@ -11,8 +11,8 @@ dolt_resource() {
 }
 
 install_dolt() {
-    tar xz --directory="$(systemd-path user-binaries)" --strip-components=2 dolt-linux-amd64/bin/dolt
-    chmod 550 "$(systemd-path user-binaries)"/dolt
+    tar xz --directory="$(systemd-path user-binaries)" --strip-components=2 dolt-linux-amd64/bin/dolt && \
+        chmod 550 "$(systemd-path user-binaries)"/dolt
 }
 
 github_update "${package}" "${repo}" dolt_resource install_dolt

.local/share/github-versions/kingfisher

@@ -11,8 +11,8 @@ kingfisher_resource() {
 }
 
 install_kingfisher() {
-    tar xz --directory="$(systemd-path user-binaries)" kingfisher
-    chmod 550 "$(systemd-path user-binaries)"/kingfisher
+    tar xz --directory="$(systemd-path user-binaries)" kingfisher && \
+        chmod 550 "$(systemd-path user-binaries)"/kingfisher
 }
 
 github_update "${package}" "${repo}" kingfisher_resource install_kingfisher

.local/share/github-versions/minikube

@@ -11,10 +11,10 @@ minikube_resource() {
 }
 
 install_minikube() {
-    tempfile="$(mktemp)"
-    cat - > "${tempfile}"
-    chmod 550 "${tempfile}"
-    mv "${tempfile}" "$(systemd-path user-binaries)"/minikube
+    tempfile="$(mktemp)" && \
+        cat - > "${tempfile}" && \
+        chmod 550 "${tempfile}" && \
+        mv "${tempfile}" "$(systemd-path user-binaries)"/minikube
 }
 
 github_update "${package}" "${repo}" minikube_resource install_minikube

.local/share/github-versions/rust-analyzer

@@ -11,10 +11,10 @@ rust_analyzer_resource() {
 }
 
 install_rust_analyzer() {
-    tempfile="$(mktemp)"
-    gunzip --to-stdout - > "${tempfile}"
-    chmod 550 "${tempfile}"
-    mv "${tempfile}" "$(systemd-path user-binaries)"/rust-analyzer
+    tempfile="$(mktemp)" && \
+        gunzip --to-stdout - > "${tempfile}" && \
+        chmod 550 "${tempfile}" && \
+        mv "${tempfile}" "$(systemd-path user-binaries)"/rust-analyzer
 }
 
 github_update "${package}" "${repo}" rust_analyzer_resource install_rust_analyzer

.local/share/github-versions/simplex-chat

@@ -0,0 +1,20 @@
+#! /usr/bin/bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+package=simplex-chat
+repo=simplex-chat/simplex-chat
+
+sc_resource() {
+    echo "simplex-chat-ubuntu-24_04-x86_64"
+}
+
+install_sc() {
+    tempfile="$(mktemp)" && \
+        cat - > "${tempfile}" && \
+        chmod 550 "${tempfile}" && \
+        mv "${tempfile}" "$(systemd-path user-binaries)"/simplex-chat
+}
+
+github_update "${package}" "${repo}" sc_resource install_sc

.local/share/github-versions/uv

@@ -11,10 +11,10 @@ uv_resource() {
 }
 
 install_uv() {
-    tempdir="$(mktemp --directory)"
-    tar xz --directory="${tempdir}" --strip-components=1 && \
-    chmod 550 "${tempdir}"/uv "${tempdir}"/uvx && \
-    mv --force "${tempdir}"/uv "${tempdir}"/uvx "$(systemd-path user-binaries)"
+    tempdir="$(mktemp --directory)" && \
+        tar xz --directory="${tempdir}" --strip-components=1 && \
+        chmod 550 "${tempdir}"/uv "${tempdir}"/uvx && \
+        mv --force "${tempdir}"/uv "${tempdir}"/uvx "$(systemd-path user-binaries)"
 }
 
 github_update "${package}" "${repo}" uv_resource install_uv

.ssh/config

@@ -0,0 +1 @@
+Include ~/.ssh/config.d/*.conf

.ssh/config.d/90-hardened-security.conf

@@ -0,0 +1,14 @@
+# SSH client algorithm hardening.
+#
+# Require PQ-hybrid KEX, AEAD ciphers, Ed25519 keys.
+# Applied to all outgoing SSH connections from this machine.
+#
+# Requires OpenSSH 9.9+ for mlkem768x25519-sha256.
+
+Host *
+    KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
+    PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
+    RekeyLimit 1G 1h

.ssh/config.d/90-terminal-emulator.conf

@@ -0,0 +1,2 @@
+Host *
+     SetEnv TERM=xterm-256color