Ignore local Claude Code files globally

Use a widely-available terminal config in SSH remotes
Create periodic healthcheck units for the transient store
2026-04-13 08:33:38 +03:00 · 2026-04-13 08:33:37 +03:00 · 2026-04-13 08:33:37 +03:00 · 2026-04-13 08:33:36 +03:00 · 2026-04-13 08:33:36 +03:00 · 2026-04-13 08:33:35 +03:00
18 changed files with 100 additions and 25 deletions
--- a/.config/containers/systemd/ollama.container
+++ b/.config/containers/systemd/ollama.container
@ -5,11 +5,16 @@ Description=A local LLM server
 # keep-sorted start
 AutoUpdate=registry
 ContainerName=ollama
 DropCapability=ALL
 Environment=OLLAMA_KEEP_ALIVE=10m
 HealthCmd=ollama list
 # HealthInterval=30s
 # HealthStartPeriod=15s
 Image=docker.io/ollama/ollama:latest
 Network=ollama.network
-PodmanArgs=--transient-store
+NoNewPrivileges=true
-PublishPort=11434:11434
+PodmanArgs=--pull=newer --transient-store
 PublishPort=127.0.0.1:11434:11434
 ReadOnly=true
 Volume=%h/.local/share/ollama:/root/.ollama:ro,z
 # keep-sorted end
--- a/.config/containers/systemd/plantuml.container
+++ b/.config/containers/systemd/plantuml.container
@ -5,10 +5,12 @@ Description=A local PlantUML server
 # keep-sorted start
 AutoUpdate=registry
 ContainerName=plantuml
 DropCapability=ALL
 Image=docker.io/plantuml/plantuml-server:jetty
 Network=private
-PodmanArgs=--transient-store
+NoNewPrivileges=true
-PublishPort=8080:8080
+PodmanArgs=--pull=newer --transient-store
 PublishPort=127.0.0.1:8080:8080
 ReadOnly=true
 # keep-sorted end
--- a/.config/containers/systemd/transmission.container
+++ b/.config/containers/systemd/transmission.container
@ -7,12 +7,15 @@ AutoUpdate=registry
 ContainerName=transmission
 Environment=PGID=1000
 Environment=PUID=1000
 HealthCmd=curl --fail --silent http://localhost:9091/
 # HealthInterval=30s
 # HealthStartPeriod=30s
 Image=lscr.io/linuxserver/transmission:latest
 Network=private
-PodmanArgs=--transient-store
+PodmanArgs=--pull=newer --transient-store
 PublishPort=127.0.0.1:9091:9091
 PublishPort=51413:51413
 PublishPort=51413:51413/udp
 PublishPort=9091:9091
 ReadOnly=true
 UserNS=keep-id
 Volume=%h/.config/transmission:/config:Z
--- a/.config/emacs/init.el
+++ b/.config/emacs/init.el
@ -30,10 +30,14 @@
 (use-package emacs
  :ensure nil
-  :bind (("C-z" . nil)
+  :bind (
-         ("C-z i" . find-init-file)
+         ("C-z" . nil)
         ;; keep-sorted start
         ("C-z f" . ffap)
-         ("C-z u" . insert-uuid4-at-point))
+         ("C-z i" . find-init-file)
         ("C-z u" . insert-uuid4-at-point)
         ;; keep-sorted end
         )
  :hook (
         ;; keep-sorted start
         (after-save . executable-make-buffer-file-executable-if-script-p)
--- a/.config/setup/14-install-cron-jobs.sh
+++ b/.config/setup/14-install-cron-jobs.sh
@ -5,6 +5,8 @@ IFS=$'\n\t'
 # keep-sorted start
 systemctl --user enable --now backup.timer
 systemctl --user enable --now podman-healthcheck@ollama.timer
 systemctl --user enable --now podman-healthcheck@transmission.timer
 systemctl --user enable --now sync-backup.timer
 systemctl --user enable --now sync-git-repos.timer
 # keep-sorted end
--- a/.config/systemd/user/podman-healthcheck@.service
+++ b/.config/systemd/user/podman-healthcheck@.service
@ -0,0 +1,6 @@
 [Unit]
 Description=Podman health check for %i
 [Service]
 Type=oneshot
 ExecStart=podman --transient-store healthcheck run %i
--- a/.config/systemd/user/podman-healthcheck@.timer
+++ b/.config/systemd/user/podman-healthcheck@.timer
@ -0,0 +1,11 @@
 [Unit]
 Description=Podman health check timer for %i
 BindsTo=%i.service
 After=%i.service
 [Timer]
 OnActiveSec=30s
 OnUnitActiveSec=30s
 [Install]
 WantedBy=%i.service
--- a/.gitconfig
+++ b/.gitconfig
@ -20,3 +20,5 @@
        # keep-sorted end
 [include]
        path = .hostgitconfig
 [core]
 	excludesfile = /home/ohad/.gitignore_global
--- a/.gitignore_global
+++ b/.gitignore_global
@ -0,0 +1,3 @@
 /conversation-id.txt
 /conversation-id-*.txt
 /.claude/settings.local.json
--- a/.local/share/github-versions/dolt
+++ b/.local/share/github-versions/dolt
@ -11,8 +11,8 @@ dolt_resource() {
 }
 install_dolt() {
-    tar xz --directory="$(systemd-path user-binaries)" --strip-components=2 dolt-linux-amd64/bin/dolt
+    tar xz --directory="$(systemd-path user-binaries)" --strip-components=2 dolt-linux-amd64/bin/dolt && \
-    chmod 550 "$(systemd-path user-binaries)"/dolt
+        chmod 550 "$(systemd-path user-binaries)"/dolt
 }
 github_update "${package}" "${repo}" dolt_resource install_dolt
--- a/.local/share/github-versions/kingfisher
+++ b/.local/share/github-versions/kingfisher
@ -11,8 +11,8 @@ kingfisher_resource() {
 }
 install_kingfisher() {
-    tar xz --directory="$(systemd-path user-binaries)" kingfisher
+    tar xz --directory="$(systemd-path user-binaries)" kingfisher && \
-    chmod 550 "$(systemd-path user-binaries)"/kingfisher
+        chmod 550 "$(systemd-path user-binaries)"/kingfisher
 }
 github_update "${package}" "${repo}" kingfisher_resource install_kingfisher
--- a/.local/share/github-versions/minikube
+++ b/.local/share/github-versions/minikube
@ -11,10 +11,10 @@ minikube_resource() {
 }
 install_minikube() {
-    tempfile="$(mktemp)"
+    tempfile="$(mktemp)" && \
-    cat - > "${tempfile}"
+        cat - > "${tempfile}" && \
-    chmod 550 "${tempfile}"
+        chmod 550 "${tempfile}" && \
-    mv "${tempfile}" "$(systemd-path user-binaries)"/minikube
+        mv "${tempfile}" "$(systemd-path user-binaries)"/minikube
 }
 github_update "${package}" "${repo}" minikube_resource install_minikube
--- a/.local/share/github-versions/rust-analyzer
+++ b/.local/share/github-versions/rust-analyzer
@ -11,10 +11,10 @@ rust_analyzer_resource() {
 }
 install_rust_analyzer() {
-    tempfile="$(mktemp)"
+    tempfile="$(mktemp)" && \
-    gunzip --to-stdout - > "${tempfile}"
+        gunzip --to-stdout - > "${tempfile}" && \
-    chmod 550 "${tempfile}"
+        chmod 550 "${tempfile}" && \
-    mv "${tempfile}" "$(systemd-path user-binaries)"/rust-analyzer
+        mv "${tempfile}" "$(systemd-path user-binaries)"/rust-analyzer
 }
 github_update "${package}" "${repo}" rust_analyzer_resource install_rust_analyzer
--- a/.local/share/github-versions/simplex-chat
+++ b/.local/share/github-versions/simplex-chat
@ -0,0 +1,20 @@
 #! /usr/bin/bash
 set -euo pipefail
 IFS=$'\n\t'
 package=simplex-chat
 repo=simplex-chat/simplex-chat
 sc_resource() {
    echo "simplex-chat-ubuntu-24_04-x86_64"
 }
 install_sc() {
    tempfile="$(mktemp)" && \
        cat - > "${tempfile}" && \
        chmod 550 "${tempfile}" && \
        mv "${tempfile}" "$(systemd-path user-binaries)"/simplex-chat
 }
 github_update "${package}" "${repo}" sc_resource install_sc
--- a/.local/share/github-versions/uv
+++ b/.local/share/github-versions/uv
@ -11,10 +11,10 @@ uv_resource() {
 }
 install_uv() {
-    tempdir="$(mktemp --directory)"
+    tempdir="$(mktemp --directory)" && \
-    tar xz --directory="${tempdir}" --strip-components=1 && \
+        tar xz --directory="${tempdir}" --strip-components=1 && \
-    chmod 550 "${tempdir}"/uv "${tempdir}"/uvx && \
+        chmod 550 "${tempdir}"/uv "${tempdir}"/uvx && \
-    mv --force "${tempdir}"/uv "${tempdir}"/uvx "$(systemd-path user-binaries)"
+        mv --force "${tempdir}"/uv "${tempdir}"/uvx "$(systemd-path user-binaries)"
 }
 github_update "${package}" "${repo}" uv_resource install_uv
--- a/.ssh/config
+++ b/.ssh/config
@ -0,0 +1 @@
 Include ~/.ssh/config.d/*.conf
--- a/.ssh/config.d/90-hardened-security.conf
+++ b/.ssh/config.d/90-hardened-security.conf
@ -0,0 +1,14 @@
 # SSH client algorithm hardening.
 #
 # Require PQ-hybrid KEX, AEAD ciphers, Ed25519 keys.
 # Applied to all outgoing SSH connections from this machine.
 #
 # Requires OpenSSH 9.9+ for mlkem768x25519-sha256.
 Host *
    KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
    PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
    RekeyLimit 1G 1h
--- a/.ssh/config.d/90-terminal-emulator.conf
+++ b/.ssh/config.d/90-terminal-emulator.conf
@ -0,0 +1,2 @@
 Host *
     SetEnv TERM=xterm-256color
Author	SHA1	Message	Date
Ohad Livne	c7aca696d7	Ignore local Claude Code files globally	2026-04-13 08:33:38 +03:00
Ohad Livne	b4838af164	Use a widely-available terminal config in SSH remotes	2026-04-13 08:33:37 +03:00
Ohad Livne	c18017eef4	Create periodic healthcheck units for the transient store	2026-04-13 08:33:37 +03:00
Ohad Livne	c852857583	Support health checks for the services	2026-04-13 08:33:36 +03:00
Ohad Livne	203e6656da	Check for image updates on startup	2026-04-13 08:33:36 +03:00
Ohad Livne	8f927221b4	Only expose access ports on the localhost network	2026-04-13 08:33:35 +03:00
Ohad Livne	e4b0e731d6	Restrict service container privileges	2026-04-13 08:33:35 +03:00
Ohad Livne	6ca9d88995	Install SimpleX Chat from the GitHub repository	2026-04-13 08:33:34 +03:00
Ohad Livne	34d62d92b2	Short-circuit installation commands on failure	2026-04-13 08:33:34 +03:00
Ohad Livne	6b27d7e5e2	Use hardened defaults for SSH connections	2026-04-13 08:33:34 +03:00
Ohad Livne	d6b105d2ec	Sort keybindings	2026-04-11 12:30:25 +03:00