About synctex and backward search functionality:

Synctex is a tool that enables synchronization of the text editor position and
the pdf viewer position. The tool may be used to add mappings in vim to go to
the current position in the compiled pdf document (forward search), and also
to go from a specific position in the pdf file to the corresponding position
in vim (inverse/backward search).
...
In supported viewers one may set up backward or inverse search. When
correctly set up, this allows one to go directly from a selected line in the
viewer (typically by double clicking with the mouse or something similar) to
the corresponding line inside the VIM instance.

For example I'm using vim (+vimtex) and zathura together. Zathura should be able to run vim like this: vim --servername VIM --remote +10 my-file.tex to force VIM to place cursor on line 10.

It is prohibited in spark defaults because in default zathura.profile there isn't vim binary at all. The solution is to add this line: private-bin zathura,vim

P.S. Possibly it should be a little bit agile and support any editor binary not only VIM.

Hey there - I have a fork of yours under development, and noticed that pasystray-gtk3-standalone has been removed from the AUR. You use it in the sound role, figured a heads up wouldn't hurt.

There doesn't seem to be any way around this short of building a custom kernel, which I do not want to do.

I use VirtualBox to spin up a handful of Debian-based images, mostly managed with Vagrant. Switching over to some sort of libvirt/kvm backend may be more productive than trying to get vbox to work.

There were several security issues found recently:

CVE-2017-5180: http://openwall.com/lists/oss-security/2017/01/04/1
tmpfs related (CVE-2016-10117, CVE-2016-10119), rewrite /etc/resolv.conf (CVE-2016-10118), full access to system files (CVE-2016-10120, CVE-2016-10121), root access (CVE-2016-10122, CVE-2016-10123): http://openwall.com/lists/oss-security/2017/01/05/4

And 2 more which are fixed by now: CVE-2017-5207, CVE-2017-5206.

It isn't about sandbox actually but if your user somehow vulnerable therefore (by means of firejail) your root is also vulnerable. That's If I got it right consequence of nature of firejail and of using suid mechanism.

Probably it is worth consideting to switch to some alternative. For example:

1. bubblewrap
2. Sandstorm.io
3. Other tools. Some of them mentioned (with some comparison) in bubblewrap README.

Probably it is sensible to generate ssh private key if it isn't set.

With code like this:

 63 - name: Generate user SSH key
 64   user:
 65     name: "{{ user.name }}"
 66     generate_ssh_key: yes
 67     ssh_key_bits: 2048
 68     ssh_key_file: "/home/{{ user.name }}/.ssh/id_rsa"
 69   when: ssh.user_key is undefined

all in the title :)

Why do you disable automount? Is it for sequrity reason? If so please give some links where to read about it.

And about /media: do you change default behaviour (/var/ran/media) just for convinience or there is something else?

  5 - name: Disable udisks automounting                                                                                                     
...                                                                    
 11 - name: Mount to /media         

Hi again, wondering if you have any advice on what I'm doing wrong, or what secret you may have for this. Here is what I have done:

• haven't run ansible in about 3 weeks
• since then, I have run sudo aura -Ayu which has updated several pkgs
• I noticed you had made some playbook changes, pulled those, ran ansible
• and now a handful of aur packages got downgraded, since my ~/aur hadn't changed since 3 weeks ago:

    $  grep downgraded /var/log/pacman.log 
    [2015-10-27 09:02] [ALPM] downgraded chromium-pepper-flash (1:19.0.0.226-1 -> 1:19.0.0.207-1)
    [2015-10-27 09:02] [ALPM] downgraded firejail (0.9.32-1 -> 0.9.30-1)
    [2015-10-27 09:02] [ALPM] downgraded virtualbox-ext-oracle (5.0.8-1 -> 5.0.6-1)
    [2015-12-08 10:39] [ALPM] downgraded aura-bin (1.3.4-1 -> 1.3.2.1-1)

Am I incorrectly expecting the playbook to be fairly idempotent like how I use puppet, and run it multiple times? In other words are you only running ansible once on a new system?
Or are you updating your ~/aur somehow? Guess I could just nuke ~/aur, but I think I found another idempotency issue so I thought I'd ask this question. Cheers!

Why do you install unbound by default? Could you please point to benefits of it in default distribution?

As it stated in nohang README:

OOM conditions may cause freezes, livelocks, drop caches and processes to be killed (via sending SIGKILL) instead of trying to terminate them correctly (via sending SIGTERM or takes other corrective action). Some applications may crash if it's impossible to allocate memory.

So it is very convinient to have one in playbook.

There are several options mentioned in nohang README.

May be nohang itself is a good option.

According to article How to properly activate TRIM for your SSD on Linux: fstrim, lvm and dm-crypt

TRIM should be enabled in all configs expect for fstab:

1. /etc/crypttab
2. /etc/lvm/lvm.conf

Quote:

you must enable support for TRIM in these three layers: The filesystem, LVM and dm-crypt. There is no point in enabling it at the filesystem level if you don’t enable it also on the other layers. The TRIM command should be translated from one layer to another until reaching the SSD.

But according to spark there isn't any setup like this.

If I have

fingerprint: True

in group_vars/all and setup fprintd and try to run ansible-playbook -i localhost playbook.yml --ask-become-pass I catch the error:

<localhost> EXEC /bin/sh -c 'rm -f -r /home/user/.ansible/tmp/ansible-tmp-1680455171.562048-412582-219023120032225/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "msg": "timeout waiting for privilege escalation password prompt:\n"
}

Workaround

Install and setup pam_fprintd_grosshack as suggested in Arch wiki:

If you want to prompt for fingerprint and password input at the same time, you can use pam-fprint-grosshack. This may be needed for some graphical programs which do not allow blank password input, such as Gnome's built-in polkit agent.

auth		sufficient  	pam_fprintd_grosshack.so
auth		sufficient  	pam_unix.so try_first_pass nullok
...

P.S. Also fprintd with pam_fprintd.so brakes yay AUR helper. And pam_fprintd_grosshack fixes it.

AllowTcpForwarding:

Qutation from man sshd_config:

The default is “yes”. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders

So probably it isn't necessary for setting it to no value.

And also could you please explain why you use this very Ciper: aes256-ctr and MACs: hmac-sha2-512. Why these and not something else (default for example).

Please, explain why do you add following packages as dependencies for networkmanager:

- xfce4-notifyd                                                                                                          
- gnome-keyring 

Browser (Firefox, Chromium) default profiles include following line:

whitelist ${DOWNLOADS}

so it depends on existance of ${DOWNLOADS} dir. Otherwise you cannot actually download files with jailed browsers. Downloads folder is one of the XDG user dirs.

I propose to add following lines to x role:

- name: Install xdg-user-dirs 
  pacman: name=xdg-user-dirs state=present

- name: Create user directories
  shell: LC_ALL=C /usr/bin/xdg-user-dirs-update
  args:
    creates: /home/{{ user.name }}/Downloads 
  become: "{{ user.name }}"

Instead of LC_ALL=C one may place some configurable locale. Possibly somebody wants to have localized xdg dirs.

The problem

When packages from the AUR are being installed and the process takes longer than passwd_timeout of sudo, then I get a sudo password promt and the installation is paused. I would expect from Ansible to provide non-interactive provisioning process (do not ask for any info during the provisioning process, except at the very beginning or end).

If the AUR module could utilise the become feature of Ansible that would be great.

Actual result

I have to type the password of my user multiple times.

Expected result

Installation/uninstallation completes without prompting for password at all.

There is arch-secure-boot:

Highly opinionated setup that provides minimal Secure Boot for Arch Linux, and a few recovery tools.

According to Arch wiki:

Secure Boot is a feature of UEFI that allows authentication of the files your computer boots. This helps preventing some evil maid attacks such as replacing files inside the boot partition. Normally computers come with keys that are enrolled by vendors (OEM). However these can be removed and allow the computer to enter Setup Mode which allows the user to enroll and manage their own keys.

The problem

When provisioning a machine where the user does not exist, then Ansible fails at the task
gnupg : Enable gpg-agent.socket.

Actual output

fatal: [localhost]: FAILED! => {"changed": false, "cmd":/usr/bin/systemctl --user", "msg": "Failed ro connect to bus: No such file or directory", "rc": 1}

Expected output

ok: [localhost]

Additional info

The reason for this is that the gpg-agent.socket is going to be installed as a user service (opposed to system service) and for that systemctl --user needs to connect to the socket /run/user/< name-of-new-user >/bus, but that does not exist, because the current user is root and only the current user will get a socket created by default.

It seems that the NetworkManager config provided here doesn't utilize the Unbound server also installed, as NetworkManager simply overwrites /etc/resolv.conf if any DNS servers are provided by the DHCP server.

I looked into several possible solutions, but couldn't find one that seemed to stick. The farthest I got was installing and starting dnssec-trigger and setting dns=unbound in NetworkManager.conf, but it still resolved some of the sites given in /etc/hosts to the real IP address, rather than 0.0.0.0.

A bit stuck, hope you can help figure this out.

This is the information I have about the error:

fatal: [host1]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "invocation": {
        "module_args": {
            "dir": null, 
            "name": "cower", 
            "skip_pgp": true, 
            "user": "someone"
        }
    }, 
    "msg": "failed to install package cower, because: ==> Making package: cower 17-2 (Thu Oct 19 14:09:03 EEST 2017)\n==> Checking runtime dependencies...\n==> Checking buildtime dependencies...\n==> Retrieving sources...\n  -> Found cower-17.tar.gz\n  -> Found cower-17.tar.gz.sig\n==> WARNING: Skipping verification of source file PGP signatures.\n==> Validating source files with md5sums...\n    cower-17.tar.gz ... Passed\n    cower-17.tar.gz.sig ... Skipped\n==> Extracting sources...\n  -> Extracting cower-17.tar.gz with bsdtar\n==> Removing existing $pkgdir/ directory...\n==> Starting build()...\n/bin/sh: pod2man: command not found\nmake: *** [Makefile:90: cower.1] Error 127\n==> ERROR: A failure occurred in build().\n    Aborting...\n"
}

I have also tried to install via yaourt and I get an error about PGP signatures:

ERROR: One or more PGP signatures could not be verified!
ERROR: Makepkg was unable to build cower

It seems like a cower issue and not spark's.

Quotation from fix-infinality.md:

If you installed infinality-bundle or the patched freetype2-infinality(-ultimate) package, you'll most likely recently have run into an error relating to the harfbuzz package (>= 1.4.1-1), specifically something like: /usr/lib/libharfbuzz.so.0: undefined symbol: FT_Get_Var_Blend_Coordinates.

So there is a problem which break a lot of processes like compilation for example.

CC -o dwm
/usr/lib/libharfbuzz.so.0: undefined reference to `FT_Get_Var_Blend_Coordinates'
collect2: error: ld returned 1 exit status
make: *** [Makefile:29: dwm] Error 1

Literature by this topic:

1. Workaround: https://gist.github.com/cryzed/e002e7057435f02cc7894b9e748c5671
2. Reddit discussion: https://www.reddit.com/r/archlinux/comments/5mphpu/psa_harfbuzz_update_infinality_breaking_system/
3. Another discussion in github issuses: polybar/polybar#310

It seems like AUR dependencies cannot be installed (or detected) via ansible-aur module.

Possible solutions:

1. (dirty but easy one) list in ansible role all aur dependencies (at the moment) of wormhole by hands like this:

  2 - name: Install magic-wormhole
  3   aur: name={{ item }} user={{ user.name }}
  4   with_items:
  5     - python-tqdm
  6     - python-hkdf
  7     - python-pynacl
  8     - python-spake2
  9     - magic-wormhole

2. make ansible-aur module to use yaourt (or something like this) which is capable to install AUR dependencies

Error itself:

< TASK [wormhole : Install magic-wormhole] >
 ------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "failed to install package magic-wormhole, because: ==> Making package: magic-wormhole 0.8.1-3 (Wed Dec 28 19:27:56 AEDT 2016)\n==> Checkin
g runtime dependencies...\n==> Installing missing dependencies...\nerror: target not found: python-tqdm\nerror: target not found: python-hkdf\nerror: target not found: python-pynacl\nerror: target not found: pyth
on-spake2\n==> ERROR: 'pacman' failed to install missing dependencies.\n"}

There is absolutely fresh arch linux install (real hardware not virtual).

There is an error during installing cower:

TASK [base : Install cower] ****************************************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "failed to install package cower, because: ==> ERROR: Cannot find the strip binary required for object file stripping.\n"}
	to retry, use: --limit @/home/petrunin/tmp/spark/playbook.retry

Reason is missed binutils package.

According to discussion at pulseaudio-modules-bt-git, quote message at 2021-02-08:

Upstream is deprecated, see EHfive/pulseaudio-modules-bt#154. I am going to orphan this package.

You have 2 alternative options alongside with this:

PipeWire: A2DP (LDAC, AAC, aptX(-HD)) and HFP(mSBC) are working on stable release. (git package maintained by me: https://aur.archlinux.org/packages/pipewire-common-git/)

PulseAudio: A2DP (LDAC, AAC, aptX(-HD)) support is merged, no HFP support yet, but you need to use "git" package before a new stable version shipped

Hello, thanks for sharing your ansible playbook and roles with the public!

As you encourage the reader in your blog, I'm considering to fork this project in the near future. Or at least get inspired from some of your tasks and roles. But your project does not have a license at all. Without a license it isn't clear what a user (me in this case) is allowed to do with your code. In the end it need to be considered proprietary and it is not allowed to re-use your code for other publicly shared projects.

Would it be possible to set a license for your project?

Some Ideas:

• If you don't care what happens with your code at all and want to release it to the public domain, you could set UNLICENSE.
• If you want to get a copyright notice to you in other projects, you could set MIT.
• If you want that all future versions of your code get released as open source too, you could set GPL.

The easiest for people like me would be the UNLICENSE, because I don't need much about it. But I can understand if you want to get noted or ensure that forks are also shared as open source with the community.

I am using manjaro linux. when I try to install any package with pacman, I get an error:

error: unable to write to pipe (Broken pipe)

what should I do to fix this error?

thank you.

sudo pacman -S maxima                                                                
resolving dependencies...
looking for conflicting packages...

Packages (1) maxima-5.46.0-5

Total Installed Size:  63.02 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                              [##########################################] 100%
(1/1) checking package integrity                                            [##########################################] 100%
(1/1) loading package files                                                 [##########################################] 100%
(1/1) checking for file conflicts                                           [##########################################] 100%
(1/1) checking available disk space                                         [##########################################] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
:: Processing package changes...
(1/1) reinstalling maxima                                                   [##########################################] 100%
:: Running post-transaction hooks...
(1/6) Arming ConditionNeedsUpdate...
(2/6) Updating the MIME type database...
(3/6) Refreshing PackageKit...
(4/6) Updating the info directory file...
(5/6) Updating the desktop file MIME type cache...
(6/6) SELinux: relabel installed files
error: unable to write to pipe (Broken pipe)

I've been working on this, and after discussing with @pigmonkey we are going to try and keep this on a separate branch.

PR coming soon!

Security page of ArchWiki says:

Prefer using Wayland over Xorg. Xorg's design predates modern security practices and is considered insecure by many. For example, Xorg applications may record keystrokes while inactive.

If you must run Xorg, it is recommended to avoid running it as root. Within Wayland, the XWayland compatibility layer will automatically use rootless Xorg.

So it seems that in order to increase security is it worth considering to look at Wayland.

There are several articles on the subject. I mention some of them:

• LinuX, SSDs and disk encryption
• Arch wiki Improving_performance#Storage_devices
• Debian SSDOptimization

1. Main advice is to reduce of SSD write frequency via RAMDISK (debian, arch and "After installation — Setting up ramdisks using tmpfs" from blog post). Some quotations are followed.

   Blog:

   good paradigm is to use ramdisks for temporary files to avoid wasting writes for files we don't want to keep anyway. Looking at the UNIX Filesystem Hierarchy Standard we note that temporary files are stored at /tmp and (in practice to a lesser extent) at /var/tmp. Moving the files in these locations to RAM can now be easily achieved by mounting the corresponding paths with the filesystem type tmpfs. This will create a dynamical ramdisk, meaning that only as much RAM is used up by the disk as it requires to store the files

   If you can spare a little more RAM you should furthermore consider the use of ramdisks for locations in the file system tree where frequent writes take place, e.g. /var/log and /var/spool. You might be aware that /var/log contains the system's logfiles, meaning that by applying these settings you will loose all logs on system reboot. For servers this would surely be a problem, but in the case of laptops I don't want to loose this option of saving a lot of writes.

   Arch:

   Avoiding unnecessary access to slow storage drives is good for performance and also increasing lifetime of the devices, although on modern hardware the difference in life expectancy is usually negligible.

2. Another but controversial common advice is to switch to low-latency IO-Scheduler:

   The default I/O scheduler queues data to minimize seeks on HDDs, which is not necessary for SSDs. Thus, use the "deadline" scheduler that just ensures bulk transactions won't slow down small transactions

   Blog post (After installation — Changing the disk scheduler) is also saying that:

   The disk scheduler controls how the kernel schedules access to storage drives. For rotating disks data access is obviously a slow process and it needs to be distributed fairly between the many processes that might want to read or write something to/from different parts of the disk. The default scheduler called cfq is optimised for the latter scenario, but not for SSDs. Performance can be greatly improved if noop or deadline are used instead. Noop is the most simple one: It basically handles requests in the order they are submitted. Deadline in some sense implements a timer on top and stops requests that take too long. Which one to use pretty much depends on the underlying hardware and the use case, but for a normal laptop and a normal use it should not make much of a difference.

   Arch wiki warns us:

   Only the CFQ scheduler supports setting IO priorities with ionice. Some background processes rely on this capability to perform background IO unobtrusively by reducing their IO priority, for example KDE's file indexer baloo. Using a different scheduler than the default CFQ scheduler can worsen the user experience on desktops.

3. One more controversial option is adding the mount options noatime and nodiratime. See (Blog: After installation — Editing /etc/fstab, arch and debian)

   Blog:

   For each partition that is located on an SSD drive you should at least add the mount options noatime and nodiratime. These options will suppress the usual bookkeeping of access times for files and directories, respectively. Usually accessing a file implies a write as well since the current date and time will be written to the so-called inode table of the filesystem. For most applications this is not required and can therefore be safely disabled using the above options.

   Arch:

   The noatime option is known to improve performance of the filesystem.

   Debian:

   Add the "noatime" (or "relatime") mount option in /etc/fstab, to disable (or significantly reduce) disk writes whenever a file is read. Please note that since Linux kernel 2.6.30, "relatime" is the default. This improves filesystem read performance for both SSDs and HDDs.

4. Blog: Enabling device-level write cache

   Turning on the write cache of a drive causes the drive to use some internal RAM to cache files until they are written to the disk properly. This improves performance in both SSDs as well as traditional hard drives. A disadvantage is that in the case of an abrupt power loss enabling this feature could lead to data loss. Since data is usually only kept in the disk cache for extremely short times this is hardly a problem for normal use cases.

5. Move browsers cache (or even whole browser or other software profiles) to RAM.

   Blog:

   On a user level it is mostly the browser cache which is very predictable to cause a lot of writes. Now that /tmp is located in RAM it is a good idea to make the browser drop its cache at this location

   Move full browser profile to RAM and sync: https://wiki.archlinux.org/index.php/Profile-sync-daemon

   Since the profile(s), browser cache*, etc. are relocated into tmpfs (RAM disk), the corresponding I/O associated with using the browser is also redirected from the physical drive to RAM, thus reducing wear to the physical drive and also greatly improving browser speed and responsiveness.

   Arch#Relocate files to tmpfs provides following options:

   Relocate files, such as your browser profile, to a tmpfs file system, for improvements in application response as all the files are now stored in RAM:

   1. Refer to Profile-sync-daemon for syncing browser profiles. Certain browsers might need special attention, see e.g. Firefox on RAM.
   2. Refer to Anything-sync-daemon for syncing any specified folder.
   3. Refer to Makepkg#tmpfs for improving compile times when building packages.
   

I had error, when ansible executed fonts tasks:

TASK [fonts : Enable LCD filter] ************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "src file does not exist, use \"force=yes\" if you really want to create the link: /etc/fonts/conf.avail/11-lcdfilter-default.conf", "path": "/etc/fonts/conf.d/11-lcdfilter-default.conf", "src": "/etc/fonts/conf.avail/11-lcdfilter-default.conf"}

I changed them from /etc/fonts/ to /usr/share/fontconfig and it's seems worked. I had issues with latest arch installation image.
So is possible to fix this? Maybe somehow auto-detect this paths.

Inom-Turdikulov@a7dbc2a

Hi,

RCM is no more supported, why not replace it with : dotbot ?

There are at least to mail syncing tools: isync and offlineimap:

https://github.com/pigmonkey/spark/blob/master/roles/mail/tasks/main.yml

Why do you need both of them?

I am using the spark repo to configure a laptop of mine.

Unfortunately I am getting these kind of messages in pacman and aur:

<192.168.1.2> (0, '', 'OpenSSH_7.6p1, OpenSSL 1.1.0f  25 May 2017\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: 
auto- mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: 
mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: 
mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 7263\r\ndebug3: mux_client_request_session: session 
request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r
\ndebug2: Received exit status from master 0\r\n')

Then the shell halts and after 3-4 minutes it fails. The system I am trying to deploy is a clean install of the latest Manjaro O/S. Not every role it has fails - I have commended everything out in order to find why this error happens. The OpenSSH server has the default configuration, so nothing fancy here.

I am not sure this issue is of this repo's fault, just posting it there in case someone else has the same. I've seen some issues as well in ansible's repository for 2.4. Please ignore and close If that's the case.

Quotation from archwiki:

Warning: The SliM project has been abandoned (the project homepage is down, leaving a github mirror), and is not fully compatible with systemd, including logind sessions. Consider using a different Display manager or Xinitrc.

What do toy think about switching to lightdm for example?

I had to add the linux-header packages to the base packages.
Was this really missing or did i made a configuration mistake?
Grepping the source from github didnt yield a result.

The output:

failed: [localhost] (item=[u'freetype2-infinality-ultimate', u'fontconfig-infinality-ultimate', u'cairo-infinality-ultimate']) => {"failed": true, "item": ["freetype2-infinality-ultimate", "fontconfig-infinality-ultimate", "cairo-infinality-ultimate"], "msg": "failed to install freetype2-infinality-ultimate"}

Possible reason:

freetype2-infinality-ultimate and freetype2 are in conflict. Remove freetype2?

Posibly it is better to install nmtrust in archway: add it to AUR and install it as AUR package.

cower fails to install due to a missing dependency, yajl.

light is orphaned at the moment:

WARNING: This project is considered orphaned since the 8th of March, 2023. Use is heavily discouraged until such a time that it is adopted by another developer.

May be it is worth consider alternatives like brightnessctl.

Moreover brightnessctl allows to control brightness of external monitor, not only laptop screen:

I'd like to configure the brightness of an external monitor

Use the ddcci-driver-linux kernel module to expose external monitor brightness controls to brightnessctl.

Couple of years ago I've cloned spark and have started to have my own changes in repository (because my set of software and settings couldn't be 100% same as somebodies else). From time to time I've cherry-pick`d some commits from upstream. But now I have ~2 years history of commits in upstream I want to incorporate to my fork of spark (and then somehow apply changes with ansible).

So it is more like question and not an issue. What is the best practice?

How to:

• have simultaneously my own fork with my own changes some roles are commented out and etc
• pull upstream changes
• have changes (from commits) applied to my installation

Hi, I'm trying out this playbook.

I'm having issues with the ssh role. It seems that sshd.socket is not available in the openssh package anymore?

I suppose the role has to be updated with using sshd.service instead?

Best regards,
Daniel

Packages to consider adding:

• wsjtx
• fldigi
• hamlib
• tucnak

Others? @jshuping ?

Why did you decided to stick with alsa instead of pulseaudio?

I've been using pulseaudio for a long time and don't see any significant troubles (except for necessity of restarting pulse after some suspending of my laptop).

Benefits (short list): Bluetooth audio support, network audio support, per application volume control, simplified volume controls and source selection.

The problem

Installation of the ttf-impallari-cantora package failed, because the font cannot be downloaded from the source URL. See below.

Expected behaviour

I would expect to be able to define the list of fonts to be installed by myself (like how it's done with AUR packages.), but it's hard-coded currently.

On my EFI-based macbook, I'm using systemd-boot (ex gummiboot) instead of grub.

I will have to figure out the steps to actually configure/load/boot the grsec kernel on my laptop.
After running spark, I have /etc/mkinitcpio.d/linux-grsec.preset (in addition to linux.preset).
Running the typical {{mkinitcpio -p linux}} only reads the linux.preset.
I probably also have to update/append to /boot/loader/arch/entries.conf to choose grsec kern from the boot menu.

In absolutely fresh system there is preinstall vim package, so installation of gvim always break the execution of playbook:

:: gvim and vim are in conflict (vim-minimal). Remove vim? [y/N]

Don't you think on moving to Pipewire?

From Arch Wiki:

PipeWire is a new low-level multimedia framework. It aims to offer capture and playback for both audio and video with minimal latency and support for PulseAudio, JACK, ALSA and GStreamer-based applications.

From Wikipedia:

PipeWire has received much praise, especially among the GNOME and Arch Linux communities. Particularly, it fixes many problems that PulseAudio had experienced, including its high CPU usage, Bluetooth connection issues, and its JACK backend issues.

From official wiki, How Is PipeWire Supposed To Be A Better PulseAudio?:

PipeWire can achieve lower latency with much less CPU usage and dropouts compared to PulseAudio. This would greatly improve video conferencing apps, like WebRTC in the browser.
PipeWire's security model can stop applications from snooping on each other's audio.
PipeWire allows more control over how applications are linked to devices and filters.
PipeWire uses an external policy manager that can provide better integration with the rest of the desktop system and configuration.

Even Pulseeffects migrated to PipeWire.

So it seems like good idea to try it.

When executing browser chooser as default application for relevant mimetypes there is an error.

/ TASK [browsers : Set rofi browser chooser as default \
\ application for relevant mimetypes]                  /
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

failed: [localhost] (item={u'regexp': u'^text/html=', u'line': u'text/html=browser.desktop'}) => {"failed": true, "item": {"line": "text/html=browser.desktop", "regexp": "^text/html="}, "msg": "Destination /etc/x
dg/mimeapps.list does not exist !", "rc": 257}
failed: [localhost] (item={u'regexp': u'^text/xml=', u'line': u'text/xml=browser.desktop'}) => {"failed": true, "item": {"line": "text/xml=browser.desktop", "regexp": "^text/xml="}, "msg": "Destination /etc/xdg/m
imeapps.list does not exist !", "rc": 257}
failed: [localhost] (item={u'regexp': u'^text/mml=', u'line': u'text/mml=browser.desktop'}) => {"failed": true, "item": {"line": "text/mml=browser.desktop", "regexp": "^text/mml="}, "msg": "Destination /etc/xdg/m
imeapps.list does not exist !", "rc": 257}
failed: [localhost] (item={u'regexp': u'^application/xhtml\\+xml=', u'line': u'application/xhtml+xml=browser.desktop'}) => {"failed": true, "item": {"line": "application/xhtml+xml=browser.desktop", "regexp": "^ap
plication/xhtml\\+xml="}, "msg": "Destination /etc/xdg/mimeapps.list does not exist !", "rc": 257}
failed: [localhost] (item={u'regexp': u'^application/xml=', u'line': u'application/xml=browser.desktop'}) => {"failed": true, "item": {"line": "application/xml=browser.desktop", "regexp": "^application/xml="}, "m
sg": "Destination /etc/xdg/mimeapps.list does not exist !", "rc": 257}
failed: [localhost] (item={u'regexp': u'^x-scheme-handler/http=', u'line': u'x-scheme-handler/http=browser.desktop'}) => {"failed": true, "item": {"line": "x-scheme-handler/http=browser.desktop", "regexp": "^x-sc
heme-handler/http="}, "msg": "Destination /etc/xdg/mimeapps.list does not exist !", "rc": 257}
failed: [localhost] (item={u'regexp': u'^x-scheme-handler/https=', u'line': u'x-scheme-handler/https=browser.desktop'}) => {"failed": true, "item": {"line": "x-scheme-handler/https=browser.desktop", "regexp": "^x
-scheme-handler/https="}, "msg": "Destination /etc/xdg/mimeapps.list does not exist !", "rc": 257}

grsec decided to kill itself. Arch has dropped it, so we'll need to rip that out and go back to vanilla.

Yay virtualbox?

I think we can start with the recommendation to run powertop --auto-tune via systemd, as shown here:
http://loicpefferkorn.net/2015/01/arch-linux-on-macbook-pro-retina-2014-with-dm-crypt-lvm-and-suspend-to-disk/
(also note he recommends powerdown.git which redirects to tlp docs).

other wants/todos:

• warning message when battery low and a suspend when battery critical.
• any other tlp tweaks
• do we need to disable rfkill? (see https://wiki.archlinux.org/index.php/TLP) .. it's still enabled on my laptop