Removed commit history

Signed-off-by: Marko Korhonen <marko.korhonen@reekynet.com>

root/boot/loader/entries/arch-lts.conf

@@ -0,0 +1,5 @@
+title	Arch Linux
+linux	/vmlinuz-linux-lts
+initrd	/amd-ucode.img
+initrd 	/initramfs-linux-lts.img
+options cryptdevice=/dev/disk/by-uuid/2fedee0d-fbf1-41ee-8d27-01feb25d9e8d:cryptroot:allow-discards root=/dev/mapper/cryptroot rootflags=subvol=__arch/root resume=/dev/mapper/cryptswap quiet acpi_backlight=vendor rw

root/boot/loader/entries/arch.conf

@@ -0,0 +1,5 @@
+title	Arch Linux
+linux	/vmlinuz-linux
+initrd	/amd-ucode.img
+initrd 	/initramfs-linux.img
+options cryptdevice=/dev/disk/by-uuid/2fedee0d-fbf1-41ee-8d27-01feb25d9e8d:cryptroot:allow-discards root=/dev/mapper/cryptroot rootflags=subvol=__arch/root resume=/dev/mapper/cryptswap cpuidle.governor=teo acpi_backlight=vendor amd_iommu=on iommu=pt rw idle=nomwait rcu_nocbs=0-7 quiet fastboot

root/boot/loader/loader.conf

@@ -0,0 +1,3 @@
+default arch
+timeout 0
+editor 	1

root/etc/NetworkManager/30-wg0.network

@@ -0,0 +1,10 @@
+[Match]
+Name = wg0
+
+[Network]
+Address = 10.0.0.3/32
+DNS = 10.0.0.1
+
+[Route]
+Gateway = 10.0.0.1
+Destination = 10.0.0.0/24

root/etc/NetworkManager/conf.d/rc-manager.conf

@@ -0,0 +1,2 @@
+[main]
+rc-manager=resolvconf

root/etc/NetworkManager/conf.d/wifi_backend.conf

@@ -0,0 +1,4 @@
+[device]
+wifi.backend=iwd
+match-device=interface-name:wlp1s0
+managed=1

root/etc/NetworkManager/dispatcher.d/10-tzupdate.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+status=$2
+case $status in
+    up)
+        /usr/bin/tzupdate
+esac

root/etc/NetworkManager/dispatcher.d/11-ssh-tunnel.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+if [[ "$2" == "up" ]] || [ "$2" == "vpn-up"]]; then
+	su - reekymarko -c 'ssh -f -N -R 8123:localhost:22 teapot sleep 10'
+fi
+
+if [[ "$2" == "down" ]] || [ "$2" == "vpn-up"]];then
+	killall ssh
+fi

root/etc/X11/xorg.conf.d/10-amdgpu.conf

@@ -0,0 +1,5 @@
+Section "Device"
+	Identifier "AMD" 
+	Driver "amdgpu"
+	Option "TearFree" "true"
+EndSection

root/etc/bluetooth/main.conf

@@ -0,0 +1,107 @@
+[General]
+
+# Default adapter name
+# Defaults to 'BlueZ X.YZ'
+#Name = BlueZ
+
+# Default device class. Only the major and minor device class bits are
+# considered. Defaults to '0x000000'.
+#Class = 0x000100
+
+# How long to stay in discoverable mode before going back to non-discoverable
+# The value is in seconds. Default is 180, i.e. 3 minutes.
+# 0 = disable timer, i.e. stay discoverable forever
+#DiscoverableTimeout = 0
+
+# How long to stay in pairable mode before going back to non-discoverable
+# The value is in seconds. Default is 0.
+# 0 = disable timer, i.e. stay pairable forever
+#PairableTimeout = 0
+
+# Use vendor id source (assigner), vendor, product and version information for
+# DID profile support. The values are separated by ":" and assigner, VID, PID
+# and version.
+# Possible vendor id source values: bluetooth, usb (defaults to usb)
+#DeviceID = bluetooth:1234:5678:abcd
+
+# Do reverse service discovery for previously unknown devices that connect to
+# us. This option is really only needed for qualification since the BITE tester
+# doesn't like us doing reverse SDP for some test cases (though there could in
+# theory be other useful purposes for this too). Defaults to 'true'.
+#ReverseServiceDiscovery = true
+
+# Enable name resolving after inquiry. Set it to 'false' if you don't need
+# remote devices name and want shorter discovery cycle. Defaults to 'true'.
+#NameResolving = true
+
+# Enable runtime persistency of debug link keys. Default is false which
+# makes debug link keys valid only for the duration of the connection
+# that they were created for.
+#DebugKeys = false
+
+# Restricts all controllers to the specified transport. Default value
+# is "dual", i.e. both BR/EDR and LE enabled (when supported by the HW).
+# Possible values: "dual", "bredr", "le"
+#ControllerMode = dual
+
+# Enables Multi Profile Specification support. This allows to specify if
+# system supports only Multiple Profiles Single Device (MPSD) configuration
+# or both Multiple Profiles Single Device (MPSD) and Multiple Profiles Multiple
+# Devices (MPMD) configurations.
+# Possible values: "off", "single", "multiple"
+#MultiProfile = off
+
+# Permanently enables the Fast Connectable setting for adapters that
+# support it. When enabled other devices can connect faster to us,
+# however the tradeoff is increased power consumptions. This feature
+# will fully work only on kernel version 4.1 and newer. Defaults to
+# 'false'.
+#FastConnectable = false
+
+# Default privacy setting.
+# Enables use of private address.
+# Possible values: "off", "device", "network"
+# "network" option not supported currently
+# Defaults to "off"
+# Privacy = off
+
+[GATT]
+# GATT attribute cache.
+# Possible values:
+# always: Always cache attributes even for devices not paired, this is
+# recommended as it is best for interoperability, with more consistent
+# reconnection times and enables proper tracking of notifications for all
+# devices.
+# yes: Only cache attributes of paired devices.
+# no: Never cache attributes
+# Default: always
+#Cache = always
+
+# Minimum required Encryption Key Size for accessing secured characteristics.
+# Possible values: 0 and 7-16. 0 means don't care.
+# Defaults to 0
+# MinEncKeySize = 0
+
+[Policy]
+#
+# The ReconnectUUIDs defines the set of remote services that should try
+# to be reconnected to in case of a link loss (link supervision
+# timeout). The policy plugin should contain a sane set of values by
+# default, but this list can be overridden here. By setting the list to
+# empty the reconnection feature gets disabled.
+#ReconnectUUIDs=00001112-0000-1000-8000-00805f9b34fb,0000111f-0000-1000-8000-00805f9b34fb,0000110a-0000-1000-8000-00805f9b34fb
+
+# ReconnectAttempts define the number of attempts to reconnect after a link
+# lost. Setting the value to 0 disables reconnecting feature.
+#ReconnectAttempts=7
+
+# ReconnectIntervals define the set of intervals in seconds to use in between
+# attempts.
+# If the number of attempts defined in ReconnectAttempts is bigger than the
+# set of intervals the last interval is repeated until the last attempt.
+#ReconnectIntervals=1,2,4,8,16,32,64
+
+# AutoEnable defines option to enable all controllers when they are found.
+# This includes adapters present on start as well as adapters that are plugged
+# in later on. Defaults to 'false'.
+AutoEnable=true

root/etc/clamav/clamd.conf

@@ -0,0 +1,15 @@
+LogFile /var/log/clamav/clamd.log
+LogTime yes
+PidFile /run/clamav/clamd.pid
+TemporaryDirectory /tmp
+LocalSocket /run/clamav/clamd.ctl
+
+ScanOnAccess true
+OnAccessMountPath /usr
+OnAccessMountPath /home/
+OnAccessExcludePath /var/log/
+OnAccessPrevention false
+OnAccessExtraScanning true
+OnAccessExcludeUID 0
+VirusEvent /etc/clamav/detected.sh
+User root

root/etc/clamav/detected.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+PATH=/usr/bin
+
+alert="Signature detected: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
+
+# Send the alert to systemd logger if exist, othewise to /var/log
+if [[ -z $(command -v systemd-cat) ]]; then
+	echo "$(date) - $alert" >> /var/log/clamav/infected.log
+else
+	# as "emerg", this could cause your DE to show a visual alert. Happen in Plasma. but the next visual alert is much nicer
+	echo "$alert" | /usr/bin/systemd-cat -t clamav -p emerg
+fi
+
+#send an alrt to all graphical user
+XUSERS=($(who|awk '{print $1}'|sort -u))
+
+for XUSER in $XUSERS; do
+    NAME=(${XUSER/(/ })
+    DISPLAY=${NAME[1]/)/}
+    DBUS_ADDRESS=unix:path=/run/user/$(id -u ${NAME[0]})/bus
+    echo "run $NAME - $DISPLAY - $DBUS_ADDRESS -" >> /tmp/testlog 
+    /usr/bin/sudo -u ${NAME[0]} DISPLAY=${DISPLAY} \
+                       DBUS_SESSION_BUS_ADDRESS=${DBUS_ADDRESS} \
+                       PATH=${PATH} \
+                       /usr/bin/notify-send -i dialog-warning "clamAV" "$alert"
+done

root/etc/cryptissue

@@ -0,0 +1,49 @@
+
+
+		    Welcome to
+                    _          _      _                  
+     /\            | |        | |    (_)                 
+    /  \   _ __ ___| |__      | |     _ _ __  _   ___  __
+   / /\ \ | '__/ __| '_ \     | |    | | '_ \| | | \ \/ /
+  / ____ \| | | (__| | | |    | |____| | | | | |_| |>  < 
+ /_/    \_\_|  \___|_| |_|    |______|_|_| |_|\__,_/_/\_\
+                                                         
+                                                         
+   a lightweight and flexible GNU/Linux distribution.
+                                          
+
+ _________________________________________________________
+( << Warning! >>                                          )
+( This is a private computer for authorized users ONLY.   )   
+( Unauthorized access or any attempts to bypass security  )
+( mechanisms is a violation of the law.                   ) 
+( By proceeding, you acknowledge that you have fully read )
+( and understood this notice.                             )
+ --------------------------------------------------------- 
+    o                                                
+     o                                     ,           ,
+      o                                   /             \  
+     .--.                  /\            ((__-^^-,-^^-__)) 
+    |o_o |                /^^\            `-_---' `---_-'  
+    |:_/ |               /\   \            `--|o` 'o|--' 
+   //   \ \             /  __  \              \  `  / 
+  (|     | )           /  (  )  \              ): :(   
+ /'\_   _/`\          / __|  |__\\             :o_o: 
+ \___)=(___/ tux     ///        \\\ arch        "-"  gnu
+
+
+
+ _____  __                          __                      _    _   _     _        _             _              
+|_   _|/ _|                        / _|                    | |  | | | |   (_)      | |           | |             
+  | | | |_    _   _  ___  _   _   | |_ ___  _   _ _ __   __| |  | |_| |__  _ ___   | | __ _ _ __ | |_ ___  _ __  
+  | | |  _|  | | | |/ _ \| | | |  |  _/ _ \| | | | '_ \ / _` |  | __| '_ \| / __|  | |/ _` | '_ \| __/ _ \| '_ \ 
+ _| |_| |    | |_| | (_) | |_| |  | || (_) | |_| | | | | (_| |  | |_| | | | \__ \  | | (_| | |_) | || (_) | |_) |
+|_____|_|     \__, |\___/ \__,_|  |_| \___/ \__,_|_| |_|\__,_|   \__|_| |_|_|___/  |_|\__,_| .__/ \__\___/| .__/ 
+               __/ |                                                                       | |            | |    
+              |___/                                                                        |_|            |_|    
+
+Please return it to me! Below are my contact details
+
+Name: 		{{@@ env['ME_FULLNAME'] @@}}
+Address: 	{{@@ env['ME_ADDRESS'] @@}}
+Phone: 		{{@@ env['ME_PHONE'] @@}}

root/etc/environment

@@ -0,0 +1,20 @@
+# Fix java on wayland
+_JAVA_AWT_WM_NONREPARENTING=1
+_JAVA_OPTIONS='-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel'
+
+# Enable qt5 theming and wayland support
+QT_QPA_PLATFORMTHEME=gnome
+QT_QPA_PLATFORM=wayland-egl
+QT_WAYLAND_DISABLE_WINDOWDECORATION=1
+
+# Firefox
+MOZ_ENABLE_WAYLAND=1
+MOZ_USE_XINPUT2=1
+
+# Webrender disabled temporarily until
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1589114
+# is fixed
+#MOZ_WEBRENDER=1
+
+# Fix redshift on wlroots
+WLR_DRM_NO_ATOMIC=1

root/etc/fonts/local.conf

@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+<fontconfig>
+    <match>
+        <edit mode="prepend" name="family"><string>Lucida G</string></edit>
+    </match>
+    <match target="pattern">
+        <test qual="any" name="family"><string>serif</string></test>
+        <edit name="family" mode="assign" binding="same"><string>Lucida G</string></edit>
+    </match>
+    <match target="pattern">
+        <test qual="any" name="family"><string>sans-serif</string></test>
+        <edit name="family" mode="assign" binding="same"><string>Lucida G</string></edit>
+    </match>
+    <match target="pattern">
+        <test qual="any" name="family"><string>monospace</string></test>
+        <edit name="family" mode="assign" binding="same"><string>Hack Nerd Font Mono</string></edit>
+    </match>
+</fontconfig>

root/etc/libvirt/qemu.conf

@@ -0,0 +1,823 @@
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# Use of TLS requires that x509 certificates be issued. The default is
+# to keep them in /etc/pki/qemu. This directory must contain
+#
+#  ca-cert.pem - the CA master certificate
+#  server-cert.pem - the server certificate signed with ca-cert.pem
+#  server-key.pem  - the server private key
+#
+# and optionally may contain
+#
+#  dh-params.pem - the DH params configuration file
+#
+# If the directory does not exist, libvirtd will fail to start. If the
+# directory doesn't contain the necessary files, QEMU domains will fail
+# to start if they are configured to use TLS.
+#
+# In order to overwrite the default path alter the following. This path
+# definition will be used as the default path for other *_tls_x509_cert_dir
+# configuration settings if their default path does not exist or is not
+# specifically set.
+#
+#default_tls_x509_cert_dir = "/etc/pki/qemu"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
+#
+# The default_tls_x509_cert_dir directory must also contain
+#
+#  client-cert.pem - the client certificate signed with the ca-cert.pem
+#  client-key.pem - the client private key
+#
+#default_tls_x509_verify = 1
+
+#
+# Libvirt assumes the server-key.pem file is unencrypted by default.
+# To use an encrypted server-key.pem file, the password to decrypt
+# the PEM file is required. This can be provided by creating a secret
+# object in libvirt and then to uncomment this setting to set the UUID
+# of the secret.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#vnc_listen = "0.0.0.0"
+
+# Enable this option to have VNC served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine, though most VNC clients do not support it.
+#
+# This will only be enabled for VNC configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over vnc_listen.
+#
+#vnc_auto_unix_socket = 1
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#vnc_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# vnc certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vnc_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#vnc_tls_x509_verify = 1
+
+
+# The default VNC password. Only 8 bytes are significant for
+# VNC passwords. This parameter is only used if the per-domain
+# XML config does not already provide a password. To allow
+# access without passwords, leave this commented out. An empty
+# string will still enable passwords, but be rejected by QEMU,
+# effectively preventing any use of VNC. Obviously change this
+# example here before you set this.
+#
+#vnc_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the VNC server. This requires
+# a VNC client which supports the SASL protocol extension.
+# Examples include vinagre, virt-viewer and virt-manager
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#vnc_sasl = 1
+
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#vnc_sasl_dir = "/some/directory/sasl2"
+
+
+# QEMU implements an extension for providing audio over a VNC connection,
+# though if your VNC client does not support it, your only chance for getting
+# sound output is through regular audio backends. By default, libvirt will
+# disable all QEMU sound backends if using VNC, since they can cause
+# permissions issues. Enabling this option will make libvirtd honor the
+# QEMU_AUDIO_DRV environment variable when using VNC.
+#
+#vnc_allow_host_audio = 0
+
+
+
+# SPICE is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#spice_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the SPICE server.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#spice_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# spice certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but spice_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
+
+
+# Enable this option to have SPICE served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine.
+#
+# This will only be enabled for SPICE configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over spice_listen.
+#
+#spice_auto_unix_socket = 1
+
+
+# The default SPICE password. This parameter is only used if the
+# per-domain XML config does not already provide a password. To
+# allow access without passwords, leave this commented out. An
+# empty string will still enable passwords, but be rejected by
+# QEMU, effectively preventing any use of SPICE. Obviously change
+# this example here before you set this.
+#
+#spice_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#spice_sasl_dir = "/some/directory/sasl2"
+
+# Enable use of TLS encryption on the chardev TCP transports.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#chardev_tls = 1
+
+
+# In order to override the default TLS certificate location for character
+# device TCP certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but chardev_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#chardev_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# Enable use of TLS encryption for all VxHS network block devices that
+# don't specifically disable.
+#
+# When the VxHS network block device server is set up appropriately,
+# x509 certificates are required for authentication between the clients
+# (qemu processes) and the remote VxHS server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#vxhs_tls = 1
+
+
+# In order to override the default TLS certificate location for VxHS
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the VxHS block device clients to the VxHS
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vxhs_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# VxHS block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA master certificate.
+# If using the default environment, default_tls_x509_verify must be configured.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a VxHS directory must contain the following:
+#
+#  ca-cert.pem - the CA master certificate
+#  client-cert.pem - the client certificate signed with the ca-cert.pem
+#  client-key.pem - the client private key
+#
+#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+
+
+
+# Enable use of TLS encryption for all NBD disk devices that don't
+# specifically disable it.
+#
+# When the NBD server is set up appropriately, x509 certificates are required
+# for authentication between the client and the remote NBD server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#nbd_tls = 1
+
+
+# In order to override the default TLS certificate location for NBD
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the NBD block device clients to the NBD
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but nbd_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# NBD block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA certificate.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a NBD directory must contain the following:
+#
+#  ca-cert.pem - the CA master certificate
+#  client-cert.pem - the client certificate signed with the ca-cert.pem
+#  client-key.pem - the client private key
+#
+#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
+
+
+# In order to override the default TLS certificate location for migration
+# certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path
+# will be used. Once/if a default certificate is enabled/defined, migration
+# will then be able to use the certificate via migration API flags.
+#
+#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#migrate_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# By default, if no graphical front end is configured, libvirt will disable
+# QEMU audio output since directly talking to alsa/pulseaudio may not work
+# with various security settings. If you know what you're doing, enable
+# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
+# environment variable when using nographics.
+#
+#nographics_allow_host_audio = 1
+
+
+# Override the port for creating both VNC and SPICE sessions (min).
+# This defaults to 5900 and increases for consecutive sessions
+# or when ports are occupied, until it hits the maximum.
+#
+# Minimum must be greater than or equal to 5900 as lower number would
+# result into negative vnc display number.
+#
+# Maximum must be less than 65536, because higher numbers do not make
+# sense as a port number.
+#
+#remote_display_port_min = 5900
+#remote_display_port_max = 65535
+
+# VNC WebSocket port policies, same rules apply as with remote display
+# ports.  VNC WebSockets use similar display <-> port mappings, with
+# the exception being that ports start from 5700 instead of 5900.
+#
+#remote_websocket_port_min = 5700
+#remote_websocket_port_max = 65535
+
+# The default security driver is SELinux. If SELinux is disabled
+# on the host, then the security driver will automatically disable
+# itself. If you wish to disable QEMU SELinux security driver while
+# leaving SELinux enabled for the host in general, then set this
+# to 'none' instead. It's also possible to use more than one security
+# driver at the same time, for this use a list of names separated by
+# comma and delimited by square brackets. For example:
+#
+#       security_driver = [ "selinux", "apparmor" ]
+#
+# Notes: The DAC security driver is always enabled; as a result, the
+# value of security_driver cannot contain "dac".  The value "none" is
+# a special value; security_driver can be set to that value in
+# isolation, but it cannot appear in a list of drivers.
+#
+#security_driver = "selinux"
+
+# If set to non-zero, then the default security labeling
+# will make guests confined. If set to zero, then guests
+# will be unconfined by default. Defaults to 1.
+#security_default_confined = 1
+
+# If set to non-zero, then attempts to create unconfined
+# guests will be blocked. Defaults to 0.
+#security_require_confined = 1
+
+# The user for QEMU processes run by the system instance. It can be
+# specified as a user name or as a user id. The qemu driver will try to
+# parse this value first as a name and then, if the name doesn't exist,
+# as a user id.
+#
+# Since a sequence of digits is a valid user name, a leading plus sign
+# can be used to ensure that a user id will not be interpreted as a user
+# name.
+#
+# Some examples of valid values are:
+#
+#       user = "qemu"   # A user named "qemu"
+#       user = "+0"     # Super user (uid=0)
+#       user = "100"    # A user named "100" or a user with uid=100
+#
+#user = "root"
+
+# The group for QEMU processes run by the system instance. It can be
+# specified in a similar way to user.
+#group = "root"
+
+# Whether libvirt should dynamically change file ownership
+# to match the configured user/group above. Defaults to 1.
+# Set to 0 to disable file ownership changes.
+#dynamic_ownership = 1
+
+# What cgroup controllers to make use of with QEMU guests
+#
+#  - 'cpu' - use for scheduler tunables
+#  - 'devices' - use for device whitelisting
+#  - 'memory' - use for memory tunables
+#  - 'blkio' - use for block devices I/O tunables
+#  - 'cpuset' - use for CPUs and memory nodes
+#  - 'cpuacct' - use for CPUs statistics.
+#
+# NB, even if configured here, they won't be used unless
+# the administrator has mounted cgroups, e.g.:
+#
+#  mkdir /dev/cgroup
+#  mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
+#
+# They can be mounted anywhere, and different controllers
+# can be mounted in different locations. libvirt will detect
+# where they are located.
+#
+#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
+# This is the basic set of devices allowed / required by
+# all virtual machines.
+#
+# As well as this, any configured block backed disks,
+# all sound device, and all PTY devices are allowed.
+#
+# This will only need setting if newer QEMU suddenly
+# wants some device we don't already know about.
+#
+#cgroup_device_acl = [
+#    "/dev/null", "/dev/full", "/dev/zero",
+#    "/dev/random", "/dev/urandom",
+#    "/dev/ptmx", "/dev/kvm",
+#    "/dev/rtc","/dev/hpet"
+#]
+#
+# RDMA migration requires the following extra files to be added to the list:
+#   "/dev/infiniband/rdma_cm",
+#   "/dev/infiniband/issm0",
+#   "/dev/infiniband/issm1",
+#   "/dev/infiniband/umad0",
+#   "/dev/infiniband/umad1",
+#   "/dev/infiniband/uverbs0"
+
+
+# The default format for QEMU/KVM guest save images is raw; that is, the
+# memory from the domain is dumped out directly to a file.  If you have
+# guests with a large amount of memory, however, this can take up quite
+# a bit of space.  If you would like to compress the images while they
+# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
+# for save_image_format.  Note that this means you slow down the process of
+# saving a domain in order to save disk space; the list above is in descending
+# order by performance and ascending order by compression ratio.
+#
+# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
+# at scheduled saving, and it is an error if the specified save_image_format
+# is not valid, or the requested compression program can't be found.
+#
+# dump_image_format is used when you use 'virsh dump' at emergency
+# crashdump, and if the specified dump_image_format is not valid, or
+# the requested compression program can't be found, this falls
+# back to "raw" compression.
+#
+# snapshot_image_format specifies the compression algorithm of the memory save
+# image when an external snapshot of a domain is taken. This does not apply
+# on disk image format. It is an error if the specified format isn't valid,
+# or the requested compression program can't be found.
+#
+#save_image_format = "raw"
+#dump_image_format = "raw"
+#snapshot_image_format = "raw"
+
+# When a domain is configured to be auto-dumped when libvirtd receives a
+# watchdog event from qemu guest, libvirtd will save dump files in directory
+# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
+#
+#auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
+# When a domain is configured to be auto-dumped, enabling this flag
+# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
+# virDomainCoreDump API.  That is, the system will avoid using the
+# file system cache while writing the dump file, but may cause
+# slower operation.
+#
+#auto_dump_bypass_cache = 0
+
+# When a domain is configured to be auto-started, enabling this flag
+# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
+# with the virDomainCreateWithFlags API.  That is, the system will
+# avoid using the file system cache when restoring any managed state
+# file, but may cause slower operation.
+#
+#auto_start_bypass_cache = 0
+
+# If provided by the host and a hugetlbfs mount point is configured,
+# a guest may request huge page backing.  When this mount point is
+# unspecified here, determination of a host mount point in /proc/mounts
+# will be attempted.  Specifying an explicit mount overrides detection
+# of the same in /proc/mounts.  Setting the mount point to "" will
+# disable guest hugepage backing. If desired, multiple mount points can
+# be specified at once, separated by comma and enclosed in square
+# brackets, for example:
+#
+#     hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
+#
+# The size of huge page served by specific mount point is determined by
+# libvirt at the daemon startup.
+#
+# NB, within these mount points, guests will create memory backing
+# files in a location of $MOUNTPOINT/libvirt/qemu
+#
+#hugetlbfs_mount = "/dev/hugepages"
+
+
+# Path to the setuid helper for creating tap devices.  This executable
+# is used to create <source type='bridge'> interfaces when libvirtd is
+# running unprivileged.  libvirt invokes the helper directly, instead
+# of using "-netdev bridge", for security reasons.
+#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
+
+
+
+# If clear_emulator_capabilities is enabled, libvirt will drop all
+# privileged capabilities of the QEMU/KVM emulator. This is enabled by
+# default.
+#
+# Warning: Disabling this option means that a compromised guest can
+# exploit the privileges and possibly do damage to the host.
+#
+#clear_emulator_capabilities = 1
+
+
+# If enabled, libvirt will have QEMU set its process name to
+# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
+# process will appear as "qemu:VM_NAME" in process listings and
+# other system monitoring tools. By default, QEMU does not set
+# its process title, so the complete QEMU command (emulator and
+# its arguments) appear in process listings.
+#
+#set_process_name = 1
+
+
+# If max_processes is set to a positive integer, libvirt will use
+# it to set the maximum number of processes that can be run by qemu
+# user. This can be used to override default value set by host OS.
+# The same applies to max_files which sets the limit on the maximum
+# number of opened files.
+#
+#max_processes = 0
+#max_files = 0
+
+# If max_core is set to a non-zero integer, then QEMU will be
+# permitted to create core dumps when it crashes, provided its
+# RAM size is smaller than the limit set.
+#
+# Be warned that the core dump will include a full copy of the
+# guest RAM, if the 'dump_guest_core' setting has been enabled,
+# or if the guest XML contains
+#
+#   <memory dumpcore="on">...guest ram...</memory>
+#
+# If guest RAM is to be included, ensure the max_core limit
+# is set to at least the size of the largest expected guest
+# plus another 1GB for any QEMU host side memory mappings.
+#
+# As a special case it can be set to the string "unlimited" to
+# to allow arbitrarily sized core dumps.
+#
+# By default the core dump size is set to 0 disabling all dumps
+#
+# Size is a positive integer specifying bytes or the
+# string "unlimited"
+#
+#max_core = "unlimited"
+
+# Determine if guest RAM is included in QEMU core dumps. By
+# default guest RAM will be excluded if a new enough QEMU is
+# present. Setting this to '1' will force guest RAM to always
+# be included in QEMU core dumps.
+#
+# This setting will be ignored if the guest XML has set the
+# dumpcore attribute on the <memory> element.
+#
+#dump_guest_core = 1
+
+# mac_filter enables MAC addressed based filtering on bridge ports.
+# This currently requires ebtables to be installed.
+#
+#mac_filter = 1
+
+
+# By default, PCI devices below non-ACS switch are not allowed to be assigned
+# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
+# be assigned to guests.
+#
+#relaxed_acs_check = 1
+
+
+# In order to prevent accidentally starting two domains that
+# share one writable disk, libvirt offers two approaches for
+# locking files. The first one is sanlock, the other one,
+# virtlockd, is then our own implementation. Accepted values
+# are "sanlock" and "lockd".
+#
+#lock_manager = "lockd"
+
+
+# Set limit of maximum APIs queued on one domain. All other APIs
+# over this threshold will fail on acquiring job lock. Specially,
+# setting to zero turns this feature off.
+# Note, that job lock is per domain.
+#
+#max_queued = 0
+
+###################################################################
+# Keepalive protocol:
+# This allows qemu driver to detect broken connections to remote
+# libvirtd during peer-to-peer migration.  A keepalive message is
+# sent to the daemon after keepalive_interval seconds of inactivity
+# to check if the daemon is still responding; keepalive_count is a
+# maximum number of keepalive messages that are allowed to be sent
+# to the daemon without getting any response before the connection
+# is considered broken.  In other words, the connection is
+# automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the daemon.  If keepalive_interval is set to
+# -1, qemu driver will not send keepalive requests during
+# peer-to-peer migration; however, the remote libvirtd can still
+# send them and source libvirtd will send responses.  When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+
+
+# Use seccomp syscall sandbox in QEMU.
+# 1 == seccomp enabled, 0 == seccomp disabled
+#
+# If it is unset (or -1), then seccomp will be enabled
+# only if QEMU >= 2.11.0 is detected, otherwise it is
+# left disabled. This ensures the default config gets
+# protection for new QEMU using the blacklist approach.
+#
+#seccomp_sandbox = 1
+
+
+# Override the listen address for all incoming migrations. Defaults to
+# 0.0.0.0, or :: if both host and qemu are capable of IPv6.
+#migration_address = "0.0.0.0"
+
+
+# The default hostname or IP address which will be used by a migration
+# source for transferring migration data to this host.  The migration
+# source has to be able to resolve this hostname and connect to it so
+# setting "localhost" will not work.  By default, the host's configured
+# hostname is used.
+#migration_host = "host.example.com"
+
+
+# Override the port range used for incoming migrations.
+#
+# Minimum must be greater than 0, however when QEMU is not running as root,
+# setting the minimum to be lower than 1024 will not work.
+#
+# Maximum must not be greater than 65535.
+#
+#migration_port_min = 49152
+#migration_port_max = 49215
+
+
+
+# Timestamp QEMU's log messages (if QEMU supports it)
+#
+# Defaults to 1.
+#
+#log_timestamp = 0
+
+
+# Location of master nvram file
+#
+# When a domain is configured to use UEFI instead of standard
+# BIOS it may use a separate storage for UEFI variables. If
+# that's the case libvirt creates the variable store per domain
+# using this master file as image. Each UEFI firmware can,
+# however, have different variables store. Therefore the nvram is
+# a list of strings when a single item is in form of:
+#   ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
+# Later, when libvirt creates per domain variable store, this list is
+# searched for the master image. The UEFI firmware can be called
+# differently for different guest architectures. For instance, it's OVMF
+# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
+# follows this scheme.
+#nvram = [
+#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
+#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
+#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
+#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
+#]
+
+# The backend to use for handling stdout/stderr output from
+# QEMU processes.
+#
+#  'file': QEMU writes directly to a plain file. This is the
+#          historical default, but allows QEMU to inflict a
+#          denial of service attack on the host by exhausting
+#          filesystem space
+#
+#  'logd': QEMU writes to a pipe provided by virtlogd daemon.
+#          This is the current default, providing protection
+#          against denial of service by performing log file
+#          rollover when a size limit is hit.
+#
+#stdio_handler = "logd"
+
+# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
+# most verbose, and 0 representing no debugging output.
+#
+# The current logging levels defined in the gluster GFAPI are:
+#
+#    0 - None
+#    1 - Emergency
+#    2 - Alert
+#    3 - Critical
+#    4 - Error
+#    5 - Warning
+#    6 - Notice
+#    7 - Info
+#    8 - Debug
+#    9 - Trace
+#
+# Defaults to 4
+#
+#gluster_debug_level = 9
+
+# To enhance security, QEMU driver is capable of creating private namespaces
+# for each domain started. Well, so far only "mount" namespace is supported. If
+# enabled it means qemu process is unable to see all the devices on the system,
+# only those configured for the domain in question. Libvirt then manages
+# devices entries throughout the domain lifetime. This namespace is turned on
+# by default.
+#namespaces = [ "mount" ]
+
+# This directory is used for memoryBacking source if configured as file.
+# NOTE: big files will be stored here
+#memory_backing_dir = "/var/lib/libvirt/qemu/ram"
+
+# Path to the SCSI persistent reservations helper. This helper is
+# used whenever <reservations/> are enabled for SCSI LUN devices.
+#pr_helper = "/usr/bin/qemu-pr-helper"
+
+# User for the swtpm TPM Emulator
+#
+# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
+# and uses; alternative is 'root'
+#
+#swtpm_user = "tss"
+#swtpm_group = "tss"
+
+nvram = [
+    "/usr/share/ovmf/x64/OVMF_CODE.fd:/usr/share/ovmf/x64/OVMF_VARS.fd"
+]

root/etc/locale.conf

@@ -0,0 +1,2 @@
+LANG=en_XX.UTF-8@POSIX
+LC_CTYPE=en_US.UTF-8

root/etc/locale.gen

@@ -0,0 +1,2 @@
+en_US.UTF-8 UTF-8
+en_XX.UTF-8@POSIX UTF-8

root/etc/pacman.conf

@@ -0,0 +1,26 @@
+[options]
+ILoveCandy
+Color
+CheckSpace
+TotalDownload
+HoldPkg = pacman glibc
+SigLevel = Required DatabaseOptional
+Architecture = auto
+LocalFileSigLevel = Optional
+CacheDir = /var/cache/pacman/pkg
+
+[core]
+Include = /etc/pacman.d/pacserve
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/pacserve
+Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/pacserve
+Include = /etc/pacman.d/mirrorlist
+
+[multilib]
+Include = /etc/pacman.d/pacserve
+Include = /etc/pacman.d/mirrorlist

root/etc/pacserve/pacserve.service.conf

@@ -0,0 +1 @@
+PACSERVE_ARGS="--multicast"

root/etc/profile.d/freetype2.sh

@@ -0,0 +1,12 @@
+# Subpixel hinting mode can be chosen by setting the right TrueType interpreter
+# version. The available settings are:
+#
+#     truetype:interpreter-version=35  # Classic mode (default in 2.6)
+#     truetype:interpreter-version=38  # Infinality mode
+#     truetype:interpreter-version=40  # Minimal mode (default in 2.7)
+#
+# There are more properties that can be set, separated by whitespace. Please
+# refer to the FreeType documentation for details.
+
+# Uncomment and configure below
+export FREETYPE_PROPERTIES="truetype:interpreter-version=40"

root/etc/pulse/default.pa

@@ -0,0 +1,146 @@
+#!/usr/bin/pulseaudio -nF
+#
+# This file is part of PulseAudio.
+#
+# PulseAudio is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# PulseAudio is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with PulseAudio; if not, see <http://www.gnu.org/licenses/>.
+
+# This startup script is used only if PulseAudio is started per-user
+# (i.e. not in system mode)
+
+.fail
+
+### Automatically restore the volume of streams and devices
+load-module module-device-restore
+load-module module-stream-restore
+load-module module-card-restore
+
+### Use Avahi
+load-module module-zeroconf-publish
+load-module module-zeroconf-discover
+
+### Automatically augment property information from .desktop files
+### stored in /usr/share/application
+load-module module-augment-properties
+
+### Should be after module-*-restore but before module-*-detect
+load-module module-switch-on-port-available
+
+### Load audio drivers statically
+### (it's probably better to not load these drivers manually, but instead
+### use module-udev-detect -- see below -- for doing this automatically)
+#load-module module-alsa-sink
+#load-module module-alsa-source device=hw:1,0
+#load-module module-oss device="/dev/dsp" sink_name=output source_name=input
+#load-module module-oss-mmap device="/dev/dsp" sink_name=output source_name=input
+#load-module module-null-sink
+#load-module module-pipe-sink
+
+### Automatically load driver modules depending on the hardware available
+.ifexists module-udev-detect.so
+load-module module-udev-detect
+.else
+### Use the static hardware detection module (for systems that lack udev support)
+load-module module-detect
+.endif
+
+### Automatically connect sink and source if JACK server is present
+.ifexists module-jackdbus-detect.so
+.nofail
+load-module module-jackdbus-detect channels=2
+.fail
+.endif
+
+### Automatically load driver modules for Bluetooth hardware
+.ifexists module-bluetooth-policy.so
+load-module module-bluetooth-policy
+.endif
+
+.ifexists module-bluetooth-discover.so
+load-module module-bluetooth-discover
+.endif
+
+### Load several protocols
+load-module module-dbus-protocol
+.ifexists module-esound-protocol-unix.so
+load-module module-esound-protocol-unix
+.endif
+load-module module-native-protocol-unix
+
+### Network access (may be configured with paprefs, so leave this commented
+### here if you plan to use paprefs)
+#load-module module-esound-protocol-tcp
+#load-module module-native-protocol-tcp
+#load-module module-zeroconf-publish
+
+### Load the RTP receiver module (also configured via paprefs, see above)
+#load-module module-rtp-recv
+
+### Load the RTP sender module (also configured via paprefs, see above)
+#load-module module-null-sink sink_name=rtp format=s16be channels=2 rate=44100 sink_properties="device.description='RTP Multicast Sink'"
+#load-module module-rtp-send source=rtp.monitor
+
+### Load additional modules from GSettings. This can be configured with the paprefs tool.
+### Please keep in mind that the modules configured by paprefs might conflict with manually
+### loaded modules.
+.ifexists module-gsettings.so
+.nofail
+load-module module-gsettings
+.fail
+.endif
+
+
+### Automatically restore the default sink/source when changed by the user
+### during runtime
+### NOTE: This should be loaded as early as possible so that subsequent modules
+### that look up the default sink/source get the right value
+load-module module-default-device-restore
+
+### Automatically move streams to the default sink if the sink they are
+### connected to dies, similar for sources
+load-module module-rescue-streams
+
+### Make sure we always have a sink around, even if it is a null sink.
+load-module module-always-sink
+
+### Honour intended role device property
+load-module module-intended-roles
+
+### Automatically suspend sinks/sources that become idle for too long
+load-module module-suspend-on-idle
+
+### If autoexit on idle is enabled we want to make sure we only quit
+### when no local session needs us anymore.
+.ifexists module-console-kit.so
+load-module module-console-kit
+.endif
+.ifexists module-systemd-login.so
+load-module module-systemd-login
+.endif
+
+### Enable positioned event sounds
+load-module module-position-event-sounds
+
+### Cork music/video streams when a phone stream is active
+load-module module-role-cork
+
+### Modules to allow autoloading of filters (such as echo cancellation)
+### on demand. module-filter-heuristics tries to determine what filters
+### make sense, and module-filter-apply does the heavy-lifting of
+### loading modules and rerouting streams.
+load-module module-filter-heuristics
+load-module module-filter-apply
+
+### Make some devices default
+#set-default-sink output
+#set-default-source input

root/etc/ssh/sshd_config

@@ -0,0 +1,10 @@
+# Remove socket for gpg agent forwarding
+StreamLocalBindUnlink yes
+
+X11Forwarding yes
+AuthorizedKeysFile	.ssh/authorized_keys
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+PrintMotd no # pam does that
+Subsystem	sftp	/usr/lib/ssh/sftp-server

root/etc/sysctl.d/99-sysctl.conf

@@ -0,0 +1 @@
+net.ipv4.ip_forward = 1

root/etc/systemd/logind.conf

@@ -0,0 +1,37 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See logind.conf(5) for details.
+
+[Login]
+#NAutoVTs=6
+#ReserveVT=6
+#KillUserProcesses=no
+#KillOnlyUsers=
+#KillExcludeUsers=root
+#InhibitDelayMaxSec=5
+HandlePowerKey=suspend
+#HandleSuspendKey=suspend
+#HandleHibernateKey=hibernate
+HandleLidSwitch=suspend
+HandleLidSwitchExternalPower=suspend
+HandleLidSwitchDocked=ignore
+#PowerKeyIgnoreInhibited=no
+#SuspendKeyIgnoreInhibited=no
+#HibernateKeyIgnoreInhibited=no
+#LidSwitchIgnoreInhibited=yes
+#HoldoffTimeoutSec=30s
+#IdleAction=ignore
+#IdleActionSec=30min
+#RuntimeDirectorySize=10%
+#RemoveIPC=yes
+#InhibitorsMax=8192
+#SessionsMax=8192

root/etc/systemd/resolved.conf

@@ -0,0 +1,24 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See resolved.conf(5) for details
+
+[Resolve]
+#DNS=
+#FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
+#Domains=
+#LLMNR=yes
+MulticastDNS=yes
+#DNSSEC=allow-downgrade
+#DNSOverTLS=opportunistic
+#Cache=yes
+#DNSStubListener=yes
+#ReadEtcHosts=yes

root/etc/systemd/system/adb.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Android Debug Server Daemon
+
+[Service]
+Type=forking
+User=root
+ExecStart=/usr/bin/adb start-server
+ExecStop=/usr/bin/adb kill-server
+
+[Install]
+WantedBy=multi-user.target

root/etc/systemd/system/getty@tty1.service.d/override.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=-/usr/bin/agetty --autologin frodo --noclear %I $TERM

root/etc/systemd/system/iwd.service.d/override.conf

@@ -0,0 +1,3 @@
+[Unit]
+BindsTo=sys-subsystem-net-devices-wlan0.device
+After=sys-subsystem-net-devices-wlan0.device

root/etc/systemd/system/iwd@.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Wireless service on %I
+BindsTo=sys-subsystem-net-devices-%i.device
+After=sys-subsystem-net-devices-%i.device
+
+[Service]
+Type=dbus
+BusName=net.connman.iwd
+ExecStart=/usr/lib/iwd/iwd --interface %i
+LimitNPROC=1
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

root/etc/systemd/system/qbittorrent.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=qBittorrent Daemon Service
+After=network.target
+
+[Service]
+User=qbtuser
+ExecStart=/usr/bin/qbittorrent-nox --webui-port=8080
+
+[Install]
+WantedBy=multi-user.target

root/etc/systemd/system/rtorrent.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=rTorrent in tmux
+After=network.target
+
+[Service]
+User=rtorrent
+WorkingDirectory=/home/rtorrent
+Environment="TERM=linux"
+Type=forking
+ExecStart=/bin/bash -c "/usr/bin/tmux -2u -L rtps-%u new-session -s rtps-%u -n rT-PS -d /bin/bash -c rtorrent"
+
+[Install]
+WantedBy=default.target

root/etc/systemd/timesyncd.conf

@@ -0,0 +1,3 @@
+[Time]
+NTP=0.arch.pool.ntp.org
+FallbackNTP=0.pfsense.pool.ntp.org

root/etc/udev/rules.d/60-uinput-permissions.rules

@@ -0,0 +1 @@
+KERNEL=="uinput", MODE="0660", GROUP="users", OPTIONS+="static_node=uinput"

root/etc/welcomemessage.conf

@@ -0,0 +1 @@
+filename=/etc/cryptissue

root/usr/local/bin/audacity

@@ -0,0 +1 @@
+GTK_THEME=Adwaita /usr/bin/audacity $@

root/usr/local/bin/evenbetterlockscreen

@@ -0,0 +1,373 @@
+#!/usr/bin/env bash
+
+# Author : Pavan Jadhaw
+# Github Profile : https://github.com/pavanjadhaw
+# Project Repository : https://github.com/pavanjadhaw/betterlockscreen
+
+
+# create folder in ~/.cache/i3lock directory
+folder="$HOME/.cache/i3lock"
+
+# ratio for rectangle to be drawn for time background on lockscreen
+# Original Image
+orig_wall="$folder/wall.png"
+
+# Versions (from here)
+# You can use these images to set different versions as wallpaper
+# lockscreen background.
+resized="$folder/resized.png" # resized image for your resolution
+
+# images to be used as wallpaper
+dim="$folder/dim.png" # image with subtle overlay of black
+blur="$folder/blur.png" # blurred version
+dimblur="$folder/dimblur.png"
+
+# lockscreen images (images to be used as lockscreen background)
+l_resized="$folder/l_resized.png"
+l_dim="$folder/l_dim.png"
+l_blur="$folder/l_blur.png"
+l_dimblur="$folder/l_dimblur.png"
+
+
+prelock() {
+	pkill -u "$USER" -USR1 dunst
+}
+
+lock() {
+	#$1 image path
+	letterEnteredColor=d23c3dff
+	letterRemovedColor=d23c3dff
+	passwordCorrect=00000000
+	passwordIncorrect=d23c3dff
+	background=00000000
+	foreground=ffffffff
+	i3lock \
+		-n \
+		--timestr="%H:%M" \
+		-t -i "$1" \
+		--timepos="110:h-70" \
+		--datepos="135:h-45" \
+		--clock --datestr "Type password to unlock" \
+		--insidecolor=$background --ringcolor=$foreground --line-uses-inside \
+		--keyhlcolor=$letterEnteredColor --bshlcolor=$letterRemovedColor --separatorcolor=$background \
+		--insidevercolor=$passwordCorrect --insidewrongcolor=$passwordIncorrect \
+		--ringvercolor=$foreground --ringwrongcolor=$foreground --indpos="x+280:h-70" \
+		--radius=20 --ring-width=4 --veriftext="" --wrongtext="" \
+		--verifcolor="$foreground" --timecolor="$foreground" --datecolor="$foreground" \
+        --noinputtext="" \
+		--force-clock
+}
+
+postlock() {
+	pkill -u "$USER" -USR2 dunst
+}
+
+rec_get_random() {
+	dir="$1"
+	if [ ! -d "$dir" ]; then
+		user_input="$dir"
+		return
+	fi
+	dir=($dir/*)
+	dir=${dir[RANDOM % ${#dir[@]}]}
+	rec_get_random "$dir"
+}
+
+usage() {
+
+        echo "Important : Update the image cache, Ex: betterlockscreen -u path/to/image.jpg"
+        echo "            Image cache must be updated to initially configure or update wallpaper used"
+		echo
+		echo
+		echo "See : https://github.com/pavanjadhaw/betterlockscreen for additional info..."
+		echo
+		echo
+		echo "Options:"
+		echo
+		echo "          -h --help"
+
+		echo "              For help. Ex: betterlockscreen -h or betterlockscreen --help"
+		echo
+		echo
+		echo "          -u --update"
+		echo "              to update image cache, you should do this before using any other options"
+
+		echo "              Ex: betterlockscreen -u path/to/image.png when image.png is custom background"
+		echo "              Or you can use betterlockscreen -u path/to/imagedir and a random file will be selected"
+		echo
+		echo
+		echo "          -l --lock"
+		echo "              to lock screen, Ex. betterlockscreen -l"
+		echo "              you can also use dimmed or blurred background for lockscreen"
+		echo "              Ex: betterlockscreen -l dim (for dimmed background)"
+		echo "              Ex: betterlockscreen -l blur (for blurred background)"
+		echo "              Ex: betterlockscreen -l dimblur (for dimmed + blurred background)"
+		echo
+		echo
+		echo "          -s --suspend"
+		echo "              to suspend system and lock screen, Ex. betterlockscreen -s"
+		echo "              you can also use dimmed or blurred background for lockscreen"
+		echo "              Ex: betterlockscreen -s dim (for dimmed background)"
+		echo "              Ex: betterlockscreen -s blur (for blurred background)"
+		echo "              Ex: betterlockscreen -s dimblur (for dimmed + blurred background)"
+		echo
+		echo
+		echo "          -w --wall"
+		echo "              you can also set lockscreen background as wallpaper"
+		echo "              to set wallpaper. Ex betterlockscreen -w or betterlockscreen --wall"
+		echo "              you can also use dimmed or blurred variants"
+		echo "              Ex: betterlockscreen -w dim (for dimmed wallpaper)"
+		echo "              Ex: betterlockscreen -w blur (for blurred wallpaper)"
+		echo "              Ex: betterlockscreen -w dimblur (for dimmed + blurred wallpaper)"
+		echo
+		echo
+		echo "          -r --resolution"
+		echo "              to be used after -u"
+		echo "              used to set a custom resolution for the image cache."
+		echo "              Ex: betterlockscreen -u path/to/image.png -r 1920x1080"
+		echo "              Ex: betterlockscreen -u path/to/image.png --resolution 3840x1080"
+		echo
+		echo "          -b --blur"
+		echo "              to be used after -u"
+		echo "              used to set blur intensity. Default to 1."
+		echo "              Ex: betterlockscreen -u path/to/image.png -b 3"
+		echo "              Ex: betterlockscreen -u path/to/image.png --blur 0.5"
+        echo
+
+}
+
+# Options
+case "$1" in
+	"")
+		if [ ! -f $l_dim ]; then
+
+			echo "Important : Update the image cache, Ex. betterlockscreen -u path/to/image.jpg"
+			echo
+            echo "            Image cache must be updated to initially configure or update wallpaper used"
+            echo
+			echo "See also : For other set of options and help use help command."
+			echo "Ex. betterlockscreen -h or betterlockscreen --help"
+
+			echo
+			echo "See : https://github.com/pavanjadhaw/betterlockscreen for addition info..."
+			exit 1
+		else
+			echo
+			echo "Seems you havent provided any argument, see below for usage info"
+			echo
+			echo "See also : For other set of options and help use help command."
+
+			echo "Ex. betterlockscreen -h or betterlockscreen --help"
+
+			echo
+			echo "See : https://github.com/pavanjadhaw/betterlockscreen for addition info..."
+			echo
+			exit 1
+		fi
+		;;
+
+	-h | --help)
+
+        usage
+
+		;;
+
+	-l | --lock)
+		case "$2" in
+			"")
+				# default lockscreen
+				prelock
+				lock "$l_resized"
+				postlock
+				;;
+
+			dim)
+				# lockscreen with dimmed background
+				prelock
+				lock "$l_dim"
+				postlock
+				;;
+
+			blur)
+				# set lockscreen with blurred background
+				prelock
+				lock "$l_blur"
+				postlock
+				;;
+
+			dimblur)
+				# set lockscreen with dimmed + blurred background
+				prelock
+				lock "$l_dimblur"
+				postlock
+				;;
+		esac
+		;;
+
+	-s | --suspend)
+		case "$2" in
+			"")
+				# default lockscreen
+				prelock
+				lock "$l_resized" && systemctl suspend
+				postlock
+				;;
+
+			dim)
+				# lockscreen with dimmed background
+				prelock
+				lock "$l_dim" && systemctl suspend
+				postlock
+				;;
+
+			blur)
+				# set lockscreen with blurred background
+				prelock
+				lock "$l_blur" && systemctl suspend
+				postlock
+				;;
+
+			dimblur)
+				# set lockscreen with dimmed + blurred background
+				prelock
+				lock "$l_dimblur" && systemctl suspend
+				postlock
+				;;
+		esac
+		;;
+
+
+	-w | --wall)
+		case "$2" in
+			"")
+				# set resized image as wallpaper if no argument is supplied by user
+				feh --bg-fill $resized
+				;;
+
+			dim)
+				# set dimmed image as wallpaper
+				feh --bg-fill $dim
+				;;
+
+			blur)
+				# set blurred image as wallpaper
+				feh --bg-fill $blur
+				;;
+
+			dimblur)
+				# set dimmed + blurred image as wallpaper
+				feh --bg-fill $dimblur
+				;;
+		esac
+		;;
+
+	-u | --update)
+		background="$2"
+		shift 2
+
+		# find your resolution so images can be resized to match your screen resolution
+		y_res=$(xdpyinfo | grep dimensions | sed -r 's/^[^0-9]*([0-9]+x[0-9]+).*$/\1/')
+		# default blur level
+		blur_level=1
+
+		# parse update arguments
+		while [ $# -gt 0 ]; do
+		    case "$1" in
+			-r | --resolution )
+			    y_res="$2"
+			    shift 2
+			    ;;
+			-b | --blur )
+			    blur_level="$2"
+			    shift 2
+			    ;;
+			*)
+			    shift ;;
+		    esac
+		done
+
+		rectangles=" "
+		SR=$(xrandr --query | grep ' connected' | grep -o '[0-9][0-9]*x[0-9][0-9]*[^ ]*')
+		for RES in $SR; do
+			SRA=(${RES//[x+]/ })
+			CX=$((${SRA[2]} + 25))
+			CY=$((${SRA[1]} - 30))
+			rectangles+="rectangle $CX,$CY $((CX+300)),$((CY-80)) "
+		done
+
+		# User supplied Image
+		user_image="$folder/user_image.png"
+
+		# create folder
+		if [ ! -d $folder ]; then
+			echo "Creating '$folder' directory to cache processed images."
+			mkdir -p "$folder"
+		fi
+
+		# get random file in dir if passed argument is a dir
+		rec_get_random "$background"
+
+		# get user image
+		cp "$user_input" "$user_image"
+		if [ ! -f $user_image ]; then
+			echo "Please specify the path to the image you would like to use"
+			exit 1
+		fi
+
+		# replace orignal with user image
+		cp "$user_image" "$orig_wall"
+		rm "$user_image"
+
+		echo "Generating alternate images based on the image you specified,"
+		echo "please wait this might take few seconds..."
+
+		# wallpapers
+
+		echo
+		echo "Converting provided image to match your resolution..."
+		# resize image
+		convert "$orig_wall" -resize "$y_res""^" -gravity center -extent "$y_res" "$resized"
+
+		echo
+		echo "Applying dim and blur effect to resized image"
+		# dim
+		convert "$resized" -fill black -colorize 40% "$dim"
+
+		# blur
+		blur_shrink=$(echo "scale=2; 20 / $blur_level" | bc)
+		blur_sigma=$(echo "scale=2; 0.6 * $blur_level" | bc)
+		convert "$resized" \
+		    -filter Gaussian \
+		    -resize "$blur_shrink%" \
+		    -define "filter:sigma=$blur_sigma" \
+		    -resize "$y_res^" -gravity center -extent "$y_res" \
+		    "$blur"
+
+		# dimblur
+		convert "$dim" \
+		    -filter Gaussian \
+		    -resize "$blur_shrink%" \
+		    -define "filter:sigma=$blur_sigma" \
+		    -resize "$y_res^" -gravity center -extent "$y_res" \
+		    "$dimblur"
+
+		# lockscreen backgrounds
+
+		echo
+		echo "Caching images for faster screen locking"
+		# resized
+        convert "$resized" -draw "fill rgba(0, 0, 0, 0.4) $rectangles" "$l_resized"
+
+		# dim
+		convert "$dim" -draw "fill rgba(0, 0, 0, 0.4) $rectangles" "$l_dim"
+
+		# blur
+		convert "$blur" -draw "fill rgba(0, 0, 0, 0.4) $rectangles" "$l_blur"
+
+		# blur
+		convert "$dimblur" -draw "fill rgba(0, 0, 0, 0.4) $rectangles" "$l_dimblur"
+		echo
+		echo "All required changes have been applied"
+		;;
+esac
+

root/usr/local/bin/gnome-terminal

@@ -0,0 +1,6 @@
+#!/bin/bash
+if [ $# -eq 1 ]; then
+	/usr/bin/alacritty -e "nvim $1"
+else
+	/usr/bin/alacritty -e "$@"
+fi

root/usr/local/bin/ikhal

@@ -0,0 +1 @@
+LANG="en_US.UTF-8" /usr/bin/ikhal $*

root/usr/local/bin/khal

@@ -0,0 +1 @@
+LANG="en_US.UTF-8" /usr/bin/khal $*

root/usr/local/bin/qtwebflix

@@ -0,0 +1 @@
+/usr/lib/qtwebflix --register-pepper-plugins="/usr/lib/qt/plugins/ppapi/libwidevinecdmadapter.so; application/x-ppapi-widevine-cdm"

root/usr/local/bin/telegram-desktop

@@ -0,0 +1 @@
+LANG=en_DK.UTF-8 QT_QPA_PLATFORMTHEME="" QT_STYLE_OVERRIDE="" /usr/bin/telegram-desktop $@

root/usr/local/bin/thunderbird

@@ -0,0 +1 @@
+env LANG=en_SE.UTF-8 /usr/lib/thunderbird/thunderbird "$@"