Set _nc_first=0 in the already-found branch so that a configured folder
prevents subsequent entries from wiping the Nextcloud config.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Before the sync loop, find all *.bak directories in the parent dirs of
configured sync paths, list them with their size, and ask the user to
delete them with a y/N prompt.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace static _bak suffix with _YYYYMMDDhhmmss.bak so repeated runs
never fail trying to overwrite an existing backup directory.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Config wipe now guarded by _nc_wipe_done flag so subsequent new entries
do not destroy the previous setup. _nc_first logic kept as comments for
later activation when multi-folder support is confirmed working.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Shebang changed to sh; replace all [[ ]] with [ ], == with = in [ ]
- Loop over CLIENT_DATA_SYNC[@] directly instead of counting to 100;
  replace index-based first-entry check with a _nc_first flag
- Fix missing fi before done, remove stray fi after KWallet block
- Dedent KWallet block to top level (was left indented from inside the loop)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- sync_client_software.sh: add system-wide flatpak session-bus override for
  Nextcloud so KWallet D-Bus access works for all users; fix broken compound
  test ([ a || b ] → [ a ] || [ b ])
- user_run.sh: check KWallet entries with hasEntry before writing — skip write
  and print info message when both passwords are already present; remove stale
  commented-out code
- install.sh: forward REPO_URL and REPO_BRANCH into configure.sh environment
  for both the su- and direct-bash invocation paths
- configure.sh: simplify do_configure (user cleanup)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add source_fedora_44.inc with verified mirror URLs for Fedora 44 base,
updates, cisco-openh264, and RPM Fusion free/nonfree. Both kde_fullsetup.cfg
and cinnamon_fullsetup.cfg now %include this file instead of inlining the
repo lines. Fix stale comment in source_fedora_44.inc (said Fedora 43).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cinnamon_fullsetup.cfg: add xapps package so the xapp-gtk3-module GTK
module referenced in Cinnamon's GTK settings is present for Flatpak apps.
user_run.sh: pass --setenv=SESSION_MANAGER= to systemd-run so Qt does not
try to connect to an X11 session manager socket that may not exist (fixes
"Could not open network socket" on Wayland and non-KDE desktops).
Guard the KWallet D-Bus block behind a session-bus presence check
(qdbus | grep org.kde.kwalletd) so it is skipped entirely on Cinnamon and
other non-KDE desktops instead of producing D-Bus errors.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
setup_system.inc.sh: replace $(dirname "$0") with $(dirname "${BASH_SOURCE[0]:-$0}") so
paths resolve correctly whether the file is sourced or executed directly. Add --missingconfok
flag to warn-and-continue instead of prompting+aborting when config is missing. Fix machine_uuid
path (missing ../). Move `source config` into the else branch so it is not reached when
missingconfok skips the exit.
install.sh: source inc.sh instead of executing it as a subprocess so exported variables
(REPO_URL etc.) propagate back to the caller. Fix git-origin conflict handling: when reusing
an existing OEMDRV partition the user has already confirmed they want to keep it, so remove
the "fresh clone / wipe" option entirely. Now always pulls (fetch+checkout) when a git repo
is present; clears and fresh-clones only when no git repo exists on the partition.
basic_pre_script.inc: dot-source inc.sh so INSTALLDOCS and other config vars are available.
config.dist, sync_client_software.sh: rename UPGRADEURL/UPGRADEBRANCH to REPO_URL/REPO_BRANCH
to match the variable names already used in install.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
basic_pre_script.inc already identifies the disk holding OEMDRV
($SYSDRIVE). Write its short name to /tmp/disk-include.cfg after the
GPT check so both cinnamon and KDE profiles can %include it instead of
the hardcoded 'ignoredisk --only-use=sda,nvme0n1' that fails on
systems without an NVMe drive (or without sda).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use config/setup_system.conf as the template for configure.conf when
present, so existing values appear as defaults. Falls back to the dist
file on a fresh install.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- install.sh: pre-create ks.cfg with o+w after permission setup so
  non-root users can overwrite it (OEMDRV root itself stays o=rX)
- install.sh: restore su drop to $SUDO_USER when it is set and not
  root; fall back to direct root execution otherwise
- configure.sh: remove the hard root check so both cases work
- configure.md: update docs to reflect root/non-root support
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Move setup_system.conf.dist to system_setup/config.dist/ and
  skel.tar.zst.dist + pack_skel.sh to system_setup/skel/; config/ now
  holds only gitignored local files
- Fix configure.sh CONF_DIST path (was pointing at non-existent
  config/setup_system.conf.dist)
- Fix skel/pack_skel.sh: remove vestigial source line whose path was
  wrong in both old and new location
- Update error messages in setup_system.inc.sh and
  sync_client_software.sh to reference new dist file location
- Move machine_uuid reading/writing into setup_system.inc.sh so all
  scripts have MACHINEID available; setup_system.conf.dist now uses
  MACHINEID conditionally with a hostname fallback
- sync_client_software.sh: fix && / typo (should be && \) that broke
  the flatpak remote-add → install chain; add network error handling
  after flatpak install; cleanup upgrade logic and chown placement
- Update CLAUDE.md and install.md to reflect new dist file locations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Detect existing OEMDRV partition at startup; offer to reuse it
  instead of creating a new one (mounts if needed, sources existing
  setup_system.inc.sh before cloning)
- When existing repo origin/branch differs from REPO_URL/REPO_BRANCH,
  offer to pull from existing origin, migrate to new origin (preserving
  gitignored local files), or fall through to fresh clone
- Extract finish_install() and do_clone_and_done() helpers to share
  clone, permissions, and configure.sh prompt across all paths
- Replace generic chmod with chown root:root + chmod ug=rwX,o=rX
  recursively, plus o+w on config/ and config.d/
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fetches user_full_name (givenname + sn) and user_email from FreeIPA via
ipalib and writes them into the Thunderbird IMAP account prefs. Adds
ipalib availability check to logon_script.sh. Drops TB_MAIL_FULLNAME
config variable.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds SERVERFQDN_IMAP and TB_MAIL_FULLNAME to setup_system.conf.dist.
On each logon the script checks if an IMAP account for DAVTOKEN_USER@TLDOMAIN
already exists in prefs.js; if not it writes the server, identity, and account
entries and registers it with accountmanager. Idempotent — skipped when the
account is already present.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Ensures session bus socket and kwalletd5/6 talk permissions are set at
logon, so Flatseal or a missing manifest entry cannot silently break
Talk's credential storage and Plasma integration.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
--scope ... & had two problems:
1. systemd-run stayed alive in the autostart service cgroup;
   KillMode=control-group sent it SIGTERM when logon_script.sh exited,
   tearing down the scope and killing Talk mid-initialization.
2. The scope lacked Delegate=yes, preventing Electron's zygote from
   creating sub-cgroups for the GPU/renderer processes.
The previous commit added Delegate=yes but kept --scope, so problem 1
remained: the scope was still torn down on service exit, causing the
GPU/network service crash visible in talk.log.
Switch to a transient service unit identical to the Nextcloud Desktop
Client fix: --no-block returns immediately so systemd-run is gone from
the cgroup before the service ends; --property=Delegate=yes is retained
for Electron's zygote. Tested: service active, zygote and network
service running, no GPU crash.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
systemd-run --scope ... & left the systemd-run binary running as a
background process inside the autostart service's cgroup. When
logon_script.sh exited, systemd's KillMode=control-group sent SIGTERM
to all remaining cgroup processes, including systemd-run. systemd-run,
on receiving SIGTERM while monitoring a scope, stopped the scope and
killed the Nextcloud client -- at exactly the same moment the autostart
service ended.
--no-block with --scope is not supported. Switch to a transient service
unit (drop --scope, add --no-block). systemd-run registers the unit and
returns immediately, leaving the cgroup before logon_script.sh ends.
The Nextcloud process then runs as an independent systemd user service,
unaffected by the autostart service lifecycle. Tested: Nextcloud keeps
running after systemd-run exits.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Nextcloud Talk is an Electron app. Electron uses a zygote process to
fork sandboxed child processes (GPU, renderer, network service) into
their own sub-cgroups. systemd-run --scope without Delegate=yes locks
down the cgroup — sub-cgroups cannot be created — so the zygote fails,
causing the GPU process to crash immediately on startup.
Adding --property=Delegate=yes hands cgroup management to the scope,
allowing flatpak/bubblewrap and Electron's zygote to create the
sub-cgroups they need. Tested: no GPU crash with this flag set.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
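The launch pattern the three messages above converge on, together with a check for the failure they describe (a child still sitting in the caller's cgroup), as an added shell example that is not the project's code. The function names and the unit name passed to launch_detached are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's code; function names are hypothetical.

# Print the cgroup v2 path from /proc/<pid>/cgroup-formatted text on stdin.
cgroup_path() {
    sed -n 's/^0:://p' | head -n 1
}

# 0 if PID has left the cgroup of the calling shell,
# 1 if it is still inside (KillMode=control-group would SIGTERM it),
# 2 if the cgroup of either process cannot be determined.
left_caller_cgroup() {
    [ -r "/proc/$1/cgroup" ] && [ -r "/proc/$$/cgroup" ] || return 2
    child=$(cgroup_path < "/proc/$1/cgroup")
    self=$(cgroup_path < "/proc/$$/cgroup")
    [ -n "$child" ] && [ -n "$self" ] || return 2
    [ "$child" != "$self" ]
}

# Start a command as a transient user service instead of a scope.
# --no-block: systemd-run returns as soon as the unit is queued, so it is
#             gone from the caller's cgroup before the caller exits.
# Delegate=yes: the unit may create sub-cgroups (Electron zygote, bubblewrap).
# usage: launch_detached UNIT_NAME COMMAND [ARGS...]
launch_detached() {
    unit=$1
    shift
    systemd-run --user --no-block --unit="$unit" \
        --property=Delegate=yes "$@"
}
```

A process started with `cmd &` or `setsid -f cmd` makes `left_caller_cgroup` return 1; one started through `launch_detached` is forked by the user manager, so its cgroup differs from the caller's.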
/var/tmp is persistent on-disk storage. The encryption key must never
be written to disk, even temporarily. Replaced all occurrences of
/var/tmp/IPAVAULTKEY.txt with ${XDG_RUNTIME_DIR}/IPAVAULTKEY, which
is a per-user tmpfs directory (/run/user/<UID>) created by
systemd-logind: guaranteed memory-only, mode 0700, wiped on logout.
Also removed the TODO comment that tracked this exact issue.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
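One way to verify the properties this message relies on before the key is written, as an added shell example that is not the project's code. The function names are hypothetical; only the file name IPAVAULTKEY and the XDG_RUNTIME_DIR location come from the message above.

```shell
#!/bin/sh
# Added example, not the project's code; function names are hypothetical.
KEY_NAME=IPAVAULTKEY

# 0 if DIR exists, belongs to the calling user and has mode 0700.
dir_is_private() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1" 2>/dev/null)" = "$(id -u)" ] || return 1
    [ "$(stat -c %a "$1" 2>/dev/null)" = "700" ]
}

# 0 if DIR sits on a memory-only filesystem (tmpfs or ramfs).
dir_is_memory_backed() {
    case "$(stat -f -c %T "$1" 2>/dev/null)" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the key from stdin and store it as DIR/IPAVAULTKEY with mode 0600.
# DIR defaults to $XDG_RUNTIME_DIR. Nothing is written unless DIR passes
# both checks. Return codes: 2 no directory given, 3 not private,
# 4 not memory-backed.
store_vault_key() {
    dir=${1:-${XDG_RUNTIME_DIR:-}}
    [ -n "$dir" ] || { echo "XDG_RUNTIME_DIR is not set" >&2; return 2; }
    dir_is_private "$dir" || {
        echo "$dir: not a private 0700 directory" >&2; return 3; }
    dir_is_memory_backed "$dir" || {
        echo "$dir: not tmpfs/ramfs, key would reach disk" >&2; return 4; }
    ( umask 077 && cat > "$dir/$KEY_NAME" )
}
```

The filesystem check does not cover swap: tmpfs pages can be swapped out, so swap has to be encrypted or disabled separately.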
setsid -f forks the process into a new session but leaves it in the
calling service's cgroup. systemd-run --user --scope moves it into its
own transient scope cgroup so the autostart service can finish normally.
Added & to background the launch, replacing the fork that setsid -f
was providing. Tested: scope is created and Talk starts correctly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Same root cause as the gocryptfs and Nextcloud fixes: kwalletd6 is a
long-running daemon that stays alive for the entire KDE session.
Launching it with setsid keeps it in the autostart service cgroup,
preventing app-logon_script.sh@autostart from reaching finished state.
Replace setsid with systemd-run --user --scope so kwalletd6 runs in
its own transient scope cgroup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>