Commit Graph

2 Commits

Author SHA1 Message Date
a45f89b187 .claude/settings.json: prune server-specific entries; consolidate redundant ones
The previous snapshot of settings.json was a verbatim dump from one
Mastodon-server install — it carried allowlist entries that won't
match anywhere else and a lot of narrow rules already subsumed by
broader wildcards.

Removed (server-specific, dead weight on other hosts):
- /home/mastodon/* paths and Mastodon .env.production sed/chmod/chown
- signers.online and auto.signers.online curl/openssl probes
- mastodon-web / mastodon-streaming / mastodon-sidekiq journalctl
- n8n journalctl, windmill journalctl + binary
- /usr/local/bin/fail2ban-ignoreip and the hardcoded IP 76.95.82.63
- nslookup signers.live, nginx site-availables grep with literal paths
- /var/log/nginx/access.log* zcat probes (path-specific)
- StatusReactions / status_quoted grep over Mastodon's frontend tree

Removed (redundant, covered by broader wildcard already in the list):
- All narrow Bash(systemctl <verb>:*) entries — Bash(systemctl:*) covers
- All narrow Bash(git ...) entries — Bash(git:*) covers
- All narrow Bash(curl ...) probes — Bash(curl:*) covers
- Bash(rkhunter --update), Bash(rkhunter --propupd) — Bash(rkhunter:*) covers
- Bash(sysctl -a) — Bash(sysctl:*) covers

Kept: tmux/git/curl/sudo/find/ls/cat plus generic system-admin verbs
(systemctl, sysctl, crontab, iptables, ufw, firewall-cmd, fail2ban-client,
apt/apt-get/dpkg, mount, netstat, openssl, lsmod, last, nginx, redis-cli,
rkhunter, aideinit, getent, sqlite3, dig, ulimit, getenforce, aa-status)
plus Read(//home/**), Read(//opt/**), Read(//etc/nginx/sites-{enabled,available}/**).

Net: 5004 -> 1434 bytes (57 lines), still valid JSON, behavior on a
fresh host is identical for the kept verbs and tighter for the dropped
ones (host-specific allows just won't match anything anyway).

If you re-run install.sh on this host, the slim version replaces the
fat one; the fat one survives in ~/.drunkendotfiles.bak.<ts>/ for
recovery.
2026-05-06 10:10:21 +00:00
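An added example (not code from this repository) of the consolidation commit a45f89b187 describes: it finds narrow `Bash(...)` allow entries already subsumed by a broader `Bash(<verb>:*)` wildcard, so the pruning can be reviewed before install.sh deploys the file. The sample settings are constructed, and the matching model is an assumption: `:*` is treated as a prefix match that must end on a word boundary, which is deliberately conservative.

```python
import json
import re

# Constructed sample, not the repository's real settings.json.
SAMPLE_SETTINGS = json.loads("""
{"permissions": {"allow": [
  "Bash(systemctl:*)",
  "Bash(systemctl status:*)",
  "Bash(systemctl restart nginx)",
  "Bash(rkhunter:*)",
  "Bash(rkhunter --update)",
  "Bash(sysctl:*)",
  "Bash(sysctl -a)",
  "Bash(journalctl -u nginx:*)",
  "Read(//etc/nginx/sites-enabled/**)"
]}}
""")

# Assumed rule shape: Bash(<command prefix>) with an optional trailing ":*".
RULE = re.compile(r"^Bash\((?P<cmd>.*?)(?P<wild>:\*)?\)$")

def parse(rule):
    """Return (command_prefix, is_wildcard) for a Bash rule, else None."""
    m = RULE.match(rule)
    return (m.group("cmd"), bool(m.group("wild"))) if m else None

def covers(broad, narrow):
    """True if wildcard prefix `broad` matches everything `narrow` allows."""
    return narrow == broad or narrow.startswith(broad + " ")

def find_redundant(settings):
    """Map each redundant Bash rule to the broader wildcard that subsumes it."""
    allow = settings.get("permissions", {}).get("allow", [])
    parsed = {r: parse(r) for r in allow if parse(r)}
    wildcards = {r: p[0] for r, p in parsed.items() if p[1]}
    redundant = {}
    for rule, (cmd, _) in parsed.items():
        for wrule, wcmd in wildcards.items():
            if wrule != rule and covers(wcmd, cmd):
                redundant[rule] = wrule
                break
    return redundant

def prune(settings):
    """Return the allow list with subsumed Bash rules removed, order kept."""
    drop = find_redundant(settings)
    return [r for r in settings["permissions"]["allow"] if r not in drop]
```

Entries that `find_redundant` does not report, such as the `journalctl -u nginx` rule in the sample, are not covered by any wildcard; dropping them changes what is auto-approved, so they need a separate decision.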
1b60a9364d Add portable Claude Code config
Saves ~/.claude/settings.json (user-level prefs + Bash/Read permissions
allowlist) so the same Claude Code config can be replicated on other
hosts via install.sh.

What gets deployed:
- .claude/settings.json — theme, verbose, defaultMode, skipAutoPermissionPrompt
  and the cumulative "approve once" allowlist for common ops (systemctl,
  iptables, journalctl, git, curl, etc.). Server-specific allow entries
  (e.g. /home/mastodon/* paths) are dead weight elsewhere but harmless.
- .claude/.gitignore — explicit deny-list so a future `git add .claude`
  doesn't accidentally pull in credentials, session logs, project
  memories, file-history, telemetry, caches, or settings.local.json.

What is NOT tracked (by design):
- .credentials.json (auth)
- history.jsonl, sessions/, projects/ (chat data, project memories)
- settings.local.json (per-machine overrides — by Claude Code convention)
- file-history/, plans/, paste-cache/, shell-snapshots/, session-env/,
  telemetry/, downloads/, cache/, backups/, mcp-needs-auth-cache.json
- plugins/ (marketplace install paths are absolute and host-specific)

deploy_dir's merge semantics mean: on a host that already has
~/.claude/.credentials.json or ~/.claude/projects/, those stay untouched
because the repo doesn't track them. Only the files we explicitly
include get installed.

Existing settings.json on the target host is moved aside to
~/.drunkendotfiles.bak.<timestamp>/ before being replaced.
2026-05-06 10:06:36 +00:00