treewide: move zsh functions to sh scripts

ci: switch to Debian 13 "Trixie"
zsh: improve sbuild snippet
2025-09-09 20:53:55 +03:00 · 2025-08-18 12:08:45 +03:00 · 2025-08-18 10:58:51 +03:00 · 2025-08-17 17:36:29 +03:00 · 2025-07-23 10:59:44 +03:00 · 2025-07-13 21:09:51 +03:00
137 changed files with 5757 additions and 81 deletions
--- a/.cache/zsh/compcache/.keep
+++ b/.cache/zsh/compcache/.keep
--- a/.cache/zsh/completion/.keep
+++ b/.cache/zsh/completion/.keep
--- a/.cache/zsh/compzwc/.keep
+++ b/.cache/zsh/compzwc/.keep
--- a/.cache/zsh/ssh/.keep
+++ b/.cache/zsh/ssh/.keep
--- a/.config/dotfiles/bin/.keep
+++ b/.config/dotfiles/bin/.keep
--- a/.config/dotfiles/gen-gitignore.sh
+++ b/.config/dotfiles/gen-gitignore.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+set -ef
+
+path_gitignore='.config/dotfiles/gitignore'
+
+gen_gitignore() {
+    git rev-parse --git-dir >/dev/null 2>&1
+    touch "$1"
+    {
+        echo '*'
+        git ls-files | sed -E 's:^:!/:'
+    } > "$1"
+    exit 0
+}
+
+me=$(readlink -e "$0")
+topdir=$(printf '%s' "${me}" | sed -E 's:/[^/]+/[^/]+/[^/]+$::')
+cd "${topdir}"
+
+export GIT_OPTIONAL_LOCKS=0
+
+dir="${me%/*}/repo.git"
+if [ -d "${dir}" ] ; then
+    ## end-point installation
+    GIT_DIR="${dir}"
+    GIT_WORK_TREE="${topdir}"
+    export GIT_DIR GIT_WORK_TREE
+    gen_gitignore "${GIT_WORK_TREE}/${path_gitignore}"
+else
+    ## development tree
+    gen_gitignore "${path_gitignore}"
+fi
--- a/.config/dotfiles/gitattributes
+++ b/.config/dotfiles/gitattributes
--- a/.config/dotfiles/gitignore
+++ b/.config/dotfiles/gitignore
@@ -0,0 +1,136 @@
+*
+!/.cache/zsh/compcache/.keep
+!/.cache/zsh/completion/.keep
+!/.cache/zsh/compzwc/.keep
+!/.cache/zsh/ssh/.keep
+!/.config/dotfiles/bin/.keep
+!/.config/dotfiles/gen-gitignore.sh
+!/.config/dotfiles/gitattributes
+!/.config/dotfiles/gitignore
+!/.config/dotfiles/gitignore.vcs
+!/.config/dotfiles/install.sh
+!/.config/dotfiles/scripts/_perl-wrapper.sh
+!/.config/dotfiles/scripts/_rsync-wrapper.sh
+!/.config/dotfiles/scripts/apt-add-keyring
+!/.config/dotfiles/scripts/apt-env
+!/.config/dotfiles/scripts/apt-http-fetch
+!/.config/dotfiles/scripts/apt-install
+!/.config/dotfiles/scripts/apt-remove
+!/.config/dotfiles/scripts/apt-repo-get-fpr
+!/.config/dotfiles/scripts/apt-search
+!/.config/dotfiles/scripts/apt-update
+!/.config/dotfiles/scripts/check-bin-pkg
+!/.config/dotfiles/scripts/crlf-fix
+!/.config/dotfiles/scripts/deb-src-export
+!/.config/dotfiles/scripts/deb-ver-parse
+!/.config/dotfiles/scripts/dperl
+!/.config/dotfiles/scripts/dpkg-list-auto
+!/.config/dotfiles/scripts/dpkg-list-installed
+!/.config/dotfiles/scripts/dpkg-list-manual
+!/.config/dotfiles/scripts/dpkg-list-martians
+!/.config/dotfiles/scripts/dpkg-search
+!/.config/dotfiles/scripts/dpkg-source-raw
+!/.config/dotfiles/scripts/dpkg-which
+!/.config/dotfiles/scripts/ensure-eof-empty-line
+!/.config/dotfiles/scripts/from
+!/.config/dotfiles/scripts/gpg-batch
+!/.config/dotfiles/scripts/gpg-export
+!/.config/dotfiles/scripts/gpg-sign-file
+!/.config/dotfiles/scripts/gpg-warmup
+!/.config/dotfiles/scripts/idle
+!/.config/dotfiles/scripts/krd-debsrc
+!/.config/dotfiles/scripts/krd-quilt
+!/.config/dotfiles/scripts/krd-sbuild
+!/.config/dotfiles/scripts/openssl-cert-auto-pem
+!/.config/dotfiles/scripts/openssl-generate-dh-bundle
+!/.config/dotfiles/scripts/openssl-ocsp
+!/.config/dotfiles/scripts/pip-env
+!/.config/dotfiles/scripts/quiet
+!/.config/dotfiles/scripts/quilt-series-auto
+!/.config/dotfiles/scripts/quilt-series-strip-comments
+!/.config/dotfiles/scripts/run-as
+!/.config/dotfiles/scripts/sperl
+!/.config/dotfiles/scripts/static-compress
+!/.config/dotfiles/scripts/to
+!/.config/dotfiles/scripts/try-read-stdin
+!/.config/dotfiles/scripts/ufind.sh
+!/.config/dotfiles/scripts/zap-tree
+!/.config/dotfiles/woodpecker.yml
+!/.config/htop/htoprc.dist
+!/.config/mc/ini.dist
+!/.config/sbuild/config.pl.dist
+!/.config/zsh.dots/.zshenv
+!/.config/zsh/_.zsh
+!/.config/zsh/_wip/enclave.zsh.wip
+!/.config/zsh/alias.zsh
+!/.config/zsh/alias/containers.zsh
+!/.config/zsh/alias/diff.zsh
+!/.config/zsh/alias/directories.zsh
+!/.config/zsh/alias/git.zsh
+!/.config/zsh/alias/grep.zsh
+!/.config/zsh/alias/history.zsh
+!/.config/zsh/alias/idle.zsh.old
+!/.config/zsh/alias/k8s.zsh
+!/.config/zsh/alias/kconfig.zsh
+!/.config/zsh/alias/ls.zsh
+!/.config/zsh/alias/openwrt.zsh
+!/.config/zsh/alias/sudo.zsh
+!/.config/zsh/alias/telnet.zsh
+!/.config/zsh/completion/.keep
+!/.config/zsh/completion/bash.zsh
+!/.config/zsh/completion/external.zsh
+!/.config/zsh/completion/system.zsh
+!/.config/zsh/env.zsh
+!/.config/zsh/env/aux.zsh
+!/.config/zsh/env/containers.zsh
+!/.config/zsh/env/gopath.zsh
+!/.config/zsh/env/history.zsh
+!/.config/zsh/env/ld.so.zsh
+!/.config/zsh/env/pager.zsh
+!/.config/zsh/env/quilt.zsh
+!/.config/zsh/env/sed.zsh
+!/.config/zsh/env/xdg.zsh
+!/.config/zsh/lib.zsh
+!/.config/zsh/lib/alternatives.zsh
+!/.config/zsh/lib/cmdtime.zsh
+!/.config/zsh/lib/completion.zsh
+!/.config/zsh/lib/csv.zsh
+!/.config/zsh/lib/curl.zsh
+!/.config/zsh/lib/git.zsh
+!/.config/zsh/lib/gpg.zsh
+!/.config/zsh/lib/history.zsh
+!/.config/zsh/lib/prompt.zsh
+!/.config/zsh/lib/pswalk.zsh
+!/.config/zsh/lib/say-my.zsh
+!/.config/zsh/lib/selfservice.zsh
+!/.config/zsh/lib/systemd.zsh
+!/.config/zsh/lib/term.zsh
+!/.config/zsh/lib/time.zsh
+!/.config/zsh/local.zsh.example
+!/.config/zsh/local/.keep
+!/.config/zsh/local/completion/.keep
+!/.config/zsh/local/env.zsh.example
+!/.config/zsh/opt.zsh
+!/.config/zsh/opt/chase.zsh
+!/.config/zsh/opt/completion.zsh
+!/.config/zsh/opt/directories.zsh
+!/.config/zsh/opt/history.zsh
+!/.config/zsh/opt/prompt.zsh
+!/.config/zsh/rc.zsh
+!/.config/zsh/rc/completion.zsh
+!/.config/zsh/rc/gpg-agent.zsh
+!/.config/zsh/rc/keyboard-base.zsh
+!/.config/zsh/rc/keyboard-extras.zsh
+!/.config/zsh/rc/pager.zsh
+!/.config/zsh/rc/prompt.zsh
+!/.config/zsh/rc/ssh-agent.zsh
+!/.config/zsh/rc/terminal.zsh
+!/.config/zsh/var/.keep
+!/.gdbinit
+!/.gitconfig
+!/.sbuildrc.dist
+!/.screenrc
+!/.selected_editor
+!/.vimrc
+!/.zshenv
+!/.zshrc
--- a/.config/dotfiles/gitignore.vcs
+++ b/.config/dotfiles/gitignore.vcs
@@ -0,0 +1,18 @@
+!/.cache/zsh/compcache/.keep
+!/.cache/zsh/completion/.keep
+!/.cache/zsh/compzwc/.keep
+!/.cache/zsh/ssh/.keep
+!/.config/zsh/local/.keep
+!/.config/zsh/local/completion/.keep
+!/.config/zsh/local/env.zsh.example
+!/.config/zsh/var/.keep
+
+/.cache/zsh/compcache/*
+/.cache/zsh/compdump
+/.cache/zsh/completion/*
+/.cache/zsh/compzwc/*
+/.cache/zsh/ssh/*
+/.config/zsh/**/*.zwc
+/.config/zsh/local.zsh
+/.config/zsh/local/*
+/.config/zsh/var/*
--- a/.config/dotfiles/install.sh
+++ b/.config/dotfiles/install.sh
@@ -0,0 +1,281 @@
+#!/bin/sh
+set -ef
+
+unset LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE
+unset LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS
+unset LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION
+unset POSIXLY_CORRECT TAR_OPTIONS
+
+uri_krdsh="${GITKRDSH:-https://git.krd.sh/krd}/dotfiles"
+uri_github="${GITHUB:-https://github.com/rockdrilla}/dotfiles"
+
+git_branch='main'
+
+d_repo='.config/dotfiles/repo.git'
+f_gitignore='.config/dotfiles/gitignore'
+
+have_cmd() { command -v "$1" </dev/null >/dev/null 2>&1 ; }
+
+fetch() {
+    if have_cmd curl ; then
+        curl -sSL ${2:+ -o "$2" } "$1" || return $?
+        return 0
+    fi
+    if have_cmd wget ; then
+        if [ -n "$2" ] ; then
+            wget -q -O - "$1" > "$2" || return $?
+        else
+            wget -q -O - "$1" || return $?
+        fi
+        return 0
+    fi
+    x=/usr/lib/apt/apt-helper
+    if have_cmd $x ; then
+        if [ -n "$2" ] ; then
+            $x download-file "$1" "$2" || return $?
+            return 0
+        fi
+        __fetch_t=$(mktemp) || return 1
+        set +e
+        (
+            set -e
+            $x download-file "$1" "${__fetch_t}" || return $?
+            cat "${__fetch_t}"
+        )
+        __fetch_r=$?
+        rm -f "${__fetch_t}" ; unset __fetch_t
+        return ${__fetch_r}
+    fi
+    echo 'no method is available to fetch URLs' >&2
+    return 1
+}
+
+test_forge() {
+    fetch "$1" "$2" || return 1
+    [ "$(head -n 1 "$2")" = '*' ] || return 1
+    return 0
+}
+
+select_forge() {
+    unset uri_gitignore uri_repo uri_tarball
+    __t=$(mktemp)
+    ## try with git.krd.sh
+    while [ -z "${uri_repo}" ] ; do
+        t_gitignore="${uri_krdsh}/raw/branch/${git_branch}/${f_gitignore}"
+        test_forge "${t_gitignore}" "${__t}" || break
+
+        uri_repo="${uri_krdsh}.git"
+        uri_gitignore="${t_gitignore}"
+        uri_tarball="${uri_krdsh}/archive/${git_branch}.tar.gz"
+
+        break
+    done
+    ## try with github.com
+    while [ -z "${uri_repo}" ] ; do
+        t_gitignore="${uri_github}/raw/${git_branch}/${f_gitignore}"
+        test_forge "${t_gitignore}" "${__t}" || break
+
+        uri_repo="${uri_github}.git"
+        uri_gitignore="${t_gitignore}"
+        uri_tarball="${uri_github}/archive/refs/heads/${git_branch}.tar.gz"
+
+        break
+    done
+    rm -f "${__t}" ; unset __t
+    unset t_gitignore
+    if [ -n "${uri_repo}" ] ; then
+        return 0
+    fi
+    echo 'no forge is available to fetch URLs' >&2
+    return 1
+}
+
+main() {
+    ## test connectivity and select forge
+    select_forge
+
+    umask 0077
+
+    if have_cmd git ; then
+        if [ -s "${HOME}/${d_repo}/HEAD" ] ; then
+            dot_update
+        else
+            dot_install
+        fi
+    else
+        echo 'git is missing, proceed "raw" installation.' >&2
+        dot_install_raw
+    fi
+
+    propagate_dist_files
+
+    echo 'installed.' >&2
+}
+
+dot_install() {
+    backup_unconditionally
+    git_env
+    mkdir -p "${GIT_DIR}"
+    git init
+    git branch -M "${git_branch}" || true
+    git_config_init
+    git_update
+}
+
+dot_update() {
+    git_env
+    git_update
+}
+
+find_fast() {
+    find "$@" -printf . -quit | grep -Fq .
+}
+
+dot_install_raw() {
+    tf_tar=$(mktemp)
+    fetch "${uri_tarball}" "${tf_tar}"
+
+    td_tree=$(mktemp -d)
+
+    if ! tar_try_extract "${tf_tar}" "${td_tree}" "${f_gitignore}" ; then
+        rm -rf "${tf_tar}" "${td_tree}"
+        exit 1
+    fi
+    rm -f "${tf_tar}"
+
+    tf_list=$(mktemp)
+    fetch "${uri_gitignore}" \
+    | sed -En '/^!\/(.+)$/{s//\1/;p;}' \
+    > "${tf_list}"
+
+    td_backup=$(mktemp -d)
+    while read -r f ; do
+        if [ -f "${HOME}/$f" ] ; then
+            if cmp_files "${td_tree}" "${HOME}" "$f" ; then
+                continue
+            fi
+            d=$(dirname "$f")
+            if [ -n "$d" ] ; then
+                mkdir -p "${td_backup}/$d"
+            fi
+            cat < "${HOME}/$f" > "${td_backup}/$f"
+        fi
+    done < "${tf_list}"
+    rm -f "${tf_list}" ; unset tf_list
+
+    tar -C "${td_tree}" -cf . - | tar -C "${HOME}" -xf -
+    rm -rf "${td_tree}"
+
+    if find_fast "${td_backup}/" -mindepth 1 ; then
+        echo "backed-up files are here: ${td_backup}/"
+        find "${td_backup}/" -mindepth 1 -ls
+    else
+        rmdir "${td_backup}"
+    fi
+}
+
+git_env() {
+    GIT_DIR="${HOME}/${d_repo}"
+    GIT_WORK_TREE="${HOME}"
+    export GIT_DIR GIT_WORK_TREE
+}
+
+git_config_init() {
+    ## remote
+    git remote add origin "${uri_repo}"
+    git config remote.origin.fetch "+refs/heads/${git_branch}:refs/remotes/origin/${git_branch}"
+    git config remote.origin.tagopt '--no-tags'
+    git config "branch.${git_branch}.remote" origin
+    ## repo-specific
+    git config core.worktree "${GIT_WORK_TREE}"
+    git config core.excludesfile "${f_gitignore}"
+}
+
+git_config() {
+    ## repo-specific
+    git remote set-url origin "${uri_repo}"
+    git config core.attributesfile .config/dotfiles/gitattributes
+    ## migration (remove later)
+    git config --unset gc.auto || :
+    git config --unset pull.ff || :
+    ## size optimization
+    git config core.bigFileThreshold 64k
+    git config core.compression 9
+    git config core.looseCompression 8
+    git config pack.compression 9
+    git config pack.threads 2
+    ## generic
+    git config receive.denyNonFastForwards true
+}
+
+git_update() {
+    git_config
+    git remote update -p
+    git pull || git reset --hard "origin/${git_branch}"
+    git gc --aggressive --prune=all --force || git gc || true
+}
+
+tar_test() {
+    tar --wildcards -tf "$@" >/dev/null 2>&1
+}
+
+tar_try_extract() {
+    if tar_test "$1" "$3" ; then
+        tar -C "$2" -xf "$2"
+        return
+    fi
+    opt='--strip-components=1'
+    if tar_test "$1" ${opt} "*/$3" ; then
+        tar -C "$2" ${opt} -xf "$2"
+        return
+    fi
+    return 1
+}
+
+cmp_files() {
+    cmp -s "$1/$3" "$2/$3" >/dev/null 2>&1
+}
+
+backup_unconditionally() {
+    tf_list=$(mktemp)
+    fetch "${uri_gitignore}" \
+    | sed -En '/^!\/(.+)$/{s//\1/;p;}' \
+    > "${tf_list}"
+
+    td_backup=$(mktemp -d)
+    while read -r f ; do
+        if [ -f "${HOME}/$f" ] ; then
+            d=$(dirname "$f")
+            if [ -n "$d" ] ; then
+                mkdir -p "${td_backup}/$d"
+            fi
+            mv -f "${HOME}/$f" "${td_backup}/$f"
+        fi
+    done < "${tf_list}"
+    rm -f "${tf_list}" ; unset tf_list
+
+    if find_fast "${td_backup}/" -mindepth 1 ; then
+        echo "backed-up files are here: ${td_backup}/"
+        find "${td_backup}/" -mindepth 1 -ls
+    else
+        rmdir "${td_backup}"
+    fi
+}
+
+propagate_dist_files() {
+    tf_list=$(mktemp)
+    sed -En '/^!\/(.+\.dist)$/{s//\1/;p;}' < "${HOME}/${f_gitignore}" > "${tf_list}"
+
+    while read -r f_dist ; do
+        [ -n "${f_dist}" ] || continue
+        [ -f "${f_dist}" ] || continue
+
+        f=${f_dist%.dist}
+        if [ -f "$f" ] ; then continue ; fi
+
+        cp "${f_dist}" "$f"
+    done < "${tf_list}"
+    rm -f "${tf_list}" ; unset tf_list
+}
+
+main "$@"
--- a/.config/dotfiles/scripts/_perl-wrapper.sh
+++ b/.config/dotfiles/scripts/_perl-wrapper.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -ef
+
+e=perl ; d=
+case "${0##*/}" in
+d* )
+	e=debugperl
+
+	check-bin-pkg "$e:perl-debug"
+
+	case "$1" in
+	-* )
+		d=$1 ; shift
+	;;
+	esac
+;;
+esac
+
+export PERL_HASH_SEED=0 PERL_PERTURB_KEYS=0
+
+$e $d -T -c "$@" || echo
+exec $e $d -T "$@"
--- a/.config/dotfiles/scripts/_rsync-wrapper.sh
+++ b/.config/dotfiles/scripts/_rsync-wrapper.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+set -ef
+
+me="${0##*/}"
+case "${me}" in
+to | from ) ;;
+* ) exit 1 ;;
+esac
+
+check-bin-pkg rsync ssh:openssh-client
+
+h=$1 ; shift
+
+rsync_aux=
+for i ; do
+	case "$i" in
+	-*) rsync_aux="${rsync_aux}${rsync_aux:+' '}$i" ;;
+	esac
+done
+
+for i ; do
+	case "$i" in
+	-* ) continue ;;
+	*:* )
+		k=${i#*:}
+		case "$k" in
+		*:* )
+			env printf "%q: skipping bogus argument: %q\\n" "${me}" "$i" >&2
+			continue
+		;;
+		esac
+		i=${i%%:*}
+	;;
+	* ) k=$i ;;
+	esac
+
+	k="$h:$k"
+
+	case "${me}" in
+	to )   src=$i dst=$k ;;
+	from ) src=$k dst=$i ;;
+	esac
+
+	rsync -vaxISc -e ssh ${rsync_aux} "${src}" "${dst}"
+done
--- a/.config/dotfiles/scripts/apt-add-keyring
+++ b/.config/dotfiles/scripts/apt-add-keyring
@@ -0,0 +1,430 @@
+#!/bin/sh
+set -ef
+
+me="${0##*/}"
+
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} [options] <name> <repo uri> <suite> [keyring uri or path]
+	# options:
+	#  -m, --merge
+	#    merge with existing keyring (if any)
+	#  -o, --optimize
+	#    optimize keyring - preserve public key(s) which is/are used to sign repository
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+gnupg_testdata_clearsign() {
+	cat <<-EOF
+	-----BEGIN PGP SIGNED MESSAGE-----
+	Hash: SHA256
+
+	test data
+	-----BEGIN PGP SIGNATURE-----
+
+	iHUEARYIAB0WIQTk95XBmO8PsqERxxdADlhK/AU7ugUCZVSqdwAKCRBADlhK/AU7
+	uj4rAP4nb8tkF6FEhEd7sAoBBTPX5vc/WlAhDYM8uK61mo2KMQD/UjsJ3YOvRYip
+	epkflbk2cdCD7ZHsGYpBIhMh9eDTRQE=
+	=vrbd
+	-----END PGP SIGNATURE-----
+	EOF
+}
+
+## NB: requires further "base64 -d" per line output
+gnupg_dearmor_pubkey() {
+	sed -En -e "$(_gnupg_dearmor_pubkey_sed)" "$@"
+}
+
+_gnupg_dearmor_pubkey_sed() {
+	cat <<-EOF
+	/^-----BEGIN PGP PUBLIC KEY BLOCK-----\$/ {
+
+	:_scan
+	    \$ { b _quit }
+	    n
+
+	    /^-----BEGIN PGP PUBLIC KEY BLOCK-----\$/  { b _quit }
+	    /^-----END PGP PUBLIC KEY BLOCK-----\$/    { b _quit }
+
+	    \\%^[[:alnum:]/+]{64}\$%     { h ; b _read }
+	    \\%^[[:alnum:]/+]{1,64}=*\$% { b _quit }
+	    \\%^=[[:alnum:]/+]+=*\$%     { b _quit }
+
+	    b _scan
+
+	:_read
+	    \$ { b _quit }
+	    n
+
+	    /^-----BEGIN PGP PUBLIC KEY BLOCK-----\$/  { b _quit }
+	    /^-----END PGP PUBLIC KEY BLOCK-----\$/    { z ; b _end }
+
+	    \\%^[[:alnum:]/+]{64}\$%     { H ; b _read }
+	    \\%^[[:alnum:]/+]{1,64}=*\$% { H ; b _read }
+	    \\%^=[[:alnum:]/+]+=*\$%     { H ; b _read }
+	    b _read
+
+	:_end
+	    x
+	    s/[\\n]//gm
+	    s/^([[:alnum:]/+]+).+\$/\\1==/g
+	    p
+	:_quit
+	}
+	EOF
+}
+
+## NB: almost pristine format except last empty line
+## TODO: research gnupg format
+gnupg_armor_pubkey() {
+	cat <<-EOF
+	-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+	$(base64 < "$1")
+
+	-----END PGP PUBLIC KEY BLOCK-----
+	EOF
+}
+
+_gpgv_debug_pkt() { gpgv --debug 1 "$@" ; }
+
+gnupg_count_public_keys() {
+	## sanity test
+	_gpgv_debug_pkt --version >/dev/null 2>&1
+
+	gnupg_testdata_clearsign \
+	| _gpgv_debug_pkt --keyring "$1" 2>&1 >/dev/null \
+	| { grep -Fw parse_packet || : ; } \
+	| { grep -Fwc -e 'type=6' || : ; }
+}
+
+# process options
+n_opt=0
+for i ; do
+	case "$i" in
+	-m | --merge )
+		if [ -n "${o_merge:+1}" ] ; then
+			env printf "%q: error: 'merge' flag already set\\n" "${me}" >&2
+			usage 1
+		fi
+		o_merge=1
+	;;
+	-o | --optimize )
+		if [ -n "${o_optimize:+1}" ] ; then
+			env printf "%q: error: 'optimize' flag already set\\n" "${me}" >&2
+			usage 1
+		fi
+		o_optimize=1
+	;;
+	-*)
+		env printf "%q: error: unknown option: %q\\n" "${me}" "$i" >&2
+		usage 1
+	;;
+	*) break ;;
+	esac
+
+	n_opt=$((n_opt+1))
+done
+
+[ ${n_opt} = 0 ] || shift ${n_opt}
+
+arg_ok=
+while : ; do
+	[ -n "$1" ] || break
+	[ -n "$2" ] || break
+	[ -n "$3" ] || break
+	arg_ok=1 ; break
+done
+[ -n "${arg_ok}" ] || usage 1
+
+xsedx=$(printf '\027')
+
+_distro=$(sh -ec '. /etc/os-release ; printf "%s" "${ID}"' || : )
+_suite=$(sh -ec '. /etc/os-release ; printf "%s" "${VERSION_CODENAME}"' || : )
+if [ -z "${_distro}" ] || [ -z "${_suite}" ] ; then
+	env printf "%q: error: /etc/os-release is somewhat broken\\n" "${me}" >&2
+	exit 1
+fi
+unwrap_default_distro_suite() {
+	sed -ze "s${xsedx}@{distro}${xsedx}${_distro}${xsedx}g;s${xsedx}@{suite}${xsedx}${_suite}${xsedx}g"
+}
+
+name=$(printf '%s' "$1" | unwrap_default_distro_suite)
+uri=$(printf '%s' "$2" | unwrap_default_distro_suite)
+suite=$(printf '%s' "$3" | unwrap_default_distro_suite)
+keyring_arg=$(printf '%s' "$4" | unwrap_default_distro_suite)
+
+case "${name}" in
+*/* | *..* )
+	env printf "%q: error: name is path-like: %q\\n" "${me}" "${name}" >&2
+	usage 1
+;;
+esac
+
+verify_apt_uri() {
+	case "$1" in
+	http:* | https:* ) return 0 ;;
+	mirror:* | mirror+http:* | mirror+https:* ) return 0 ;;
+	esac
+
+	__uncommon=
+	case "$1" in
+	cdrom:* | copy:* | file:* | rsh:* | ssh:* ) __uncommon=1 ;;
+	mirror+copy:* | mirror+file:* ) __uncommon=1 ;;
+	mirror+*:* )
+		env printf "%q: error: unsupported uri mirror format: %q\\n" "${me}" "$1" >&2
+		usage 1
+	;;
+	esac
+
+	if [ -n "${__uncommon}" ] ; then
+		unset __uncommon
+		env printf "%q: warning: uncommon but likely valid uri: %q\\n" "${me}" "$1" >&2
+		return 0
+	fi
+
+	env printf "%q: error: unsupported uri format: %q\\n" "${me}" "$1" >&2
+	usage 1
+}
+
+verify_suite() {
+	if printf '%s' "$1" | grep -Eq '^[[:alnum:]][[:alnum:]-_]*[[:alnum:]]$' ; then
+		return 0
+	fi
+	env printf "%q: error: unsupported suite format: %q\\n" "${me}" "$1" >&2
+	usage 1
+}
+
+verify_apt_uri "${uri}"
+verify_suite "${suite}"
+
+_keyring_dirs='/etc/apt/keyrings /etc/apt/trusted.gpg.d'
+lookup_keyring_dir() {
+	if [ -n "${_keyring_dir}" ] ; then
+		echo "${_keyring_dir}"
+		return
+	fi
+	for __keyring_dir in ${_keyring_dirs} ; do
+		[ -d "${__keyring_dir}" ] || continue
+		_keyring_dir=${__keyring_dir}
+		unset __keyring_dir
+		echo "${_keyring_dir}"
+		return
+		# [ -z "${1:-}" ] || return
+	done
+	unset __keyring_dir
+	env printf "%q: error: APT installation is broken: /etc/apt/trusted.gpg.d/ is missing\\n" "${me}" >&2
+	return 1
+}
+
+keyring_dir=$(lookup_keyring_dir) || exit 1
+keyring_base="${keyring_dir}/${name}"
+keyring="${keyring_base}.asc"
+
+w=$(mktemp -d) ; : "${w:?}"
+
+lookup_keyring() {
+	case "${1:?}" in
+	*/* | *..* )
+		env printf "%q: error: arg is path-like: %q\\n" "${me}" "$1" >&2
+		return 1
+	;;
+	esac
+
+	__keyring_base=$(lookup_keyring_dir) || return 1
+	__keyring_base="${__keyring_base}/$1"
+	__keyring_cnt=0
+	for __ext in asc gpg gpg.asc ; do
+		__keyring="${__keyring_base}.${__ext}"
+		[ -e "${__keyring}" ] || continue
+		if ! [ -f "${__keyring}" ] ; then
+			__dentry_type=$(env stat -c %F "${__keyring}")
+			env printf "%q: warning: found %q (expected: file): %q\\n" "${me}" "${__dentry_type}" "${__keyring}" >&2
+			continue
+		fi
+		if ! [ -s "${__keyring}" ] ; then
+			env printf "%q: warning: found empty file: %q\\n" "${me}" "${__keyring}" >&2
+			continue
+		fi
+		env printf "%q: info: found keyring: %q\\n" "${me}" "${__keyring}" >&2
+		echo "${__keyring}"
+		__keyring_cnt=$((__keyring_cnt+1))
+
+		## return 1st available
+		[ -z "$2" ] || break
+	done
+	unset __keyring_base __ext __keyring __dentry_type
+}
+
+if [ -n "${keyring_arg}" ] ; then
+	case "${keyring_arg}" in
+	http:* | https:* )
+		apt-http-fetch "${keyring_arg}" "$w/keyring" || {
+			rm -rf "$w"
+			exit 1
+		}
+	;;
+	* )
+		if ! [ -f "${keyring_arg}" ] ; then
+			env printf "%q: error: unknown keyring argument format: %q\\n" "${me}" "${keyring_arg}" >&2
+			rm -rf "$w"
+			usage 1
+		fi
+		if ! [ -s "${keyring_arg}" ] ; then
+			env printf "%q: error: empty keyring file: %q\\n" "${me}" "${keyring_arg}" >&2
+			rm -rf "$w"
+			usage 1
+		fi
+		cat < "${keyring_arg}" > "$w/keyring"
+	;;
+	esac
+
+	keynum=$(gnupg_count_public_keys "$w/keyring")
+	if [ "${keynum}" != 0 ] ; then
+		## valid gnupg keyring file in (appropriate) binary format (*.gpg)
+		keyring="${keyring_base}.gpg"
+	else
+		while read -r n ; do
+			[ -n "$n" ] || continue
+
+			echo "$n" | base64 -d > "$w/temp.gpg" || continue
+			x=$(gnupg_count_public_keys "$w/temp.gpg")
+			[ "$x" != 0 ] || continue
+
+			keynum=$((keynum+1))
+		done <<-EOF
+		$(gnupg_dearmor_pubkey "$w/keyring")
+		EOF
+
+		rm -f "$w/temp.gpg"
+	fi
+
+	if [ "${keynum}" = 0 ] ; then
+		env printf "%q: error: unable to parse keyring file: %q\\n" "${me}" "${keyring_arg}" >&2
+		rm -rf "$w"
+		exit 1
+	fi
+
+	while [ -n "${o_merge}" ] ; do
+		lookup_keyring "${name}" | grep -Fxq -e "${keyring}" || break
+
+		env printf "%q: warning: existing file is to be REPLACED: %q\\n" "${me}" "${keyring}" >&2
+		env printf "%q: info: consider running script with -m/--merge option to merge with existing keyring\\n" "${me}" >&2
+		break
+	done
+fi
+
+## TODO: whether we can skip gpg-related tasks?
+
+## request gnupg for work
+check-bin-pkg gpg gpgv dirmngr gpgconf
+
+gpg_on() { gpg-batch start ; }
+gpg_off() {
+	cd /
+	gpg-batch stop
+	unset GNUPGHOME
+	rm -rf "$w"
+	exit "${1:-0}"
+}
+
+(
+	export GNUPGHOME="$w/dot-gnupg"
+	mkdir -m 0700 "${GNUPGHOME}"
+	gpg_on
+
+	cd "$w"
+
+	csv_field_grep() {
+		if [ -n "$2" ] ; then
+			sed -En "\\${xsedx}$2${xsedx}p"
+		else
+			cat
+		fi \
+		| cut -d: -f "$1"
+	}
+
+	join_lines() { sed -zE 's/[[:space:]]+/ /g;s/^ //;s/ $//' ; }
+
+	if [ -s ./keyring ] ; then
+		gpg --import ./keyring
+		rm -f ./keyring
+	else
+		apt-repo-get-fpr "${uri}" "${suite}" > fpr.repo
+		## must contain at least one fingerprint; if not - bail out
+		[ -s fpr.repo ]
+
+		keys=$(join_lines < fpr.repo)
+
+		gpg --recv-keys ${keys}
+	fi
+
+	gpg --with-colons --list-keys > dump.all
+	csv_field_grep 5 '^pub:' < dump.all > pub.all
+
+	## must contain at least one public key; if not - bail out
+	[ -s pub.all ]
+
+	## minimize keyring
+	while [ -n "${o_optimize}" ] ; do
+		csv_field_grep 10 '^fpr:' < dump.all > fpr.all
+
+		: > fpr.save
+		for i in $(join_lines < pub.all) ; do
+			gpg --with-colons --list-keys "$i" \
+			| csv_field_grep 10 '^fpr:' > "fpr.$i"
+
+			## must contain at least one fingerprint; if not - bail out
+			[ -s "fpr.$i" ]
+
+			fpr_pub=$(head -n 1 "fpr.$i")
+
+			## try filter out useful fingerprints; if none - skip whole key chain
+			grep -Fx -f fpr.repo "fpr.$i" > "fpr-save.$i" || :
+			[ -s "fpr-save.$i" ] || continue
+
+			if grep -Fxq -e "${fpr_pub}" "fpr-save.$i" ; then
+				## primary key fingerprint match - do nothing
+				:
+			else
+				## subkey fingerprint match - add primary key fingerprint
+				echo "${fpr_pub}" >> "fpr-save.$i"
+			fi
+
+			## append fingerprints
+			cat < "fpr-save.$i" >> fpr.save
+		done
+		## must contain at least one fingerprint; if not - bail out
+		## (supplied key material seems to be useless)
+		[ -s fpr.save ]
+
+		sort -u < fpr.save > fpr.include
+
+		grep -Fxv -f fpr.include fpr.all > fpr.exclude || :
+		if [ -s fpr.exclude ] ; then
+			gpg --delete-keys $(sed -E 's/$/!/' < fpr.exclude)
+		fi
+
+		break
+	done
+
+	if [ -n "${o_merge}" ] ; then
+		while read -r k ; do
+			[ -n "$k" ] || continue
+
+			gpg --import "$k" || continue
+			rm -f "$k"
+			env printf "%q: info: merging with existing keyring: %q\\n" "${me}" "$k" >&2
+		done <<-EOF
+		$(lookup_keyring "${name}" 2>/dev/null)
+		EOF
+	fi
+
+	gpg --armor --export > "${keyring}"
+	gpg --show-keys "${keyring}"
+
+	gpg_off
+
+) || gpg_off 1
--- a/.config/dotfiles/scripts/apt-env
+++ b/.config/dotfiles/scripts/apt-env
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -ef
+
+set -a
+DEBCONF_NONINTERACTIVE_SEEN=true
+DEBIAN_FRONTEND=noninteractive
+DEBIAN_PRIORITY=critical
+TERM=linux
+set +a
+
+exec "$@"
--- a/.config/dotfiles/scripts/apt-http-fetch
+++ b/.config/dotfiles/scripts/apt-http-fetch
@@ -0,0 +1,51 @@
+#!/bin/sh
+set -ef
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} [options] <uri> <destination file>
+	# cURL compatibility options:
+	#  -s, --silent
+	#    suppress output until error is occured
+	#  -k, --insecure
+	#    ignore TLS verification error
+	#  -L, --location
+	#    no-op (does nothing)
+	#  --no-location
+	#    prohibit HTTP redirects
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+o_quiet=
+o_insecure=
+o_noredir=
+
+## process options
+n_opt=0
+for i ; do
+	case "$i" in
+	-s | --silent )   o_quiet=1 ;;
+	-k | --insecure ) o_insecure=1 ;;
+	--no-location )   o_noredir=1 ;;
+	-L | --location ) o_noredir= ;;
+	-* )
+		env printf "%q: unknown option: %q\\n" "${me}" "$i" >&2
+		usage 1
+	;;
+	* ) break ;;
+	esac
+
+	n_opt=$((n_opt+1))
+done
+
+[ ${n_opt} = 0 ] || shift ${n_opt}
+[ $# -eq 2 ] || usage 1
+
+exec ${o_quiet:+ quiet } /usr/lib/apt/apt-helper \
+  ${o_insecure:+ -o 'Acquire::https::Verify-Peer=false' } \
+  ${o_insecure:+ -o 'Acquire::https::Verify-Host=false' } \
+  ${o_noredir:+ -o 'Acquire::http::AllowRedirect=false' } \
+  download-file "$1" "$2"
--- a/.config/dotfiles/scripts/apt-install
+++ b/.config/dotfiles/scripts/apt-install
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -ef
+
+apt-update ${APT_OPTS}
+exec apt-env \
+  apt-get \
+    ${APT_OPTS} \
+  "${APT_INSTALL:-install}" \
+  "$@"
--- a/.config/dotfiles/scripts/apt-remove
+++ b/.config/dotfiles/scripts/apt-remove
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -ef
+
+apt-env \
+  apt-get \
+    ${APT_OPTS} \
+    --allow-remove-essential \
+  "${APT_REMOVE:-remove}" \
+  "$@"
+exec apt-env \
+  apt-get \
+    ${APT_OPTS} \
+    -y
+  autoremove \
--- a/.config/dotfiles/scripts/apt-repo-get-fpr
+++ b/.config/dotfiles/scripts/apt-repo-get-fpr
@@ -0,0 +1,80 @@
+#!/bin/sh
+set -ef
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} <repo uri> <suite>
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+arg_ok=
+while : ; do
+	[ -n "$1" ] || break
+	[ -n "$2" ] || break
+	arg_ok=1 ; break
+done
+[ -n "${arg_ok}" ] || usage 1
+
+check-bin-pkg gpg dirmngr gpgconf
+
+gpg_on() { gpg-batch start ; }
+gpg_off() {
+	cd /
+	gpg-batch stop
+	unset GNUPGHOME
+	rm -rf "$w"
+	exit "${1:-0}"
+}
+
+gpg_keys_from_sig() {
+	set +e
+	gpg --no-options --verify "$@" 2>&1 \
+	| sed -En 's/\s+/ /g;s/ $//;/^([Gg][Pp][Gg]|[Gg][Nn][Uu][Pp][Gg]): using .+ key (.+)$/{s,,\2,p}'
+	set -e
+}
+
+w=$(mktemp -d) ; : "${w:?}"
+export GNUPGHOME="$w/dot-gnupg"
+
+(
+	mkdir -m 0700 "${GNUPGHOME}"
+	gpg_on
+
+	cd "$w"
+
+	while : ; do
+		apt-http-fetch -s "$1/dists/$2/InRelease" InRelease || break
+		gpg_keys_from_sig InRelease > apt.fpr.InRelease
+		break
+	done
+	rm -f InRelease
+
+	while : ; do
+		apt-http-fetch -s "$1/dists/$2/Release.gpg" Release.gpg || break
+		apt-http-fetch -s "$1/dists/$2/Release" Release || break
+		gpg_keys_from_sig Release.gpg Release > apt.fpr.Release
+		break
+	done
+	rm -f Release.gpg Release
+
+	rm -f apt.fpr
+	c=0
+	for i in apt.fpr.InRelease apt.fpr.Release ; do
+		[ -s "$i" ] || continue
+		cp -f "$i" apt.fpr
+		c=$((c+1))
+	done
+
+	if [ "$c" = 2 ] ; then
+		cmp apt.fpr.InRelease apt.fpr.Release >&2
+	fi
+
+	[ -s apt.fpr ]
+	cat apt.fpr
+
+	gpg_off
+
+) || gpg_off 1
--- a/.config/dotfiles/scripts/apt-search
+++ b/.config/dotfiles/scripts/apt-search
@@ -0,0 +1,52 @@
+#!/bin/sh
+set -ef
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} <name or regex> [regex]
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+[ -n "$1" ] || usage 1
+
+w=$(mktemp -d) ; : "${w:?}"
+r=0
+
+_exit() {
+	rm -rf "$w"
+	exit $r
+}
+
+set +e
+if [ "$(id -u)" = 0 ] ; then
+	apt-update
+fi
+apt-cache --names-only search "$1" > "$w/search"
+r=$?
+
+[ $r = 0 ] || _exit
+[ -s "$w/search" ] || _exit
+
+awk '{print $1}' < "$w/search" > "$w/list"
+rm -f "$w/search"
+
+pat="${2:-$1}"
+
+## plain string, exact match
+if grep -Fq -e "${pat}" "$w/list" ; then
+	grep -Fx -e "${pat}" "$w/list"
+	_exit
+fi
+
+## regex (?)
+
+need_anchors=
+case "${pat}" in
+*^* | *\$* ) ;;
+*) need_anchors=1 ;;
+esac
+grep -E${need_anchors:+x} -e "${pat}" "$w/list"
+
+_exit
--- a/.config/dotfiles/scripts/apt-update
+++ b/.config/dotfiles/scripts/apt-update
@@ -0,0 +1,53 @@
+#!/bin/sh
+set -ef
+
+: "${DPKG_ADMINDIR:=/var/lib/dpkg}"
+
+find_fresh_ts() {
+	{
+		find "$@" -exec stat -c '%Y' '{}' '+' 2>/dev/null || :
+		## duck and cover!
+		echo 1
+	} | sort -rn | head -n 1
+}
+
+_apt_update() {
+	## update package lists; may fail sometimes,
+	## e.g. soon-to-release channels like Debian "bullseye" @ 22.04.2021
+
+	if [ $# = 0 ] ; then
+		## (wannabe) smart package list update
+		ts_sources=$(find_fresh_ts /etc/apt/ -follow -regextype egrep -regex '^/etc/apt/sources\.list(|\.d/[^/]+\.(list|sources))$' -type f)
+		ts_lists=$(find_fresh_ts /var/lib/apt/lists/ -maxdepth 1 -regextype egrep -regex '^.+_Packages(|\.(bz2|gz|lz[4o]|xz|zstd?))$' -type f)
+		if [ ${ts_sources} -gt ${ts_lists} ] ; then
+			apt-env apt-get -y update
+		fi
+	else
+		apt-env apt-get "$@" update
+	fi
+}
+
+_dpkg_avail_hack() {
+	set +e
+	suite=$(sh -ec '. /etc/os-release ; printf "%s" "${VERSION_CODENAME}"' || : )
+	## if ${suite} is empty then we're on Debian sid or so :)
+	: "${suite:-sid}"
+	set -e
+	f="${DPKG_ADMINDIR}/available"
+	case "${suite}" in
+	stretch | buster | bionic | focal )
+		## ref: https://unix.stackexchange.com/a/271387/49297
+		if [ -s "$f" ] ; then
+			return
+		fi
+		echo '# fixing "dpkg/available"' >&2
+		/usr/lib/dpkg/methods/apt/update "${DPKG_ADMINDIR}" apt apt
+	;;
+	* )
+		touch "$f"
+	;;
+	esac
+}
+
+_apt_update "$@"
+_dpkg_avail_hack
--- a/.config/dotfiles/scripts/check-bin-pkg
+++ b/.config/dotfiles/scripts/check-bin-pkg
@@ -0,0 +1,44 @@
+#!/bin/sh
+set -ef
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} <binary>[:<package>] [...]
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+[ -n "$1" ] || usage 1
+
+for i ; do
+	unset bin pkg
+	IFS=: read -r bin pkg <<-EOF
+	$i
+	EOF
+
+	if [ -z "${bin}" ] ; then
+		env printf "%q: 'binary' expected but empty: %q\\n" "${me}" "$i" >&2
+		usage 1
+	fi
+done
+
+for i ; do
+	unset bin pkg
+	IFS=: read -r bin pkg <<-EOF
+	$i
+	EOF
+
+	[ -n "${pkg}" ] || pkg=${bin}
+
+	if command -v "${bin}" >/dev/null 2>&1 ; then
+		continue
+	fi
+
+	cat >&2 <<-EOF
+	# ${0##*/}: unable to find command '${bin}'
+	#   install package '${pkg}' first, e.g.
+	#     sudo apt-install ${pkg}
+	EOF
+	exit 1
+done
--- a/.config/dotfiles/scripts/crlf-fix
+++ b/.config/dotfiles/scripts/crlf-fix
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -ef
+
+exec sed -zE 's/\r\n/\n/g;s/\r/\n/g' "$@"
--- a/.config/dotfiles/scripts/deb-src-export
+++ b/.config/dotfiles/scripts/deb-src-export
@@ -0,0 +1,254 @@
+#!/bin/sh
+set -ef
+
+tar_opts='--blocking-factor=1 --format=gnu --no-selinux --no-xattrs --sparse'
+
+unset LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE
+unset LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS
+unset LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION
+unset POSIXLY_CORRECT TAR_OPTIONS
+
+export LC_ALL=C.UTF-8 LANG=C.UTF8
+
+have_cmd() { command -v "$1" </dev/null >/dev/null 2>&1 ; }
+
+ro_git() { GIT_OPTIONAL_LOCKS=0 command git "$@" ; }
+
+find_fast() {
+	find "$@" -printf . -quit | grep -Fq .
+}
+
+check-bin-pkg dh:debhelper dpkg-parsechangelog:dpkg-dev
+
+have_git=
+while [ "${DEB_SRC_EXPORT_GIT:-1}" = 1 ] ; do
+	have_cmd git || break
+	ro_git rev-parse --is-inside-work-tree >/dev/null 2>&1 || break
+
+	have_git=1
+	break
+done
+
+want_gpg=
+while [ "${DEB_SRC_EXPORT_GNUPG:-1}" = 1 ] ; do
+	have_cmd gpg || break
+
+	[ -z "${DEB_SIGN_KEYID}" ] || want_gpg=1
+
+	if [ -n "${have_git}" ] ; then
+		if ro_git config --get commit.gpgsign | grep -Fxq true ; then
+			want_gpg=1
+		fi
+	fi
+
+	break
+done
+
+SIGN_OPT=
+if [ -n "${want_gpg}" ] ; then
+	sign_file() { gpg-sign-file "$@"; }
+else
+	SIGN_OPT='--no-sign'
+	sign_file() { :; }
+
+	unset \
+	  GNUPGHOME GPG_AGENT_INFO GPG_TTY PINENTRY_USER_DATA \
+	  SSH_AGENT_PID SSH_AUTH_SOCK \
+	  DEB_SIGN_KEYID DEBEMAIL DEBFULLNAME
+fi
+
+deb_folder='debian'
+if [ -z "$2" ] ; then
+	if [ -n "${have_git}" ] ; then
+		cd "$(ro_git rev-parse --show-toplevel)"
+	fi
+else
+	deb_folder=$(printf '%s' "$2" | sed -zE 's,/+,/,g;s,/$,,')
+fi
+
+## basic verification of debian/ folder
+[ -d "${deb_folder}" ]
+[ -s "${deb_folder}/rules" ]
+
+if [ "${deb_folder##*/}" = . ] ; then
+	deb_folder=$( ( cd "${deb_folder}" ; pwd ; ) )
+fi
+
+if [ -z "${SOURCE_DATE_EPOCH}" ] ; then
+	SOURCE_DATE_EPOCH=$(date -u +%s)
+fi
+export SOURCE_DATE_EPOCH
+
+temp_folder=$(mktemp -d) ; : "${temp_folder:?}"
+
+## prepare/warmup GnuPG
+## if signing is disabled then it does nothing with files or GnuPG
+date > "${temp_folder}/t" ; sign_file "${temp_folder}/t" ; rm -f "${temp_folder}/t"
+
+## (early) grab source package related files
+mkdir -p "${temp_folder}/debian"
+find "${deb_folder}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+| tar -C "${deb_folder}" ${tar_opts} --dereference --null -T - -cf - \
+| tar -C "${temp_folder}/debian" -xf -
+
+chmod 0755 "${temp_folder}/debian/rules"
+
+d_rules() { DPKG_BUILD_API="${DPKG_BUILD_API:-0}" debian/rules "$@" ; }
+
+(
+	cd "${temp_folder}"
+
+	set +e
+
+	## refresh control files
+	d_rules clean
+	d_rules debian/control
+	d_rules debian/changelog
+)
+if ! [ -s "${temp_folder}/debian/control" ] ; then
+	echo "# ${0##*/}: debian/control is missing/unreproducible for ${deb_folder}/!"
+	rm -rf "${temp_folder}"
+	exit 1
+fi
+
+## retrieve only desired fields from dpkg-parsechangelog output
+if ! dpkg-parsechangelog -l "${temp_folder}/debian/changelog" > "${temp_folder}/changelog" ; then
+	rm -rf "${temp_folder}"
+	exit 1
+fi
+
+# pkg_name=$(deb822 get "${temp_folder}/changelog" Source | sed -zn 1p | tr -d '\0')
+# pkg_ver=$(deb822 get "${temp_folder}/changelog" Version | sed -zn 1p | tr -d '\0')
+# pkg_ts=$(deb822 get "${temp_folder}/changelog" Timestamp | sed -zn 1p | tr -d '\0')
+
+pkg_name=$(sed -En '/^Source:\s*(\S+)$/{s//\1/p;q;}' "${temp_folder}/changelog")
+pkg_ver=$(sed -En '/^Version:\s*(\S+)$/{s//\1/p;q;}' "${temp_folder}/changelog")
+pkg_ts=$(sed -En '/^Timestamp:\s*(\S+)$/{s//\1/p;q;}' "${temp_folder}/changelog")
+
+rm -f "${temp_folder}/changelog"
+
+SOURCE_DATE_EPOCH=${pkg_ts}
+export SOURCE_DATE_EPOCH
+
+pkg_ver_list=$(deb-ver-parse "${pkg_ver}")
+[ -n "${pkg_ver_list}" ]
+
+unset ver_epoch ver_upstream ver_revision
+IFS='|' read -r ver_epoch ver_upstream ver_revision <<EOF
+${pkg_ver_list}
+EOF
+
+T="$1"
+if [ -z "$T" ] ; then
+	T=$(mktemp -d) ; : "${T:?}"
+	echo "output directory (auto-created): $T" >&2
+else
+	echo "output directory: $T" >&2
+	mkdir -p "$T"
+fi
+
+if [ -z "${ver_upstream}" ] ; then
+	## native package
+	## do as simple as possible
+	W="$T/${pkg_name}-${ver_revision}" ; mkdir -p "$W"
+	echo "working directory (as subdirectory of output): $W" >&2
+else
+	## regular package
+	## do some tricks! :)
+	W=$(mktemp -d)
+	echo "working directory (auto-created): $W" >&2
+fi
+
+_cleanup() {
+	cd /
+	rm -rf -- "$W" ; rm -rf -- "$T"
+}
+
+_finish_export() {
+	cd "$T" ; rm -rf -- "$W"
+	echo "index of $T" >&2
+	ls -lhgG >&2
+}
+
+## move files to "permanent" location
+tar -C "${temp_folder}" ${tar_opts} -cf - debian \
+| tar -C "$W" -xf -
+rm -rf "${temp_folder}" ; unset temp_folder
+
+if [ -z "${ver_upstream}" ] ; then
+	## native package
+	## grab all the things (except Git)
+	(
+		cd "${deb_folder}/.."
+		if [ -n "${have_git}" ] ; then
+			git ls-files -z
+		else
+			find ./ -mindepth 1 -maxdepth 1 -printf '%P\0'
+		fi \
+		| sed -zE '/^(\.git|debian)(\/|$)/d' \
+		| tar ${tar_opts} --null -T - -cf - \
+		| tar -C "$W" -xf -
+	) || { _cleanup ; exit 1 ; }
+fi
+
+export TAR_OPTIONS="${tar_opts} --mtime @${pkg_ts} --sort=name --numeric-owner --owner=0 --group=0 --exclude-vcs"
+
+if [ -z "${ver_upstream}" ] ; then
+	## native package
+	## do as simple as possible
+	cd "$W"
+
+	dpkg-buildpackage --build=source -z9 -d -nc ${SIGN_OPT} || { _cleanup ; exit 1 ; }
+
+	_finish_export
+	exit
+fi
+
+## regular package
+## here goes magic and dragons
+
+## shortcuts
+pnu="${pkg_name}_${ver_upstream}"
+pnd="${pnu}-${ver_revision}"
+pna="${pnd}_source"
+
+## try copy upstream source tarball(s) (if any)
+(
+	cd "${deb_folder}/.."
+
+	for d in '..' '.' ; do
+		## main tarball
+		find "$d/" -follow -mindepth 1 -maxdepth 1 -type f -name "${pnu}.orig.*" \
+		-exec cp -vaL -t "$T" {} +
+		## extra tarball(s) for multiple upstream tarball (MUT) package
+		find "$d/" -follow -mindepth 1 -maxdepth 1 -type f -name "${pnu}.orig-*.*" \
+		-exec cp -vaL -t "$T" {} +
+	done
+) || { _cleanup ; exit 1 ; }
+
+cd "$W"
+
+(
+	## verify that we have upstream tarball(s)
+	if ! find_fast "$T" -mindepth 1 -maxdepth 1 -name "${pnu}.orig.*" -type f ; then
+		d_rules debian/watch || :
+		check-bin-pkg uscan:devscripts || exit 1
+		uscan --destdir "$T" --download-current-version --rename
+	fi
+
+	tar -cf - debian | xz -9 > "$T/${pnd}.debian.tar.xz"
+
+	## hackish way to generate .dsc with minimal overhead
+	dpkg-source-raw "$T" || exit 1
+
+	sign_file "$T/${pnd}.dsc"
+
+	dpkg-genbuildinfo --build=source -u"$T" -O > "$T/${pna}.buildinfo"
+	sign_file "$T/${pna}.buildinfo"
+
+	dpkg-genchanges --build=source -u"$T" > "$T/${pna}.changes"
+	sign_file "$T/${pna}.changes"
+
+	_finish_export
+	exit
+) || { _cleanup ; exit 1 ; }
--- a/.config/dotfiles/scripts/deb-ver-parse
+++ b/.config/dotfiles/scripts/deb-ver-parse
@@ -0,0 +1,23 @@
+#!/bin/sh
+set +e ; set -f
+
+## debian package version handling
+
+## match pattern "epoch:version-revision"
+m1='([1-9][0-9]*):([0-9][0-9a-zA-Z.+~-]*)-([0-9a-zA-Z.+~]+)'
+## match pattern "epoch:native_version"
+m2='([1-9][0-9]*):([0-9][0-9a-zA-Z.+~]*)'
+## match pattern "version-revision"
+m3='([0-9][0-9a-zA-Z.+~-]*)-([0-9a-zA-Z.+~]+)'
+## match pattern "native_version"
+m4='([0-9][0-9a-zA-Z.+~]*)'
+
+## replace pattern "epoch|upstream version|revision or native_version"
+replace='\2\5|\3\7|\4\6\8\9'
+
+## sed script to split package version into kind of 'list'
+pkg_ver_to_list='/^('${m1}'|'${m2}'|'${m3}'|'${m4}')$/{s##'${replace}'#;p;}'
+
+for i ; do
+	echo "$i" | sed -En "${pkg_ver_to_list}"
+done
--- a/.config/dotfiles/scripts/dperl
+++ b/.config/dotfiles/scripts/dperl
@@ -0,0 +1 @@
+_perl-wrapper.sh
--- a/.config/dotfiles/scripts/dpkg-list-auto
+++ b/.config/dotfiles/scripts/dpkg-list-auto
@@ -0,0 +1,49 @@
+#!/bin/sh
+set -ef
+
+w=$(mktemp -d) ; : "${w:?}"
+
+have_cmd() { command -v "$1" </dev/null >/dev/null 2>&1 ; }
+
+unset has_mawk
+if have_cmd mawk ; then has_mawk=1 ; fi
+mawk_then_awk() {
+	if [ -n "${has_mawk}" ]
+	then mawk "$@"
+	else awk "$@"
+	fi
+}
+
+f='/var/lib/apt/extended_states'
+if [ -f "$f" ] ; then
+	mawk_then_awk '
+	/^Package:/,/^$/ {
+		if ($1 == "Package:")        { pkg = $2; }
+		if ($1 == "Architecture:")   { arch = $2; }
+		if ($1 == "Auto-Installed:") { is_auto = $2; }
+		if ($0 == "") {
+			if (is_auto == 1) { print pkg ":" arch; }
+		}
+	}
+	' "$f" | sort -V
+fi > "$w/auto.pkg"
+
+while [ -s "$w/auto.pkg" ] ; do
+	dpkg-list-installed > "$w/all"
+
+	## fix:
+	## /var/lib/apt/extended_states stores (some) arch:all entries as arch:native
+	sed -En '/^([^:]+):all$/ {s##/^\1:.+$/ {s//\1:all/}#p}' \
+	  < "$w/all" \
+	  > "$w/auto.sed"
+
+	if [ -s "$w/auto.sed" ] ; then
+		sed -E -f "$w/auto.sed"
+	else
+		cat
+	fi < "$w/auto.pkg"
+
+	break
+done
+
+rm -rf "$w"
--- a/.config/dotfiles/scripts/dpkg-list-installed
+++ b/.config/dotfiles/scripts/dpkg-list-installed
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -ef
+
+dpkg-query --show --showformat='${Package}:${Architecture}|${db:Status-Abbrev}\n' \
+| sed -En '/^(.+)\|[hi]i $/{s//\1/;p}' \
+| sort -V
--- a/.config/dotfiles/scripts/dpkg-list-manual
+++ b/.config/dotfiles/scripts/dpkg-list-manual
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -ef
+
+w=$(mktemp -d) ; : "${w:?}"
+
+dpkg-list-installed > "$w/all"
+dpkg-list-auto > "$w/auto"
+
+if [ -s "$w/auto" ] ; then
+	grep -Fxv -f "$w/auto"
+else
+	cat
+fi < "$w/all"
+
+rm -rf "$w"
--- a/.config/dotfiles/scripts/dpkg-list-martians
+++ b/.config/dotfiles/scripts/dpkg-list-martians
@@ -0,0 +1,24 @@
+#!/bin/sh
+set +e ; set -f
+
+_list() {
+	dpkg-query --show --showformat='${Package}:${Architecture} ${Version} status="${db:Status-Abbrev}"\n' \
+	| grep -Ev '"ii "$' \
+	| sort -V
+}
+
+t=$(mktemp)
+if [ -z "$t" ] ; then
+	# unable to create temporary file?
+	# produce "raw" output
+	_list
+	exit 0
+fi
+
+_list > "$t"
+if [ -s "$t" ] ; then
+	echo '# "martian" packages (i.e. unusual state):' >&2
+	cat "$t"
+fi
+
+rm -f "$t"
--- a/.config/dotfiles/scripts/dpkg-search
+++ b/.config/dotfiles/scripts/dpkg-search
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -ef
+
+: "${1:?}"
+
+me="${0##*/}"
+
+if dpkg-query --search "$1" ; then exit 0 ; fi
+
+case "$1" in
+*\** | *\?* )
+	env printf "%q does not support globs: %q\\n" "${me}" "$1" >&2
+	exit 1
+;;
+esac
+
+while read -r f ; do
+	[ -n "$f" ] || continue
+	dpkg-query --search "$f" || continue
+	exit 0
+done <<EOF
+$(set +e ; find / -xdev -follow -samefile "$1" 2>/dev/null | grep -Fxv -e "$1" | sort -V)
+EOF
+
+exit 1
--- a/.config/dotfiles/scripts/dpkg-source-raw
+++ b/.config/dotfiles/scripts/dpkg-source-raw
@@ -0,0 +1,280 @@
+#!/usr/bin/perl
+#
+# dpkg-source-raw: "hackish" script based on original dpkg-source
+# repo: https://git.dpkg.org/git/dpkg/dpkg.git
+# synced commit: f506e5dbc94393e9b5a8783d992815dca8ea7a2b
+# file: scripts/dpkg-source.pl
+#
+# Copyright © 1996 Ian Jackson <ijackson@chiark.greenend.org.uk>
+# Copyright © 1997 Klee Dienes <klee@debian.org>
+# Copyright © 1999-2003 Wichert Akkerman <wakkerma@debian.org>
+# Copyright © 1999 Ben Collins <bcollins@debian.org>
+# Copyright © 2000-2003 Adam Heath <doogie@debian.org>
+# Copyright © 2005 Brendan O'Dea <bod@debian.org>
+# Copyright © 2006-2008 Frank Lichtenheld <djpig@debian.org>
+# Copyright © 2006-2009,2012 Guillem Jover <guillem@debian.org>
+# Copyright © 2008-2011 Raphaël Hertzog <hertzog@debian.org>
+# Copyright © 2020-2025 Konstantin Demin <rockdrilla@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+use strict;
+use warnings;
+
+use List::Util qw(any none);
+use Cwd;
+use File::Basename;
+use File::Spec;
+
+use Dpkg ();
+use Dpkg::ErrorHandling;
+use Dpkg::Arch qw(:operators);
+use Dpkg::Deps;
+use Dpkg::Compression;
+use Dpkg::Conf;
+use Dpkg::Control::Info;
+use Dpkg::Control::Tests;
+use Dpkg::Control::Fields;
+use Dpkg::Substvars;
+use Dpkg::Version;
+use Dpkg::Changelog::Parse;
+use Dpkg::Source::Format;
+use Dpkg::Source::Package;
+use Dpkg::Vendor;
+
+# heavily-conditional "use MODULE"
+BEGIN {
+    my $dpkg_ver = Dpkg::Version->new($Dpkg::PROGVERSION);
+    my $new_api_ver = Dpkg::Version->new('1.22.0');
+    if ($dpkg_ver >= $new_api_ver) {
+        require Dpkg::Package;
+        Dpkg::Package->import(qw(set_source_name));
+        # aliasing
+        *set_source_package = \&set_source_name;
+    } else {
+        require Dpkg::Vars;
+        Dpkg::Vars->import(qw(set_source_package));
+    }
+}
+
+my $build_format;
+my %options = ();
+
+my $substvars = Dpkg::Substvars->new();
+
+my @options;
+
+$options{origtardir} = $ARGV[0];
+$options{changelog_file} = 'debian/changelog';
+
+my %ch_options = (file => $options{changelog_file});
+my $changelog = changelog_parse(%ch_options);
+my $control = Dpkg::Control::Info->new('debian/control');
+
+# <https://reproducible-builds.org/specs/source-date-epoch/>
+$ENV{SOURCE_DATE_EPOCH} ||= $changelog->{timestamp} || time;
+
+# Select the format to use
+if (not defined $build_format) {
+    my $format_file = 'debian/source/format';
+    if (-e $format_file) {
+        my $format = Dpkg::Source::Format->new(filename => $format_file);
+        $build_format = $format->get();
+    } else {
+        warning('no source format specified in %s, ' .
+                'see dpkg-source(1)', $format_file);
+        $build_format = '1.0';
+    }
+}
+
+my $srcpkg = Dpkg::Source::Package->new(format => $build_format,
+                                        options => \%options);
+my $fields = $srcpkg->{fields};
+
+my @sourcearch;
+my %archadded;
+my @binarypackages;
+
+# Scan control info of source package
+my $src_fields = $control->get_source();
+error("debian/control doesn't contain any information about the source package") unless defined $src_fields;
+my $src_sect = $src_fields->{'Section'} || 'unknown';
+my $src_prio = $src_fields->{'Priority'} || 'unknown';
+
+foreach my $f (keys %{$src_fields}) {
+    my $v = $src_fields->{$f};
+
+    if ($f eq 'Source') {
+        set_source_package($v);
+        $fields->{$f} = $v;
+    } elsif ($f eq 'Uploaders') {
+        # Merge in a single-line
+        ($fields->{$f} = $v) =~ s/\s*[\r\n]\s*/ /g;
+    } elsif (any { $f eq $_ } field_list_src_dep()) {
+        my $dep;
+        my $type = field_get_dep_type($f);
+        $dep = deps_parse($v, build_dep => 1, union => $type eq 'union');
+        error('error occurred while parsing %s', $f) unless defined $dep;
+        my $facts = Dpkg::Deps::KnownFacts->new();
+        $dep->simplify_deps($facts);
+        $dep->sort() if $type eq 'union';
+        $fields->{$f} = $dep->output();
+    } else {
+        field_transfer_single($src_fields, $fields, $f);
+    }
+}
+
+# Scan control info of binary packages
+my @pkglist;
+foreach my $pkg ($control->get_packages()) {
+    my $p = $pkg->{'Package'};
+    my $sect = $pkg->{'Section'} || $src_sect;
+    my $prio = $pkg->{'Priority'} || $src_prio;
+    my $type = $pkg->{'Package-Type'} ||
+            $pkg->get_custom_field('Package-Type') || 'deb';
+    my $arch = $pkg->{'Architecture'};
+    my $profile = $pkg->{'Build-Profiles'};
+
+    my $pkg_summary = sprintf('%s %s %s %s', $p, $type, $sect, $prio);
+
+    $pkg_summary .= ' arch=' . join ',', split ' ', $arch;
+
+    if (defined $profile) {
+        # Instead of splitting twice and then joining twice, we just do
+        # simple string replacements:
+
+        # Remove the enclosing <>
+        $profile =~ s/^\s*<(.*)>\s*$/$1/;
+        # Join lists with a plus (OR)
+        $profile =~ s/>\s+</+/g;
+        # Join their elements with a comma (AND)
+        $profile =~ s/\s+/,/g;
+        $pkg_summary .= " profile=$profile";
+    }
+
+    if (defined $pkg->{'Protected'} and $pkg->{'Protected'} eq 'yes') {
+        $pkg_summary .= ' protected=yes';
+    }
+    if (defined $pkg->{'Essential'} and $pkg->{'Essential'} eq 'yes') {
+        $pkg_summary .= ' essential=yes';
+    }
+
+    push @pkglist, $pkg_summary;
+    push @binarypackages, $p;
+    foreach my $f (keys %{$pkg}) {
+        my $v = $pkg->{$f};
+        if ($f eq 'Architecture') {
+            # Gather all binary architectures in one set. 'any' and 'all'
+            # are special-cased as they need to be the only ones in the
+            # current stanza if present.
+            if (debarch_eq($v, 'any') || debarch_eq($v, 'all')) {
+                push(@sourcearch, $v) unless $archadded{$v}++;
+            } else {
+                for my $a (split(/\s+/, $v)) {
+                    error("'%s' is not a legal architecture string", $a)
+                        if debarch_is_illegal($a);
+                    error('architecture %s only allowed on its ' .
+                             "own (list for package %s is '%s')",
+                          $a, $p, $a)
+                        if $a eq 'any' or $a eq 'all';
+                    push(@sourcearch, $a) unless $archadded{$a}++;
+                }
+            }
+        } elsif (any { $f eq $_ } qw(Homepage Description)) {
+            # Do not overwrite the same field from the source entry
+        } else {
+            field_transfer_single($pkg, $fields, $f);
+        }
+    }
+}
+
+unless (scalar(@pkglist)) {
+    error("debian/control doesn't list any binary package");
+}
+
+if (any { $_ eq 'any' } @sourcearch) {
+    # If we encounter one 'any' then the other arches become insignificant
+    # except for 'all' that must also be kept
+    if (any { $_ eq 'all' } @sourcearch) {
+        @sourcearch = qw(any all);
+    } else {
+        @sourcearch = qw(any);
+    }
+} else {
+    # Minimize arch list, by removing arches already covered by wildcards
+    my @arch_wildcards = grep { debarch_is_wildcard($_) } @sourcearch;
+    my @mini_sourcearch = @arch_wildcards;
+    foreach my $arch (@sourcearch) {
+        if (none { debarch_is($arch, $_) } @arch_wildcards) {
+            push @mini_sourcearch, $arch;
+        }
+    }
+    @sourcearch = @mini_sourcearch;
+}
+$fields->{'Architecture'} = join(' ', @sourcearch);
+$fields->{'Package-List'} = "\n" . join("\n", sort @pkglist);
+
+# Scan fields of dpkg-parsechangelog
+foreach my $f (keys %{$changelog}) {
+    my $v = $changelog->{$f};
+
+    if ($f eq 'Source') {
+        set_source_package($v);
+        $fields->{$f} = $v;
+    } elsif ($f eq 'Version') {
+        my ($ok, $error) = version_check($v);
+        error($error) unless $ok;
+        $fields->{$f} = $v;
+    } elsif ($f eq 'Binary-Only') {
+        error('building source for a binary-only release')
+            if $v eq 'yes';
+    } elsif ($f eq 'Maintainer') {
+        # Do not replace the field coming from the source entry
+    } else {
+        field_transfer_single($changelog, $fields, $f);
+    }
+}
+
+$fields->{'Binary'} = join(', ', @binarypackages);
+# Avoid overly long line by splitting over multiple lines
+if (length($fields->{'Binary'}) > 980) {
+    $fields->{'Binary'} =~ s/(.{0,980}), ?/$1,\n/g;
+}
+
+my $basenamerev = $srcpkg->get_basename(1);
+
+# fragment from Dpkg::Source::Package::V2::_generate_patch()
+	my $tarfile;
+	my $comp_ext_regex = compression_get_file_extension_regex();
+	foreach my $file (sort $srcpkg->find_original_tarballs()) {
+	    if ($file =~ /\.orig\.tar\.$comp_ext_regex$/) {
+	        if (defined($tarfile)) {
+	            error('several orig.tar files found (%s and %s) but only ' .
+	                     'one is allowed', $tarfile, $file);
+	        }
+	        $srcpkg->add_file($file);
+	    } elsif ($file =~ /\.orig-([[:alnum:]-]+)\.tar\.$comp_ext_regex$/) {
+	        $srcpkg->add_file($file);
+	    }
+	}
+# end of fragment
+
+# fragment from Dpkg::Source::Package::V2::do_build()
+	$srcpkg->add_file("$ARGV[0]/$basenamerev.debian.tar.xz");
+# end of fragment
+
+# Write the .dsc
+my $dscname = "$ARGV[0]/$basenamerev.dsc";
+$srcpkg->write_dsc(filename => $dscname, substvars => $substvars);
+exit(0);
--- a/.config/dotfiles/scripts/dpkg-which
+++ b/.config/dotfiles/scripts/dpkg-which
@@ -0,0 +1,91 @@
+#!/bin/sh
+set +e ; set -f
+
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${0##*/} <path> [<path> ..]
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+: "${DPKG_ADMINDIR:=/var/lib/dpkg}"
+dpkg_info_dir="${DPKG_ADMINDIR}/info"
+dpkg_diversions="${DPKG_ADMINDIR}/diversions"
+
+# _same() { find "$@" -maxdepth 0 -samefile "$1" -print0 2>/dev/null ; }
+
+_get_alt() {
+	[ -n "$1" ] || return
+
+	a="$1"
+	case "$1" in
+	/usr/local/* )  return ;;
+	/usr/* )        a="${1#/usr}" ;;
+	/* )            a="/usr$1" ;;
+	* )             return ;;
+	esac
+
+	# n=$(_same "$1" "$a" | xargs -0 sh -c 'echo $#' --)
+	# [ "$n" = 2 ] || return
+	# printf '%s' "$a"
+	test "$1" -ef "$a" || return 0
+	printf '%s' "$a"
+}
+
+_dpkg_search() {
+	[ -n "$1" ] || return
+
+	grep -FxRl -e "$1" "${dpkg_info_dir}/" \
+	| sed -En '/\.list$/{s,^.+/([^/]+)\.list$,\1,p}'
+}
+
+_dpkg_divert() {
+	[ -n "$1" ] || return
+
+	n=$(grep -Fxhn -e "$1" "${dpkg_diversions}" | cut -d: -f1)
+	[ -n "$n" ] || return
+
+	case "$((n%3))" in
+	1 | 2 ) ;;
+	* ) return ;;
+	esac
+
+	k=$(( n - (n%3) ))
+	divert_pkg=$(sed -n "$((k+3))p" "${dpkg_diversions}")
+	case "$((n%3))" in
+	1 )
+		[ "${divert_pkg}" = ':' ] || echo "${divert_pkg}"
+	;;
+	2 )
+		divert_from=$(sed -n "$((k+1))p" "${dpkg_diversions}")
+		_dpkg_search "${divert_from}" | grep -Fxv -e "${divert_pkg}"
+	;;
+	esac
+}
+
+for i ; do
+	[ -n "$i" ] || continue
+
+	name=
+	altpath=$(_get_alt "$i")
+
+	name=$(_dpkg_divert "$i")
+	if [ -n "${name}" ] ; then
+		echo "${name}"
+		continue
+	fi
+
+	name=$(_dpkg_divert "${altpath}")
+	if [ -n "${name}" ] ; then
+		echo "${name}"
+		continue
+	fi
+
+	name=$( { _dpkg_search "$i" ; _dpkg_search "${altpath}" ; } | sort -uV)
+	if [ -n "${name}" ] ; then
+		echo "${name}"
+		continue
+	fi
+done
+exit 0
--- a/.config/dotfiles/scripts/ensure-eof-empty-line
+++ b/.config/dotfiles/scripts/ensure-eof-empty-line
@@ -0,0 +1,35 @@
+#!/bin/sh
+set -ef
+
+[ -n "$1" ] || exit 1
+[ -f "$1" ] || exit 1
+! [ -h "$1" ] || exit 1
+
+# ensure that we have at least two empty lines at the end
+n=$(env stat -c '%s' "$1") || exit 1
+
+want_lf=2 i=$n
+case "$n" in
+1 ) ;;
+0 ) exit 0 ;;
+* ) i=2 ;;
+esac
+
+while [ $i -gt 0 ] ; do
+	n=$((n - 1))
+	c=$(od -A n -j "$n" -N 1 -t x1 "$1") || exit 1
+	c=$(printf '%s' "$c" | tr -d '[:space:]')
+	i=$((i - 1))
+
+	[ "$c" = '0a' ] || break
+	want_lf=$((want_lf - 1))
+done
+
+padding=
+case "${want_lf}" in
+0 ) exit 0 ;;
+1 ) padding='\n' ;;
+2 ) padding='\n\n' ;;
+esac
+
+printf "${padding}" >> "$1"
--- a/.config/dotfiles/scripts/from
+++ b/.config/dotfiles/scripts/from
@@ -0,0 +1 @@
+_rsync-wrapper.sh
--- a/.config/dotfiles/scripts/gpg-batch
+++ b/.config/dotfiles/scripts/gpg-batch
@@ -0,0 +1,59 @@
+#!/bin/sh
+set -ef
+
+: "${GPG_KEYSERVER:=hkps://keyserver.ubuntu.com}"
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} {start|stop}
+	# NB: ensure that env GNUPGHOME is set to appropriate (e.g. temporary) directory
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+act=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
+case "${act}" in
+1 | start ) ;;
+0 | stop )  ;;
+* )         usage 1 ;;
+esac
+
+check-bin-pkg gpg dirmngr gpgconf
+
+case "${act}" in
+1 | start )
+	[ -n "${GNUPGHOME}" ] || usage 1
+	[ -d "${GNUPGHOME}" ] || usage 1
+
+	cd "${GNUPGHOME}"
+	cat > gpg.conf <<-EOF
+		quiet
+		batch
+		trust-model always
+		no-auto-check-trustdb
+		ignore-time-conflict
+		keyid-format 0xlong
+		keyserver ${GPG_KEYSERVER}
+	EOF
+	cat > dirmngr.conf <<-EOF
+		quiet
+		batch
+		keyserver ${GPG_KEYSERVER}
+	EOF
+	quiet gpg --update-trustdb
+	quiet gpg --list-keys
+	quiet dirmngr
+;;
+0 | stop )
+	[ -n "${GNUPGHOME}" ] || exit 0
+	[ -d "${GNUPGHOME}" ] || usage 1
+
+	cd "${GNUPGHOME}"
+	quiet gpgconf --kill all
+	cd /
+	rm -rf "${GNUPGHOME}"
+;;
+esac
+exit 0
--- a/.config/dotfiles/scripts/gpg-export
+++ b/.config/dotfiles/scripts/gpg-export
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -ef
+
+: "${1:?}" "${2:?}"
+
+w=$(mktemp -d) ; : "${w:?}"
+
+gpg_on() { gpg-batch start ; }
+gpg_off() {
+	cd /
+	gpg-batch stop
+	unset GNUPGHOME
+	rm -rf "$w"
+	exit "${1:-0}"
+}
+
+(
+	export GNUPGHOME="$w/dot-gnupg"
+	mkdir -m 0700 "${GNUPGHOME}"
+	gpg_on
+
+	gpg --import "$1"
+	gpg --armor --export > "$w/export"
+	cat < "$w/export" > "$2"
+	gpg --show-keys "$2"
+
+	gpg_off
+
+) || gpg_off 1
--- a/.config/dotfiles/scripts/gpg-sign-file
+++ b/.config/dotfiles/scripts/gpg-sign-file
@@ -0,0 +1,38 @@
+#!/bin/sh
+set +e ; set -f
+
+me="${0##*/}"
+
+## test that 1st argument is (exactly) file
+if [ -z "$1" ] ; then
+	env printf "%q: requires 1st argument\\n" "${me}" >&2
+	exit 1
+fi
+if [ -h "$1" ] ; then
+	env printf "%q: symlinks are not supported: %q\\n" "${me}" "$1" >&2
+	exit 1
+fi
+if ! [ -f "$1" ] ; then
+	env printf "%q: file does not exist: %q\\n" "${me}" "$1" >&2
+	exit 1
+fi
+
+check-bin-pkg gpg dirmngr gpgconf
+
+w=$(mktemp -d) ; : "${w:?}"
+(
+	set -e
+	cp -L "$1" "$w/s"
+	ensure-eof-empty-line "$w/s"
+	gpg \
+	  --utf8-strings --textmode --armor --clearsign \
+	  --output "$w/d" - < "$w/s"
+	rm -f "$w/s"
+	cat < "$w/d" > "$1"
+	rm -f "$w/d"
+)
+res=$?
+
+rm -rf -- "$w"
+
+exit ${res}
--- a/.config/dotfiles/scripts/gpg-warmup
+++ b/.config/dotfiles/scripts/gpg-warmup
@@ -0,0 +1,10 @@
+#!/bin/sh
+set +e ; set -f
+
+check-bin-pkg gpg || exit $?
+
+t=$(mktemp) || exit $?
+gpg -abs "$t"
+r=$?
+rm -f "$t" "$t.asc"
+exit $r
--- a/.config/dotfiles/scripts/idle
+++ b/.config/dotfiles/scripts/idle
@@ -0,0 +1,20 @@
+#!/bin/sh
+set +e ; set -f
+
+have_cmd() { command -v "$1" </dev/null >/dev/null 2>&1 ; }
+
+has_nice=1 has_chrt=1 has_ionice=1
+have_cmd nice || has_nice=
+have_cmd chrt || has_chrt=
+have_cmd ionice || has_ionice=
+
+if [ -z "${has_nice}${has_chrt}${has_ionice}" ] ; then
+	env printf "%q: unable to launch command in idle mode due to missing executables\\n" "${0##*/}" >&2
+	exit 126
+fi
+
+exec \
+  ${has_nice:+ nice -n +40 } \
+  ${has_chrt:+ chrt -i 0 } \
+  ${has_ionice:+ ionice -c 3 } \
+"$@"
--- a/.config/dotfiles/scripts/krd-debsrc
+++ b/.config/dotfiles/scripts/krd-debsrc
@@ -0,0 +1,13 @@
+#!/bin/sh
+set +e ; set -f
+
+[ -n "${1:?}" ]
+
+check-bin-pkg deb-src-export || exit $?
+
+case "$1" in
+*/* ) dstdir="$1/src" ;;
+* )   dstdir="/tmp/$1/src" ;;
+esac
+rm -rf "${dstdir}"
+exec deb-src-export "${dstdir}"
--- a/.config/dotfiles/scripts/krd-quilt
+++ b/.config/dotfiles/scripts/krd-quilt
@@ -0,0 +1,60 @@
+#!/bin/sh
+set +e ; set -f
+
+check-bin-pkg quilt || exit $?
+
+[ -n "${1:?}" ] || exit 1
+
+if [ -d "$1" ] ; then
+	patchdir="$1/debian/patches"
+	if [ -d "${patchdir}" ] ; then
+		ls "${patchdir}/series" >/dev/null || exit 1
+	else
+		patchdir="$1"
+	fi
+
+	series="${patchdir}/series"
+	if ! [ -f "${series}" ] ; then
+		mkdir -p "$1/.pc" || exit 1
+		series="$1/.pc/krd-quilt-series"
+		touch "${series}" || exit 1
+		quilt-series-auto "${patchdir}" > "${series}"
+	fi
+elif [ -f "$1" ] ; then
+	[ -s "$1" ] || exit 1
+
+	series="$1"
+	patchdir=$(dirname "${series}")
+else
+	exit 1
+fi
+
+set -a
+QUILT_SERIES="${series:?}"
+QUILT_PATCHES="${patchdir:?}"
+set +a
+
+xsedx=$(printf '\027')
+
+r=0
+while read -r i ; do
+	[ -n "$i" ] || continue
+
+	quilt --fuzz=0 push "$i" || exit $?
+	quilt refresh "$i" || exit $?
+
+	sed -E -i \
+		-e 's#^(-{3} )[^/][^/]*/(.*)$#\1a/\2#;' \
+		-e 's#^(\+{3} )[^/][^/]*/(.*)$#\1b/\2#' \
+	"$i"
+
+	rm -f "$i"'~'
+done <<EOF
+$(
+	if ! quilt unapplied ; then
+		quilt-series-strip-comments "${series}" \
+		| sed -E "s${xsedx}^${xsedx}${patchdir}/${xsedx}"
+	fi
+)
+EOF
+exit $r
--- a/.config/dotfiles/scripts/krd-sbuild
+++ b/.config/dotfiles/scripts/krd-sbuild
@@ -0,0 +1,115 @@
+#!/bin/sh
+set +e ; set -f
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} <package top directory> {<arch>|<host-arch>:<build-arch>} [env|arguments]
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+check-bin-pkg sbuild xz:xz-utils || exit $?
+
+_tmpdir() {
+	TMPDIR="$1"
+	TMP="$1"
+	TEMPDIR="$1"
+	TEMP="$1"
+	export TMPDIR TMP TEMPDIR TEMP
+}
+## TODO: questionable
+_tmpdir /tmp
+
+[ -n "${1:?}" ]
+[ -n "${2:?}" ]
+
+case "$1" in
+*/* ) topdir="$1" ;;
+* )   topdir="/tmp/$1" ;;
+esac
+[ -d "${topdir}" ] || return 1
+
+srcdir="${topdir}/src"
+[ -d "${srcdir}" ] || return 2
+
+_sbuild_args=
+_append_args() {
+	for __i ; do
+		_sbuild_args="${_sbuild_args}${_sbuild_args:+ }$(env printf '%q' "${__i}" )"
+	done ; unset __i
+}
+
+case "$2" in
+*:* )
+	unset host_arch build_arch _xtra
+	IFS=: read -r host_arch build_arch _xtra <<-EOF
+	$i
+	EOF
+
+	if [ -z "${host_arch}" ] ; then
+		env printf "%q: error: 'host-arch' expected but empty\\n" "${me}" >&2
+		exit 1
+	fi
+	if [ -z "${build_arch}" ] ; then
+		env printf "%q: error: 'build-arch' expected but empty\\n" "${me}" >&2
+		exit 1
+	fi
+	if [ -n "${_xtra}" ] ; then
+		env printf "%q: warning: extra data in 'host-arch:build-arch' specifier: %q\\n" "${me}" "${_xtra}" >&2
+	fi
+	unset _xtra
+
+	arch=${host_arch}
+	_append_args "--host=${host_arch}"
+	_append_args "--build=${build_arch}"
+;;
+* )
+	arch=$2
+	_append_args "--arch=$2"
+;;
+esac
+
+## done with args
+shift 2
+
+for i ; do
+	## naive splitting args and env
+	case "$i" in
+	-*  ) _append_args "$i" ;;
+	=*  ) _append_args "$i" ;;
+	*=  ) unset "$i" ;;
+	*=* ) export "$i" ;;
+	*   ) _append_args "$i" ;;
+	esac
+done ; unset i
+
+builddir="${topdir}/${arch}"
+mkdir -p "${topdir}/all" "${builddir}" "${builddir}-all" "${builddir}-debug"
+
+cd "${builddir}"
+
+set +f
+for i in "${srcdir}"/*.dsc ; do
+	## I'm NOT proud of using "eval" here :(
+	eval "idle sbuild --arch-all --arch-any ${_sbuild_args} $i" || exit $?
+	find -name '*.build' -type l -exec rm -f {} +
+	find -name '*.build' -type f -exec xz -9vv {} +
+done
+
+find \
+  -regextype egrep -regex '.+all\.d?deb$' -type f \
+  -exec mv -fvt "../${arch}-all" {} +
+
+find \
+  -name '*.ddeb' -type f \
+  -exec mv -fvt "../${arch}-debug" {} +
+find \
+  -regextype egrep -regex '.+dbgsym_[^_]+_'"${arch}"'\.d?deb$' -type f \
+  -exec mv -fvt "../${arch}-debug" {} +
+
+cd "${builddir}-all"
+find -type f -exec mv -nvt '../all' {} +
+
+exit 0
--- a/.config/dotfiles/scripts/openssl-cert-auto-pem
+++ b/.config/dotfiles/scripts/openssl-cert-auto-pem
@@ -0,0 +1,117 @@
+#!/bin/sh
+set +e ; set -f
+
+me=${0##*/}
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} <certificate file> [PEM output file] [fingerprints output file] [offsets output file]
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+[ -n "$1" ] || exit 1
+[ -f "$1" ] || {
+	env printf '%s: not a file or does not exist: %q\n' "${me}" "$1" >&2
+	exit 1
+}
+[ -s "$1" ] || exit 0
+
+w=$(mktemp -d) || exit 1
+w_cleanup() {
+	[ -z "$w" ] || ls -lA "$w/" >&2
+	[ -z "$w" ] || rm -rf "$w"
+	unset w
+	exit "${1:-0}"
+}
+
+have_cmd() { command -v "$1" </dev/null >/dev/null 2>&1 ; }
+
+unset has_mawk
+if have_cmd mawk ; then has_mawk=1 ; fi
+mawk_then_awk() {
+	if [ -n "${has_mawk}" ]
+	then mawk "$@"
+	else awk "$@"
+	fi
+}
+
+bundle_offsets() {
+	mawk_then_awk 'BEGIN { OFS = ","; i_begin = 0; }
+	$0 == "-----BEGIN CERTIFICATE-----" {
+	    i_begin = NR;
+	}
+	$0 == "-----END CERTIFICATE-----" {
+	    if (i_begin > 0) {
+	        print i_begin, NR;
+	        i_begin = 0;
+	    }
+	}' "$1"
+}
+
+bundle_fingerprints() {
+	local x f
+	while read -r x ; do
+		[ -n "$x" ] || continue
+
+		f=$(sed -ne "${x}p" "$1" | openssl x509 -noout -fingerprint -sha256)
+		[ -n "$f" ] || f=$(sed -ne "${x}p" "$1" | openssl x509 -noout -fingerprint)
+		[ -n "$f" ] || continue
+
+		printf '%s\n' "$f" | tr '[:upper:]' '[:lower:]'
+	done < "$2"
+}
+
+openssl storeutl -certs "$1" > "$w/cert.pem" || w_cleanup 1
+[ -s "$w/cert.pem" ] || w_cleanup 1
+tr -s '\r\n' '\n' < "$w/cert.pem" > "$w/cert.txt"
+[ -s "$w/cert.txt" ] || w_cleanup 1
+rm -f "$w/cert.pem"
+
+bundle_offsets "$w/cert.txt" > "$w/cert.off"
+[ -s "$w/cert.off" ] || w_cleanup 1
+
+bundle_fingerprints "$w/cert.txt" "$w/cert.off" > "$w/cert.fp.all"
+[ -s "$w/cert.fp.all" ] || w_cleanup 1
+
+sort -uV < "$w/cert.fp.all" > "$w/cert.fp"
+while read -r fp ; do
+	[ -n "${fp}" ] || continue
+
+	n=$(grep -m1 -Fxn -e "${fp}" "$w/cert.fp.all" | cut -d : -f 1)
+	[ -n "$n" ] || continue
+
+	off=$(sed -ne "${n}p" "$w/cert.off")
+	[ -n "${off}" ] || continue
+
+	sed -ne "${off}p" "$w/cert.txt"
+done < "$w/cert.fp" > "$w/cert.pem"
+[ -s "$w/cert.pem" ] || w_cleanup 1
+rm -f "$w/cert.txt" "$w/cert.off" "$w/cert.fp.all"
+
+if [ -n "$2" ] ; then
+	while : ; do
+		if [ -e "$2" ] ; then
+			[ -f "$2" ] || break
+		fi
+		cat > "$2"
+	break ; done
+else
+	cat
+fi < "$w/cert.pem"
+
+while [ -n "$3" ] ; do
+	if [ -e "$3" ] ; then
+		[ -f "$3" ] || break
+	fi
+	cat "$w/cert.fp" > "$3"
+break ; done
+
+while [ -n "$4" ] ; do
+	if [ -e "$4" ] ; then
+		[ -f "$4" ] || break
+	fi
+	bundle_offsets "$w/cert.pem" > "$4"
+break ; done
+
+rm -rf "$w" ; unset w
--- a/.config/dotfiles/scripts/openssl-generate-dh-bundle
+++ b/.config/dotfiles/scripts/openssl-generate-dh-bundle
@@ -0,0 +1,28 @@
+#!/bin/sh
+set -ef
+
+for k in 1024:20 2048:80 ; do
+
+	unset b t
+	IFS=':' read -r b t <<-EOF
+	$k
+	EOF
+
+	f="dh${b}.pem"
+	echo "# openssl genpkey: $f" >&2
+	timeout --kill-after=3s ${t}s \
+	  openssl genpkey -quiet -genparam -algorithm DH -out "./$f" -pkeyopt "dh_paramgen_prime_len:${b}"
+done
+
+for k in 2048:80 3072:120 4096:160 ; do
+
+	unset b t
+	IFS=':' read -r b t <<-EOF
+	$k
+	EOF
+
+	f="ffdhe${b}.pem"
+	echo "# openssl genpkey: $f" >&2
+	timeout --kill-after=3s ${t}s \
+	  openssl genpkey -quiet -genparam -algorithm DH -out "./$f" -pkeyopt "group:ffdhe${b}"
+done
--- a/.config/dotfiles/scripts/openssl-ocsp
+++ b/.config/dotfiles/scripts/openssl-ocsp
@@ -0,0 +1,209 @@
+#!/bin/sh
+set -ef
+
+ocsp_fetch_timeout=15
+ocsp_fetch_retries=3
+ocsp_fetch_retry_delay=5
+ocsp_valid_threshold=86400
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} <command> [args...]
+	#   ${me} get-uri <in:cert.pem>
+	#   ${me} is-valid <in:issuer.pem> <in:cert.pem> <in:ocsp.der>
+	#   ${me} is-expiring <in:issuer.pem> <in:cert.pem> <in:ocsp.der>
+	#   ${me} fetch <in:issuer.pem> <in:cert.pem> <out:ocsp.der>
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+## $1 - X509 in PEM format
+ossl_x509_verify_fmt() {
+	openssl x509 -in "$1" -noout >/dev/null
+}
+
+## $1 - cert
+ossl_ocsp_uri() {
+	openssl x509 -in "$1" -noout -ocsp_uri \
+	| head -n 1
+}
+
+## $1 - chain
+## $2 - cert
+## $3 - ocsp uri
+## $4 - ocsp response
+ossl_ocsp_fetch() {
+	openssl ocsp \
+	  -timeout "${ocsp_fetch_timeout}" \
+	  -nonce \
+	  -issuer "$1" -cert "$2" -url "$3" -respout "$4"
+}
+
+## $1 - ocsp response
+ossl_ocsp_verify_fmt() {
+	openssl ocsp \
+	  -noverify -respin "$1"
+}
+
+## $1 - chain
+## $2 - cert
+## $3 - ocsp response
+ossl_ocsp_read() {
+	openssl ocsp \
+	  -issuer "$1" -cert "$2" -respin "$3" -resp_text
+}
+
+## $1 - chain
+## $2 - cert
+## $3 - ocsp response
+ossl_ocsp_verify() {
+	ossl_ocsp_read "$@" >/dev/null
+}
+
+## stdin - output of ossl_ocsp_read()
+ossl_ocsp_next_update() {
+	sed -En '/^\s*[Nn]ext [Uu]pdate:\s*(\S.+\S)\s*$/{s//\1/;p;q}'
+}
+
+unset arg_ok cmd chain cert ocsp_uri ocsp_resp
+arg_ok=
+while : ; do
+	[ -n "$1" ] || break
+	cmd="$1"
+	case "$1" in
+	get-uri )
+		[ -n "$2" ] || break
+		[ -s "$2" ] || break
+		ossl_x509_verify_fmt "$2" || break
+		cert="$2"
+	;;
+	is-valid | is-expiring | fetch )
+		[ -n "$2" ] || break
+		[ -s "$2" ] || break
+		ossl_x509_verify_fmt "$2" || break
+		chain="$2"
+		[ -n "$3" ] || break
+		[ -s "$3" ] || break
+		ossl_x509_verify_fmt "$3" || break
+		cert="$3"
+		[ -n "$4" ] || break
+		ocsp_resp="$4"
+		## OCSP response validation is handled later and in various ways (!)
+		## e.g. "is-valid" (cmd_is_valid) validates OCSP response as expected
+		## but "is-expiring" (cmd_is_expiring) returns success for invalid OCSP response
+		## which means OCSP response should be updated ASAP
+	;;
+	*) break ;;
+	esac
+	arg_ok=1
+break ; done
+[ -n "${arg_ok}" ] || usage 1
+unset arg_ok
+
+## OCSP URI is used only in "get-uri" and "fetch" commands
+## but implicitly required for all actions
+ocsp_uri=$(ossl_ocsp_uri "${cert}") || exit 1
+if [ -z "${ocsp_uri}" ] ; then
+	env printf '%q: unable to extract OCSP URI from %q\n' "${me}" "${cert}" >&2
+	exit 1
+fi
+## early command handling
+if [ "${cmd}" = 'get-uri' ] ; then
+	printf '%s\n' "${ocsp_uri}"
+	exit 0
+fi
+
+## $1 - chain
+## $2 - cert
+## $3 - ocsp response
+cmd_is_valid() {
+	ossl_ocsp_verify_fmt "$3" || return 1
+	ossl_ocsp_verify "$1" "$2" "$3" || return 1
+}
+
+## $1 - chain
+## $2 - cert
+## $3 - ocsp response
+cmd_is_expiring() {
+	cmd_is_valid "$1" "$2" "$3" || return 0
+
+	local need_update next ts_now ts_next ts_diff
+
+	need_update=1
+	while : ; do
+		next=$(ossl_ocsp_read "$1" "$2" "$3" 2>/dev/null | ossl_ocsp_next_update)
+		[ -n "${next}" ] || break
+
+		ts_now=$(date '+%s')
+		ts_next=$(date -d "${next}" '+%s')
+		[ -n "${ts_next}" ] || break
+		[ ${ts_now} -lt ${ts_next} ] || break
+
+		ts_diff=$((ts_next - ts_now))
+		[ ${ts_diff} -le ${ocsp_valid_threshold} ] || need_update=0
+	break ; done
+
+	if [ "${need_update}" = 0 ] ; then
+		env printf '%q: %q has valid and fresh OCSP response\n' "${me}" "$2" >&2
+		return 1
+	fi
+
+	return 0
+}
+
+## $1 - chain
+## $2 - cert
+## $3 - ocsp uri
+## $4 - ocsp response
+cmd_fetch() {
+	local t i r
+
+	t=$(mktemp) ; : "${t:?}"
+
+	for i in $(seq 1 "${ocsp_fetch_retries}") ; do
+		i= ## no-op
+
+		if ossl_ocsp_fetch "$1" "$2" "$3" "$t" ; then
+			break
+		fi
+		: > "$t"
+		sleep "${ocsp_fetch_retry_delay}"
+	done
+
+	r=
+	while : ; do
+		[ -s "$t" ] || break
+		cmd_is_valid "$1" "$2" "$t" || break
+		r=1
+	break ; done
+
+	if [ -z "$r" ] ; then
+		env printf '%q: unable to fetch OCSP response for %q via %q\n' "${me}" "$2" "$3" >&2
+		rm -rf "$t"
+		return 1
+	fi
+
+	r=
+	while : ; do
+		touch "$4" || break
+		tee "$4" < "$t" >/dev/null || break
+		chmod 0644 "$4" || break
+		r=1
+	break ; done
+
+	if [ -z "$r" ] ; then
+		env printf '%q: unable to save OCSP response for %q into %q\n' "${me}" "$2" "$4" >&2
+		rm -rf "$t"
+		return 1
+	fi
+
+	return 0
+}
+
+case "${cmd}" in
+is-valid )     cmd_is_valid "${chain}" "${cert}" "${ocsp_resp}" ;;
+is-expiring )  cmd_is_expiring "${chain}" "${cert}" "${ocsp_resp}" ;;
+fetch )        cmd_fetch "${chain}" "${cert}" "${ocsp_uri}" "${ocsp_resp}" ;;
+esac
--- a/.config/dotfiles/scripts/pip-env
+++ b/.config/dotfiles/scripts/pip-env
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -ef
+
+set -a
+PIP_DISABLE_PIP_VERSION_CHECK=1
+PIP_NO_CACHE_DIR=1
+PIP_ROOT_USER_ACTION=ignore
+PIP_NO_COMPILE=1
+set +a
+
+exec "$@"
--- a/.config/dotfiles/scripts/quiet
+++ b/.config/dotfiles/scripts/quiet
@@ -0,0 +1,38 @@
+#!/bin/sh
+set +e ; set -f
+
+me="${0##*/}"
+
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} <command> [arguments]
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+t=$(mktemp)
+if [ -z "$t" ] ; then
+	env printf "# %q: unable to create temporary file\\n" "${me}" >&2
+
+	## unable to create temporary file?
+	## no output in case of error
+	exec "$@" >/dev/null 2>/dev/null
+fi
+
+( "$@" ; ) >"$t" 2>"$t"
+
+r=$?
+if [ $r != 0 ] ; then
+	printf '# command:'
+	env printf ' %q' "$@"
+	echo
+	echo "# return code: $r"
+	if [ -s "$t" ] ; then
+		echo '# output:'
+		sed -E 's/^(.+)$/#>| \1/;s/^$/#=|/' < "$t"
+	fi
+fi >&2
+
+rm -f "$t"
+exit $r
--- a/.config/dotfiles/scripts/quilt-series-auto
+++ b/.config/dotfiles/scripts/quilt-series-auto
@@ -0,0 +1,10 @@
+#!/bin/sh
+set +e ; set -f
+
+[ -n "${1:?}" ] || exit 1
+[ -d "$1" ] || exit 1
+
+find "$1/" -follow -type f -printf '%P\0' \
+| sed -zEn '/\.(diff|patch)$/p' \
+| sort -zuV \
+| xargs -0r printf '%s\n'
--- a/.config/dotfiles/scripts/quilt-series-strip-comments
+++ b/.config/dotfiles/scripts/quilt-series-strip-comments
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -ef
+
+sed -E -e '/^[[:space:]]*(#|$)/d' "$@"
--- a/.config/dotfiles/scripts/run-as
+++ b/.config/dotfiles/scripts/run-as
@@ -0,0 +1,148 @@
+#!/bin/sh
+set -ef
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} <user>[:<group>] [command and arguments]
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+[ -n "$1" ] || usage 1
+
+if ! command -v setpriv >/dev/null ; then
+	env printf "%q: error: 'setpriv' is missing, unable to switch user!\\n" "${me}" >&2
+	exit 126
+fi
+
+is_id() { printf '%s' "$1" | grep -Eqz '^(0|[1-9][0-9]*)$' ; }
+
+userspec="$1" ; shift
+
+unset user group _xtra
+IFS=':' read -r user group _xtra <<-EOF
+${userspec}
+EOF
+
+if [ -z "${user}" ] ; then
+	env printf "%q: error: 'user' expected but empty\\n" "${me}" >&2
+	usage 1
+fi
+
+if [ -n "${_xtra}" ] ; then
+	env printf "%q: warning: extra data in 'user:group' specifier: %q\\n" "${me}" "${_xtra}" >&2
+fi
+unset _xtra
+
+unset _user _x _uid _gid _comment _home _shell _xtra
+IFS=':' read -r _user _x _uid _gid _comment _home _shell _xtra <<-EOF
+$(getent passwd "${user}" || : )
+EOF
+unset _x _uid _comment _xtra
+
+_has_user=0
+homedir='/'
+shell=/bin/sh
+if [ -n "${_user}" ] ; then
+	_has_user=1
+	user=${_user}
+	homedir=${_home}
+	shell=${_shell}
+elif is_id "${user}" ; then
+	## accept unknown/random uid
+	:
+else
+	env printf "%q: error: 'user' is malformed - not exist nor numeric\\n" "${me}" >&2
+	exit 1
+fi
+
+if [ -z "${group}" ] ; then
+	if [ ${_has_user} = 1 ] ; then
+		group=_gid
+	else
+		group=nogroup
+	fi
+else
+	unset _group _x _gid _users _xtra
+	IFS=':' read -r _group _x _gid _users _xtra <<-EOF
+	$(getent group "${group}" || : )
+	EOF
+	unset _x _gid _users _xtra
+
+	if [ -n "${_group}" ] ; then
+		group=${_group}
+	elif is_id "${group}" ; then
+		## accept unknown/random gid
+		:
+	else
+		env printf "%q: error: 'group' is malformed - not exist nor numeric\\n" "${me}" >&2
+		exit 1
+	fi
+fi
+
+unset _user _gid _home _shell _group _gid _users
+
+# handle username and working directory
+username='__non_existent_user__'
+init_groups='--clear-groups'
+if [ ${_has_user} = 1 ] ; then
+	username="${user}"
+	init_groups='--init-groups'
+fi
+
+unset __exec__
+_runas() {
+	${__exec__:+ exec } \
+	setpriv \
+	  --reuid="${user}" \
+	  --regid="${group}" \
+	  ${init_groups} \
+	  ${inh_caps} \
+	env \
+	  -u __exec__ \
+	  -C "${cwd}" \
+	  USER="${username}" \
+	  LOGNAME="${username}" \
+	  HOME="${homedir}" \
+	  SHELL="${shell}" \
+	"$@"
+}
+
+## TODO: support somehow flags for "setpriv"
+
+## Ubuntu 20.04 "Focal":
+## setpriv: libcap-ng is too old for "all" caps
+cwd=/
+inh_caps='--inh-caps=-all'
+_runas true >/dev/null 2>&1 || inh_caps=
+
+cwd=
+for i in "${PWD}" "${homedir}" / ; do
+	[ -d "$i" ] || continue
+
+	cwd=/
+	if _runas ls -l "$i" >/dev/null ; then
+		if [ "$i" != "${PWD}" ] ; then
+			env printf "%q: info: working directory will be changed to %q\\n" "${me}" "$i" >&2
+		fi
+
+		cwd="$i"
+		break
+	else
+		env printf "%q: warning: user %q can't access directory %q\\n" "${me}" "${user}" "$i" >&2
+	fi
+	cwd=
+done
+
+if [ -z "${cwd}" ] ; then
+	env printf "%q: error: unable to find appropriate working directory\\n" "${me}" >&2
+	exit 1
+fi
+
+__exec__=1
+if [ $# = 0 ] ; then
+	_runas id
+else
+	_runas "$@"
+fi
--- a/.config/dotfiles/scripts/sperl
+++ b/.config/dotfiles/scripts/sperl
@@ -0,0 +1 @@
+_perl-wrapper.sh
--- a/.config/dotfiles/scripts/static-compress
+++ b/.config/dotfiles/scripts/static-compress
@@ -0,0 +1,89 @@
+#!/bin/sh
+set +e ; set -f
+
+: "${GZIP_COMPLEVEL:=1}"
+: "${BROTLI_COMPLEVEL:=1}"
+: "${ZSTD_COMPLEVEL:=1}"
+
+has_gzip=1 has_brotli=1 has_zstd=1
+check-bin-pkg gzip   || has_gzip=
+check-bin-pkg brotli || has_brotli=
+check-bin-pkg zstd   || has_zstd=
+
+if [ -z "${has_gzip}${has_brotli}${has_zstd}" ] ; then
+	env printf "%q: suitable compressors are missing\\n" "${0##*/}" >&2
+	exit 1
+fi
+
+do_gzip() {
+	[ "$1" -nt "$1.gz" ] || return 0
+	gzip "-${GZIP_COMPLEVEL}kf" "$1" || return $?
+	comp_fixup "$1" "$1.gz" || rm -f "$1.gz"
+}
+
+do_brotli() {
+	[ "$1" -nt "$1.br" ] || return 0
+	brotli "-${BROTLI_COMPLEVEL}kf" "$1" || return $?
+	comp_fixup "$1" "$1.br" || rm -f "$1.br"
+}
+
+do_zstd() {
+	[ "$1" -nt "$1.zst" ] || return 0
+	zstd "-${ZSTD_COMPLEVEL}kfq" "$1" || return $?
+	comp_fixup "$1" "$1.zst" || rm -f "$1.zst"
+}
+
+have_cmd() { command -v "$1" </dev/null >/dev/null 2>&1 ; }
+
+unset has_mawk
+if have_cmd mawk ; then has_mawk=1 ; fi
+mawk_then_awk() {
+	if [ -n "${has_mawk}" ]
+	then mawk "$@"
+	else awk "$@"
+	fi
+}
+
+float_div() {
+	mawk_then_awk -v "a=$1" -v "b=$2" 'BEGIN{print a/b;exit;}' </dev/null
+}
+
+comp_fixup() {
+	[ -f "$1" ] || return 1
+	size1=$(env stat -Lc '%s' "$1") || return 1
+	[ -n "${size1}" ] || return 1
+	[ "${size1}" != 0 ] || return 1
+
+	[ -f "$2" ] || return 1
+	size2=$(env stat -c '%s' "$2") || return 1
+	[ -n "${size2}" ] || return 1
+	[ "${size2}" != 0 ] || return 1
+
+	ratio=$(float_div "${size2}" "${size1}") || return 1
+	case "${ratio}" in
+	[0-9]*e-[0-9]* )
+		## doubtful but okay (c) Oleg Tinkov
+	;;
+	0.[0-8]* | 0.9[0-5]* )
+		## compression ratio below 95% is fine enough
+	;;
+	* ) return 1 ;;
+	esac
+
+	return 0
+}
+
+for i ; do
+	[ -n "$i" ] || continue
+
+	case "$i" in
+	*.br | *.gz | *.zst ) continue ;;
+	esac
+
+	[ -f "$i" ] || continue
+	[ -s "$i" ] || continue
+
+	[ -z "${has_gzip}"   ] || do_gzip   "$i"
+	[ -z "${has_brotli}" ] || do_brotli "$i"
+	[ -z "${has_zstd}"   ] || do_zstd   "$i"
+done
--- a/.config/dotfiles/scripts/to
+++ b/.config/dotfiles/scripts/to
@@ -0,0 +1 @@
+_rsync-wrapper.sh
--- a/.config/dotfiles/scripts/try-read-stdin
+++ b/.config/dotfiles/scripts/try-read-stdin
@@ -0,0 +1,42 @@
+#!/bin/sh
+set +e ; set -f
+
+_timelimit='15s'
+
+me="${0##*/}"
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${me} [<timeout>]
+	# if <timeout> is not specified then default '${_timelimit}' is used
+	# <timeout> format: [1-9][0-9]*[smh]
+	EOF
+	exit "${1:-0}"
+}
+
+case "$1" in
+-h | --help ) usage ;;
+esac
+
+_timeout() { timeout --verbose --kill-after=3s --foreground "$@" ; }
+
+tlimit="${1:-${_timelimit}}"
+case "${tlimit}" in
+*s | *m | *h )
+	printf '%s' "${tlimit}" | grep -zEq '^[1-9][0-9]*[smh]$' || {
+		env printf "%q: broken <timeout> format: %q\\n" "${me}" "${tlimit}" >&2
+		usage 1
+	}
+;;
+* )
+	env printf "%q: unsupported <timeout> format: %q\\n" "${me}" "${tlimit}" >&2
+	usage 1
+;;
+esac
+
+## verify tlimit
+_timeout "${tlimit}" /bin/true || usage 1
+
+_dd='dd conv=notrunc status=none'
+
+_timeout "${tlimit}" ${_dd} bs=1 count=1 || exit 1
+exec ${_dd}
--- a/.config/dotfiles/scripts/ufind.sh
+++ b/.config/dotfiles/scripts/ufind.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+set +e ; set -f
+
+find "$@" -follow -type f -print0 \
+| xargs -0 -r -n 128 stat -L --printf='%d:%i|%n\0' \
+| sort -z -u -t '|' -k1,1 \
+| cut -z -d '|' -f 2 \
+| tr '\0' '\n'
--- a/.config/dotfiles/scripts/zap-tree
+++ b/.config/dotfiles/scripts/zap-tree
@@ -0,0 +1,30 @@
+#!/bin/sh
+set +e ; set -f
+
+if [ -z "${ZAP_TREE}" ] ; then
+	export ZAP_TREE=1
+
+	## intrusive parallelism
+	jobs=$(nproc)
+	jobs=$(( jobs + (jobs + 1)/2 ))
+
+	for i ; do
+		[ -d "$i" ] || continue
+		find "$i/" -mindepth 1 -maxdepth 1 -type d -print0
+	done \
+	| xargs -0 -r readlink -e \
+	| sort -zuV \
+	| xargs -0 -r -n 1 -P "${jobs}" "$0"
+
+	exit
+fi
+
+find_fast() {
+	find "$@" -printf . -quit | grep -Fq .
+}
+
+for i ; do
+	[ -d "$i" ] || continue
+
+	find_fast "$i/" ! -type d || rm -rfv "$i"
+done
--- a/.config/dotfiles/woodpecker.yml
+++ b/.config/dotfiles/woodpecker.yml
@@ -0,0 +1,34 @@
+steps:
+  - name: check
+    image: docker.io/debian:trixie-slim
+    environment:
+      DEBCONF_NONINTERACTIVE_SEEN: 'true'
+      DEBIAN_FRONTEND: 'noninteractive'
+      DEBIAN_PRIORITY: 'critical'
+      TERM: 'linux'
+      MALLOC_ARENA_MAX: '4'
+    commands:
+      - |
+        : # install required packages
+        apt-get -y update
+        apt-get -y install file findutils git shellcheck zsh
+        apt-get -y clean
+      - |
+        : # verify that repo doesn't contain "garbage"
+        find_fast() {
+            find "$@" -printf . -quit | grep -Fq .
+        }
+        if find_fast ./ -type f -name '*.zwc' ; then
+          echo 'found *.zwc' >&2
+          find ./ -type f -name '*.zwc' | sort -V
+          exit 1
+        fi
+      - |
+        : # try zsh compile
+        git ls-files | sort -uV | xargs -r file -N -i | grep text/x-shellscript | cut -d: -f1 \
+        | xargs -r -n1 zsh -efc 'zcompile -UR "$@"' --
+        find ./ -type f -name '*.zwc' -delete
+      - |
+        : # try shellcheck (except for *.zsh)
+        git ls-files | grep -Fv '.zsh' | sort -uV | xargs -r file -N -i | grep text/x-shellscript | cut -d: -f1 \
+        | xargs -r -n1 shellcheck
--- a/.config/htop/htoprc.dist
+++ b/.config/htop/htoprc.dist
@@ -0,0 +1,65 @@
+# Beware! This file is rewritten by htop when settings are changed in the interface.
+# The parser is also very primitive, and not human-friendly.
+htop_version=3.3.0
+config_reader_min_version=3
+fields=0 48 17 18 38 39 40 2 46 47 49 1
+hide_kernel_threads=1
+hide_userland_threads=1
+hide_running_in_container=0
+shadow_other_users=0
+show_thread_names=1
+show_program_path=1
+highlight_base_name=1
+highlight_deleted_exe=1
+shadow_distribution_path_prefix=1
+highlight_megabytes=1
+highlight_threads=1
+highlight_changes=0
+highlight_changes_delay_secs=5
+find_comm_in_cmdline=1
+strip_exe_from_cmdline=1
+show_merged_command=0
+header_margin=1
+screen_tabs=1
+detailed_cpu_time=1
+cpu_count_from_one=0
+show_cpu_usage=1
+show_cpu_frequency=1
+show_cpu_temperature=1
+degree_fahrenheit=0
+update_process_names=0
+account_guest_in_cpu_meter=1
+color_scheme=0
+enable_mouse=1
+delay=11
+hide_function_bar=0
+header_layout=three_30_40_30
+column_meters_0=Hostname System DateTime Uptime Blank Tasks LoadAverage FileDescriptors
+column_meter_modes_0=2 2 2 2 2 2 2 2
+column_meters_1=Memory HugePages Swap Blank AllCPUs2
+column_meter_modes_1=1 1 1 2 1
+column_meters_2=DiskIO NetworkIO Battery Blank PressureStallCPUSome PressureStallMemorySome PressureStallMemoryFull PressureStallIOSome PressureStallIOFull
+column_meter_modes_2=2 2 2 2 2 2 2 2 2
+tree_view=1
+sort_key=46
+tree_sort_key=0
+sort_direction=-1
+tree_sort_direction=1
+tree_view_always_by_pid=1
+all_branches_collapsed=0
+screen:Main=PID USER PRIORITY NICE M_VIRT M_RESIDENT M_SHARE STATE PERCENT_CPU PERCENT_MEM TIME Command
+.sort_key=PERCENT_CPU
+.tree_sort_key=PID
+.tree_view_always_by_pid=1
+.tree_view=1
+.sort_direction=-1
+.tree_sort_direction=1
+.all_branches_collapsed=0
+screen:I/O=PID USER IO_PRIORITY IO_RATE IO_READ_RATE IO_WRITE_RATE PERCENT_SWAP_DELAY PERCENT_IO_DELAY Command
+.sort_key=PID
+.tree_sort_key=PID
+.tree_view_always_by_pid=1
+.tree_view=1
+.sort_direction=-1
+.tree_sort_direction=1
+.all_branches_collapsed=0
--- a/.config/mc/ini.dist
+++ b/.config/mc/ini.dist
@@ -0,0 +1,2 @@
+[Midnight-Commander]
+skin=dark
--- a/.config/sbuild/config.pl.dist
+++ b/.config/sbuild/config.pl.dist
@@ -0,0 +1,21 @@
+$chroot_mode = "schroot";
+$build_path = '';
+
+$pgp_options = [ '-us', '-uc', '-ui' ];
+
+$build_arch_all = 1;
+$build_arch_any = 1;
+$check_space = 0;
+$enable_network = 1;
+
+$run_autopkgtest = 0;
+$run_lintian = 0;
+$run_piuparts = 0;
+
+$apt_distupgrade = 1;
+$apt_upgrade = 1;
+
+$purge_build_directory = 'successful';
+
+# don't remove this, Perl needs it:
+1;
--- a/.config/zsh.dots/.zshenv
+++ b/.config/zsh.dots/.zshenv
@@ -0,0 +1,6 @@
+#!/bin/zsh
+if [[ -o interactive ]] ; then
+    ## early redirect
+    ZDOTDIR="${ZDOTDIR%/${ZDOTDIR:t2}}"
+    source "${ZDOTDIR}/.zshenv"
+fi
--- a/.config/zsh/_.zsh
+++ b/.config/zsh/_.zsh
@@ -0,0 +1,57 @@
+#!/bin/zsh
+
+## early load modules
+zmodload zsh/mathfunc zsh/datetime zsh/zprof
+
+typeset -gA ZSHU
+
+__z_unsupported() { echo "not supported" >&2 ; }
+
+ZSHU[t_begin]=${(%):-%D{%s.%6.}}
+
+ZSHU[d_zdot]="${ZDOTDIR}"
+ZSHU[d_dotfiles]="${ZDOTDIR}/.config/dotfiles"
+ZSHU[d_conf]="${ZDOTDIR}/.config/zsh"
+ZSHU[d_cache]="${ZDOTDIR}/.cache/zsh"
+
+ZSHU[d_var]="${ZSHU[d_conf]}/var"
+ZSHU[d_bin]="${ZSHU[d_dotfiles]}/bin"
+ZSHU[d_scripts]="${ZSHU[d_dotfiles]}/scripts"
+
+## early escape
+unsetopt global_rcs
+
+## safety measure:
+## redirect all following activity within ZDOTDIR to cache
+export ZDOTDIR="${ZDOTDIR}/.config/zsh.dots"
+
+## cleanup: start from scratch
+for i ( a s f d ) ; do unhash -$i -m '*' ; done ; unset i
+
+## set default umask
+umask 0022
+
+zshu_parts=( env opt lib rc alias local )
+
+for n ( ${zshu_parts} ) ; do
+    [ -s "${ZSHU[d_conf]}/$n.zsh" ] || continue
+    source "${ZSHU[d_conf]}/$n.zsh"
+done ; unset n
+
+for n ( ${zshu_parts} ) ; do
+    [ -d "${ZSHU[d_conf]}/$n" ] || continue
+    for i ( "${ZSHU[d_conf]}/$n"/*.zsh(N.r) ) ; do
+        source "$i"
+    done
+done ; unset i n
+
+unset zshu_parts
+
+hash -f
+
+t=${(%):-%D{%s.%6.}}
+t=$[ t - ZSHU[t_begin] ]
+unset 'ZSHU[t_begin]'
+n=${t#*.}
+ZSHU[t_load]=${t%.*}.${n:0:4}
+unset n t
--- a/.config/zsh/_wip/enclave.zsh.wip
+++ b/.config/zsh/_wip/enclave.zsh.wip
@@ -0,0 +1,63 @@
+#!/bin/zsh
+
+if autoload -Uz add-zsh-hook ; then
+
+ZSHU[f_enclave]="${ZSHU[d_var]}/enclave"
+[ -f "${ZSHU[f_enclave]}" ] || touch "${ZSHU[f_enclave]}"
+[ -s "${ZSHU[f_enclave]}" ] && . "${ZSHU[f_enclave]}"
+
+## <test data>
+test_enclave_enter() { echo "you are in $1 enclave" 1>&2 ; }
+test_enclave_leave() { echo "you are left $1 enclave" 1>&2 ; }
+
+zstyle ":enclave:box1:path:${HOME}/prj/*" ''
+zstyle ":enclave:box1:path:${HOME}/prj/_stale/*" exclude
+zstyle ':enclave:box1:env:unset' 'var2'
+zstyle ':enclave:box1:env:set' 'var1' 1
+zstyle ':enclave:box1:on_enter' test_enclave_enter
+zstyle ':enclave:box1:on_leave' test_enclave_leave
+
+zstyle ":enclave:box2:path:${HOME}/doc/*" ''
+zstyle ":enclave:box2:path:${HOME}/doc/work/*" exclude
+zstyle ':enclave:box2:env:unset' 'var1'
+zstyle ':enclave:box2:env:set' 'var2' 1
+zstyle ':enclave:box2:on_enter' test_enclave_enter
+zstyle ':enclave:box2:on_leave' test_enclave_leave
+
+typeset -g var1=0
+typeset -g var2=0
+## </test data>
+
+__z_enclave_list() {
+    local -aU list=( $(zstyle -L ':enclave:*' \
+                       | sed -En "/^zstyle '?:enclave:([^:]+):.*\$/{s//\1/;p;}") )
+    printf '%s' "${(j: :)list}"
+}
+
+__z_chpwd_enclave() {
+    [ -z "${PWD}" ] && return
+    ## enclave changed? if no - do nothing
+    [ -z "${OLDPWD}" ] && return
+    [ "${PWD}" = "${OLDPWD}" ] && return
+
+    local a
+    zstyle -s ":enclave:*:path:$PWD" '' a && \
+    declare -p a
+
+    ## call on_leave()
+    ## unset previously set
+    ## set previously set
+
+    env > /tmp/env
+}
+
+# zstyle -L ':enclave:*'
+# echo
+
+
+    add-zsh-hook chpwd __z_chpwd_enclave
+    __z_chpwd_enclave
+
+else
+    echo "enclaves are disabled due to missing hook support" 1>&2
+fi
--- a/.config/zsh/alias.zsh
+++ b/.config/zsh/alias.zsh
@@ -0,0 +1,5 @@
+#!/bin/zsh
+
+alias which='whence -p '
+alias which-command='whence -p '
+alias zsh-which='whence -c '
--- a/.config/zsh/alias/containers.zsh
+++ b/.config/zsh/alias/containers.zsh
@@ -0,0 +1,197 @@
+#!/bin/zsh
+
+typeset -Uga ZSHU_CNTR_SHELLS=( /bin/bash /bin/sh /bin/ash )
+typeset -ga ZSHU_CNTR_FALLBACK_SHELL=( /busybox/busybox sh )
+
+alias bud='buildah bud --network=host -f '
+
+function {
+    local i
+    for i ( run images ps top inspect logs ) ; do
+        alias "pod-$i"="podman $i "
+    done
+}
+
+z-pod() { command podman "$@" ; }
+
+alias podman='z-podman '
+z-podman() {
+    case "${1:-}" in
+    run )    shift ; z-pod-run "$@" ;;
+    images ) shift ; z-pod-images "$@" ;;
+    ps )     shift ; z-pod-ps "$@" ;;
+    top )    shift ; z-pod-top "$@" ;;
+    * ) z-pod "$@" ;;
+    esac
+}
+
+z-pod-run() {
+    z-pod run -e "TERM=${TERM:-linux}" --rm -it "$@"
+}
+
+z-pod-images() {
+    local have_flags=0
+    case "$1" in
+    -* ) have_flags=1 ;;
+    esac
+    if [ ${have_flags} = 1 ] ; then
+        z-pod images "$@"
+        return $?
+    fi
+    z-pod images --format 'table {{.ID}} {{.Repository}}:{{.Tag}} {{.Size}} {{.Created}} |{{.CreatedAt}}' "$@"
+}
+
+z-pod-ps() {
+    local have_flags=0
+    case "$1" in
+    -* ) have_flags=1 ;;
+    esac
+    if [ ${have_flags} = 1 ] ; then
+        z-pod ps "$@"
+        return $?
+    fi
+    z-pod ps -a --sort names --format 'table {{.ID}} {{.Names}} {{.Image}} {{.CreatedHuman}} {{.Status}}' "$@"
+}
+
+z-pod-top() {
+    local have_flags=0
+    case "$1" in
+    -* ) have_flags=1 ;;
+    esac
+    if [ ${have_flags} = 1 ] ; then
+        z-pod top "$@"
+        return $?
+    fi
+    if [ $# -eq 1 ] ; then
+        z-pod top "$1" 'pid,ppid,user,args,pcpu,time,stime,etime,state,nice,rss,vsz'
+    else
+        z-pod top "$@"
+    fi
+}
+
+pod-images-grep() {
+    z-pod-images \
+    | {
+        if [ -z "$1" ] ; then
+            head
+        else
+            sed -En "1{p;D};\\${ZSHU_XSED}$1${ZSHU_XSED}p"
+        fi
+    }
+}
+
+## NB: naive. rewrite!
+pod-run-sh() {
+    local -a cntr_opts=( --network=host --entrypoint='[]' --user=0:0 )
+    local i
+    local -a shell
+    for i ( ${ZSHU_CNTR_SHELLS} ) ; do
+        echo "pod-run-sh: trying $i as shell" >&2
+        z-pod-run ${cntr_opts[@]} "$@" "$i" -c ':' 2>/dev/null || continue
+        shell=($i) ; break
+    done
+    while [ -z "${shell}" ] ; do
+        echo "pod-run-sh: trying '${ZSHU_CNTR_FALLBACK_SHELL[*]}' as last-resort shell" >&2
+        z-pod-run ${cntr_opts[@]} "$@" ${ZSHU_CNTR_FALLBACK_SHELL[@]} -c ':' 2>/dev/null || break
+        shell=(${ZSHU_CNTR_FALLBACK_SHELL})
+        break
+    done
+    if [ -z "${shell}" ] ; then
+        echo "unable to run: $*"
+        return 1
+    fi
+    z-pod-run ${cntr_opts[@]} "$@" ${shell[@]}
+}
+
+## NB: naive. rewrite!
+sko-inspect() {
+    local i
+    i="${1:?}" ; shift
+    command skopeo inspect "$@" "docker://$i"
+}
+
+## NB: naive. rewrite!
+sko-list-tags() {
+    local i
+    i="${1:?}" ; shift
+    command skopeo list-tags "$@" "docker://$i"
+}
+
+## NB: naive. rewrite!
+pod-dive() {
+    local i
+    i="${1:?}" ; shift
+    command dive "$@" "podman://$i"
+}
+
+jq-visual() { jq -C | "${PAGER:-cat}" ; }
+jq-config() { jq '.[].Config' ; }
+jq-tags() { jq -r '.Tags[]' ; }
+
+alias dkr='docker '
+alias dkr-run='dkr run -e "TERM=${TERM:-linux}" --rm -it '
+alias dkr-ps='dkr ps '
+alias dkr-images='dkr images --format "table {{.ID}}\\t{{.Repository}}:{{.Tag}}\\t{{.Size}}\\t{{.CreatedAt}}" '
+alias dkr-inspect='dkr inspect '
+alias dkr-logs='dkr logs '
+
+z-dkr() { command docker "$@" ; }
+
+z-dkr-run() {
+    z-dkr run -e "TERM=${TERM:-linux}" --rm -it "$@"
+}
+
+## NB: naive. rewrite!
+dkr-run-sh() {
+    local -a cntr_opts=( --network=host --entrypoint='' --user=0:0 )
+    local i
+    local -a shell
+    for i ( ${ZSHU_CNTR_SHELLS} ) ; do
+        echo "dkr-run-sh: trying $i as shell" >&2
+        z-dkr-run ${cntr_opts[@]} "$@" "$i" -c ':' 2>/dev/null || continue
+        shell=($i) ; break
+    done
+    while [ -z "${shell}" ] ; do
+        echo "dkr-run-sh: trying '${ZSHU_CNTR_FALLBACK_SHELL[*]}' as last-resort shell" >&2
+        z-dkr-run ${cntr_opts[@]} "$@" ${ZSHU_CNTR_FALLBACK_SHELL[@]} -c ':' 2>/dev/null || break
+        shell=(${ZSHU_CNTR_FALLBACK_SHELL})
+        break
+    done
+    if [ -z "${shell}" ] ; then
+        echo "unable to run: $*"
+        return 1
+    fi
+    z-dkr-run ${cntr_opts[@]} "$@" ${shell[@]}
+}
+
+## NB: naive. rewrite!
+dkr-dive() {
+    local i
+    i="${1:?}" ; shift
+    command dive "$@" "docker://$i"
+}
+
+typeset -g ZSHU_GRP_DOCKER=docker
+z-adjust-docker() {
+    [ ${UID} -eq 0 ] && return 0
+
+    getent group "${ZSHU_GRP_DOCKER}" >/dev/null || return 1
+    (( ${+commands[docker]} )) || return 127
+
+    local _users=$(getent group "${ZSHU_GRP_DOCKER}" | cut -d: -f4)
+    local -a users=("${(@s[,])_users}")
+    local i found
+    for i ( ${users}) ; do
+        if [ "$i" = "${USERNAME}" ] ; then
+            found=1
+            break
+        fi
+    done
+    [ -n "${found}" ] && return 0
+
+    (( ${+commands[sudo]} )) || return 127
+
+    alias docker='sudo docker '
+    z-dkr() { command sudo docker "$@" ; }
+    return 0
+}
--- a/.config/zsh/alias/diff.zsh
+++ b/.config/zsh/alias/diff.zsh
@@ -0,0 +1,5 @@
+#!/bin/zsh
+
+z-alt-set-static \
+    'diff|. .' \
+    'diff --color=auto|diff'
--- a/.config/zsh/alias/directories.zsh
+++ b/.config/zsh/alias/directories.zsh
@@ -0,0 +1,31 @@
+#!/bin/zsh
+
+## alias -g ...='../..'
+## alias -g ....='../../..'
+## ...
+for (( i=3 ; i < 10 ; i++ )) ; do
+    alias -g ${(l:i::.:)}='..'${(l:3*(i-2)::/..:)}
+done ; unset i
+
+alias -- -='cd -'
+alias 1='cd -'
+## alias 2='cd -2'
+## ...
+for (( i=2 ; i < 10 ; i++ )) ; do
+    alias $i="cd -$i"
+done ; unset i
+
+## "Go to Dir" - create path if missing
+gd() {
+    [ $# -lt 2 ] || echo "# gd() takes no more than one argument, seen instead: $#" >&2
+
+    case "$#" in
+    0 ) cd ;;
+    * )
+        if ! [ -d "$1" ] ; then
+            mkdir -p "$1" || return $?
+        fi
+        cd "$1"
+    ;;
+    esac
+}
--- a/.config/zsh/alias/git.zsh
+++ b/.config/zsh/alias/git.zsh
@@ -0,0 +1,80 @@
+#!/bin/zsh
+
+alias gar='git-archive-ref '
+alias gbr='git-br '
+alias gds='git diff -p --stat=200 '
+alias gdu='git-dir-usage '
+alias ggc='git-gc '
+alias ggcf='git-gc-force '
+alias gst='git status -s '
+
+git-dir-usage() {
+    local gitdir x topdir
+    gitdir=$(__z_git rev-parse --git-dir) || return $?
+    x=$(__z_git rev-parse --path-format=absolute 2>/dev/null) || return $?
+    if [ -n "$x" ] ; then
+        ## older git version which does not support "--path-format=absolute"
+        : TODO
+    else
+        gitdir=$(__z_git rev-parse --path-format=absolute --git-dir) || return $?
+    fi
+
+    case "${gitdir}" in
+    */* ) topdir=${gitdir:h} ; gitdir=${gitdir:t} ;;
+    esac
+
+    local -a subdirs
+    for x ( logs/refs objects/info objects/pack ) ; do
+        [ -d "${gitdir}/$x" ] || continue
+        subdirs+="${gitdir}/$x"
+    done
+    
+    (
+        [ -n "${topdir}" ] && cd "${topdir}/"
+        if [ ${#subdirs} -gt 0 ] ; then
+            du -d1 "${subdirs[@]}"
+        fi
+        du -d1 "${gitdir}"
+    ) | grep -Ev '^[0-9]K?\s' | sort -Vk2
+}
+
+git-gc() {
+    git-dir-usage || return $?
+    echo
+    echo "# git gc $*" >&2
+    z-time idle git gc "$@"
+    echo
+    git-dir-usage
+}
+
+git-gc-force() {
+    git-dir-usage || return $?
+    echo
+    echo "# git gc --aggressive --force $*" >&2
+    z-time idle git gc --aggressive --force "$@"
+    echo
+    echo "# git repack -Ad" >&2
+    z-time idle git repack -Ad
+    echo
+    git-dir-usage
+}
+
+git-archive-ref() {
+    local name ver gitref topdir c_hash c_time out
+    name="${1:?}" ver="${2:?}" gitref="${3:?}"
+    topdir=$(__z_git rev-parse --show-toplevel) || return $?
+    c_hash=$(__z_git log -n 1 --format='%h' --abbrev=12 "${gitref}") || return $?
+    c_time=$(__z_git log -n 1 --format='%cd' --date='format:%Y%m%d.%H%M%S' "${gitref}") || return $?
+    out="${name}_${ver}+git.${c_time}.${c_hash}.tar"
+    topdir=${topdir:h}
+    git archive --format=tar -o "${topdir}/${out}" --prefix="${name}-${ver}-git.${c_hash}/" "${gitref}" || return $?
+    echo "archived to ${out} in ${topdir}/" >&2
+}
+
+git-br() {
+    __z_git -c core.pager='cat' branch --no-abbrev "$@"
+}
+
+git-rebase-log() {
+    git log --format='pick %h # %s' --reverse "$@"
+}
--- a/.config/zsh/alias/grep.zsh
+++ b/.config/zsh/alias/grep.zsh
@@ -0,0 +1,31 @@
+#!/bin/zsh
+
+z-alt-grep() {
+    local -a a
+    local n
+
+    a=( ${(@s:|:)1} )
+    [ ${#a} = 0 ] && a=( "$1" )
+    n=${#a}
+    [ -z "$1" ] && n=0
+    case "$n" in
+    0 ) ;;
+    * )
+        z-alt-set-static \
+          "grep|-q -e ' ' ${ZSHU[d_conf]}/_.zsh" \
+          "$1" \
+          "GREP_OPTIONS='' command" \
+    ;;
+    esac
+}
+
+## TODO: add --exclude-dir={.bzr,CVS,.git,.hg,.svn,.idea,.tox}
+GREP_GNU='--color=auto'
+
+z-alt-grep "grep ${GREP_GNU}|grep"
+unfunction z-alt-grep
+unset GREP_GNU
+
+alias grep='grep '
+alias egrep='grep -E '
+alias fgrep='grep -F '
--- a/.config/zsh/alias/history.zsh
+++ b/.config/zsh/alias/history.zsh
@@ -0,0 +1,5 @@
+#!/bin/zsh
+
+fc() { builtin fc -i "$@" ; }
+
+# history() { builtin fc -il "$@" ; }
--- a/.config/zsh/alias/idle.zsh.old
+++ b/.config/zsh/alias/idle.zsh.old
@@ -0,0 +1,42 @@
+#!/bin/zsh
+
+idle() {
+    [ -n "${1:?}" ]
+
+    local f
+
+    f=$(type "$1")
+    case "$f" in
+    "$1 is /"* )
+        z-idle-ext "$@"
+    ;;
+    * )
+        z-idle-int "$@"
+    ;;
+    esac
+}
+
+z-idle-ext() {
+    [ -n "${1:?}" ]
+
+    local -a s
+
+    s+=( $(z-alt-find 'nice -n +40') )
+    s+=( $(z-alt-find 'chrt -i 0'  ) )
+    s+=( $(z-alt-find 'ionice -c 3') )
+    command ${s[@]} "$@"
+}
+
+z-idle-int() {
+    [ -n "${1:?}" ]
+
+    ## execute in subshell
+    (
+        {
+        command renice -n +40 -p ${sysparams[pid]}
+        command chrt -i -p 0 ${sysparams[pid]}
+        command ionice -c 3 -p ${sysparams[pid]}
+        } </dev/null &>/dev/null
+        "$@"
+    )
+}
--- a/.config/zsh/alias/k8s.zsh
+++ b/.config/zsh/alias/k8s.zsh
@@ -0,0 +1,3 @@
+#!/bin/zsh
+
+alias k='kubectl '
--- a/.config/zsh/alias/kconfig.zsh
+++ b/.config/zsh/alias/kconfig.zsh
@@ -0,0 +1,23 @@
+#!/bin/zsh
+
+kconf-set() {
+    local n v
+    n="${1:?}" v=$2
+    shift 2
+
+    [ $# -gt 0 ] || return 1
+
+    command grep -ElZ "^((CONFIG_)?$n=|# (CONFIG_)?$n is not set)" "$@" \
+    | xargs -0 -r sed -i -E -e "s/^(((CONFIG_)?$n)=.+|# ((CONFIG_)?$n) is not set)\$/\\2\\4=$v/"
+}
+
+kconf-unset() {
+    local n
+    n="${1:?}"
+    shift
+
+    [ $# -gt 0 ] || return 1
+
+    command grep -ElZ "^(CONFIG_)?$n=" "$@" \
+    | xargs -0 -r sed -i -E -e "s/^((CONFIG_)?$n)=.+\$/# \\1 is not set/"
+}
--- a/.config/zsh/alias/ls.zsh
+++ b/.config/zsh/alias/ls.zsh
@@ -0,0 +1,57 @@
+#!/bin/zsh
+
+if [ -z "${LS_COLORS}" ] ; then
+    (( $+commands[dircolors] )) && eval "$(dircolors -b)"
+fi
+
+case "${ZSHU[os_family]}" in
+bsd | darwin ) export LSCOLORS="Gxfxcxdxbxegedabagacad" ;;
+esac
+
+z-alt-ls() {
+    local -a a
+    local n
+
+    a=( ${(@s:|:)1} )
+    [ ${#a} = 0 ] && a=( "$1" )
+    n=${#a}
+    [ -z "$1" ] && n=0
+    case "$n" in
+    0 ) ;;
+    * )
+        z-alt-set-static \
+          'ls|-d .' \
+          "$1" \
+          "LS_OPTIONS='' command"
+    ;;
+    esac
+}
+
+LS_GNU='--color=tty --group-directories-first'
+
+case "${ZSHU[os_type]}" in
+linux* )   alt="ls ${LS_GNU}|ls" ;;
+netbsd* )  alt="gls ${LS_GNU}|ls" ;;
+openbsd* ) alt="gls ${LS_GNU}|colorls -G|ls" ;;
+freebsd* ) alt="gls ${LS_GNU}|ls -G|ls" ;;
+darwin* )  alt="gls ${LS_GNU}|ls -G|ls" ;;
+* )        alt="ls ${LS_GNU}|ls" ;;
+esac
+
+z-alt-ls "${alt}"
+unset -f z-alt-ls
+unset alt LS_GNU
+
+[ -n "${LS_COLORS}" ] && zstyle ':completion:*' list-colors "${(s.:.)LS_COLORS}"
+
+case "${ZSHU[os_family]}" in
+linux ) alias l='ls -lhF ' ;;
+bsd )   alias l='ls -lhIF ' ;;
+esac
+
+alias ll='ls -lAF '
+
+case "${ZSHU[os_family]}" in
+linux ) alias lll='ls -lAn --full-time ' ;;
+bsd )   alias lll='ls -lAnT ' ;;
+esac
--- a/.config/zsh/alias/openwrt.zsh
+++ b/.config/zsh/alias/openwrt.zsh
@@ -0,0 +1,42 @@
+#!/bin/zsh
+
+openwrt-ssh() {
+    ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no "$@"
+}
+
+openwrt-apk-list() {
+    (( ${+commands[openwrt-apk]} )) || {
+        echo 'missing "openwrt-apk"' >&2
+        return 127
+    }
+
+    local i w
+    w=$(mktemp -d) ; : "${w:?}"
+    for i ; do
+        [ -n "$i" ] || continue
+        find "$w/" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
+        find "$w/" -mindepth 1 -maxdepth 1 -exec rm -rf {} + || return
+        openwrt-apk extract --no-cache --no-logfile --no-network --no-check-certificate --allow-untrusted --no-chown --destination "$w" "$i"
+        env -C "$w" find ./ -mindepth 1 -exec ls -ldgG --color {} +
+    done
+    rm -rf "$w"
+}
+
+openwrt-ipk-list() {
+    local i m o
+    for i ; do
+        [ -n "$i" ] || continue
+        o=0
+        for m ( './data.tar.gz' 'data.tar.gz' ) ; do
+            tar -tf "$i" "$m" 2>/dev/null || continue
+            o=1
+            env printf '%q:\n' "$i"
+            tar -Oxf "$i" "$m" | tar -ztvf -
+            break
+        done
+        if [ "$o" = '0' ] ; then
+            env printf '%q: missing data.tar.gz\n' "$i"
+            continue
+        fi
+    done
+}
--- a/.config/zsh/alias/sudo.zsh
+++ b/.config/zsh/alias/sudo.zsh
@@ -0,0 +1,10 @@
+#!/bin/zsh
+
+function {
+    local c
+    if [ ${UID} -ne 0 ] ; then
+        c='sudo -i '
+    fi
+    alias sudo-i="$c"
+    alias sudoi="$c"
+}
--- a/.config/zsh/alias/telnet.zsh
+++ b/.config/zsh/alias/telnet.zsh
@@ -0,0 +1,6 @@
+#!/bin/zsh
+
+case "${ZSHU[os_type]}" in
+linux-gnu ) alias tl='telnet -K ' ;;
+*bsd* )     alias tl='telnet -K -N -y ' ;;
+esac
--- a/.config/zsh/completion/.keep
+++ b/.config/zsh/completion/.keep
--- a/.config/zsh/completion/bash.zsh
+++ b/.config/zsh/completion/bash.zsh
@@ -0,0 +1,5 @@
+#!/bin/zsh
+
+for i ( buildah ) ; do
+    __z_comp_bash $i
+done ; unset i
--- a/.config/zsh/completion/external.zsh
+++ b/.config/zsh/completion/external.zsh
@@ -0,0 +1,17 @@
+#!/bin/zsh
+
+typeset -A ZSHU_COMP_EXTERNAL
+
+for i ( kubectl podman skopeo docker ) ; do
+    ZSHU_COMP_EXTERNAL[$i]="command $i completion zsh"
+done ; unset i
+
+## example of "automatic" shell completion generation
+# ZSHU_COMP_EXTERNAL[yq]='command yq shell-completion zsh'
+__z_comp_ext__yq() { command yq shell-completion zsh ; }
+
+## example of more complex shell completion generation
+# __z_comp__shifty_nifty() { command shifty-nifty completion zsh | sed -E 's/shifty_nifty/shifty-nifty/g' ; }
+# ZSHU_COMP_EXTERNAL[shifty-nifty]='__z_comp__shifty_nifty'
+
+z-comp-auto
--- a/.config/zsh/completion/system.zsh
+++ b/.config/zsh/completion/system.zsh
@@ -0,0 +1,5 @@
+#!/bin/zsh
+
+for i ( fd fdfind hyperfine ) ; do
+    __z_comp_system $i
+done ; unset i
--- a/.config/zsh/env.zsh
+++ b/.config/zsh/env.zsh
@@ -0,0 +1,96 @@
+#!/bin/zsh
+
+## sort-n-fill PATH
+z-sort-path() {
+    local -a p
+    local -aU t npath games
+
+    p=( ${path} )
+
+    ## strip "games" first :)
+    t=( ${(@)p:#*games*} )
+    games+=( ${(@)p:|t} )
+    p=( $t )
+
+    ## process in-home part
+    t=( ${(@)p:#${HOME}/*} )
+    npath+=( "${HOME}/bin" "${ZSHU[d_bin]}" "${ZSHU[d_scripts]}" )
+    npath+=( ${(@)p:|t} )
+    p=( $t )
+
+    ## process /usr/local/*
+    t=( ${(@)p:#/usr/local/*} )
+    npath+=( /usr/local/sbin /usr/local/bin )
+    npath+=( ${(@)p:|t} )
+    p=( $t )
+
+    ## process /usr/*
+    t=( ${(@)p:#/usr/*} )
+    npath+=( /usr/sbin /usr/bin )
+    npath+=( ${(@)p:|t} )
+    p=( $t )
+
+    ## now we're with /sbin and /bin... probably :)
+
+    ## in case of merged /usr
+    [ -h /sbin ] || npath+=( /sbin )
+    [ -h /bin ]  || npath+=( /bin )
+    npath+=( $p )
+
+    ## finally... games! xD
+    npath+=( /usr/local/games /usr/games )
+    npath+=( ${games} )
+
+    path=( ${npath} )
+    hash -f
+}
+z-sort-path
+
+unset GREP_OPTIONS
+unset LS_OPTIONS
+
+unset LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+unset LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION
+export LANG=C.UTF-8
+export LC_ALL=C.UTF-8
+
+z-set-tmpdir() {
+    TMPDIR="$1"
+    TMP="$1"
+    TEMPDIR="$1"
+    TEMP="$1"
+    export TMPDIR TMP TEMPDIR TEMP
+}
+z-set-tmpdir "${TMPDIR:=/tmp}"
+
+ZSHU[uname]=$(uname -s 2>/dev/null)
+ZSHU[uname]=${ZSHU[uname]:l}
+
+ZSHU[mach]=$(uname -m 2>/dev/null)
+ZSHU[mach]=${ZSHU[mach]:l}
+case "${ZSHU[mach]}" in
+amd64 ) ZSHU[mach]=x86_64 ;;
+arm64 ) ZSHU[mach]=aarch64 ;;
+armv* ) ZSHU[mach]=arm ;;
+esac
+
+ZSHU[os_type]=${OSTYPE:l}
+
+ZSHU[os_family]=${ZSHU[uname]:l}
+case "${ZSHU[os_family]}" in
+*bsd ) ZSHU[os_family]=bsd ;;
+esac
+
+ZSHU[host_name]=${(%):-%m}
+ZSHU[host_fqdn]=${(%):-%M}
+ZSHU[host]=${ZSHU[host_name]}
+function {
+    [ "${ZSHU[uname]}" = darwin ] || return
+    ZSHU[host]=$(scutil --get ComputerName 2>/dev/null) && return
+    ## last resort
+    ZSHU[host]=${ZSHU[host_name]}
+}
+
+case "${ZSHU[os_family]}" in
+linux ) ZSHU[procfs]=/proc ;;
+esac
--- a/.config/zsh/env/aux.zsh
+++ b/.config/zsh/env/aux.zsh
@@ -0,0 +1,8 @@
+#!/bin/zsh
+
+set -a
+NO_AT_BRIDGE=1
+QT_ACCESSIBILITY=0
+
+MENUCONFIG_COLOR=blackbg
+set +a
--- a/.config/zsh/env/containers.zsh
+++ b/.config/zsh/env/containers.zsh
@@ -0,0 +1,11 @@
+#!/bin/zsh
+
+BUILDAH_FORMAT=docker
+BUILDAH_ISOLATION=chroot
+
+typeset -x -m 'BUILDAH_*'
+
+BUILD_IMAGE_NETWORK=host
+BUILD_IMAGE_PUSH=0
+
+typeset -x -m 'BUILD_IMAGE*'
--- a/.config/zsh/env/gopath.zsh
+++ b/.config/zsh/env/gopath.zsh
@@ -0,0 +1,21 @@
+#!/bin/zsh
+
+z-gobin-fixup() {
+    (( ${+commands[go]} )) || return 0
+
+    local gobin
+    gobin=$(command go env GOBIN)
+    if [ -z "${gobin}" ] ; then
+        local gopath
+        gopath=$(command go env GOPATH)
+        [ -n "${gopath}" ] || return 1
+        [ -d "${gopath}" ] || return 0
+        gobin="${gopath}/bin"
+    fi
+    [ -d "${gobin}" ] || mkdir "${gobin}" || return 1
+    ## already in PATH?
+    [ "${path[(I)${gobin}]}" = 0 ] || return 0
+    path=( "${gobin}" ${path} )
+}
+
+z-gobin-fixup
--- a/.config/zsh/env/history.zsh
+++ b/.config/zsh/env/history.zsh
@@ -0,0 +1,10 @@
+#!/bin/zsh
+
+## kinda unlimited history
+HISTSIZE=10000000
+SAVEHIST=10000000
+
+ZSHU[f_hist]="${ZSHU[d_var]}/history"
+[ -f "${ZSHU[f_hist]}" ] || touch "${ZSHU[f_hist]}"
+
+HISTFILE="${ZSHU[f_hist]}"
--- a/.config/zsh/env/ld.so.zsh
+++ b/.config/zsh/env/ld.so.zsh
@@ -0,0 +1,5 @@
+#!/bin/zsh
+
+typeset -T LD_LIBRARY_PATH  ld_library_path
+typeset -T LD_PRELOAD       ld_preload
+typeset -T LD_AUDIT         ld_audit
--- a/.config/zsh/env/pager.zsh
+++ b/.config/zsh/env/pager.zsh
@@ -0,0 +1,3 @@
+#!/bin/zsh
+
+export LESS=RSF
--- a/.config/zsh/env/quilt.zsh
+++ b/.config/zsh/env/quilt.zsh
@@ -0,0 +1,15 @@
+#!/bin/zsh
+
+z-quilt-default-env() {
+    set -a
+    QUILT_PATCHES='debian/patches'
+    QUILT_NO_DIFF_INDEX=1
+    QUILT_NO_DIFF_TIMESTAMPS=1
+    QUILT_PATCH_OPTS='--reject-format=unified'
+    QUILT_DIFF_ARGS='-pab --no-timestamps --no-index --color=auto'
+    QUILT_REFRESH_ARGS='-pab --no-timestamps --no-index'
+    QUILT_COLORS='diff_hdr=1;32:diff_add=1;34:diff_rem=1;31:diff_hunk=1;33:diff_ctx=35:diff_cctx=33'
+    set +a
+}
+
+z-quilt-default-env
--- a/.config/zsh/env/sed.zsh
+++ b/.config/zsh/env/sed.zsh
@@ -0,0 +1,3 @@
+#!/bin/zsh
+
+typeset -r ZSHU_XSED=$'\027'
--- a/.config/zsh/env/xdg.zsh
+++ b/.config/zsh/env/xdg.zsh
@@ -0,0 +1,13 @@
+#!/bin/zsh
+
+: ${XDG_CONFIG_HOME:=${HOME}/.config}
+: ${XDG_CACHE_HOME:=${HOME}/.cache}
+: ${XDG_DATA_HOME:=${HOME}/.local/share}
+: ${XDG_RUNTIME_DIR:=${TMPDIR}}
+: ${XDG_DATA_DIRS:=/usr/local/share:/usr/share}
+: ${XDG_CONFIG_DIRS:=/etc/xdg}
+
+typeset -x -m 'XDG*'
+
+export -T XDG_DATA_DIRS    xdg_data_dirs
+export -T XDG_CONFIG_DIRS  xdg_config_dirs
--- a/.config/zsh/lib.zsh
+++ b/.config/zsh/lib.zsh
@@ -0,0 +1,6 @@
+#!/bin/zsh
+
+disable which
+which() { builtin whence -p "$@"; }
+which-command() { builtin whence -p "$@"; }
+zsh-which() { builtin whence -c "$@"; }
--- a/.config/zsh/lib/alternatives.zsh
+++ b/.config/zsh/lib/alternatives.zsh
@@ -0,0 +1,87 @@
+#!/bin/zsh
+
+## alternatives list is pipe-separated list of commands/binaries
+
+## find (first) candidate in alternatives
+## $1 - alternatives list
+## $2 - arguments to test command (USE WITH CAUTION!)
+z-alt-find() {
+    local -a v a
+    local i c r t
+
+    v=( ${(@s:|:)1} )
+    [ ${#v} = 0 ] && v=( "$1" )
+    for i ( $v ) ; do
+        a=( ${(@s: :)i} )
+
+        c=$(which "${a[1]}")
+        [ -z "$c" ] && continue
+        a[1]="$c"
+
+    #   r=$(readlink -f "$c" 2>/dev/null)
+    #   [ -z "$r" ] && continue
+    #   a[1]="$r"
+
+        if [ -n "$2" ] ; then
+            t="$a $2"
+            command ${(@s: :)t} </dev/null &>/dev/null || continue
+        fi
+
+        echo "${a[@]}"
+        return 0
+    done
+
+    return 127
+}
+
+## set function alias for alternative (one-time static resolve)
+## $1 - function name
+## $2 - alternatives list
+## $3 - command wrapper
+## $4 - function prologue
+## $5 - function epilogue
+z-alt-set-static() {
+    local -a s
+    local n t a r
+
+    n="$1" ; t=''
+    if [[ "$n" =~ '\|' ]] ; then
+        t=${n:${MBEGIN}} ; n=${n:0:${MBEGIN}-1}
+    fi
+    a=$(z-alt-find "$2" "$t")
+    if [ -n "$a" ] ; then
+        r=0
+        [ -n "$4" ] && s+=( "$4 ;" )
+        s+=( "${3:-command}" )
+        s+=( "$a \"\$@\" || return 127" )
+        [ -n "$5" ] && s+=( "; $5" )
+    else
+        r=127
+        s+=( 'return 127' )
+    fi
+    eval "$n () { ${s[@]} ; } ; typeset -g $n"
+
+    return $r
+}
+
+## set function alias for alternative (dynamic resolve)
+## $1 - function name
+## $2 - alternatives list
+## $3 - command wrapper
+## $4 - function prologue
+## $5 - function epilogue
+z-alt-set-dynamic() {
+    local -a s
+    local n t
+
+    n="$1" ; t=''
+    if [[ "$n" =~ '\|' ]] ; then
+        t=${n:${MBEGIN}} ; n=${n:0:${MBEGIN}-1}
+    fi
+    [ -n "$4" ] && s+=( "$4 ;" )
+    s+=( 'local a=$(z-alt-find' "${(qq)2}" "${t:+' $t'} ) ;" )
+    s+=( "${3:-command}" )
+    s+=( '${(@s: :)a} "$@" || return 127' )
+    [ -n "$5" ] && s+=( "; $5" )
+    eval "$n () { ${s[@]} ; } ; typeset -g $n"
+}
--- a/.config/zsh/lib/cmdtime.zsh
+++ b/.config/zsh/lib/cmdtime.zsh
@@ -0,0 +1,54 @@
+#!/bin/zsh
+
+z-time() {
+    local a r
+
+    a=${EPOCHREALTIME}
+    "$@" ; r=$?
+    a=$[ EPOCHREALTIME - a ]
+    a=$(z-ts-to-human "$a" 6)
+    printf '\n# time took: %s\n' "$a" >&2
+
+    return $r
+}
+
+if autoload -Uz add-zsh-hook ; then
+
+typeset -gA ZSHU_PS
+ZSHU_PS[cmd_threshold]=3
+
+__z_cmdtime_measure() {
+    local t x
+
+    x=${EPOCHREALTIME}
+
+    unset 'ZSHU[cmd_dt]' 'ZSHU_PS[elapsed]'
+    (( ${+ZSHU[cmd_ts]} )) || return
+
+    t=$[ x - ZSHU[cmd_ts] ]
+    ZSHU[cmd_ts]=$x
+
+    x=${ZSHU_PS[cmd_threshold]}
+    x=$[ x + 0 ] || x=0
+    [ "$x" = 0 ] && return
+
+    x=$[ t - x ]
+    [ "${x:0:1}" = '-' ] && return
+
+    t=$(z-ts-to-human "$t")
+    ZSHU[cmd_dt]=$t
+    ZSHU_PS[elapsed]=" %f[%B%F{yellow}+$t%b%f]"
+}
+
+__z_cmdtime_set() {
+    ZSHU[cmd_ts]=${EPOCHREALTIME}
+}
+
+add-zsh-hook precmd  __z_cmdtime_measure
+add-zsh-hook preexec __z_cmdtime_set
+
+else
+
+echo "cmd time measurement is disabled due to missing hook support" >&2
+
+fi
--- a/.config/zsh/lib/completion.zsh
+++ b/.config/zsh/lib/completion.zsh
@@ -0,0 +1,145 @@
+#!/bin/zsh
+
+typeset -gA ZSHU_COMP_FORCE
+
+ZSHU[f_compdump]="${ZSHU[d_cache]}/compdump"
+ZSHU[d_completion]="${ZSHU[d_cache]}/completion"
+ZSHU[d_compzwc]="${ZSHU[d_cache]}/compzwc"
+ZSHU[d_compcache]="${ZSHU[d_cache]}/compcache"
+
+typeset -a ZSHU_SYS_FPATH=( ${fpath} )
+fpath=( "${ZSHU[d_compzwc]}" "${ZSHU[d_completion]}" ${fpath} )
+
+__z_compdump_print() { printf '#zshu %s %s\n' "$1" "${(P)1}" ; }
+
+__z_compdump_invalidate() {
+    rm -f "${ZSHU[f_compdump]}"
+    find "${ZSHU[d_compcache]}/" -xdev -type f '!' -name '.keep' -delete
+    ZSHU[compdump_refresh]=1
+}
+
+__z_compdump_verify() {
+    local i s
+
+    unset 'ZSHU[compdump_refresh]'
+    ZSHU[compdump_meta]='ZSH_VERSION ZSH_PATCHLEVEL FPATH PATH'
+    for i ( ${(s: :)ZSHU[compdump_meta]} ) ; do
+        s=$(__z_compdump_print "$i")
+        command grep -Fx -e "$s" "${ZSHU[f_compdump]}" &>/dev/null && continue
+        __z_compdump_invalidate
+        break
+    done
+}
+
+__z_compdump_finalize() {
+    local i
+
+    if (( ${+ZSHU[compdump_refresh]} )) ; then
+        {
+            echo
+            for i ( ${(s: :)ZSHU[compdump_meta]} ) ; do
+                __z_compdump_print "$i"
+            done
+        } | tee -a "${ZSHU[f_compdump]}" &>/dev/null
+        unset 'ZSHU[compdump_refresh]'
+    fi
+    unset 'ZSHU[compdump_meta]'
+}
+
+## TODO: refactor (e.g. buildah completion is a "bit" broken)
+__z_comp_bash() {
+    # (( ${+commands[$1]} )) || return 127
+
+    local f p x
+
+    (( ${+_comps[$1]} )) && return 1
+    (( ${+ZSHU[compdump_bash]} )) || return 2
+    (( ${+2} )) && return 0
+
+    f=0
+    for p ( /usr/share/bash-completion/completions ) ; do
+        x="_$1" ; [ -s "$p/$x" ] && f=1 && break
+        x="$1"  ; [ -s "$p/$x" ] && f=1 && break
+    done
+    [ "$f" = 0 ] && return 3
+    complete -C "$x" "$1"
+
+    return 0
+}
+
+__z_comp_external() {
+    local c f
+    c="$1" ; shift
+
+    (( ${+commands[$c]} )) || return 127
+
+    [ $# -gt 0 ] || return 1
+
+    if ! (( ${+ZSHU_COMP_FORCE[$c]} )) ; then
+        (( ${+_comps[$c]} )) && return 0
+    fi
+
+    f="${ZSHU[d_completion]}/_$c"
+    if ! [ -s "$f" ] ; then
+        if ! "$@" > "$f" ; then
+            rm -f "$f"
+            return 2
+        fi
+    fi
+    # zcompile -zR "$f"
+    # mv -f "$f.zwc" "${ZSHU[d_compzwc]}/$c.zwc"
+    # emulate zsh -c "autoload -Uz _$c"
+    autoload -Uz "_$c"
+
+    return 0
+}
+
+__z_comp_system() {
+    # (( ${+commands[$1]} )) || return 127
+
+    local d
+
+    (( ${+_comps[$1]} )) && return 1
+
+    (( ${+ZSHU_COMP_FORCE[$c]} )) && return 0
+
+    local -a _fpath
+    _fpath=( ${fpath} )
+    fpath=( ${ZSHU_SYS_FPATH} )
+
+    for d ( ${fpath} ) ; do
+        [ -s "$d/_$1" ] || continue
+        # emulate zsh -c "autoload -Uz _$1"
+        autoload -Uz "_$1"
+        fpath=( ${_fpath} )
+        return 0
+    done
+    fpath=( ${_fpath} )
+    return 2
+}
+
+## reload or new session are required to regenerate compcache
+z-comp-invalidate() {
+    [ -n "${1:?}" ]
+
+    # rm -f "${ZSHU[d_completion]}/_$1" "${ZSHU[d_compzwc]}/_$1.zwc" "${ZSHU[d_compzwc]}/$1.zwc"
+    rm -f "${ZSHU[d_completion]}/_$1"
+}
+
+## reload or new session are required to regenerate completions
+z-comp-flush() {
+    find "${ZSHU[d_completion]}/" "${ZSHU[d_compzwc]}/" -xdev -type f '!' -name '.keep' -delete
+}
+
+z-comp-auto() {
+    local c f
+
+    for c ( ${(k)ZSHU_COMP_EXTERNAL} ) ; do
+        __z_comp_external "$c" "${(@s: :)ZSHU_COMP_EXTERNAL[$c]}" && unset "ZSHU_COMP_EXTERNAL[$c]"
+    done
+
+    for f ( ${functions[(I)__z_comp_ext__*]} ) ; do
+        c=${f#__z_comp_ext__}
+        __z_comp_external $c $f && unset -f "$f"
+    done
+}
--- a/.config/zsh/lib/csv.zsh
+++ b/.config/zsh/lib/csv.zsh
@@ -0,0 +1,33 @@
+#!/bin/zsh
+
+## NB: set IFS manually
+
+z-csv-select() {
+    local field value
+    field="${1:?}" value="${2:?}"
+
+    local line
+    local -a ary
+    while IFS='' read -rs line ; do
+        [ -n "${line}" ] || continue
+
+        ary=()
+        read -rs -A ary <<< "${line}"
+        [ "${ary[${field}]}" = "${value}" ] || continue
+
+        printf '%s' "${line}"
+        return 0
+    done
+
+    return 1
+}
+
+z-csv-field() {
+    local field
+    field="${1:?}"
+
+    local -a ary
+    read -rs -A ary
+
+    printf '%s' "${ary[${field}]}"
+}
--- a/.config/zsh/lib/curl.zsh
+++ b/.config/zsh/lib/curl.zsh
@@ -0,0 +1,14 @@
+#!/bin/zsh
+
+__z_curl_headers() {
+    command curl -qsI "$@" 2>/dev/null
+}
+__z_curl_location() {
+    __z_curl_headers "$1" \
+    | sed -En '/^[Ll]ocation: (.+)$/{s//\1/;p}'
+}
+__z_curl_response() {
+    __z_curl_headers -L "$1" \
+    | sed -En '/^HTTP\/[0-9.]+ ([1-5][0-9]{2})( .+)?$/{s//\1/;p}' \
+    | tail -n 1
+}
--- a/.config/zsh/lib/git.zsh
+++ b/.config/zsh/lib/git.zsh
@@ -0,0 +1,155 @@
+#!/bin/zsh
+
+## fancy and manageable PS1 for git
+typeset -gA ZSHU_GIT ZSHU_PM ZSHU_PS
+ZSHU_PS[git]=0
+ZSHU_PM[git_branch]='🞷'
+ZSHU_PM[git_ahead]='↱'
+ZSHU_PM[git_behind]='↴'
+ZSHU_PM[git_detach]='☈'
+ZSHU_PM[git_tag]='🗹'
+ZSHU_PM[git_commit]='⌽'
+
+__z_git_avail() { (( $+commands[git] )) ; }
+
+__z_git() { GIT_OPTIONAL_LOCKS=0 command git "$@"; }
+
+__z_git_is_repo() { __z_git rev-parse --git-dir &>/dev/null ; }
+
+__z_git_desc_tag() { __z_git describe --tags "$@" ; }
+
+z-git-test() {
+    [ "${ZSHU_PS[git]}" = '1' ] || return 1
+
+    __z_git_avail || return $?
+
+    __z_git_is_repo || return 3
+
+    return 0
+}
+
+__z_git_pwd() {
+    unset 'ZSHU_PS[git_ref]' 'ZSHU_PS[git_changes]' 'ZSHU_PS[git_tag]'
+    ZSHU_GIT=()
+    z-git-test || return
+
+
+    local x
+    x=$(__z_git rev-parse --short HEAD 2>/dev/null)
+    [ -n "$x" ] || return
+    ZSHU_GIT[commit]=$x
+
+    ## git ref
+    while : ; do
+        ZSHU_GIT[detached]=1
+        x=$(__z_git symbolic-ref --short HEAD 2>/dev/null)
+        if [ -n "$x" ] ; then
+            ZSHU_GIT[detached]=0
+            ZSHU_GIT[ref]=$x
+            ZSHU_PS[git_ref]="%F{green}%B${ZSHU_PM[git_branch]}%b ${ZSHU_GIT[ref]}%f"
+            break
+        fi
+
+        x=$(__z_git for-each-ref --format='%(refname:short)' --count=1 --points-at=${ZSHU_GIT[commit]} refs/heads/ refs/remotes/)
+        if [ -n "$x" ] ; then
+            ZSHU_GIT[detached]=0
+            ZSHU_GIT[ref]=$x
+            ZSHU_PS[git_ref]="%F{yellow}%B${ZSHU_PM[git_branch]}%b ${ZSHU_GIT[ref]}%f"
+            break
+        fi
+
+        ZSHU_GIT[ref]=${ZSHU_GIT[commit]}
+        ZSHU_PS[git_ref]="%F{red}%B${ZSHU_PM[git_detach]}%b ${ZSHU_GIT[ref]}%f"
+
+        break
+    done
+
+    ## local<->remote changes
+    while [ ${ZSHU_GIT[detached]} = 0 ] ; do
+        x=$(__z_git for-each-ref --format='%(upstream:short)' --count=1 --points-at=${ZSHU_GIT[commit]} refs/heads/ refs/remotes/)
+        [ -n "$x" ] || break
+        ZSHU_GIT[remote]=$x
+
+        x=$(__z_git rev-list --left-right "${ZSHU_GIT[ref]}...${ZSHU_GIT[remote]}" 2>/dev/null) || break
+        ZSHU_GIT[ref_ahead]=$(echo "$x" | grep -Ec '^<')
+        ZSHU_GIT[ref_behind]=$(echo "$x" | grep -Ec '^>')
+        ZSHU_GIT[ref_changes]=$[ ZSHU_GIT[ref_ahead] + ZSHU_GIT[ref_behind] ]
+        [ ${ZSHU_GIT[ref_changes]} -eq 0 ] && break
+
+        x=''
+        [ ${ZSHU_GIT[ref_ahead]} -eq 0 ]  || x="$x${x:+ }%B%F{green}${ZSHU_PM[git_ahead]} ${ZSHU_GIT[ref_ahead]}%b"
+        [ ${ZSHU_GIT[ref_behind]} -eq 0 ] || x="$x${x:+ }%B%F{red}${ZSHU_PM[git_behind]} ${ZSHU_GIT[ref_behind]}%b"
+        ZSHU_PS[git_changes]=$x
+
+        break
+    done
+
+    ## git tag
+    while [ ${ZSHU_GIT[detached]} = 1 ] ; do
+        x=$(__z_git_desc_tag --exact-match HEAD 2>/dev/null)
+        if [ -n "$x" ] ; then
+            ZSHU_GIT[tag]=$x
+            ZSHU_PS[git_tag]="%F{green}%B${ZSHU_PM[git_tag]}%b ${ZSHU_GIT[tag]}%f"
+            break
+        fi
+
+        x=$(__z_git_desc_tag HEAD 2>/dev/null)
+        if [ -n "$x" ] ; then
+            ZSHU_GIT[tag]=${x%-*}
+            ZSHU_PS[git_tag]="%F{yellow}%B${ZSHU_PM[git_commit]}%b ${ZSHU_GIT[tag]}%f"
+            break
+        fi
+
+        break
+    done
+
+    ## try to fancy split current path
+    while : ; do
+        x=${(%):-%~}
+        [[ "$x" =~ '/.+' ]] || break
+
+        local pfx last mid
+        pfx=$(__z_git rev-parse --show-prefix)
+        pfx="${pfx%/}"
+        if [ -n "${pfx}" ] ; then
+            x=${x%/${pfx}}
+            last="${pfx:t}"
+            mid="${pfx%${last}}"
+            mid="${mid%/}"
+            mid="/${mid}${mid:+/}"
+
+            ZSHU_GIT[path_mid]=${mid}
+            ZSHU_GIT[path_last]=${last}
+        else
+            ZSHU_GIT[path_last]='/'
+        fi
+        break
+    done
+    ZSHU_GIT[path_root]=$x
+
+    x="%F{magenta}${ZSHU_GIT[path_root]:gs/%/%%}"
+    x="$x%F{cyan}${ZSHU_GIT[path_mid]:gs/%/%%}"
+    x="$x%B${ZSHU_GIT[path_last]:gs/%/%%}%f%b"
+    ZSHU_PS[pwd]=$x
+
+    local -a ary
+    ary+="${ZSHU_PS[git_ref]}"
+    ary+="${ZSHU_PS[git_changes]}"
+    ary+="${ZSHU_PS[git_tag]}"
+    x="${(j: :)ary}"
+    [ -z "$x" ] || ZSHU_PS[pwd_extra]=" $x"
+}
+
+z-git-enable()  { ZSHU_PS[git]=1 ; }
+z-git-disable() { ZSHU_PS[git]=0 ; }
+
+z-git-status() {
+    __z_git_avail
+    echo "Git binary: "${(%):-%(?..NOT )}"found in PATH"
+    [ "${ZSHU_PS[git]}" = 1 ]
+    echo "Git prompt: "${(%):-%(?.enabled.disabled)}
+    __z_git_is_repo
+    echo "Git repo: "${(%):-%(?..NOT )}"present"
+}
+
+ZSHU[pwd_hook]="${ZSHU[pwd_hook]}${ZSHU[pwd_hook]:+ }__z_git_pwd"
--- a/.config/zsh/lib/gpg.zsh
+++ b/.config/zsh/lib/gpg.zsh
@@ -0,0 +1,45 @@
+#!/bin/zsh
+
+z-gpgconf-comp-avail() {
+    (( ${+commands[gpgconf]} )) || return 127
+
+    local comp
+    comp="${1:?}"
+
+    local csv
+    csv=$(command gpgconf --list-components | IFS=':' z-csv-select 1 "${comp}")
+    [ -n "${csv}" ]
+}
+
+z-gpgconf-comp-opt-avail() {
+    (( ${+commands[gpgconf]} )) || return 127
+
+    local comp opt
+    comp="${1:?}" opt="${2:?}"
+    
+    z-gpgconf-comp-avail "${comp}" || return $?
+
+    local csv
+    csv=$(command gpgconf --list-options "${comp}" | IFS=':' z-csv-select 1 "${opt}")
+    [ -n "${csv}" ]
+}
+
+## merely that command:
+##   gpgconf --list-options "$1" | awk -F: "/^$2:/{ print \$10 }"
+z-gpgconf-getopt() {
+    (( ${+commands[gpgconf]} )) || return 127
+
+    local comp opt
+    comp="${1:?}" opt="${2:?}"
+
+    ## not really necessary here
+    # z-gpgconf-comp-opt-avail "${comp}" "${opt}" || return $?
+
+    local csv
+    csv=$(command gpgconf --list-options "${comp}" | IFS=':' z-csv-select 1 "${opt}")
+    [ -n "${csv}" ] || return 1
+
+    local v
+    v=$(IFS=':' z-csv-field 10 <<< "${csv}")
+    printf '%s' "$v"
+}
--- a/.config/zsh/lib/history.zsh
+++ b/.config/zsh/lib/history.zsh
@@ -0,0 +1,19 @@
+#!/bin/zsh
+
+z-history() {
+    local list
+
+    zparseopts -E l=list
+    if [ -n "${list}" ]; then
+        builtin fc "$@"
+    else
+        [[ ${@[-1]-} = *[0-9]* ]] && builtin fc -il "$@" || builtin fc -il "$@" 1
+    fi
+}
+
+z-grephist() {
+    local x
+
+    x=$1 ; shift
+    z-history -m "*${x}*" "$@"
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Konstantin Demin	9871b29288	treewide: move zsh functions to sh scripts Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details	2025-09-09 20:53:55 +03:00
Konstantin Demin	37599593bc	ci: switch to Debian 13 "Trixie" All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2025-08-18 12:08:45 +03:00
Konstantin Demin	a6e52c8992	zsh: improve sbuild snippet All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2025-08-18 10:58:51 +03:00
Konstantin Demin	06126b2991	sbuild: dedup & adjust All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2025-08-17 17:36:29 +03:00
Konstantin Demin	00648901a9	zsh: update All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2025-07-23 10:59:44 +03:00
Konstantin Demin	48e93e48b6	zsh: openwrt-related goodies Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details ci/woodpecker/manual/woodpecker Pipeline was successful Details	2025-07-13 21:09:51 +03:00
Konstantin Demin	12449788a6	zsh/git goodies Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details	2025-07-08 12:21:04 +03:00
Konstantin Demin	3b6c18395b	zsh: openwrt-related goodies listing archives with apk-tools 3.0.0_pre20250606 is PITA	2025-07-08 12:20:59 +03:00
Konstantin Demin	c58b27fe29	zsh/git goodies	2025-06-18 19:32:44 +03:00
Konstantin Demin	403b8a7e6c	dotfiles: update git config Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details	2025-05-02 16:19:30 +03:00
Konstantin Demin	8137c7efde	zsh: git branch snippet	2025-05-02 16:13:31 +03:00
Konstantin Demin	b12c01b3cb	git: refresh Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details	2025-05-02 15:27:13 +03:00
Konstantin Demin	88262ef200	sbuild: improve changes from `fa00d72c` Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details	2025-03-14 10:38:58 +03:00
Konstantin Demin	fa00d72cbc	sbuild: enforce random build directory Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details	2025-03-14 02:33:22 +03:00
Konstantin Demin	e9e9b7fc51	dotfiles: cleanup Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details	2025-01-27 11:24:41 +03:00
Konstantin Demin	5662040673	dotfiles: sbuild Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details	2025-01-17 04:16:11 +03:00
Konstantin Demin	5cfbe03d71	zsh: optimize gpg-agent initialization All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-12-19 20:50:46 +03:00
Konstantin Demin	4e67805847	dotfiles: update gitignore	2024-12-19 20:49:51 +03:00
Konstantin Demin	8956cd7280	dotfiles: separate gitignore for vcs	2024-12-19 20:49:08 +03:00
Konstantin Demin	61fb51b3eb	zsh: update sbuild once more All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-08-03 14:08:31 +03:00
Konstantin Demin	4e8515debe	zsh: correct sbuild snippet All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-08-03 13:51:01 +03:00
Konstantin Demin	bc90303dc1	ci: minor adjust All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details ci/woodpecker/manual/woodpecker Pipeline was successful Details	2024-07-28 21:28:58 +03:00
Konstantin Demin	055de153b1	ci: update All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details ci/woodpecker/manual/woodpecker Pipeline was successful Details	2024-07-28 19:43:09 +03:00
Konstantin Demin	6c0ac78b6e	zsh: improve git snippets All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details ci/woodpecker/manual/woodpecker Pipeline was successful Details	2024-07-23 23:08:35 +03:00
Konstantin Demin	e6678b1a31	fix `bd1f46de` All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-07-12 15:45:14 +03:00
Konstantin Demin	bd1f46dec6	zsh: container goodies	2024-07-12 15:41:17 +03:00
Konstantin Demin	9012696fea	zsh: bit better PATH	2024-07-10 12:09:31 +03:00
Konstantin Demin	0ae83ee81b	dotfiles: improve forge selection	2024-07-05 17:51:22 +03:00
Konstantin Demin	4112913166	git: refresh a bit	2024-07-05 15:02:09 +03:00
Konstantin Demin	8378e9993d	zsh: rework krd-quilt	2024-07-05 13:42:31 +03:00
Konstantin Demin	e3ff1bcb69	zsh: update	2024-07-05 13:18:16 +03:00
Konstantin Demin	8283b6c752	zsh: fix `dc30f109`	2024-06-16 12:51:37 +03:00
Konstantin Demin	785294aef5	zsh: better detect gnu screen	2024-06-16 12:49:12 +03:00
Konstantin Demin	dc30f109cf	zsh: adjust container-related stuff	2024-06-16 12:48:58 +03:00
Konstantin Demin	d9ef22abc5	dotfiles: fix copy-paste All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-03-20 12:16:19 +03:00
Konstantin Demin	69ba98a9d5	dotfiles: update All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details select origin dynamically	2024-03-20 11:41:04 +03:00
Konstantin Demin	b2436b9e21	zsh: minor ssh-agent fix All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-03-04 16:11:07 +03:00
Konstantin Demin	5a9f0b08c0	zsh: ssh-agent persistence All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-03-04 16:05:08 +03:00
Konstantin Demin	98deefe039	zsh: fix ssh-agent All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-03-04 15:47:43 +03:00
Konstantin Demin	6d29f9afbc	dotfiles: fix accounting fixes `20aafe29`	2024-03-04 15:42:02 +03:00
Konstantin Demin	20aafe29e8	zsh: update examples All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-03-04 15:39:55 +03:00
Konstantin Demin	8834da817c	zsh: update All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-03-04 15:35:55 +03:00
Konstantin Demin	25123cece2	zsh: completion All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details many thanks to blackmou5e for pointing this out	2024-02-29 12:34:20 +03:00
Konstantin Demin	3f527a0c73	zsh: modules All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-02-29 11:10:03 +03:00
Konstantin Demin	3321d21f8b	zsh: rework ZDOTDIR redirection All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-02-29 01:04:53 +03:00
Konstantin Demin	7aac214e04	dotfiles: fix All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-02-29 00:21:48 +03:00
Konstantin Demin	0bb93c3b11	zsh: minor fixes All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-02-29 00:15:08 +03:00
Konstantin Demin	ea774fdd8b	dotfiles: update All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details rework htop layout :)	2024-02-29 00:02:58 +03:00
Konstantin Demin	d872b655c9	zsh: update PS: zprof rocks!	2024-02-28 23:22:33 +03:00
Konstantin Demin	47b2170058	zsh: update All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-02-23 21:46:04 +03:00
Konstantin Demin	0289d90fb9	zsh: zwc things All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2024-02-20 09:51:55 +03:00
Konstantin Demin	a54be4863a	dotfiles: remove unreachable code found by CI	2024-02-20 09:35:47 +03:00
Konstantin Demin	d05065f3aa	ci: introduce	2024-02-20 09:35:34 +03:00
Konstantin Demin	af26648283	zsh: correct podman-to-docker examples	2024-02-18 15:14:43 +03:00
Konstantin Demin	b9b056d10d	zsh: update	2024-02-18 15:10:19 +03:00
Konstantin Demin	f77e4a54bc	tools: refresh configs	2024-02-18 03:03:16 +03:00
Konstantin Demin	9725317a4a	zsh: update	2024-02-18 02:32:08 +03:00
Konstantin Demin	aea9334649	zsh: update	2024-02-13 18:54:46 +03:00
Konstantin Demin	8af457ab05	zsh: update git functions	2024-02-12 12:07:41 +03:00
Konstantin Demin	d65860c0ac	git: refresh a bit	2024-01-27 11:24:27 +03:00
Konstantin Demin	9d1de60648	zsh: update	2024-01-27 00:10:58 +03:00
Konstantin Demin	d5209414e9	zsh: git prompt	2024-01-20 13:54:23 +03:00
Konstantin Demin	ad4acd935a	zsh: misc git functions	2024-01-20 13:54:12 +03:00
Konstantin Demin	9bd1bb79ea	zsh: update	2024-01-16 02:55:39 +03:00
Konstantin Demin	19571a4046	zsh: fix grep alias fixes `086279d7`	2023-12-23 11:19:21 +03:00
Konstantin Demin	7a8ba289fa	update tracked files list	2023-12-23 09:16:06 +03:00
Konstantin Demin	086279d721	zsh: move/hide initialization this also improves .zsh bytecode compilation	2023-12-23 09:15:33 +03:00
Konstantin Demin	d2061dda65	update internal scripts	2023-12-23 09:11:04 +03:00
Konstantin Demin	5fd6a13726	screen: drastically decrease scrollback	2023-12-23 09:05:19 +03:00
Konstantin Demin	e10445bf10	git: refresh a bit	2023-11-23 12:26:41 +03:00
Konstantin Demin	80ae65a3fa	env: container-related	2023-09-22 10:21:06 +03:00
Konstantin Demin	25c314caa9	minor terminal fixup	2023-07-20 00:31:30 +03:00
Konstantin Demin	e76ed11c36	gdb: enable debuginfod	2022-10-23 13:16:13 +03:00
Konstantin Demin	2ef127fe7a	zsh: globbing	2022-09-05 11:11:57 +03:00
Konstantin Demin	3220c72f6f	zsh: cache tasks	2022-09-05 10:42:43 +03:00
Konstantin Demin	55324be58e	zsh: compile without aliases	2022-09-05 10:39:16 +03:00
Konstantin Demin	ac9d7a7de6	zsh: compile cache & cache flush	2022-09-05 10:35:13 +03:00
Konstantin Demin	5041d2c7e7	update tracked files list	2022-09-05 10:19:19 +03:00
Konstantin Demin	f6a2541e4f	git: pack.threads=4	2022-09-01 13:57:30 +03:00
Konstantin Demin	732d00440e	htop: add example config	2022-07-29 10:09:54 +03:00
Konstantin Demin	e59ee51009	git: core.abbrev=8	2022-07-29 09:24:07 +03:00
Konstantin Demin	de28616e6c	git: refresh a bit	2022-07-20 00:11:48 +03:00
Konstantin Demin	d524b4255a	install: dumb support for local proxies	2022-07-20 00:10:20 +03:00
Konstantin Demin	724df8e2d8	zsh: treewide: minor fixes/style	2022-07-19 02:41:45 +03:00
Konstantin Demin	0ec196bef2	fix for select-editor it's a bit dumb :)	2022-05-18 11:40:59 +03:00
Konstantin Demin	23275ec9fc	rework personal completions also support: - fd/fdfind - hyperfine	2022-05-18 11:39:55 +03:00
Konstantin Demin	2622b6e7e8	fd/fdfind completion	2022-05-18 11:14:55 +03:00
Konstantin Demin	4a2b874478	add dumb completion routine	2022-05-18 11:13:35 +03:00
Konstantin Demin	48a90c3981	guard find call in completion	2022-05-18 10:41:27 +03:00
Konstantin Demin	f0a6c78243	add simple cache flush routine	2022-05-18 10:41:08 +03:00
Konstantin Demin	faae072861	refactor key bindings	2022-05-18 10:29:39 +03:00
Konstantin Demin	a70347e7f7	drop remnants	2022-05-18 10:21:00 +03:00
Konstantin Demin	3b50183a0d	drop useless placeholder	2022-05-18 09:57:25 +03:00
Konstantin Demin	113ce00644	zsh: use fzf if any	2022-05-09 12:58:59 +03:00
Konstantin Demin	e6fef308ef	update vimrc again	2022-01-08 23:29:28 +03:00
Konstantin Demin	5e2f600eba	update vimrc	2022-01-08 22:51:33 +03:00
Konstantin Demin	27137da435	minor fixes for gitconfig	2021-12-08 23:46:00 +03:00
Konstantin Demin	cf3e5623ab	fix "bud" alias	2021-12-07 11:53:52 +03:00
Konstantin Demin	731471aee7	zsh: aliases and related	2021-12-07 02:46:50 +03:00
Konstantin Demin	95d73f7f64	git: update conf	2021-12-05 18:58:24 +03:00
Konstantin Demin	59c691e5df	git: fix typo	2021-11-18 19:18:07 +03:00
Konstantin Demin	5e64dfe3fe	git: update conf	2021-11-08 08:32:59 +03:00
Konstantin Demin	e1ac7abd92	podman run: provide TERM to container	2021-10-29 22:35:35 +03:00
Konstantin Demin	7f0793da39	one more podman alias	2021-10-13 14:32:05 +03:00
Konstantin Demin	3c91a3f5ae	update tracked files list	2021-10-01 10:23:00 +03:00
Konstantin Demin	deed34735d	add k8s completion and alias	2021-10-01 10:22:25 +03:00
Konstantin Demin	54ae3affd0	add gpg helper function	2021-10-01 10:22:10 +03:00
Konstantin Demin	6ecf110b2c	completion: allow manual invalidation	2021-10-01 10:15:45 +03:00
Konstantin Demin	bc5e07f76e	treewide: style (trivia)	2021-10-01 10:14:53 +03:00
Konstantin Demin	f07d2d3b35	add 'podman run' alias	2021-09-29 11:26:06 +03:00
Konstantin Demin	e9ba43b038	update gitignore fixes: `765d07a7`, `6530af46`	2021-08-18 10:04:59 +03:00
Konstantin Demin	1c849b0404	fix title function for real terminal	2021-07-29 08:53:10 +03:00
Konstantin Demin	765d07a7b8	set title	2021-06-05 13:53:16 +03:00
Konstantin Demin	6530af46f0	split term functions	2021-06-05 13:49:09 +03:00
Konstantin Demin	5addb3ae5e	fix default locale setting	2021-05-10 12:59:36 +03:00
Konstantin Demin	5626190a83	add identity (icon) in prompt	2021-05-07 17:11:02 +03:00
Konstantin Demin	2e41d859c9	modify cmd prompt coloring	2021-05-07 17:10:12 +03:00
Konstantin Demin	b0e681a87a	remove unused variable	2021-05-07 14:42:58 +03:00
Konstantin Demin	786277961d	extend git configuration	2021-05-04 12:33:38 +03:00
Konstantin Demin	e014ff180f	configure full name and email	2021-04-19 01:21:34 +03:00
Konstantin Demin	17ef24e460	partially undo changes in screenrc	2021-04-19 01:01:15 +03:00
Konstantin Demin	5a06ade27b	force update with script	2021-04-19 01:01:15 +03:00
Konstantin Demin	83a61a4c2f	highlight user and host in prompt when required	2021-04-19 01:01:15 +03:00
Konstantin Demin	5394f208b6	remove TERM fixup :)	2021-04-19 01:01:15 +03:00
Konstantin Demin	a312de64e1	avoid interaction with PID1	2021-04-19 01:01:15 +03:00
Konstantin Demin	04b31f7a24	add TERM fixup	2021-04-19 01:01:14 +03:00
Konstantin Demin	a6b87e2330	add buildah alias	2021-04-19 01:01:14 +03:00
Konstantin Demin	4cc414b20d	add missing file to gitignore	2021-04-19 01:01:14 +03:00
Konstantin Demin	100187ca04	add kconfig helper functions	2021-04-19 01:01:14 +03:00
Konstantin Demin	ac12fc459b	modify bash-completion loader	2021-04-19 01:01:14 +03:00
Konstantin Demin	7bf6262945	modify external completion routines	2021-04-19 01:01:13 +03:00
Konstantin Demin	26f29d0514	support more nesting levels	2021-04-19 01:01:13 +03:00
Konstantin Demin	ad82f32828	fix fresh install with ancient git	2021-04-19 01:01:13 +03:00
Konstantin Demin	87d9c7f978	rename remaining remnants	2021-04-19 01:01:13 +03:00
Konstantin Demin	eeaa54993a	dotfiles maintenance in subshell	2021-04-19 01:01:13 +03:00
Konstantin Demin	32bd17a702	fix update logic	2021-04-19 01:01:12 +03:00
Konstantin Demin	9e79767704	don't modify git remote when updating	2021-04-19 01:01:12 +03:00
Konstantin Demin	467332a5ec	fix fresh install with git available	2021-04-19 01:01:12 +03:00
Konstantin Demin	28231f278c	initial commit	2021-04-19 01:00:58 +03:00