fix: update wireguard example

inventory/host_vars/example.yml

@@ -114,17 +114,19 @@ zfs_datasets:
       mountpoint: /mnt/omer/movies
     state: present
 
-# Wireguard "client" VPN configuration
+# Wireguard VPN configuration
-# ------------------------------------
+# ----------------------------
-wireguard_address: 192.168.20.4/27
+wireguard_tunnels:
-wireguard_peers:
+  - interface: wg0
-  - name: "Marge server"
+    address: 192.168.20.4/27
-    public_key: fB6zC8oWpQxN4yR2sT1uA7vJ9kH3mG5eD0cLlI8bV6aF2dP3eXwZ1qY4rU7tO9
+    dns: 192.168.20.1
-    allowed_ips:
+    server_mode: false
-      - 192.168.20.1/32
+    peers:
-    endpoint: 192.168.1.56:51820
+      - name: "Marge server"
-wireguard_dns: 192.168.20.1
+        public_key: fB6zC8oWpQxN4yR2sT1uA7vJ9kH3mG5eD0cLlI8bV6aF2dP3eXwZ1qY4rU7tO9
-wireguard_server_mode: false
+        allowed_ips:
+          - 192.168.20.1/32
+        endpoint: 192.168.1.56:51820
 
 # NFS server configuration
 # ------------------------

roles/archlinux/tasks/main.yml

@@ -3,6 +3,10 @@
   ansible.builtin.meta: end_play
   when: ansible_facts['os_family'] != 'Archlinux'
 
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ inventory_hostname }}"
+
 - name: Archlinux base setup
   ansible.builtin.include_tasks: "{{ item }}"
   loop:

roles/archlinux/tasks/paru.yml

@@ -68,7 +68,7 @@
       ansible.builtin.set_fact:
         paru_url: "{{ item.browser_download_url }}"
       loop: "{{ paru_release.json.assets }}"
-      when: "'os_arch.tar.zst' in item.name"
+      when: "(os_arch + '.tar.zst') in item.name"
 
     - name: Download
       ansible.builtin.get_url:

roles/archlinux/tasks/yay.yml

@@ -22,21 +22,27 @@
         line: "%wheel ALL=(ALL) NOPASSWD: ALL"
         validate: /usr/sbin/visudo -cf %s
 
+    - name: Clean up stale yay sources dir
+      ansible.builtin.file:
+        path: "{{ yay_src_path }}"
+        state: absent
+
     - name: Create yay sources dir
       ansible.builtin.file:
         path: "{{ yay_src_path }}"
         state: directory
         owner: "{{ ansible_user }}"
+        mode: "0755"
 
     - name: Clone git sources
-      become: false
+      become_user: "{{ ansible_user }}"
       ansible.builtin.git:
         repo: "{{ yay_git_repo }}"
         dest: "{{ yay_src_path }}"
 
     # note: this only works because SUDOERS password prompt is disabled
     - name: Build and install
-      become: false
+      become_user: "{{ ansible_user }}"
       ansible.builtin.command:
         chdir: "{{ yay_src_path }}"
         cmd: "makepkg -si -f --noconfirm"

roles/dhcpd/templates/dhcpd4@.service.j2

@@ -2,7 +2,8 @@
 
 [Unit]
 Description=IPv4 DHCP server on %I
-After=sys-subsystem-net-devices-%i.device
+After=sys-subsystem-net-devices-%i.device network-online.target
+Wants=network-online.target
 BindsTo=sys-subsystem-net-devices-%i.device
 
 [Service]

roles/nginx/tasks/main.yml

@@ -56,6 +56,12 @@
     state: started
   when: acme_email is defined
 
+- name: Remove default nginx vhost (Arch ships one that conflicts)
+  ansible.builtin.file:
+    path: "{{ nginx_conf_dir }}/default.conf"
+    state: absent
+  notify: Reload nginx
+
 - name: Ensure nginx conf.d directory exists
   ansible.builtin.file:
     path: "{{ nginx_conf_dir }}"

roles/nginx/templates/vhost-acme.conf.j2

@@ -1,41 +0,0 @@
-# HTTPS vhost with Let's Encrypt (Certbot) for {{ server_name }}
-# Managed by Ansible - DO NOT EDIT MANUALLY
-
-server {
-    listen 80;
-    server_name {{ server_name }};
-
-    # Certbot webroot for ACME challenges
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Redirect to HTTPS
-    location / {
-        return 301 https://$server_name$request_uri;
-    }
-}
-
-server {
-    listen 443 ssl;
-    server_name {{ server_name }};
-
-    # Let's Encrypt certificates (managed by Certbot)
-    ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;
-
-    # SSL configuration
-    ssl_protocols {{ nginx_ssl_protocols }};
-    ssl_prefer_server_ciphers on;
-
-{% if nginx_log_backend == 'journald' %}
-    access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_{{ server_name | replace('.', '_') }};
-    error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_{{ server_name | replace('.', '_') }};
-{% else %}
-    access_log /var/log/nginx/{{ server_name }}_access.log main;
-    error_log /var/log/nginx/{{ server_name }}_error.log;
-{% endif %}
-
-    # Service-specific configuration included below
-    {{ vhost_config | default('') }}
-}

roles/ntfy/tasks/main.yml

@@ -79,9 +79,17 @@
     mode: "0644"
   notify: Reload systemd user
 
+- name: Check if lingering is enabled for {{ ansible_user }}
+  ansible.builtin.stat:
+    path: "/var/lib/systemd/linger/{{ ansible_user }}"
+  register: linger_file
+
 - name: Enable lingering for user {{ ansible_user }}
   ansible.builtin.command: "loginctl enable-linger {{ ansible_user }}"
-  when: ansible_user != 'root'
+  changed_when: true
+  when:
+    - ansible_user != 'root'
+    - not linger_file.stat.exists
 
 - name: Enable and start ntfy service (user scope)
   ansible.builtin.systemd:
@@ -126,6 +134,12 @@
   become: false
   become_user: "{{ ansible_user }}"
 
+- name: Provision TLS certificate for ntfy
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ ntfy_nginx_hostname }}"
+  when: ntfy_nginx_enabled
+
 - name: Deploy nginx vhost configuration for ntfy
   ansible.builtin.template:
     src: nginx-vhost.conf.j2

roles/sshd/defaults/main.yml

@@ -1,7 +1,8 @@
 ---
 ssh_port: 22
-ssh_allowed_network: "192.168.1.0/24"
+ssh_allowed_networks:
-ssh_allowed_vpn_network: "192.168.27.0/27"
+  - { src: "192.168.1.0/24", comment: "SSH from LAN" }
+  - { src: "192.168.27.0/27", comment: "SSH from VPN" }
 ssh_users: "jokester" # space separated if many
 ssh_config_dir: "/etc/ssh"
 sshd_config: "{{ ssh_config_dir }}/sshd_config"

roles/sshd/tasks/main.yml

@@ -20,23 +20,15 @@
     name: "{{ ssh_service_name }}"
     enabled: true
 
-- name: Allow local network incoming connection
+- name: Allow SSH incoming connections
   community.general.ufw:
     rule: allow
     port: "{{ ssh_port }}"
     proto: tcp
-    from: "{{ ssh_allowed_network }}"
+    from: "{{ item.src }}"
     direction: in
-    comment: "SSH from local network"
+    comment: "{{ item.comment }}"
-
+  loop: "{{ ssh_allowed_networks }}"
-- name: Allow SSH VPN incoming connection
-  community.general.ufw:
-    rule: allow
-    port: "{{ ssh_port }}"
-    proto: tcp
-    from: "{{ ssh_allowed_vpn_network }}"
-    direction: in
-    comment: "SSH from VPN network"
 
 # TODO
 # - name: Add SSH public key to authorized_keys
@@ -105,8 +97,3 @@
     enabled: true
     state: started
 
-- name: Start and enable fail2ban
-  ansible.builtin.service:
-    name: fail2ban
-    state: started
-    enabled: true

roles/tooling/tooling.yml

@@ -40,3 +40,21 @@
     name: iperf3
     state: present
   changed_when: false
+
+- name: Install vi
+  package:
+    name: vi
+    state: present
+  changed_when: false
+
+- name: Install vim
+  package:
+    name: vim
+    state: present
+  changed_when: false
+
+- name: Install nano
+  package:
+    name: nano
+    state: present
+  changed_when: false

roles/uptime_kuma/tasks/main.yml

@@ -70,6 +70,12 @@
   become: false
   become_user: "{{ ansible_user }}"
 
+- name: Provision TLS certificate for uptime-kuma
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ uptime_kuma_nginx_hostname }}"
+  when: uptime_kuma_nginx_enabled
+
 - name: Deploy nginx vhost configuration for uptime-kuma
   ansible.builtin.template:
     src: nginx-vhost.conf.j2

roles/uptime_kuma/templates/nginx-vhost.conf.j2

@@ -46,9 +46,10 @@ server {
         # WebSocket support for real-time updates
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+        proxy_set_header Connection $http_connection;
 
         # Disable buffering for real-time updates
         proxy_buffering off;
+        proxy_read_timeout 3600s;
     }
 }

roles/zsh/files/alacritty.terminfo

@@ -0,0 +1,76 @@
+alacritty|alacritty terminal emulator,
+	OTbs, am, bce, ccc, hs, km, mc5i, mir, msgr, npc, xenl, AX, XF, XT,
+	colors#256, cols#80, it#8, lines#24, pairs#32767,
+	acsc=``aaffggiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~,
+	bel=^G, bold=\E[1m, cbt=\E[Z, civis=\E[?25l,
+	clear=\E[H\E[2J, cnorm=\E[?12l\E[?25h, cr=^M,
+	csr=\E[%i%p1%d;%p2%dr, cub=\E[%p1%dD, cub1=^H,
+	cud=\E[%p1%dB, cud1=^J, cuf=\E[%p1%dC, cuf1=\E[C,
+	cup=\E[%i%p1%d;%p2%dH, cuu=\E[%p1%dA, cuu1=\E[A,
+	cvvis=\E[?12;25h, dch=\E[%p1%dP, dch1=\E[P, dim=\E[2m,
+	dl=\E[%p1%dM, dl1=\E[M, dsl=\E]2;\007, ech=\E[%p1%dX,
+	ed=\E[J, el=\E[K, el1=\E[1K, fsl=^G, home=\E[H,
+	hpa=\E[%i%p1%dG, ht=^I, hts=\EH, ich=\E[%p1%d@,
+	il=\E[%p1%dL, il1=\E[L, ind=^J, indn=\E[%p1%dS,
+	initc=\E]4;%p1%d;rgb\:%p2%{255}%*%{1000}%/%2.2X/%p3%{255}%*%{1000}%/%2.2X/%p4%{255}%*%{1000}%/%2.2X\E\\,
+	invis=\E[8m, is2=\E[!p\E[?3;4l\E[4l\E>, kDC=\E[3;2~,
+	kEND=\E[1;2F, kHOM=\E[1;2H, kIC=\E[2;2~, kLFT=\E[1;2D,
+	kNXT=\E[6;2~, kPRV=\E[5;2~, kRIT=\E[1;2C, kb2=\EOE,
+	kbs=\177, kcbt=\E[Z, kcub1=\EOD, kcud1=\EOB, kcuf1=\EOC,
+	kcuu1=\EOA, kdch1=\E[3~, kend=\EOF, kent=\EOM, kf1=\EOP,
+	kf10=\E[21~, kf11=\E[23~, kf12=\E[24~, kf13=\E[1;2P,
+	kf14=\E[1;2Q, kf15=\E[1;2R, kf16=\E[1;2S, kf17=\E[15;2~,
+	kf18=\E[17;2~, kf19=\E[18;2~, kf2=\EOQ, kf20=\E[19;2~,
+	kf21=\E[20;2~, kf22=\E[21;2~, kf23=\E[23;2~,
+	kf24=\E[24;2~, kf25=\E[1;5P, kf26=\E[1;5Q, kf27=\E[1;5R,
+	kf28=\E[1;5S, kf29=\E[15;5~, kf3=\EOR, kf30=\E[17;5~,
+	kf31=\E[18;5~, kf32=\E[19;5~, kf33=\E[20;5~,
+	kf34=\E[21;5~, kf35=\E[23;5~, kf36=\E[24;5~,
+	kf37=\E[1;6P, kf38=\E[1;6Q, kf39=\E[1;6R, kf4=\EOS,
+	kf40=\E[1;6S, kf41=\E[15;6~, kf42=\E[17;6~,
+	kf43=\E[18;6~, kf44=\E[19;6~, kf45=\E[20;6~,
+	kf46=\E[21;6~, kf47=\E[23;6~, kf48=\E[24;6~,
+	kf49=\E[1;3P, kf5=\E[15~, kf50=\E[1;3Q, kf51=\E[1;3R,
+	kf52=\E[1;3S, kf53=\E[15;3~, kf54=\E[17;3~,
+	kf55=\E[18;3~, kf56=\E[19;3~, kf57=\E[20;3~,
+	kf58=\E[21;3~, kf59=\E[23;3~, kf6=\E[17~, kf60=\E[24;3~,
+	kf61=\E[1;4P, kf62=\E[1;4Q, kf63=\E[1;4R, kf7=\E[18~,
+	kf8=\E[19~, kf9=\E[20~, khome=\EOH, kich1=\E[2~,
+	kind=\E[1;2B, kmous=\E[M, knp=\E[6~, kpp=\E[5~,
+	kri=\E[1;2A, mc0=\E[i, mc4=\E[4i, mc5=\E[5i, meml=\El,
+	memu=\Em, oc=\E]104\007, op=\E[39;49m, rc=\E8,
+	rep=%p1%c\E[%p2%{1}%-%db, rev=\E[7m, ri=\EM,
+	rin=\E[%p1%dT, ritm=\E[23m, rmacs=\E(B, rmam=\E[?7l,
+	rmcup=\E[?1049l\E[23;0;0t, rmir=\E[4l, rmkx=\E[?1l\E>,
+	rmm=\E[?1034l, rmso=\E[27m, rmul=\E[24m,
+	rs1=\Ec\E]104\007, rs2=\E[!p\E[?3;4l\E[4l\E>, sc=\E7,
+	setab=\E[%?%p1%{8}%<%t4%p1%d%e%p1%{16}%<%t10%p1%{8}%-%d%e48;5;%p1%d%;m,
+	setaf=\E[%?%p1%{8}%<%t3%p1%d%e%p1%{16}%<%t9%p1%{8}%-%d%e38;5;%p1%d%;m,
+	setb@, setf@,
+	sgr=%?%p9%t\E(0%e\E(B%;\E[0%?%p6%t;1%;%?%p5%t;2%;%?%p2%t;4%;%?%p1%p3%|%t;7%;%?%p4%t;5%;%?%p7%t;8%;m,
+	sgr0=\E(B\E[m, sitm=\E[3m, smacs=\E(0, smam=\E[?7h,
+	smcup=\E[?1049h\E[22;0;0t, smir=\E[4h, smkx=\E[?1h\E=,
+	smm=\E[?1034h, smso=\E[7m, smul=\E[4m, tbc=\E[3g,
+	tsl=\E]2;, u6=\E[%i%d;%dR, u7=\E[6n,
+	u8=\E[?%[;0123456789]c, u9=\E[c, vpa=\E[%i%p1%dd,
+	BD=\E[?2004l, BE=\E[?2004h, Cr=\E]112\007,
+	Cs=\E]12;%p1%s\007, E3=\E[3J, Ms=\E]52;%p1%s;%p2%s\007,
+	PE=\E[201~, PS=\E[200~, Se=\E[0 q, Smulx=\E[4\:%p1%dm,
+	Ss=\E[%p1%d q, Sync=\E[?2026%?%p1%{1}%-%tl%eh%;,
+	kDC3=\E[3;3~, kDC4=\E[3;4~, kDC5=\E[3;5~, kDC6=\E[3;6~,
+	kDC7=\E[3;7~, kDN=\E[1;2B, kDN3=\E[1;3B, kDN4=\E[1;4B,
+	kDN5=\E[1;5B, kDN6=\E[1;6B, kDN7=\E[1;7B, kEND3=\E[1;3F,
+	kEND4=\E[1;4F, kEND5=\E[1;5F, kEND6=\E[1;6F,
+	kEND7=\E[1;7F, kHOM3=\E[1;3H, kHOM4=\E[1;4H,
+	kHOM5=\E[1;5H, kHOM6=\E[1;6H, kHOM7=\E[1;7H,
+	kIC3=\E[2;3~, kIC4=\E[2;4~, kIC5=\E[2;5~, kIC6=\E[2;6~,
+	kIC7=\E[2;7~, kLFT3=\E[1;3D, kLFT4=\E[1;4D,
+	kLFT5=\E[1;5D, kLFT6=\E[1;6D, kLFT7=\E[1;7D,
+	kNXT3=\E[6;3~, kNXT4=\E[6;4~, kNXT5=\E[6;5~,
+	kNXT6=\E[6;6~, kNXT7=\E[6;7~, kPRV3=\E[5;3~,
+	kPRV4=\E[5;4~, kPRV5=\E[5;5~, kPRV6=\E[5;6~,
+	kPRV7=\E[5;7~, kRIT3=\E[1;3C, kRIT4=\E[1;4C,
+	kRIT5=\E[1;5C, kRIT6=\E[1;6C, kRIT7=\E[1;7C, kUP=\E[1;2A,
+	kUP3=\E[1;3A, kUP4=\E[1;4A, kUP5=\E[1;5A, kUP6=\E[1;6A,
+	kUP7=\E[1;7A, kxIN=\E[I, kxOUT=\E[O, rmxx=\E[29m,
+	smxx=\E[9m,

roles/zsh/tasks/alacritty-terminfo.yml

@@ -0,0 +1,21 @@
+---
+- name: Install ncurses for tic command
+  ansible.builtin.package:
+    name: ncurses
+    state: present
+
+- name: Copy alacritty terminfo source
+  ansible.builtin.copy:
+    src: alacritty.terminfo
+    dest: /tmp/alacritty.terminfo
+    mode: "0644"
+
+- name: Compile alacritty terminfo
+  ansible.builtin.command:
+    cmd: tic -x /tmp/alacritty.terminfo
+  changed_when: false
+
+- name: Remove terminfo source
+  ansible.builtin.file:
+    path: /tmp/alacritty.terminfo
+    state: absent

roles/zsh/tasks/main.yml

@@ -4,6 +4,9 @@
     name: zsh
     state: present
 
+- name: Install alacritty terminfo
+  ansible.builtin.include_tasks: alacritty-terminfo.yml
+
 - name: Install zsh plugins
   ansible.builtin.include_tasks: plugins.yml
 - name: Setup zsh for the user(s)

roles/zsh/tasks/plugins.yml

@@ -22,7 +22,7 @@
     repo: "{{ item.repo }}"
     dest: "{{ item.dest }}"
     update: true
-    version: master
+    version: "{{ item.version | default('master') }}"
   loop:
     - repo: https://github.com/zsh-users/zsh-syntax-highlighting.git
       dest: "{{ zsh_plugins_path }}/zsh-syntax-highlighting"
@@ -30,6 +30,16 @@
       dest: "{{ zsh_plugins_path }}/zsh-autosuggestions"
     - repo: https://github.com/romkatv/powerlevel10k.git
       dest: "{{ zsh_plugins_path }}/powerlevel10k"
+    - repo: https://github.com/zsh-users/zsh-history-substring-search.git
+      dest: "{{ zsh_plugins_path }}/zsh-history-substring-search"
+    - repo: https://github.com/Aloxaf/fzf-tab.git
+      dest: "{{ zsh_plugins_path }}/fzf-tab"
+      version: master
+
+- name: Install fzf package
+  ansible.builtin.package:
+    name: fzf
+    state: present
 
 - name: Assert plugins are available for any user
   ansible.builtin.file:
@@ -42,3 +52,5 @@
     - "{{ zsh_plugins_path }}/zsh-syntax-highlighting"
     - "{{ zsh_plugins_path }}/zsh-autosuggestions"
     - "{{ zsh_plugins_path }}/powerlevel10k"
+    - "{{ zsh_plugins_path }}/zsh-history-substring-search"
+    - "{{ zsh_plugins_path }}/fzf-tab"

roles/zsh/tasks/user-setup.yml

@@ -1,4 +1,12 @@
 ---
+- name: Setup .zshenv (environment variables)
+  ansible.builtin.template:
+    src: zshenv.j2
+    dest: "{{ zsh_home }}/.zshenv"
+    owner: "{{ zsh_user }}"
+    group: "{{ zsh_user }}"
+    mode: "0600"
+
 - name: Setup zsh base config
   ansible.builtin.template:
     src: main.zshrc.j2
@@ -31,6 +39,18 @@
     group: "{{ zsh_user }}"
     mode: "0600"
 
+- name: Configure fzf-tab plugin
+  ansible.builtin.copy:
+    dest: "{{ zsh_config_path }}/fzf-tab.zsh"
+    content: |
+      # Enable fzf-tab
+      zstyle ':fzf-tab:*' continuous-trigger 'right'
+      zstyle ':fzf-tab:*' group-colors ''
+      zstyle ':fzf-tab:*' preview-contained-categories true
+    owner: "{{ zsh_user }}"
+    group: "{{ zsh_user }}"
+    mode: "0600"
+
 - name: Change default shell to zsh
   ansible.builtin.user:
     name: "{{ zsh_user }}"

roles/zsh/templates/aliases

@@ -1,3 +1,9 @@
-alias dc="docker compose"
+alias p="podman"
+alias pp="podman play"
+alias pl="podman logs -f"
 alias pc="podman compose"
-alias w="cd ~/workspace"
+alias sd="systemctl"
+alias jd="journalctl -xe"
+alias docker="echo 'use podman instead'"
+alias docker-compose="echo 'use podman-compose instead'"
+alias w='cd $HOME/workspace'

roles/zsh/templates/zshenv.j2

@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+# Essential environment variables - loaded before .zshrc for all sessions
+
+# XDG Base Directory
+export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-$HOME/.config}"
+export XDG_DATA_HOME="${XDG_DATA_HOME:-$HOME/.local/share}"
+export XDG_CACHE_HOME="${XDG_CACHE_HOME:-$HOME/.cache}"
+
+# Enable color support
+export CLICOLOR=1
+export COLORTERM=truecolor
+
+# Less configuration
+export LESS=-R
+export LESS_TERMCAP_mb=$'\E[1;31m'
+export LESS_TERMCAP_md=$'\E[1;36m'
+export LESS_TERMCAP_me=$'\E[0m'
+export LESS_TERMCAP_se=$'\E[0m'
+export LESS_TERMCAP_so=$'\E[1;44;33m'
+export LESS_TERMCAP_ue=$'\E[0m'
+export LESS_TERMCAP_us=$'\E[1;32m'
+
+# Editors
+export EDITOR=vim
+export VISUAL=vim
+
+# Locale
+export LANG=en_US.UTF-8
+export LC_ALL=en_US.UTF-8

roles/zsh/templates/zshrc.j2

@@ -1,24 +1,86 @@
 # {{ ansible_managed }}
 export ZSH_PLUGINS={{ zsh_plugins_path }}
 
+# History configuration
+HISTFILE={{ zsh_config_path }}/.zsh_history
+HISTSIZE=50000
+SAVEHIST=50000
+setopt EXTENDED_HISTORY       # record timestamp of command
+setopt HIST_EXPIRE_DUPS_FIRST # delete duplicates first when trimming
+setopt HIST_IGNORE_DUPS       # ignore duplicated commands
+setopt HIST_IGNORE_SPACE      # ignore commands starting with space
+setopt HIST_VERIFY            # show command with history expansion before running
+setopt SHARE_HISTORY          # share history between sessions
+setopt APPEND_HISTORY         # append to history file, don't overwrite
+
+# Directory navigation
+setopt AUTO_CD               # cd by typing directory name
+setopt AUTO_PUSHD            # push directories on cd
+setopt PUSHD_IGNORE_DUPS     # don't push duplicates
+setopt CORRECT               # correct command spelling
+setopt NO_BEEP               # no beeps
+
+# Force emacs keybindings (zsh defaults to vi when EDITOR=vim)
+bindkey -e
+
+# Completion
+autoload -Uz compinit
+compinit -C                  # faster completion (cache)
+
 # Enable Powerlevel10k instant prompt. Should stay close to the top of ~/.zshrc.
-# Initialization code that may require console input (password prompts, [y/n]
-# confirmations, etc.) must go above this block; everything else may go below.
 if [[ -r "$HOME/.cache/p10k-instant-prompt-${(%):-%n}.zsh" ]]; then
   source "$HOME/.cache/p10k-instant-prompt-${(%):-%n}.zsh"
 fi
 
-# To customize prompt, run `p10k configure` or edit the following file.
-source {{ zsh_p10k_theme_config }}
-
-# Enable syntax highlighting for zsh
-source $ZSH_PLUGINS/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
-
-# Enable autosuggestions
-source $ZSH_PLUGINS/zsh-autosuggestions/zsh-autosuggestions.zsh
-
 # Enable powerlevel10k theme
 source $ZSH_PLUGINS/powerlevel10k/powerlevel10k.zsh-theme
 
+# Load powerlevel10k configuration
+source {{ zsh_p10k_theme_config }}
+
+# Exclude forward-word from partial-accept so that Opt+Right always navigates
+# instead of accepting the next word from the autosuggestion.
+# Right arrow (forward-char) still accepts the full suggestion.
+ZSH_AUTOSUGGEST_PARTIAL_ACCEPT_WIDGETS=(
+  emacs-forward-word
+  vi-forward-word
+  vi-forward-word-end
+  vi-forward-blank-word
+  vi-forward-blank-word-end
+  vi-find-next-char
+  vi-find-next-char-skip
+)
+
+# Enable autosuggestions (before syntax highlighting)
+source $ZSH_PLUGINS/zsh-autosuggestions/zsh-autosuggestions.zsh
+
+# Enable history substring search (before keybindings, before syntax highlighting)
+source $ZSH_PLUGINS/zsh-history-substring-search/zsh-history-substring-search.zsh
+
+# Enable syntax highlighting (must be loaded last)
+source $ZSH_PLUGINS/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+
+# Enable fzf integration (Ctrl+R, Ctrl+T, Alt+C)
+source /usr/share/fzf/key-bindings.zsh
+source /usr/share/fzf/completion.zsh
+
+# Enable fzf-tab for completions (after compinit)
+source $ZSH_PLUGINS/fzf-tab/fzf-tab.zsh
+
+# Source fzf-tab config
+[[ -f {{ zsh_config_path }}/fzf-tab.zsh ]] && source {{ zsh_config_path }}/fzf-tab.zsh
+
+# Source aliases
+[[ -f {{ zsh_config_path }}/aliases ]] && source {{ zsh_config_path }}/aliases
+
 export ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE='fg=8'
-export PROMPT="%n@%m:%~$ "
+
+# Useful keybindings
+bindkey "^[[A" history-substring-search-up
+bindkey "^[[B" history-substring-search-down
+
+# Line and word navigation (Alacritty Cmd/Opt+arrow compatibility)
+bindkey '\eOH' beginning-of-line    # Home / Cmd+Left
+bindkey '\eOF' end-of-line          # End / Cmd+Right
+bindkey '\eb'  backward-word        # Opt+Left
+bindkey '\ef'  forward-word         # Opt+Right