Appendix: Commands Learned

Commands Learned

New or non-obvious commands encountered during this deployment:

Command What It Does

Command	What It Does
`ip -o link show \| grep 'link/ether' \| awk '…'`	Reliable MAC extraction — field position varies with altname, `for` loop finds `link/ether` regardless
`sudo -E BORG_PASSPHRASE="$BORG_PASSPHRASE" borg …`	Pass env vars through sudo (`-E` preserves environment)
`sudo mount -o uid=$(id -u),gid=$(id -g) /dev/sdX1 /mnt`	Mount FAT32/exFAT as your user so `cp` works without sudo
`ssh -F /dev/null -i key user@host`	Bypass SSH config entirely — ignores `Host *` block that forces pubkey-only
`rsync -avz -e "ssh -F /dev/null" source dest`	rsync with SSH config bypass for password auth
`scp -F /dev/null -i key files user@host:path`	scp with SSH config bypass (scp uses `-F` not `-e`)
`ssh -l git -p 443 -T ssh.github.com`	SSH to GitHub over HTTPS port — `-l git` is critical (sends "git" as username, not your local user)
`GIT_SSH_COMMAND="ssh -p 443 -l git" git clone ssh://ssh.github.com:443/user/repo.git`	Clone via port 443 when port 22 is blocked. `ssh://` URL format required for non-standard ports.
`git remote set-url origin git@github.com:user/repo.git`	Fix remote URL after cloning with port 443 workaround
`gopass show -f path` (not `-c`)	Print secret to console over SSH — `-c` (clipboard) fails without wl-clipboard
`sed -i 's/^#\?Pattern.*/Replacement/' file`	`^\?` matches lines starting with optional — handles both commented and uncommented states
`echo $NVIM_APPNAME`	Reveals which nvim config directory is active — `nvim-domus` means `~/.config/nvim-domus/`
`sgdisk -t 2:ea00 /dev/nvme0n1`	Change partition type without reformatting — preserves data
`efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "Arch Linux" --loader /EFI/systemd/systemd-bootx64.efi`	Register EFI boot entry when firmware doesn’t auto-detect it
`sudo sshd -T \| grep setting`	Show sshd RUNTIME config — what’s actually enforced, not just what’s in the file
`find ~/.gnupg -name "*.lock" -delete && gpgconf --kill all`	Clear stale GPG locks after rsync from another machine
`pacman -Q <package>`	Check if a package is already installed before running `pacman -S`
`pacman -Ss <search-term>`	Search repos for a package (fuzzy match)
`pacman -F <library-name>.so`	Find which package provides a missing shared library (run `sudo pacman -Fy` first to update file database)
`pacman -Qo /usr/lib/<library>.so`	Check what package owns an installed file on a working machine (baseline comparison)
`ldd /usr/bin/<binary> \| grep "not found"`	Find ALL missing shared libraries for a binary at once — stops chasing them one at a time
`gpg-connect-agent updatestartuptty /bye`	Tell running gpg-agent to use current terminal’s TTY for pinentry — required for SSH sessions when desktop is running
`readlink -f <symlink>`	Follow entire symlink chain to the final target — reveals broken chains

ip -o link show | grep 'link/ether' | awk '…'

Reliable MAC extraction — field position varies with altname, for loop finds link/ether regardless

sudo -E BORG_PASSPHRASE="$BORG_PASSPHRASE" borg …

Pass env vars through sudo (-E preserves environment)

sudo mount -o uid=$(id -u),gid=$(id -g) /dev/sdX1 /mnt

Mount FAT32/exFAT as your user so cp works without sudo

ssh -F /dev/null -i key user@host

Bypass SSH config entirely — ignores Host * block that forces pubkey-only

rsync -avz -e "ssh -F /dev/null" source dest

rsync with SSH config bypass for password auth

scp -F /dev/null -i key files user@host:path

scp with SSH config bypass (scp uses -F not -e)

ssh -l git -p 443 -T ssh.github.com

SSH to GitHub over HTTPS port — -l git is critical (sends "git" as username, not your local user)

GIT_SSH_COMMAND="ssh -p 443 -l git" git clone ssh://ssh.github.com:443/user/repo.git

Clone via port 443 when port 22 is blocked. ssh:// URL format required for non-standard ports.

git remote set-url origin git@github.com:user/repo.git

Fix remote URL after cloning with port 443 workaround

gopass show -f path (not -c)

Print secret to console over SSH — -c (clipboard) fails without wl-clipboard

sed -i 's/^#\?Pattern.*/Replacement/' file

^\? matches lines starting with optional — handles both commented and uncommented states

echo $NVIM_APPNAME

Reveals which nvim config directory is active — nvim-domus means ~/.config/nvim-domus/

sgdisk -t 2:ea00 /dev/nvme0n1

Change partition type without reformatting — preserves data

efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "Arch Linux" --loader /EFI/systemd/systemd-bootx64.efi

sudo sshd -T | grep setting

Show sshd RUNTIME config — what’s actually enforced, not just what’s in the file

find ~/.gnupg -name "*.lock" -delete && gpgconf --kill all

Clear stale GPG locks after rsync from another machine

pacman -Q <package>

Check if a package is already installed before running pacman -S

pacman -Ss <search-term>

Search repos for a package (fuzzy match)

pacman -F <library-name>.so

Find which package provides a missing shared library (run sudo pacman -Fy first to update file database)

pacman -Qo /usr/lib/<library>.so

Check what package owns an installed file on a working machine (baseline comparison)

ldd /usr/bin/<binary> | grep "not found"

Find ALL missing shared libraries for a binary at once — stops chasing them one at a time

gpg-connect-agent updatestartuptty /bye

Tell running gpg-agent to use current terminal’s TTY for pinentry — required for SSH sessions when desktop is running

readlink -f <symlink>

Follow entire symlink chain to the final target — reveals broken chains