various updates

infrastructure/graduated/arch/README.md

@@ -18,6 +18,8 @@ instructions for building a:
     - [Base Tools](#base-tools)
     - [ZSH](#zsh)
     - [Prompt Themes](#prompt-themes)
+    - [Pacman](#pacman)
+      - [Rollback previous upgrade](#rollback-previous-upgrade)
     - [AUR](#aur)
     - [Security](#security)
       - [Secure Boot](#secure-boot)
@@ -325,15 +327,59 @@ promptinit
 prompt grml
 ```
 
+### Pacman
+
+<https://wiki.archlinux.org/title/Pacman>
+
+#### Rollback previous upgrade
+
+This script will roll back a pacman update if something goes wrong.
+
+~/.local/scripts/rollback_update.sh
+
+```bash
+#!/bin/bash
+
+# Extract the list of most recent updates and save them to /tmp/lastupdates.txt
+grep -a upgraded /var/log/pacman.log| grep $(date +"%Y-%m-%d") > /tmp/lastupdates.txt
+
+# Extract the package names, save to /tmp/lines1
+awk '{print $4}' /tmp/lastupdates.txt > /tmp/lines1
+
+# Extract the previous version of each package, save to /tmp/lines2
+awk '{print $5}' /tmp/lastupdates.txt | sed 's/(/-/g' > /tmp/lines2
+
+# concat package name with previous version, save to /tmp/lines
+paste /tmp/lines1 /tmp/lines2 > /tmp/lines
+
+# Remove the whitespace between the package name and the version
+tr -d "[:blank:]" < /tmp/lines > /tmp/packages
+
+# Old versions of packages are stored here
+cd /var/cache/pacman/pkg/
+
+# For each package, install from cache
+for i in $(cat /tmp/packages);
+do
+    sudo pacman --noconfirm -U "$i"*
+done
+```
+
 ### AUR
 
 The AUR lets you install community-created and maintained packages. Here are the basics:
 
 ```bash
 pacman -S --needed git base-devel
-mkdir ~/AUR
+
+# For packages you plan on keeping (works with auto-update script)
+mkdir -p ~/AUR/install
+
+# For packages you are experimenting with (no auto-update)
+mkdir -p ~/AUR/inspect
 
 # When you find a project, the basic installation looks like this:
+cd ~/AUR/inspect
 git clone <git repo from aur>
 cd <folder name>
 ```
@@ -366,28 +412,48 @@ makepkg -si
 ```
 
 We can update our AUR packages with a script. As long as you clone your AUR
-packages into ~/AUR this will work:
+packages into ~/AUR/install this will work:
+
+1. Add `#%sudo   ALL=(ALL) NOPASSWD: /usr/bin/pacman` (commented out) to `/etc/sudoers`
+2. Create the following script:
 
 ~./local/scripts/update-aur.sh
 
 ```bash
 #!/bin/bash
 
-for file in $(ls /home/ducoterra/AUR);
+# Ensure password is required for pacman if ctrl+c pressed
+trap 'on_exit' SIGINT
+
+function on_exit() {
+  # Comment out pacman NOPASSWD line in /etc/sudoers
+  sudo sed -i -E 's/^([^#].*ALL=\(ALL\) NOPASSWD: \/usr\/bin\/pacman)/#\1/g' /etc/sudoers
+  exit
+}
+
+# Allow sudo pacman without password temporarily
+sudo sed -i -E 's/#(.*ALL=\(ALL\) NOPASSWD: \/usr\/bin\/pacman)/\1/g' /etc/sudoers
+
+for file in $(ls ~/AUR/install);
 do
-    cd /home/ducoterra/AUR/$file
-    git pull
-    makepkg -si
+  cd ~/AUR/install/$file
+  git pull
+  makepkg -si --noconfirm
 done
+
+# Ensure sudoers is put back to normal
+on_exit
 ```
 
+Now you can run `~/.local/scripts/update-aur.sh` and update all AUR packages.
+
 ### Security
 
 <https://wiki.archlinux.org/title/security>
 
 Every machine, regardless of use-case, should perform some basic hardening. You don't need to follow
 every instruction in the above wiki, but you should at least enable secure boot, tpm2 disk
-decryption, firewall, apparmor, clamav, btrfs snapshots, and btrfs backups.
+decryption, firewall, clamav, btrfs snapshots, and btrfs backups.
 
 Security Philosophy
 
@@ -687,6 +753,17 @@ Now set up the backup:
     systemctl enable --now btrbk_backup.conf
     ```
 
+Running the backup manually with progress is a good way to make things go well the first time:
+
+```bash
+# Prevent anything from putting the machine to sleep
+systemctl mask sleep.target
+
+btrbk -c /etc/btrbk/backups.conf --progress run
+
+systemctl unmask sleep.target
+```
+
 ##### Backing up a snapshot
 
 ```bash