-### path
-# typeset -U makes every array entry unique
-# /usr/{pkg,local,games} are unix/bsdisms
-typeset -U path
-path=({~/,/,/usr/}sbin {~/,/,/usr/}bin /usr/pkg/{s,}bin /usr/X11R{7,6}/bin
- /usr/local/{s,}bin /usr/games $path)
-
-### posix
-export EDITOR=vim
-export PAGER=less
-export GREP_OPTIONS=--color=auto
-export LANG="en_US.UTF-8"
-export LC_CTYPE="$LANG"
-
-### xdg
-export XDG_CONFIG_HOME=~/etc
-export XDG_CONFIG_DIRS=~/.config:/usr/pkg/etc/xdg:/usr/local/etc/xdg:/etc/xdg
-export XDG_DATA_HOME=~/share
-export XDG_DATA_DIRS=~/.local/share/:/usr/pkg/share/:/usr/local/share/:/usr/share/
-export XDG_CACHE_HOME=~/tmp
-
-### applications
-export DVTM_TERM=rxvt-unicode
-export PYTHONSTARTUP=~/.pythonrc
-
-### freebsd
-if [[ "$OSTYPE" = "freebsd" ]]; then
- export CLICOLOR=
- export LS_COLORS='di=34:ln=35:so=32:pi=33:ex=31:bd=46;34:cd=43;34:su=41;30:sg=46;30:tw=42;30:ow=43;30'
-fi
+### unset unwanted options that could be set in /etc/zshenv
+unsetopt SH_WORD_SPLIT KSH_ARRAYS
+
+### check if su
+if [[ -v _sev_olduser && $_sev_olduser != $USERNAME ]] _sev_reset_shell=
+export _sev_olduser=$USERNAME
+
+### exports for all new shells
+if [[ -v _sev_reset_shell || $SHLVL == 1 ]] {
+ ## lang
+ export CHARSET=UTF-8
+ export LANG=en_US.UTF-8
+ export LC_CTYPE=$LANG
+
+ ## path
+ typeset -U path fpath
+ if [[ $SHLVL == 1 ]] {
+ # take a backup before any customizations
+ export _sev_sys_PATH=$PATH
+ export _sev_sys_FPATH=$FPATH
+ }
+ # /usr/{pkg,local,games} are unix/bsdisms
+ path=({~/,/,/usr/}sbin {~/,/,/usr/}bin /usr/pkg/{s,}bin /usr/X11R{7,6}/bin
+ /usr/local/{s,}bin /usr/games)
+ PATH=$PATH:$_sev_sys_PATH
+ fpath=(${ZDOTDIR:-$HOME/.zsh}/functions/{*,Completions/*}(N))
+ #fpath is not exported by default
+ export FPATH=$FPATH:$_sev_sys_FPATH
+ # take another backup, explained in .zprofile
+ typeset -U _backup_path
+ _backup_path=("${path[@]}")
+
+ ## xdg
+ export XDG_CONFIG_HOME=~/etc
+ export XDG_CONFIG_DIRS=~/.config:/usr/pkg/etc/xdg:/usr/local/etc/xdg:/etc/xdg
+ export XDG_DATA_HOME=~/share
+ export XDG_DATA_DIRS=~/.local/share:/usr/pkg/share:/usr/local/share:/usr/share
+ export XDG_CACHE_HOME=~/tmp
+ export XDG_RUNTIME_DIR=~/tmp
+ if [[ -e $XDG_CONFIG_HOME/user-dirs.dirs ]] {
+ source $XDG_CONFIG_HOME/user-dirs.dirs
+ }
+
+ ## create tmp link
+ t=${TMPDIR:-/tmp}/home-$LOGNAME
+ if [[ ! -e $t ]] {
+ mkdir -m 700 $t >/dev/null 2>&1
+ # TODO: check if dir exists after mkdir
+ }
+ # allow opaque entries to override link creation
+ if [[ ! -e $XDG_RUNTIME_DIR ]] {
+ ln -sf $t $XDG_RUNTIME_DIR >/dev/null 2>&1
+ }
+ unset t
+
+ ## ssh agents
+ # NOTE: preferred order of agents to check: okcagent, gnupg, openssh
+ # first block takes care of okcagent and openssh, second gnupg
+ [[ -o interactive ]] && print -nP "%F{blue}>>>%f SSH: %F{green}"
+ if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] ||
+ ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] {
+ okc=${commands[okc-ssh-agent]:+okc-}
+ agentfile=~/tmp/${okc}ssh-agent-exports
+ typeset sock=
+ typeset -i pid=
+ if [[ -f $agentfile ]] {
+ IFS=$'\0' read -r sock pid <$agentfile
+ }
+ if [[ -S $sock && $pid > 0 ]] && kill -0 $pid; then
+ [[ -o interactive ]] && echo "Reusing agent pid $pid"
+ export SSH_AUTH_SOCK=$sock
+ export SSH_AGENT_PID=$pid
+ else
+ # TODO: ensure ssh-agent path looks legit
+ # to avoid unsafe eval?
+ # NOTE: no way around doing redirection like this I think
+ e=${okc}ssh-agent
+ if [[ -o interactive ]] {
+ eval `$e`
+ } else {
+ eval `$e` >/dev/null 2>&1
+ }
+ echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$agentfile
+ fi
+ unset okc agentfile sock pid
+ } elif [[ -v commands[gpg] && ! -S $_GNUPG_SOCK_DEST && \
+ ( ! -v SSH_AUTH_SOCK || -v DISPLAY ) ]] {
+ export GPG_TTY=$(tty)
+ export PINENTRY_USER_DATA=USE_TTY=$((!${+DISPLAY}))
+ gpg-connect-agent UPDATESTARTUPTTY /bye >/dev/null 2>&1
+ [[ -o interactive ]] && gpg-connect-agent /subst /serverpid \
+ '/echo GPG agent pid ${get serverpid}' /bye
+ [[ ! -v SSH_AUTH_SOCK ]] && \
+ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+ } else {
+ [[ -o interactive ]] && echo "Pre-existing or remote agent"
+ }
+
+ ## gpg ssh forwarding
+ # ssh automatically tunnels SSH_AUTH_SOCK with the right config, but GPG
+ # doesn't—we use a RemoteForward rule in ~/.ssh/config that uses these env
+ # vars to push the gpg extra socket through when connecting via ssh
+ # HACK: this entire thing sucks but there is no other easy way that works
+ # out of the box with other systems
+ if [[ -v commands[gpgconf] ]] {
+ # if already connected over SSH, reuse forwarded socket for future
+ # connections; else use extra socket
+ sock=${SSH_CLIENT:+agent-socket}
+ export _GNUPG_SOCK_SRC=$(gpgconf --list-dirs ${sock:-agent-extra-socket})
+ unset sock
+ # XXX: multiple SSH sessions to the same host will overwrite this
+ # socket, no way to send unique paths without configuring explicit
+ # SendEnv and AcceptEnv exclusions on client and host respectively
+ export _GNUPG_SOCK_DEST=/tmp/.gpg-agent-forward
+ # if socket exists already, we are on a RemoteForwarded client, so copy
+ # it over so that GPG sees it
+ # XXX: race condition if connecting multiple terminals at once
+ if [[ -S $_GNUPG_SOCK_DEST ]] {
+ unlink $_GNUPG_SOCK_SRC >/dev/null 2>&1
+ mv $_GNUPG_SOCK_DEST $_GNUPG_SOCK_SRC >/dev/null
+ }
+ }
+}
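Review bot: The `## create tmp link` block trusts `${TMPDIR:-/tmp}/home-$LOGNAME` without checking who owns it. When the path already exists, `mkdir` is skipped and its errors are discarded either way, so a directory or symlink pre-created by another local user in world-writable /tmp becomes the target of `~/tmp`. That directory then backs `XDG_RUNTIME_DIR`, `XDG_CACHE_HOME` and the `ssh-agent-exports` file whose contents are exported as `SSH_AUTH_SOCK`. I would resolve the existing TODO by always running `mkdir`, then requiring a real directory owned by the current user before linking, and skipping the agent-file reuse when that check fails. The fixed `_GNUPG_SOCK_DEST=/tmp/.gpg-agent-forward` near the end has the same shared-/tmp trust problem, because whatever socket sits there is moved into the GnuPG socket path; an ownership test (`-O`) before the `mv` would narrow it.

```zsh
t=${TMPDIR:-/tmp}/home-$LOGNAME
# mkdir is atomic: if it succeeds the directory is ours; if it fails the
# path already existed and has to be vetted before anything is put in it
mkdir -m 700 $t >/dev/null 2>&1
if [[ -d $t && ! -L $t && -O $t ]] {
  # … unchanged: ln -sf guarded by [[ ! -e $XDG_RUNTIME_DIR ]] …
} else {
  print -u2 "refusing $t: not a directory owned by $USERNAME"
}
```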