Configuracion inicial completa del entorno personal

Modulos de restauracion:
- bootstrap: instala yq, age y dependencias base (curl, wget, git, nano, gpg)
- ssh: descifra e instala claves SSH desde secrets/sshKeys.tar.gz.age
- registry: aplica paquetes apt/snap/flatpak, dotfiles, servicios y configs Docker
- thunderbird: instala Thunderbird snap y restaura perfil desde ZIP
- claudeCode: configura repositorio apt de Anthropic e instala claude-code
- easyEffects: restaura configuracion y presets desde ZIP
- wireplumber: restaura dispositivo Bluetooth por defecto y perfiles de audio
- cups: restaura impresoras y drivers PPD desde ZIP

Scripts de captura (correr antes de push):
- scripts/encryptSsh.sh: cifra ~/.ssh con age
- scripts/thunderbird/capture.sh: captura perfil de Thunderbird snap
- scripts/easyEffects/capture.sh: captura config de EasyEffects flatpak
- scripts/wireplumber/capture.sh: captura estado de WirePlumber
- scripts/cups/capture.sh: captura impresoras CUPS y PPDs (requiere sudo)

Registro de aplicaciones (config/registry.yaml):
- 9 paquetes apt, 1 snap (dbeaver-ce), 22 flatpaks incluyendo VSCodium,
  Bitwarden, Inkscape, LibreOffice, OBS Studio, Nextcloud Desktop, entre otros

Secretos incluidos:
- secrets/sshKeys.tar.gz.age: claves SSH cifradas con age
- secrets/thunderbirdProfile.zip: perfil de Thunderbird sin emails ni cache
- secrets/easyEffectsConfig.zip: ajustes y presets de salida de audio
- secrets/wireplumberState.zip: estado de audio incluyendo auriculares Bluetooth
- secrets/cupsConfig.zip: 5 impresoras configuradas con sus drivers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

modules/ssh.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+set -euo pipefail
+source "$stpRoot/lib/log.sh"
+source "$stpRoot/lib/utils.sh"
+
+readonly sshDestination="$HOME/.ssh"
+readonly encryptedArchive="$stpRoot/secrets/sshKeys.tar.gz.age"
+
+sshPermissionsForFile() {
+    local keyFilename="$1"
+    case "$keyFilename" in
+        *.pub|known_hosts|config) echo 644 ;;
+        *) echo 600 ;;
+    esac
+}
+
+ensureSshDirectoryExists() {
+    if [[ ! -d "$sshDestination" ]]; then
+        mkdir -p "$sshDestination"
+        chmod 700 "$sshDestination"
+    fi
+}
+
+decryptArchiveInto() {
+    local workingDirectory="$1"
+    log::info "Ingresá la passphrase para descifrar las claves SSH:"
+    if ! age -d -o "$workingDirectory/sshKeys.tar.gz" "$encryptedArchive"; then
+        log::error "Error al descifrar. Verificá la passphrase."
+        return 1
+    fi
+    tar -xzf "$workingDirectory/sshKeys.tar.gz" -C "$workingDirectory"
+}
+
+installSshKey() {
+    local sourceFile="$1"
+    local keyFilename
+    keyFilename="$(basename "$sourceFile")"
+    local destination="$sshDestination/$keyFilename"
+
+    if [[ -f "$destination" ]]; then
+        log::warn "Ya existe (salteando): $keyFilename"
+        return 1
+    fi
+
+    cp "$sourceFile" "$destination"
+    chmod "$(sshPermissionsForFile "$keyFilename")" "$destination"
+    log::ok "Instalada: $keyFilename"
+}
+
+installAllKeysFrom() {
+    local sourceDirectory="$1"
+    local installedCount=0 skippedCount=0
+
+    for sourceFile in "$sourceDirectory/.ssh/"*; do
+        [[ -f "$sourceFile" ]] || continue
+        if installSshKey "$sourceFile"; then
+            ((++installedCount))
+        else
+            ((++skippedCount))
+        fi
+    done
+
+    log::ok "$installedCount clave(s) instaladas, $skippedCount salteada(s)"
+}
+
+if [[ ! -f "$encryptedArchive" ]]; then
+    log::warn "Archivo de claves no encontrado: secrets/sshKeys.tar.gz.age"
+    log::warn "Para cifrar tus claves actuales: bash scripts/encryptSsh.sh"
+    exit 0
+fi
+
+if ! util::cmdExists age; then
+    log::error "age no está instalado. Ejecutá primero el módulo bootstrap"
+    exit 1
+fi
+
+log::info "Restaurando claves SSH..."
+
+workingDirectory="$(mktemp -d)"
+trap 'rm -rf "$workingDirectory"' EXIT
+
+decryptArchiveInto "$workingDirectory"
+ensureSshDirectoryExists
+installAllKeysFrom "$workingDirectory"