fix(hyprland): add polkit agent, fix portal startup order, restrict ranger to DWM

Launch polkit-kde-authentication-agent at startup. Restart backend
portals (GTK, Hyprland) before the main xdg-desktop-portal to prevent
50s GTK settings proxy timeout. Make ranger DWM-only since Hyprland
uses nautilus and dirvish.

2 files changed, 37 insertions, 11 deletions

diff --git a/archsetup b/archsetup
index f58b130..06e939b 100755
--- a/archsetup
+++ b/archsetup
@@ -329,6 +329,14 @@ preflight_checks() {
             echo "  Must start with lowercase letter, contain only lowercase letters, numbers, underscores"
             exit 1
         fi
+        # Reject reserved system usernames
+        local reserved_users="root bin daemon sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve messagebus polkitd sshd"
+        for reserved in $reserved_users; do
+            if [[ "$username" == "$reserved" ]]; then
+                echo "ERROR: '$username' is a reserved system username"
+                exit 1
+            fi
+        done
         echo "  [OK] Username: $username"
     else
         echo "  [OK] Username: $username (from config)"
@@ -700,7 +708,7 @@ prerequisites() {
         action="configuring locale ($locale)" && display "task" "$action"
         # Uncomment the selected locale in locale.gen (format: "en_US.UTF-8 UTF-8")
         locale_entry="${locale} ${locale##*.}"  # e.g., "en_US.UTF-8 UTF-8"
-        sed -i "s/^#${locale_entry}/${locale_entry}/" /etc/locale.gen
+        sed -i "s|^#${locale_entry}|${locale_entry}|" /etc/locale.gen
         (locale-gen >> "$logfile" 2>&1) || error_warn "$action" "$?"
         echo "LANG=$locale" > /etc/locale.conf
         export LANG="$locale"
@@ -790,8 +798,12 @@ create_user() {
         || error_warn "$action" "$?"
 
     # mount as ramdisk to speed aur/git build/installs
-    (mount -t tmpfs -o size=4G archsetup "$source_dir" >> "$logfile" 2>&1) || \
-        error_fatal "mounting the RAM disk for archsetup" "$?"
+    if ! mountpoint -q "$source_dir" 2>/dev/null; then
+        (mount -t tmpfs -o size=4G archsetup "$source_dir" >> "$logfile" 2>&1) || \
+            error_fatal "mounting the RAM disk for archsetup" "$?"
+    else
+        display "task" "ramdisk already mounted at $source_dir"
+    fi
 
     (chown -R "$username":wheel "$source_dir" >> "$logfile" 2>&1) || \
         error_fatal "changing ownership of $source_dir" "$?"
@@ -814,6 +826,8 @@ user_customizations() {
     # Clone archsetup to user's home directory so dotfile symlinks are accessible.
     # This ensures symlinks point to a user-readable location regardless of how
     # archsetup was invoked (curl|bash, from /root, etc.)
+    # Strategy: clone repo → stow dotfiles from it → user owns symlink targets.
+    # Without this, symlinks could point to /root or a tmpfs that disappears.
     user_archsetup_dir="/home/$username/code/archsetup"
     action="cloning archsetup to user's home directory" && display "task" "$action"
     (mkdir -p "$(dirname "$user_archsetup_dir")" && \
@@ -949,10 +963,12 @@ EOF
 
     # Configure wireless regulatory domain (enables full WiFi capabilities for region)
     # Derive region code from locale (e.g., en_US.UTF-8 → US, de_DE.UTF-8 → DE)
+    # Locale format is ll_CC.ENCODING — the country code at positions 3-4 maps to
+    # ISO 3166-1 alpha-2, which matches the wireless-regdom config format
     current_lang="${LANG:-en_US.UTF-8}"
     wireless_region="${current_lang:3:2}"  # extract country code (positions 3-4)
     action="configuring wireless regulatory domain ($wireless_region)" && display "task" "$action"
-    sed -i "s/^#WIRELESS_REGDOM=\"$wireless_region\"/WIRELESS_REGDOM=\"$wireless_region\"/" /etc/conf.d/wireless-regdom
+    sed -i "s|^#WIRELESS_REGDOM=\"${wireless_region}\"|WIRELESS_REGDOM=\"${wireless_region}\"|" /etc/conf.d/wireless-regdom
 
     # Encrypted DNS (DNS over TLS)
 
@@ -1452,15 +1468,16 @@ When = PostTransaction
 Exec = /usr/bin/runuser -u ARCHSETUP_USERNAME -- /usr/bin/hyprpm update --no-shallow
 HOOKEOF
     # Replace placeholder with actual username
-    sed -i "s/ARCHSETUP_USERNAME/$username/" /etc/pacman.d/hooks/hyprpm.hook
+    sed -i "s/ARCHSETUP_USERNAME/${username}/" /etc/pacman.d/hooks/hyprpm.hook
     chmod 644 /etc/pacman.d/hooks/hyprpm.hook
 
     # Logitech BRIO webcam auto-configuration
     action="creating Logitech BRIO udev rule" && display "task" "$action"
-    cat > /etc/udev/rules.d/99-logitech-brio.rules << UDEVEOF
+    cat > /etc/udev/rules.d/99-logitech-brio.rules << 'UDEVEOF'
 # Apply camera settings when Logitech BRIO is connected
-ACTION=="add", SUBSYSTEM=="video4linux", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="085e", ATTR{index}=="0", RUN+="/home/$username/.local/bin/logitech-brio-settings.sh /dev/%k"
+ACTION=="add", SUBSYSTEM=="video4linux", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="085e", ATTR{index}=="0", RUN+="/home/ARCHSETUP_USERNAME/.local/bin/logitech-brio-settings.sh /dev/%k"
 UDEVEOF
+    sed -i "s/ARCHSETUP_USERNAME/${username}/" /etc/udev/rules.d/99-logitech-brio.rules
     chmod 644 /etc/udev/rules.d/99-logitech-brio.rules
 }
 
@@ -1879,6 +1896,11 @@ EOF
     fi
     action="enabling docker service to launch on boot" && display "task" "$action"
     systemctl enable docker.service >> "$logfile" 2>&1  || error_warn "$action" "$?"
+
+    # podman (rootless containers for winvm)
+    pacman_install podman
+    pacman_install podman-compose
+    pacman_install python-dotenv
 }
 
 ### Supplemental Software
@@ -1926,7 +1948,9 @@ supplemental_software() {
     pacman_install perl-image-exiftool               # reads/writes exif info for raw photo files
     pacman_install poppler-glib                      # poppler-glib document viewer library
     pacman_install pv                                # monitor progress of data through pipeline
-    pacman_install ranger                            # terminal file manager (X11, ueberzug)
+    if [[ "$desktop_env" == "dwm" ]]; then
+        pacman_install ranger                        # terminal file manager (X11, ueberzug)
+    fi
     pacman_install rclone                            # syncs files from gdrive, s3, dropbox, etc.
     pacman_install signal-desktop                    # secure messenger
     if [[ "$desktop_env" == "hyprland" ]]; then
diff --git a/dotfiles/hyprland/.config/hypr/hyprland.conf b/dotfiles/hyprland/.config/hypr/hyprland.conf
index 12efa23..e03e18e 100644
--- a/dotfiles/hyprland/.config/hypr/hyprland.conf
+++ b/dotfiles/hyprland/.config/hypr/hyprland.conf
@@ -12,11 +12,13 @@ monitor=,preferred,auto,auto
 # ============================================================================
 # Portal and D-Bus setup FIRST, then waybar (needs portal for appearance query)
 exec-once = dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP HYPRLAND_INSTANCE_SIGNATURE
-# Portal restart (not start) reconnects stale portals on Hyprland restart; waybar
-# chained after so it doesn't block 25s waiting for a dead portal's appearance query
-exec-once = systemctl --user restart xdg-desktop-portal-hyprland xdg-desktop-portal && waybar > ~/.local/var/log/waybar-$(date +%Y-%m-%d-%H%M%S).log 2>&1
+# Portal restart (not start) reconnects stale portals on Hyprland restart.
+# Backend portals (GTK, Hyprland) must restart BEFORE the main portal to avoid
+# a 50s GTK settings proxy timeout. Waybar starts after portals are ready.
+exec-once = systemctl --user restart xdg-desktop-portal-hyprland xdg-desktop-portal-gtk && systemctl --user restart xdg-desktop-portal && waybar > ~/.local/var/log/waybar-$(date +%Y-%m-%d-%H%M%S).log 2>&1
 
 # Core services
+exec-once = /usr/lib/polkit-kde-authentication-agent-1
 exec-once = /usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh
 exec-once = dunst > ~/.local/var/log/dunst-$(date +%Y-%m-%d-%H%M%S).log 2>&1
 exec-once = hyprland-plugins-setup && sleep 1 && hyprctl dismissnotify -1