Diffstat (limited to 'archsetup')
-rwxr-xr-xarchsetup95
1 files changed, 93 insertions, 2 deletions
diff --git a/archsetup b/archsetup
index b07f369..9e03a8b 100755
--- a/archsetup
+++ b/archsetup
@@ -493,6 +493,14 @@ is_btrfs_root() {
[ "$(findmnt -n -o FSTYPE /)" = "btrfs" ]
}
+# CPU Detection
+is_amd_zen5() {
+ # Returns 0 (true) if CPU is AMD Zen 5 (family 26/0x1a)
+ # Used to detect CPUs affected by RDSEED32 bug (CVE-2025-62626)
+ grep -q "AuthenticAMD" /proc/cpuinfo && \
+ grep -E "^cpu family" /proc/cpuinfo | head -1 | grep -q ": 26$"
+}
+
# Encryption Detection
is_encrypted_root() {
# Returns 0 (true) if root filesystem is on an encrypted volume
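Review bot: The comment in `is_amd_zen5` says the function detects CPUs affected by the RDSEED32 bug, but the check only looks at vendor and family, so a family 26 part with corrected microcode matches as well. I would document that limit, e.g. `# Matches every family 26 (0x1a) part regardless of microcode revision: "possibly affected", not "unpatched"`. The vendor test is also an unanchored substring match over the whole file; `grep -q '^vendor_id[[:space:]]*: AuthenticAMD' /proc/cpuinfo` ties it to the intended field. The trailing context lines belong to `is_encrypted_root`, whose body continues outside the hunk.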
@@ -847,6 +855,11 @@ user_customizations() {
(sudo -u "$username" update-desktop-database "/home/$username/.local/share/applications" \
>> "$logfile" 2>&1 ) || true
+ # GTK file chooser settings (stored in dconf, can't be stowed)
+ action="configuring GTK file chooser" && display "task" "$action"
+ (sudo -u "$username" dbus-launch dconf write /org/gtk/settings/file-chooser/sort-directories-first true \
+ >> "$logfile" 2>&1 ) || error_warn "$action" "$?"
+
action="restoring dotfile versions" && display "task" "$action"
(cd "$dotfiles_dir" && git config --global --add safe.directory "$user_archsetup_dir" && \
git restore . >> "$logfile" 2>&1 ) || error_warn "$action" "$?"
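Review bot: `dbus-launch` on the added `dconf write` line starts a session bus daemon that is not stopped when the command finishes, so each run can leave a stray `dbus-daemon` owned by `$username`. `dbus-run-session -- dconf write /org/gtk/settings/file-chooser/sort-directories-first true` runs the command on a private bus and tears the bus down afterwards. It may also be worth using `sudo -H -u "$username"` so the dconf database is certainly written under the user's home and does not depend on the sudoers environment policy. `user_customizations` starts and ends outside the hunk.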
@@ -1225,7 +1238,51 @@ EOF
display "task" "zfs-replicate timer created (enable after SSH key setup to TrueNAS)"
elif is_btrfs_root; then
- display "task" "btrfs filesystem detected"
+ # Btrfs: Install snapper for snapshot management
+ display "task" "btrfs detected - installing snapper and grub-btrfs"
+ pacman_install snapper
+ pacman_install grub-btrfs
+ # inotify-tools is an optional dep of grub-btrfs but required for grub-btrfsd daemon
+ pacman_install inotify-tools
+
+ action="creating snapper configuration for root" && display "task" "$action"
+ # snapper requires the .snapshots subvolume to not exist when creating config
+ # If it already exists (from manual btrfs setup), umount and remove it first
+ if mountpoint -q /.snapshots 2>/dev/null; then
+ umount /.snapshots >> "$logfile" 2>&1
+ fi
+ if [ -d /.snapshots ]; then
+ rmdir /.snapshots >> "$logfile" 2>&1 || true
+ fi
+
+ # Create snapper config (this creates /.snapshots subvolume)
+ if [ ! -f /etc/snapper/configs/root ]; then
+ snapper -c root create-config / >> "$logfile" 2>&1 || error_warn "$action" "$?"
+ else
+ display "task" "snapper root config already exists"
+ fi
+
+ action="configuring snapper retention policy" && display "task" "$action"
+ # Conservative retention - local snapshots for quick rollback
+ snapper -c root set-config "TIMELINE_CREATE=yes" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_CLEANUP=yes" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_HOURLY=5" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_DAILY=7" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_WEEKLY=2" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_MONTHLY=1" >> "$logfile" 2>&1
+ snapper -c root set-config "TIMELINE_LIMIT_YEARLY=0" >> "$logfile" 2>&1
+
+ action="enabling snapper timeline timer" && display "task" "$action"
+ systemctl enable snapper-timeline.timer >> "$logfile" 2>&1 || error_warn "$action" "$?"
+ systemctl enable snapper-cleanup.timer >> "$logfile" 2>&1 || error_warn "$action" "$?"
+
+ action="enabling grub-btrfsd for boot menu snapshots" && display "task" "$action"
+ systemctl enable grub-btrfsd >> "$logfile" 2>&1 || error_warn "$action" "$?"
+
+ # Allow user to use snapper without root
+ action="allowing wheel group to use snapper" && display "task" "$action"
+ snapper -c root set-config "ALLOW_GROUPS=wheel" >> "$logfile" 2>&1 || error_warn "$action" "$?"
+
else
display "task" "ext4/other filesystem detected"
fi
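Review bot: `ALLOW_GROUPS=wheel` at the end of the btrfs branch lets any process running as a wheel member operate on the root snapper config without a sudo prompt, which presumably includes deleting snapshots, so they stop being a dependable rollback point once a user account is compromised. I would leave it out by default, or record the trade-off next to it, e.g. `# NOTE: wheel members can manage root snapshots without sudo authentication`. The `umount /.snapshots` call and the seven retention `set-config` calls are also the only steps in this branch without `|| error_warn "$action" "$?"`. In addition, `rmdir /.snapshots ... || true` hides a failure that would then surface only as a `create-config` error. The enclosing function starts before the hunk.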
@@ -1314,6 +1371,8 @@ hyprland() {
pacman_install swww # wallpaper
pacman_install grim # screenshot
pacman_install slurp # region select
+ pacman_install satty # screenshot annotation
+ pacman_install hyprpicker # color picker
pacman_install gammastep # night light (replaces redshift)
pacman_install brightnessctl # brightness control
pacman_install pamixer # audio control
@@ -1365,7 +1424,11 @@ desktop_environment() {
# Fonts
action="Fonts" && display "subtitle" "$action"
+ pacman_install cantarell-fonts
pacman_install noto-fonts-emoji
+ pacman_install ttf-caladea # Cambria replacement
+ pacman_install ttf-carlito # Calibri replacement
+ pacman_install ttf-croscore # Chrome OS fonts (Arimo, Cousine, Tinos)
pacman_install terminus-font
pacman_install ttf-firacode-nerd
pacman_install ttf-hack-nerd
@@ -1774,6 +1837,9 @@ supplemental_software() {
pacman_install unclutter # hides mouse cursor when not being used
pacman_install vlc # media player
pacman_install w3m # text based browser
+ pacman_install mpd # music player daemon
+ pacman_install mpc # mpd command line client
+ pacman_install ncmpcpp # ncurses mpd client
pacman_install opus # opus audio codec (all music in opus format)
pacman_install wavpack # audio compression format
pacman_install webkit2gtk # web content engine for GTK
@@ -1883,7 +1949,32 @@ EOF
sed -i 's/.*GRUB_GFXMODE=auto/GRUB_GFXMODE=1024x768/' /etc/default/grub
sed -i "s/.*GRUB_RECORDFAIL_TIMEOUT=.*/GRUB_RECORDFAIL_TIMEOUT=2/g" /etc/default/grub
sed -i "s/.*GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"rw loglevel=2 rd.systemd.show_status=auto rd.udev.log_level=2 nvme.noacpi=1 mem_sleep_default=deep nowatchdog random.trust_cpu=off quiet splash\"/g" /etc/default/grub
- grub-mkconfig -o /boot/grub/grub.cfg >> "$logfile" 2>&1 || error_warn "generating grub config" "$?"
+ fi
+
+ # Hardware-specific workarounds
+ display "subtitle" "Hardware Workarounds"
+
+ # AMD Zen 5 RDSEED32 bug (CVE-2025-62626)
+ # Zen 5 CPUs have a broken RDSEED instruction that causes kernel warnings at boot.
+ # Adding clearcpuid=rdseed disables the instruction via CPUID masking, suppressing
+ # the "RDSEED32 is broken. Disabling the corresponding CPUID bit." message.
+ # This is cosmetic - the kernel already disables RDSEED when it detects the bug.
+ if is_amd_zen5; then
+ action="applying AMD Zen 5 RDSEED32 workaround (CVE-2025-62626)" && display "task" "$action"
+ if [ -f /etc/default/grub ]; then
+ # Add clearcpuid=rdseed if not already present
+ if ! grep -q "clearcpuid=rdseed" /etc/default/grub; then
+ sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/GRUB_CMDLINE_LINUX_DEFAULT="\1 clearcpuid=rdseed"/' /etc/default/grub
+ fi
+ fi
+ else
+ display "task" "no hardware workarounds needed"
+ fi
+
+ # Regenerate GRUB config after all modifications
+ if [ -f /etc/default/grub ]; then
+ action="generating grub configuration" && display "task" "$action"
+ grub-mkconfig -o /boot/grub/grub.cfg >> "$logfile" 2>&1 || error_warn "$action" "$?"
fi
}
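Review bot: The comment above the `is_amd_zen5` branch overstates what `clearcpuid=rdseed` does: the parameter hides the feature from the kernel and from /proc/cpuinfo, but programs that execute RDSEED directly or query CPUID themselves still reach the instruction, so this does not mitigate CVE-2025-62626 for userspace. I would say so in the comment and point to updated microcode or firmware as the actual fix, e.g. `# Only the kernel's view is masked; userspace can still execute RDSEED. The fix is updated AMD microcode/firmware.` Separately, neither the `grep -q "clearcpuid=rdseed"` guard nor the `sed` is anchored, so a commented-out `#GRUB_CMDLINE_LINUX_DEFAULT=` line or a mention elsewhere in /etc/default/grub also matches. Anchoring both on `^GRUB_CMDLINE_LINUX_DEFAULT=` and adding `|| error_warn "$action" "$?"` to the `sed` would bring this step in line with the others. The enclosing function starts outside the hunk.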