| author | Craig Jennings <c@cjennings.net> | 2026-05-09 10:21:36 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-05-09 10:21:36 -0500 |
| commit | f3dc2a905e4328d6fc16aa15d091ec65edcfc120 (patch) | |
| tree | efa7f2678787db43e387968b1bfab72883c9497d /scripts/cmail-setup-finish.sh | |
| parent | 1b58db366885bf014d14da19d14da8ee68aff9da (diff) | |
feat: add post-install cmail Bridge setup

Bridge first-run is interactive, so I put the cmail wiring in a post-install
helper rather than running it inside archsetup. scripts/cmail-setup-finish.sh
handles the post-first-run steps idempotently: it decrypts the encrypted
cmailpass, copies Bridge's self-signed cert to ~/.config/protonbridge.pem,
symlinks the cmail-action triage helper into ~/.local/bin, and enables the
user-level protonmail-bridge service.

I added loginctl enable-linger in essential_services so the user service
survives logout — without it, triaging cmail from a remote agent or SSH
session has nothing to talk to. outro prints a four-step runbook for the
manual steps after reboot.

Diffstat (limited to 'scripts/cmail-setup-finish.sh')
| -rwxr-xr-x | scripts/cmail-setup-finish.sh | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/scripts/cmail-setup-finish.sh b/scripts/cmail-setup-finish.sh new file mode 100755 index 0000000..de99101 --- /dev/null +++ b/scripts/cmail-setup-finish.sh 
@@ -0,0 +1,79 @@ +#!/usr/bin/env bash +# cmail-setup-finish.sh — finish Proton Mail Bridge + cmail-action setup after +# Bridge first-run. Idempotent; safe to re-run after a Bridge cert rotation or +# a claude-templates re-clone. +# +# Pre-reqs (the script aborts if any are missing): +# - protonmail-bridge installed (archsetup handles it) +# - You have run 'protonmail-bridge --cli', logged in, and quit at least once +# (the script looks for state at ~/.config/protonmail/bridge-v3/) +# - claude-templates cloned at ~/projects/claude-templates +# - dotfiles stowed (~/.config/.cmailpass.gpg present) +# +# What it does: +# 1. Decrypts ~/.config/.cmailpass.gpg → ~/.config/.cmailpass (mode 0600) +# 2. Copies Bridge's self-signed cert → ~/.config/protonbridge.pem +# 3. Symlinks ~/projects/claude-templates/.ai/scripts/cmail-action.py +# → ~/.local/bin/cmail-action +# 4. Enables + starts the protonmail-bridge user service +# 5. Verifies Bridge is listening on 127.0.0.1:1143 / :1025 + +set -euo pipefail + +err() { printf 'error: %s\n' "$*" >&2; exit 1; } +info() { printf '==> %s\n' "$*"; } +ok() { printf ' %s\n' "$*"; } + +# 1. Pre-reqs +command -v protonmail-bridge >/dev/null 2>&1 \ + || err "protonmail-bridge not found in PATH — install via archsetup first" + +bridge_state="$HOME/.config/protonmail/bridge-v3" +[ -d "$bridge_state" ] \ + || err "Bridge has no state at $bridge_state — run 'protonmail-bridge --cli' and log in first" + +cmail_action_src="$HOME/projects/claude-templates/.ai/scripts/cmail-action.py" +[ -f "$cmail_action_src" ] \ + || err "cmail-action.py not found at $cmail_action_src — clone claude-templates first" + +cmailpass_enc="$HOME/.config/.cmailpass.gpg" +[ -f "$cmailpass_enc" ] \ + || err "$cmailpass_enc not found — ensure dotfiles are stowed" + +# 2. 
Decrypt cmailpass +info "decrypting $cmailpass_enc" +cmailpass_plain="$HOME/.config/.cmailpass" +gpg --quiet --yes --decrypt --output "$cmailpass_plain" "$cmailpass_enc" +chmod 600 "$cmailpass_plain" +ok "wrote $cmailpass_plain (mode 0600)" + +# 3. Bridge cert +info "exporting Bridge cert" +cert_src="$(find "$bridge_state" -name 'cert.pem' -print -quit 2>/dev/null)" +[ -n "$cert_src" ] || err "no cert.pem found under $bridge_state — Bridge state is incomplete" +cert_dst="$HOME/.config/protonbridge.pem" +cp "$cert_src" "$cert_dst" +ok "copied $cert_src → $cert_dst" + +# 4. Symlink cmail-action +info "symlinking cmail-action" +mkdir -p "$HOME/.local/bin" +ln -sf "$cmail_action_src" "$HOME/.local/bin/cmail-action" +ok "linked $HOME/.local/bin/cmail-action → $cmail_action_src" + +# 5. Enable + start systemd user service +info "enabling protonmail-bridge user service" +systemctl --user enable --now protonmail-bridge +ok "service active" + +# 6. Verify +info "verifying Bridge is listening" +if ss -ltn 2>/dev/null | grep -qE '127\.0\.0\.1:(1143|1025)'; then + ok "127.0.0.1:1143 + :1025 LISTEN" +else + err "Bridge isn't listening on the expected ports — check 'systemctl --user status protonmail-bridge'" +fi + +echo +echo "cmail setup complete." +echo "Next: 'mbsync cmail && mu index' for the first sync." |
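
Review bot: In step 2 (Decrypt cmailpass), `chmod 600 "$cmailpass_plain"` runs only after `gpg --quiet --yes --decrypt --output` has already written the plaintext password, so on a first run the file exists for a moment with whatever mode the caller's umask produces. Set `umask 077` near `set -euo pipefail` (or wrap the gpg call in a subshell with that umask) so the file is created private, and keep the chmod to cover a pre-existing file from an earlier run. Separately, in step 6 the pattern `'127\.0\.0\.1:(1143|1025)'` matches when either port is listening, and has no trailing boundary so a longer port number beginning with those digits would also match, while the ok line reports both ports as LISTEN. Check each port on its own with an anchored pattern. Nothing waits between `systemctl --user enable --now protonmail-bridge` and the `ss` check either, so a short retry loop before calling `err` would avoid a spurious failure if the unit is reported started before Bridge has bound its sockets. Minor: the header comment lists five steps while the body numbers six sections, with pre-reqs as section 1, so the numbering does not line up.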
