| -rwxr-xr-x | archsetup | 154 |
1 files changed, 149 insertions, 5 deletions
@@ -897,6 +897,13 @@ prerequisites() { display "title" "Prerequisites" + bootstrap_pacman_keyring + install_required_software + configure_build_environment + configure_package_mirrors +} + +bootstrap_pacman_keyring() { display "subtitle" "Bootstrapping" # If the base ships informant (e.g. an archangel-installed system), it @@ -935,6 +942,9 @@ prerequisites() { done $refresh_ok || error_fatal "$action" "$?" +} + +install_required_software() { display "subtitle" "Required Software" for software in linux-firmware wireless-regdb base-devel ca-certificates \ @@ -943,6 +953,9 @@ prerequisites() { pacman_install "$software" done +} + +configure_build_environment() { display "subtitle" "Environment Configuration" # configure locale (must happen before package installs that depend on locale) @@ -997,6 +1010,9 @@ prerequisites() { pacman -Sy >> "$logfile" 2>&1 +} + +configure_package_mirrors() { action="Package Mirrors" && display "subtitle" "$action" pacman_install reflector @@ -1099,6 +1115,16 @@ create_user() { user_customizations() { action="User Customizations" && display "title" "$action" + clone_user_repos + stow_dotfiles + prune_waybar_battery + refresh_desktop_caches + configure_dconf_defaults + finalize_dotfiles + create_user_directories +} + +clone_user_repos() { # Clone archsetup to user's home directory so dotfile symlinks are accessible. # This ensures symlinks point to a user-readable location regardless of how # archsetup was invoked (curl|bash, from /root, etc.) @@ -1131,6 +1157,9 @@ user_customizations() { # root runs stow/restore against the user-owned clone; mark it safe. git config --global --add safe.directory "$dotfiles_dir" >> "$logfile" 2>&1 || true +} + +stow_dotfiles() { # Stow the universal layer plus the per-environment layer. Headless installs # (none) get the standalone minimal/ tree instead of common/. case "$desktop_env" in 
@@ -1161,6 +1190,9 @@ user_customizations() { ;; esac +} + +prune_waybar_battery() { # Remove battery module from waybar config on desktops with no battery # (hyprland only — waybar isn't part of the dwm or minimal trees). if [[ "$desktop_env" == "hyprland" ]] && ! ls /sys/class/power_supply/BAT* &>/dev/null; then @@ -1173,6 +1205,9 @@ user_customizations() { sed -i '/"battery": {/,/^ },$/d' "$waybar_config" fi +} + +refresh_desktop_caches() { # install fontconfig before refreshing cache (provides fc-cache) pacman_install fontconfig @@ -1187,6 +1222,9 @@ user_customizations() { (sudo -u "$username" update-desktop-database "/home/$username/.local/share/applications" \ >> "$logfile" 2>&1 ) || true +} + +configure_dconf_defaults() { # GTK and GNOME desktop interface settings — read by GTK apps and # xdg-desktop-portal-gtk. Written as a system-wide dconf db rather than # per-user dbus-launch dconf writes: the system path needs no session @@ -1215,6 +1253,9 @@ EOF dconf update ) >> "$logfile" 2>&1 || error_warn "$action" "$?" +} + +finalize_dotfiles() { action="marking archsetup dir as safe.directory" && display "task" "$action" git config --global --add safe.directory "$user_archsetup_dir" >> "$logfile" 2>&1 \ || error_warn "$action" "$?" @@ -1226,6 +1267,9 @@ EOF # files too, so its --adopt needs the same restore. run_task "restoring dotfile versions" git -C "$dotfiles_dir" restore . +} + +create_user_directories() { action="creating common directories" && display "task" "$action" # Create default directories and grant permissions { @@ -1275,6 +1319,20 @@ aur_installer() { ### Essential Services essential_services() { display "title" "Essential Services" + configure_randomness + configure_networking + configure_power + configure_ssh_server + configure_fail2ban + configure_firewall + configure_service_discovery + configure_job_scheduling + configure_package_cache + configure_snapshots + configure_user_lingering +} + +configure_randomness() { # Randomness 
@@ -1282,6 +1340,9 @@ essential_services() { pacman_install rng-tools enable_service rngd run_task "starting rngd service" systemctl start rngd +} + +configure_networking() { # Networking @@ -1341,12 +1402,18 @@ EOF # Create resolv.conf symlink to systemd-resolved run_task "linking resolv.conf to systemd-resolved" ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf +} + +configure_power() { # Power display "subtitle" "Power" pacman_install upower enable_service upower +} + +configure_ssh_server() { # Secure Shell @@ -1362,6 +1429,9 @@ EOF PermitRootLogin prohibit-password EOF systemctl reload sshd >> "$logfile" 2>&1 || error_warn "$action" "$?" +} + +configure_fail2ban() { # SSH Brute Force Protection @@ -1388,6 +1458,9 @@ EOF enable_service fail2ban run_task "starting fail2ban service" systemctl start fail2ban +} + +configure_firewall() { display "subtitle" "Firewall" pacman_install ufw @@ -1433,6 +1506,9 @@ EOF error_messages=("FIREWALL NOT ACTIVE - run: sudo ufw enable" "${error_messages[@]}") error_warn "$action" "1" fi +} + +configure_service_discovery() { # Service Discovery @@ -1481,6 +1557,9 @@ EOF After=systemd-sysusers.service EOF +} + +configure_job_scheduling() { # Job Scheduling display "subtitle" "Job Scheduling" @@ -1494,6 +1573,9 @@ EOF echo "0 12 * * * \$HOME/.local/bin/cron/log-cleanup") \ | sudo -u "$username" crontab - \ >> "$logfile" 2>&1 || error_warn "$action" "$?" +} + +configure_package_cache() { # Package Repository Cache Maintenance 
@@ -1505,10 +1587,22 @@ EOF backup_system_file /etc/conf.d/pacman-contrib sed -i 's/^PACCACHE_ARGS=.*/PACCACHE_ARGS=-k3/' /etc/conf.d/pacman-contrib - # Snapshot Service - filesystem-aware +} + +configure_snapshots() { + display "subtitle" "Snapshot Service" if is_zfs_root; then + configure_zfs_snapshots + elif is_btrfs_root; then + configure_btrfs_snapshots + else + display "task" "ext4/other filesystem detected" + fi +} + +configure_zfs_snapshots() { # ZFS: Install sanoid for snapshot management display "task" "ZFS detected - installing sanoid" aur_install sanoid @@ -1624,7 +1718,9 @@ EOF # systemctl enable --now zfs-replicate.timer display "task" "zfs-replicate timer created (enable after SSH key setup to TrueNAS)" - elif is_btrfs_root; then +} + +configure_btrfs_snapshots() { # Btrfs: Install snapper for snapshot management display "task" "btrfs detected - installing snapper and grub-btrfs" pacman_install snapper @@ -1680,9 +1776,9 @@ EOF # Install snapper GUI (AUR) aur_install snapper-gui-git - else - display "task" "ext4/other filesystem detected" - fi +} + +configure_user_lingering() { # User Services Lingering # Keeps user-level systemd services (e.g., protonmail-bridge) running without @@ -2186,6 +2282,14 @@ developer_workstation() { action="Developer Workstation" && display "title" "$action" + install_programming_languages + install_editors + install_android_utilities + install_vpn_tools + install_devops_utilities +} + +install_programming_languages() { action="Programming Languages and Utilities" && display "subtitle" "$action" # Rust (via rustup — must precede AUR packages that compile with rust) pacman_install rustup # Rust toolchain manager @@ -2253,6 +2357,9 @@ developer_workstation() { pacman_install hyperfine # statistical command-line benchmarking pacman_install doggo # modern dig: readable DNS client, DoH/DoT/DoQ +} + +install_editors() { action="Programming Editors" && display "subtitle" "$action" pacman_install mg # mini emacs 
@@ -2311,10 +2418,16 @@ developer_workstation() { >> "$logfile" 2>&1 || error_warn "$action" "$?" fi +} + +install_android_utilities() { action="Android Utilities" && display "subtitle" "$action" pacman_install android-file-transfer pacman_install android-tools +} + +install_vpn_tools() { action="VPN Tools" && display "subtitle" "$action" pacman_install wireguard-tools # VPN - add configs to /etc/wireguard/ pacman_install systemd-resolvconf # resolvconf for wg-quick DNS integration @@ -2323,6 +2436,9 @@ developer_workstation() { run_task "enabling tailscale service" systemctl enable tailscaled +} + +install_devops_utilities() { action="DevOps Utilities" && display "subtitle" "$action" action="installing devops virtualization and automation tools" && display "task" "$action" @@ -2498,6 +2614,16 @@ supplemental_software() { boot_ux() { action="Boot UX" && display "title" "$action" + tighten_efi_permissions + add_nvme_early_module + configure_initramfs_hook + configure_encrypted_autologin + configure_tlp_power + trim_firmware + configure_grub +} + +tighten_efi_permissions() { # Tighten /efi mount permissions so kernel images, initramfs, and # bootloader config aren't world-readable. archinstall's defaults leave # them at 0755; fmask/dmask below makes files 0600 and dirs 0700. @@ -2510,6 +2636,9 @@ boot_ux() { || error_warn "$action" "$?" fi +} + +add_nvme_early_module() { # Add nvme module for early loading on NVMe systems # Ensures NVMe devices are available when ZFS/other hooks try to access them if has_nvme_drives; then @@ -2537,6 +2666,9 @@ boot_ux() { echo "FONT=ter-132n" >> /etc/vconsole.conf fi +} + +configure_initramfs_hook() { # Only switch to systemd hook for non-ZFS systems # ZFS initramfs hook is busybox-based and incompatible with systemd hook if ! is_zfs_root; then 
@@ -2561,6 +2693,9 @@ StandardOutput=null StandardError=journal+console EOF +} + +configure_encrypted_autologin() { # Automatic login for encrypted systems (prompts if no CLI flag and root is encrypted) configure_autologin @@ -2583,6 +2718,9 @@ HandleLidSwitchExternalPower=ignore HandleLidSwitchDocked=ignore EOF +} + +configure_tlp_power() { # TLP power management — laptops only (battery present). Manages wifi, # USB, PCIe, and CPU power policy on AC/battery transitions. systemd-rfkill # is masked per TLP's docs (it fights TLP's radio-state handling). @@ -2606,6 +2744,9 @@ EOF error_warn "masking systemd-rfkill for TLP" "$?" fi +} + +trim_firmware() { # Firmware trim — Framework 13 Intel only (matched by DMI), where the # hardware set is known: i915 graphics (linux-firmware-intel), ath9k wifi # (linux-firmware-atheros, firmware-free driver but kept for safety), and @@ -2626,6 +2767,9 @@ EOF run_task "rebuilding initramfs after firmware trim" mkinitcpio -P fi +} + +configure_grub() { # GRUB: reset timeouts, adjust log levels, larger menu for HiDPI screens, and show splashscreen # Note: nvme.noacpi=1 disables NVMe ACPI power management to prevent freezes on some drives. # Safe to keep on newer drives (minor power cost), remove if battery life is critical. |
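Review bot: The new helpers carved out of `user_customizations` are coupled through unscoped shell variables rather than arguments: `clone_user_repos` presumably assigns `$dotfiles_dir` (only its later `safe.directory` use is visible), while `stow_dotfiles` and `finalize_dotfiles` read it (`git -C "$dotfiles_dir" restore .`), and `finalize_dotfiles` likewise depends on `$user_archsetup_dir` being set earlier. Now that the ordering is a list of bare calls in the parent, a reordered or standalone invocation expands the unset name to empty, so `git -C "" restore .` runs against root's current directory and `safe.directory ""` adds an empty entry, with no error to point at the cause. Add a fail-fast guard at the top of each dependent helper, e.g. `: "${dotfiles_dir:?set by clone_user_repos}"` and `: "${user_archsetup_dir:?set by clone_user_repos}"`, or pass the paths as positional parameters; the same pattern likely applies to `$waybar_config` in `prune_waybar_battery` and to `$action`, whose value in `error_warn "$action" "$?"` inside `configure_dconf_defaults` now comes from whichever helper assigned it last. Every helper body in these hunks starts or ends outside the visible lines, so where each variable is actually assigned cannot be confirmed here.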
