feat: cleanup

2025-06-21 06:30:06 +00:00 · 2025-06-21 06:30:06 +00:00 · 649806d52d
commit 649806d52d
parent 92f562a03e
11 changed files with 212 additions and 64 deletions
--- a/11
+++ b/11
@ -6,11 +6,11 @@ install_type=dwm # base|desktop|dwm
 disk=/dev/nvme0n1
 disk_passwd=cryptroot

-swapfile=1024 # MiB, Comment to disable
+swapfile=1024 # MiB, comment to disable

 username=ange
 userpasswd=ange
-rootpasswd=root # Comment to disable
+rootpasswd=root # comment to disable

 shell=bash

@ -21,18 +21,19 @@ locales=en_US # en_US,fr_FR
 lang=en_US

 pkg=(
-    7zip unrar
-    base-devel man-{db,pages} tldr
+    7zip
    bash-completion
    detox
    dosfstools exfatprogs
    fastfetch
    fzf
    git
+    inotify-tools
    iwd iptables-nft wireguard-tools gnu-netcat
    jq
    lf
-    neovim{,-lspconfig} python-{pynvim,black} ripgrep bash-language-server pyright
+    make man-{db,pages} patch texinfo tldr
+    neovim-lspconfig python-{pynvim,black} ripgrep bash-language-server pyright
    opendoas
    openssh
    podman docker-compose
--- a/modules/00-prechroot/10-disk.sh
+++ b/modules/00-prechroot/10-disk.sh
@ -9,11 +9,11 @@ sgdisk -Z \
 esp=/dev/disk/by-partlabel/esp
 root=/dev/disk/by-partlabel/root

-[ -n "$disk_passwd" ] && {
+if [ -n "$disk_passwd" ]; then
    echo -n "$disk_passwd" | cryptsetup luksFormat "$root" -
    cryptsetup open "$root" cryptroot - <<< "$disk_passwd"
    root=/dev/mapper/cryptroot
-}
+fi

 sleep 5 # wait /dev/disk/by-partlabel/

@ -26,13 +26,13 @@ UUID=$(blkid "$root" -ovalue -sUUID)	/	ext4	rw,relatime	0 1
 UUID=$(blkid "$esp" -ovalue -sUUID)	/efi	vfat	rw,fmask=0077,dmask=0077,noauto	0 2
 EOF

-[ -n "$swapfile" ] && {
+if [ -n "$swapfile" ]; then
    dd if=/dev/zero of=/mnt/swapfile bs=1M count="$swapfile" status=progress
    chmod 600 /mnt/swapfile
    mkswap /mnt/swapfile
    swapon /mnt/swapfile
    echo "/swapfile	none	swap	defaults	0 0" >> /mnt/etc/fstab
-}
+fi

 cp -rfTv rootfs/ /mnt/

--- a/modules/00-prechroot/20-pkg.sh
+++ b/modules/00-prechroot/20-pkg.sh
@ -7,10 +7,9 @@ case "$(lscpu)" in
    *) ;;
 esac

-[ -s modules/chroot/flatpak.txt ] \
-    && printf '%s\n' flatpak xdg-desktop-portal-gtk >> pkglist.txt
-
-[ -d /sys/class/power_supply/BAT0 ] && echo tlp >> pkglist.txt
+if [ -d /sys/class/power_supply/BAT0 ]; then
+    echo tlp >> pkglist.txt
+fi

 echo "$shell" >> pkglist.txt
 pacstrap -C rootfs/etc/pacman.conf -K /mnt \
--- a/modules/10-chroot/10-bootloader.sh
+++ b/modules/10-chroot/10-bootloader.sh
@ -5,10 +5,10 @@ root="$(findmnt -n -osource /)"
 boot="$(lsblk -ls -oname /dev/disk/by-partlabel/boot | tail -n1)"

 cryptdev="$(cryptsetup status "$root" | awk '/device/ {print $2}')"
-[ -n "$cryptdev" ] && {
+if [ -n "$cryptdev" ]; then
    uuid="$(blkid | grep "$cryptdev" | awk '{print $2}')"
    options="cryptdevice=$uuid:${root##*/} "
-}
+fi

 options="${options}root=$root rw"

--- a/modules/10-chroot/20-users.sh
+++ b/modules/10-chroot/20-users.sh
@ -4,5 +4,7 @@
 shell="$(sed -n "/$shell/{p;q}" /etc/shells)"
 useradd -mG wheel,video "$username" -s "${shell:-/bin/bash}"

-[ -n "$rootpasswd" ] && echo "root:$rootpasswd" | chpasswd
+if [ -n "$rootpasswd" ]; then
+    echo "root:$rootpasswd" | chpasswd
+fi
 echo "$username:$userpasswd" | chpasswd
--- a/modules/10-chroot/40-flatpak.sh
+++ b/modules/10-chroot/40-flatpak.sh
@ -1,5 +0,0 @@
-#!/bin/bash
-#shellcheck disable=SC2154
-
-[ -s /chroot/flatpak.txt ] \
-    && xargs flatpak install -y --noninteractive < /chroot/flatpak.txt
--- a/modules/20-postchroot/99-done.sh
+++ b/modules/20-postchroot/99-done.sh
@ -5,10 +5,9 @@ BOLD=$'\e[1m'
 GREEN=$'\e[32m'
 NORMAL=$'\e[0m'

-echo "${BOLD}${GREEN}DONE. Umount? [Y/n]${NORMAL} " && read -r ANS
-case "$ANS" in
-    ''|[Yy]*) ;;
-    *) exit ;;
-esac
+read -rp "${BOLD}${GREEN}DONE. Umount? [Y/n]${NORMAL} " ANS
+if ! [[ "${ANS,}" =~ ^$|^y ]]; then
+    exit
+fi

 umount -R /mnt/
--- a/modules/desktop.sh
+++ b/modules/desktop.sh
@ -7,31 +7,24 @@ printf '%s\n' \
    alacritty \
    bluez{,-utils} \
    feh \
+    firefox{,-ublock-origin} \
    gammastep \
    imagemagick ghostscript \
-    materia-gtk-theme papirus-icon-theme \
+    materia-gtk-theme \
    monero \
    mpv \
    noto-fonts{,-cjk,-emoji} otf-font-awesome \
-    pass{,-otp} gcr \
-    pcmanfm-gtk3 \
-    pipewire{,-pulse,-jack} pavucontrol playerctl \
+    pass-otp gcr \
+    pipewire{-pulse,-jack} playerctl \
    polkit-gnome \
-    qemu-{base,audio-pipewire,hw-usb-host,hw-display-virtio-{gpu,vga},ui-gtk} dnsmasq \
+    qemu-{base,audio-pipewire,hw-usb-host,hw-display-virtio-{gpu,vga},ui-gtk} dnsmasq usbutils \
    udisks2 \
-    xdg-user-dirs \
+    xdg-utils xdg-user-dirs \
    yt-dlp \
-    zathura{,-pdf-poppler} \
+    zathura-pdf-poppler \
    zenity \
        >> pkglist.txt

-printf '%s\n' \
-    com.valvesoftware.Steam \
-    org.gimp.GIMP \
-    org.gtk.Gtk3theme.Materia-dark \
-    org.mozilla.firefox \
-        >> modules/chroot/flatpak.txt
-
 case "$(lspci | grep 'VGA\|3D')" in
    *AMD*)    echo vulkan-radeon mesa >> pkglist.txt ;;
    *Intel*)  echo vulkan-intel intel-media-driver >> pkglist.txt ;;
--- a/rootfs/etc/iwd/main.conf
+++ b/rootfs/etc/iwd/main.conf
@ -0,0 +1,2 @@
+[General]
+AddressRandomization=once
--- a/rootfs/etc/makepkg.conf
+++ b/rootfs/etc/makepkg.conf
@ -0,0 +1,165 @@
+#!/hint/bash
+# shellcheck disable=2034
+
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+#  Format: 'protocol::agent'
+DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u'
+          'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+          'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'rsync::/usr/bin/rsync --no-motd -z %u %o'
+          'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+#  Format: 'protocol::package'
+VCSCLIENTS=('bzr::breezy'
+            'fossil::fossil'
+            'git::git'
+            'hg::mercurial'
+            'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="x86_64"
+CHOST="x86_64-pc-linux-gnu"
+
+#-- Compiler and Linker Flags
+#CPPFLAGS=""
+CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
+        -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \
+        -fstack-clash-protection -fcf-protection \
+        -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer"
+CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
+LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \
+         -Wl,-z,pack-relative-relocs"
+LTOFLAGS="-flto=auto"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g"
+DEBUG_CXXFLAGS="$DEBUG_CFLAGS"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign)
+#  A negated environment option will do the opposite of the comments below.
+#
+#-- distcc:   Use the Distributed C/C++/ObjC compiler
+#-- color:    Colorize output messages
+#-- ccache:   Use ccache to cache compilation
+#-- check:    Run the check() function if present in the PKGBUILD
+#-- sign:     Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+#   These are default values for the options=() settings
+#########################################################################
+#
+# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto !autodeps)
+#  A negated option will do the opposite of the comments below.
+#
+#-- strip:      Strip symbols from binaries/libraries
+#-- docs:       Save doc directories specified by DOC_DIRS
+#-- libtool:    Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs:  Leave empty directories in packages
+#-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge:      Remove files specified by PURGE_TARGETS
+#-- debug:      Add debugging flags as specified in DEBUG_* variables
+#-- lto:        Add compile flags for building with link time optimization
+#-- autodeps:   Automatically add depends/provides
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2
+INTEGRITY_CHECK=(sha256)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries. See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+#-- Directory to store source code in for debug packages
+DBGSRCDIR="/usr/src/debug"
+#-- Prefix and directories for library autodeps
+LIB_DIRS=('lib:usr/lib' 'lib32:usr/lib32')
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe <john@doe.com>"
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSZST=(zstd -c -T0 -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+COMPRESSLZ4=(lz4 -q)
+COMPRESSLZ=(lzip -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+PKGEXT='.pkg.tar.zst'
+SRCEXT='.src.tar.gz'
+
+#########################################################################
+# OTHER
+#########################################################################
+#
+#-- Command used to run pacman as root, instead of trying sudo and su
+PACMAN_AUTH=(doas)
+# vim: set ft=sh ts=2 sw=2 et:
--- a/rootfs/etc/nftables.conf
+++ b/rootfs/etc/nftables.conf
@ -1,36 +1,28 @@
 #!/usr/bin/nft -f
-# vim:set ts=2 sw=2 et:

 destroy table inet filter;
 table inet filter {
-  chain input {
-    type filter hook input priority filter; policy drop;
+	chain input {
+		type filter hook input priority filter; policy drop;

-    #tcp dport 32768-65535 counter meta nftrace set 1 accept comment "WoW VoiceError:17"
+		ct state invalid counter drop
+		ct state {established, related} counter accept

-    ct state invalid                counter drop
-    ct state {established, related} counter accept
+		iif "lo" counter accept
+		ip protocol {icmp,icmpv6} counter accept

-    iif "lo"                  counter accept
-    ip protocol {icmp,icmpv6} counter accept
+		counter meta nftrace set 1 comment "dropped"
+	}

-    iifname "waydroid0" meta l4proto {tcp, udp} th dport {53, 67} counter accept
+	chain forward {
+		type filter hook forward priority filter; policy drop;

-    counter meta nftrace set 1 comment "dropped"
-  }
+		counter meta nftrace set 1 comment "dropped"
+	}

-  chain forward {
-    type filter hook forward priority filter; policy drop;
+	chain output {
+		type filter hook output priority filter; policy accept;

-    iifname "waydroid0" counter accept
-    oifname "waydroid0" counter accept
-
-    counter meta nftrace set 1 comment "dropped"
-  }
-
-  chain output {
-    type filter hook output priority filter; policy accept;
-
-    counter comment "accepted"
-  }
+		counter comment "accepted"
+	}
 }