diff --git a/config b/config index e74390c..bbb9755 100644 --- a/config +++ b/config @@ -6,11 +6,11 @@ install_type=dwm # base|desktop|dwm disk=/dev/nvme0n1 disk_passwd=cryptroot -swapfile=1024 # MiB, Comment to disable +swapfile=1024 # MiB, comment to disable username=ange userpasswd=ange -rootpasswd=root # Comment to disable +rootpasswd=root # comment to disable shell=bash @@ -21,18 +21,19 @@ locales=en_US # en_US,fr_FR lang=en_US pkg=( - 7zip unrar - base-devel man-{db,pages} tldr + 7zip bash-completion detox dosfstools exfatprogs fastfetch fzf git + inotify-tools iwd iptables-nft wireguard-tools gnu-netcat jq lf - neovim{,-lspconfig} python-{pynvim,black} ripgrep bash-language-server pyright + make man-{db,pages} patch texinfo tldr + neovim-lspconfig python-{pynvim,black} ripgrep bash-language-server pyright opendoas openssh podman docker-compose diff --git a/modules/00-prechroot/10-disk.sh b/modules/00-prechroot/10-disk.sh index ec5de1d..d495678 100644 --- a/modules/00-prechroot/10-disk.sh +++ b/modules/00-prechroot/10-disk.sh @@ -9,11 +9,11 @@ sgdisk -Z \ esp=/dev/disk/by-partlabel/esp root=/dev/disk/by-partlabel/root -[ -n "$disk_passwd" ] && { +if [ -n "$disk_passwd" ]; then echo -n "$disk_passwd" | cryptsetup luksFormat "$root" - cryptsetup open "$root" cryptroot - <<< "$disk_passwd" root=/dev/mapper/cryptroot -} +fi sleep 5 # wait /dev/disk/by-partlabel/ @@ -26,13 +26,13 @@ UUID=$(blkid "$root" -ovalue -sUUID) / ext4 rw,relatime 0 1 UUID=$(blkid "$esp" -ovalue -sUUID) /efi vfat rw,fmask=0077,dmask=0077,noauto 0 2 EOF -[ -n "$swapfile" ] && { +if [ -n "$swapfile" ]; then dd if=/dev/zero of=/mnt/swapfile bs=1M count="$swapfile" status=progress chmod 600 /mnt/swapfile mkswap /mnt/swapfile swapon /mnt/swapfile echo "/swapfile none swap defaults 0 0" >> /mnt/etc/fstab -} +fi cp -rfTv rootfs/ /mnt/ diff --git a/modules/00-prechroot/20-pkg.sh b/modules/00-prechroot/20-pkg.sh index 0fe2f0d..9581b57 100644 --- a/modules/00-prechroot/20-pkg.sh 
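Review bot: The touched defaults still commit working credentials — `disk_passwd=cryptroot`, `userpasswd=ange` and `rootpasswd=root` — in a tracked config, and lowering the case of `# comment to disable` leaves a line that sets root's password to `root` as the shipped default. Prefer shipping `rootpasswd` commented out by default and reading real secrets from the environment or an install-time prompt, e.g. `rootpasswd=${ROOTPASSWD-} # set to enable password login for root`, so a forgotten edit cannot produce an installed system with a guessable root password. Whether an empty `rootpasswd` actually locks root depends on the users module, not on this file, so the comment should say what "disable" means. The config appears to be sourced as bash (brace expansion, `pkg=(`), so any shell metacharacters in these values are interpreted.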
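Review bot: `base-devel` is removed from `pkg=(` and only `make man-{db,pages} patch texinfo tldr` takes its place, yet the same commit ships a system-wide `rootfs/etc/makepkg.conf`; makepkg also needs `fakeroot`, `binutils`, `gcc` and `pkgconf` from that group, so if AUR or local package builds are still intended, keep `base-devel` (or list those members explicitly) — otherwise the new makepkg.conf is configuration nothing will use. A one-line comment above the array saying which of these are build prerequisites would make the intent clear either way. The array is opened in this hunk and may close outside it.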
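Review bot: The two cryptsetup calls inside the new `if` block feed the passphrase asymmetrically: `echo -n "$disk_passwd" | cryptsetup luksFormat "$root" -` passes stdin as a key file (every byte counts, which is why the missing newline matters), while `cryptsetup open "$root" cryptroot - <<< "$disk_passwd"` supplies a trailing newline and relies on how `open` treats that bare `-`. If that `-` is ever honoured as a key file, the newline becomes part of the key and the volume no longer unlocks, so both should use one explicit mechanism: `printf '%s' "$disk_passwd" | cryptsetup -q luksFormat "$root" -` and `printf '%s' "$disk_passwd" | cryptsetup open --key-file=- "$root" cryptroot`. Separately, `sleep 5 # wait /dev/disk/by-partlabel/` runs after luksFormat has already used the partlabel symlink for `$root`; unless something above line 9 already settles udev, `udevadm settle` before the block is the reliable wait. The script continues before and after this hunk.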
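Review bot: In the new `if` block the swap file is created by `dd` with the installer's umask and only afterwards `chmod 600`, so it briefly exists with wider permissions; creating it restricted first removes that window: `install -m 600 /dev/null /mnt/swapfile` before the `dd` (dd truncates the existing file and keeps its mode, so the `chmod` becomes redundant). `count="$swapfile"` is also only checked for non-emptiness; a guard such as `[[ "$swapfile" =~ ^[0-9]+$ ]] || exit 1` rejects a mistyped MiB value before `dd` is run with it. The fstab lines above the block and the `cp -rfTv rootfs/ /mnt/` after it are unchanged context.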
+++ b/modules/00-prechroot/20-pkg.sh @@ -7,10 +7,9 @@ case "$(lscpu)" in *) ;; esac -[ -s modules/chroot/flatpak.txt ] \ - && printf '%s\n' flatpak xdg-desktop-portal-gtk >> pkglist.txt - -[ -d /sys/class/power_supply/BAT0 ] && echo tlp >> pkglist.txt +if [ -d /sys/class/power_supply/BAT0 ]; then + echo tlp >> pkglist.txt +fi echo "$shell" >> pkglist.txt pacstrap -C rootfs/etc/pacman.conf -K /mnt \ diff --git a/modules/10-chroot/10-bootloader.sh b/modules/10-chroot/10-bootloader.sh index 4210968..0733fc0 100644 --- a/modules/10-chroot/10-bootloader.sh +++ b/modules/10-chroot/10-bootloader.sh @@ -5,10 +5,10 @@ root="$(findmnt -n -osource /)" boot="$(lsblk -ls -oname /dev/disk/by-partlabel/boot | tail -n1)" cryptdev="$(cryptsetup status "$root" | awk '/device/ {print $2}')" -[ -n "$cryptdev" ] && { +if [ -n "$cryptdev" ]; then uuid="$(blkid | grep "$cryptdev" | awk '{print $2}')" options="cryptdevice=$uuid:${root##*/} " -} +fi options="${options}root=$root rw" diff --git a/modules/10-chroot/20-users.sh b/modules/10-chroot/20-users.sh index 82c6dd8..d69f79b 100644 --- a/modules/10-chroot/20-users.sh +++ b/modules/10-chroot/20-users.sh @@ -4,5 +4,7 @@ shell="$(sed -n "/$shell/{p;q}" /etc/shells)" useradd -mG wheel,video "$username" -s "${shell:-/bin/bash}" -[ -n "$rootpasswd" ] && echo "root:$rootpasswd" | chpasswd +if [ -n "$rootpasswd" ]; then + echo "root:$rootpasswd" | chpasswd +fi echo "$username:$userpasswd" | chpasswd diff --git a/modules/10-chroot/40-flatpak.sh b/modules/10-chroot/40-flatpak.sh deleted file mode 100644 index 69a2dba..0000000 --- a/modules/10-chroot/40-flatpak.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -#shellcheck disable=SC2154 - -[ -s /chroot/flatpak.txt ] \ - && xargs flatpak install -y --noninteractive < /chroot/flatpak.txt diff --git a/modules/20-postchroot/99-done.sh b/modules/20-postchroot/99-done.sh index 511b5e8..92d6f4d 100644 --- a/modules/20-postchroot/99-done.sh +++ b/modules/20-postchroot/99-done.sh 
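Review bot: The UUID lookup inside the new `if` block, `blkid | grep "$cryptdev" | awk '{print $2}'`, treats the device path as an unanchored regex and substring, so `/dev/nvme0n1p2` also matches `/dev/nvme0n1p20`, and the chosen field is `UUID="…"` including the quotes and dependent on blkid's field order. Querying the device directly is unambiguous and matches what 10-disk.sh already does with `blkid "$root" -ovalue -sUUID`: `uuid="UUID=$(blkid -ovalue -sUUID "$cryptdev")"`. If the quoted form was deliberately chosen for the kernel command line, a comment saying so would help the next reader. The `root`/`boot` assignments above the block are context from earlier in the script.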
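Review bot: When `rootpasswd` is empty the new `if` sets nothing, but nothing locks the root account either, so the config's "comment to disable" leaves root with whatever password field the base image ships; an explicit `else passwd -l root` branch makes the disable path do what the comment promises. The preceding `sed -n "/$shell/{p;q}" /etc/shells` also interpolates the configured shell name into the regex unescaped and unanchored, so `sh` selects the first line containing it rather than an exact path — anchoring the match, e.g. `sed -n "\#/$shell\$#{p;q}" /etc/shells`, is stricter. Both passwords go to `chpasswd` over stdin rather than argv, which is the right choice.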
@@ -5,10 +5,9 @@ BOLD=$'\e[1m' GREEN=$'\e[32m' NORMAL=$'\e[0m' -echo "${BOLD}${GREEN}DONE. Umount? [Y/n]${NORMAL} " && read -r ANS -case "$ANS" in - ''|[Yy]*) ;; - *) exit ;; -esac +read -rp "${BOLD}${GREEN}DONE. Umount? [Y/n]${NORMAL} " ANS +if ! [[ "${ANS,}" =~ ^$|^y ]]; then + exit +fi umount -R /mnt/ diff --git a/modules/desktop.sh b/modules/desktop.sh index 99b51bc..4e69e3c 100644 --- a/modules/desktop.sh +++ b/modules/desktop.sh @@ -7,31 +7,24 @@ printf '%s\n' \ alacritty \ bluez{,-utils} \ feh \ + firefox{,-ublock-origin} \ gammastep \ imagemagick ghostscript \ - materia-gtk-theme papirus-icon-theme \ + materia-gtk-theme \ monero \ mpv \ noto-fonts{,-cjk,-emoji} otf-font-awesome \ - pass{,-otp} gcr \ - pcmanfm-gtk3 \ - pipewire{,-pulse,-jack} pavucontrol playerctl \ + pass-otp gcr \ + pipewire{-pulse,-jack} playerctl \ polkit-gnome \ - qemu-{base,audio-pipewire,hw-usb-host,hw-display-virtio-{gpu,vga},ui-gtk} dnsmasq \ + qemu-{base,audio-pipewire,hw-usb-host,hw-display-virtio-{gpu,vga},ui-gtk} dnsmasq usbutils \ udisks2 \ - xdg-user-dirs \ + xdg-utils xdg-user-dirs \ yt-dlp \ - zathura{,-pdf-poppler} \ + zathura-pdf-poppler \ zenity \ >> pkglist.txt -printf '%s\n' \ - com.valvesoftware.Steam \ - org.gimp.GIMP \ - org.gtk.Gtk3theme.Materia-dark \ - org.mozilla.firefox \ - >> modules/chroot/flatpak.txt - case "$(lspci | grep 'VGA\|3D')" in *AMD*) echo vulkan-radeon mesa >> pkglist.txt ;; *Intel*) echo vulkan-intel intel-media-driver >> pkglist.txt ;; diff --git a/rootfs/etc/iwd/main.conf b/rootfs/etc/iwd/main.conf new file mode 100644 index 0000000..a13a69f --- /dev/null +++ b/rootfs/etc/iwd/main.conf @@ -0,0 +1,2 @@ +[General] +AddressRandomization=once diff --git a/rootfs/etc/makepkg.conf b/rootfs/etc/makepkg.conf new file mode 100644 index 0000000..a5821f8 --- /dev/null +++ b/rootfs/etc/makepkg.conf 
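Review bot: `AddressRandomization=once` in the new main.conf generates one random MAC when iwd starts and reuses it on every network until the daemon restarts, so the address is still linkable across networks within a session; if privacy is the goal, `AddressRandomization=network` gives each SSID its own stable random address, and `AddressRandomizationRange=full` randomizes the vendor OUI as well. A one-line comment stating the intended trade-off, e.g. `# once: one random MAC per iwd start; network: per-SSID addresses`, would save the next reader a trip to iwd.config(5).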
@@ -0,0 +1,165 @@ +#!/hint/bash +# shellcheck disable=2034 + +# +# /etc/makepkg.conf +# + +######################################################################### +# SOURCE ACQUISITION +######################################################################### +# +#-- The download utilities that makepkg should use to acquire sources +# Format: 'protocol::agent' +DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u' + 'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u' + 'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u' + 'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u' + 'rsync::/usr/bin/rsync --no-motd -z %u %o' + 'scp::/usr/bin/scp -C %u %o') + +# Other common tools: +# /usr/bin/snarf +# /usr/bin/lftpget -c +# /usr/bin/wget + +#-- The package required by makepkg to download VCS sources +# Format: 'protocol::package' +VCSCLIENTS=('bzr::breezy' + 'fossil::fossil' + 'git::git' + 'hg::mercurial' + 'svn::subversion') + +######################################################################### +# ARCHITECTURE, COMPILE FLAGS +######################################################################### +# +CARCH="x86_64" +CHOST="x86_64-pc-linux-gnu" + +#-- Compiler and Linker Flags +#CPPFLAGS="" +CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \ + -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \ + -fstack-clash-protection -fcf-protection \ + -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer" +CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS" +LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \ + -Wl,-z,pack-relative-relocs" +LTOFLAGS="-flto=auto" +#-- Make Flags: change this for DistCC/SMP systems +#MAKEFLAGS="-j2" +#-- Debugging flags +DEBUG_CFLAGS="-g" +DEBUG_CXXFLAGS="$DEBUG_CFLAGS" + +######################################################################### +# BUILD ENVIRONMENT +######################################################################### +# 
+# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign) +# A negated environment option will do the opposite of the comments below. +# +#-- distcc: Use the Distributed C/C++/ObjC compiler +#-- color: Colorize output messages +#-- ccache: Use ccache to cache compilation +#-- check: Run the check() function if present in the PKGBUILD +#-- sign: Generate PGP signature file +# +BUILDENV=(!distcc color !ccache check !sign) +# +#-- If using DistCC, your MAKEFLAGS will also need modification. In addition, +#-- specify a space-delimited list of hosts running in the DistCC cluster. +#DISTCC_HOSTS="" +# +#-- Specify a directory for package building. +#BUILDDIR=/tmp/makepkg + +######################################################################### +# GLOBAL PACKAGE OPTIONS +# These are default values for the options=() settings +######################################################################### +# +# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto !autodeps) +# A negated option will do the opposite of the comments below. +# +#-- strip: Strip symbols from binaries/libraries +#-- docs: Save doc directories specified by DOC_DIRS +#-- libtool: Leave libtool (.la) files in packages +#-- staticlibs: Leave static library (.a) files in packages +#-- emptydirs: Leave empty directories in packages +#-- zipman: Compress manual (man and info) pages in MAN_DIRS with gzip +#-- purge: Remove files specified by PURGE_TARGETS +#-- debug: Add debugging flags as specified in DEBUG_* variables +#-- lto: Add compile flags for building with link time optimization +#-- autodeps: Automatically add depends/provides +# +OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto) + +#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2 +INTEGRITY_CHECK=(sha256) +#-- Options to be used when stripping binaries. See `man strip' for details. 
+STRIP_BINARIES="--strip-all" +#-- Options to be used when stripping shared libraries. See `man strip' for details. +STRIP_SHARED="--strip-unneeded" +#-- Options to be used when stripping static libraries. See `man strip' for details. +STRIP_STATIC="--strip-debug" +#-- Manual (man and info) directories to compress (if zipman is specified) +MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info}) +#-- Doc directories to remove (if !docs is specified) +DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc}) +#-- Files to be removed from all packages (if purge is specified) +PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod) +#-- Directory to store source code in for debug packages +DBGSRCDIR="/usr/src/debug" +#-- Prefix and directories for library autodeps +LIB_DIRS=('lib:usr/lib' 'lib32:usr/lib32') + +######################################################################### +# PACKAGE OUTPUT +######################################################################### +# +# Default: put built package and cached source in build directory +# +#-- Destination: specify a fixed directory where all packages will be placed +#PKGDEST=/home/packages +#-- Source cache: specify a fixed directory where source files will be cached +#SRCDEST=/home/sources +#-- Source packages: specify a fixed directory where all src packages will be placed +#SRCPKGDEST=/home/srcpackages +#-- Log files: specify a fixed directory where all log files will be placed +#LOGDEST=/home/makepkglogs +#-- Packager: name/email of the person or organization building packages +#PACKAGER="John Doe " +#-- Specify a key to use for package signing +#GPGKEY="" + +######################################################################### +# COMPRESSION DEFAULTS +######################################################################### +# +COMPRESSGZ=(gzip -c -f -n) +COMPRESSBZ2=(bzip2 -c -f) +COMPRESSXZ=(xz -c -z -) +COMPRESSZST=(zstd -c -T0 -) +COMPRESSLRZ=(lrzip -q) +COMPRESSLZO=(lzop -q) +COMPRESSZ=(compress 
-c -f) +COMPRESSLZ4=(lz4 -q) +COMPRESSLZ=(lzip -c -f) + +######################################################################### +# EXTENSION DEFAULTS +######################################################################### +# +PKGEXT='.pkg.tar.zst' +SRCEXT='.src.tar.gz' + +######################################################################### +# OTHER +######################################################################### +# +#-- Command used to run pacman as root, instead of trying sudo and su +PACMAN_AUTH=(doas) +# vim: set ft=sh ts=2 sw=2 et: diff --git a/rootfs/etc/nftables.conf b/rootfs/etc/nftables.conf index dfbd8eb..4540dc7 100644 --- a/rootfs/etc/nftables.conf +++ b/rootfs/etc/nftables.conf 
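Review bot: This new rootfs file appears to be a full copy of the distro's stock /etc/makepkg.conf with four local deviations (`BUILDENV` with `color`, `OPTIONS` with `debug lto`, `INTEGRITY_CHECK=(sha256)`, `PACMAN_AUTH=(doas)`), so every future upstream change to the hardening `CFLAGS`/`LDFLAGS` (`-D_FORTIFY_SOURCE=3`, `-fstack-clash-protection`, `-fcf-protection`, `-z now`) will arrive as a .pacnew that must be merged by hand or is silently lost. If the pinned pacman is 6.1 or newer it reads `/etc/makepkg.conf.d/*.conf`, so shipping only those four settings in e.g. `rootfs/etc/makepkg.conf.d/local.conf` keeps the upstream flags authoritative — worth confirming against the target version. Failing that, a header comment such as `# Differences from stock: color, debug+lto, sha256 sums, doas for pacman` makes later diffs against upstream trivial.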
@@ -1,36 +1,28 @@ #!/usr/bin/nft -f -# vim:set ts=2 sw=2 et: destroy table inet filter; table inet filter { - chain input { - type filter hook input priority filter; policy drop; + chain input { + type filter hook input priority filter; policy drop; - #tcp dport 32768-65535 counter meta nftrace set 1 accept comment "WoW VoiceError:17" + ct state invalid counter drop + ct state {established, related} counter accept - ct state invalid counter drop - ct state {established, related} counter accept + iif "lo" counter accept + ip protocol {icmp,icmpv6} counter accept - iif "lo" counter accept - ip protocol {icmp,icmpv6} counter accept + counter meta nftrace set 1 comment "dropped" + } - iifname "waydroid0" meta l4proto {tcp, udp} th dport {53, 67} counter accept + chain forward { + type filter hook forward priority filter; policy drop; - counter meta nftrace set 1 comment "dropped" - } + counter meta nftrace set 1 comment "dropped" + } - chain forward { - type filter hook forward priority filter; policy drop; + chain output { + type filter hook output priority filter; policy accept; - iifname "waydroid0" counter accept - oifname "waydroid0" counter accept - - counter meta nftrace set 1 comment "dropped" - } - - chain output { - type filter hook output priority filter; policy accept; - - counter comment "accepted" - } + counter comment "accepted" + } }
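Review bot: In the re-indented input chain `ip protocol {icmp,icmpv6} counter accept` only inspects the IPv4 protocol field, so in this `inet` table ICMPv6 — including neighbour discovery and router advertisements — never matches and falls through to `policy drop`, which breaks IPv6 connectivity; `meta l4proto {icmp, icmpv6} counter accept` covers both families. If the intent is to be stricter than accepting every ICMP type, split it into `icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept` and `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, packet-too-big, destination-unreachable, time-exceeded, parameter-problem } accept`. The waydroid0 accepts are removed on purpose per the diff; the remaining `counter meta nftrace set 1 comment "dropped"` rules presumably stay for debugging, but they enable tracing for every dropped packet on the host, which is worth a comment if it is intentional.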