fix: cleanup

config

@@ -1,5 +1,4 @@
 # User Variables
-# Comment to disable
 # shellcheck disable=SC2034
 
 install_type=dwm # base|desktop|dwm
@@ -7,39 +6,40 @@ install_type=dwm # base|desktop|dwm
 disk=/dev/nvme0n1
 disk_passwd=cryptroot
 
-swapfile=1024 # MiB
+swapfile=1024 # MiB, Comment to disable
 
 username=ange
 userpasswd=ange
-rootpasswd=root
+rootpasswd=root # Comment to disable
 
-shell=zsh
+shell=bash
 
 hostname="$username-pc"
 
-tz=Europe/Paris
-locales=en_US # e.g. 'en_US,fr_FR'
+tz=UTC        # Europe/Paris
+locales=en_US # en_US,fr_FR
 lang=en_US
 
 pkg=(
+    7zip unrar
     base-devel man-{db,pages} tldr
-    efibootmgr
-    fastfetch
-    git
+    bash-completion
+    detox
     dosfstools exfatprogs
-    iwd iptables-nft wireguard-tools bind gnu-netcat
+    fastfetch
+    fzf
+    git
+    iwd iptables-nft wireguard-tools gnu-netcat
     jq
     lf
     neovim{,-lspconfig} python-{pynvim,black} ripgrep bash-language-server pyright
     opendoas
     openssh
-    p7zip unrar
-    podman docker-compose aardvark-dns
+    podman docker-compose
     reflector
     renameutils perl-rename
     rsync
     terminus-font awesome-terminal-fonts
-    fzf
 )
 
 # vim: ft=sh

install.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+echo 'If you want Secure Boot support, you need to put your system in Setup Mode'
+read -r
+
 exec &> >(tee logs.out)
 
 set -a

modules/00-prechroot/10-disk.sh

@@ -2,11 +2,11 @@
 #shellcheck disable=SC2154
 
 sgdisk -Z \
-    -n '0:0:+512M' -t '0:ef00' -c '0:boot' \
+    -n '0:0:+512M' -t '0:ef00' -c '0:esp' \
     -n '0:0:0'     -t '0:8300' -c '0:root' \
     "$disk"
 
-boot=/dev/disk/by-partlabel/boot
+esp=/dev/disk/by-partlabel/esp
 root=/dev/disk/by-partlabel/root
 
 [ -n "$disk_passwd" ] && {
@@ -15,20 +15,25 @@ root=/dev/disk/by-partlabel/root
     root=/dev/mapper/cryptroot
 }
 
-sleep 2 # wait for /dev/disk/by-partlabel/ to be populated
+sleep 5 # wait /dev/disk/by-partlabel/
 
-mkfs.fat -F32 "$boot"
+mkfs.vfat -F32 "$esp"
 mkfs.ext4 -F "$root"
 mount "$root" /mnt/
-mount -m -o fmask=0077,dmask=0077 /dev/disk/by-partlabel/boot /mnt/boot/
+
+cat <<EOF > /mnt/etc/fstab
+UUID=$(blkid "$root" -ovalue -sUUID)	/	ext4	rw,relatime	0 1
+UUID=$(blkid "$esp" -ovalue -sUUID)	/efi	vfat	rw,fmask=0077,dmask=0077,noauto	0 2
+EOF
 
 [ -n "$swapfile" ] && {
     dd if=/dev/zero of=/mnt/swapfile bs=1M count="$swapfile" status=progress
     chmod 600 /mnt/swapfile
     mkswap /mnt/swapfile
     swapon /mnt/swapfile
+    echo "/swapfile	none	swap	defaults	0 0" >> /mnt/etc/fstab
 }
 
 cp -rfTv rootfs/ /mnt/
-genfstab -U /mnt/ >> /mnt/etc/fstab
+
 swapoff /mnt/swapfile

modules/00-prechroot/20-pkg.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+#shellcheck disable=SC2154
+
+case "$(lscpu)" in
+    *AMD*)   echo amd-ucode   >> pkglist.txt ;;
+    *Intel*) echo intel-ucode >> pkglist.txt ;;
+    *) ;;
+esac
+
+[ -s modules/chroot/flatpak.txt ] \
+    && printf '%s\n' flatpak xdg-desktop-portal-gtk >> pkglist.txt
+
+[ -d /sys/class/power_supply/BAT0 ] && echo tlp >> pkglist.txt
+
+echo "$shell" >> pkglist.txt
+pacstrap -C rootfs/etc/pacman.conf -K /mnt \
+    base linux{,-lts,-firmware} efibootmgr sbctl - < pkglist.txt
+
+find /mnt/etc/ -name '*.pacnew' -delete

modules/10-chroot/00-bootstrap.sh

@@ -6,7 +6,7 @@ hwclock --systohc
 
 while read -r l; do
     sed -i "/^#\s*$l.UTF-8/s/^#\s*//" /etc/locale.gen
-done < <(sed 's/,/\n/g' "$locales")
+done <<< "${locales//,/$'\n'}"
 locale-gen
 
 echo "LANG=$lang.UTF-8" > /etc/locale.conf

modules/10-chroot/10-bootloader.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+#shellcheck disable=SC2154
+
+root="$(findmnt -n -osource /)"
+boot="$(lsblk -ls -oname /dev/disk/by-partlabel/boot | tail -n1)"
+
+cryptdev="$(cryptsetup status "$root" | awk '/device/ {print $2}')"
+[ -n "$cryptdev" ] && {
+    uuid="$(blkid | grep "$cryptdev" | awk '{print $2}')"
+    options="cryptdevice=$uuid:${root##*/} "
+}
+
+options="${options}root=$root rw"
+
+sbctl create-keys
+sbctl enroll-keys
+
+for l in arch{,-lts-fallback}; do
+    efibootmgr --create --unicode --label "$l" \
+        --disk "$boot" --part 1 --loader "\\EFI\\Linux\\arch-linux$l.efi"
+done
+echo "$options" > /etc/cmdline.d/root.conf

modules/10-chroot/20-users.sh

@@ -4,5 +4,5 @@
 shell="$(sed -n "/$shell/{p;q}" /etc/shells)"
 useradd -mG wheel,video "$username" -s "${shell:-/bin/bash}"
 
-echo "root:$rootpasswd" | chpasswd
+[ -n "$rootpasswd" ] && echo "root:$rootpasswd" | chpasswd
 echo "$username:$userpasswd" | chpasswd

modules/10-chroot/30-services.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+#shellcheck disable=SC2154
+
+systemctl enable iwd.service
+systemctl enable nftables.service
+systemctl enable reflector.timer
+systemctl enable systemd-networkd.service
+systemctl enable systemd-resolved.service
+systemctl enable systemd-timesyncd.service
+systemctl enable tlp.service

modules/10-chroot/40-flatpak.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+#shellcheck disable=SC2154
+
+[ -s /chroot/flatpak.txt ] \
+    && xargs flatpak install -y --noninteractive < /chroot/flatpak.txt

modules/10-chroot/50-dwm.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+#shellcheck disable=SC2154
 
 git clone --depth 1 https://git.maby.dev/ange/.dotfiles.git /tmp/dotfiles
 /tmp/dotfiles/.config/suckless/update.sh

modules/20-postchroot/99-done.sh

@@ -6,7 +6,6 @@ GREEN=$'\e[32m'
 NORMAL=$'\e[0m'
 
 echo "${BOLD}${GREEN}DONE. Umount? [Y/n]${NORMAL} " && read -r ANS
-
 case "$ANS" in
     ''|[Yy]*) ;;
     *) exit ;;

modules/base.sh

@@ -1,22 +1,21 @@
 #!/bin/bash
 #shellcheck disable=SC2154
 
-for i in ./modules/prechroot/*.sh; do
+for i in modules/00-prechroot/*.sh; do
     bash -x "$i"
 done
 
-cp -r ./modules/chroot/ /mnt/
-(cd ./modules/ || exit
-    for i in ./chroot/*.sh; do
-        arch-chroot /mnt/ bash -x "/$i"
-    done
+cp -r modules/chroot/ /mnt/
 
-    for i in ./chroot/user/*.sh; do
-        arch-chroot /mnt/ su - "$username" -c "bash -x '/$i'"
-    done
-)
+for i in modules/10-chroot/*.sh; do
+    arch-chroot /mnt bash -x "${i/modules/}"
+done
 
-for i in ./modules/postchroot/*.sh; do
+for i in modules/10-chroot/user/*.sh; do
+    arch-chroot /mnt su - "$username" -c "bash -x '${i/modules/}'"
+done
+
+for i in modules/20-postchroot/*.sh; do
     bash -x "$i"
 done
 

modules/chroot/10-bootloader.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-#shellcheck disable=SC2154
-
-bootctl install
-
-root="$(findmnt -nr -o source /)"
-
-cryptdev="$(cryptsetup status "$root" | awk '/device/ {print $2}')"
-[ -n "$cryptdev" ] && {
-    uuid="$(blkid | grep "$cryptdev" | awk '{print $2}')"
-    options="cryptdevice=$uuid:$(basename "$root") "
-}
-
-options="${options}root=$root"
-
-for f in /boot/loader/entries/*.conf; do
-    cat << EOF >> "$f"
-options $options rw
-EOF
-done

modules/chroot/30-services.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-#shellcheck disable=SC2154
-
-systemctl enable \
-    iwd.service \
-    nftables.service \
-    reflector.timer \
-    systemd-networkd.service \
-    systemd-resolved.service \
-    systemd-timesyncd.service \
-    tlp.service

modules/chroot/40-flatpak.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-#shellcheck disable=SC2154
-
-[ -s flatpak.txt ] && xargs flatpak install -y < flatpak.txt

modules/chroot/user/10-services.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-#shellcheck disable=SC2154
-
-systemctl enable --user podman.socket

modules/desktop.sh

@@ -4,21 +4,21 @@
 #newsraft
 printf '%s\n' \
     aerc w3m \
+    alacritty \
     bluez{,-utils} \
-    dunst libnotify \
     feh \
     gammastep \
-    graphicsmagick ghostscript \
-    gvfs{,-gphoto2,-mtp} \
+    imagemagick ghostscript \
     materia-gtk-theme papirus-icon-theme \
     monero \
     mpv \
-    noto-fonts{,-cjk,-emoji} ttf-{dejavu,liberation} otf-font-awesome \
+    noto-fonts{,-cjk,-emoji} otf-font-awesome \
     pass{,-otp} gcr \
     pcmanfm-gtk3 \
     pipewire{,-pulse,-jack} pavucontrol playerctl \
     polkit-gnome \
     qemu-{base,audio-pipewire,hw-usb-host,hw-display-virtio-{gpu,vga},ui-gtk} dnsmasq \
+    udisks2 \
     xdg-user-dirs \
     yt-dlp \
     zathura{,-pdf-poppler} \
@@ -26,17 +26,16 @@ printf '%s\n' \
         >> pkglist.txt
 
 printf '%s\n' \
-    com.valvesoftware.Steam org.freedesktop.Platform.VulkanLayer.gamescope \
-    net.lutris.Lutris \
+    com.valvesoftware.Steam \
     org.gimp.GIMP \
     org.gtk.Gtk3theme.Materia-dark \
     org.mozilla.firefox \
-        >> flatpak.txt
+        >> modules/chroot/flatpak.txt
 
 case "$(lspci | grep 'VGA\|3D')" in
-    *AMD*)    echo vulkan-radeon  >> pkglist.txt ;;
-    *Intel*)  echo vulkan-intel   >> pkglist.txt ;;
-    *NVIDIA*) echo vulkan-nouveau >> pkglist.txt ;;
+    *AMD*)    echo vulkan-radeon mesa >> pkglist.txt ;;
+    *Intel*)  echo vulkan-intel intel-media-driver >> pkglist.txt ;;
+    *NVIDIA*) echo vulkan-nouveau mesa >> pkglist.txt ;;
     *) ;;
 esac
 

modules/dwm.sh

@@ -2,7 +2,6 @@
 #shellcheck disable=SC2154
 
 printf '%s\n' \
-    autorandr \
     i3lock xss-lock \
     picom \
     xorg-{server,xinit,xrandr,xsetroot} xclip xdotool \

modules/prechroot/20-pkg.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-#shellcheck disable=SC2154
-
-case "$(lscpu)" in
-    *AMD*)   echo amd-ucode >> pkglist.txt ;;
-    *Intel*) echo intel-ucode >> pkglist.txt ;;
-    *) ;;
-esac
-
-[ -s "$flatpakpkg" ] \
-    && printf '%s\n' flatpak xdg-desktop-portal-gtk >> pkglist.txt
-
-[ -f /sys/class/power_supply/BAT0 ] && echo tlp >> pkglist.txt
-
-pacstrap -C rootfs/etc/pacman.conf -K /mnt/ \
-    base linux{,-lts,-firmware} "$shell" - < pkglist.txt
-
-find /mnt/etc -name '*.pacnew' -delete

rootfs/boot/loader/entries/arch-lts.conf

@@ -1,3 +0,0 @@
-title   Arch Linux LTS
-linux   /vmlinuz-linux-lts
-initrd  /initramfs-linux-lts.img

rootfs/boot/loader/entries/arch.conf

@@ -1,3 +0,0 @@
-title   Arch Linux
-linux   /vmlinuz-linux
-initrd  /initramfs-linux.img

rootfs/boot/loader/loader.conf

@@ -1 +0,0 @@
-default arch

rootfs/etc/mkinitcpio.d/linux-lts.preset

@@ -0,0 +1,3 @@
+ALL_kver='/boot/vmlinuz-linux-lts'
+PRESETS=('fallback')
+fallback_uki='/efi/EFI/Linux/arch-linux-lts-fallback.efi'

rootfs/etc/mkinitcpio.d/linux.preset

@@ -0,0 +1,3 @@
+ALL_kver='/boot/vmlinuz-linux'
+PRESETS=('default')
+default_uki='/efi/EFI/Linux/arch-linux.efi'

rootfs/etc/modprobe.d/nobeep.conf

@@ -1,2 +1 @@
 blacklist pcspkr
-blacklist snd_pcsp

rootfs/etc/nftables.conf

@@ -1,25 +1,30 @@
 #!/usr/bin/nft -f
 # vim:set ts=2 sw=2 et:
 
-destroy table inet filter
+destroy table inet filter;
 table inet filter {
   chain input {
     type filter hook input priority filter; policy drop;
 
-    #tcp dport 32768-40960 counter meta nftrace set 1 accept comment "WoW VoiceError:17"
+    #tcp dport 32768-65535 counter meta nftrace set 1 accept comment "WoW VoiceError:17"
 
-    ct state invalid               counter drop
-    ct state {established,related} counter accept
+    ct state invalid                counter drop
+    ct state {established, related} counter accept
 
     iif "lo"                  counter accept
     ip protocol {icmp,icmpv6} counter accept
 
+    iifname "waydroid0" meta l4proto {tcp, udp} th dport {53, 67} counter accept
+
     counter meta nftrace set 1 comment "dropped"
   }
 
   chain forward {
     type filter hook forward priority filter; policy drop;
 
+    iifname "waydroid0" counter accept
+    oifname "waydroid0" counter accept
+
     counter meta nftrace set 1 comment "dropped"
   }
 

rootfs/etc/pacman.conf

@@ -35,6 +35,8 @@ Color
 CheckSpace
 VerbosePkgLists
 ParallelDownloads = 8
+DownloadUser = alpm
+#DisableSandbox
 ILoveCandy
 
 # By default, pacman accepts packages signed by keys that its local keyring

rootfs/etc/pacman.d/hooks/10-systemd-boot.hook

@@ -1,9 +0,0 @@
-[Trigger]
-Type = Package
-Operation = Upgrade
-Target = systemd
-
-[Action]
-Description = Gracefully upgrading systemd-boot...
-When = PostTransaction
-Exec = /usr/bin/systemctl restart systemd-boot-update.service

rootfs/etc/xdg/reflector/reflector.conf

@@ -1,4 +1,3 @@
 --save /etc/pacman.d/mirrorlist
 --protocol https
---latest 5
---sort rate
+--sort score