config

@@ -1,4 +1,5 @@
 # User Variables
+# Comment to disable
 # shellcheck disable=SC2034
 
 install_type=dwm # base|desktop|dwm
@@ -6,36 +7,34 @@ install_type=dwm # base|desktop|dwm
 disk=/dev/nvme0n1
 disk_passwd=cryptroot
 
-swapfile=1024 # MiB, comment to disable
+swapfile=1024 # MiB
 
 username=ange
 userpasswd=ange
-rootpasswd=root # comment to disable
+rootpasswd=root
 
 shell=bash
 
 hostname="$username-pc"
 
-tz=UTC        # Europe/Paris
+tz=Europe/Paris
-locales=en_US # en_US,fr_FR
+locales=en_US # 'en_US,fr_FR'
 lang=en_US
 
 pkg=(
-    7zip
+    base-devel man-{db,pages} tldr
-    bash-completion
+    bash-completion fzf
-    detox
     dosfstools exfatprogs
+    efibootmgr
     fastfetch
-    fzf
     git
-    inotify-tools
+    iwd iptables-nft wireguard-tools bind gnu-netcat
-    iwd iptables-nft wireguard-tools gnu-netcat
     jq
     lf
-    make man-{db,pages} patch texinfo tldr
+    neovim{,-lspconfig} python-{pynvim,black} ripgrep bash-language-server pyright
-    neovim-lspconfig python-{pynvim,black} ripgrep bash-language-server pyright
     opendoas
     openssh
+    p7zip unrar
     podman docker-compose
     reflector
     renameutils perl-rename

install.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 
-echo 'If you want Secure Boot support, you need to put your system in Setup Mode'
-read -r
-
 exec &> >(tee logs.out)
 
 set -a

modules/10-chroot/10-bootloader.sh

@@ -1,22 +0,0 @@
-#!/bin/bash
-#shellcheck disable=SC2154
-
-root="$(findmnt -n -osource /)"
-boot="$(lsblk -ls -oname /dev/disk/by-partlabel/boot | tail -n1)"
-
-cryptdev="$(cryptsetup status "$root" | awk '/device/ {print $2}')"
-if [ -n "$cryptdev" ]; then
-    uuid="$(blkid | grep "$cryptdev" | awk '{print $2}')"
-    options="cryptdevice=$uuid:${root##*/} "
-fi
-
-options="${options}root=$root rw"
-
-sbctl create-keys
-sbctl enroll-keys
-
-for l in arch{,-lts-fallback}; do
-    efibootmgr --create --unicode --label "$l" \
-        --disk "$boot" --part 1 --loader "\\EFI\\Linux\\arch-linux$l.efi"
-done
-echo "$options" > /etc/cmdline.d/root.conf

modules/20-postchroot/99-done.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-#shellcheck disable=SC2154
-
-BOLD=$'\e[1m'
-GREEN=$'\e[32m'
-NORMAL=$'\e[0m'
-
-read -rp "${BOLD}${GREEN}DONE. Umount? [Y/n]${NORMAL} " ANS
-if ! [[ "${ANS,}" =~ ^$|^y ]]; then
-    exit
-fi
-
-umount -R /mnt/

modules/base.sh

@@ -1,21 +1,21 @@
 #!/bin/bash
 #shellcheck disable=SC2154
 
-for i in modules/00-prechroot/*.sh; do
+for i in modules/prechroot/*.sh; do
     bash -x "$i"
 done
 
 cp -r modules/chroot/ /mnt/
 
-for i in modules/10-chroot/*.sh; do
+for i in modules/chroot/*.sh; do
     arch-chroot /mnt bash -x "${i/modules/}"
 done
 
-for i in modules/10-chroot/user/*.sh; do
+for i in modules/chroot/user/*.sh; do
     arch-chroot /mnt su - "$username" -c "bash -x '${i/modules/}'"
 done
 
-for i in modules/20-postchroot/*.sh; do
+for i in modules/postchroot/*.sh; do
     bash -x "$i"
 done
 

modules/chroot/10-bootloader.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+#shellcheck disable=SC2154
+
+bootctl install
+
+root="$(findmnt -nr -o source /)"
+
+cryptdev="$(cryptsetup status "$root" | awk '/device/ {print $2}')"
+[ -n "$cryptdev" ] && {
+    uuid="$(blkid | grep "$cryptdev" | awk '{print $2}')"
+    options="cryptdevice=$uuid:$(basename "$root") "
+}
+
+options="${options}root=$root"
+
+for f in /boot/loader/entries/*.conf; do
+    cat << EOF >> "$f"
+options $options rw
+EOF
+done

modules/chroot/20-users.sh

@@ -4,7 +4,5 @@
 shell="$(sed -n "/$shell/{p;q}" /etc/shells)"
 useradd -mG wheel,video "$username" -s "${shell:-/bin/bash}"
 
-if [ -n "$rootpasswd" ]; then
+echo "root:$rootpasswd"      | chpasswd
-    echo "root:$rootpasswd" | chpasswd
-fi
 echo "$username:$userpasswd" | chpasswd

modules/chroot/40-flatpak.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+#shellcheck disable=SC2154
+
+[ -s /chroot/flatpak.txt ] \
+    && xargs flatpak install -y --noninteractive < /chroot/flatpak.txt

modules/chroot/50-dwm.sh.dwm

@@ -1,5 +1,4 @@
 #!/bin/bash
-#shellcheck disable=SC2154
 
 git clone --depth 1 https://git.maby.dev/ange/.dotfiles.git /tmp/dotfiles
 /tmp/dotfiles/.config/suckless/update.sh

modules/chroot/user/10-services.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+#shellcheck disable=SC2154
+
+systemctl enable --user podman.socket

modules/chroot/user/20-dotfiles.sh

@@ -2,10 +2,10 @@
 #shellcheck disable=SC2154
 
 config=(git --git-dir "$HOME/.dotfiles" --work-tree "$HOME")
-repo='https://git.gmoker.com/ange/dotfiles.git'
+repo='https://git.maby.dev/ange/.dotfiles.git'
 
 git clone --bare "$repo" "$HOME/.dotfiles"
 "${config[@]}" checkout -f
 "${config[@]}" submodule update --init --recursive --remote
 "${config[@]}" config status.showUntrackedFiles no
-"${config[@]}" remote set-url origin git@git.gmoker.com:ange/dotfiles.git
+"${config[@]}" remote set-url origin git@git.maby.dev:ange/.dotfiles.git

modules/desktop.sh

@@ -6,29 +6,37 @@ printf '%s\n' \
     aerc w3m \
     alacritty \
     bluez{,-utils} \
+    dunst libnotify \
     feh \
-    firefox{,-ublock-origin} \
     gammastep \
-    imagemagick ghostscript \
+    graphicsmagick ghostscript \
-    materia-gtk-theme \
+    gvfs{,-gphoto2,-mtp} \
+    materia-gtk-theme papirus-icon-theme \
     monero \
     mpv \
     noto-fonts{,-cjk,-emoji} otf-font-awesome \
-    pass-otp gcr \
+    pass{,-otp} gcr \
-    pipewire{-pulse,-jack} playerctl \
+    pcmanfm-gtk3 \
+    pipewire{,-pulse,-jack} pavucontrol playerctl \
     polkit-gnome \
-    qemu-{base,audio-pipewire,hw-usb-host,hw-display-virtio-{gpu,vga},ui-gtk} dnsmasq usbutils \
+    qemu-{base,audio-pipewire,hw-usb-host,hw-display-virtio-{gpu,vga},ui-gtk} dnsmasq \
-    udisks2 \
+    xdg-user-dirs \
-    xdg-utils xdg-user-dirs \
     yt-dlp \
-    zathura-pdf-poppler \
+    zathura{,-pdf-poppler} \
     zenity \
         >> pkglist.txt
 
+printf '%s\n' \
+    com.valvesoftware.Steam \
+    org.gimp.GIMP \
+    org.gtk.Gtk3theme.Materia-dark \
+    org.mozilla.firefox \
+        >> modules/chroot/flatpak.txt
+
 case "$(lspci | grep 'VGA\|3D')" in
-    *AMD*)    echo vulkan-radeon mesa >> pkglist.txt ;;
+    *AMD*)    echo vulkan-radeon libva-mesa-driver mesa-vdpau >> pkglist.txt ;;
     *Intel*)  echo vulkan-intel intel-media-driver >> pkglist.txt ;;
-    *NVIDIA*) echo vulkan-nouveau mesa >> pkglist.txt ;;
+    *NVIDIA*) echo vulkan-nouveau libva-mesa-driver mesa-vdpau >> pkglist.txt ;;
     *) ;;
 esac
 

modules/dwm.sh

@@ -2,6 +2,7 @@
 #shellcheck disable=SC2154
 
 printf '%s\n' \
+    autorandr \
     i3lock xss-lock \
     picom \
     xorg-{server,xinit,xrandr,xsetroot} xclip xdotool \

modules/postchroot/99-done.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+#shellcheck disable=SC2154
+
+BOLD=$'\e[1m'
+GREEN=$'\e[32m'
+NORMAL=$'\e[0m'
+
+echo "${BOLD}${GREEN}DONE. Umount? [Y/n]${NORMAL} " && read -r ANS
+case "$ANS" in
+    ''|[Yy]*) ;;
+    *) exit ;;
+esac
+
+umount -R /mnt/

modules/prechroot/10-disk.sh

@@ -2,38 +2,34 @@
 #shellcheck disable=SC2154
 
 sgdisk -Z \
-    -n '0:0:+512M' -t '0:ef00' -c '0:esp' \
+    -n '0:0:+512M' -t '0:ef00' -c '0:boot' \
     -n '0:0:0'     -t '0:8300' -c '0:root' \
     "$disk"
 
-esp=/dev/disk/by-partlabel/esp
+boot=/dev/disk/by-partlabel/boot
 root=/dev/disk/by-partlabel/root
 
-if [ -n "$disk_passwd" ]; then
+[ -n "$disk_passwd" ] && {
     echo -n "$disk_passwd" | cryptsetup luksFormat "$root" -
     cryptsetup open "$root" cryptroot - <<< "$disk_passwd"
     root=/dev/mapper/cryptroot
-fi
+}
 
-sleep 5 # wait /dev/disk/by-partlabel/
+sleep 2 # wait for /dev/disk/by-partlabel/ to be populated
 
-mkfs.vfat -F32 "$esp"
+mkfs.fat -F32 "$boot"
 mkfs.ext4 -F "$root"
 mount "$root" /mnt/
+mount -m -o fmask=0077,dmask=0077 /dev/disk/by-partlabel/boot /mnt/boot/
 
-cat <<EOF > /mnt/etc/fstab
+[ -n "$swapfile" ] && {
-UUID=$(blkid "$root" -ovalue -sUUID)	/	ext4	rw,relatime	0 1
-UUID=$(blkid "$esp" -ovalue -sUUID)	/efi	vfat	rw,fmask=0077,dmask=0077,noauto	0 2
-EOF
-
-if [ -n "$swapfile" ]; then
     dd if=/dev/zero of=/mnt/swapfile bs=1M count="$swapfile" status=progress
     chmod 600 /mnt/swapfile
     mkswap /mnt/swapfile
     swapon /mnt/swapfile
-    echo "/swapfile	none	swap	defaults	0 0" >> /mnt/etc/fstab
+}
-fi
 
 cp -rfTv rootfs/ /mnt/
 
+genfstab -U /mnt/ >> /mnt/etc/fstab
 swapoff /mnt/swapfile

modules/prechroot/20-pkg.sh

@@ -7,12 +7,12 @@ case "$(lscpu)" in
     *) ;;
 esac
 
-if [ -d /sys/class/power_supply/BAT0 ]; then
+[ -s modules/chroot/flatpak.txt ] \
-    echo tlp >> pkglist.txt
+    && printf '%s\n' flatpak xdg-desktop-portal-gtk >> pkglist.txt
-fi
+
+[ -d /sys/class/power_supply/BAT0 ] && echo tlp >> pkglist.txt
 
-echo "$shell" >> pkglist.txt
 pacstrap -C rootfs/etc/pacman.conf -K /mnt \
-    base linux{,-lts,-firmware} efibootmgr sbctl - < pkglist.txt
+    base linux{,-lts,-firmware} "$shell" - < pkglist.txt
 
 find /mnt/etc/ -name '*.pacnew' -delete

rootfs/boot/loader/entries/arch-lts.conf

@@ -0,0 +1,3 @@
+title   Arch Linux LTS
+linux   /vmlinuz-linux-lts
+initrd  /initramfs-linux-lts.img

rootfs/boot/loader/entries/arch.conf

@@ -0,0 +1,3 @@
+title   Arch Linux
+linux   /vmlinuz-linux
+initrd  /initramfs-linux.img

rootfs/boot/loader/loader.conf

@@ -0,0 +1 @@
+default arch

rootfs/etc/iwd/main.conf

@@ -1,2 +0,0 @@
-[General]
-AddressRandomization=once

rootfs/etc/makepkg.conf

@@ -1,165 +0,0 @@
-#!/hint/bash
-# shellcheck disable=2034
-
-#
-# /etc/makepkg.conf
-#
-
-#########################################################################
-# SOURCE ACQUISITION
-#########################################################################
-#
-#-- The download utilities that makepkg should use to acquire sources
-#  Format: 'protocol::agent'
-DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u'
-          'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
-          'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
-          'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
-          'rsync::/usr/bin/rsync --no-motd -z %u %o'
-          'scp::/usr/bin/scp -C %u %o')
-
-# Other common tools:
-# /usr/bin/snarf
-# /usr/bin/lftpget -c
-# /usr/bin/wget
-
-#-- The package required by makepkg to download VCS sources
-#  Format: 'protocol::package'
-VCSCLIENTS=('bzr::breezy'
-            'fossil::fossil'
-            'git::git'
-            'hg::mercurial'
-            'svn::subversion')
-
-#########################################################################
-# ARCHITECTURE, COMPILE FLAGS
-#########################################################################
-#
-CARCH="x86_64"
-CHOST="x86_64-pc-linux-gnu"
-
-#-- Compiler and Linker Flags
-#CPPFLAGS=""
-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
-        -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \
-        -fstack-clash-protection -fcf-protection \
-        -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer"
-CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
-LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \
-         -Wl,-z,pack-relative-relocs"
-LTOFLAGS="-flto=auto"
-#-- Make Flags: change this for DistCC/SMP systems
-#MAKEFLAGS="-j2"
-#-- Debugging flags
-DEBUG_CFLAGS="-g"
-DEBUG_CXXFLAGS="$DEBUG_CFLAGS"
-
-#########################################################################
-# BUILD ENVIRONMENT
-#########################################################################
-#
-# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign)
-#  A negated environment option will do the opposite of the comments below.
-#
-#-- distcc:   Use the Distributed C/C++/ObjC compiler
-#-- color:    Colorize output messages
-#-- ccache:   Use ccache to cache compilation
-#-- check:    Run the check() function if present in the PKGBUILD
-#-- sign:     Generate PGP signature file
-#
-BUILDENV=(!distcc color !ccache check !sign)
-#
-#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
-#-- specify a space-delimited list of hosts running in the DistCC cluster.
-#DISTCC_HOSTS=""
-#
-#-- Specify a directory for package building.
-#BUILDDIR=/tmp/makepkg
-
-#########################################################################
-# GLOBAL PACKAGE OPTIONS
-#   These are default values for the options=() settings
-#########################################################################
-#
-# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto !autodeps)
-#  A negated option will do the opposite of the comments below.
-#
-#-- strip:      Strip symbols from binaries/libraries
-#-- docs:       Save doc directories specified by DOC_DIRS
-#-- libtool:    Leave libtool (.la) files in packages
-#-- staticlibs: Leave static library (.a) files in packages
-#-- emptydirs:  Leave empty directories in packages
-#-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
-#-- purge:      Remove files specified by PURGE_TARGETS
-#-- debug:      Add debugging flags as specified in DEBUG_* variables
-#-- lto:        Add compile flags for building with link time optimization
-#-- autodeps:   Automatically add depends/provides
-#
-OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto)
-
-#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2
-INTEGRITY_CHECK=(sha256)
-#-- Options to be used when stripping binaries. See `man strip' for details.
-STRIP_BINARIES="--strip-all"
-#-- Options to be used when stripping shared libraries. See `man strip' for details.
-STRIP_SHARED="--strip-unneeded"
-#-- Options to be used when stripping static libraries. See `man strip' for details.
-STRIP_STATIC="--strip-debug"
-#-- Manual (man and info) directories to compress (if zipman is specified)
-MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
-#-- Doc directories to remove (if !docs is specified)
-DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
-#-- Files to be removed from all packages (if purge is specified)
-PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
-#-- Directory to store source code in for debug packages
-DBGSRCDIR="/usr/src/debug"
-#-- Prefix and directories for library autodeps
-LIB_DIRS=('lib:usr/lib' 'lib32:usr/lib32')
-
-#########################################################################
-# PACKAGE OUTPUT
-#########################################################################
-#
-# Default: put built package and cached source in build directory
-#
-#-- Destination: specify a fixed directory where all packages will be placed
-#PKGDEST=/home/packages
-#-- Source cache: specify a fixed directory where source files will be cached
-#SRCDEST=/home/sources
-#-- Source packages: specify a fixed directory where all src packages will be placed
-#SRCPKGDEST=/home/srcpackages
-#-- Log files: specify a fixed directory where all log files will be placed
-#LOGDEST=/home/makepkglogs
-#-- Packager: name/email of the person or organization building packages
-#PACKAGER="John Doe <john@doe.com>"
-#-- Specify a key to use for package signing
-#GPGKEY=""
-
-#########################################################################
-# COMPRESSION DEFAULTS
-#########################################################################
-#
-COMPRESSGZ=(gzip -c -f -n)
-COMPRESSBZ2=(bzip2 -c -f)
-COMPRESSXZ=(xz -c -z -)
-COMPRESSZST=(zstd -c -T0 -)
-COMPRESSLRZ=(lrzip -q)
-COMPRESSLZO=(lzop -q)
-COMPRESSZ=(compress -c -f)
-COMPRESSLZ4=(lz4 -q)
-COMPRESSLZ=(lzip -c -f)
-
-#########################################################################
-# EXTENSION DEFAULTS
-#########################################################################
-#
-PKGEXT='.pkg.tar.zst'
-SRCEXT='.src.tar.gz'
-
-#########################################################################
-# OTHER
-#########################################################################
-#
-#-- Command used to run pacman as root, instead of trying sudo and su
-PACMAN_AUTH=(doas)
-# vim: set ft=sh ts=2 sw=2 et:

rootfs/etc/mkinitcpio.d/linux-lts.preset

@@ -1,3 +0,0 @@
-ALL_kver='/boot/vmlinuz-linux-lts'
-PRESETS=('fallback')
-fallback_uki='/efi/EFI/Linux/arch-linux-lts-fallback.efi'

rootfs/etc/mkinitcpio.d/linux.preset

@@ -1,3 +0,0 @@
-ALL_kver='/boot/vmlinuz-linux'
-PRESETS=('default')
-default_uki='/efi/EFI/Linux/arch-linux.efi'

rootfs/etc/modprobe.d/nobeep.conf

@@ -1 +1,2 @@
 blacklist pcspkr
+blacklist snd_pcsp

rootfs/etc/nftables.conf

@@ -1,28 +1,32 @@
 #!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
 
-destroy table inet filter;
 table inet filter {
-	chain input {
+  chain input {
-		type filter hook input priority filter; policy drop;
+    type filter hook input priority filter; policy drop;
 
-		ct state invalid counter drop
+    #tcp dport 32768-40960 counter meta nftrace set 1 accept comment "WoW VoiceError:17"
-		ct state {established, related} counter accept
 
-		iif "lo" counter accept
+    ct state invalid               counter drop
-		ip protocol {icmp,icmpv6} counter accept
+    ct state {established,related} counter accept
 
-		counter meta nftrace set 1 comment "dropped"
+    iif "lo"                  counter accept
-	}
+    ip protocol {icmp,icmpv6} counter accept
 
-	chain forward {
+    counter meta nftrace set 1 comment "dropped"
-		type filter hook forward priority filter; policy drop;
+  }
 
-		counter meta nftrace set 1 comment "dropped"
+  chain forward {
-	}
+    type filter hook forward priority filter; policy drop;
 
-	chain output {
+    counter meta nftrace set 1 comment "dropped"
-		type filter hook output priority filter; policy accept;
+  }
 
-		counter comment "accepted"
+  chain output {
-	}
+    type filter hook output priority filter; policy accept;
+
+    counter comment "accepted"
+  }
 }

rootfs/etc/pacman.conf

@@ -35,8 +35,6 @@ Color
 CheckSpace
 VerbosePkgLists
 ParallelDownloads = 8
-DownloadUser = alpm
-#DisableSandbox
 ILoveCandy
 
 # By default, pacman accepts packages signed by keys that its local keyring

rootfs/etc/pacman.d/hooks/10-systemd-boot.hook

@@ -0,0 +1,9 @@
+[Trigger]
+Type = Package
+Operation = Upgrade
+Target = systemd
+
+[Action]
+Description = Gracefully upgrading systemd-boot...
+When = PostTransaction
+Exec = /usr/bin/systemctl restart systemd-boot-update.service

rootfs/etc/xdg/reflector/reflector.conf

@@ -1,3 +1,4 @@
 --save /etc/pacman.d/mirrorlist
 --protocol https
---sort score
+--latest 5
+--sort rate