diff --git a/setup b/setup
index cf08aa5..af6ce13 100755
--- a/setup
+++ b/setup
@@ -1,173 +1,137 @@ #!/usr/bin/env bash set -euo pipefail -# ------------------------------------------------------------------- -# Arch/Debian post-install setup script -# Purpose: install software, configure user environment, and apply -# security tweaks. Base system + networking handled separately. -# ------------------------------------------------------------------- +# --- privilege keepalive --- +# prompt once for sudo and keep alive in background +if ! sudo -v; then + echo "❌ sudo access required. aborting." + exit 1 +fi +# keep sudo alive until script ends +while true; do sudo -n true; sleep 30; kill -0 "$$" || exit; done 2>/dev/null & +# --- distro detection --- if [[ -f /etc/os-release ]]; then . /etc/os-release DISTRO_ID="${ID,,}" else - echo "Cannot detect distribution (no /etc/os-release)" + echo "cannot detect distribution. aborting." exit 1 fi UNAME="${SUDO_USER:-${USER:-$(whoami)}}" if [[ -z "$UNAME" ]]; then - echo "Could not determine invoking user." + echo "cannot determine non-root user. aborting." exit 1 fi -echo "Running setup as: $UNAME on $DISTRO_ID" +echo "⚙️ running as user: $UNAME (distro: $DISTRO_ID)" -# ------------------------------------------------------------------- -# Utility helpers -# ------------------------------------------------------------------- +# --- helpers --- command_exists() { command -v "$1" >/dev/null 2>&1; } as_user() { sudo -H -u "$UNAME" bash -lc "$*"; } -# ------------------------------------------------------------------- -# Arch package installation -# ------------------------------------------------------------------- +# --- arch package install --- install_packages_arch() { - echo "→ Updating system (Arch)..." - sudo pacman -Syu --noconfirm || true + echo "📦 installing base packages..." 
+ sudo pacman -Syu --noconfirm - PKGS=( + local PKGS=( base-devel git cmake gcc neovim vim python-pip xorg-server xorg-xinit xorg-xrandr xorg-xinput - openbox obconf alacritty cmus flameshot pavucontrol + openbox obconf + alacritty cmus flameshot pavucontrol chromium thunderbird steam keepassxc bluez bluez-tools blueman dmenu htop rsync unzip whois xclip xdotool xbindkeys efibootmgr grub nmap lynis rkhunter sbctl sudo ) + sudo pacman -S --noconfirm "${PKGS[@]}" - echo "→ Installing available packages..." - AVAILABLE=() - for pkg in "${PKGS[@]}"; do - if pacman -Si "$pkg" &>/dev/null; then - AVAILABLE+=("$pkg") - else - echo "⚠️ Skipping missing package: $pkg" - fi - done - - sudo pacman -S --noconfirm --needed "${AVAILABLE[@]}" - - # Install yay if missing + # yay if ! command_exists yay; then - echo "→ Installing yay (AUR helper)..." - TMPDIR="/tmp/yay-build.$$" - rm -rf "$TMPDIR" - git clone https://aur.archlinux.org/yay-bin.git "$TMPDIR" - as_user "cd $TMPDIR && makepkg -si --noconfirm || true" - rm -rf "$TMPDIR" + echo "📦 installing yay..." + TMP=$(mktemp -d) + git clone https://aur.archlinux.org/yay-bin.git "$TMP" + as_user "cd $TMP && makepkg -si --noconfirm" + rm -rf "$TMP" fi - # Optional AUR packages - if command_exists yay; then - echo "→ Installing AUR packages..." - as_user "yay -S --noconfirm --needed keybase-bin ckb-next || true" - fi + as_user "yay -S --noconfirm keybase-bin ckb-next" } -# ------------------------------------------------------------------- -# Debian/Ubuntu package installation -# ------------------------------------------------------------------- +# --- ubuntu/debian --- install_packages_ubuntu() { - echo "→ Updating system (Debian/Ubuntu)..." + echo "📦 installing packages (debian/ubuntu)..." 
sudo apt update && sudo apt upgrade -y - - PKGS_DEB=( - build-essential git cmake gcc neovim vim python3-pip - xorg openbox xinit x11-xserver-utils - alacritty cmus flameshot pavucontrol - chromium-browser thunderbird steam-installer keepassxc - bluez bluez-tools blueman - dmenu htop rsync unzip whois xclip xdotool xbindkeys + sudo apt install -y \ + build-essential git cmake gcc neovim vim python3-pip \ + xorg openbox xinit x11-xserver-utils \ + alacritty cmus flameshot pavucontrol \ + chromium-browser thunderbird steam-installer keepassxc \ + bluez bluez-tools blueman \ + dmenu htop rsync unzip whois xclip xdotool xbindkeys \ efibootmgr grub nmap lynis rkhunter sudo - ) - - echo "→ Installing packages..." - sudo apt install -y "${PKGS_DEB[@]}" || true } -# ------------------------------------------------------------------- -# Rust setup -# ------------------------------------------------------------------- +# --- rust setup --- setup_rust() { if ! command_exists rustc; then - echo "→ Installing rustup for $UNAME..." + echo "🦀 installing rustup for $UNAME..." as_user "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y" - else - echo "✓ rustc already installed" - fi - - if command_exists cargo; then - echo "→ Installing cargo utilities..." - as_user "PATH=~/.cargo/bin:\$PATH cargo install --locked bat lsd rusty-man cargo-expand viu || true" fi + as_user "source ~/.cargo/env && cargo install --locked bat lsd rusty-man cargo-expand viu || true" } -# ------------------------------------------------------------------- -# Fonts setup (optional) -# ------------------------------------------------------------------- +# --- fonts --- install_fonts() { - echo "→ Installing Nerd Font (Hack)..." + echo "🔤 installing Hack Nerd Font..." 
as_user "mkdir -p ~/.local/share/fonts && cd ~/.local/share/fonts && \ - git clone --depth=1 https://github.com/ryanoasis/nerd-fonts.git nerd-fonts-temp || true && \ - cd nerd-fonts-temp && ./install.sh Hack || true && \ - cd .. && rm -rf nerd-fonts-temp" + git clone --depth=1 https://github.com/ryanoasis/nerd-fonts.git nf-temp && \ + cd nf-temp && ./install.sh Hack && cd .. && rm -rf nf-temp" } -# ------------------------------------------------------------------- -# Security hardening -# ------------------------------------------------------------------- +# --- security setup --- setup_security() { - echo "→ Applying basic security tweaks..." + echo "🔐 configuring security..." + + if command_exists ufw; then + sudo ufw default deny incoming + sudo ufw default allow outgoing + sudo ufw allow ssh + sudo ufw --force enable + fi - # SSH if [[ -f /etc/ssh/sshd_config ]]; then - sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config || true - sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config || true + sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config + sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config sudo systemctl restart sshd || true fi - # Fail2ban if command_exists fail2ban-server; then sudo systemctl enable --now fail2ban || true fi - # rkhunter if command_exists rkhunter; then sudo rkhunter --update || true sudo rkhunter --propupd || true fi } -# ------------------------------------------------------------------- -# Main dispatcher -# ------------------------------------------------------------------- +# --- main flow --- case "$DISTRO_ID" in - arch|artix) - install_packages_arch - ;; + arch) + install_packages_arch ;; ubuntu|debian) - install_packages_ubuntu - ;; + install_packages_ubuntu ;; *) - echo "⚠️ Unknown distro: $DISTRO_ID — defaulting to Arch-style setup." 
- install_packages_arch - ;; + echo "unsupported distro: $DISTRO_ID" + exit 1 ;; esac setup_rust install_fonts setup_security -echo "✅ Post-install setup complete. You may reboot or log out to apply font and shell changes." +echo "✅ setup complete! (sudo kept alive for duration)"
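Review bot: The sudo keepalive loop added at the top of the script is never torn down, and while it refreshes the cached credential the script runs third-party code as `$UNAME` (the rustup `curl … | sh`, `makepkg -si`, the nerd-fonts `install.sh`, `cargo install` build scripts), any of which could call `sudo -n` and get root without a prompt, assuming the script is started by that user on the same terminal. Record the loop's PID with `KEEPALIVE_PID=$!` right after the loop and add `trap 'kill "$KEEPALIVE_PID" 2>/dev/null; sudo -k' EXIT`, so the credential is dropped on every exit path, including a `set -e` abort. In `setup_security`, the two `sed` edits only rewrite a directive that already exists in `/etc/ssh/sshd_config`, so a missing line, or an override from a drop-in file if the distro's config includes one, can leave password login enabled, and `systemctl restart sshd || true` hides a failed restart; run `sudo sshd -t` before restarting and confirm the effective value with `sudo sshd -T | grep -i passwordauthentication`. The `ufw` and `fail2ban` blocks are skipped silently when the tools are absent, and neither package appears in the install lists in this hunk, so an `else` branch such as `echo "ufw not installed; firewall not configured" >&2` would make the gap visible.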