diff --git a/setup b/setup
index 7d1578b..6727428 100755
--- a/setup
+++ b/setup
@@ -1,105 +1,167 @@ #!/usr/bin/env bash set -euo pipefail -# Detect distro -if [[ $(uname -a) == *"arch"* ]]; then - IS_ARCH=true +# Run as a regular user (script will use sudo for privileged operations) +# Usage: ./setup.sh + +# --- Basic detection --- +if [[ -f /etc/os-release ]]; then + . /etc/os-release + DISTRO_ID="${ID,,}" # lowercase else - IS_ARCH=false + echo "Cannot detect distribution (no /etc/os-release). Aborting." + exit 1 fi -# --- Helper Functions --- +# The non-root user invoking this script +UNAME="${SUDO_USER:-${USER:-$(whoami)}}" +if [[ -z "$UNAME" ]]; then + echo "Could not determine a non-root user. Run this as a normal user." + exit 1 +fi + +echo "Running as user: $UNAME (distro: $DISTRO_ID)" + +# --- helper functions --- +command_exists() { command -v "$1" >/dev/null 2>&1; } + +# Run a command as the original non-root user +as_user() { + sudo -H -u "$UNAME" bash -lc "$*" +} + +# --- Arch package installation --- install_packages_arch() { - sudo pacman -Sy --noconfirm - sudo pacman -S --noconfirm base base-devel linux-hardened linux-hardened-headers \ - git cmake gcc neovim vim python3-pip \ - openbox obconf xorg-server xorg-xinit xorg-xinput xorg-xrandr \ - alacritty cmus flameshot pavucontrol \ - chromium thunderbird steam keepassxc \ - bluez bluez-tools blueman \ - dmenu htop rsync unzip whois xclip xdotool xbindkeys \ - efibootmgr grub nmap lynis rkhunter sbctl - # Yay for AUR packages - if ! command -v yay >/dev/null; then - git clone https://aur.archlinux.org/yay-bin.git /tmp/yay - cd /tmp/yay - makepkg -si --noconfirm + echo "Updating system and installing packages (Arch)..." 
+ sudo pacman -Syu --noconfirm + + # core packages (tweak list as you like) + PKGS=( + base-devel git cmake gcc neovim vim python-pip + xorg-server xorg-xinit xorg-xrandr xorg-xinput + openbox obconf + alacritty cmus flameshot pavucontrol + chromium thunderbird steam keepassxc + bluez bluez-tools blueman + dmenu htop rsync unzip whois xclip xdotool xbindkeys + efibootmgr grub nmap lynis rkhunter sbctl sudo + ) + + sudo pacman -S --noconfirm "${PKGS[@]}" + + # Install yay (AUR helper) if missing (build as non-root user) + if ! command_exists yay; then + echo "Installing yay (AUR helper)..." + # ensure base-devel present (already in PKGS) + TMP="/tmp/yay-build-$$" + rm -rf "$TMP" + git clone https://aur.archlinux.org/yay-bin.git "$TMP" + as_user "cd $TMP && makepkg -si --noconfirm" + rm -rf "$TMP" + else + echo "yay already installed" fi - # Additional yay apps - yay -S --noconfirm keybase-bin ckb-next minecraft-launcher nvidia-dkms nvidia-settings + + # install some AUR packages (use yay, as non-root) + as_user "yay -S --noconfirm keybase-bin ckb-next" } +# --- Debian/Ubuntu package installation (if needed) --- install_packages_ubuntu() { + echo "Updating system and installing packages (Debian/Ubuntu)..." 
sudo apt update && sudo apt upgrade -y - sudo apt install -y build-essential git cmake gcc neovim vim python3-pip \ - openbox obconf xorg xinit x11-xserver-utils \ - alacritty cmus flameshot pavucontrol \ - chromium-browser thunderbird steam-installer keepassxc \ - bluez bluez-tools blueman \ - dmenu htop rsync unzip whois xclip xdotool xbindkeys \ + + PKGS_DEB=( + build-essential git cmake gcc neovim vim python3-pip + xorg openbox xinit x11-xserver-utils + alacritty cmus flameshot pavucontrol + chromium-browser thunderbird steam-installer keepassxc + bluez bluez-tools blueman + dmenu htop rsync unzip whois xclip xdotool xbindkeys efibootmgr grub nmap lynis rkhunter sudo + ) + sudo apt install -y "${PKGS_DEB[@]}" } -# --- Rust Setup --- +# --- Rust setup for the user --- setup_rust() { - if ! command -v rustc >/dev/null; then - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y - source $HOME/.cargo/env + if ! command_exists rustc; then + echo "Installing rustup for user $UNAME..." + as_user "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y" + # source would be needed in new shell; we'll also add cargo to PATH for this session when running cargo installs + export PATH="/home/$UNAME/.cargo/bin:$PATH" + else + echo "rustc already installed" fi - # Cargo apps - cargo install --locked alacritty bat lsd rusty-man cargo-expand viu + if command_exists cargo; then + echo "Installing useful cargo binaries for $UNAME..." + # Install per-user via cargo (run as user) + as_user "PATH=~/.cargo/bin:\$PATH cargo install --locked bat lsd rusty-man cargo-expand viu || true" + fi } -# --- Fonts --- +# --- Fonts installation (nerd fonts: user install) --- install_fonts() { - mkdir -p ~/bin/setup - cd ~/bin/setup - if [[ ! -d nerd-fonts ]]; then - git clone https://github.com/ryanoasis/nerd-fonts - fi - cd nerd-fonts - ./install.sh Hack - cd ~ + echo "Installing Nerd Font (Hack) for user $UNAME..." 
+ as_user "mkdir -p ~/.local/share/fonts && cd ~/.local/share/fonts && \ + git clone --depth=1 https://github.com/ryanoasis/nerd-fonts.git nerd-fonts-temp || true && \ + cd nerd-fonts-temp && ./install.sh Hack || true && cd ~ && rm -rf ~/.local/share/fonts/nerd-fonts-temp" + echo "Font install requested (may require logout/login to take effect)." } -# --- Security Setup --- +# --- Security setup (optional, best-effort) --- setup_security() { - # Firewall - if command -v ufw >/dev/null; then + echo "Configuring basic security settings (best-effort)..." + + # UFW (if present) + if command_exists ufw; then sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow ssh - sudo ufw enable + sudo ufw --force enable + else + echo "ufw not installed; skipping UFW config" fi - # SSH hardening - sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config - sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config - sudo systemctl restart sshd - - # Enable fail2ban if available - if command -v fail2ban >/dev/null; then - sudo systemctl enable --now fail2ban + # SSH hardening (edit sshd_config safely) + if [[ -f /etc/ssh/sshd_config ]]; then + sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config || true + sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config || true + sudo systemctl restart sshd || true + else + echo "/etc/ssh/sshd_config missing; skipping SSH hardening" fi - # Run rkhunter check - if command -v rkhunter >/dev/null; then - sudo rkhunter --update - sudo rkhunter --propupd + # enable fail2ban if installed + if command_exists fail2ban-server; then + sudo systemctl enable --now fail2ban || true + fi + + # rkhunter (if installed) + if command_exists rkhunter; then + sudo rkhunter --update || true + sudo rkhunter --propupd || true fi } # --- Main --- -if $IS_ARCH; then - install_packages_arch -else - install_packages_ubuntu -fi 
+case "$DISTRO_ID" in + arch) + install_packages_arch + ;; + ubuntu|debian) + install_packages_ubuntu + ;; + *) + echo "Unsupported distro: $DISTRO_ID. Attempting Arch-like install by default." + install_packages_arch + ;; +esac setup_rust install_fonts setup_security -echo "Setup complete! You may need to reboot for kernel or grub changes." +echo "Setup complete! You may need to log out/in or reboot for some changes (fonts, kernel, grub) to apply."
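Review bot: The yay build directory in `install_packages_arch` is a predictable path in world-writable /tmp (`TMP="/tmp/yay-build-$$"`), and it is removed and re-created before `makepkg -si` runs the PKGBUILD inside it and installs the result through sudo. On a multi-user machine another local account can own or alter that path in the window between `rm -rf`, `git clone` and the build, so the directory should come from `TMP="$(mktemp -d)"` (created mode 0700 for the invoking user) with the preceding `rm -rf "$TMP"` dropped. `as_user` also joins its arguments with `$*` and hands them to `bash -lc`, so `$TMP` is re-parsed unquoted by a second shell; passing it quoted, as in `as_user "cd '$TMP' && makepkg -si --noconfirm"`, keeps the path a single word. If the script is ever started through sudo, `git clone` would presumably run as root and leave a tree the build user cannot write, so doing the clone inside `as_user` as well would keep ownership consistent.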