diff --git a/setup b/setup index af6ce13..5c382df 100755 --- a/setup +++ b/setup @@ -2,12 +2,10 @@ set -euo pipefail # --- privilege keepalive --- -# prompt once for sudo and keep alive in background if ! sudo -v; then echo "❌ sudo access required. aborting." exit 1 fi -# keep sudo alive until script ends while true; do sudo -n true; sleep 30; kill -0 "$$" || exit; done 2>/dev/null & # --- distro detection --- @@ -33,31 +31,43 @@ as_user() { sudo -H -u "$UNAME" bash -lc "$*"; } # --- arch package install --- install_packages_arch() { - echo "đŸ“Ļ installing base packages..." + echo "đŸ“Ļ Installing and updating base system..." sudo pacman -Syu --noconfirm local PKGS=( - base-devel git cmake gcc neovim vim python-pip + # Core & dev + base-devel git cmake gcc openssl python-pip + neovim vim + + # X11 & desktop environment xorg-server xorg-xinit xorg-xrandr xorg-xinput openbox obconf alacritty cmus flameshot pavucontrol - chromium thunderbird steam keepassxc + + # Apps + firefox thunderbird steam keepassxc bluez bluez-tools blueman + + # Utilities & security dmenu htop rsync unzip whois xclip xdotool xbindkeys efibootmgr grub nmap lynis rkhunter sbctl sudo ) sudo pacman -S --noconfirm "${PKGS[@]}" - # yay + # yay (AUR helper) if ! command_exists yay; then - echo "đŸ“Ļ installing yay..." + echo "đŸ“Ļ Installing yay..." TMP=$(mktemp -d) git clone https://aur.archlinux.org/yay-bin.git "$TMP" as_user "cd $TMP && makepkg -si --noconfirm" rm -rf "$TMP" fi - as_user "yay -S --noconfirm keybase-bin ckb-next" + # AUR packages (optional) + echo "đŸ“Ļ Installing AUR packages..." + as_user "yay -S --noconfirm tripwire" + + echo "✅ Base desktop packages installed successfully." } # --- ubuntu/debian --- 
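Review bot: In install_packages_arch, the added `as_user "yay -S --noconfirm tripwire"` builds and installs an AUR package with every prompt auto-answered while the background keepalive loop at the top of the script holds a cached sudo credential, so whatever the PKGBUILD contains at run time is built and installed as root-capable without anyone reading it. The new comment labels these packages "(optional)", but the call is unconditional. I would gate it behind an explicit opt-in, for example `if [[ "${INSTALL_AUR:-0}" == 1 ]]; then as_user "yay -S --noconfirm tripwire"; fi` (`INSTALL_AUR` is a placeholder name), or drop `--noconfirm` for this one call so the build files can be inspected first. Separately, installing tripwire presumably provides no integrity monitoring until its policy and baseline database are initialised, and nothing visible in this hunk does that, so a comment saying so would keep the final "installed successfully" message from being read as "monitoring is active".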
@@ -68,7 +78,7 @@ install_packages_ubuntu() { build-essential git cmake gcc neovim vim python3-pip \ xorg openbox xinit x11-xserver-utils \ alacritty cmus flameshot pavucontrol \ - chromium-browser thunderbird steam-installer keepassxc \ + firefox thunderbird steam-installer keepassxc \ bluez bluez-tools blueman \ dmenu htop rsync unzip whois xclip xdotool xbindkeys \ efibootmgr grub nmap lynis rkhunter sudo @@ -118,6 +128,41 @@ setup_security() { fi } +# --- AppArmor setup --- +setup_apparmor() { + echo "đŸ›Ąī¸ Installing and enabling AppArmor..." + + case "$DISTRO_ID" in + arch) + sudo pacman -S --noconfirm apparmor ;; + ubuntu|debian) + sudo apt install -y apparmor apparmor-utils ;; + *) + echo "âš ī¸ AppArmor not supported on this distro automatically." + return 0 ;; + esac + + # Enable service + sudo systemctl enable --now apparmor.service || true + + # Check if kernel param is active + if [[ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)" != "Y" ]]; then + echo "âš ī¸ AppArmor not fully active." + echo "👉 Add to GRUB_CMDLINE_LINUX_DEFAULT: apparmor=1 security=apparmor" + echo "Then run: sudo grub-mkconfig -o /boot/grub/grub.cfg && reboot" + else + echo "✅ AppArmor kernel module active." + fi + + # Optional Firefox profile + if [[ -f /etc/apparmor.d/usr.bin.firefox ]]; then + sudo aa-enforce /etc/apparmor.d/usr.bin.firefox || true + echo "✅ Firefox AppArmor profile enforced." + else + echo "â„šī¸ No Firefox profile found (optional)." + fi +} + # --- main flow --- case "$DISTRO_ID" in arch) @@ -132,6 +177,7 @@ esac setup_rust install_fonts setup_security +setup_apparmor echo "✅ setup complete! (sudo kept alive for duration)"
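Review bot: In setup_apparmor, `sudo aa-enforce /etc/apparmor.d/usr.bin.firefox || true` is followed by an unconditional success echo, so the script reports the Firefox profile as enforced even when aa-enforce failed; a hardening step that prints a false "enforced" is worse than one that fails loudly. I would branch on the exit status instead, `if sudo aa-enforce /etc/apparmor.d/usr.bin.firefox; then` around the existing success echo, with an `else` that prints a warning to stderr. The same masking applies to `sudo systemctl enable --now apparmor.service || true`, where a failed enable is silent and only the later `/sys/module/apparmor/parameters/enabled` check hints at it. The printed boot hint uses `apparmor=1 security=apparmor`; as far as I know, current Arch guidance is an `lsm=` list that includes apparmor, and `security=` is ignored when `lsm=` is set, so the advice is worth confirming per distro before it is shown to users.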