-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinstall
executable file
·302 lines (254 loc) · 10.4 KB
/
install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
#!/bin/sh
set -e
#******************************************************************************
# Copyright (C) 2022-2025 Henrique Almeida <me@h3nc4.com>
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#******************************************************************************
# This script must be run by your user on a fresh Debian/Devuan net-install
# Preferrably, select no packages during the installation process
while getopts "odgvm:" opt; do
case "$opt" in
o) OPTIONALS=y ;;
d) DEVPACKS=y ;;
g) GAMES=y ;;
v) VIRTUALIZATION=y ;;
m) MIRROR="$OPTARG" ;;
*)
echo "Usage: $0 [-o] [-d] [-g] [-v] [-m <mirror>]"
exit 1
;;
esac
done
# If no mirror is provided, set a default
if command -v systemctl >/dev/null 2>&1 || [ "$(cat /proc/1/comm)" = "systemd" ]; then
ONSYSTEMD=y
MIRROR=${MIRROR:-"http://deb.debian.org/debian/"}
else
MIRROR=${MIRROR:-"http://deb.devuan.org/merged/"}
fi
# Test internet connection
ping -c 2 gnu.org >/dev/null 2>&1 || {
echo "No internet connection"
exit 1
}
# Check if the script is not being run as root
if [ "$(id -u)" -eq 0 ]; then
echo "Please run this script as your regular user."
exit 1
fi
# Check if 'install' exists in the current dir
[ -x "./install" ] || {
SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
cd "$SCRIPT_DIR" || {
echo "Failed to change dir to $SCRIPT_DIR"
exit 1
}
}
# Installs doas and ntp to ensure security updates
if [ "$AUTOMATED" != 'y' ]; then
OGUSER="$USER" su -c "$SCRIPT_DIR/dev/setup" || {
echo "Failed to setup the system"
exit 1
}
fi
echo "Setting up the system."
. config/env # Load environment variables
. config/profile.d/install # Load functions
export DEBIAN_FRONTEND=noninteractive
# Change debian to testing and add unstable to the sources
doas tee /etc/apt/sources.list >/dev/null <<EOF
deb $MIRROR stable main non-free-firmware
deb-src $MIRROR stable main non-free-firmware
deb $MIRROR testing main non-free-firmware
deb-src $MIRROR testing main non-free-firmware
deb $MIRROR unstable main non-free-firmware
deb-src $MIRROR unstable main non-free-firmware
EOF
# Lower the priority of unstable packages and keep firmware from stable
doas tee /etc/apt/preferences.d/unstable.pref >/dev/null <<'EOF'
Package: *
Pin: release a=testing
Pin-Priority: 990
Package: *
Pin: release a=unstable
Pin-Priority: 10
Package: firmware-amd-graphics firmware-misc-nonfree
Pin: release a=stable
Pin-Priority: 1001
EOF
# Do not install recommended packages automatically
doas tee /etc/apt/apt.conf.d/99norecommends >/dev/null <<EOF
APT::Install-Recommends "0";
APT::Install-Suggests "0";
EOF
# Update the system expecting no errors
doas apt-get update -qq || {
echo "Failed to update the system"
exit 1
}
# Full system upgrade and install necessary packages
doas apt-get full-upgrade wget apt-transport-https ca-certificates gnupg lsb-release -y --autoremove --purge || {
echo "Failed to upgrade the system"
exit 1
}
# Initialize xdg directories
mkdir -p "$XDG_CONFIG_HOME" "$XDG_DATA_HOME" "$XDG_CACHE_HOME"
doas chown -R "$USER:$USER" "$XDG_CONFIG_HOME" "$XDG_DATA_HOME" "$XDG_CACHE_HOME"
echo "hsts-file = $HOME/.cache/wget-hsts" >>"$WGETRC" # Set wget hsts file
touch "$HOME/.cache/wget-hsts"
if [ -n "$OPTIONALS" ]; then
# Signal setup
wget -qO- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | doas tee /etc/apt/keyrings/signal.gpg >/dev/null &&
echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/signal.gpg] https://updates.signal.org/desktop/apt xenial main' |
doas tee /etc/apt/sources.list.d/signal.list >/dev/null
# Brave setup
wget -qO- https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg | gpg --dearmor | doas tee /etc/apt/keyrings/brave.gpg >/dev/null &&
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/brave.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main" |
doas tee /etc/apt/sources.list.d/brave.list >/dev/null
fi
if [ -n "$DEVPACKS" ]; then
# Vscodium setup
wget -qO- https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg | gpg --dearmor | doas tee /etc/apt/keyrings/codium.gpg >/dev/null &&
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/codium.gpg] https://download.vscodium.com/debs vscodium main" |
doas tee /etc/apt/sources.list.d/vscodium.list >/dev/null
# Docker setup
wget -qO- https://download.docker.com/linux/debian/gpg | gpg --dearmor | doas tee /etc/apt/keyrings/docker.gpg >/dev/null &&
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable" |
doas tee /etc/apt/sources.list.d/docker.list >/dev/null
# Terraform setup
wget -qO- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | doas tee /etc/apt/keyrings/terraform.gpg >/dev/null &&
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/terraform.gpg] https://apt.releases.hashicorp.com bookworm main" |
doas tee /etc/apt/sources.list.d/terraform.list >/dev/null
fi
if [ -n "$GAMES" ]; then
# Add the non-free and contrib repositories and enable i386
doas sed -i 's/main/main contrib non-free/g' /etc/apt/sources.list
doas dpkg --add-architecture i386
fi
doas apt-get update -qq
echo "Installing packages. This will take a while."
# Install packages
awk -F, -v opt="$OPTIONALS" -v dev="$DEVPACKS" -v games="$GAMES" -v virt="$VIRTUALIZATION" '
$1 == "core" || ($1 == "opt" && opt == "y") || ($1 == "dev" && dev == "y") || ($1 == "games" && games == "y") || ($1 == "virt" && virt == "y") { print $2 }
' config/packages.csv | xargs doas apt-get install -y
echo "Configuring the system."
# Add user to necessary groups
doas usermod -aG tty,video,audio,disk,input "$USER"
doas apt-get update -qq & # Populate the command-not-found cache
pipx install yt-dlp bibverse >/dev/null 2>&1 & # Install python packages locally
# Kill spying on firefox
(
firefox -no-remote -headless -CreateProfile "me $HOME/.mozilla/firefox/me" >/dev/null 2>&1 &&
rm -rf "$HOME/.mozilla/firefox/me/"* &&
wget -qO- https://raw.githubusercontent.com/arkenfox/user.js/master/user.js >"$HOME/.mozilla/firefox/me/user.js"
) & # Since dwm will call firefox with "firefox -P me" profile.ini can remain unchanged
# Add keyring if not present
doas chown -R "$USER:$USER" "$GNUPGHOME"
find "$GNUPGHOME" -type d -print0 | xargs -0 chmod 700
find "$GNUPGHOME" -type f -print0 | xargs -0 chmod 600
gpg --list-keys >/dev/null # Gen default files if not present already
yes 'n' | weavekeys >/dev/null 2>&1
# Install builds on my repos
weave dwm &
weave st &
weave dmenu &
weave sxac &
# Setup Nerdfonts
{
mkdir -p "$HOME/.cache" "$HOME/.local/bin" "$HOME/.local/share/fonts"
{
wget -qO- "https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Hack.tar.xz" |
tar -xJ -C "$HOME/.local/share/fonts"
} &
{
wget -qO- "https://github.com/ryanoasis/nerd-fonts/releases/latest/download/Terminus.tar.xz " |
tar -xJ -C "$HOME/.local/share/fonts"
} &
wait
mkfontscale "$HOME/.local/share/fonts" &&
mkfontdir "$HOME/.local/share/fonts" &&
fc-cache -fv >/dev/null &&
echo "Hack Nerd Font has been installed"
} &
# Apply various configurations
dev/config
# Remove beeping noise in tty and others
doas sed -i 's/# set bell-style none/set bell-style none/g' /etc/inputrc
echo "blacklist pcspkr" | doas tee /etc/modprobe.d/blacklist.conf >/dev/null
# Remove login messages
doas rm -f /etc/motd /etc/issue /etc/issue.net >/dev/null 2>&1
# Decrypt multiple partitions with the same key
if [ -f /etc/crypttab ]; then
# Hook to fix cryptsetup-initramfs not updating /etc/crypttab in initramfs
doas tee /etc/initramfs-tools/hooks/fix_multiple >/dev/null <<EOF
#!/bin/sh
cp /etc/crypttab \${DESTDIR}/cryptroot/crypttab
exit 0
EOF
doas chmod +x /etc/initramfs-tools/hooks/fix_multiple
grep -q ",initramfs,keyscript=decrypt_keyctl" /etc/crypttab >/dev/null 2>&1 ||
doas sed -i 's/$/,initramfs,keyscript=decrypt_keyctl/g' /etc/crypttab &&
doas update-initramfs -u
fi
if [ -n "$DEVPACKS" ]; then
# Docker
doas usermod -aG docker "$USER"
# Setup initial postgres user and database for development
doas su - postgres -c "psql -c \"CREATE USER dev WITH SUPERUSER PASSWORD 'dev';\""
doas su - postgres -c "createdb dev"
doas su - postgres -c "psql -c \"grant all privileges on database dev to dev;\""
# Create data dir on vscodium
CODIUM_DATA_DIR="$(dirname "$(readlink -f /usr/bin/codium)")/../data"
doas mkdir -p "$CODIUM_DATA_DIR"
doas chown "$USER:$USER" "$CODIUM_DATA_DIR"
# Disable services that are not needed at all times
if [ -n "$ONSYSTEMD" ]; then
doas systemctl disable --now docker.socket
doas systemctl disable --now docker containerd postgresql
fi
fi
if [ -n "$OPTIONALS" ] && [ -n "$ONSYSTEMD" ]; then
doas systemctl disable --now bluetooth # Disable bluetooth service
fi
if [ -n "$VIRTUALIZATION" ]; then
doas virsh net-start default
doas virsh net-autostart default
doas usermod -aG libvirt "$USER"
doas usermod -aG libvirt-qemu "$USER"
doas usermod -aG kvm "$USER"
doas usermod -aG input "$USER"
echo 'firewall_backend = "iptables"' >/etc/libvirt/network.conf # Use iptables as backend
# Disable services that are not needed at all times
if [ -n "$ONSYSTEMD" ]; then
doas systemctl disable --now libvirtd-ro.socket libvirtd.socket libvirtd-admin.socket virtlogd.socket virtlogd-admin.socket
doas systemctl disable --now libvirtd libvirt-guests virtlogd polkit
fi
fi
# Enable autologin for ttys
if [ -n "$ONSYSTEMD" ]; then
for _tty in $(seq 1 6); do # Systemd
doas mkdir -p "/etc/systemd/system/getty@tty$_tty.service.d/"
doas tee "/etc/systemd/system/getty@tty$_tty.service.d/override.conf" >/dev/null <<EOF
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin $USER --noclear %I \$TERM
EOF
done
if [ "$(cat /proc/1/comm)" = "systemd" ]; then
doas systemctl daemon-reload
fi
else
doas sed -i "s|38400 \(tty[1-6]\)|--autologin $USER 38400 \1|" /etc/inittab # Sysvinit
fi
doas setcap cap_net_raw+p /bin/ping # Allow non root users to ping
wait # Wait for all background processes to finish
rm -rf dwm st dmenu # Remove git repos