@shurizzle
Last active October 1, 2023 16:09
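#!/usr/bin/env bash
# -e aborts on the first failing command; -x traces every command to stderr.
set -ex

# Temporary paths registered by the steps below; removed when the script exits.
declare -a TO_DELETE=()

#######################################
# Remove every path registered in TO_DELETE.
# Globals:   TO_DELETE (read)
# Arguments: none
# Returns:   0 when nothing is registered, otherwise rm's exit status
#######################################
cleanup() {
  # Nothing registered: skip rm instead of invoking it with no operands.
  if (( ${#TO_DELETE[@]} == 0 )); then
    return 0
  fi
  # "--" ends option parsing, so a registered path can never be read as a flag
  # by a command that runs with -rf.
  rm -rf -- "${TO_DELETE[@]}"
}

# Run on every exit path, including the early exit that `set -e` triggers.
trap cleanup EXIT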
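# Privilege-escalation prefix for commands that need root: empty when the
# script already runs as root, "sudo" otherwise.
sudo=
# Root is identified by UID 0. The earlier test compared the primary GID
# (`id -g`), which does not decide whether escalation is required.
if [ "$(id -u)" != 0 ]; then
  sudo=sudo
fi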
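#######################################
# Upgrade the system, install the build toolchain, and build the paru AUR
# helper from its AUR repository when it is not installed yet.
# Globals:   sudo (read), TO_DELETE (appended), PARUBUILD (written)
# Arguments: none
# Returns:   non-zero if a step fails (the script aborts under `set -e`)
#######################################
install_paru() {
  $sudo pacman -Syu
  $sudo pacman -S archlinux-keyring autoconf automake binutils bison debugedit \
    fakeroot file findutils flex gawk gcc gettext grep groff libtool m4 \
    make patch pkgconf sed texinfo which git sudo gzip
  # `command -v` is a shell builtin, so this check does not depend on the
  # external `which` binary being present.
  if ! command -v paru >/dev/null 2>&1; then
    # makepkg refuses to run as root; stop with a clear message instead of
    # failing halfway through the build.
    if [ "$(id -u)" = 0 ]; then
      printf '%s\n' 'install_paru: makepkg cannot run as root; run this script as a regular user' >&2
      return 1
    fi
    PARUBUILD="$(mktemp -d)"
    # Registered so the EXIT trap removes the build tree even on failure.
    TO_DELETE+=("$PARUBUILD")
    # NOTE(review): makepkg executes the cloned PKGBUILD as-is. Nothing here
    # pins a commit or inspects the PKGBUILD before it runs; review it (or pin
    # a known commit) if this is used on a machine that matters.
    git clone https://aur.archlinux.org/paru.git "$PARUBUILD/paru"
    # Build in a subshell so the caller's working directory is left untouched.
    (
      cd "$PARUBUILD/paru"
      makepkg -s
    )
    $sudo pacman -U "$PARUBUILD"/paru/paru-*.pkg.tar.zst
  fi
}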
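#######################################
# Install fonts and base CLI tools, make neovim the system vi, enable sshd,
# and replace sudo with pleaser (please/pleaseedit).
# Globals:   sudo (read)
# Arguments: none
# Returns:   non-zero if a step fails (the script aborts under `set -e`)
#######################################
essentials() {
  paru -S adobe-source-code-pro-fonts cantarell-fonts noto-fonts \
    noto-fonts-cjk noto-fonts-emoji otf-ipafont ttf-baekmuk \
    otf-commit-mono ttf-liberation ttf-nerd-fonts-symbols-common
  paru -S git neovim ripgrep git-delta eza bat bfs fzf jq bottom gping \
    openssh man-db man-pages zsh topgrade pigz-gzip-symlink
  paru -Rs vim vi
  paru -S neovim-vim-compat
  # `command -v` is a builtin; no dependency on the external `which`.
  $sudo ln -s "$(command -v nvim)" /sbin/vi
  $sudo systemctl enable sshd
  if pacman -Qi sudo >/dev/null 2>&1; then
    if ! pacman -Qi pleaser >/dev/null 2>&1; then
      paru -S pleaser
      # Harmless if the package already ships the directory.
      $sudo mkdir -p /etc/please.d
      # NOTE(review): each rule below uses rule=.*, i.e. it matches every
      # command. The "sudo" and "admin" rules apply to any group with that
      # name, so creating such a group later hands its members full root.
      # Drop the ones this machine does not use.
      cat <<'EOF' | $sudo tee /etc/please.d/wheel.ini >/dev/null
[wheel_group_run]
exact_name=wheel
group=true
type=run
permit=true
require_pass=true
rule=.*
EOF
      cat <<'EOF' | $sudo tee /etc/please.d/sudo.ini >/dev/null
[sudo_group_run]
exact_name=sudo
group=true
type=run
permit=true
require_pass=true
rule=.*
EOF
      cat <<'EOF' | $sudo tee /etc/please.d/admin.ini >/dev/null
[admin_group_run]
exact_name=admin
group=true
type=run
permit=true
require_pass=true
rule=.*
EOF
      # root may run anything without a password prompt.
      cat <<'EOF' | $sudo tee /etc/please.d/root.ini >/dev/null
[root_user_run]
exact_name=root
group=false
type=run
permit=true
require_pass=false
rule=.*
EOF
      $sudo chmod 0600 /etc/please.d/{wheel,sudo,admin,root}.ini
    fi
    # Prove that please can escalate for the current user BEFORE sudo is
    # removed; if the rules do not match, `set -e` stops here and the machine
    # still has a working sudo.
    please true
    $sudo pacman -Rs sudo
    # From here on "sudo" resolves to the please symlink created below.
    please ln -s "$(command -v please)" /usr/bin/sudo
    please ln -s "$(command -v pleaseedit)" /usr/bin/sudoedit
    $sudo rm -f /etc/sudoers.pacsave
  fi
}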
#######################################
# Replace ~/.config/nvim with a fresh clone of the neovimmizzle repository.
# Any existing ~/.config/nvim is deleted first, without a backup.
# Arguments: none
#######################################
config_neovim() {
  local nvim_dir
  nvim_dir=~/.config/nvim
  mkdir -p ~/.config
  rm -rf "$nvim_dir"
  # Cloned over SSH, so a GitHub SSH key must already be available.
  git clone git@github.com:shurizzle/neovimmizzle.git "$nvim_dir"
}
#######################################
# Clone the zshrc repository (with submodules) into ~/.zsh and link its
# zshrc as ~/.zshrc.
# Arguments: none
#######################################
config_zsh() {
  local zsh_dir
  zsh_dir=~/.zsh
  # Cloned over SSH, so a GitHub SSH key must already be available.
  git clone --recursive git@github.com:shurizzle/zshrc.git "$zsh_dir"
  # Plain `ln -s`: fails (and aborts under `set -e`) if ~/.zshrc exists.
  ln -s "$zsh_dir/zshrc" ~/.zshrc
}
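#######################################
# Write the per-user fontconfig aliases (sans-serif, system-ui, monospace,
# emoji) and rebuild the font cache.
# Arguments: none
# Outputs:   ~/.config/fontconfig/fonts.conf (overwritten)
#######################################
config_fonts() {
  # The redirect below fails when the directory is missing, which is the
  # normal state on a fresh account, so create it first.
  mkdir -p ~/.config/fontconfig
  cat <<'EOF' >~/.config/fontconfig/fonts.conf
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
<alias>
<family>sans-serif</family>
<prefer>
<family>Noto Sans</family>
</prefer>
</alias>
<alias>
<family>system-ui</family>
<prefer>
<family>Noto Sans</family>
</prefer>
</alias>
<alias>
<family>monospace</family>
<prefer>
<family>CommitMono</family>
<family>Hack Nerd Font Mono</family>
</prefer>
</alias>
<alias>
<family>emoji</family>
<prefer>
<family>Noto Color Emoji</family>
</prefer>
</alias>
</fontconfig>
EOF
  fc-cache -r
}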
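#######################################
# Install the desktop/system package set, switch to the linux-zen kernel, and
# set up Secure Boot signing with sbctl. The sbctl key directory
# (/usr/share/secureboot) lives inside a LUKS-encrypted image at
# /boot/secure.img that is only opened while signing.
# Globals:   sudo (read)
# Arguments: none
# Returns:   non-zero if a step fails (the script aborts under `set -e`)
#######################################
install_system() {
  paru -S acpid wezterm btrfs-progs celluloid cronie cups docker docker-compose dog efibootmgr feh firefox foomatic-db-engine foomatic-db-nonfree-ppds foomatic-db-ppds gdm git github-cli gnome-control-center mutter-dynamic-buffering gnome-shell gnome-themes-extra xdg-desktop-portal xdg-desktop-portal-gnome pop-launcher-git extension-manager gnome-shell-extension-forge gnome-shell-extension-appindicator gnome-tweaks ibus intel-ucode irqbalance mpv neofetch networkmanager nss-mdns ntfs-3g ntp nvidia pavucontrol pipewire-pulse pkgconf quickemu rustup sl strace tmux tokei touche touchegg traceroute ufw usbutils v4l2loopback-dkms wget which xclip xdg-user-dirs xdg-utils xsel yt-dlp zip zsh tlp tlp-rdw sbctl zathura zathura-cb zathura-pdf-mupdf rar sshfs alsa-scarlett-gui alsa-utils adwaita-qt5 adwaita-qt6 qpwgraph linux-zen linux-zen-headers gnome-browser-connector
  paru -S speech-dispatcher espeak-ng
  paru -Rs linux linux-headers
  # noauto: the key volume is mounted on demand, never at boot.
  echo '/dev/mapper/secure /usr/share/secureboot ext4 rw,relatime,noauto 0 0' | $sudo tee -a /etc/fstab >/dev/null
  $sudo mkdir -p /etc/pacman.d/hooks /etc/initcpio/post
  # A hook file pointing at /dev/null overrides the packaged hook of the same
  # name; signing is done by the initcpio post script below instead.
  $sudo ln -s /dev/null /etc/pacman.d/hooks/zz-sbctl.hook
  cat <<'EOF' | $sudo tee /etc/pacman.d/hooks/90-mkinitcpio-dkms-linux.hook >/dev/null
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Package
Target = nvidia
Target = nvidia-beta
Target = nvidia-open
Target = nvidia-lts
Target = nvidia-340xx
Target = nvidia-340xx-lts
Target = nvidia-dkms
Target = nvidia-*-dkms
Target = linux
Target = linux-zen
Target = intel-ucode
Target = amd-ucode
Target = v4l2loopback-dkms
Target = broadcom-wl-dkms
[Action]
Description = Update dkms modules in Linux initcpio
Depends = mkinitcpio
When = PostTransaction
NeedsTargets
Exec = /bin/sh -c 'while read -r trg; do case $trg in linux) exit 0;; linux-zen) exit 0;; esac; done; /usr/bin/mkinitcpio -P'
EOF
  # Runs after each initcpio build: opens the encrypted key image (asking for
  # the passphrase on /dev/tty), mounts it, and regenerates signed bundles.
  cat <<'EOF' | $sudo tee /etc/initcpio/post/uki-sbsign >/dev/null
#!/bin/sh
set -eu
if ! test -e /dev/mapper/secure; then
echo -e \\a
(tput cnorm cvvis; cryptsetup luksOpen /boot/secure.img secure; tput civis) < /dev/tty >/dev/tty 2>/dev/tty
if ! test -e /dev/mapper/secure; then
exit 1
fi
fi
if ! mountpoint /usr/share/secureboot > /dev/null 2> /dev/null; then
mount /usr/share/secureboot
fi
sbctl generate-bundles -s
EOF
  $sudo chmod +x /etc/initcpio/post/uki-sbsign
  # NOTE(review): on a re-run this reuses an existing /boot/secure.img and
  # luksFormat below would destroy the keys stored in it; cryptsetup asks for
  # confirmation, so read that prompt before answering.
  $sudo fallocate -l 100M /boot/secure.img
  local LOOPDEV
  # Attaching a loop device needs root like the cryptsetup calls that follow.
  # --find --show allocates and attaches in one step, so the device cannot be
  # taken by something else between "find a free one" and "attach".
  LOOPDEV="$($sudo losetup --find --show /boot/secure.img)"
  $sudo cryptsetup luksFormat "$LOOPDEV"
  $sudo cryptsetup luksOpen "$LOOPDEV" secure
  $sudo mkfs.ext4 -L secureboot /dev/mapper/secure
  # mount needs the mount point to exist; creating it is a no-op when the
  # sbctl package already provides it.
  $sudo mkdir -p /usr/share/secureboot
  $sudo mount /usr/share/secureboot
  if ! test -f /etc/kernel/cmdline; then
    # A plain `>` redirect would be opened by the unprivileged shell and fail;
    # write through tee so the file is created with root privileges.
    $sudo mkdir -p /etc/kernel
    $sudo tee /etc/kernel/cmdline </proc/cmdline >/dev/null
  fi
  $sudo sbctl create-keys
  # -m also enrolls Microsoft's certificates next to the freshly created keys.
  $sudo sbctl enroll-keys -m
  # Bundles for the stock kernel, kept for reference:
  # sudo sbctl bundle -s -i /boot/intel-ucode.img \
  # -l /usr/share/systemd/bootctl/splash-arch.bmp \
  # -k /boot/vmlinuz-linux \
  # -f /boot/initramfs-linux.img \
  # -c /etc/kernel/cmdline \
  # -o /usr/lib/os-release \
  # /efi/linux.efi
  #
  # sudo sbctl bundle -s -i /boot/intel-ucode.img \
  # -l /usr/share/systemd/bootctl/splash-arch.bmp \
  # -k /boot/vmlinuz-linux \
  # -f /boot/initramfs-linux-fallback.img \
  # -c /etc/kernel/cmdline \
  # -o /usr/lib/os-release \
  # /efi/linux-fallback.efi
  $sudo sbctl bundle -s -i /boot/intel-ucode.img \
    -l /usr/share/systemd/bootctl/splash-arch.bmp \
    -k /boot/vmlinuz-linux-zen \
    -f /boot/initramfs-linux-zen.img \
    -c /etc/kernel/cmdline \
    -o /usr/lib/os-release \
    /efi/linux.efi
  $sudo sbctl bundle -s -i /boot/intel-ucode.img \
    -l /usr/share/systemd/bootctl/splash-arch.bmp \
    -k /boot/vmlinuz-linux-zen \
    -f /boot/initramfs-linux-zen-fallback.img \
    -c /etc/kernel/cmdline \
    -o /usr/lib/os-release \
    /efi/linux-fallback.efi
  $sudo sbctl sign-all -g
  # Close the key volume again so the signing keys are not left readable.
  $sudo umount /usr/share/secureboot
  $sudo cryptsetup luksClose secure
  $sudo losetup -d "$LOOPDEV"
  # linux/linux-headers were already removed near the top of this function.
  # Removing them again unconditionally fails with "target not found" and,
  # under `set -e`, aborts before the Qt profile below is written. Only remove
  # what is still installed.
  local pkg
  local -a leftover=()
  for pkg in linux linux-headers; do
    if pacman -Qq "$pkg" >/dev/null 2>&1; then
      leftover+=("$pkg")
    fi
  done
  if (( ${#leftover[@]} > 0 )); then
    $sudo pacman -Rs "${leftover[@]}"
  fi
  printf 'QT_STYLE_OVERRIDE=adwaita-dark\nexport QT_STYLE_OVERRIDE\n' | $sudo tee -a /etc/profile.d/qt.sh
  $sudo chmod 0644 /etc/profile.d/qt.sh
}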
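#######################################
# Download, install and enable a fixed list of GNOME Shell extensions from
# extensions.gnome.org, then make sure the forge extension is enabled too.
# Globals:   TO_DELETE (appended)
# Arguments: none
# Returns:   1 when no usable version tag is found for an extension;
#            otherwise non-zero if a step fails (abort under `set -e`)
#######################################
install_gnome_exts() {
  local i VERSION_TAG workdir archive
  # Download into a private temp directory rather than a predictable file
  # name in whatever the current directory happens to be.
  workdir="$(mktemp -d)"
  TO_DELETE+=("$workdir")
  for i in \
    caffeine@patapon.info \
    gsconnect@andyholmes.github.io \
    status-area-horizontal-spacing@mathematical.coffee.gmail.com \
    Vitals@CoreCoding.com \
    x11gestures@joseexposito.github.io; do
    # NOTE(review): the first search hit is taken as the extension; nothing
    # checks that it is really the UUID that was searched for.
    VERSION_TAG="$(curl -Lfs "https://extensions.gnome.org/extension-query/?search=${i}" \
      | jq '.extensions[0] | .shell_version_map | map(.pk) | max')"
    # An empty reply or "null" would otherwise be pasted into the download
    # URL; only a plain number is accepted.
    if ! [[ "$VERSION_TAG" =~ ^[0-9]+$ ]]; then
      printf 'install_gnome_exts: no numeric version tag for %s (got: %s)\n' "$i" "$VERSION_TAG" >&2
      return 1
    fi
    archive="${workdir}/${i}.zip"
    wget -O "$archive" "https://extensions.gnome.org/download-extension/${i}.shell-extension.zip?version_tag=$VERSION_TAG"
    gnome-extensions install --force "$archive"
    # -F -x: compare the UUID literally and against the whole line, so the
    # dots are not regex wildcards and a longer UUID does not match.
    if ! gnome-extensions list | grep --quiet -F -x -- "${i}"; then
      busctl --user call org.gnome.Shell.Extensions /org/gnome/Shell/Extensions org.gnome.Shell.Extensions InstallRemoteExtension s "${i}"
    fi
    gnome-extensions enable "${i}"
    rm -f -- "$archive"
  done
  if ! gnome-extensions list | grep --quiet -F -x -- forge@jmmaranan.com; then
    busctl --user call org.gnome.Shell.Extensions /org/gnome/Shell/Extensions org.gnome.Shell.Extensions InstallRemoteExtension s forge@jmmaranan.com
  fi
  gnome-extensions enable forge@jmmaranan.com
}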
#######################################
# Write system-wide configuration (nsswitch, a snd_usb_audio module option,
# ufw application profiles, ibus environment), enable the system services,
# and switch the firewall on.
# Globals:   sudo (read)
# Arguments: none
# Returns:   non-zero if a step fails (the script aborts under `set -e`)
#######################################
configure_system() {
  local unit profile

  # The previous nsswitch.conf is kept as .bak (overwriting an older .bak).
  $sudo mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
  cat <<'EOF' | $sudo tee /etc/nsswitch.conf >/dev/null
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.
passwd: files systemd
group: files [SUCCESS=merge] systemd
shadow: files systemd
gshadow: files systemd
publickey: files
hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
EOF
  cat <<'EOF' | $sudo tee /etc/modprobe.d/scarlett.conf >/dev/null
options snd_usb_audio vid=0x1235 pid=0x8203 device_setup=1
EOF

  # ufw application profiles referenced by the allow rules further down.
  cat <<'EOF' | $sudo tee /etc/ufw/applications.d/ufw-kdeconnect >/dev/null
[KDEConnect]
title=KDEConnect
description=KDE Connect protocol
ports=1714:1764/udp|1714:1764/tcp
EOF
  cat <<'EOF' | $sudo tee /etc/ufw/applications.d/ufw-avahi >/dev/null
[Avahi]
title=Avahi
description=Avahi protocol
ports=5353/udp
EOF
  cat <<'EOF' | $sudo tee /etc/ufw/applications.d/ufw-spotify >/dev/null
[Spotify]
title=Spotify
description=Spotify P2P communication
ports=57621/udp
EOF
  # Unlike the files above, tee's stdout is not discarded here, so the file
  # content is also echoed to the terminal.
  cat <<'EOF' | $sudo tee /etc/profile.d/ibus.sh
export GTK_IM_MODULE=ibus
export XMODIFIERS=@im=ibus
export QT_IM_MODULE=ibus
export SDL_IM_MODULE=ibus
export GLFW_IM_MODULE=ibus
EOF

  $sudo systemctl disable systemd-resolved
  # One `systemctl enable` call per unit, in this order, so a failure stops
  # at the unit that caused it.
  for unit in \
    avahi-daemon avahi-dnsconfd acpid ntpd cups gdm NetworkManager bluetooth \
    ufw nvidia-hibernate nvidia-persistenced nvidia-resume nvidia-suspend \
    irqbalance lm_sensors touchegg tlp NetworkManager-dispatcher \
    alsa-restore alsa-state; do
    $sudo systemctl enable "$unit"
  done
  $sudo systemctl mask systemd-rfkill.service systemd-rfkill.socket

  # Firewall: default deny, rate-limited SSH, then the allowed profiles.
  $sudo ufw default deny
  $sudo ufw limit SSH
  for profile in Avahi Spotify KDEConnect; do
    $sudo ufw allow "$profile"
  done
  $sudo ufw enable
}
#######################################
# Create and enable the per-user systemd services (lemonade, ibus,
# pop-launcher), enable wireplumber, add user "shura" to a list of groups,
# and install two gh extensions plus a git alias.
# Globals:   sudo (read), HOME (read)
# Arguments: none
#######################################
systemd_user() {
  local unit_dir="${HOME}/.config/systemd/user"
  local unit

  mkdir -p "$unit_dir"
  cat <<'EOF' >"$unit_dir/lemonade.service"
[Unit]
Description=Lemonade server
[Service]
ExecStart=/sbin/lemonade server
[Install]
WantedBy=graphical-session.target
EOF
  cat <<'EOF' >"$unit_dir/ibus.service"
[Unit]
Description=IBus Daemon
[Service]
ExecStart=/sbin/ibus-daemon -x
[Install]
WantedBy=graphical-session.target
EOF
  cat <<'EOF' >"$unit_dir/pop-launcher.service"
[Unit]
Description=Pop!_OS Launcher
[Service]
ExecStart=/sbin/pop-launcher
[Install]
WantedBy=graphical-session.target
EOF

  for unit in ibus lemonade pop-launcher wireplumber; do
    systemctl --user enable "$unit"
  done

  # NOTE(review): the account name is hard-coded. Membership in "docker" and
  # "disk" is effectively root-equivalent (container control, raw block
  # device access), independent of the wheel rule; trim the list to what the
  # account really needs.
  $sudo usermod -a -G log,proc,games,lock,dbus,network,power,cups,docker,avahi,video,uucp,storage,kvm,input,disk,audio,wheel shura

  gh extension install mislav/gh-license
  gh extension install dlvhdr/gh-dash
  git config --global alias.co checkout
}
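#######################################
# Create a "guest" account with an empty password whose home is a tmpfs that
# GDM mounts at login and unmounts at logout, and let members of the guest
# group pass GDM password authentication without a password.
# Globals:   sudo (read)
# Arguments: none
# Returns:   non-zero if a step fails (the script aborts under `set -e`)
#
# NOTE(review): the account has an empty password, and this script enables
# sshd elsewhere. The PAM rule added below only covers gdm-password; keep
# empty-password logins refused in sshd and consider whether local `su guest`
# is acceptable on this machine.
#######################################
add_guest() {
  # Use the same escalation prefix as the rest of the script instead of a
  # literal `sudo`, so this also works when the script runs as root.
  $sudo groupadd guest
  $sudo useradd -g guest -d /home/guest -p "$(openssl passwd '')" guest
  # NOTE(review): the tmpfs has no size limit and no nosuid/nodev options.
  echo 'tmpfs /home/guest tmpfs rw,relatime,noauto 0 0' \
    | $sudo tee -a /etc/fstab >/dev/null
  # PostLogin: give guest a fresh, empty home seeded from /etc/skel.
  # `cp -R /etc/skel/.` copies every entry including dot-directories; the
  # former `cp /etc/skel/.*` glob also matched "." and ".." and, without -R,
  # skipped every directory.
  cat <<'EOF' | $sudo tee /etc/gdm/PostLogin/Default >/dev/null
#!/bin/sh
if [ "$USER" = guest ]; then
umount /home/guest >/dev/null 2>/dev/null
mkdir /home/guest
mount /home/guest
cp -R /etc/skel/. /home/guest
chown -R guest:guest /home/guest
fi
exit 0
EOF
  # PostSession: unmounting the tmpfs discards everything guest wrote.
  cat <<'EOF' | $sudo tee /etc/gdm/PostSession/Default >/dev/null
#!/bin/sh
if [ "$USER" = guest ]; then
umount /home/guest
fi
exit 0
EOF
  $sudo chmod 755 /etc/gdm/Post{Login,Session}/Default
  local pam
  local guest_rule='auth sufficient pam_succeed_if.so user ingroup guest'
  # Insert the rule once: a second run would otherwise stack duplicates.
  if ! grep -qF -- "$guest_rule" /etc/pam.d/gdm-password; then
    # New content is built completely before tee truncates the file:
    # first original line, a blank line, the guest rule, then the rest.
    pam="$(
      head -1 /etc/pam.d/gdm-password
      echo
      echo "$guest_rule"
      tail -n+2 /etc/pam.d/gdm-password
    )"
    # Command substitution strips the trailing newline; put it back so the
    # last PAM line stays newline-terminated.
    printf '%s\n' "$pam" | $sudo tee /etc/pam.d/gdm-password >/dev/null
  fi
}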