From 9107b9961a98ed1aaceaa68cf3fd4f50ad9f42ce Mon Sep 17 00:00:00 2001 
From: The_miro Date: Fri, 26 Jun 2026 18:27:04 +0200 Subject: [PATCH] fix(installer): root-owned ~/.config, wrong logging path, flatpak system scope MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Diagnosed from a full guided-install log plus a Hyprland startup log. Three distinct remaining failures: 1. ~/.config left root-owned. The FIDO/Yubico setup runs `mkdir -p ~/.config/Yubico` as root (creating ~/.config itself), then chowned only Yubico/. ~/.config stayed root-owned, so every later user step failed with EACCES: shell-setup symlinks (starship.toml), the mail/caldav systemd --user timers, and Hyprland creating ~/.config/hypr at startup. Chown the whole ~/.config in both Yubico spots, and defensively reclaim it in shell-setup. 2. python/wprs/plymouth/zfs sourced ../lib/logging.sh, but apps/ modules need ../../lib — so they aborted with "No such file or directory". Corrected. 3. Flatpak app modules ran `flatpak install -y` at system scope, which needs the Flatpak SystemHelper D-Bus service + polkit (unavailable in a chroot/TTY install) — the "The name is not activatable" failures (wireshark, xournal, rnote, firefox-browser, …). Switch ensure_flatpak and all 19 main-flow installs to --user scope, matching apply_flatpak_theme's --user overrides. 
Co-Authored-By: Claude Opus 4.8 --- setup/archbaseos-guided-install.sh | 10 ++++++++-- setup/modules/lib/logging.sh | 15 +++++++++------ setup/modules/optional-Modules/apps/ardour.sh | 2 +- setup/modules/optional-Modules/apps/audacity.sh | 2 +- .../optional-Modules/apps/blender-povray.sh | 2 +- setup/modules/optional-Modules/apps/chromium.sh | 2 +- .../optional-Modules/apps/firefox-browser.sh | 2 +- setup/modules/optional-Modules/apps/obsidian.sh | 2 +- setup/modules/optional-Modules/apps/plymouth.sh | 2 +- setup/modules/optional-Modules/apps/prism.sh | 2 +- setup/modules/optional-Modules/apps/python.sh | 2 +- setup/modules/optional-Modules/apps/rdp-client.sh | 2 +- setup/modules/optional-Modules/apps/rnote.sh | 2 +- setup/modules/optional-Modules/apps/shotcut.sh | 2 +- setup/modules/optional-Modules/apps/steam.sh | 2 +- setup/modules/optional-Modules/apps/stuntrally.sh | 2 +- .../optional-Modules/apps/tangent-notes.sh | 2 +- setup/modules/optional-Modules/apps/vesktop.sh | 2 +- setup/modules/optional-Modules/apps/vscodium.sh | 2 +- setup/modules/optional-Modules/apps/wireshark.sh | 2 +- setup/modules/optional-Modules/apps/wprs.sh | 2 +- setup/modules/optional-Modules/apps/xournal.sh | 2 +- setup/modules/optional-Modules/apps/zed-ide.sh | 2 +- .../modules/optional-Modules/apps/zen-browser.sh | 2 +- setup/modules/optional-Modules/apps/zfs.sh | 2 +- setup/modules/shell-setup.sh | 10 ++++++++++ 26 files changed, 50 insertions(+), 31 deletions(-) diff --git a/setup/archbaseos-guided-install.sh b/setup/archbaseos-guided-install.sh index 310746c..d4294d0 100755 --- a/setup/archbaseos-guided-install.sh +++ b/setup/archbaseos-guided-install.sh 
@@ -504,8 +504,12 @@ grub-mkconfig -o /boot/grub/grub.cfg # User login FIDO2 — directory + PAM only; key enrollment happens outside chroot if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then # Create the Yubico config dir that pam_u2f expects for the u2f_keys file. + # `mkdir -p` here creates ~/.config itself as root, so chown the whole tree + # (not just Yubico/) — otherwise ~/.config stays root-owned and every later + # user-level step (shell-setup symlinks, systemd --user timers, Hyprland's + # own ~/.config/hypr) fails with "Permission denied". mkdir -p "/home/$USERNAME/.config/Yubico" - chown "$USERNAME:$USERNAME" "/home/$USERNAME/.config/Yubico" + chown -R "$USERNAME:$USERNAME" "/home/$USERNAME/.config" # `cue` option: pam_u2f prints a prompt so the user knows to touch the key. echo "auth required pam_u2f.so cue" >> /etc/pam.d/system-local-login fi @@ -525,7 +529,9 @@ if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then # the live environment may have different /etc/passwd entries. _NEWUID=$(arch-chroot /mnt id -u "$USERNAME" 2>/dev/null || echo "1000") _NEWGID=$(arch-chroot /mnt id -g "$USERNAME" 2>/dev/null || echo "1000") - chown -R "$_NEWUID:$_NEWGID" "/mnt/home/${USERNAME}/.config/Yubico" + # chown the whole ~/.config tree: the mkdir above created ~/.config as root, + # so reclaiming only Yubico/ would leave ~/.config itself root-owned. + chown -R "$_NEWUID:$_NEWGID" "/mnt/home/${USERNAME}/.config" # 600: only the owning user can read or write the key file. chmod 600 "$U2F_KEYFILE" echo "FIDO2 key enrolled for $USERNAME." diff --git a/setup/modules/lib/logging.sh b/setup/modules/lib/logging.sh index 2e14004..c6907e4 100644 --- a/setup/modules/lib/logging.sh +++ b/setup/modules/lib/logging.sh 
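Review bot: In the first hunk of setup/archbaseos-guided-install.sh (@@ -504), the directory is still created as root and then handed over with a recursive chown, and `"$USERNAME:$USERNAME"` assumes the user's primary group has the same name as the user. Creating both directories with the right owner in one step removes the root-owned window and the need for `-R`: `install -d -o "$USERNAME" -g "$(id -gn "$USERNAME")" "/home/$USERNAME/.config" "/home/$USERNAME/.config/Yubico"`. If anything else already exists under ~/.config at this point, the recursive form also re-owns it, so the narrower command is the safer default.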
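Review bot: In the second hunk of setup/archbaseos-guided-install.sh (@@ -525), the widened `chown -R` applies `_NEWUID`/`_NEWGID` to the whole ~/.config tree, and the context lines above let both values fall back silently to `1000` when `arch-chroot /mnt id` fails. The old Yubico/-only chown already carried that guess for the key directory; the new one extends it to every file under ~/.config, including (presumably) the u2f key file that decides who can authenticate. I would drop the `|| echo "1000"` fallbacks and fail loudly before the chown, e.g. `[[ -n "$_NEWUID" && -n "$_NEWGID" ]] || { echo "cannot resolve uid/gid for $USERNAME" >&2; exit 1; }`. The enclosing `if` block starts and ends outside the hunk.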
@@ -58,12 +58,15 @@ ensure_flatpak() { log "Installing flatpak..." sudo pacman -S --noconfirm --needed flatpak fi - # Check if the flathub remote is already configured to avoid duplicate remotes. - # flatpak remotes lists configured remotes; grep filters for 'flathub'. - if ! flatpak remotes 2>/dev/null | grep -q flathub; then - log "Adding Flathub remote..." - # --if-not-exists is redundant given the check above, but adds safety - flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + # Add the Flathub remote at --user scope. A system-scope remote (and the + # matching `flatpak install` below) needs the org.freedesktop.Flatpak + # SystemHelper D-Bus service + polkit, which are not activatable in a chroot + # or bare-TTY install — that is the "The name is not activatable" failure. + # User scope needs neither, so it works during install and is the right place + # for per-user app installs anyway (apply_flatpak_theme already uses --user). + if ! flatpak remotes --user 2>/dev/null | grep -q flathub; then + log "Adding Flathub remote (user)..." + flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo fi } diff --git a/setup/modules/optional-Modules/apps/ardour.sh b/setup/modules/optional-Modules/apps/ardour.sh index e238cab..7a4fc68 100755 --- a/setup/modules/optional-Modules/apps/ardour.sh +++ b/setup/modules/optional-Modules/apps/ardour.sh @@ -25,7 +25,7 @@ ensure_flatpak # Install Ardour from the Flathub repository. # -y skips the interactive confirmation prompt so the script is non-interactive. -flatpak install -y flathub org.ardour.Ardour +flatpak install --user -y flathub org.ardour.Ardour # apply_flatpak_theme: applies the cyberqueer GTK theme override so Ardour's # GTK widgets match the rest of the desktop, rather than using the Flatpak diff --git a/setup/modules/optional-Modules/apps/audacity.sh b/setup/modules/optional-Modules/apps/audacity.sh index 772ef4f..30fd0c8 100755 
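Review bot: In ensure_flatpak (setup/modules/lib/logging.sh), the guard `grep -q flathub` matches any line of the remote listing that merely contains that substring, so a user remote named, say, flathub-beta would make the function skip adding the real one. Since `remote-add` already carries `--if-not-exists`, the check is redundant; calling `flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo` unconditionally is both simpler and exact. The new comment should also say that `--user` resolves against the invoking account, so a module run as root or under sudo would presumably install into that account's per-user installation rather than the target user's. The function starts outside the hunk.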
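Review bot: The `--user` scope is now repeated literally in the install line of 19 module scripts (this ardour.sh hunk and the matching one-line hunks from audacity.sh through zen-browser.sh), so the next scope change is another 19-file edit in which a missed file goes unnoticed. A small helper in lib/logging.sh next to ensure_flatpak, e.g. `install_flatpak_app() { flatpak install --user -y flathub "$1"; }`, would keep the scope decision in one place. The comment should also record the trade-off: user-scope apps live under the user's home (by default `~/.local/share/flatpak`) and can be modified by any process running as that user, whereas a system install is gated by polkit.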
--- a/setup/modules/optional-Modules/apps/audacity.sh +++ b/setup/modules/optional-Modules/apps/audacity.sh @@ -22,7 +22,7 @@ log "Installing Audacity (Flatpak)..." ensure_flatpak # Install from Flathub. -y suppresses the interactive confirmation. -flatpak install -y flathub org.audacityteam.Audacity +flatpak install --user -y flathub org.audacityteam.Audacity # apply_flatpak_theme: injects the cyberqueer GTK theme into Audacity's # Flatpak environment so it renders consistently with the rest of the desktop. diff --git a/setup/modules/optional-Modules/apps/blender-povray.sh b/setup/modules/optional-Modules/apps/blender-povray.sh index 4356b33..af17f2f 100755 --- a/setup/modules/optional-Modules/apps/blender-povray.sh +++ b/setup/modules/optional-Modules/apps/blender-povray.sh @@ -29,7 +29,7 @@ ensure_flatpak # Install Blender from Flathub. The Flatpak edition ships its own Python, # CUDA/HIP compute libraries, and codec support pre-bundled, avoiding # dependency conflicts with the system Python or GPU driver packages. -flatpak install -y flathub org.blender.Blender +flatpak install --user -y flathub org.blender.Blender # apply_flatpak_theme: sets the cyberqueer GTK theme for Blender's dialogs # (the main 3D viewport uses its own renderer, but file choosers and system diff --git a/setup/modules/optional-Modules/apps/chromium.sh b/setup/modules/optional-Modules/apps/chromium.sh index 7d2afbe..3cfc80e 100755 --- a/setup/modules/optional-Modules/apps/chromium.sh +++ b/setup/modules/optional-Modules/apps/chromium.sh @@ -24,7 +24,7 @@ log "Installing Chromium (Flatpak)..." ensure_flatpak # Install Chromium from Flathub. -y skips the confirmation prompt. -flatpak install -y flathub org.chromium.Chromium +flatpak install --user -y flathub org.chromium.Chromium # apply_flatpak_theme: applies the cyberqueer GTK theme so Chromium's file # dialogs and context menus match the rest of the desktop. 
diff --git a/setup/modules/optional-Modules/apps/firefox-browser.sh b/setup/modules/optional-Modules/apps/firefox-browser.sh index cdec509..17514e7 100755 --- a/setup/modules/optional-Modules/apps/firefox-browser.sh +++ b/setup/modules/optional-Modules/apps/firefox-browser.sh @@ -26,7 +26,7 @@ log "Installing Firefox (Flatpak)..." ensure_flatpak # Install from Flathub. -y skips interactive confirmation. -flatpak install -y flathub org.mozilla.firefox +flatpak install --user -y flathub org.mozilla.firefox # apply_flatpak_theme: injects the cyberqueer GTK theme so Firefox's native # file-open dialogs and context menus match the rest of the desktop. diff --git a/setup/modules/optional-Modules/apps/obsidian.sh b/setup/modules/optional-Modules/apps/obsidian.sh index 334584a..4fefd4e 100755 --- a/setup/modules/optional-Modules/apps/obsidian.sh +++ b/setup/modules/optional-Modules/apps/obsidian.sh @@ -4,7 +4,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Obsidian (Flatpak)..." ensure_flatpak -flatpak install -y flathub md.obsidian.Obsidian +flatpak install --user -y flathub md.obsidian.Obsidian apply_flatpak_theme "md.obsidian.Obsidian" log "Obsidian installed." diff --git a/setup/modules/optional-Modules/apps/plymouth.sh b/setup/modules/optional-Modules/apps/plymouth.sh index 09229c6..d92af94 100644 --- a/setup/modules/optional-Modules/apps/plymouth.sh +++ b/setup/modules/optional-Modules/apps/plymouth.sh @@ -28,7 +28,7 @@ # 9. Regenerate GRUB config and initramfs set -euo pipefail -source "$(dirname "${BASH_SOURCE[0]}")/../lib/logging.sh" +source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" THEME_DIR="/usr/share/plymouth/themes/m-archy" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" diff --git a/setup/modules/optional-Modules/apps/prism.sh b/setup/modules/optional-Modules/apps/prism.sh index 1d51fc0..65d23e8 100755 --- a/setup/modules/optional-Modules/apps/prism.sh +++ b/setup/modules/optional-Modules/apps/prism.sh 
@@ -8,6 +8,6 @@ log "Installing PrismLauncher (Flatpak)..." # PrismLauncher is a Minecraft launcher that manages multiple instances and Java versions. # The Flatpak edition bundles its own Java runtimes, avoiding system JDK conflicts. # -y: non-interactive, auto-approve all prompts. -flatpak install -y flathub org.prismlauncher.PrismLauncher +flatpak install --user -y flathub org.prismlauncher.PrismLauncher apply_flatpak_theme "org.prismlauncher.PrismLauncher" log "PrismLauncher installed." diff --git a/setup/modules/optional-Modules/apps/python.sh b/setup/modules/optional-Modules/apps/python.sh index 210696c..87736ca 100755 --- a/setup/modules/optional-Modules/apps/python.sh +++ b/setup/modules/optional-Modules/apps/python.sh @@ -3,7 +3,7 @@ set -euo pipefail # Path climbs one level (/../) because this optional module lives in a # subdirectory; logging.sh is in modules/lib/ relative to modules/. -source "$(dirname "${BASH_SOURCE[0]}")/../lib/logging.sh" +source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" # Install the Python ecosystem needed for neovim LSP support and scripting: # python — base interpreter (3.x) diff --git a/setup/modules/optional-Modules/apps/rdp-client.sh b/setup/modules/optional-Modules/apps/rdp-client.sh index a037660..7d597bc 100755 --- a/setup/modules/optional-Modules/apps/rdp-client.sh +++ b/setup/modules/optional-Modules/apps/rdp-client.sh @@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Remmina (Flatpak)..." ensure_flatpak -flatpak install -y flathub org.remmina.Remmina +flatpak install --user -y flathub org.remmina.Remmina apply_flatpak_theme "org.remmina.Remmina" log "Remmina installed." diff --git a/setup/modules/optional-Modules/apps/rnote.sh b/setup/modules/optional-Modules/apps/rnote.sh index ef8c59f..38185f6 100755 --- a/setup/modules/optional-Modules/apps/rnote.sh +++ b/setup/modules/optional-Modules/apps/rnote.sh 
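Review bot: In the python.sh hunk, the context comment directly above the corrected `source` line still says `Path climbs one level (/../)`, which now contradicts the `../../lib/logging.sh` path and describes the very mistake this commit fixes. Update it together with the path, e.g. `# Path climbs two levels (../../): apps/ -> optional-Modules/ -> modules/, where lib/logging.sh lives.` Left as is, the comment invites the next edit to "correct" the path back to the broken form.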
@@ -4,7 +4,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Rnote (Flatpak)..." ensure_flatpak -flatpak install -y flathub com.github.flxzt.rnote +flatpak install --user -y flathub com.github.flxzt.rnote apply_flatpak_theme "com.github.flxzt.rnote" log "Rnote installed." diff --git a/setup/modules/optional-Modules/apps/shotcut.sh b/setup/modules/optional-Modules/apps/shotcut.sh index 32603f2..75b34b9 100755 --- a/setup/modules/optional-Modules/apps/shotcut.sh +++ b/setup/modules/optional-Modules/apps/shotcut.sh @@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Shotcut (Flatpak)..." ensure_flatpak -flatpak install -y flathub org.shotcut.Shotcut +flatpak install --user -y flathub org.shotcut.Shotcut apply_flatpak_theme "org.shotcut.Shotcut" log "Shotcut installed." diff --git a/setup/modules/optional-Modules/apps/steam.sh b/setup/modules/optional-Modules/apps/steam.sh index 8b730c8..9ea193f 100755 --- a/setup/modules/optional-Modules/apps/steam.sh +++ b/setup/modules/optional-Modules/apps/steam.sh @@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Steam (Flatpak)..." ensure_flatpak -flatpak install -y flathub com.valvesoftware.Steam +flatpak install --user -y flathub com.valvesoftware.Steam apply_flatpak_theme "com.valvesoftware.Steam" log "Steam installed." diff --git a/setup/modules/optional-Modules/apps/stuntrally.sh b/setup/modules/optional-Modules/apps/stuntrally.sh index 494275b..246b3ce 100755 --- a/setup/modules/optional-Modules/apps/stuntrally.sh +++ b/setup/modules/optional-Modules/apps/stuntrally.sh @@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Stunt Rally (Flatpak)..." ensure_flatpak -flatpak install -y flathub io.github.stuntrally.StuntRally3 +flatpak install --user -y flathub io.github.stuntrally.StuntRally3 apply_flatpak_theme "io.github.stuntrally.StuntRally3" log "Stunt Rally installed." 
diff --git a/setup/modules/optional-Modules/apps/tangent-notes.sh b/setup/modules/optional-Modules/apps/tangent-notes.sh index 91e1502..f39d6f7 100755 --- a/setup/modules/optional-Modules/apps/tangent-notes.sh +++ b/setup/modules/optional-Modules/apps/tangent-notes.sh @@ -4,7 +4,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Tangent Notes (Flatpak)..." ensure_flatpak -flatpak install -y flathub io.github.suchnsuch.Tangent +flatpak install --user -y flathub io.github.suchnsuch.Tangent apply_flatpak_theme "io.github.suchnsuch.Tangent" log "Tangent Notes installed." diff --git a/setup/modules/optional-Modules/apps/vesktop.sh b/setup/modules/optional-Modules/apps/vesktop.sh index 4ea10d3..549b0ca 100755 --- a/setup/modules/optional-Modules/apps/vesktop.sh +++ b/setup/modules/optional-Modules/apps/vesktop.sh @@ -4,7 +4,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Vesktop (Flatpak)..." ensure_flatpak -flatpak install -y flathub dev.vencord.Vesktop +flatpak install --user -y flathub dev.vencord.Vesktop apply_flatpak_theme "dev.vencord.Vesktop" log "Deploying Vencord config..." diff --git a/setup/modules/optional-Modules/apps/vscodium.sh b/setup/modules/optional-Modules/apps/vscodium.sh index fa5eccd..42243d9 100755 --- a/setup/modules/optional-Modules/apps/vscodium.sh +++ b/setup/modules/optional-Modules/apps/vscodium.sh @@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing VSCodium (Flatpak)..." ensure_flatpak -flatpak install -y flathub com.vscodium.codium +flatpak install --user -y flathub com.vscodium.codium apply_flatpak_theme "com.vscodium.codium" log "VSCodium installed." diff --git a/setup/modules/optional-Modules/apps/wireshark.sh b/setup/modules/optional-Modules/apps/wireshark.sh index 0d10f59..d9d565e 100755 --- a/setup/modules/optional-Modules/apps/wireshark.sh +++ b/setup/modules/optional-Modules/apps/wireshark.sh 
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Wireshark (Flatpak)..." ensure_flatpak -flatpak install -y flathub org.wireshark.Wireshark +flatpak install --user -y flathub org.wireshark.Wireshark apply_flatpak_theme "org.wireshark.Wireshark" log "Wireshark installed." diff --git a/setup/modules/optional-Modules/apps/wprs.sh b/setup/modules/optional-Modules/apps/wprs.sh index 831abf0..8a1c2dc 100755 --- a/setup/modules/optional-Modules/apps/wprs.sh +++ b/setup/modules/optional-Modules/apps/wprs.sh @@ -1,7 +1,7 @@ #!/bin/bash # set -euo pipefail: abort on errors, unset vars, and pipeline failures. set -euo pipefail -source "$(dirname "${BASH_SOURCE[0]}")/../lib/logging.sh" +source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" # wprs (Wayland Proxy for Remote Sessions) allows running Wayland compositors # inside an existing Wayland session — useful for nested/remote desktop setups. diff --git a/setup/modules/optional-Modules/apps/xournal.sh b/setup/modules/optional-Modules/apps/xournal.sh index 3d1aabc..d58f626 100755 --- a/setup/modules/optional-Modules/apps/xournal.sh +++ b/setup/modules/optional-Modules/apps/xournal.sh @@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Xournal++ (Flatpak)..." ensure_flatpak -flatpak install -y flathub com.github.xournalpp.xournalpp +flatpak install --user -y flathub com.github.xournalpp.xournalpp apply_flatpak_theme "com.github.xournalpp.xournalpp" log "Xournal++ installed." diff --git a/setup/modules/optional-Modules/apps/zed-ide.sh b/setup/modules/optional-Modules/apps/zed-ide.sh index 336b25a..6aa037d 100755 --- a/setup/modules/optional-Modules/apps/zed-ide.sh +++ b/setup/modules/optional-Modules/apps/zed-ide.sh 
@@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Zed editor (Flatpak)..." ensure_flatpak -flatpak install -y flathub dev.zed.Zed +flatpak install --user -y flathub dev.zed.Zed apply_flatpak_theme "dev.zed.Zed" log "Zed editor installed." diff --git a/setup/modules/optional-Modules/apps/zen-browser.sh b/setup/modules/optional-Modules/apps/zen-browser.sh index ec6577f..8ff3bf7 100755 --- a/setup/modules/optional-Modules/apps/zen-browser.sh +++ b/setup/modules/optional-Modules/apps/zen-browser.sh @@ -4,6 +4,6 @@ source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" log "Installing Zen Browser (Flatpak)..." ensure_flatpak -flatpak install -y flathub io.github.zen_browser.zen +flatpak install --user -y flathub io.github.zen_browser.zen apply_flatpak_theme "io.github.zen_browser.zen" log "Zen Browser installed." diff --git a/setup/modules/optional-Modules/apps/zfs.sh b/setup/modules/optional-Modules/apps/zfs.sh index f9c90ea..e243f41 100755 --- a/setup/modules/optional-Modules/apps/zfs.sh +++ b/setup/modules/optional-Modules/apps/zfs.sh @@ -1,7 +1,7 @@ #!/bin/bash # set -euo pipefail: abort on errors, unset vars, and pipeline failures. set -euo pipefail -source "$(dirname "${BASH_SOURCE[0]}")/../lib/logging.sh" +source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh" # zfs-dkms is AUR-only because the ZFS on Linux licence is GPL-incompatible # and cannot be shipped in the official Arch repos. diff --git a/setup/modules/shell-setup.sh b/setup/modules/shell-setup.sh index 089be82..f1fcf2b 100755 --- a/setup/modules/shell-setup.sh +++ b/setup/modules/shell-setup.sh 
@@ -150,6 +150,16 @@ git config --global core.editor nvim log "Deploying dotfiles..." mkdir -p ~/.config ~/Pictures +# Defensive: an earlier root/sudo step (e.g. the installer creating +# ~/.config/Yubico for FIDO before the user-level config exists) can leave +# ~/.config owned by root. `mkdir -p` above won't fix that, and every symlink +# below would then fail with "Permission denied". If ~/.config isn't writable by +# us, reclaim the whole tree. Non-fatal so it never blocks the rest of setup. +if [[ -e "$HOME/.config" && ! -w "$HOME/.config" ]]; then + warn "~/.config is not writable — reclaiming ownership for $(id -un)..." + sudo chown -R "$(id -un):$(id -gn)" "$HOME/.config" 2>/dev/null || true +fi + # Shell init files — symlink so edits in the repo apply immediately ln -sf ~/Dotfiles/.bashrc ~/.bashrc ln -sf ~/Dotfiles/.zshrc ~/.zshrc
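Review bot: In the shell-setup.sh hunk, `sudo chown -R … 2>/dev/null || true` discards both the error text and the exit status, so when the reclaim fails the only visible symptom is the later "Permission denied" from the symlink steps this block is meant to prevent. Keep it non-fatal but report it: `sudo chown -R "$(id -un):$(id -gn)" "$HOME/.config" || warn "could not reclaim ~/.config; dotfile symlinks below will fail"`. The `-w` test also looks only at ~/.config itself, so root-owned subdirectories under a user-owned ~/.config would not be caught, which deserves a sentence in the comment. `warn` is assumed to come from lib/logging.sh; its definition is not visible in this hunk.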