The temporary setup drop-in granted `NOPASSWD: ALL`, which covers `sudo <cmd>`
but NOT `sudo -v`. Installers run by the TUI (starship, rustup, …) call `sudo -v`
to pre-authorise, and that check still demands a password whenever the user has
any password-required sudoers entry — which they do, via the wheel rule in
10-wheel. The result was a hidden `[sudo] password for <user>:` prompt that
stalled the otherwise-unattended module install.
Add `Defaults:<user> !authenticate` to the 99-setup-nopasswd drop-in (in both
the auto and guided installers) so the auth check is skipped entirely for the
setup user; `sudo -v` and `sudo <cmd>` are now both passwordless during setup.
Verified live in a VM: `sudo -nv` for the user went from "a password is required"
to rc=0 after adding the line.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01R5kHioUMK3mtf2eiLEozCM
Previously the user password (and the LUKS passphrase for encrypted installs)
were always prompted interactively, so an answerfile install could never be
fully hands-free. Add optional "password" and "luks_password" answerfile fields:
- arch-autoinstall.sh: read both via af_get; when present use them (chpasswd /
cryptsetup --key-file=- with --batch-mode and stdin-piped luksAddKey auth),
otherwise fall back to the interactive prompt. Empty/null/absent => prompt.
- generate-answerfile.sh: replace the "passwords are never stored" notice with
an optional confirmed-entry password prompt (and a LUKS one when encryption is
enabled); emit both as JSON (null when declined).
Secrets stored this way are plain text in the file (and world-readable once
embedded in an ISO) — documented in the header; decline to keep prompting.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01R5kHioUMK3mtf2eiLEozCM
The base installers granted wheel sudo with `echo '%wheel ... ALL' >> /etc/sudoers`.
Because the stock sudoers ends with `@includedir /etc/sudoers.d`, that appended
rule is parsed AFTER the drop-ins, and since sudo applies the last matching rule,
it overrode the temporary 99-setup-nopasswd NOPASSWD rule — so the user had to
re-enter their password on every pacman/yay/flatpak call while the TUI installed
modules.
Grant wheel via /etc/sudoers.d/10-wheel instead, which sorts before
99-setup-nopasswd so NOPASSWD wins during the TUI run and password auth resumes
once the temp file is removed. Also guard that @includedir is present (so the
drop-ins are always read) and set both drop-ins to the canonical 0440 mode.
Applied to both archbaseos-guided-install.sh and arch-autoinstall.sh.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
#2 — Word-boundary match for all module patterns
Generator now pads SELECTED_APPS with spaces and uses *" id "* in
counters, summary, and dispatch, matching the conflict fix from #1.
plymouth-custom no longer false-triggers any plymouth check.
#3 — Guided installer now runs tui-install.sh
archbaseos-guided-install.sh was calling simple-install.sh; both
paths now use the full TUI (sentinel-managed, modules.conf-driven).
#4 — EFI/boot partition size unified at 10 GiB
arch-autoinstall.sh was 15 GiB, archbaseos-guided-install.sh was
5 GiB. Both now use 10 GiB.
#5 — Interactive retry for dotfiles clone (guided installer)
Clone moved outside the chroot heredoc so read() reaches the terminal.
Loops until success or the user skips; AF_MODE warns and continues.
#6 — PAM target unified on system-local-login
archbaseos-guided-install.sh was writing to system-auth (affects
sudo). Both installers now target system-local-login only.
#7 — Redundant second clone removed from autoinstaller
arch-autoinstall.sh had a second git clone inside the chroot as a
fallback that collided with the skel copy and printed a spurious
warning. Removed; skel-only approach matches the guided installer
(last updated). Also removed the individual .zshrc/.bashrc/.vimrc
cp block; aligned to the guided installer's cleaner skel structure.
#8 — Docs: remove stale plymouth core-module section
docs/md/modules.md still described plymouth under Core Modules.
Section removed; plymouth appears in Optional Applications (system
category) via the generated sentinel.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Problem: every module installs its config into the running user's ~/.config, but
/etc/skel was never updated afterwards. Any additional user created with
`useradd -m` later would get an empty home directory with no configs at all —
they would have to manually copy or re-run setup.
Solution: at the end of both TUI installer scripts (after every module and the
colorway step have finished), copy the fully-configured user's home into
/etc/skel so that it becomes the template for all future users.
How it works — tui-install.sh + simple-install.sh (identical block in both):
The block runs AFTER the last run_module call and AFTER apply-theme.sh, so
the snapshot is taken when the home directory is in its final state. It copies:
~/.config/ → /etc/skel/.config/ (all app configs, DE configs, etc.)
~/.themes/ → /etc/skel/.themes/ (GTK themes, including cyberqueer)
~/.zshrc → /etc/skel/.zshrc
~/.bashrc → /etc/skel/.bashrc
~/.vimrc → /etc/skel/.vimrc
Each copy is guarded ([[ -d ]] / [[ -f ]]) so missing files are silently
skipped rather than erroring. sudo is used because /etc/skel is root-owned
but the installer runs as the normal user.
arch-autoinstall.sh + archbaseos-guided-install.sh (chroot-phase changes):
The previous version tried to cherry-pick specific subdirectories from the
Dotfiles repo clone (hypr/, niri/, waybar/, etc.) using a long list of cp
commands. This was brittle — any new module that installs to ~/.config was
not automatically captured, and the list had to be manually maintained.
Replaced with a minimal block that only copies the three shell dotfiles
(.zshrc, .bashrc, .vimrc) from the repo clone into /etc/skel. This is
sufficient for the first user created during installation (useradd -m runs
immediately after, before any modules). The full ~/.config sync above then
takes over for all subsequent users after the modules have run.
arch-autoinstall.sh additionally had the skel setup moved to before the
useradd -m call (was missing entirely before) so even the first user gets
the shell dotfiles, with a fallback direct-clone path if the skel clone fails.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nmtui is not available on the archiso live environment; direct users to
iwctl (WiFi) or ethernet instead, and pause for input before re-checking.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
tui-install.sh: dialog height=40 apps checklist and height=24 confirm
dialog both exceeded the standard 24-row VT console, causing dialog to
exit with code 1 and silently skip all apps. Make both heights
terminal-adaptive via tput lines/cols. Also extend the EXIT trap to
reset the terminal so Ctrl-C during a dialog doesn't leave the console
in raw/no-echo mode.
arch-autoinstall.sh, archbaseos-guided-install.sh: add a ping 1.1.1.1
check early in both scripts. In interactive mode, launches nmtui if
offline, then re-checks; prompts to abort if still down. Answerfile
mode logs a warning and continues.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove -s flag from read so the password is visible while typing,
enabling piped input to work visibly on the ISO installer.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On any ERR, both installers now trap the failure, log the line/exit
code, and pop a dialog yes/no asking whether to send the log to another
system via croc. Falls back to a plain read prompt if dialog is absent.
Added dialog and croc to packages.extra so they are present in the live ISO.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add full session logging (tee to logfile) to archbaseos-guided-install.sh,
matching the pattern already in arch-autoinstall.sh; copy log to /mnt/boot/
at the end so it survives into the new system
- Add part() helper to both installers so NVMe/eMMC drives use the correct
'p' separator (e.g. /dev/nvme0n1p1 instead of the broken /dev/nvme0n11)
- Add disk size guard to arch-autoinstall.sh: fail early with a clear message
if ROOT_GIB would be < 8GiB instead of passing a nonsense value to parted
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
arch-autoinstall.sh was missing the keymap handling added to the guided
installer in the previous two commits, so booting the ISO in auto mode
(answerfile embedded) never called loadkeys and left the installed system
with no /etc/vconsole.conf.
- Add the same KEYMAPS array + selection logic to arch-autoinstall.sh
(AF mode reads .keymap, interactive mode prompts)
- Call loadkeys and export KEYMAP into the chroot
- Write /etc/vconsole.conf inside the chroot
- Add keymap dialog to generate-answerfile.sh so the field is populated
- Document .keymap in the arch-autoinstall.sh answerfile field list
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Both arch-autoinstall.sh and archbaseos-guided-install.sh now ask
whether to enable disk encryption. If skipped, btrfs is formatted
directly on the root partition with an appropriate plain GRUB cmdline
(root=UUID=... rootflags=subvol=@).
When encryption is chosen, a 64-byte random key is generated, enrolled
as a second LUKS keyslot, and written to /_LUKS_BACKUP_KEY inside the
new system (mode 400, root-owned, inside the encrypted container).
Also fixes: duplicate 'encrypt' hook in original mkinitcpio HOOKS
strings, missing KERNEL export into arch-autoinstall chroot heredoc.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add setup/archiso/ with build.sh, releng overlay, motd, and
install-arch launcher command for the live ISO
- Fix cryptroot mapper name in arch-autoinstall.sh (was 'root',
breaking all subsequent mounts)
- Add base-devel to pacstrap in both installers (required for yay/makepkg)
- Clone dotfiles inside chroot so tui-install.sh is available immediately
- After base install, offer to run tui-install.sh as the regular user
inside the chroot via runuser, with a temporary NOPASSWD sudoers rule;
skip option available for base-only installs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
