author | Elizabeth Hunt <me@liz.coffee> | 2025-07-20 22:08:30 -0700 |
---|---|---|
committer | Elizabeth Hunt <me@liz.coffee> | 2025-07-20 22:08:30 -0700 |
commit | d41dcde0556c425a959961c47db7aa1044182a84 (patch) | |
tree | fb00321acc11472373087eaf69415748b6fbd389 | |
parent | dbad03a65449c798ac8bccaf806dbdef8a360689 (diff) | |
download | archinstall-d41dcde0556c425a959961c47db7aa1044182a84.tar.gz archinstall-d41dcde0556c425a959961c47db7aa1044182a84.zip |
Updates
-rw-r--r-- | README.md | 17 | ||||
-rw-r--r-- | aur.py | 63 | ||||
-rw-r--r-- | fs/etc/kanidm/config | 3 | ||||
-rw-r--r-- | fs/etc/kanidm/unixd | 13 | ||||
-rw-r--r-- | fs/etc/nsswitch.conf | 17 | ||||
-rw-r--r-- | fs/etc/pam.d/system-auth | 28 | ||||
-rw-r--r-- | fs/etc/ssh/sshd_config | 30 | ||||
-rw-r--r-- | setup_kanidm.sh | 56 | ||||
-rw-r--r-- | user_configuration.json | 15 |
9 files changed, 120 insertions, 122 deletions
@@ -1,19 +1,4 @@ ``` -sudo pacman -S base-devel - -cd /tmp -git clone https://github.com/archlinux/archinstall - -python3 -m venv .venv -source .venv/bin/activate -pip3 install . - -cd - - archinstall --config user_configration.json --plugin aur.py --verbose - +cp -r fs/etc/* /etc ``` - -1. fillout disk configuration -2. fillout disk encryption -3. fill out hostname @@ -11,12 +11,7 @@ __version__ = 0.4 SUDOERS_FMT = "etc/sudoers.d/{user}" -class PipelineStep: - def cleanup(self): - pass - - -class PackageClassifier(PipelineStep): +class PackageClassifier: def split(self, packages): aur, std = [], [] for pkg in packages: @@ -33,7 +28,7 @@ class PackageClassifier(PipelineStep): return std, aur -class UserManager(PipelineStep): +class UserManager: def __init__(self, user: str, mount_location: Path, installation): self.user = user self.mount_location = mount_location @@ -43,6 +38,12 @@ class UserManager(PipelineStep): def _run_chroot(self, command): return self.installation.arch_chroot(command, run_as=self.user) + def _sudoers(self): + return self.mount_location / f"etc/sudoers.d/{self.user}" + + def _home(self): + return self.mount_location / f"home/{self.user}" + def create(self): if self.user_created: return @@ -52,8 +53,7 @@ class UserManager(PipelineStep): ) self.installation.add_additional_packages(["fakeroot", "base-devel"]) - sudoers_path = self.mount_location / SUDOERS_FMT.format(user=self.user) - sudoers_path.write_text(f"{self.user} ALL=(ALL:ALL) NOPASSWD: ALL\n") + self._sudoers().write_text(f"{self.user} ALL=(ALL:ALL) NOPASSWD: ALL\n") password = archinstall.lib.models.users.Password(plaintext="somethingrandom") user = archinstall.lib.models.users.User( 
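Review bot: The rule written by `self._sudoers().write_text(f"{self.user} ALL=(ALL:ALL) NOPASSWD: ALL\n")` gives the build user unrestricted passwordless root on the target system, far more than a makepkg helper needs; if the user only ever runs makepkg with `--syncdeps`, limit it to the one binary, `self._sudoers().write_text(f"{self.user} ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman\n")`, and follow it with `self._sudoers().chmod(0o440)` so the file carries the mode sudoers(5) recommends instead of whatever the umask yields. The unchanged line below it still creates the account with the fixed password `"somethingrandom"`; the account is removed again in cleanup, but until then it is a known-password account with full sudo inside the new root, so a locked password or `secrets.token_urlsafe(32)` would be safer. `create` continues outside the hunk.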
@@ -61,8 +61,7 @@ class UserManager(PipelineStep): ) self.installation.create_users([user]) - home_path = self.mount_location / "home" / self.user - home_path.mkdir(parents=True, exist_ok=True) + self._home().mkdir(parents=True, exist_ok=True) self.installation.arch_chroot( f"/usr/bin/chown {self.user}:{self.user} /home/{self.user}" ) @@ -81,14 +80,12 @@ class UserManager(PipelineStep): pass self.installation.arch_chroot(f"/usr/bin/userdel {self.user}") - shutil.rmtree(self.mount_location / f"home/{self.user}", ignore_errors=True) - (self.mount_location / SUDOERS_FMT.format(user=self.user)).unlink( - missing_ok=True - ) + shutil.rmtree(self._home(), ignore_errors=True) + self._sudoers.unlink(missing_ok=True) self.user_created = False -class PackageDownloader(PipelineStep): +class PackageDownloader: def __init__(self, user: str, mount_location: Path, installation): self.user = user self.mount_location = mount_location @@ -124,13 +121,8 @@ class PackageDownloader(PipelineStep): await asyncio.gather(*(sem_task(pkg) for pkg in packages)) - def cleanup(self): - for pkg in self.downloaded: - tar_path = self.mount_location / "home" / self.user / f"{pkg}.tar.gz" - tar_path.unlink(missing_ok=True) - -class PackageInstaller(PipelineStep): +class PackageInstaller: def __init__(self, user: str, mount_location: Path, installation): self.user = user self.mount_location = mount_location 
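Review bot: `self._sudoers.unlink(missing_ok=True)` references the helper without calling it, so every cleanup raises `AttributeError: 'function' object has no attribute 'unlink'`; the line must be `self._sudoers().unlink(missing_ok=True)`, as `self._home()` is called on the line above. Because the exception fires after `userdel` and the `rmtree` of the home directory but before `self.user_created = False`, the `NOPASSWD: ALL` entry in `/etc/sudoers.d/` is left behind in the installed system and the error propagates out of `on_pacstrap`. A stale `packagebuilder ALL=(ALL:ALL) NOPASSWD: ALL` becomes live again the moment any account of that name is created. `cleanup`'s header is outside the hunk.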
@@ -173,28 +165,12 @@ class PackageInstaller(PipelineStep): ) return -# packages = list(build_dir.glob("*.tar.zst")) -# if not packages: -# archinstall.log( -# f"No built packages found for {package}", level=logging.ERROR, fg="red" -# ) -# return -# -# self._run( -# f"/usr/bin/pacman --noconfirm -U /home/{self.user}/{package}/{packages[0].name}" -# ) -# self.installed.append(package) self.installed_dirs.append(build_dir) - def cleanup(self): - for build_dir in self.installed_dirs: - shutil.rmtree(build_dir, ignore_errors=True) - self.installed_dirs.clear() - class Plugin: def __init__(self): - self.user = os.getenv("AUR_USER", "aoffline_usr") + self.user = os.getenv("AUR_USER", "packagebuilder") self.lazy_initd = False def _lazy_init(self): @@ -210,11 +186,6 @@ class Plugin: ) self.lazy_initd = True - """ - TODO: - Use the nobody account to run makepkg. - Clone the AUR repo, chown it to nobody, then use sudo -u nobody makepkg to build it. - """ def on_pacstrap(self, packages: list[str]) -> list[str]: if not self.lazy_initd: self._lazy_init() @@ -224,12 +195,12 @@ class Plugin: return std self.usermgr.create() + asyncio.run(self.downloader.download(aur)) for pkg in self.downloader.downloaded: self.installer.install(pkg) - for step in reversed([self.installer, self.downloader, self.usermgr]): - step.cleanup() + self.usermgr.cleanup() return std diff --git a/fs/etc/kanidm/config b/fs/etc/kanidm/config new file mode 100644 index 0000000..c1d7951 --- /dev/null +++ b/fs/etc/kanidm/config @@ -0,0 +1,3 @@ +uri = "https://idm.liz.coffee" +verify_ca = true +verify_hostnames = true diff --git a/fs/etc/kanidm/unixd b/fs/etc/kanidm/unixd new file mode 100644 index 0000000..5a81dc3 --- /dev/null +++ b/fs/etc/kanidm/unixd @@ -0,0 +1,13 @@ +version = '2' + +default_shell = '/bin/zsh' + +home_attr = 'uuid' +home_alias = 'name' +home_prefix = '/home/' + +uid_attr_map = 'name' +gid_attr_mao = 'name' + +[kanidm] +pam_allowed_login_groups = ['unixers'] 
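Review bot: `gid_attr_mao = 'name'` in fs/etc/kanidm/unixd is a typo for `gid_attr_map`; depending on how strictly kanidm-unixd parses its config the key is either rejected at startup or silently ignored, in which case GIDs fall back to the default attribute and no longer follow the `uid_attr_map = 'name'` scheme on the line above. Fix: `gid_attr_map = 'name'`. The deleted setup_kanidm.sh also carried a `[[kanidm.map_group]]` block (local `admins` with `coffee_admins`) and a matching `%admins ALL=(ALL:ALL) ALL` sudo rule; neither reappears in this file or elsewhere under fs/etc, so if dropping sudo for IDM admins was not intended, the mapping and a `fs/etc/sudoers.d/admins` (mode 0440) need to come back.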
diff --git a/fs/etc/nsswitch.conf b/fs/etc/nsswitch.conf new file mode 100644 index 0000000..67c95b5 --- /dev/null +++ b/fs/etc/nsswitch.conf @@ -0,0 +1,17 @@ +passwd: kanidm files systemd +group: kanidm files systemd + +shadow: files systemd +gshadow: files systemd + +publickey: files + +hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns +networks: files + +protocols: files +services: files +ethers: files +rpc: files + +netgroup: files diff --git a/fs/etc/pam.d/system-auth b/fs/etc/pam.d/system-auth new file mode 100644 index 0000000..82b2f52 --- /dev/null +++ b/fs/etc/pam.d/system-auth @@ -0,0 +1,28 @@ +#%PAM-1.0 + +auth required pam_faillock.so preauth +auth sufficient pam_kanidm.so +-auth [success=2 default=ignore] pam_systemd_home.so +auth [success=1 default=bad] pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail +auth optional pam_permit.so +auth required pam_env.so +auth required pam_faillock.so authsucc + +account sufficient pam_kanidm.so +-account [success=1 default=ignore] pam_systemd_home.so +account required pam_unix.so +account optional pam_permit.so +account required pam_time.so + +password sufficient pam_kanidm.so +-password [success=1 default=ignore] pam_systemd_home.so +password required pam_unix.so try_first_pass shadow +password optional pam_permit.so + +-session optional pam_systemd_home.so +session required pam_limits.so +session required pam_unix.so +session optional pam_kanidm.so +session optional pam_permit.so + diff --git a/fs/etc/ssh/sshd_config b/fs/etc/ssh/sshd_config new file mode 100644 index 0000000..dec99a1 --- /dev/null +++ b/fs/etc/ssh/sshd_config 
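Review bot: `auth sufficient pam_kanidm.so` terminates the auth stack on success, so for Kanidm users the trailing `auth required pam_faillock.so authsucc` never runs and their faillock tally is never reset; failures accumulate across sessions until `deny` is reached and the account locks despite correct logins in between. Use a jump that lands on the same `pam_permit.so` line the `pam_systemd_home.so` entry jumps to, so the stack still reaches `authsucc`: `auth [success=3 default=ignore] pam_kanidm.so ignore_unknown_user` (the `ignore_unknown_user` option is what the Kanidm PAM documentation uses so local-only accounts such as root fall through to pam_unix cleanly — confirm it is accepted by the installed pam_kanidm). The same `sufficient` on the `account` line makes Kanidm users skip `pam_time.so`, which is fine only if no time restrictions are intended.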
@@ -0,0 +1,30 @@ +Include /etc/ssh/sshd_config.d/*.conf + +Port 22 + +PermitRootLogin no +PermitEmptyPasswords no +PasswordAuthentication no + +PubkeyAuthentication yes +UsePAM yes +AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u +AuthorizedKeysCommandUser nobody + +KbdInteractiveAuthentication no +GSSAPIAuthentication no +KerberosAuthentication no + +AllowAgentForwarding yes +X11Forwarding no + +PrintMotd no +PrintLastLog yes + +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server + +TCPKeepAlive yes +ClientAliveInterval 300 +ClientAliveCountMax 1 + diff --git a/setup_kanidm.sh b/setup_kanidm.sh deleted file mode 100644 index d6d50ab..0000000 --- a/setup_kanidm.sh +++ /dev/null @@ -1,56 +0,0 @@ -#!/bin/bash - -UNIXERS_GROUP = {{ unixers }} - -/etc/kanidm/config -<<< -uri = "https://{{ idm_domain }}" -verify_ca = true -verify_hostnames = true ->>> - -/etc/kanidm/unixd -<<< -version = '2' - -default_shell = "/bin/zsh" - -home_attr = "uuid" -home_alias = "name" -home_prefix = "/home/" - -[kanidm] -pam_allowed_login_groups = ["{{ unixers }}"] - -[[kanidm.map_group]] -local = "admins" -with = "coffee_admins" ->>> - -/etc/sudo -<<< -%admins ALL=(ALL:ALL) ALL ->>> - -systemctl enable --now kanidm-unixd -systemctl enable --now kanidm-unixd-tasks - -add_line /etc/nsswitch.conf -<<< -passwd: kanidm files systemd -group: kanidm [SUCCESS=merge] files systemd ->>> - -add_line /etc/ssh/sshd_config.d/10-kanidm-keys.conf -<<< -PubkeyAuthentication yes -UsePAM yes - -Match Group {{ unixers_group }} - AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u - AuthorizedKeysCommandUser nobody ->>> - -# PAM -add_line /etc/pam.d/common-account -<<< diff --git a/user_configuration.json b/user_configuration.json index 08eb15d..7977fe3 100644 --- a/user_configuration.json +++ b/user_configuration.json @@ -79,7 +79,6 @@ "librewolf-bin", "mpv", "neovim", - "niri", "noto-fonts", "noto-fonts-emoji", "nvidia-open", 
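Review bot: `Subsystem sftp /usr/lib/openssh/sftp-server` is the Debian/Ubuntu path; Arch's openssh package installs the binary at `/usr/lib/ssh/sftp-server`, so SFTP sessions will fail with a subsystem error — use `Subsystem sftp /usr/lib/ssh/sftp-server` or the path-independent `Subsystem sftp internal-sftp`. The global `AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u` adds to, rather than replaces, the default `AuthorizedKeysFile`, so a key dropped into `~/.ssh/authorized_keys` on the host still grants login; if Kanidm is meant to be the sole key source, add `AuthorizedKeysFile none`. Since sshd keeps the first value it sees for each keyword, the leading `Include /etc/ssh/sshd_config.d/*.conf` lets any drop-in override `PermitRootLogin no` and `PasswordAuthentication no` below it, so that directory needs to stay empty or audited.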
@@ -91,10 +90,12 @@ "polkit", "polkit-kde-agent", "reflector", - "rustup", + "rust", + "sddm", "sshfs", "starship", "sudo", + "swayfx", "swaybg", "swayidle", "swaylock", @@ -133,13 +134,19 @@ "zsh-autosuggestions", "zsh-completions", "zsh-syntax-highlighting", - "ly", "mise", "mako" ], "parallel downloads": 3, "profile_config": null, - "services": ["bluetooth", "ly", "NetworkManager", "reflector", "polkit"], + "services": [ + "bluetooth", + "NetworkManager", + "reflector", + "polkit", + "kanidm-unixd", + "kanidm-unixd-tasks" + ], "swap": true, "timezone": "US/Pacific", "version": "2.8.3" |
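Review bot: The `services` list drops `ly` but does not enable the `sddm` added to the package list in the hunk above, so the installed system will boot to a console with no display manager; add `"sddm"` to `services`. `kanidm-unixd` and `kanidm-unixd-tasks` are enabled, but the package that provides those units (the Kanidm unixd client package) is not visible in the package lines shown here — if it is not in the part of the list outside these hunks, the units will not exist and the `passwd: kanidm` entry in nsswitch.conf will be querying a daemon that is never installed.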