
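#!/usr/bin/env bash
# chroot_setup.sh — second-stage Arch installation, run inside the arch-chroot.
#
# Reads its configuration from ENV_FILE (TIMEZONE, LOCALE, KEYMAP, HOSTNAME,
# USERNAME, ROOT_PASSWORD, USER_PASSWORD, optional TPM2_ENABLE), then configures
# locale/time/hostname, creates the admin user, installs the extra packages,
# optionally enrolls a TPM2 LUKS key, installs systemd-boot with a UKI layout,
# and enables the firstboot service. Must run as root inside the target chroot.
set -euo pipefail

readonly ENV_FILE=/root/install/.env
readonly SUDOERS_FRAGMENT=/etc/sudoers.d/10-wheel
readonly FIRSTBOOT_SRC=/root/install/firstboot.sh
readonly FIRSTBOOT_BIN=/usr/local/sbin/firstboot.sh

# Print a message to stderr and exit non-zero.
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Print a non-fatal warning to stderr.
warn() { printf 'WARNING: %s\n' "$*" >&2; }

# Load ENV_FILE and fail early if any required variable is missing or empty.
load_env() {
  [[ -f "$ENV_FILE" ]] || die "missing config file $ENV_FILE"
  # NOTE(review): ENV_FILE holds plaintext ROOT_PASSWORD/USER_PASSWORD; it
  # stays on disk in the installed system unless a later step removes it.
  # shellcheck disable=SC1091
  source "$ENV_FILE"
  : "${TIMEZONE:?must be set in $ENV_FILE}"
  : "${LOCALE:?must be set in $ENV_FILE}"
  : "${KEYMAP:?must be set in $ENV_FILE}"
  : "${HOSTNAME:?must be set in $ENV_FILE}"
  : "${USERNAME:?must be set in $ENV_FILE}"
  : "${ROOT_PASSWORD:?must be set in $ENV_FILE}"
  : "${USER_PASSWORD:?must be set in $ENV_FILE}"
  # Optional flag; anything other than the literal string "true" disables TPM2.
  TPM2_ENABLE=${TPM2_ENABLE:-false}
}

# Timezone, hardware clock, locale, console keymap, hostname and /etc/hosts.
configure_system() {
  echo ">>> Configuring system"
  [[ -e "/usr/share/zoneinfo/${TIMEZONE}" ]] || die "unknown timezone ${TIMEZONE}"
  ln -sf -- "/usr/share/zoneinfo/${TIMEZONE}" /etc/localtime
  hwclock --systohc
  printf '%s UTF-8\n' "$LOCALE" > /etc/locale.gen
  locale-gen
  printf 'LANG=%s\n' "$LOCALE" > /etc/locale.conf
  printf 'KEYMAP=%s\n' "$KEYMAP" > /etc/vconsole.conf
  printf '%s\n' "$HOSTNAME" > /etc/hostname
  cat <<EOF >/etc/hosts
127.0.0.1 localhost
::1 localhost
127.0.1.1 ${HOSTNAME}.localdomain ${HOSTNAME}
EOF
}

# Set the root password, create the admin user if missing, (re)set its
# password, and install a validated wheel sudoers fragment.
create_users() {
  echo ">>> Creating users"
  # Passwords go through stdin (chpasswd), never argv, so they do not show in ps.
  printf '%s:%s\n' root "$ROOT_PASSWORD" | chpasswd
  if ! id -u "$USERNAME" &>/dev/null; then
    useradd -m -G wheel -s /bin/bash -- "$USERNAME"
  else
    echo "User ${USERNAME} already exists, skipping creation."
  fi
  # Always (re)set the password so re-running the script converges on .env.
  printf '%s:%s\n' "$USERNAME" "$USER_PASSWORD" | chpasswd
  mkdir -p /etc/sudoers.d
  printf '%s\n' "%wheel ALL=(ALL:ALL) ALL" > "$SUDOERS_FRAGMENT"
  chmod 440 -- "$SUDOERS_FRAGMENT"
  # A syntax error in sudoers.d locks wheel out of sudo; validate when visudo is
  # available (sudo may not be installed yet at this point).
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$SUDOERS_FRAGMENT" || die "invalid sudoers fragment $SUDOERS_FRAGMENT"
  fi
}

# Install networking and Secure Boot/TPM tooling and enable NetworkManager.
install_packages() {
  echo ">>> Installing additional packages"
  pacman -S --noconfirm networkmanager openssl sbsigntools tpm2-tools sbctl
  systemctl enable NetworkManager
}

# Enroll a TPM2 key into the LUKS volume when TPM2_ENABLE is "true".
# Enrollment is best-effort (the passphrase slot remains), but a failure is
# reported rather than silently dropped.
enroll_tpm2() {
  [[ "$TPM2_ENABLE" == true ]] || return 0
  echo ">>> Enrolling TPM2 key"
  if ! systemd-cryptenroll --tpm2-device=auto /dev/disk/by-partlabel/"Linux LUKS"; then
    warn "TPM2 enrollment failed; the LUKS volume still unlocks with its passphrase only"
  fi
}

# Install systemd-boot, select the UKI layout and build a UKI for every
# kernel present in the chroot.
install_bootloader() {
  echo ">>> Installing bootloader"
  bootctl install
  mkdir -p /etc/kernel
  cat <<EOF >/etc/kernel/install.conf
layout=uki
EOF
  echo ">>> Creating initial UKI"
  # Inside a chroot, `uname -r` reports the kernel of the host/live medium,
  # which need not match the kernel pacman installed into /usr/lib/modules;
  # enumerate the installed kernels instead.
  local vmlinuz kver found=0
  for vmlinuz in /usr/lib/modules/*/vmlinuz; do
    [[ -e "$vmlinuz" ]] || continue
    kver=${vmlinuz#/usr/lib/modules/}
    kver=${kver%/vmlinuz}
    kernel-install add "$kver" "$vmlinuz"
    found=1
  done
  (( found )) || die "no kernel found under /usr/lib/modules"
}

# Install the firstboot script and a oneshot unit that runs it once on boot.
install_firstboot() {
  echo ">>> Installing firstboot service"
  [[ -f "$FIRSTBOOT_SRC" ]] || die "missing $FIRSTBOOT_SRC"
  install -Dm755 -- "$FIRSTBOOT_SRC" "$FIRSTBOOT_BIN"
  cat <<'UNIT' >/etc/systemd/system/firstboot.service
[Unit]
Description=First Boot Secure Boot Setup
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/firstboot.sh
[Install]
WantedBy=multi-user.target
UNIT
  systemctl enable firstboot.service
}

main() {
  load_env
  configure_system
  create_users
  install_packages
  enroll_tpm2
  install_bootloader
  install_firstboot
  echo ">>> Base configuration done. Exit chroot and reboot."
}

main "$@"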