Add notes on dconf not working

Signed-off-by: Tommy <contact@tommytran.io>

install.sh

@@ -22,6 +22,9 @@ unpriv(){
     sudo -u nobody "$@"
 }
 
+# Check if this is a VM
+virtualization=$(systemd-detect-virt)
+
 install_mode_selector() {
     output 'Is this a desktop or server installation?'
     output '1) Desktop'
@@ -38,7 +41,28 @@ install_mode_selector() {
     esac
 }
 
+luks_prompt(){
+    if [ "${virtualization}" != 'none' ]; then
+        output "Virtual machine detected. Do you want to set up LUKS?"
+        output '1) No'
+        output '2) Yes'
+        output 'Insert the number of your selection:'
+        read -r choice
+        case $choice in
+            1 ) use_luks='0'
+                ;;
+            2 ) use_luks='1'
+                ;;
+            * ) output 'You did not enter a valid selection.'
+                luks_prompt
+        esac
+    else
+        use_luks='1'
+    fi
+}
+
 luks_password_prompt () {
+    if [ "${use_luks}" = '1' ]; then
         output 'Enter your encryption password (the password will not be shown on the screen):'
         read -r -s luks_password
 
@@ -53,6 +77,7 @@ luks_password_prompt () {
             output 'Passwords do not match, please try again.'
             luks_password_prompt
         fi
+    fi
 }
 
 disk_prompt (){
@@ -107,6 +132,26 @@ hostname_prompt (){
     fi
 }
 
+network_daemon_prompt(){
+    if [ "${install_mode}" = 'server' ]; then
+        output 'Which network daemon do you want to use'
+        output '1) networkmanager'
+        output '2) systemd-networkd'
+        output 'Insert the number of your selection:'
+        read -r choice
+        case $choice in
+            1 ) network_daemon='networkmanager'
+                ;;
+            2 ) network_daemon='systemd-networkd'
+                ;;
+            * ) output 'You did not enter a valid selection.'
+            install_mode_selector
+        esac
+    else
+        network_daemon='networkmanager'
+    fi
+}
+
 # Set hardcoded variables (temporary, these will be replaced by future prompts)
 locale=en_US
 kblayout=us
@@ -116,14 +161,13 @@ clear
 
 # Initial prompts
 install_mode_selector 
+luks_prompt
 luks_password_prompt
 disk_prompt
 username_prompt
 user_password_prompt
 hostname_prompt
-
+network_daemon_prompt
-# Check if this is a VM
-virtualization=$(systemd-detect-virt)
 
 # Installation
 
@@ -143,10 +187,13 @@ parted -s "${disk}" \
     mklabel gpt \
     mkpart ESP fat32 1MiB 513MiB \
     set 1 esp on \
-    mkpart cryptroot 513MiB 100%
+    mkpart rootfs 513MiB 100%
 
 ESP='/dev/disk/by-partlabel/ESP'
-cryptroot='/dev/disk/by-partlabel/cryptroot'
+
+if [ "${use_luks}" = '1' ]; then
+    cryptroot='/dev/disk/by-partlabel/rootfs'
+fi
 
 ## Informing the Kernel of the changes.
 output 'Informing the Kernel about the disk changes.'
@@ -157,13 +204,17 @@ output 'Formatting the EFI Partition as FAT32.'
 mkfs.fat -F 32 -s 2 "${ESP}" &>/dev/null
 
 ## Creating a LUKS Container for the root partition.
+if [ "${use_luks}" = '1' ]; then
     output 'Creating LUKS Container for the root partition.'
-echo -n "${luks_password}" | cryptsetup luksFormat --pbkdf pbkdf2 ${cryptroot} -d - &>/dev/null
+    echo -n "${luks_password}" | cryptsetup luksFormat --pbkdf pbkdf2 "${cryptroot}" -d - &>/dev/null
-echo -n "${luks_password}" | cryptsetup open ${cryptroot} cryptroot -d -
+    echo -n "${luks_password}" | cryptsetup open "${cryptroot}" cryptroot -d -
     BTRFS='/dev/mapper/cryptroot'
+else
+    BTRFS='/dev/disk/by-partlabel/rootfs'
+fi
 
-## Formatting the LUKS Container as BTRFS.
+## Formatting the partition as BTRFS.
-output 'Formatting the LUKS container as BTRFS.'
+output 'Formatting the rootfs as BTRFS.'
 mkfs.btrfs "${BTRFS}" &>/dev/null
 mount "${BTRFS}" /mnt
 
@@ -190,7 +241,10 @@ if [ "${install_mode}" = 'desktop' ]; then
     btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
     btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
 fi
+
+if [ "${use_luks}" = '1' ]; then
     btrfs su cr /mnt/@/cryptkey &>/dev/null
+fi
 
 ## Disable CoW on subvols we are not taking snapshots of
 chattr +C /mnt/@/boot
@@ -209,7 +263,10 @@ if [ "${install_mode}" = 'desktop' ]; then
     chattr +C /mnt/@/var_lib_gdm
     chattr +C /mnt/@/var_lib_AccountsService
 fi
+
+if [ "${use_luks}" = '1' ]; then
     chattr +C /mnt/@/cryptkey
+fi
 
 ## Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
 btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt
@@ -230,10 +287,15 @@ chmod 600 /mnt/@/.snapshots/1/info.xml
 umount /mnt
 output 'Mounting the newly created subvolumes.'
 mount -o ssd,noatime,compress=zstd "${BTRFS}" /mnt
-mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines,cryptkey}
+mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines}
 if [ "${install_mode}" = 'desktop' ]; then
     mkdir -p /mnt/{var/lib/gdm,var/lib/AccountsService}
 fi
+
+if [ "${use_luks}" = '1' ]; then
+    mkdir -p /mnt/cryptkey
+fi
+
 mount -o ssd,noatime,compress=zstd,nodev,nosuid,noexec,subvol=@/boot "${BTRFS}" /mnt/boot
 mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/root "${BTRFS}" /mnt/root
 mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/home "${BTRFS}" /mnt/home
@@ -260,7 +322,9 @@ if [ "${install_mode}" = 'desktop' ]; then
 fi
 
 ### The encryption is splitted as we do not want to include it in the backup with snap-pac.
+if [ "${use_luks}" = '1' ]; then
     mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
+fi
 
 mkdir -p /mnt/boot/efi
 mount -o nodev,nosuid,noexec "${ESP}" /mnt/boot/efi
@@ -281,7 +345,11 @@ output 'Installing the base system (it may take a while).'
 output "You may see an error when mkinitcpio tries to generate a new initramfs."
 output "It is okay. The script will regenerate the initramfs later in the installation process."
 
-pacstrap /mnt apparmor base chrony efibootmgr firewalld grub grub-btrfs inotify-tools linux-firmware linux-hardened linux-lts "${microcode}" nano networkmanager reflector sbctl snapper sudo zram-generator
+pacstrap /mnt apparmor base chrony efibootmgr firewalld grub grub-btrfs inotify-tools linux-firmware linux-hardened linux-lts "${microcode}" nano reflector sbctl snapper sudo zram-generator
+
+if [ "${network_daemon}" = 'networkmanager' ]; then
+    pacstrap /mnt networkmanager
+fi
 
 if [ "${install_mode}" = 'desktop' ]; then
     pacstrap /mnt nautilus gdm gnome-console gnome-control-center flatpak pipewire-alsa pipewire-pulse pipewire-jack
@@ -329,10 +397,16 @@ echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
 output 'Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook.'
 sed -i 's/#COMPRESSION="zstd"/COMPRESSION="zstd"/g' /mnt/etc/mkinitcpio.conf
 sed -i 's/^MODULES=.*/MODULES=(btrfs)/g' /mnt/etc/mkinitcpio.conf
+if [ "${use_luks}" = '1' ]; then
     sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt)/g' /mnt/etc/mkinitcpio.conf
+else
+    sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block)/g' /mnt/etc/mkinitcpio.conf
+fi
 
 ## Enable LUKS in GRUB and setting the UUID of the LUKS container.
+if [ "${use_luks}" = '1' ]; then
     sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
+fi
 echo '' >> /mnt/etc/default/grub
 echo '# Booting with BTRFS subvolume
 GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub
@@ -345,15 +419,22 @@ sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
 sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
 
 ## Kernel hardening
+
+if [ "${use_luks}" = '1' ]; then
     UUID=$(blkid -s UUID -o value "${cryptroot}")
     sed -i "s#quiet#rd.luks.name=${UUID}=cryptroot root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
+else
+    sed -i "s#quiet#root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
+fi
 
 ## Add keyfile to the initramfs to avoid double password.
+if [ "${use_luks}" = '1' ]; then
     dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
     chmod 000 /mnt/cryptkey/.root.key &>/dev/null
-echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key -d -
+    echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/rootfs /mnt/cryptkey/.root.key -d -
     sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
     sed -i "s#module\.sig_enforce=1#module.sig_enforce=1 rd.luks.key=/cryptkey/.root.key#g" /mnt/etc/default/grub
+fi
 
 ## Continue kernel hardening
 unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
@@ -399,6 +480,8 @@ fi
 # Setup dconf
 
 if [ "${install_mode}" = 'desktop' ]; then
+    # This doesn't actually take effect atm - need to investigate
+
     mkdir -p /mnt/etc/dconf/db/local.d/locks
 
     unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | tee /mnt/etc/dconf/db/local.d/locks/automount-disable
@@ -417,12 +500,15 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
 
 ## Setup Networking
 
-if [ "${install_mode}" = "desktop" ]; then
+if [ "${install_mode}" = 'desktop' ]; then
     unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | tee /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf
     unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | tee /mnt/etc/NetworkManager/conf.d/01-transient-hostname.conf
 fi
 
+if [ "${network_daemon}" = 'networkmanager' ]; then
+    mkdir -p /mnt/etc/systemd/system/NetworkManager.service.d/
     unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf
+fi 
 
 ## Configuring the system.
 arch-chroot /mnt /bin/bash -e <<EOF
@@ -435,33 +521,33 @@ arch-chroot /mnt /bin/bash -e <<EOF
     hwclock --systohc
 
     # Generating locales.my keys aren't even on
-    output "Generating locales."
+    echo "Generating locales."
     locale-gen
 
     # Create SecureBoot keys. This isn't strictly necessary, but certain things like linux-hardened preset expects it and mkinitcpio will fail without it, sooo...
     sbctl create-keys
 
     # Generating a new initramfs.
-    output "Creating a new initramfs."
+    echo "Creating a new initramfs."
     chmod 600 /boot/initramfs-linux*
     mkinitcpio -P
 
     # Installing GRUB.
-    output "Installing GRUB on /boot."
+    echo "Installing GRUB on /boot."
     grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --disable-shim-lock
 
     # Creating grub config file.
-    output "Creating GRUB config file."
+    echo "Creating GRUB config file."
     grub-mkconfig -o /boot/grub/grub.cfg
 
     # Adding user with sudo privilege
-    output "Adding $username with root privilege."
+    echo "Adding $username with root privilege."
     useradd -m $username
     usermod -aG wheel $username
 
     if [ "${install_mode}" = 'desktop' ]; then
         # Setting up dconf
-        output "Setting up dconf."
+        echo "Setting up dconf."
         dconf update
     fi
 
@@ -487,13 +573,18 @@ systemctl enable chronyd --root=/mnt
 systemctl enable firewalld --root=/mnt
 systemctl enable fstrim.timer --root=/mnt
 systemctl enable grub-btrfsd.service --root=/mnt
-systemctl enable NetworkManager --root=/mnt
 systemctl enable reflector.timer --root=/mnt
 systemctl enable snapper-timeline.timer --root=/mnt
 systemctl enable snapper-cleanup.timer --root=/mnt
 systemctl enable systemd-oomd --root=/mnt
 systemctl disable systemd-timesyncd --root=/mnt
 
+if [ "${network_daemon}" = 'networkmanager' ]; then
+    systemctl enable NetworkManager --root=/mnt
+else 
+    systemctl enable systemd-networkd --root=/mnt
+fi
+
 if [ "${install_mode}" = 'desktop' ]; then
     systemctl enable gdm --root=/mnt
 fi