Refactored installer into modular library structure with improved error handling and logging.

The changes include: - Split monolithic script into lib/, config/, profiles/, and files/ directories - Added error handling with cleanup on failure - Added installation logging to /var/log/arch-install.log - Added username validation
2026-01-17 10:23:17 -05:00
parent f8f2d5a3ce
commit 6b70ce8a97
40 changed files with 2324 additions and 574 deletions
--- a/files/etc/nftables.conf
+++ b/files/etc/nftables.conf
@@ -0,0 +1,41 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter; policy drop;
+
+		iif lo counter accept comment "accept any localhost traffic"
+		ct state { established, related } counter accept comment "accept established,related"
+		ct state invalid counter drop comment "drop invalid"
+		meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"
+
+		tcp dport ssh ct state new counter accept comment "accept new SSH connections"
+
+		counter comment "count any other dropped traffic"
+	}
+
+	chain output {
+		type filter hook output priority filter; policy drop;
+
+		oif lo counter accept comment "accept any localhost traffic"
+		ct state { established, related } counter accept comment "accept established,related"
+		ct state invalid counter drop comment "drop invalid"
+		meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"
+
+		udp dport https ct state new counter reject comment "reject new HTTP/3 connections"
+		ct state new counter accept comment "accept new outbound connections"
+
+		counter comment "count any other dropped traffic"
+	}
+
+	chain forward {
+		type filter hook forward priority filter; policy drop;
+
+		# Drop everything forwarded to us. This device is not a router and does not forward.
+
+		counter comment "count dropped traffic"
+	}
+}
--- a/files/etc/ssh/sshd_config
+++ b/files/etc/ssh/sshd_config
@@ -0,0 +1,11 @@
+AllowUsers PLACEHOLDER
+AuthenticationMethods publickey,password
+Ciphers aes256-gcm@openssh.com
+Compression no
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms mlkem768x25519-sha256
+MACs umac-128-etm@openssh.com
+PermitRootLogin no
+PubkeyAcceptedAlgorithms ssh-ed25519
+Subsystem sftp internal-sftp
--- a/files/etc/sysctl.d/90-bbr.conf
+++ b/files/etc/sysctl.d/90-bbr.conf
@@ -0,0 +1 @@
+net.ipv4.tcp_congestion_control = bbr
--- a/files/etc/systemd/network/50-default-ether.network
+++ b/files/etc/systemd/network/50-default-ether.network
@@ -0,0 +1,16 @@
+[Match]
+Type=ether
+
+[Link]
+RequiredForOnline=routable
+
+[Network]
+DHCP=yes
+IPv6AcceptRA=yes
+EmitLLDP=yes
+
+[DHCPv4]
+RouteMetric=100
+
+[IPv6AcceptRA]
+RouteMetric=100
--- a/files/etc/systemd/network/50-default-wlan.network
+++ b/files/etc/systemd/network/50-default-wlan.network
@@ -0,0 +1,19 @@
+[Match]
+Type=wlan
+WLANInterfaceType=station
+SSID=*
+
+[Link]
+RequiredForOnline=routable
+
+[Network]
+DHCP=yes
+IPv6AcceptRA=yes
+IgnoreCarrierLoss=3s
+EmitLLDP=yes
+
+[DHCPv4]
+RouteMetric=200
+
+[IPv6AcceptRA]
+RouteMetric=200
--- a/files/etc/systemd/resolved.conf.d/90-no-fallbackdns.conf
+++ b/files/etc/systemd/resolved.conf.d/90-no-fallbackdns.conf
@@ -0,0 +1,2 @@
+[Resolve]
+FallbackDNS=
--- a/files/etc/systemd/resolved.conf.d/90-no-llmnr.conf
+++ b/files/etc/systemd/resolved.conf.d/90-no-llmnr.conf
@@ -0,0 +1,2 @@
+[Resolve]
+LLMNR=no
--- a/files/etc/systemd/resolved.conf.d/90-no-mdns.conf
+++ b/files/etc/systemd/resolved.conf.d/90-no-mdns.conf
@@ -0,0 +1,2 @@
+[Resolve]
+MulticastDNS=no