commit a9dcbc1db8ef15d8ab0fd6635cec0c5fe88c6007 Author: Levi Woodard Date: Mon May 18 10:11:53 2026 -0600 Initial scaffold: idempotent Sunshine + Moonlight installer for Omarchy Sets up bidirectional game streaming across Omarchy/Hyprland/Wayland machines (NVIDIA desktop and AMD Framework laptop), with the Macbook as an additional Moonlight client. The same install.sh runs on either machine; GPU vendor is detected at runtime and the appropriate hardware-encode packages are installed. Includes: - KMS capture setup (cap_sys_admin on sunshine, input group, uinput udev rule) - ufw / firewalld port opening when a firewall is active - systemd --user service + loginctl enable-linger for always-on hosting - uninstall.sh with --purge for user data removal - Flags to install host-only or client-only diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5818083 --- /dev/null +++ b/.gitignore @@ -0,0 +1,8 @@ +*.swp +*.swo +*.bak +*.bak.* +.DS_Store +.idea/ +.vscode/ +.claude/settings.local.json diff --git a/README.md b/README.md new file mode 100644 index 0000000..4b36f8f --- /dev/null +++ b/README.md @@ -0,0 +1,108 @@ +# omarchy-moonlight + +Idempotent install scripts that set up [Sunshine](https://github.com/LizardByte/Sunshine) (host) and [Moonlight](https://moonlight-stream.org/) (client) on Omarchy / Arch Linux / Hyprland / Wayland machines. + +Designed so the same script runs on: + +- a primary NVIDIA desktop (host + client) +- a Framework AMD laptop (host + client) +- any other Omarchy box + +After install, the machine can both stream out (via Sunshine) and view streams (via Moonlight). A Macbook can install Moonlight separately and connect to either Linux host. + +## Quick start + +```bash +git clone ~/omarchy-moonlight +cd ~/omarchy-moonlight +./install.sh +``` + +Then: + +1. **Log out and back in** if you weren't already in the `input` group (the installer adds you; the group only takes effect on a fresh login). +2. Open and set a Sunshine username + password. +3. On a Moonlight client (Mac / phone / the other Linux box), add this host by LAN IP and enter the PIN that Sunshine's web UI shows during pairing. + +## What it does + +- Installs `sunshine` and `moonlight-qt` from the AUR via `yay` +- Adds your user to the `input` group +- Drops a `/etc/udev/rules.d/60-uinput.rules` if no equivalent rule exists (so Sunshine can use `/dev/uinput` for virtual gamepad/keyboard/mouse) +- Runs `setcap cap_sys_admin+p` on the `sunshine` binary so KMS screen capture works without root +- Installs GPU-vendor encoder packages: + - NVIDIA: `nvidia-utils`, `libva-nvidia-driver` + - AMD: `libva-mesa-driver`, `mesa-vdpau`, `vulkan-radeon` + - Intel: `intel-media-driver`, `vulkan-intel` +- Opens Sunshine's LAN ports on `firewalld` / `ufw` if either is active (skips silently otherwise) +- Enables `sunshine.service` under systemd `--user` and turns on `loginctl enable-linger` so the host is reachable without a graphical login + +Re-running is safe — every step is "check, then act." + +## Flags + +```text +./install.sh --no-autostart # install but don't enable the user service +./install.sh --no-firewall # skip firewall rules +./install.sh --no-moonlight # host-only (no client) +./install.sh --no-sunshine # client-only (no host) +``` + +### Use the precompiled Sunshine package + +The default uses `sunshine` from the AUR, which builds from source (slow on first install). To use the precompiled `sunshine-bin` instead: + +```bash +SUNSHINE_PKG=sunshine-bin ./install.sh +``` + +## Uninstall + +```bash +./uninstall.sh # remove packages + udev rule, keep user data +./uninstall.sh --purge # also delete ~/.config/sunshine +``` + +## How streaming works once it's set up + +- **Host (Sunshine) ports** (auto-opened if a firewall is active): + - TCP: `47984 47989 47990 48010` + - UDP: `47998 47999 48000 48010` +- **Pairing**: on first connect, Moonlight shows a PIN. Type it into Sunshine's web UI ( → PIN tab) within a few seconds. +- **Capture mode**: this script configures KMS capture, which streams whatever is on the host's real monitor. A virtual-display mode (so streaming doesn't take over the desk) is a future addition — see `remote/` notes when it lands. + +## Diagnostics + +```bash +systemctl --user status sunshine +journalctl --user -u sunshine -f +getcap "$(readlink -f "$(command -v sunshine)")" # should include cap_sys_admin +id -nG | tr ' ' '\n' | grep -x input # confirm group membership +``` + +If Moonlight pairs but the stream is black: + +- Confirm you're in the `input` group **in a freshly logged-in session** (not just listed in `/etc/group`). +- Confirm `getcap` shows `cap_sys_admin` on the sunshine binary. +- Check `journalctl --user -u sunshine` for `KMS` / `DRM` errors. On NVIDIA, ensure the proprietary driver is active (`nvidia-smi`). + +## Remote access (planned) + +LAN-only for now. Remote access will be added later via one of: Tailscale, WireGuard, or Cloudflare. See `remote/` (stub) when implemented. + +## Layout + +```text +omarchy-moonlight/ +├── install.sh +├── uninstall.sh +├── README.md +├── lib/ +│ ├── common.sh # logging, sudo, idempotency helpers +│ ├── detect.sh # GPU vendor, session type, hostname +│ ├── packages.sh # yay -S sunshine moonlight-qt + GPU encoders +│ ├── permissions.sh # input group, uinput udev, setcap cap_sys_admin +│ ├── firewall.sh # ufw/firewalld detection + port opening +│ └── service.sh # systemctl --user enable + loginctl enable-linger +└── files/ # (reserved — drop-in config files if needed later) +``` diff --git a/files/.gitkeep b/files/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/install.sh b/install.sh new file mode 100755 index 0000000..c70095b --- /dev/null +++ b/install.sh @@ -0,0 +1,130 @@ +#!/usr/bin/env bash +# omarchy-moonlight installer +# Sets up Sunshine (host) + Moonlight (client) on Omarchy/Hyprland/Wayland. +# Idempotent: re-run safely. Same script works on NVIDIA and AMD machines. + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +# shellcheck source=lib/common.sh +source "$SCRIPT_DIR/lib/common.sh" +# shellcheck source=lib/detect.sh +source "$SCRIPT_DIR/lib/detect.sh" +# shellcheck source=lib/packages.sh +source "$SCRIPT_DIR/lib/packages.sh" +# shellcheck source=lib/permissions.sh +source "$SCRIPT_DIR/lib/permissions.sh" +# shellcheck source=lib/firewall.sh +source "$SCRIPT_DIR/lib/firewall.sh" +# shellcheck source=lib/service.sh +source "$SCRIPT_DIR/lib/service.sh" + +usage() { + cat <}${RESET} + - Enter the 4-digit PIN that Sunshine's UI shows during pairing. + + 4. To check status: ${DIM}systemctl --user status sunshine${RESET} + To view logs: ${DIM}journalctl --user -u sunshine -f${RESET} + To uninstall: ${DIM}$SCRIPT_DIR/uninstall.sh${RESET} + +EOF +} + +main "$@" diff --git a/lib/common.sh b/lib/common.sh new file mode 100644 index 0000000..b280b95 --- /dev/null +++ b/lib/common.sh @@ -0,0 +1,62 @@ +#!/usr/bin/env bash +# Shared helpers: logging, sudo, preflight checks, idempotency primitives. + +if [[ -t 1 ]]; then + BOLD=$'\033[1m' + DIM=$'\033[2m' + RED=$'\033[31m' + GREEN=$'\033[32m' + YELLOW=$'\033[33m' + BLUE=$'\033[34m' + RESET=$'\033[0m' +else + BOLD="" DIM="" RED="" GREEN="" YELLOW="" BLUE="" RESET="" +fi + +step() { printf '\n%s==>%s %s%s%s\n' "$BLUE" "$RESET" "$BOLD" "$*" "$RESET"; } +info() { printf ' %s\n' "$*"; } +ok() { printf ' %s✓%s %s\n' "$GREEN" "$RESET" "$*"; } +warn() { printf ' %s!%s %s\n' "$YELLOW" "$RESET" "$*" >&2; } +err() { printf ' %s✗%s %s\n' "$RED" "$RESET" "$*" >&2; } + +# Run as root via sudo, preserving prompt visibility. +as_root() { sudo "$@"; } + +require_not_root() { + if [[ $EUID -eq 0 ]]; then + err "Do not run this script as root. It will sudo where needed." + exit 1 + fi +} + +require_arch() { + if [[ ! -f /etc/arch-release ]] && ! grep -q '^ID=arch' /etc/os-release 2>/dev/null; then + err "This script targets Arch Linux (Omarchy). /etc/arch-release not found." + exit 1 + fi +} + +require_yay() { + if ! command -v yay >/dev/null 2>&1; then + err "yay is required to install AUR packages. Install yay first." + exit 1 + fi +} + +# True if package is installed (pacman -Qi). +pkg_installed() { pacman -Qi "$1" >/dev/null 2>&1; } + +# Install one or more packages via yay if any are missing. +yay_install() { + local missing=() + local p + for p in "$@"; do + pkg_installed "$p" || missing+=("$p") + done + if [[ ${#missing[@]} -eq 0 ]]; then + ok "Already installed: $*" + return 0 + fi + info "Installing: ${missing[*]}" + yay -S --needed --noconfirm "${missing[@]}" +} diff --git a/lib/detect.sh b/lib/detect.sh new file mode 100644 index 0000000..2c6c0b8 --- /dev/null +++ b/lib/detect.sh @@ -0,0 +1,30 @@ +#!/usr/bin/env bash +# Detect GPU vendor, session type, hostname. + +detect_gpu_vendor() { + local vga + vga="$(lspci -nn 2>/dev/null | grep -iE 'vga|3d|display' || true)" + if grep -qi 'nvidia' <<<"$vga"; then + echo "nvidia" + elif grep -qiE 'amd|advanced micro devices|ati' <<<"$vga"; then + echo "amd" + elif grep -qi 'intel' <<<"$vga"; then + echo "intel" + else + echo "unknown" + fi +} + +detect_all() { + HOSTNAME_SHORT="$(hostname -s 2>/dev/null || hostname)" + GPU_VENDOR="$(detect_gpu_vendor)" + SESSION_TYPE="${XDG_SESSION_TYPE:-unknown}" + export HOSTNAME_SHORT GPU_VENDOR SESSION_TYPE + + if [[ "$SESSION_TYPE" != "wayland" ]]; then + warn "Session type is '$SESSION_TYPE' (not wayland). KMS capture still works at the TTY/DRM level, but Hyprland-specific paths assume Wayland." + fi + if [[ "$GPU_VENDOR" == "unknown" ]]; then + warn "Could not detect GPU vendor. Encoder packages will be skipped; HW encode may not work." + fi +} diff --git a/lib/firewall.sh b/lib/firewall.sh new file mode 100644 index 0000000..ab91bd6 --- /dev/null +++ b/lib/firewall.sh @@ -0,0 +1,54 @@ +#!/usr/bin/env bash +# Open Sunshine's ports on whatever firewall is active. +# Sunshine ports: +# TCP: 47984, 47989, 47990, 48010 +# UDP: 47998, 47999, 48000, 48010 + +SUNSHINE_TCP_PORTS=(47984 47989 47990 48010) +SUNSHINE_UDP_PORTS=(47998 47999 48000 48010) + +_firewalld_active() { systemctl is-active --quiet firewalld 2>/dev/null; } +_ufw_active() { command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q "Status: active"; } +_iptables_has_rules() { + command -v iptables >/dev/null 2>&1 || return 1 + # Heuristic: more than the default 3 chains-with-no-rules output lines means rules exist. + [[ "$(as_root iptables -S 2>/dev/null | wc -l)" -gt 3 ]] +} + +open_sunshine_ports() { + if _firewalld_active; then + info "firewalld is active — opening ports" + local p + for p in "${SUNSHINE_TCP_PORTS[@]}"; do + as_root firewall-cmd --permanent --add-port="${p}/tcp" >/dev/null + done + for p in "${SUNSHINE_UDP_PORTS[@]}"; do + as_root firewall-cmd --permanent --add-port="${p}/udp" >/dev/null + done + as_root firewall-cmd --reload >/dev/null + ok "Opened Sunshine ports in firewalld" + return 0 + fi + + if _ufw_active; then + info "ufw is active — opening ports" + local p + for p in "${SUNSHINE_TCP_PORTS[@]}"; do + as_root ufw allow "${p}/tcp" >/dev/null + done + for p in "${SUNSHINE_UDP_PORTS[@]}"; do + as_root ufw allow "${p}/udp" >/dev/null + done + ok "Opened Sunshine ports in ufw" + return 0 + fi + + if _iptables_has_rules; then + warn "iptables rules detected but no managed firewall (ufw/firewalld). Open these ports manually:" + warn " TCP: ${SUNSHINE_TCP_PORTS[*]}" + warn " UDP: ${SUNSHINE_UDP_PORTS[*]}" + return 0 + fi + + info "No active firewall detected — nothing to configure." +} diff --git a/lib/packages.sh b/lib/packages.sh new file mode 100644 index 0000000..441702d --- /dev/null +++ b/lib/packages.sh @@ -0,0 +1,35 @@ +#!/usr/bin/env bash +# Install Sunshine, Moonlight, and GPU-specific hardware-encode dependencies. + +# Default to source build (canonical AUR package). Override with SUNSHINE_PKG=sunshine-bin +# in the environment for the precompiled build (much faster install). +: "${SUNSHINE_PKG:=sunshine}" + +install_sunshine() { + yay_install "$SUNSHINE_PKG" +} + +install_moonlight() { + # moonlight-qt is in the AUR (also a -bin variant). yay handles both. + yay_install moonlight-qt +} + +install_gpu_encoder_packages() { + case "$GPU_VENDOR" in + nvidia) + # NVENC works through the proprietary driver. libva-nvidia-driver lets some + # apps use VAAPI on NVIDIA; not strictly required for Sunshine NVENC but useful. + yay_install nvidia-utils libva-nvidia-driver + ;; + amd) + # VAAPI (mesa) + Vulkan for AMD hardware encode paths. + yay_install libva-mesa-driver mesa-vdpau vulkan-radeon + ;; + intel) + yay_install intel-media-driver vulkan-intel + ;; + *) + info "Unknown GPU vendor; skipping vendor-specific encoder packages." + ;; + esac +} diff --git a/lib/permissions.sh b/lib/permissions.sh new file mode 100644 index 0000000..61614fb --- /dev/null +++ b/lib/permissions.sh @@ -0,0 +1,50 @@ +#!/usr/bin/env bash +# Permissions needed for Sunshine on Wayland: +# - user in 'input' group (so /dev/uinput is usable for virtual gamepad/keyboard/mouse) +# - udev rule granting 'input' group access to /dev/uinput +# - cap_sys_admin on the sunshine binary (so KMS capture works without root) + +UINPUT_RULE_PATH="/etc/udev/rules.d/60-uinput.rules" +UINPUT_RULE_CONTENT='KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess", OWNER="root", GROUP="input", MODE="0660"' + +ensure_input_group() { + if id -nG "$USER" | tr ' ' '\n' | grep -qx input; then + ok "User '$USER' already in 'input' group" + return 0 + fi + info "Adding '$USER' to 'input' group" + as_root usermod -aG input "$USER" + warn "You must log out and back in (or run 'newgrp input') for this to take effect." +} + +ensure_uinput_udev_rule() { + # The sunshine package may ship its own rule under /usr/lib/udev/rules.d/. + # If a usable rule already exists anywhere udev looks, do nothing. + if grep -rqs 'KERNEL=="uinput"' /etc/udev/rules.d /usr/lib/udev/rules.d /run/udev/rules.d 2>/dev/null; then + ok "uinput udev rule already present" + return 0 + fi + info "Writing $UINPUT_RULE_PATH" + echo "$UINPUT_RULE_CONTENT" | as_root tee "$UINPUT_RULE_PATH" >/dev/null + as_root udevadm control --reload-rules + as_root udevadm trigger --subsystem-match=misc --action=change || true +} + +set_sunshine_capabilities() { + local bin + bin="$(command -v sunshine || true)" + if [[ -z "$bin" ]]; then + err "sunshine binary not found on PATH after install; cannot set capabilities." + return 1 + fi + # Follow symlinks (e.g., /usr/bin/sunshine may itself be a real file; harmless to readlink -f). + bin="$(readlink -f "$bin")" + local current + current="$(getcap "$bin" 2>/dev/null || true)" + if [[ "$current" == *"cap_sys_admin"* ]]; then + ok "sunshine binary already has cap_sys_admin set" + return 0 + fi + info "Setting cap_sys_admin+p on $bin (required for KMS capture)" + as_root setcap cap_sys_admin+p "$bin" +} diff --git a/lib/service.sh b/lib/service.sh new file mode 100644 index 0000000..a9281f2 --- /dev/null +++ b/lib/service.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env bash +# Enable Sunshine as a systemd --user service and turn on lingering so it +# runs at boot without a graphical login. + +enable_sunshine_service() { + if ! systemctl --user list-unit-files sunshine.service >/dev/null 2>&1; then + err "sunshine.service not found in user systemd units. Did the package install correctly?" + return 1 + fi + + if ! loginctl show-user "$USER" -p Linger --value 2>/dev/null | grep -qx yes; then + info "Enabling user lingering (loginctl enable-linger $USER)" + as_root loginctl enable-linger "$USER" + else + ok "User lingering already enabled" + fi + + info "Enabling sunshine.service (user)" + systemctl --user enable sunshine.service >/dev/null + + info "Starting sunshine.service (user)" + # Restart so a re-run picks up new config / new caps. Tolerate first-launch races. + systemctl --user restart sunshine.service || systemctl --user start sunshine.service || { + err "Failed to start sunshine.service. Check: journalctl --user -u sunshine" + return 1 + } + + sleep 1 + if systemctl --user is-active --quiet sunshine.service; then + ok "sunshine.service is active" + else + warn "sunshine.service did not stay active. Inspect: journalctl --user -u sunshine -n 50" + fi +} diff --git a/uninstall.sh b/uninstall.sh new file mode 100755 index 0000000..de60ad7 --- /dev/null +++ b/uninstall.sh @@ -0,0 +1,61 @@ +#!/usr/bin/env bash +# Reverse of install.sh. Leaves user data in ~/.config/sunshine/ alone unless --purge. + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +# shellcheck source=lib/common.sh +source "$SCRIPT_DIR/lib/common.sh" + +PURGE=0 +KEEP_MOONLIGHT=0 +while [[ $# -gt 0 ]]; do + case "$1" in + --purge) PURGE=1 ;; + --keep-moonlight) KEEP_MOONLIGHT=1 ;; + -h|--help) + cat </dev/null || true + +step "Removing user lingering (if enabled by us)" +if loginctl show-user "$USER" -p Linger --value 2>/dev/null | grep -qx yes; then + warn "Lingering is enabled. Leaving it on — other user services may rely on it." + warn "Disable manually with: sudo loginctl disable-linger $USER" +fi + +step "Removing packages" +if pacman -Qi sunshine >/dev/null 2>&1; then + as_root pacman -Rns --noconfirm sunshine +elif pacman -Qi sunshine-bin >/dev/null 2>&1; then + as_root pacman -Rns --noconfirm sunshine-bin +fi +if [[ $KEEP_MOONLIGHT -eq 0 ]] && pacman -Qi moonlight-qt >/dev/null 2>&1; then + as_root pacman -Rns --noconfirm moonlight-qt +fi + +step "Removing udev rule (if we wrote one)" +if [[ -f /etc/udev/rules.d/60-uinput.rules ]]; then + as_root rm -f /etc/udev/rules.d/60-uinput.rules + as_root udevadm control --reload-rules +fi + +if [[ $PURGE -eq 1 ]]; then + step "Purging Sunshine user data" + rm -rf "$HOME/.config/sunshine" "$HOME/.local/share/sunshine" +fi + +ok "Uninstall complete. Firewall rules and 'input' group membership were left in place."