Initial scaffold: idempotent Sunshine + Moonlight installer for Omarchy

Sets up bidirectional game streaming across Omarchy/Hyprland/Wayland
machines (NVIDIA desktop and AMD Framework laptop), with the Macbook
as an additional Moonlight client.

The same install.sh runs on either machine; GPU vendor is detected at
runtime and the appropriate hardware-encode packages are installed.

Includes:
- KMS capture setup (cap_sys_admin on sunshine, input group, uinput udev rule)
- ufw / firewalld port opening when a firewall is active
- systemd --user service + loginctl enable-linger for always-on hosting
- uninstall.sh with --purge for user data removal
- Flags to install host-only or client-only

lib/common.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# Shared helpers: logging, sudo, preflight checks, idempotency primitives.
+
+if [[ -t 1 ]]; then
+  BOLD=$'\033[1m'
+  DIM=$'\033[2m'
+  RED=$'\033[31m'
+  GREEN=$'\033[32m'
+  YELLOW=$'\033[33m'
+  BLUE=$'\033[34m'
+  RESET=$'\033[0m'
+else
+  BOLD="" DIM="" RED="" GREEN="" YELLOW="" BLUE="" RESET=""
+fi
+
+step() { printf '\n%s==>%s %s%s%s\n' "$BLUE" "$RESET" "$BOLD" "$*" "$RESET"; }
+info() { printf '  %s\n' "$*"; }
+ok()   { printf '  %s✓%s %s\n' "$GREEN" "$RESET" "$*"; }
+warn() { printf '  %s!%s %s\n' "$YELLOW" "$RESET" "$*" >&2; }
+err()  { printf '  %s✗%s %s\n' "$RED" "$RESET" "$*" >&2; }
+
+# Run as root via sudo, preserving prompt visibility.
+as_root() { sudo "$@"; }
+
+require_not_root() {
+  if [[ $EUID -eq 0 ]]; then
+    err "Do not run this script as root. It will sudo where needed."
+    exit 1
+  fi
+}
+
+require_arch() {
+  if [[ ! -f /etc/arch-release ]] && ! grep -q '^ID=arch' /etc/os-release 2>/dev/null; then
+    err "This script targets Arch Linux (Omarchy). /etc/arch-release not found."
+    exit 1
+  fi
+}
+
+require_yay() {
+  if ! command -v yay >/dev/null 2>&1; then
+    err "yay is required to install AUR packages. Install yay first."
+    exit 1
+  fi
+}
+
+# True if package is installed (pacman -Qi).
+pkg_installed() { pacman -Qi "$1" >/dev/null 2>&1; }
+
+# Install one or more packages via yay if any are missing.
+yay_install() {
+  local missing=()
+  local p
+  for p in "$@"; do
+    pkg_installed "$p" || missing+=("$p")
+  done
+  if [[ ${#missing[@]} -eq 0 ]]; then
+    ok "Already installed: $*"
+    return 0
+  fi
+  info "Installing: ${missing[*]}"
+  yay -S --needed --noconfirm "${missing[@]}"
+}

lib/detect.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Detect GPU vendor, session type, hostname.
+
+detect_gpu_vendor() {
+  local vga
+  vga="$(lspci -nn 2>/dev/null | grep -iE 'vga|3d|display' || true)"
+  if grep -qi 'nvidia' <<<"$vga"; then
+    echo "nvidia"
+  elif grep -qiE 'amd|advanced micro devices|ati' <<<"$vga"; then
+    echo "amd"
+  elif grep -qi 'intel' <<<"$vga"; then
+    echo "intel"
+  else
+    echo "unknown"
+  fi
+}
+
+detect_all() {
+  HOSTNAME_SHORT="$(hostname -s 2>/dev/null || hostname)"
+  GPU_VENDOR="$(detect_gpu_vendor)"
+  SESSION_TYPE="${XDG_SESSION_TYPE:-unknown}"
+  export HOSTNAME_SHORT GPU_VENDOR SESSION_TYPE
+
+  if [[ "$SESSION_TYPE" != "wayland" ]]; then
+    warn "Session type is '$SESSION_TYPE' (not wayland). KMS capture still works at the TTY/DRM level, but Hyprland-specific paths assume Wayland."
+  fi
+  if [[ "$GPU_VENDOR" == "unknown" ]]; then
+    warn "Could not detect GPU vendor. Encoder packages will be skipped; HW encode may not work."
+  fi
+}

lib/firewall.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Open Sunshine's ports on whatever firewall is active.
+# Sunshine ports:
+#   TCP: 47984, 47989, 47990, 48010
+#   UDP: 47998, 47999, 48000, 48010
+
+SUNSHINE_TCP_PORTS=(47984 47989 47990 48010)
+SUNSHINE_UDP_PORTS=(47998 47999 48000 48010)
+
+_firewalld_active() { systemctl is-active --quiet firewalld 2>/dev/null; }
+_ufw_active()       { command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q "Status: active"; }
+_iptables_has_rules() {
+  command -v iptables >/dev/null 2>&1 || return 1
+  # Heuristic: more than the default 3 chains-with-no-rules output lines means rules exist.
+  [[ "$(as_root iptables -S 2>/dev/null | wc -l)" -gt 3 ]]
+}
+
+open_sunshine_ports() {
+  if _firewalld_active; then
+    info "firewalld is active — opening ports"
+    local p
+    for p in "${SUNSHINE_TCP_PORTS[@]}"; do
+      as_root firewall-cmd --permanent --add-port="${p}/tcp" >/dev/null
+    done
+    for p in "${SUNSHINE_UDP_PORTS[@]}"; do
+      as_root firewall-cmd --permanent --add-port="${p}/udp" >/dev/null
+    done
+    as_root firewall-cmd --reload >/dev/null
+    ok "Opened Sunshine ports in firewalld"
+    return 0
+  fi
+
+  if _ufw_active; then
+    info "ufw is active — opening ports"
+    local p
+    for p in "${SUNSHINE_TCP_PORTS[@]}"; do
+      as_root ufw allow "${p}/tcp" >/dev/null
+    done
+    for p in "${SUNSHINE_UDP_PORTS[@]}"; do
+      as_root ufw allow "${p}/udp" >/dev/null
+    done
+    ok "Opened Sunshine ports in ufw"
+    return 0
+  fi
+
+  if _iptables_has_rules; then
+    warn "iptables rules detected but no managed firewall (ufw/firewalld). Open these ports manually:"
+    warn "  TCP: ${SUNSHINE_TCP_PORTS[*]}"
+    warn "  UDP: ${SUNSHINE_UDP_PORTS[*]}"
+    return 0
+  fi
+
+  info "No active firewall detected — nothing to configure."
+}

lib/packages.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Install Sunshine, Moonlight, and GPU-specific hardware-encode dependencies.
+
+# Default to source build (canonical AUR package). Override with SUNSHINE_PKG=sunshine-bin
+# in the environment for the precompiled build (much faster install).
+: "${SUNSHINE_PKG:=sunshine}"
+
+install_sunshine() {
+  yay_install "$SUNSHINE_PKG"
+}
+
+install_moonlight() {
+  # moonlight-qt is in the AUR (also a -bin variant). yay handles both.
+  yay_install moonlight-qt
+}
+
+install_gpu_encoder_packages() {
+  case "$GPU_VENDOR" in
+    nvidia)
+      # NVENC works through the proprietary driver. libva-nvidia-driver lets some
+      # apps use VAAPI on NVIDIA; not strictly required for Sunshine NVENC but useful.
+      yay_install nvidia-utils libva-nvidia-driver
+      ;;
+    amd)
+      # VAAPI (mesa) + Vulkan for AMD hardware encode paths.
+      yay_install libva-mesa-driver mesa-vdpau vulkan-radeon
+      ;;
+    intel)
+      yay_install intel-media-driver vulkan-intel
+      ;;
+    *)
+      info "Unknown GPU vendor; skipping vendor-specific encoder packages."
+      ;;
+  esac
+}

lib/permissions.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Permissions needed for Sunshine on Wayland:
+#  - user in 'input' group  (so /dev/uinput is usable for virtual gamepad/keyboard/mouse)
+#  - udev rule granting 'input' group access to /dev/uinput
+#  - cap_sys_admin on the sunshine binary (so KMS capture works without root)
+
+UINPUT_RULE_PATH="/etc/udev/rules.d/60-uinput.rules"
+UINPUT_RULE_CONTENT='KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess", OWNER="root", GROUP="input", MODE="0660"'
+
+ensure_input_group() {
+  if id -nG "$USER" | tr ' ' '\n' | grep -qx input; then
+    ok "User '$USER' already in 'input' group"
+    return 0
+  fi
+  info "Adding '$USER' to 'input' group"
+  as_root usermod -aG input "$USER"
+  warn "You must log out and back in (or run 'newgrp input') for this to take effect."
+}
+
+ensure_uinput_udev_rule() {
+  # The sunshine package may ship its own rule under /usr/lib/udev/rules.d/.
+  # If a usable rule already exists anywhere udev looks, do nothing.
+  if grep -rqs 'KERNEL=="uinput"' /etc/udev/rules.d /usr/lib/udev/rules.d /run/udev/rules.d 2>/dev/null; then
+    ok "uinput udev rule already present"
+    return 0
+  fi
+  info "Writing $UINPUT_RULE_PATH"
+  echo "$UINPUT_RULE_CONTENT" | as_root tee "$UINPUT_RULE_PATH" >/dev/null
+  as_root udevadm control --reload-rules
+  as_root udevadm trigger --subsystem-match=misc --action=change || true
+}
+
+set_sunshine_capabilities() {
+  local bin
+  bin="$(command -v sunshine || true)"
+  if [[ -z "$bin" ]]; then
+    err "sunshine binary not found on PATH after install; cannot set capabilities."
+    return 1
+  fi
+  # Follow symlinks (e.g., /usr/bin/sunshine may itself be a real file; harmless to readlink -f).
+  bin="$(readlink -f "$bin")"
+  local current
+  current="$(getcap "$bin" 2>/dev/null || true)"
+  if [[ "$current" == *"cap_sys_admin"* ]]; then
+    ok "sunshine binary already has cap_sys_admin set"
+    return 0
+  fi
+  info "Setting cap_sys_admin+p on $bin (required for KMS capture)"
+  as_root setcap cap_sys_admin+p "$bin"
+}

lib/service.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Enable Sunshine as a systemd --user service and turn on lingering so it
+# runs at boot without a graphical login.
+
+enable_sunshine_service() {
+  if ! systemctl --user list-unit-files sunshine.service >/dev/null 2>&1; then
+    err "sunshine.service not found in user systemd units. Did the package install correctly?"
+    return 1
+  fi
+
+  if ! loginctl show-user "$USER" -p Linger --value 2>/dev/null | grep -qx yes; then
+    info "Enabling user lingering (loginctl enable-linger $USER)"
+    as_root loginctl enable-linger "$USER"
+  else
+    ok "User lingering already enabled"
+  fi
+
+  info "Enabling sunshine.service (user)"
+  systemctl --user enable sunshine.service >/dev/null
+
+  info "Starting sunshine.service (user)"
+  # Restart so a re-run picks up new config / new caps. Tolerate first-launch races.
+  systemctl --user restart sunshine.service || systemctl --user start sunshine.service || {
+    err "Failed to start sunshine.service. Check: journalctl --user -u sunshine"
+    return 1
+  }
+
+  sleep 1
+  if systemctl --user is-active --quiet sunshine.service; then
+    ok "sunshine.service is active"
+  else
+    warn "sunshine.service did not stay active. Inspect: journalctl --user -u sunshine -n 50"
+  fi
+}