Initial scaffold: idempotent Sunshine + Moonlight installer for Omarchy

Sets up bidirectional game streaming across Omarchy/Hyprland/Wayland
machines (NVIDIA desktop and AMD Framework laptop), with the Macbook
as an additional Moonlight client.

The same install.sh runs on either machine; GPU vendor is detected at
runtime and the appropriate hardware-encode packages are installed.

Includes:
- KMS capture setup (cap_sys_admin on sunshine, input group, uinput udev rule)
- ufw / firewalld port opening when a firewall is active
- systemd --user service + loginctl enable-linger for always-on hosting
- uninstall.sh with --purge for user data removal
- Flags to install host-only or client-only

.gitignore

@@ -0,0 +1,8 @@
+*.swp
+*.swo
+*.bak
+*.bak.*
+.DS_Store
+.idea/
+.vscode/
+.claude/settings.local.json

README.md

@@ -0,0 +1,108 @@
+# omarchy-moonlight
+
+Idempotent install scripts that set up [Sunshine](https://github.com/LizardByte/Sunshine) (host) and [Moonlight](https://moonlight-stream.org/) (client) on Omarchy / Arch Linux / Hyprland / Wayland machines.
+
+Designed so the same script runs on:
+
+- a primary NVIDIA desktop (host + client)
+- a Framework AMD laptop (host + client)
+- any other Omarchy box
+
+After install, the machine can both stream out (via Sunshine) and view streams (via Moonlight). A Macbook can install Moonlight separately and connect to either Linux host.
+
+## Quick start
+
+```bash
+git clone <this-repo> ~/omarchy-moonlight
+cd ~/omarchy-moonlight
+./install.sh
+```
+
+Then:
+
+1. **Log out and back in** if you weren't already in the `input` group (the installer adds you; the group only takes effect on a fresh login).
+2. Open <https://localhost:47990> and set a Sunshine username + password.
+3. On a Moonlight client (Mac / phone / the other Linux box), add this host by LAN IP and enter the PIN that Sunshine's web UI shows during pairing.
+
+## What it does
+
+- Installs `sunshine` and `moonlight-qt` from the AUR via `yay`
+- Adds your user to the `input` group
+- Drops a `/etc/udev/rules.d/60-uinput.rules` if no equivalent rule exists (so Sunshine can use `/dev/uinput` for virtual gamepad/keyboard/mouse)
+- Runs `setcap cap_sys_admin+p` on the `sunshine` binary so KMS screen capture works without root
+- Installs GPU-vendor encoder packages:
+  - NVIDIA: `nvidia-utils`, `libva-nvidia-driver`
+  - AMD: `libva-mesa-driver`, `mesa-vdpau`, `vulkan-radeon`
+  - Intel: `intel-media-driver`, `vulkan-intel`
+- Opens Sunshine's LAN ports on `firewalld` / `ufw` if either is active (skips silently otherwise)
+- Enables `sunshine.service` under systemd `--user` and turns on `loginctl enable-linger` so the host is reachable without a graphical login
+
+Re-running is safe — every step is "check, then act."
+
+## Flags
+
+```text
+./install.sh --no-autostart   # install but don't enable the user service
+./install.sh --no-firewall    # skip firewall rules
+./install.sh --no-moonlight   # host-only (no client)
+./install.sh --no-sunshine    # client-only (no host)
+```
+
+### Use the precompiled Sunshine package
+
+The default uses `sunshine` from the AUR, which builds from source (slow on first install). To use the precompiled `sunshine-bin` instead:
+
+```bash
+SUNSHINE_PKG=sunshine-bin ./install.sh
+```
+
+## Uninstall
+
+```bash
+./uninstall.sh             # remove packages + udev rule, keep user data
+./uninstall.sh --purge     # also delete ~/.config/sunshine
+```
+
+## How streaming works once it's set up
+
+- **Host (Sunshine) ports** (auto-opened if a firewall is active):
+  - TCP: `47984 47989 47990 48010`
+  - UDP: `47998 47999 48000 48010`
+- **Pairing**: on first connect, Moonlight shows a PIN. Type it into Sunshine's web UI (<https://localhost:47990> → PIN tab) within a few seconds.
+- **Capture mode**: this script configures KMS capture, which streams whatever is on the host's real monitor. A virtual-display mode (so streaming doesn't take over the desk) is a future addition — see `remote/` notes when it lands.
+
+## Diagnostics
+
+```bash
+systemctl --user status sunshine
+journalctl --user -u sunshine -f
+getcap "$(readlink -f "$(command -v sunshine)")"   # should include cap_sys_admin
+id -nG | tr ' ' '\n' | grep -x input               # confirm group membership
+```
+
+If Moonlight pairs but the stream is black:
+
+- Confirm you're in the `input` group **in a freshly logged-in session** (not just listed in `/etc/group`).
+- Confirm `getcap` shows `cap_sys_admin` on the sunshine binary.
+- Check `journalctl --user -u sunshine` for `KMS` / `DRM` errors. On NVIDIA, ensure the proprietary driver is active (`nvidia-smi`).
+
+## Remote access (planned)
+
+LAN-only for now. Remote access will be added later via one of: Tailscale, WireGuard, or Cloudflare. See `remote/` (stub) when implemented.
+
+## Layout
+
+```text
+omarchy-moonlight/
+├── install.sh
+├── uninstall.sh
+├── README.md
+├── lib/
+│   ├── common.sh         # logging, sudo, idempotency helpers
+│   ├── detect.sh         # GPU vendor, session type, hostname
+│   ├── packages.sh       # yay -S sunshine moonlight-qt + GPU encoders
+│   ├── permissions.sh    # input group, uinput udev, setcap cap_sys_admin
+│   ├── firewall.sh       # ufw/firewalld detection + port opening
+│   └── service.sh        # systemctl --user enable + loginctl enable-linger
+└── files/                # (reserved — drop-in config files if needed later)
+```

install.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+# omarchy-moonlight installer
+# Sets up Sunshine (host) + Moonlight (client) on Omarchy/Hyprland/Wayland.
+# Idempotent: re-run safely. Same script works on NVIDIA and AMD machines.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=lib/common.sh
+source "$SCRIPT_DIR/lib/common.sh"
+# shellcheck source=lib/detect.sh
+source "$SCRIPT_DIR/lib/detect.sh"
+# shellcheck source=lib/packages.sh
+source "$SCRIPT_DIR/lib/packages.sh"
+# shellcheck source=lib/permissions.sh
+source "$SCRIPT_DIR/lib/permissions.sh"
+# shellcheck source=lib/firewall.sh
+source "$SCRIPT_DIR/lib/firewall.sh"
+# shellcheck source=lib/service.sh
+source "$SCRIPT_DIR/lib/service.sh"
+
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") [options]
+
+Installs Sunshine + Moonlight on an Omarchy machine.
+
+Options:
+  --no-autostart    Don't enable user service or lingering (manual start only)
+  --no-firewall     Skip firewall configuration
+  --no-moonlight    Don't install moonlight-qt (host-only setup)
+  --no-sunshine     Don't install sunshine (client-only setup)
+  -h, --help        Show this help
+
+Environment overrides:
+  SUNSHINE_PKG       AUR package to use for Sunshine (default: sunshine)
+                     Set to 'sunshine-bin' for the precompiled build.
+EOF
+}
+
+AUTOSTART=1
+FIREWALL=1
+INSTALL_SUNSHINE=1
+INSTALL_MOONLIGHT=1
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --no-autostart)  AUTOSTART=0 ;;
+    --no-firewall)   FIREWALL=0 ;;
+    --no-moonlight)  INSTALL_MOONLIGHT=0 ;;
+    --no-sunshine)   INSTALL_SUNSHINE=0 ;;
+    -h|--help)       usage; exit 0 ;;
+    *)               err "Unknown option: $1"; usage; exit 2 ;;
+  esac
+  shift
+done
+
+main() {
+  require_not_root
+  require_arch
+  require_yay
+
+  step "Detecting system"
+  detect_all
+  info "Host: $HOSTNAME_SHORT   GPU: $GPU_VENDOR   Session: $SESSION_TYPE"
+
+  if [[ $INSTALL_SUNSHINE -eq 1 ]]; then
+    step "Installing Sunshine and GPU encoder support"
+    install_sunshine
+    install_gpu_encoder_packages
+
+    step "Configuring permissions for KMS capture and virtual input"
+    ensure_input_group
+    ensure_uinput_udev_rule
+    set_sunshine_capabilities
+
+    if [[ $FIREWALL -eq 1 ]]; then
+      step "Configuring firewall for Sunshine ports"
+      open_sunshine_ports
+    else
+      info "Skipping firewall (--no-firewall)"
+    fi
+
+    if [[ $AUTOSTART -eq 1 ]]; then
+      step "Enabling Sunshine user service"
+      enable_sunshine_service
+    else
+      info "Skipping autostart (--no-autostart). Start manually with: systemctl --user start sunshine"
+    fi
+  else
+    info "Skipping Sunshine install (--no-sunshine)"
+  fi
+
+  if [[ $INSTALL_MOONLIGHT -eq 1 ]]; then
+    step "Installing Moonlight client"
+    install_moonlight
+  else
+    info "Skipping Moonlight install (--no-moonlight)"
+  fi
+
+  step "Done"
+  print_next_steps
+}
+
+print_next_steps() {
+  local ip
+  ip="$(ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | head -n1)"
+  cat <<EOF
+
+  ${BOLD}Next steps:${RESET}
+
+  1. ${BOLD}Re-login${RESET} (or run ${DIM}newgrp input${RESET}) if you weren't already in the 'input' group.
+     This is required for Sunshine to access /dev/uinput.
+
+  2. Open Sunshine's web UI to set credentials and pair clients:
+       ${BOLD}https://localhost:47990${RESET}
+     (Self-signed cert — accept the browser warning.)
+
+  3. On a Moonlight client (this machine, the Framework, or your Mac):
+       - Add this host by IP: ${BOLD}${ip:-<your-lan-ip>}${RESET}
+       - Enter the 4-digit PIN that Sunshine's UI shows during pairing.
+
+  4. To check status:        ${DIM}systemctl --user status sunshine${RESET}
+     To view logs:           ${DIM}journalctl --user -u sunshine -f${RESET}
+     To uninstall:           ${DIM}$SCRIPT_DIR/uninstall.sh${RESET}
+
+EOF
+}
+
+main "$@"

lib/common.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# Shared helpers: logging, sudo, preflight checks, idempotency primitives.
+
+if [[ -t 1 ]]; then
+  BOLD=$'\033[1m'
+  DIM=$'\033[2m'
+  RED=$'\033[31m'
+  GREEN=$'\033[32m'
+  YELLOW=$'\033[33m'
+  BLUE=$'\033[34m'
+  RESET=$'\033[0m'
+else
+  BOLD="" DIM="" RED="" GREEN="" YELLOW="" BLUE="" RESET=""
+fi
+
+step() { printf '\n%s==>%s %s%s%s\n' "$BLUE" "$RESET" "$BOLD" "$*" "$RESET"; }
+info() { printf '  %s\n' "$*"; }
+ok()   { printf '  %s✓%s %s\n' "$GREEN" "$RESET" "$*"; }
+warn() { printf '  %s!%s %s\n' "$YELLOW" "$RESET" "$*" >&2; }
+err()  { printf '  %s✗%s %s\n' "$RED" "$RESET" "$*" >&2; }
+
+# Run as root via sudo, preserving prompt visibility.
+as_root() { sudo "$@"; }
+
+require_not_root() {
+  if [[ $EUID -eq 0 ]]; then
+    err "Do not run this script as root. It will sudo where needed."
+    exit 1
+  fi
+}
+
+require_arch() {
+  if [[ ! -f /etc/arch-release ]] && ! grep -q '^ID=arch' /etc/os-release 2>/dev/null; then
+    err "This script targets Arch Linux (Omarchy). /etc/arch-release not found."
+    exit 1
+  fi
+}
+
+require_yay() {
+  if ! command -v yay >/dev/null 2>&1; then
+    err "yay is required to install AUR packages. Install yay first."
+    exit 1
+  fi
+}
+
+# True if package is installed (pacman -Qi).
+pkg_installed() { pacman -Qi "$1" >/dev/null 2>&1; }
+
+# Install one or more packages via yay if any are missing.
+yay_install() {
+  local missing=()
+  local p
+  for p in "$@"; do
+    pkg_installed "$p" || missing+=("$p")
+  done
+  if [[ ${#missing[@]} -eq 0 ]]; then
+    ok "Already installed: $*"
+    return 0
+  fi
+  info "Installing: ${missing[*]}"
+  yay -S --needed --noconfirm "${missing[@]}"
+}

lib/detect.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Detect GPU vendor, session type, hostname.
+
+detect_gpu_vendor() {
+  local vga
+  vga="$(lspci -nn 2>/dev/null | grep -iE 'vga|3d|display' || true)"
+  if grep -qi 'nvidia' <<<"$vga"; then
+    echo "nvidia"
+  elif grep -qiE 'amd|advanced micro devices|ati' <<<"$vga"; then
+    echo "amd"
+  elif grep -qi 'intel' <<<"$vga"; then
+    echo "intel"
+  else
+    echo "unknown"
+  fi
+}
+
+detect_all() {
+  HOSTNAME_SHORT="$(hostname -s 2>/dev/null || hostname)"
+  GPU_VENDOR="$(detect_gpu_vendor)"
+  SESSION_TYPE="${XDG_SESSION_TYPE:-unknown}"
+  export HOSTNAME_SHORT GPU_VENDOR SESSION_TYPE
+
+  if [[ "$SESSION_TYPE" != "wayland" ]]; then
+    warn "Session type is '$SESSION_TYPE' (not wayland). KMS capture still works at the TTY/DRM level, but Hyprland-specific paths assume Wayland."
+  fi
+  if [[ "$GPU_VENDOR" == "unknown" ]]; then
+    warn "Could not detect GPU vendor. Encoder packages will be skipped; HW encode may not work."
+  fi
+}

lib/firewall.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Open Sunshine's ports on whatever firewall is active.
+# Sunshine ports:
+#   TCP: 47984, 47989, 47990, 48010
+#   UDP: 47998, 47999, 48000, 48010
+
+SUNSHINE_TCP_PORTS=(47984 47989 47990 48010)
+SUNSHINE_UDP_PORTS=(47998 47999 48000 48010)
+
+_firewalld_active() { systemctl is-active --quiet firewalld 2>/dev/null; }
+_ufw_active()       { command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q "Status: active"; }
+_iptables_has_rules() {
+  command -v iptables >/dev/null 2>&1 || return 1
+  # Heuristic: more than the default 3 chains-with-no-rules output lines means rules exist.
+  [[ "$(as_root iptables -S 2>/dev/null | wc -l)" -gt 3 ]]
+}
+
+open_sunshine_ports() {
+  if _firewalld_active; then
+    info "firewalld is active — opening ports"
+    local p
+    for p in "${SUNSHINE_TCP_PORTS[@]}"; do
+      as_root firewall-cmd --permanent --add-port="${p}/tcp" >/dev/null
+    done
+    for p in "${SUNSHINE_UDP_PORTS[@]}"; do
+      as_root firewall-cmd --permanent --add-port="${p}/udp" >/dev/null
+    done
+    as_root firewall-cmd --reload >/dev/null
+    ok "Opened Sunshine ports in firewalld"
+    return 0
+  fi
+
+  if _ufw_active; then
+    info "ufw is active — opening ports"
+    local p
+    for p in "${SUNSHINE_TCP_PORTS[@]}"; do
+      as_root ufw allow "${p}/tcp" >/dev/null
+    done
+    for p in "${SUNSHINE_UDP_PORTS[@]}"; do
+      as_root ufw allow "${p}/udp" >/dev/null
+    done
+    ok "Opened Sunshine ports in ufw"
+    return 0
+  fi
+
+  if _iptables_has_rules; then
+    warn "iptables rules detected but no managed firewall (ufw/firewalld). Open these ports manually:"
+    warn "  TCP: ${SUNSHINE_TCP_PORTS[*]}"
+    warn "  UDP: ${SUNSHINE_UDP_PORTS[*]}"
+    return 0
+  fi
+
+  info "No active firewall detected — nothing to configure."
+}

lib/packages.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Install Sunshine, Moonlight, and GPU-specific hardware-encode dependencies.
+
+# Default to source build (canonical AUR package). Override with SUNSHINE_PKG=sunshine-bin
+# in the environment for the precompiled build (much faster install).
+: "${SUNSHINE_PKG:=sunshine}"
+
+install_sunshine() {
+  yay_install "$SUNSHINE_PKG"
+}
+
+install_moonlight() {
+  # moonlight-qt is in the AUR (also a -bin variant). yay handles both.
+  yay_install moonlight-qt
+}
+
+install_gpu_encoder_packages() {
+  case "$GPU_VENDOR" in
+    nvidia)
+      # NVENC works through the proprietary driver. libva-nvidia-driver lets some
+      # apps use VAAPI on NVIDIA; not strictly required for Sunshine NVENC but useful.
+      yay_install nvidia-utils libva-nvidia-driver
+      ;;
+    amd)
+      # VAAPI (mesa) + Vulkan for AMD hardware encode paths.
+      yay_install libva-mesa-driver mesa-vdpau vulkan-radeon
+      ;;
+    intel)
+      yay_install intel-media-driver vulkan-intel
+      ;;
+    *)
+      info "Unknown GPU vendor; skipping vendor-specific encoder packages."
+      ;;
+  esac
+}

lib/permissions.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Permissions needed for Sunshine on Wayland:
+#  - user in 'input' group  (so /dev/uinput is usable for virtual gamepad/keyboard/mouse)
+#  - udev rule granting 'input' group access to /dev/uinput
+#  - cap_sys_admin on the sunshine binary (so KMS capture works without root)
+
+UINPUT_RULE_PATH="/etc/udev/rules.d/60-uinput.rules"
+UINPUT_RULE_CONTENT='KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess", OWNER="root", GROUP="input", MODE="0660"'
+
+ensure_input_group() {
+  if id -nG "$USER" | tr ' ' '\n' | grep -qx input; then
+    ok "User '$USER' already in 'input' group"
+    return 0
+  fi
+  info "Adding '$USER' to 'input' group"
+  as_root usermod -aG input "$USER"
+  warn "You must log out and back in (or run 'newgrp input') for this to take effect."
+}
+
+ensure_uinput_udev_rule() {
+  # The sunshine package may ship its own rule under /usr/lib/udev/rules.d/.
+  # If a usable rule already exists anywhere udev looks, do nothing.
+  if grep -rqs 'KERNEL=="uinput"' /etc/udev/rules.d /usr/lib/udev/rules.d /run/udev/rules.d 2>/dev/null; then
+    ok "uinput udev rule already present"
+    return 0
+  fi
+  info "Writing $UINPUT_RULE_PATH"
+  echo "$UINPUT_RULE_CONTENT" | as_root tee "$UINPUT_RULE_PATH" >/dev/null
+  as_root udevadm control --reload-rules
+  as_root udevadm trigger --subsystem-match=misc --action=change || true
+}
+
+set_sunshine_capabilities() {
+  local bin
+  bin="$(command -v sunshine || true)"
+  if [[ -z "$bin" ]]; then
+    err "sunshine binary not found on PATH after install; cannot set capabilities."
+    return 1
+  fi
+  # Follow symlinks (e.g., /usr/bin/sunshine may itself be a real file; harmless to readlink -f).
+  bin="$(readlink -f "$bin")"
+  local current
+  current="$(getcap "$bin" 2>/dev/null || true)"
+  if [[ "$current" == *"cap_sys_admin"* ]]; then
+    ok "sunshine binary already has cap_sys_admin set"
+    return 0
+  fi
+  info "Setting cap_sys_admin+p on $bin (required for KMS capture)"
+  as_root setcap cap_sys_admin+p "$bin"
+}

lib/service.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Enable Sunshine as a systemd --user service and turn on lingering so it
+# runs at boot without a graphical login.
+
+enable_sunshine_service() {
+  if ! systemctl --user list-unit-files sunshine.service >/dev/null 2>&1; then
+    err "sunshine.service not found in user systemd units. Did the package install correctly?"
+    return 1
+  fi
+
+  if ! loginctl show-user "$USER" -p Linger --value 2>/dev/null | grep -qx yes; then
+    info "Enabling user lingering (loginctl enable-linger $USER)"
+    as_root loginctl enable-linger "$USER"
+  else
+    ok "User lingering already enabled"
+  fi
+
+  info "Enabling sunshine.service (user)"
+  systemctl --user enable sunshine.service >/dev/null
+
+  info "Starting sunshine.service (user)"
+  # Restart so a re-run picks up new config / new caps. Tolerate first-launch races.
+  systemctl --user restart sunshine.service || systemctl --user start sunshine.service || {
+    err "Failed to start sunshine.service. Check: journalctl --user -u sunshine"
+    return 1
+  }
+
+  sleep 1
+  if systemctl --user is-active --quiet sunshine.service; then
+    ok "sunshine.service is active"
+  else
+    warn "sunshine.service did not stay active. Inspect: journalctl --user -u sunshine -n 50"
+  fi
+}

uninstall.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+# Reverse of install.sh. Leaves user data in ~/.config/sunshine/ alone unless --purge.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=lib/common.sh
+source "$SCRIPT_DIR/lib/common.sh"
+
+PURGE=0
+KEEP_MOONLIGHT=0
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --purge)          PURGE=1 ;;
+    --keep-moonlight) KEEP_MOONLIGHT=1 ;;
+    -h|--help)
+      cat <<EOF
+Usage: $(basename "$0") [--purge] [--keep-moonlight]
+
+  --purge            Also delete ~/.config/sunshine and ~/.local/share/sunshine
+  --keep-moonlight   Do not uninstall moonlight-qt
+EOF
+      exit 0 ;;
+    *) err "Unknown option: $1"; exit 2 ;;
+  esac
+  shift
+done
+
+require_not_root
+
+step "Stopping Sunshine service"
+systemctl --user disable --now sunshine.service 2>/dev/null || true
+
+step "Removing user lingering (if enabled by us)"
+if loginctl show-user "$USER" -p Linger --value 2>/dev/null | grep -qx yes; then
+  warn "Lingering is enabled. Leaving it on — other user services may rely on it."
+  warn "Disable manually with: sudo loginctl disable-linger $USER"
+fi
+
+step "Removing packages"
+if pacman -Qi sunshine >/dev/null 2>&1; then
+  as_root pacman -Rns --noconfirm sunshine
+elif pacman -Qi sunshine-bin >/dev/null 2>&1; then
+  as_root pacman -Rns --noconfirm sunshine-bin
+fi
+if [[ $KEEP_MOONLIGHT -eq 0 ]] && pacman -Qi moonlight-qt >/dev/null 2>&1; then
+  as_root pacman -Rns --noconfirm moonlight-qt
+fi
+
+step "Removing udev rule (if we wrote one)"
+if [[ -f /etc/udev/rules.d/60-uinput.rules ]]; then
+  as_root rm -f /etc/udev/rules.d/60-uinput.rules
+  as_root udevadm control --reload-rules
+fi
+
+if [[ $PURGE -eq 1 ]]; then
+  step "Purging Sunshine user data"
+  rm -rf "$HOME/.config/sunshine" "$HOME/.local/share/sunshine"
+fi
+
+ok "Uninstall complete. Firewall rules and 'input' group membership were left in place."