Add Debian/Ubuntu support via a thin distro dispatch layer

Adds a parallel install path for Debian/Ubuntu hosts alongside the existing
Arch/Omarchy/Hyprland one. The Arch path is untouched at runtime; everything
new is gated on $DISTRO and (for headless) $COMPOSITOR.

Highlights:
- lib/distro.sh: detect_distro + pkg_install/pkg_remove/ca_anchor_path/
  ca_update_trust dispatch helpers
- lib/packages.sh: Ubuntu sunshine install pulls LizardByte's official .deb
  from GitHub releases (override via SUNSHINE_DEB_URL/SUNSHINE_DEB_VERSION);
  GPU encoder packages branch per $DISTRO:$GPU_VENDOR
- bin/sunshine-stream-{do,undo,prestart}-sway.sh + files/sway-headless.*:
  swaymsg-based headless capture path for hosts without Hyprland. sway runs
  under a systemd-user unit that sunshine.service depends on via drop-in.
- lib/preflight.sh: clearer NVIDIA driver guidance on Ubuntu (we don't install
  the driver - too many branch/kernel/Secure-Boot variants); sway-aware
  headless preflight
- lib/certs.sh + lib/verify.sh + uninstall.sh: distro-aware CA trust anchor
  (Arch: /etc/ca-certificates/trust-source/anchors + update-ca-trust;
   Debian: /usr/local/share/ca-certificates + update-ca-certificates)

Verified on Ubuntu 24.04: ./install.sh --doctor --headless loads cleanly,
distro/GPU/compositor detection report the right values, all pre-install
failures correspond to the actual missing pieces.

lib/certs.sh

@@ -21,14 +21,21 @@
 SUNSHINE_CRED_DIR="$HOME/.config/sunshine/credentials"
 SUNSHINE_CERT="$SUNSHINE_CRED_DIR/cacert.pem"
 SUNSHINE_KEY="$SUNSHINE_CRED_DIR/cakey.pem"
-SYSTEM_TRUST_ANCHOR="/etc/ca-certificates/trust-source/anchors/omarchy-stream-ca.pem"
+# Resolved per-distro via lib/distro.sh:
+#   Arch:   /etc/ca-certificates/trust-source/anchors/omarchy-stream-ca.pem
+#   Debian: /usr/local/share/ca-certificates/omarchy-stream-ca.crt
+# Read it via ca_anchor_path; do not hard-code here.
 
 # --- 1Password helpers ----------------------------------------------------
 
 op_require_signin() {
   if ! command -v op >/dev/null 2>&1; then
     err "1Password CLI ('op') not found on PATH."
-    err "Install it: yay -S 1password-cli"
+    case "$DISTRO" in
+      arch)   err "Install it: yay -S 1password-cli" ;;
+      debian) err "Install it: https://developer.1password.com/docs/cli/get-started/  (apt repo or .deb)" ;;
+      *)      err "Install the 1Password CLI from https://developer.1password.com/docs/cli/get-started/" ;;
+    esac
     return 1
   fi
   if ! op whoami >/dev/null 2>&1; then
@@ -124,16 +131,25 @@ EOF
 
 install_ca_to_system_trust() {
   local ca_pem="$1"
-  # Idempotent: compare sha256 first to avoid pointless update-ca-trust runs.
-  if [[ -f "$SYSTEM_TRUST_ANCHOR" ]] \
-     && cmp -s "$ca_pem" "$SYSTEM_TRUST_ANCHOR"; then
+  local anchor
+  anchor="$(ca_anchor_path)"
+  if [[ -z "$anchor" ]]; then
+    warn "Don't know how to install CA on distro '$DISTRO' — skipping system trust step."
+    return 0
+  fi
+  # Idempotent: compare sha256 first to avoid pointless update-ca-* runs.
+  if [[ -f "$anchor" ]] && cmp -s "$ca_pem" "$anchor"; then
     ok "CA already in system trust store"
     return 0
   fi
-  info "Installing CA into $SYSTEM_TRUST_ANCHOR"
-  as_root install -m 0644 "$ca_pem" "$SYSTEM_TRUST_ANCHOR"
-  as_root update-ca-trust extract >/dev/null
-  ok "System trust store refreshed (update-ca-trust)"
+  # Debian's update-ca-certificates only picks up files under
+  # /usr/local/share/ca-certificates/ that end in .crt. The path returned by
+  # ca_anchor_path already accounts for that.
+  info "Installing CA into $anchor"
+  as_root mkdir -p "$(dirname "$anchor")"
+  as_root install -m 0644 "$ca_pem" "$anchor"
+  ca_update_trust
+  ok "System trust store refreshed"
 }
 
 # --- Top-level orchestration ---------------------------------------------