Bug: install_sunshine always called yay_install on $SUNSHINE_PKG (default
sunshine-bin) before checking ldd. If the host already had sunshine (source
build) working, the bin install would replace it, trip the ldd check, and
the auto-recovery would rebuild source — a redundant 10-minute compile on
every ./install.sh re-run.
Fix: short-circuit at the top of install_sunshine when either sunshine or
sunshine-bin is already installed AND all its shared libs resolve. The
recovery dance only runs when there's actually something to fix.
Two robustness fixes for failures hit on a real install.
lib/packages.sh
- After installing $SUNSHINE_PKG, run ldd against the binary and check for
"not found" entries. sunshine-bin ships against whichever ICU was current
at AUR-build time; on rolling Arch (jarvis is on ICU 78, package built
against ICU 76) this leaves libicuuc.so.76 unresolved and sunshine exits
127 on every start, eventually tripping the systemd start-limit.
- If sunshine-bin has unresolved deps, remove it and fall back to the
source build (AUR 'sunshine'), then re-verify. If the user explicitly
chose --from-source and it still fails, bail with the ldd diagnostic.
lib/service.sh
- systemctl --user reset-failed before restart, so a previous attempt that
hit start-limit-hit doesn't immediately reject the new start request.
(Re-running install.sh after a broken first attempt was failing because
systemd remembered the prior rate-limit trip.)
Replaces Sunshine's self-signed cert with one minted from a private root CA
whose key material lives in 1Password. Every host running install.sh fetches
the CA via 'op read', mints itself a host cert with SANs for <hostname>.lan
and the current LAN IP, and installs the CA into the system trust store.
Bootstrap (run once, anywhere)
- scripts/cert-bootstrap.sh: generates a 4096-bit RSA root CA (10y validity),
uploads it as a Secure Note titled "Omarchy-Stream Root CA" in the Private
vault with two fields: cert (text) and key (concealed). Refuses to overwrite
an existing item without --force.
Per-host (lib/certs.sh)
- fetch_and_install_certs: reads op://Private/Omarchy-Stream Root CA/{cert,key}
to a tmpfs-staged temp dir (XDG_RUNTIME_DIR), mints a host cert via openssl
with serverAuth + clientAuth EKU, drops cert/key at ~/.config/sunshine/
credentials/{cacert,cakey}.pem, installs the CA at
/etc/ca-certificates/trust-source/anchors/omarchy-stream-ca.pem and runs
update-ca-trust.
- Idempotent: skips re-mint when on-disk cert is signed by the current CA,
has the expected SANs, and isn't within 30 days of expiry. Override with
FORCE_CERTS=1 or --force-certs.
install.sh
- Adds --no-certs, --force-certs flags; sources lib/certs.sh; runs cert step
after permissions/config and before firewall so the service restart at the
end of install picks up the new cert.
client/install-macos.sh
- After installing Moonlight, if `op` is available and signed in, fetches the
CA and adds it as a trusted root to /Library/Keychains/System.keychain via
`security add-trusted-cert -d -r trustRoot`. Skips cleanly when op isn't
ready.
uninstall.sh
- Adds --remove-ca-trust to delete the system trust anchor. By default the
CA is left in place since other tools may rely on it.
verify.sh
- Adds checks for: cert signed by omarchy-stream CA, cert >30 days from
expiry, CA present in system trust store.
Docs
- README "Trusted TLS certs via 1Password" section: bootstrap flow, per-host
flow, client trust matrix (Linux / macOS / iOS / Android / Apple TV),
re-pairing note (first cert install on a host invalidates pinned Moonlight
fingerprints), config env vars.
- client/README gains per-platform CA-trust install steps with concrete
`op read` + platform-specific commands.
Headless mode (new) — for KVM-attached hosts streaming to disconnected clients
- --headless / --mirror flags; default headless on hostname JARVIS, mirror elsewhere
- New lib/headless.sh installs prep-cmd hooks to ~/.local/share/omarchy-moonlight/bin
- bin/sunshine-stream-do.sh creates/resizes a Hyprland HEADLESS-1 output to the
connecting client's resolution and migrates the active workspace onto it
- bin/sunshine-stream-undo.sh tears down the headless output on disconnect and
returns the workspace to a non-headless monitor when one is available
- lib/config.sh writes capture=wlr, output_name=HEADLESS-1, and the JSON
global_prep_cmd entry referencing the installed hook paths
- lib/preflight.sh adds a preflight_headless step that checks hyprctl, jq, and
a running Hyprland session (warn-only, install can proceed)
- lib/verify.sh adds checks for the hook scripts and the wlr/global_prep_cmd
config lines
Mac client
- client/install-macos.sh: Darwin guard, Homebrew presence check, brew cask
install of Moonlight, idempotent
- client/README.md: per-platform install (macOS / Android / iOS / Apple TV /
Linux + Steam Deck) and the five-step first-pair walkthrough
Other
- jq added to the helper install set in lib/packages.sh (hooks parse Hyprland
JSON output)
- README.md rewritten to cover both modes, the new flags, the tuned defaults
per mode + per vendor, the headless internals, and the client pointer
Layers a few things on top of the initial scaffold:
- Default to sunshine-bin (precompiled, ~seconds) instead of building from
source. --from-source restores the old behavior.
- Add lib/preflight.sh: catches the gotchas before any work is done —
Wayland session, NVIDIA driver responsive, nvidia-drm.modeset, amdgpu
loaded, pipewire-pulse present, SSH-without-session warning.
- Add lib/config.sh: writes a tuned ~/.config/sunshine/sunshine.conf with
per-vendor encoder settings (NVENC P1+ll+cbr, VAAPI ultralowlatency,
QuickSync veryfast), KMS capture, pulse audio sink. Uses a
"# managed-by: omarchy-moonlight" marker; removing it hands ownership
back to the user and the installer won't touch the file again.
- Add lib/verify.sh: post-install verification of every step
(cap_sys_admin set, group resolves, udev rule present, /dev/uinput
exists, encoder reachable, service active, :47990 listening). Same
checks are reachable standalone via --doctor.
- Install runtime helpers (pipewire-pulse, vulkan-tools, libva-utils)
alongside Sunshine for diagnostics + audio.
- Uninstall handles both sunshine + sunshine-bin and the -bin moonlight
variant.
- README documents the tuning table, the new flags, and the modeset
troubleshooting path.
Sets up bidirectional game streaming across Omarchy/Hyprland/Wayland
machines (NVIDIA desktop and AMD Framework laptop), with the Macbook
as an additional Moonlight client.
The same install.sh runs on either machine; GPU vendor is detected at
runtime and the appropriate hardware-encode packages are installed.
Includes:
- KMS capture setup (cap_sys_admin on sunshine, input group, uinput udev rule)
- ufw / firewalld port opening when a firewall is active
- systemd --user service + loginctl enable-linger for always-on hosting
- uninstall.sh with --purge for user data removal
- Flags to install host-only or client-only
