Levi Woodard
e878b392e4
Replaces Sunshine's self-signed cert with one minted from a private root CA
whose key material lives in 1Password. Every host running install.sh fetches
the CA via 'op read', mints itself a host cert with SANs for <hostname>.lan
and the current LAN IP, and installs the CA into the system trust store.
Bootstrap (run once, anywhere)
- scripts/cert-bootstrap.sh: generates a 4096-bit RSA root CA (10y validity),
uploads it as a Secure Note titled "Omarchy-Stream Root CA" in the Private
vault with two fields: cert (text) and key (concealed). Refuses to overwrite
an existing item without --force.
Per-host (lib/certs.sh)
- fetch_and_install_certs: reads op://Private/Omarchy-Stream Root CA/{cert,key}
to a tmpfs-staged temp dir (XDG_RUNTIME_DIR), mints a host cert via openssl
with serverAuth + clientAuth EKU, drops cert/key at ~/.config/sunshine/
credentials/{cacert,cakey}.pem, installs the CA at
/etc/ca-certificates/trust-source/anchors/omarchy-stream-ca.pem and runs
update-ca-trust.
- Idempotent: skips re-mint when on-disk cert is signed by the current CA,
has the expected SANs, and isn't within 30 days of expiry. Override with
FORCE_CERTS=1 or --force-certs.
install.sh
- Adds --no-certs, --force-certs flags; sources lib/certs.sh; runs cert step
after permissions/config and before firewall so the service restart at the
end of install picks up the new cert.
client/install-macos.sh
- After installing Moonlight, if `op` is available and signed in, fetches the
CA and adds it as a trusted root to /Library/Keychains/System.keychain via
`security add-trusted-cert -d -r trustRoot`. Skips cleanly when op isn't
ready.
uninstall.sh
- Adds --remove-ca-trust to delete the system trust anchor. By default the
CA is left in place since other tools may rely on it.
verify.sh
- Adds checks for: cert signed by omarchy-stream CA, cert >30 days from
expiry, CA present in system trust store.
Docs
- README "Trusted TLS certs via 1Password" section: bootstrap flow, per-host
flow, client trust matrix (Linux / macOS / iOS / Android / Apple TV),
re-pairing note (first cert install on a host invalidates pinned Moonlight
fingerprints), config env vars.
- client/README gains per-platform CA-trust install steps with concrete
`op read` + platform-specific commands.
215 lines
6.5 KiB
Bash
Executable File
215 lines
6.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# omarchy-moonlight installer
|
|
# Sets up Sunshine (host) + Moonlight (client) on Omarchy/Hyprland/Wayland.
|
|
# Idempotent: re-run safely. Same script works on NVIDIA and AMD machines.
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
# shellcheck source=lib/common.sh
|
|
source "$SCRIPT_DIR/lib/common.sh"
|
|
# shellcheck source=lib/detect.sh
|
|
source "$SCRIPT_DIR/lib/detect.sh"
|
|
# shellcheck source=lib/preflight.sh
|
|
source "$SCRIPT_DIR/lib/preflight.sh"
|
|
# shellcheck source=lib/packages.sh
|
|
source "$SCRIPT_DIR/lib/packages.sh"
|
|
# shellcheck source=lib/permissions.sh
|
|
source "$SCRIPT_DIR/lib/permissions.sh"
|
|
# shellcheck source=lib/config.sh
|
|
source "$SCRIPT_DIR/lib/config.sh"
|
|
# shellcheck source=lib/firewall.sh
|
|
source "$SCRIPT_DIR/lib/firewall.sh"
|
|
# shellcheck source=lib/service.sh
|
|
source "$SCRIPT_DIR/lib/service.sh"
|
|
# shellcheck source=lib/verify.sh
|
|
source "$SCRIPT_DIR/lib/verify.sh"
|
|
# shellcheck source=lib/headless.sh
|
|
source "$SCRIPT_DIR/lib/headless.sh"
|
|
# shellcheck source=lib/certs.sh
|
|
source "$SCRIPT_DIR/lib/certs.sh"
|
|
|
|
usage() {
|
|
cat <<EOF
|
|
Usage: $(basename "$0") [options]
|
|
|
|
Installs Sunshine + Moonlight on an Omarchy machine.
|
|
|
|
Options:
|
|
--no-autostart Don't enable user service or lingering (manual start only)
|
|
--no-firewall Skip firewall configuration
|
|
--no-moonlight Don't install moonlight-qt (host-only setup)
|
|
--no-sunshine Don't install sunshine (client-only setup)
|
|
--no-config Don't write a tuned sunshine.conf
|
|
--from-source Build Sunshine from source (equivalent to SUNSHINE_PKG=sunshine)
|
|
--headless Force headless streaming mode (wlr capture of HEADLESS-1)
|
|
--mirror Force mirror mode (KMS capture of the real display)
|
|
--no-certs Skip the 1Password-backed cert step (use Sunshine's self-signed)
|
|
--force-certs Re-mint the host cert even if the current one is valid
|
|
--doctor Run only the post-install verification checks
|
|
-h, --help Show this help
|
|
|
|
Environment overrides:
|
|
SUNSHINE_PKG AUR package to use for Sunshine (default: sunshine-bin)
|
|
Set to 'sunshine' to build from source instead.
|
|
OP_VAULT 1Password vault that holds the root CA (default: Private)
|
|
OP_CA_ITEM Item title in that vault (default: Omarchy-Stream Root CA)
|
|
EOF
|
|
}
|
|
|
|
AUTOSTART=1
|
|
FIREWALL=1
|
|
INSTALL_SUNSHINE=1
|
|
INSTALL_MOONLIGHT=1
|
|
WRITE_CONFIG=1
|
|
DOCTOR_ONLY=0
|
|
MODE_OVERRIDE=""
|
|
INSTALL_CERTS=1
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--no-autostart) AUTOSTART=0 ;;
|
|
--no-firewall) FIREWALL=0 ;;
|
|
--no-moonlight) INSTALL_MOONLIGHT=0 ;;
|
|
--no-sunshine) INSTALL_SUNSHINE=0 ;;
|
|
--no-config) WRITE_CONFIG=0 ;;
|
|
--no-certs) INSTALL_CERTS=0 ;;
|
|
--force-certs) export FORCE_CERTS=1 ;;
|
|
--from-source) export SUNSHINE_PKG=sunshine ;;
|
|
--headless) MODE_OVERRIDE="headless" ;;
|
|
--mirror) MODE_OVERRIDE="mirror" ;;
|
|
--doctor) DOCTOR_ONLY=1 ;;
|
|
-h|--help) usage; exit 0 ;;
|
|
*) err "Unknown option: $1"; usage; exit 2 ;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
# Pick streaming mode: explicit flag wins; otherwise default to headless on
|
|
# JARVIS (the KVM-attached primary target) and mirror everywhere else.
|
|
compute_stream_mode() {
|
|
if [[ -n "$MODE_OVERRIDE" ]]; then
|
|
STREAM_MODE="$MODE_OVERRIDE"
|
|
return 0
|
|
fi
|
|
local host_lc="${HOSTNAME_SHORT,,}"
|
|
if [[ "$host_lc" == "jarvis" ]]; then
|
|
STREAM_MODE="headless"
|
|
else
|
|
STREAM_MODE="mirror"
|
|
fi
|
|
}
|
|
|
|
main() {
|
|
require_not_root
|
|
require_arch
|
|
require_yay
|
|
|
|
step "Detecting system"
|
|
detect_all
|
|
compute_stream_mode
|
|
export STREAM_MODE
|
|
info "Host: $HOSTNAME_SHORT GPU: $GPU_VENDOR Session: $SESSION_TYPE"
|
|
info "Mode: $STREAM_MODE"
|
|
|
|
if [[ $DOCTOR_ONLY -eq 1 ]]; then
|
|
verify_install
|
|
exit $(( VERIFY_FAILURES > 0 ? 1 : 0 ))
|
|
fi
|
|
|
|
step "Preflight checks"
|
|
preflight_all
|
|
|
|
if [[ $INSTALL_SUNSHINE -eq 1 ]]; then
|
|
step "Installing Sunshine and GPU encoder support"
|
|
install_sunshine
|
|
install_gpu_encoder_packages
|
|
|
|
step "Configuring permissions for KMS capture and virtual input"
|
|
ensure_input_group
|
|
ensure_uinput_udev_rule
|
|
set_sunshine_capabilities
|
|
|
|
if [[ "$STREAM_MODE" == "headless" ]]; then
|
|
step "Installing headless prep-cmd hooks"
|
|
install_headless_hooks
|
|
fi
|
|
|
|
if [[ $WRITE_CONFIG -eq 1 ]]; then
|
|
step "Writing tuned sunshine.conf"
|
|
write_sunshine_config "$STREAM_MODE"
|
|
else
|
|
info "Skipping sunshine.conf (--no-config)"
|
|
fi
|
|
|
|
if [[ $INSTALL_CERTS -eq 1 ]]; then
|
|
step "Installing CA-signed Sunshine cert from 1Password"
|
|
if fetch_and_install_certs; then
|
|
CERTS_REPLACED=1
|
|
else
|
|
warn "Cert install failed — falling back to Sunshine's self-signed cert."
|
|
warn "Run scripts/cert-bootstrap.sh to create the CA item, then re-run install.sh."
|
|
fi
|
|
else
|
|
info "Skipping cert step (--no-certs)"
|
|
fi
|
|
|
|
if [[ $FIREWALL -eq 1 ]]; then
|
|
step "Configuring firewall for Sunshine ports"
|
|
open_sunshine_ports
|
|
else
|
|
info "Skipping firewall (--no-firewall)"
|
|
fi
|
|
|
|
if [[ $AUTOSTART -eq 1 ]]; then
|
|
step "Enabling Sunshine user service"
|
|
enable_sunshine_service
|
|
else
|
|
info "Skipping autostart (--no-autostart). Start manually with: systemctl --user start sunshine"
|
|
fi
|
|
else
|
|
info "Skipping Sunshine install (--no-sunshine)"
|
|
fi
|
|
|
|
if [[ $INSTALL_MOONLIGHT -eq 1 ]]; then
|
|
step "Installing Moonlight client"
|
|
install_moonlight
|
|
else
|
|
info "Skipping Moonlight install (--no-moonlight)"
|
|
fi
|
|
|
|
if [[ $INSTALL_SUNSHINE -eq 1 ]]; then
|
|
verify_install
|
|
fi
|
|
|
|
step "Done"
|
|
print_next_steps
|
|
}
|
|
|
|
print_next_steps() {
|
|
local ip
|
|
ip="$(ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | head -n1)"
|
|
cat <<EOF
|
|
|
|
${BOLD}Next steps:${RESET}
|
|
|
|
1. ${BOLD}Re-login${RESET} (or run ${DIM}newgrp input${RESET}) if you weren't already in the 'input' group.
|
|
This is required for Sunshine to access /dev/uinput.
|
|
|
|
2. Open Sunshine's web UI to set credentials and pair clients:
|
|
${BOLD}https://localhost:47990${RESET}
|
|
(Self-signed cert — accept the browser warning.)
|
|
|
|
3. On a Moonlight client (this machine, the Framework, or your Mac):
|
|
- Add this host by IP: ${BOLD}${ip:-<your-lan-ip>}${RESET}
|
|
- Enter the 4-digit PIN that Sunshine's UI shows during pairing.
|
|
|
|
4. To check status: ${DIM}systemctl --user status sunshine${RESET}
|
|
To view logs: ${DIM}journalctl --user -u sunshine -f${RESET}
|
|
To uninstall: ${DIM}$SCRIPT_DIR/uninstall.sh${RESET}
|
|
|
|
EOF
|
|
}
|
|
|
|
main "$@"
|