Several run_once scripts unconditionally called sudo pacman/apt to install packages — even on boxes where every package was already present. That triggered a sudo password prompt on every fresh chezmoi apply for nothing. Two changes: 1. .chezmoi.yaml.tmpl: fall back to ~/.local/bin/age if /usr/bin/age isn't installed (matters during initial bootstrap before age is installed system-wide). 2. run_once_*.sh.tmpl: detect missing packages first; only call sudo if there's actually something to install. For the LAN hosts script, detect the existing block and skip if it's already correct. These changes are transparent on boxes that already had everything installed (the existing 5): no behavior change. They reduce sudo prompts on bit (the new box, where most packages are pre-installed) from ~5 prompts to 1 (just for /etc/hosts).
#!/usr/bin/env bash
# =============================================================================
# run_once_00-install-bootstrap-tools.sh.tmpl
# Install age, curl, ca-certificates, git — needed before anything else.
# Idempotent: skips if already installed.
# =============================================================================
# Strict mode: abort on any unhandled command failure (-e), on expansion of an
# unset variable (-u), and when any stage of a pipeline fails (pipefail).
set -euo pipefail
# Print an informational line to stdout, prefixed with a bold-blue
# "[bootstrap]" tag.
# Arguments: all arguments are joined with spaces into one message.
log() {
  local message="$*"
  printf '\033[1;34m[bootstrap]\033[0m %s\n' "$message"
}
# Print an error line to stderr, prefixed with a bold-red "[bootstrap ERROR]"
# tag, then terminate the script with exit status 1.
# Arguments: all arguments are joined with spaces into one message.
die() {
  local reason="$*"
  printf '\033[1;31m[bootstrap ERROR]\033[0m %s\n' "$reason" >&2
  exit 1
}
# This script runs as the invoking user via `chezmoi apply`/`init`. It uses
# sudo for system package installs. If sudo isn't passwordless, the user
# will be prompted once per sudo invocation.
{{ if eq .os_family "arch" -}}
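# Only touch pacman (and therefore sudo) if anything is missing. Avoids a
# no-op sudo (which would still prompt for a password even when there's
# nothing to install) on boxes where all the bootstrap tools are already
# present.
#
# A name counts as present when it resolves on PATH or when pacman's local
# database has it. The second check covers names that are packages but not
# executables (ca-certificates, base-devel). The PATH check accepts any
# executable of that name, including one in a user-writable directory if PATH
# contains it, so it says nothing about where the tool came from.
MISSING_PKGS=()
for p in age curl ca-certificates git base-devel wget; do
  if ! command -v "$p" >/dev/null 2>&1 && ! pacman -Qi "$p" >/dev/null 2>&1; then
    MISSING_PKGS+=("$p")
  fi
done

if (( ${#MISSING_PKGS[@]} > 0 )); then
  log "pacman-sync (missing: ${MISSING_PKGS[*]})"
  log "install base tools (arch)"
  # One transaction and one sudo call. -Syu is used instead of `-Sy` followed
  # by `-S`: refreshing the database and then installing only selected
  # packages is a partial upgrade, which Arch does not support and which can
  # leave the new packages built against libraries newer than those installed.
  sudo pacman -Syu --needed --noconfirm "${MISSING_PKGS[@]}"
else
  log "all base tools already installed; skipping pacman"
fi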
{{ else if eq .os_family "debian" -}}
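export DEBIAN_FRONTEND=noninteractive
# Only run apt if anything is missing, so a no-op sudo isn't required.
#
# A name counts as present when it resolves on PATH or when dpkg records the
# package as fully installed. The dpkg check is needed because several entries
# ship no executable of the same name (ca-certificates, libssl-dev, and gnupg,
# whose binary is gpg). With `command -v` alone they would look missing on
# every run, so sudo and a full apt upgrade would run on every apply.
# The PATH check accepts any executable of that name, including one in a
# user-writable directory if PATH contains it.
MISSING_PKGS=()
for p in age curl ca-certificates git wget gnupg libssl-dev pkg-config; do
  if command -v "$p" >/dev/null 2>&1; then
    continue
  fi
  # Substring match: with several architectures installed, dpkg-query prints
  # one status per instance with no separator between them.
  pkg_status=$(dpkg-query -W -f='${Status}' "$p" 2>/dev/null || true)
  if [[ "$pkg_status" == *"install ok installed"* ]]; then
    continue
  fi
  MISSING_PKGS+=("$p")
done

if (( ${#MISSING_PKGS[@]} > 0 )); then
  # sudo's default env_reset policy usually drops exported variables, so the
  # export above may never reach apt-get. Setting the variable through env on
  # the root side keeps debconf from stopping to ask questions.
  apt_get=(sudo env DEBIAN_FRONTEND=noninteractive apt-get)

  log "apt-update (missing: ${MISSING_PKGS[*]})"
  "${apt_get[@]}" update -y
  log "apt-upgrade"
  "${apt_get[@]}" upgrade -y
  log "install base tools (debian)"
  "${apt_get[@]}" install -y --no-install-recommends "${MISSING_PKGS[@]}"
else
  log "all base tools already installed; skipping apt"
fi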
{{ else -}}
# Rendered only when os_family is neither "arch" nor "debian": stop with an
# error instead of guessing at a package manager.
die "unsupported os_family: {{ .os_family }} (this script supports arch or debian)"
{{ end -}}
log "bootstrap tools installed"
# Print where each tool resolves on PATH and its version, as a visible record
# of which binaries this run ended up with. The last iteration's status is the
# script's exit status, so a missing git makes the script exit non-zero while
# a missing age does not.
for tool in age git; do
  command -v "$tool" && "$tool" --version
done