# Kickstart file for AlmaLinux 10.1 KDE Plasma Desktop
#
# Guided installation: Anaconda runs in graphical mode.
graphical
#
# Network information
# DHCP on the first interface that has link. IPv6 is switched off for the
# device here; %post additionally puts ipv6.disable=1 on the kernel command line.
network --bootproto=dhcp --device=link --noipv6 --activate --onboot=on
network  --hostname=client201.faistos.net
#
# Add Repositories with mirrors
# Every repository is reached over HTTPS. --install also writes each one into
# the installed system as a ks-*.repo file; %post removes those files at the end.
# The EPEL entry has a higher cost (200), so the distribution repos win on ties.
repo --name="ks-appstream" --mirrorlist=https://mirrors.almalinux.org/mirrorlist/10.1/appstream?arch=x86_64_v2 --install --cost=100
repo --name="ks-baseos" --mirrorlist=https://mirrors.almalinux.org/mirrorlist/10.1/baseos?arch=x86_64_v2 --install --cost=100
repo --name="ks-crb" --mirrorlist=https://mirrors.almalinux.org/mirrorlist/10.1/crb?arch=x86_64_v2 --install --cost=100
repo --name="ks-extras" --mirrorlist=https://mirrors.almalinux.org/mirrorlist/10.1/extras?arch=x86_64_v2 --install --cost=100
repo --name="ks-epel" --baseurl="https://epel.repo.almalinux.org/10.1/x86_64_v2/" --install --cost=200
#
# Use Internet Install
# The commented-out line is the fixed-URL alternative to the mirror list.
#url --url="https://repo.almalinux.org/almalinux/10.1/BaseOS/x86_64_v2/os/"
url --mirrorlist="https://mirrors.almalinux.org/mirrorlist/10.1/baseos?arch=x86_64_v2"
#
# License agreement
eula --agreed
#
# Enable the first-boot agent (Initial Setup runs on the first start)
firstboot --enable
#
# Users
# Both password hashes are yescrypt ($y$ prefix) and are stored in this file as
# written. Anyone who can read the kickstart or the install media can run
# offline guessing against them, so keep access to the file restricted and
# change both passwords once the machine is deployed.
# diaxiristis is a member of wheel, i.e. a sudo-capable administrator.
rootpw --iscrypted $y$j9T$4fQeA5KKOLtaPZDy4t/WN7MN$D44rOHfYBq2V1dzk.yW5rxIsmKUx0dcJXIO06WZPq06
user --groups=wheel,adm,video,audio,dialout,users --name=diaxiristis --password=$y$j9T$fgDjeZEfItiiRyS29xQbvdRu$RPRU2sR1zyaFWDp37lTdIQ4o/VOO.Y/5pCwJ24EmKA4 --iscrypted --gecos="F2.0 Admin"
#
# Disable kdump
%addon com_redhat_kdump --disable
%end
#
# System language + Keyboard
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
#
# System timezone + NTP
# The pool source is plain NTP. The LAN server is marked --nts (Network Time
# Security), which authenticates the server through its TLS certificate.
# NOTE(review): the NTS server is given as an IP address; confirm that its
# certificate is valid for 192.168.13.181, otherwise the NTS handshake fails
# and only the unauthenticated pool source remains usable.
timesource --ntp-pool=2.almalinux.pool.ntp.org
timesource --ntp-server=192.168.13.181 --nts
timezone Etc/GMT --utc
#
# -----------------------------------------
# Disk autodetect + storage + Partitioning
# -----------------------------------------
%pre --interpreter=/bin/bash
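set -euo pipefail
#
# Choose the install target: the first fixed (RM=0) whole disk reported by
# lsblk that is NOT the disk carrying the installation media.
#
# The storage file generated below runs "clearpart --all" on the chosen disk,
# and a USB SSD/HDD holding the installer can report RM=0 just like an internal
# drive, so the media disk is excluded explicitly when it can be identified.
media_src="$(findmnt -no SOURCE /run/install/repo 2>/dev/null || true)"
media_disk=""
if [[ -n "${media_src}" && -b "${media_src}" ]]; then
  # PKNAME is the parent disk of a partition; it is empty when the source is
  # already a whole device, in which case the source itself is used.
  media_disk="$(lsblk -dpno PKNAME "${media_src}" 2>/dev/null | head -n 1 || true)"
  [[ -n "${media_disk}" ]] || media_disk="${media_src}"
fi
#
# lsblk columns: NAME (full path because of -p), TYPE, RM (1 = removable).
DISK="$(lsblk -dpno NAME,TYPE,RM \
  | awk -v skip="${media_disk}" '$2=="disk" && $3==0 && $1!=skip {print $1; exit}')"
if [[ -z "${DISK:-}" ]]; then
  # Keep the marker file and also report on stderr so the failure is visible
  # in the installer's %pre log.
  echo "No suitable install disk found" | tee /tmp/ks-pre.error >&2
  exit 1
fi
#
# Kickstart storage commands take the bare device name (sda, nvme0n1, ...).
disk_name="${DISK##*/}"
#
# Every data partition is LUKS2-encrypted; /boot and the EFI system partition
# stay in the clear. No --passphrase is given, so the passphrase is presumably
# requested by the graphical installer - confirm on a test install.
# NOTE(review): /tmp, /var/tmp and the log partitions are created without
# restrictive mount options (nodev/nosuid/noexec); decide whether they are wanted.
cat > /tmp/storage.ks <<EOF
ignoredisk --only-use=${disk_name}
#
clearpart --all --initlabel --drives=${disk_name}
#
part /boot/efi       --fstype="efi"  --ondisk=${disk_name} --size=1024  --fsoptions="umask=0077,shortname=winnt" --label=EFI
part /boot           --fstype="xfs"  --ondisk=${disk_name} --size=1024  --label=boot
part /               --fstype="xfs"  --ondisk=${disk_name} --size=87040 --label=root      --encrypted --luks-version=luks2
part swap            --fstype="swap" --ondisk=${disk_name} --size=16384 --label=swap      --encrypted --luks-version=luks2
part /var            --fstype="xfs"  --ondisk=${disk_name} --size=10240 --label=var       --encrypted --luks-version=luks2
part /var/log        --fstype="xfs"  --ondisk=${disk_name} --size=10240 --label=var_log   --encrypted --luks-version=luks2
part /var/log/audit  --fstype="xfs"  --ondisk=${disk_name} --size=10240 --label=log_audit --encrypted --luks-version=luks2
part /var/tmp        --fstype="xfs"  --ondisk=${disk_name} --size=10240 --label=var_tmp   --encrypted --luks-version=luks2
part /tmp            --fstype="xfs"  --ondisk=${disk_name} --size=10240 --label=tmp       --encrypted --luks-version=luks2
# Last partition: to /home. the rest space left
part /home           --fstype="xfs"  --ondisk=${disk_name} --size=1 --grow --label=home      --encrypted --luks-version=luks2
EOF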
%end
#
# Storage commands written to /tmp/storage.ks by the %pre script.
%include /tmp/storage.ks
#
# Basic Installation
# Only the minimal environment is installed by Anaconda; the desktop and every
# other package are added with dnf inside %post.
%packages
@^minimal-environment
%end
# =========================================================================
# 1st POST: NOCHROOT (We have access to USB)
# =========================================================================
%post --nochroot
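# The installer has mounted the USB media at /run/install/repo.
# Stage its extras/ directory on the target disk (/mnt/sysimage) so the
# chrooted %post can read it as /tmp/extras_temp.
#
# NOTE(review): everything under extras/ is trusted as-is and later installed
# as root-owned scripts, systemd units and sudo-related files. A checksum
# manifest shipped with the media and verified here (sha256sum -c) would detect
# a modified or corrupted stick before its content is installed.
extras_src=/run/install/repo/extras
extras_dst=/mnt/sysimage/tmp/extras_temp
if [ ! -d "$extras_src" ]; then
  # Without this check the failure only shows up later as dozens of cp errors.
  echo "extras directory not found on install media: $extras_src" >&2
  exit 1
fi
mkdir -p "$extras_dst"
cp -r -- "$extras_src"/* "$extras_dst"/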
%end
# =========================================================================
# POST: CHROOT (System Configuration)
# =========================================================================
%post --log=/root/ks-post.log
#
# Staging directory filled by the --nochroot %post (path as seen in the chroot).
SRC=/tmp/extras_temp
#
# Emergency access: create any missing SSH host keys and enable sshd at boot.
# Both steps are best-effort, a failure must not stop the rest of %post.
# NOTE(review): sshd stays enabled after installation and nothing in this
# script restricts who may log in over SSH - confirm that this is intended.
ssh-keygen -A || :
systemctl enable sshd || :
#
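# -------------------------
# Create directories on target disk
# /etc/sysctl.d, /etc/clamd.d and /usr/share/pixmaps are copy targets of this
# script as well. /etc/clamd.d in particular is not expected to exist yet,
# because the clamav packages are installed only later; without it the copy of
# scan.conf fails and clamd@scan would start with the packaged default config.
mkdir -p \
  "/usr/share/icons/hicolor/scalable/apps" \
  "/usr/share/plymouth/themes/spinfinity" \
  "/usr/share/applications" \
  "/usr/share/pixmaps" \
  "/etc/xdg/autostart" \
  "/opt" \
  "/usr/local/bin" \
  "/etc/systemd/system" \
  "/etc/systemd/user" \
  "/etc/logrotate.d" \
  "/etc/sysctl.d" \
  "/etc/clamd.d" \
  "/usr/share/backgrounds" \
  "/usr/share/wallpapers" \
  "/usr/share/icons" \
  "/etc/dnf/plugins/post-transaction-actions.d/" \
  "/etc/yum.repos.d/DefaultRepos" \
  "/home/diaxiristis/.config" \
  "/home/diaxiristis/.config/linphone" \
  "/home/diaxiristis/.local" \
  "/home/diaxiristis/.local/share" \
  "/home/diaxiristis/.local/share/linphone" \
  "/home/diaxiristis/.local/share/linphone/codecs"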
#
# Copy AppImages, images and configuration files
# Each manifest line is "<file in $SRC> <destination>"; every entry is copied
# with "cp -f". Several of these files end up running with root privileges
# (systemd units, /usr/local/bin scripts, the dnf post-transaction action), so
# the content of the staging directory is security-relevant.
while read -r item target; do
    cp -f "$SRC/$item" "$target"
done <<'MANIFEST'
linphone.svg /usr/share/icons/hicolor/scalable/apps/
linphone.desktop /usr/share/applications/
linphonerc /home/diaxiristis/.config/linphone/
H264.txt /home/diaxiristis/.local/share/linphone/codecs/
libopenh264.so /home/diaxiristis/.local/share/linphone/codecs/
conky-logomark-violet.svg /usr/share/icons/hicolor/scalable/apps/
conky.desktop /etc/xdg/autostart/
conky.desktop /usr/share/applications/
conkyrc /etc/conkyrc
header-image.png /usr/share/plymouth/themes/spinfinity/
header-image.png /usr/share/icons/hicolor/scalable/apps/
connection_to_2ndvpn.sh /opt/
connection_to_2ndvpn.sh.desktop /etc/xdg/autostart/
connection_to_2ndvpn.sh.desktop /usr/share/applications/
google.chrome.svg /usr/share/icons/
pfsense-pre-shutdown.sh /usr/local/bin/
pfsense-pre-shutdown-hook.service /etc/systemd/system/
pfsense-pre-shutdown /etc/logrotate.d/
background.jpeg /usr/share/backgrounds/
background.jpeg /usr/share/wallpapers/
kscreenlockerrc /home/diaxiristis/.config/
ksplashrc /home/diaxiristis/.config/
ktimezonedrc /home/diaxiristis/.config/
kwinrc /home/diaxiristis/.config/
kxkbrc /home/diaxiristis/.config/
plasma-localerc /home/diaxiristis/.config/
powerdevilrc /home/diaxiristis/.config/
spinfinity.plymouth /usr/share/plymouth/themes/spinfinity/
secnet-customs.action /etc/dnf/plugins/post-transaction-actions.d/
secnet-post-dnf.sh /usr/local/bin/secnet-post-dnf.sh
secnet-monitor.path /etc/systemd/system/secnet-monitor.path
secnet-monitor.service /etc/systemd/system/secnet-monitor.service
secnet /etc/logrotate.d/secnet
99-hardening.conf /etc/sysctl.d/
ssh-conn-watch.service /etc/systemd/system/
ssh-conn-watch.sh /usr/local/bin/
clam_scan_dispatch.sh /usr/local/bin/
clam_scan_home.sh /usr/local/bin/
clam_scan_mount.sh /usr/local/bin/
clam_watch_home.sh /usr/local/bin/
clam_watch_mount.sh /usr/local/bin/
vc_mount_dispatch.sh /usr/local/bin/
home-antivirus.service /etc/systemd/user/
scanveracrypt1.service /etc/systemd/system/
scanveracrypt2.service /etc/systemd/system/
vc-mount-watcher.service /etc/systemd/system/
clamav-automation /etc/logrotate.d/
freshclam.conf /etc/freshclam.conf
scan.conf /etc/clamd.d/scan.conf
veracrypt.xpm /usr/share/pixmaps/
veracrypt.desktop /usr/share/applications/
setup_user_theme.sh /usr/local/bin/
MANIFEST
# The default configuration tree is a directory, hence the recursive copy.
cp -rf "$SRC/default-confs" "/opt/"
#
# Copy tarballs and installer inputs to /tmp (IMPORTANT: later steps of this
# script read them from there)
while read -r item target; do
    cp -f "$SRC/$item" "$target"
done <<'MANIFEST'
Watch_Dogs_Theme.tar.xz /tmp/
Win11OS-dark.tar.xz /tmp/
veracrypt.tar.xz /tmp/
conky.tar.xz /tmp/
ClientAlmaLinux10Local.repo /tmp/
Main.qml /tmp/Main.qml.custom
linphone.tar.xz /tmp/
MANIFEST
#
# Script permissions and ownership
# Scripts become world-executable (755), unit files world-readable (644).
# Failures are tolerated; an unmatched glob simply produces one chmod error.
for script_path in /opt/connection_to_2ndvpn.sh /usr/local/bin/*.sh; do
    chmod 755 "$script_path" || true
done
for unit_path in /etc/systemd/system/*.service /etc/systemd/user/*.service; do
    chmod 644 "$unit_path" || true
done
# The admin's home was populated as root above; hand it back to the user.
chown -R diaxiristis:diaxiristis /home/diaxiristis
#
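# GPG Keys & Repos
# The keys are fetched over HTTPS and imported into the RPM database so that
# package signatures can be verified below. A failed import is reported instead
# of being silently ignored, because signature checks depend on these keys.
rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-10 \
    || echo "WARNING: import of the AlmaLinux 10 key failed" >&2
rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-10-EPEL-AltArch \
    || echo "WARNING: import of the AlmaLinux 10 EPEL AltArch key failed" >&2
#
# DNF Config
cat <<EOF >> /etc/dnf/dnf.conf
max_parallel_downloads=10
EOF
#
# Install KDE Plasma Workspaces
dnf -y install epel-release
dnf -y groupinstall "KDE Plasma Workspaces"
#
# Add - Remove Programs
# Signature checking is left enabled for this transaction (no --nogpgcheck):
# it installs browsers, the antivirus and the firewall, and the keys needed to
# verify them were imported above.
dnf install -y firefox chromium lm_sensors python3-dnf-plugin-post-transaction-actions firewalld policycoreutils \
policycoreutils-python-utils rpmconf ntfsprogs inotify-tools hplip gnome-disk-utility btop zenity mc kcalc \
okular kolourpaint kamera skanpage gwenview libcamera-gstreamer clamav clamav-update clamav-data clamav-scanner-systemd clamav-filesystem \
flatpak ostree gtk2 wxGTK
#
# Best-effort: a failure here is logged and the script continues.
dnf install -y usbguard aide plymouth-theme-spinfinity || echo "FAILED: install failed"
#
# The glob is quoted so dnf, not the shell, expands it against package names.
dnf remove -y 'cockpit*' kdeconnectd NetworkManager-adsl NetworkManager-l2tp NetworkManager-pptp NetworkManager-bluetooth || echo "FAILED: remove failed"
#
dnf install -y setroubleshoot-server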
#
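#=====================================
# Plymouth & Grub & Rescue Images
#=====================================
echo "========== Configuring Boot, Plymouth and Rescue Mode =========="
#
# Identify the installed kernel from its module directory. A glob is used
# instead of parsing "ls"; the first directory in glob order is taken.
INSTALLED_KERNEL=""
for kernel_dir in /lib/modules/*/; do
    [ -d "$kernel_dir" ] || continue
    kernel_dir="${kernel_dir%/}"
    INSTALLED_KERNEL="${kernel_dir##*/}"
    break
done
echo "Target Kernel identified: $INSTALLED_KERNEL"
#
# Hide GRUB & disable the rescue entry in the GRUB defaults
# NOTE(review): a zero timeout only hides the menu, it is not an access
# control. If boot entries must not be editable at the console, a GRUB password
# (grub2-setpassword) is the relevant setting - confirm whether it is required.
sed -i 's/^GRUB_TIMEOUT=.*/GRUB_TIMEOUT=0/' /etc/default/grub
if grep -q '^GRUB_RESCUE_RECOVERY=' /etc/default/grub; then
    sed -i 's/^GRUB_RESCUE_RECOVERY=.*/GRUB_RESCUE_RECOVERY="false"/' /etc/default/grub
else
    echo 'GRUB_RESCUE_RECOVERY="false"' >> /etc/default/grub
fi
#
# Disable the rescue image in dracut (permanently)
mkdir -p /etc/dracut.conf.d/
echo 'dracut_rescue_image="no"' > /etc/dracut.conf.d/02-rescue.conf
#
# Remove rescue files and packages
dnf remove -y dracut-config-rescue || true
rm -f /boot/*rescue* || true
#
# Dynamic removal of rescue entries via grubby
rescue_kernel=$(grubby --info=ALL 2>/dev/null | grep -oE '/boot/vmlinuz-0-rescue-[^"]+' | head -n1)
if [[ -n "$rescue_kernel" ]]; then
    grubby --remove-kernel="$rescue_kernel"
fi
#
# Final regeneration & Plymouth
# Kernel arguments are set for all entries, then the Plymouth theme is selected.
grubby --update-kernel=ALL --args="ipv6.disable=1 rhgb quiet"
plymouth-set-default-theme -R spinfinity || true
#
# Build the initramfs explicitly for the installed kernel. Skipped when no
# kernel was found, otherwise dracut would be asked to write
# /boot/initramfs-.img for an empty version string.
if [ -n "$INSTALLED_KERNEL" ]; then
    dracut -f "/boot/initramfs-${INSTALLED_KERNEL}.img" "${INSTALLED_KERNEL}" || true
else
    echo "No kernel found under /lib/modules; skipping initramfs rebuild" >&2
fi
#
# Update Grub config
grub2-mkconfig --update-bls-cmdline -o /boot/grub2/grub.cfg
grub2-mkconfig --update-bls-cmdline -o /boot/efi/EFI/almalinux/grub.cfg || true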
#
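# ==========================================================
# Themes - SDDM & Conky Configuration
# ==========================================================
echo "========== Unzipping Themes, Setting SDDM and Conky=========="
#
# Create the directories if they do not exist
mkdir -p /usr/share/plasma/look-and-feel/
mkdir -p /usr/share/sddm/themes/
mkdir -p /usr/share/conky
#
# Untar themes & conky
# tar run as root restores the owner recorded in the archive by default. With
# --no-same-owner the extracted files belong to root, so an archive packed
# under an ordinary account cannot leave files in /usr/share (including the
# conky binary linked into /usr/bin) owned by a matching local user.
tar --no-same-owner -xJf /tmp/Watch_Dogs_Theme.tar.xz -C /usr/share/plasma/look-and-feel/ || echo "Failed to extract Watch_Dogs"
tar --no-same-owner -xJf /tmp/Win11OS-dark.tar.xz -C /usr/share/sddm/themes/ || echo "Failed to extract Win11OS"
tar --no-same-owner -xJf /tmp/conky.tar.xz -C /usr/share/ || echo "Failed to extract conky"
chmod +x /usr/share/conky/usr/bin/conky || true
ln -sf /usr/share/conky/usr/bin/conky /usr/bin/conky || true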
#
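#============Wallpaper Setup - Apps Installation============
# 1. Temporary sudo grant for the first-login installer (setup_apps.sh)
#
# The installer runs without a terminal, so the commands it calls through sudo
# must not ask for a password. The grant is deleted by the installer itself,
# but only after it has detected the LibreOffice flatpak; if that never
# happens the file stays in place across logins and reboots. The rules are
# therefore limited to the exact commands the installer invokes instead of
# "NOPASSWD: ALL". flatpak is left without an argument list because several of
# its subcommands are used.
cat > /etc/sudoers.d/99_installer <<'EOF'
Defaults:diaxiristis !use_pty
diaxiristis ALL=(root) NOPASSWD: /usr/bin/flatpak
diaxiristis ALL=(root) NOPASSWD: /usr/sbin/usermod -aG clamupdate diaxiristis
diaxiristis ALL=(root) NOPASSWD: /usr/sbin/usermod -aG clamscan diaxiristis
diaxiristis ALL=(root) NOPASSWD: /usr/sbin/usermod -aG printadmin diaxiristis
diaxiristis ALL=(root) NOPASSWD: /usr/sbin/usermod -aG nm-openvpn diaxiristis
diaxiristis ALL=(root) NOPASSWD: /usr/bin/systemctl enable --now secnet-monitor.path
diaxiristis ALL=(root) NOPASSWD: /usr/bin/rm -f /etc/sudoers.d/99_installer
EOF
chmod 440 /etc/sudoers.d/99_installer
# A syntactically broken drop-in disables sudo for everyone; remove it rather
# than ship it if the check fails.
visudo -cf /etc/sudoers.d/99_installer >/dev/null || rm -f /etc/sudoers.d/99_installer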
#
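# First-login installer, written to the admin's home directory.
#
# The heredoc delimiter is quoted so that nothing is expanded while %post runs:
# $(date), $i and the multi-line sed "a \" text have to reach the generated
# script literally and be evaluated when the user runs it. With an unquoted
# delimiter the date was frozen at install time, the retry counter printed a
# literal "$i", and the backslash-newline pairs of the sed append were removed,
# joining the inserted lines into one.
#
# The Nextcloud Talk bundle is downloaded to a mktemp file instead of a fixed
# /tmp name, curl runs with -f so an HTTP error is not saved as the bundle, and
# the install is gated on curl's exit status.
# NOTE(review): the bundle comes from releases/latest and is installed
# system-wide without a pinned version or checksum; consider shipping a known
# digest with the install media and verifying it before the install.
cat > /home/diaxiristis/setup_apps.sh <<'EOF'
#!/bin/bash
# Log Records
exec > /home/diaxiristis/install_log.txt 2>&1
echo "--- Start: $(date) ---"

# 0. ASCII Logo - FAISTOS 2.0
echo "-----------------------------------------------------------------------------"
echo "███████╗ █████╗ ██╗███████╗████████╗ ██████╗ ███████╗    ██████╗     ██████╗ "
echo "██╔════╝██╔══██╗██║██╔════╝╚══██╔══╝██╔═══██╗██╔════╝    ╚════██╗   ██╔═████╗"
echo "█████╗  ███████║██║███████╗   ██║   ██║   ██║███████╗     █████╔╝   ██║██╔██║"
echo "██╔══╝  ██╔══██║██║╚════██║   ██║   ██║   ██║╚════██║    ██╔═══╝    ████╔╝██║"
echo "██║     ██║  ██║██║███████║   ██║   ╚██████╔╝███████║    ███████╗██╗╚██████╔╝"
echo "╚═╝     ╚═╝  ╚═╝╚═╝╚══════╝   ╚═╝    ╚═════╝ ╚══════╝    ╚══════╝╚═╝ ╚═════╝ "
echo "-----------------------------------------------------------------------------"
echo "Starting applications installation..."

# 1. Waiting for Internet (Curl Check)
echo "Connection check with Flathub..."
for i in {1..15}; do
    if curl -Is --connect-timeout 5 https://flathub.org > /dev/null; then
        echo "Internet OK!"
        break
    fi
    echo "Waiting... (trying $i)"
    sleep 5
done

# 2. Wallpaper
/usr/bin/plasma-apply-wallpaperimage /usr/share/backgrounds/background.jpeg

# 3. Repo Setup
/usr/bin/sudo /usr/bin/flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
/usr/bin/sudo /usr/bin/flatpak repair --system

# 3.a Flatpak Programs Installation
echo "Installing RustDesk..."
/usr/bin/sudo /usr/bin/flatpak install -y flathub com.rustdesk.RustDesk

echo "Installing VLC..."
/usr/bin/sudo /usr/bin/flatpak install -y flathub org.videolan.VLC

echo "Installing LibreOffice..."
/usr/bin/sudo /usr/bin/flatpak install -y flathub org.libreoffice.LibreOffice

# 4. Offline Nextcloud Talk Installation from /tmp
#if [ -f /tmp/Nextcloud.Talk-linux-x64.flatpak ]; then
#    echo "Installing Nextcloud Talk..."
#    /usr/bin/sudo /usr/bin/flatpak install -y /tmp/Nextcloud.Talk-linux-x64.flatpak
#else
#    echo "Nextcloud flatpak not found in /tmp!"
#fi

# 4. Online Nextcloud Talk Installation
echo "Downloading latest Nextcloud Talk..."
talk_bundle="$(/usr/bin/mktemp --suffix=.flatpak /tmp/Nextcloud.Talk.XXXXXX)"

if /usr/bin/curl -fL https://github.com/nextcloud-releases/talk-desktop/releases/latest/download/Nextcloud.Talk-linux-x64.flatpak -o "$talk_bundle"; then
    echo "Installing Nextcloud Talk..."
    /usr/bin/sudo /usr/bin/flatpak install -y "$talk_bundle"
else
    echo "Nextcloud flatpak download failed!"
fi
/usr/bin/rm -f "$talk_bundle"

# 5. Updates
echo "Running updates..."
/usr/bin/sudo /usr/bin/flatpak update -y
/usr/bin/flatpak update -y

# 6. Change App Launcher Icon & System Actions
# Change the Icon
/usr/bin/sed -i 's/icon=start-here/icon=header-image.png/g' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc

# Handle primaryActions (Change if exists, add if not)
if /usr/bin/grep -q "primaryActions=" /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc; then
    /usr/bin/sed -i 's/primaryActions=.*/primaryActions=3/' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc
else
    /usr/bin/sed -i '/icon=header-image.png/ a primaryActions=3' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc
fi

# Handle systemFavorites (Change if exists, add if not)
if /usr/bin/grep -q "systemFavorites=" /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc; then
    /usr/bin/sed -i 's/systemFavorites=.*/systemFavorites=lock-screen\\,logout\\,save-session\\,switch-user\\,shutdown/' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc
else
    /usr/bin/sed -i '/primaryActions=3/ a systemFavorites=lock-screen\\,logout\\,save-session\\,switch-user\\,shutdown' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc
fi

# 7. Digital Clock Appearance & Configuration
/usr/bin/sed -i '/\[Containments\]\[2\]\[Applets\]\[20\]\[Configuration\]/,/^$/ s/^$/\n[Containments][2][Applets][20][Configuration][Appearance]\ncustomDateFormat=ddd d MM yyyy\ndateFormat=custom\nfontWeight=400\nuse24hFormat=2\n/' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc

# 8. Applet 20: Hight Popup & Preload
/usr/bin/sed -i '/\[Containments\]\[2\]\[Applets\]\[20\]\[Configuration\]/,/\[/ {
    s/popupHeight=.*/popupHeight=450/
    /PreloadWeight=/d
    /popupHeight=450/ a PreloadWeight=60
}' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc

# 9. Task Manager: Pinned Apps (Chromium, Firefox...)
# 1st, cleanup if there are double launcher lines
/usr/bin/sed -i '/\[Containments\]\[2\]\[Applets\]\[5\]\[Configuration\]\[General\]/,/^$/d' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc

# Now we add the block after [Applets][5]
/usr/bin/sed -i '/plugin=org.kde.plasma.icontasks/ a \
\
[Containments][2][Applets][5][Configuration][General]\
immutability=1\
launchers=preferred://filemanager,applications:chromium-browser.desktop,applications:org.kde.kwrite.desktop,applications:firefox.desktop,applications:org.kde.konsole.desktop\
plugin=org.kde.plasma.icontasks' /home/diaxiristis/.config/plasma-org.kde.plasma.desktop-appletsrc

# 10. Add diaxiristis to Groups
/usr/bin/sudo usermod -aG clamupdate diaxiristis
/usr/bin/sudo usermod -aG clamscan diaxiristis
/usr/bin/sudo usermod -aG printadmin diaxiristis
/usr/bin/sudo usermod -aG nm-openvpn diaxiristis
/usr/bin/sudo systemctl enable --now secnet-monitor.path

# 11. Final Messages
echo "--------------------------------------------------"
echo "✅ Η ΔΙΑΔΙΚΑΣΙΑ ΟΛΟΚΛΗΡΩΘΗΚΕ ΜΕ ΕΠΙΤΥΧΙΑ !!!"
echo "Με γεια το νέο σας εργαλείο !!! 😋 😉"
echo "--------------------------------------------------"
echo "ΠΑΡΑΚΑΛΩ ΚΛΕΙΣΤΕ ΑΥΤΟ ΤΟ ΠΑΡΑΘΥΡΟ ΠΑΤΩΝΤΑΣ ΤΟ 'X' ΠΑΝΩ ΔΕΞΙΑ."
echo "ΣΤΗ ΣΥΝΕΧΕΙΑ ΚΑΝΤΕ LOGOFF/LOGON ΓΙΑ ΝΑ ΕΦΑΡΜΟΣΤΟΥΝ ΟΙ ΑΛΛΑΓΕΣ."
echo "-----------------------------------------------------------------------------"
echo "                                                                             "
echo "███████╗ █████╗ ██╗███████╗████████╗ ██████╗ ███████╗    ██████╗     ██████╗ "
echo "██╔════╝██╔══██╗██║██╔════╝╚══██╔══╝██╔═══██╗██╔════╝    ╚════██╗   ██╔═████╗"
echo "█████╗  ███████║██║███████╗   ██║   ██║   ██║███████╗     █████╔╝   ██║██╔██║"
echo "██╔══╝  ██╔══██║██║╚════██║   ██║   ██║   ██║╚════██║    ██╔═══╝    ████╔╝██║"
echo "██║     ██║  ██║██║███████║   ██║   ╚██████╔╝███████║    ███████╗██╗╚██████╔╝"
echo "╚═╝     ╚═╝  ╚═╝╚═╝╚══════╝   ╚═╝    ╚═════╝ ╚══════╝    ╚══════╝╚═╝ ╚═════╝ "
echo "-----------------------------------------------------------------------------"
echo "Applications installation Finished"

# Cleanup (Self-Destruction)
if /usr/bin/flatpak list --system | grep -q org.libreoffice.LibreOffice; then
    echo "Success! Lock sudoers and clean up."
    /usr/bin/sudo rm -f /etc/sudoers.d/99_installer
    /usr/bin/rm -f /home/diaxiristis/.config/autostart/setup_apps.desktop
    # Η διαγραφή του script πρέπει να είναι το τελευταίο πράγμα που θα γίνει
    /usr/bin/rm -f /home/diaxiristis/setup_apps.sh &
else
    echo "Unsuccess or LibreOffice not found. The script remains."
fi
EOF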
#
# Make the first-login installer executable and owned by the admin user, then
# register it as a KDE autostart entry. The entry starts the installer in the
# background and opens a Konsole window that follows its log file.
admin_home=/home/diaxiristis
autostart_dir="${admin_home}/.config/autostart"
#
chmod +x "${admin_home}/setup_apps.sh"
chown diaxiristis:diaxiristis "${admin_home}/setup_apps.sh"
#
mkdir -p "${autostart_dir}"
printf '%s\n' \
    '[Desktop Entry]' \
    'Type=Application' \
    'Exec=bash -c "/home/diaxiristis/setup_apps.sh & konsole --hold -e tail -f /home/diaxiristis/install_log.txt"' \
    'Hidden=false' \
    'NoDisplay=false' \
    'X-GNOME-Autostart-enabled=true' \
    'Name=Final System Setup' \
    > "${autostart_dir}/setup_apps.desktop"
#
chown -R diaxiristis:diaxiristis "${autostart_dir}"
#
# Permissions correction for the extracted theme and conky trees
for shared_tree in /usr/share/plasma/look-and-feel/ /usr/share/sddm/themes/ /usr/share/conky/; do
    chmod -R 755 "$shared_tree"
done
chmod 755 /usr/local/bin/setup_user_theme.sh
#
# Configure SDDM: select the Win11OS-dark greeter theme
mkdir -p /etc/sddm.conf.d
printf '[Theme]\nCurrent=Win11OS-dark\n' > /etc/sddm.conf.d/kde_settings.conf
#
# Backup and customization of the SDDM theme
# The shipped Main.qml is kept as Main.qml.back; the custom file staged in
# /tmp replaces it only when both the theme directory and the file exist.
sddm_theme=/usr/share/sddm/themes/Win11OS-dark
if [ -d "$sddm_theme" ]; then
    cp -f "$sddm_theme/Main.qml" "$sddm_theme/Main.qml.back" || true

    if [ -f /tmp/Main.qml.custom ]; then
        cp -f /tmp/Main.qml.custom "$sddm_theme/Main.qml"
        chmod 644 "$sddm_theme/Main.qml"
    fi
fi
#
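# VeraCrypt (AppImage Installation)
# Members of the veracrypt group may run the extracted binary as root without a
# password (sudoers rule below), so nothing in that tree may be writable by
# anyone but root. tar run as root restores the archive's recorded owners by
# default; --no-same-owner makes root the owner, and group/other write bits
# are stripped afterwards.
tar --no-same-owner -xJf /tmp/veracrypt.tar.xz -C /usr/share/
chmod -R go-w /usr/share/veracrypt || true
chmod +x /usr/share/veracrypt/usr/bin/veracrypt || true
ln -sf /usr/share/veracrypt/AppRun /usr/bin/veracrypt || true
#
# Group & User setup
getent group veracrypt >/dev/null || groupadd veracrypt
usermod -aG veracrypt diaxiristis
#
# Sudoers entry (so that mounting does not ask for the root password)
printf '%%veracrypt\tALL=(ALL)\tNOPASSWD: /usr/share/veracrypt/usr/bin/veracrypt\n' > /etc/sudoers.d/veracrypt
chmod 440 /etc/sudoers.d/veracrypt
# A syntactically broken drop-in disables sudo for everyone; drop it if the
# check fails.
visudo -cf /etc/sudoers.d/veracrypt >/dev/null || rm -f /etc/sudoers.d/veracrypt
#
# LinPhone (AppImage Installation)
# Extracted with root ownership for the same reason: /usr/bin/linphone points
# into this tree.
tar --no-same-owner -xJf /tmp/linphone.tar.xz -C /usr/share/
chmod +x /usr/share/linphone/usr/bin/linphone || true
ln -sf /usr/share/linphone/AppRun /usr/bin/linphone || true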
#
    # ClamAV Logging & SELinux Setup
# Shared ClamAV log directory: root-owned, group virusgroup, setgid (2775) so
# new files inherit the group; adm and virusgroup additionally get rwx by ACL.
clam_log_dir=/var/log/clamav
mkdir -p "$clam_log_dir"
if ! getent group virusgroup >/dev/null; then
    groupadd -r virusgroup
fi
usermod -aG virusgroup diaxiristis
chown root:virusgroup "$clam_log_dir"
chmod 2775 "$clam_log_dir"
chmod g+w "$clam_log_dir"
for acl_group in adm virusgroup; do
    setfacl -m "g:${acl_group}:rwx" "$clam_log_dir"
done
# Label the directory as a log location and apply the label; both steps are
# best-effort.
semanage fcontext -a -t var_log_t "/var/log/clamav(/.*)?" 2>/dev/null || true
restorecon -Rv "$clam_log_dir" || true
# tmpfiles.d entry so the directory is recreated with the same mode and
# ownership; tee also echoes the line into the %post log.
tee /etc/tmpfiles.d/clamav-logs.conf <<'EOF'
d /var/log/clamav 2775 root virusgroup - -
EOF
#
# Services
# Enable the site services, turn off Bluetooth and every sleep state, and boot
# into the graphical target.
# NOTE(review): reboot.target is disabled and masked together with the sleep
# targets - confirm that blocking reboot through systemd is intended.
enabled_units=(
    pfsense-pre-shutdown-hook.service
    vc-mount-watcher.service
    clamd@scan.service
    ssh-conn-watch.service
)
masked_units=(
    bluetooth.service
    obex.service
    sleep.target
    suspend.target
    hibernate.target
    hybrid-sleep.target
    reboot.target
)
systemctl daemon-reload
systemctl enable "${enabled_units[@]}"
systemctl --global enable home-antivirus.service
# The two scan services are disabled but not masked.
systemctl disable "${masked_units[@]}" scanveracrypt1.service scanveracrypt2.service
systemctl mask "${masked_units[@]}"
systemctl set-default graphical.target
#
# dnf post-transaction-actions plugin: enable it and point it at the action
# directory that holds secnet-customs.action.
printf '%s\n' \
    '[main]' \
    'enabled = 1' \
    'actiondir = /etc/dnf/plugins/post-transaction-actions.d/' \
    > /etc/dnf/plugins/post-transaction-actions.conf
#
# ==========================================================
# System Update with Safety Excludes
# ==========================================================
echo "========== Running System Update =========="
#
# Append excludes to dnf.conf to avoid package conflicts on AlmaLinux 10.
# NOTE(review): the block is labelled temporary but nothing in this script
# removes it, so the listed packages receive no updates (security fixes
# included) until the line is deleted by hand.
printf '%s\n' \
    '#' \
    '# Temporary excludes for AlmaLinux 10 repo mismatches' \
    'exclude=plasma5support gpsd-libs gpsd kf6-kfilemetadata kdegraphics-mobipocket okular-part kdegraphics-thumbnailers okular' \
    >> /etc/dnf/dnf.conf
#
# =========================================================================
# Permissions - SELinux - Ownerships
# =========================================================================
# 1. Register bin_t as the file context for the extracted application trees
#    and for /opt (must happen before restorecon).
# NOTE(review): the /opt rule labels everything below /opt as bin_t, including
# the configuration files in /opt/default-confs - confirm that is wanted.
for labelled_tree in /usr/share/veracrypt /usr/share/conky /usr/share/linphone /opt; do
    semanage fcontext -a -t bin_t "${labelled_tree}(/.*)?" || true
done
#
# 2. Apply the configured contexts to every location this script wrote to.
relabel_paths=(
    /usr/share/conky
    /usr/share/veracrypt
    /usr/share/linphone
    /usr/bin/linphone
    /etc/conkyrc
    /etc/xdg/autostart
    /usr/share/plymouth/themes/spinfinity
    /etc/usbguard
    /opt
    /usr/local/bin
    /etc/systemd/system
    /usr/share/sddm/themes/Win11OS-dark
    /home/diaxiristis
)
restorecon -Rv "${relabel_paths[@]}" || true

# 3. Special permissions for system files
# The dnf action file is readable by root and its group only; logrotate and
# sysctl snippets are world-readable.
dnf_action=/etc/dnf/plugins/post-transaction-actions.d/secnet-customs.action
chmod 0640 "$dnf_action"
chown root:root "$dnf_action"
for readable_conf in /etc/logrotate.d/clamav-automation /etc/logrotate.d/secnet /etc/sysctl.d/99-hardening.conf; do
    chmod 644 "$readable_conf"
done
#
# 4. Configs in /opt and themes
# Directories 755, files 644, root-owned; a sudoers template, when present, is
# tightened to 440.
default_confs=/opt/default-confs
chown -R root:root "$default_confs"
find "$default_confs" -type d -exec chmod 755 {} +
find "$default_confs" -type f -exec chmod 644 {} +
if [ -f "$default_confs/sudoers" ]; then
    chmod 440 "$default_confs/sudoers"
fi
#
chmod -R 755 /usr/share/plasma/look-and-feel/Watch_Dogs_Theme || true
chmod -R 755 /usr/share/sddm/themes/Win11OS-dark || true
#
# 5. Final ownership of the admin's home
chown -R diaxiristis:diaxiristis /home/diaxiristis/
#
# Final update with --allowerasing (the dnf post-transaction actions run now)
dnf -y update --allowerasing
#
# Park the distribution repo files and activate the local repository
# NOTE(review): from here on packages come from ClientAlmaLinux10Local.repo;
# confirm that this file sets gpgcheck=1 and a gpgkey for its repositories.
repo_dir=/etc/yum.repos.d
parked_dir="${repo_dir}/DefaultRepos"
mkdir -p "$parked_dir"
mv -f "$repo_dir"/almalinux-*.repo "$parked_dir"/
mv -f "$repo_dir/epel.repo" "$parked_dir"/
cp -f /tmp/ClientAlmaLinux10Local.repo "$repo_dir"/
echo "Cleaning up installer repos..."
rm -f "$repo_dir"/ks-*.repo
#
# Create the AIDE baseline after all packages are in place; best-effort.
# NOTE(review): the baseline is stored on the same disk it describes; keeping a
# copy off the host is what makes later comparisons trustworthy.
if aide --init; then
    mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz || true
fi
# Cleanup and synchronizing: flush writes, then remove the staged extras, the
# tarballs and the custom QML file.
echo "Synchronizing data and cleaning..."
sync
rm -rf /tmp/extras_temp
rm -f /tmp/*.tar.xz /tmp/Main.qml.custom
echo "All done! Ready for reboot." >> /root/ks-post.log
%end
