setup: make reruns idempotent

- Overwrite root and jordanwages authorized_keys each run (deduped)
- Replace ad-hoc fstab edits with a managed NFS block
- Continue using overwrite for fastfetch profile script

setup.sh

@@ -100,44 +100,44 @@ hostnamectl set-hostname "$NEW_HOST"
 msg "Hostname set to $NEW_HOST"
 
 ###############################################################################
-# SSH keys for root                                                           #
+# SSH keys for root (idempotent overwrite per run)                            #
 ###############################################################################
 install -d -m 700 /root/.ssh
 chmod 700 /root/.ssh
-test -n "$DEFAULT_SSH_KEY" && {
+TMP_KEYS_ROOT=$(mktemp)
-    grep -qxF "$DEFAULT_SSH_KEY" /root/.ssh/authorized_keys 2>/dev/null || \
+if [[ -n "$DEFAULT_SSH_KEY" ]]; then
-        echo "$DEFAULT_SSH_KEY" >> /root/.ssh/authorized_keys
+    printf '%s\n' "$DEFAULT_SSH_KEY" >>"$TMP_KEYS_ROOT"
-    chmod 600 /root/.ssh/authorized_keys
+fi
-    msg "Default SSH key added for root"
-}
 if confirm "Add additional SSH public key for root?"; then
     KEY=$(whiptail --title "SSH Key (root)" --inputbox "Paste your public key for root:" 12 70 3>&1 1>&2 2>&3) || die "Cancelled"
-    grep -qxF "$KEY" /root/.ssh/authorized_keys 2>/dev/null || echo "$KEY" >> /root/.ssh/authorized_keys
+    [[ -n "$KEY" ]] && printf '%s\n' "$KEY" >>"$TMP_KEYS_ROOT"
-    chmod 600 /root/.ssh/authorized_keys
-    msg "Additional SSH key added for root"
 fi
+# de-duplicate and overwrite authorized_keys
+awk '!seen[$0]++' "$TMP_KEYS_ROOT" > /root/.ssh/authorized_keys
+chmod 600 /root/.ssh/authorized_keys
+msg "Root authorized_keys updated (overwritten this run)"
+rm -f "$TMP_KEYS_ROOT"
 
 ###############################################################################
-# SSH keys for user jordanwages                                              #
+# SSH keys for user jordanwages (idempotent overwrite per run)               #
 ###############################################################################
 USER_NAME="jordanwages"
 USER_HOME="/home/$USER_NAME"
 install -d -m 700 "$USER_HOME/.ssh"
 chown $USER_NAME:$USER_NAME "$USER_HOME/.ssh"
-test -n "$DEFAULT_SSH_KEY" && {
+TMP_KEYS_USER=$(mktemp)
-    grep -qxF "$DEFAULT_SSH_KEY" "$USER_HOME/.ssh/authorized_keys" 2>/dev/null || \
+if [[ -n "$DEFAULT_SSH_KEY" ]]; then
-        echo "$DEFAULT_SSH_KEY" >> "$USER_HOME/.ssh/authorized_keys"
+    printf '%s\n' "$DEFAULT_SSH_KEY" >>"$TMP_KEYS_USER"
-    chown $USER_NAME:$USER_NAME "$USER_HOME/.ssh/authorized_keys"
+fi
-    chmod 600 "$USER_HOME/.ssh/authorized_keys"
-    msg "Default SSH key added for $USER_NAME"
-}
 if confirm "Add additional SSH public key for $USER_NAME?"; then
     KEY=$(whiptail --title "SSH Key ($USER_NAME)" --inputbox "Paste public key for $USER_NAME:" 12 70 3>&1 1>&2 2>&3) || die "Cancelled"
-    grep -qxF "$KEY" "$USER_HOME/.ssh/authorized_keys" 2>/dev/null || echo "$KEY" >> "$USER_HOME/.ssh/authorized_keys"
+    [[ -n "$KEY" ]] && printf '%s\n' "$KEY" >>"$TMP_KEYS_USER"
-    chown $USER_NAME:$USER_NAME "$USER_HOME/.ssh/authorized_keys"
-    chmod 600 "$USER_HOME/.ssh/authorized_keys"
-    msg "Additional SSH key added for $USER_NAME"
 fi
+awk '!seen[$0]++' "$TMP_KEYS_USER" > "$USER_HOME/.ssh/authorized_keys"
+chown $USER_NAME:$USER_NAME "$USER_HOME/.ssh/authorized_keys"
+chmod 600 "$USER_HOME/.ssh/authorized_keys"
+msg "$USER_NAME authorized_keys updated (overwritten this run)"
+rm -f "$TMP_KEYS_USER"
 
 ###############################################################################
 # Optional utilities                                                         #
@@ -159,7 +159,7 @@ echo 'fastfetch' >/etc/profile.d/90-fastfetch.sh
 chmod +x /etc/profile.d/90-fastfetch.sh
 
 ###############################################################################
-# NFS mounts                                                                 #
+# NFS mounts (managed block, idempotent)                                     #
 ###############################################################################
 NFS_HOSTS=(jimmu keiko keitai)
 OPTS=(); for h in "${NFS_HOSTS[@]}"; do OPTS+=("$h" "" OFF); done
@@ -169,16 +169,32 @@ SEL_HOSTS=$(whiptail --title "NFS Mounts" --checklist \
 
 mkdir -p /media
 for host in "${NFS_HOSTS[@]}"; do
+    [[ $SEL_HOSTS == *\"$host\"* ]] && mkdir -p "/media/$host"
+done
+
+# Clean up legacy lines from prior runs (pre-managed-block versions)
+for host in "${NFS_HOSTS[@]}"; do
+    TEMPLATE="${host}.wageshouse:/Data /media/${host} nfs4 _netdev,x-systemd.automount,noatime 0 0"
+    sed -i "#^${host}\.wageshouse:/Data /media/${host} nfs4 _netdev,x-systemd.automount,noatime 0 0$#d" /etc/fstab || true
+    sed -i "#^# ${host}\.wageshouse:/Data /media/${host} nfs4 _netdev,x-systemd.automount,noatime 0 0$#d" /etc/fstab || true
+done
+
+# Replace the managed block with current selections
+BLOCK_START="# BEGIN setup.sh managed NFS"
+BLOCK_END="# END setup.sh managed NFS"
+sed -i "/^$BLOCK_START$/,/^$BLOCK_END$/d" /etc/fstab || true
+{
+    echo "$BLOCK_START"
+    for host in "${NFS_HOSTS[@]}"; do
         TEMPLATE="${host}.wageshouse:/Data /media/${host} nfs4 _netdev,x-systemd.automount,noatime 0 0"
         if [[ $SEL_HOSTS == *\"$host\"* ]]; then
-        mkdir -p "/media/$host"
+            echo "$TEMPLATE"
-        grep -q "${host}.wageshouse" /etc/fstab && \
-            sed -i "#${host}\.wageshouse#d" /etc/fstab
-        echo "$TEMPLATE" >> /etc/fstab
         else
-        grep -q "${host}.wageshouse" /etc/fstab || echo "# $TEMPLATE" >> /etc/fstab
+            echo "# $TEMPLATE"
         fi
-done
+    done
+    echo "$BLOCK_END"
+} >> /etc/fstab
 
 if ! mount -a 2>>"$LOGFILE"; then
     msg "⚠️  Some NFS mounts failed. Re-run the script to check configuration."