fix(setup): Debian passwordless sudo and optional Docker install

Run visudo validation and sudoers.d checks with sudo so Debian no longer
fails with a false validation error. Prompt before installing Docker and
move AOSC Docker packages into the same optional install path.

Co-authored-by: Cursor <cursoragent@cursor.com>

linux-managements/setup.sh

@@ -266,8 +266,8 @@ install_packages() {
     case "$DISTRO" in
         aosc)
             info "Installing packages via oma ..."
-            psudo oma install -y git fish eza fastfetch btop docker docker-compose docker-buildx
+            psudo oma install -y git fish eza fastfetch btop
-            success "All packages installed via oma"
+            success "Base packages installed via oma"
             ;;
         debian|ubuntu)
             install_git
@@ -327,14 +327,32 @@ setup_fish() {
 install_docker() {
     step "Docker Installation"
 
+    if command -v docker &>/dev/null; then
+        info "Docker already installed ($(docker --version)), configuring non-root access"
+        docker_no_root
+        return
+    fi
+
+    prompt_read ans "Install Docker Engine? [y/N] "
+    case "$ans" in
+        [Yy]*) ;;
+        *)
+            info "Skipping Docker installation"
+            return
+            ;;
+    esac
+
     case "$DISTRO" in
         aosc)
-            info "Docker already installed via oma, skipping"
+            info "Installing Docker via oma ..."
+            if psudo oma install -y docker docker-compose docker-buildx; then
+                success "Docker installed"
+            else
+                warn "Docker installation failed — please install manually later."
+                return
+            fi
             ;;
         debian|ubuntu)
-            if command -v docker &>/dev/null; then
-                info "Docker already installed ($(docker --version)), skipping"
-            else
             curl -fsSL https://git.mitsea.com/FlintyLemming/scripts-public/raw/branch/main/linux-managements/install-docker.sh \
                 -o /tmp/install-docker.sh
             if psudo sh /tmp/install-docker.sh; then
@@ -342,13 +360,10 @@ install_docker() {
             else
                 warn "Docker installation failed (packages may not be available for this release)."
                 warn "Skipping Docker — please install manually later."
-                fi
+                return
             fi
             ;;
         fedora)
-            if command -v docker &>/dev/null; then
-                info "Docker already installed ($(docker --version)), skipping"
-            else
             info "Setting up Docker CE repository ..."
             psudo curl -fsSL https://download.docker.com/linux/fedora/docker-ce.repo \
                 -o /etc/yum.repos.d/docker-ce.repo
@@ -358,12 +373,11 @@ install_docker() {
             else
                 warn "Docker installation failed (packages may not be available for this release)."
                 warn "Skipping Docker — please install manually later."
-                fi
+                return
             fi
             ;;
     esac
 
-    # Only configure docker group/service if docker was actually installed
     if command -v docker &>/dev/null; then
         docker_no_root
     fi
@@ -540,6 +554,12 @@ ensure_sudo() {
     fi
 }
 
+# Debian ignores sudoers.d fragments whose names contain '.' or '~'.
+sudoers_d_filename_ok() {
+    local name="$1"
+    [[ "$name" =~ ^[a-zA-Z0-9_-]+$ ]]
+}
+
 # ─── Passwordless Sudo ────────────────────────────────────────────────────────
 setup_passwordless_sudo() {
     step "Passwordless Sudo"
@@ -547,8 +567,14 @@ setup_passwordless_sudo() {
     local sudoers_file="/etc/sudoers.d/${USER}"
     local expected_line="${USER} ALL=(ALL) NOPASSWD: ALL"
 
-    # Already configured?
+    if ! sudoers_d_filename_ok "$USER"; then
-    if [ -f "$sudoers_file" ] && grep -qF "$expected_line" "$sudoers_file" 2>/dev/null; then
+        warn "Username '$USER' is not valid for /etc/sudoers.d/ on Debian (use only letters, digits, '_' and '-')"
+        warn "Skipping passwordless sudo — configure manually if needed"
+        return
+    fi
+
+    # Already configured? (sudoers.d is root-only readable on Debian)
+    if psudo test -f "$sudoers_file" && psudo grep -qF "$expected_line" "$sudoers_file" 2>/dev/null; then
         info "Passwordless sudo already configured for '$USER'"
         return
     fi
@@ -556,15 +582,14 @@ setup_passwordless_sudo() {
     prompt_read ans "Enable passwordless sudo for '${USER}'? [y/N] "
     case "$ans" in
         [Yy]*)
-            # Write to a temp file first, then validate with visudo -cf
             local tmp_file
             tmp_file="$(mktemp)"
             echo "$expected_line" > "$tmp_file"
             chmod 0440 "$tmp_file"
 
-            if visudo -cf "$tmp_file" >/dev/null 2>&1; then
+            # visudo requires root on Debian/Ubuntu; validating as the current user fails with "Permission denied"
-                psudo cp "$tmp_file" "$sudoers_file"
+            if psudo visudo -cf "$tmp_file" >/dev/null 2>&1; then
-                psudo chmod 0440 "$sudoers_file"
+                psudo install -o root -g root -m 0440 "$tmp_file" "$sudoers_file"
                 rm -f "$tmp_file"
                 success "Passwordless sudo enabled for '$USER'"
             else