diff --git a/.sh/path b/.sh/path
index e492be3ab2b..433dd06238b 100644
--- a/.sh/path
+++ b/.sh/path
@@ -1,8 +1,4 @@
 #!/bin/sh
-# Android
-if [ -d /system/bin ]; then
-	PATH="$PATH:/system/bin"
-fi
 
 if [ -d "$HOME/bin" ]; then
 	PATH="$HOME/bin:$PATH"
diff --git a/README.md b/README.md
index cb6029ab754..ed9af4e91ce 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ Non-Termux:
 ```sh
 cd
 curl -#L https://github.com/Rudxain/dotfiles/tarball/main | \
-tar -xzv --strip-components 1 --exclude={.termux,bin/termux-\*,.gitattributes,install,README.md,LICENSE} \
+tar -xzv --strip-components 1 --exclude={.termux,bin/termux-\*,.gitattributes,setup-distro,install,README.md,LICENSE} \
 && . .profile
 ```
 
@@ -48,7 +48,7 @@ Termux:
 ```sh
 cd
 curl -#L https://github.com/Rudxain/dotfiles/tarball/main | \
-tar -xzv --strip-components 1 --exclude={.gitattributes,install,README.md,LICENSE} \
+tar -xzv --strip-components 1 --exclude={.gitattributes,setup-distro,install,README.md,LICENSE} \
 && . .profile
 ```
 
diff --git a/bin/termux-url-opener b/bin/termux-url-opener
old mode 100644
new mode 100755
diff --git a/bin/update b/bin/update
deleted file mode 100755
index 2da921a1174..00000000000
--- a/bin/update
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-set -euf
-
-if [ -z "${TERMUX_VERSION:-}" ]; then	
-	# should I use apt-get?
-	# "unstable API" doesn't seem to matter here
-	if apt update && apt upgrade
-	then
-		apt autoclean || true
-		apt autopurge || true
-	
-		# https://github.com/pypa/pip/issues/4551
-	
-		# if `apt` fails,
-		# it's likely `npm` will also fail
-		npm update -g || true # for LSPs
-	fi
-	
-	rustup upgrade
-	# https://github.com/rust-lang/cargo/issues/9527
-	crates="$(\
-		cargo install --list |\
-		# assume stable Cargo API
-		grep -E '^[a-z0-9_-]+ v[0-9.]+:$' |\
-		cut -f1 -d' ' \
-	)"
-	# shellcheck disable=SC2086
-	[ -n "$crates" ] && cargo install $crates
-else
-	# https://wiki.termux.com/wiki/Package_Management
-	if pkg upgrade; then
-		# I have backups, no worries
-		pkg autoclean || true
-		apt autopurge || true
-	
-		npm update -g || true # for LSPs
-	fi
-fi
diff --git a/install b/install
index 7e19cde6f43..4af7decda2d 100755
--- a/install
+++ b/install
@@ -7,7 +7,8 @@ do_it() {
 	rsync \
 		--exclude '.git/' \
 		--exclude '.gitattributes' \
-		--exclude 'bootstrap.sh' \
+		--exclude 'setup-distro' \
+		--exclude 'install' \
 		--exclude 'README.md' \
 		--exclude 'LICENSE' \
 		-avh --no-perms . ~
diff --git a/post-install/Enable_AppArmor b/post-install/Enable_AppArmor
new file mode 100755
index 00000000000..ba2c1f7aa4c
--- /dev/null
+++ b/post-install/Enable_AppArmor
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -euf
+# https://wiki.debian.org/AppArmor/HowToUse#Enable_AppArmor
+sudo mkdir -p /etc/default/grub.d
+echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
+  | sudo tee /etc/default/grub.d/apparmor.cfg
+sudo update-grub
+# user should choose when to do so
+#sudo reboot
diff --git a/post-install/README.md b/post-install/README.md
new file mode 100644
index 00000000000..4c385cd0b9e
--- /dev/null
+++ b/post-install/README.md
@@ -0,0 +1,9 @@
+This sub-repo isn't necessary, but if you're setting-up a clean install of a Debian-based distro it'll be very convenient.
+
+I'm considering switching to NixOS, to make this process seamless.
+
+> [!warning]
+> `main` isn't idempotent!
+> You should only run it once.
+>
+> I'm considering to make it idempotent by default, with an opt-in flag to use old behavior
diff --git a/post-install/apt-autopurge-busybox-dupes b/post-install/apt-autopurge-busybox-dupes
new file mode 100755
index 00000000000..806027c800a
--- /dev/null
+++ b/post-install/apt-autopurge-busybox-dupes
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -euf -o pipefail
+# https://wiki.debian.org/ReduceDebian#Use_busybox_built-ins_instead_of_full_packages
+
+# auto-marks packs that installed same cmds as busybox subcmds, then autopurges
+
+# to-do:
+# filter cmds that belong to "Essential" & "Required" packs,
+# for optimization.
+readonly bb="$(busybox --list)"
+
+readonly c="$(wc -l <<< "$bb")"
+i=0
+for cmd in $bb
+do
+	echo "$i / $c"
+	if pack="$(dpkg -S "$(type -P "$cmd")" 2> /dev/null)"
+	then
+		apt-mark auto "$(cut -d: -f1 <<< "$pack")" > /dev/null
+	fi
+	((i++))
+done
+apt -y autopurge
diff --git a/post-install/apt-purge-retro b/post-install/apt-purge-retro
new file mode 100755
index 00000000000..213f01b6539
--- /dev/null
+++ b/post-install/apt-purge-retro
@@ -0,0 +1,2 @@
+#!/bin/sh
+apt-get purge $(dpkg -l | grep \^rc | awk '{print $2}')
diff --git a/post-install/apt.conf b/post-install/apt.conf
new file mode 100644
index 00000000000..b7e7e6a21ee
--- /dev/null
+++ b/post-install/apt.conf
@@ -0,0 +1,3 @@
+APT::Install-Recommends "0";
+APT::Install-Suggests "0";
+APT::AutoRemove::SuggestsImportant "0";
diff --git a/post-install/dpkg-list-essential b/post-install/dpkg-list-essential
new file mode 100755
index 00000000000..c18255f1524
--- /dev/null
+++ b/post-install/dpkg-list-essential
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -euf
+
+dpkg-query -Wf '${Package;-40}${Essential}\n' \
+| grep yes \
+| awk '{print $1}'
diff --git a/post-install/dpkg-list-sizes b/post-install/dpkg-list-sizes
new file mode 100755
index 00000000000..fb317d8f09e
--- /dev/null
+++ b/post-install/dpkg-list-sizes
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -euf
+
+n="${1-16}"
+
+dpkg-query -Wf '${Installed-size}\t${Package}\n' |
+  sort -rn |
+  head "-n$((n))"
diff --git a/post-install/main b/post-install/main
new file mode 100755
index 00000000000..19037bda7c1
--- /dev/null
+++ b/post-install/main
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -euf -o pipefail
+
+readonly HELP='$1 must be a path to a file
+that contains old output from:
+`apt-mark showmanual`
+'
+
+if [[ $# -lt 1 ]]
+then
+	printf '%s' "$HELP"
+	exit 1
+fi
+readonly pack_ls="$(cat -- "$1")"
+
+# to reduce time between auto-marking & installing,
+# we must config now
+cp apt.conf "${PREFIX:-}/etc/apt/apt.conf"
+# Termux compatibility
+
+# cleanup
+apt-mark auto \*
+
+apt-get update
+
+# mark manual if existent.
+# "--" for extra safety
+apt-get -y install -- $pack_ls
+
+apt-mark auto $(./dpkg-list-essential)
+# more cleanup, just-in-case
+apt-mark minimize-manual
+
+apt autopurge
+
+apt-get -y upgrade
+
+mv path.sh "${PREFIX:-}/etc/profile.d/"
+
+mv apt-purge-retro "${PREFIX:-/usr}/local/bin/"
+chown root:root apt-purge-retro
+chmod 755 "${PREFIX:-/usr}/local/bin/"*
+
+./Enable_AppArmor
diff --git a/post-install/nftables.conf b/post-install/nftables.conf
new file mode 100644
index 00000000000..d7a352f52f0
--- /dev/null
+++ b/post-install/nftables.conf
@@ -0,0 +1,20 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	# 9 December 2021, at 00:51
+	# https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation#fw.inet.basic
+	chain input {
+		type filter hook input priority 0; policy drop;
+		iif lo accept
+		ct state established,related accept
+		icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+	}
+	chain forward {
+		type filter hook forward priority filter;
+	}
+	chain output {
+		type filter hook output priority filter;
+	}
+}
diff --git a/post-install/path.sh b/post-install/path.sh
new file mode 100644
index 00000000000..cd1168a8c1b
--- /dev/null
+++ b/post-install/path.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Android
+if [ -d /system/bin ]; then
+	PATH="$PATH:/system/bin"
+fi
+
+if [ -d "${PREFIX:-/usr}/local/bin" ]; then
+	PATH="$PATH:${PREFIX:-/usr}/local/bin"
+fi
+
+export PATH
diff --git a/post-install/update-hx b/post-install/update-hx
new file mode 100755
index 00000000000..acc49d3c3ac
--- /dev/null
+++ b/post-install/update-hx
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+#shellcheck disable=2317
+set -euf -o pipefail
+
+# to-do: use official GH API rather than scraping
+readonly RELEASE_URL='https://github.com/helix-editor/helix/releases/'
+wget "${RELEASE_URL}latest" -O - | \
+grep -E 'download/\d+\.\d+/helix-\d+\.\d+-x86_64\.AppImage'
+#to-do check version before download
+
+exit 0
+
+readonly ROOT_URL='https://raw.githubusercontent.com/helix-editor/helix/master/'
+readonly ROOT_DIR='/usr/share/'
+readonly ICO="${ROOT_DIR}icons/"
+
+wget "${ROOT_URL}contrib/helix.png" -P "$ICO"
+wget "${ROOT_URL}logo.svg" -O "${ICO}helix.svg"
+unset ICO
+
+wget "${ROOT_URL}contrib/Helix.desktop" -P "${ROOT_DIR}applications" || true
+
+wget "${ROOT_URL}contrib/completion/hx.bash" -P '/etc/bash_completion.d' || true
+
diff --git a/post-install/update-packs b/post-install/update-packs
new file mode 100755
index 00000000000..f70542992e2
--- /dev/null
+++ b/post-install/update-packs
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -uf
+
+if [ -n "${TERMUX_VERSION:-}" ]; then
+	# https://wiki.termux.com/wiki/Package_Management
+	if pkg upgrade; then
+		# I'm aware of the consequences
+		pkg autoclean
+		apt-get autopurge
+	
+		npm update -g # for LSPs
+	fi
+else
+	if apt-get update && apt-get upgrade
+	then
+		apt-get autoclean
+		apt-get autopurge
+
+		npm update -g # for LSPs
+	fi
+fi