#!/usr/bin/env -S bash -e
# Cleaning the TTY.
clear

# Updating the live environment, then installing curl (used further down to
# fetch configuration snippets into the target system).
pacman -Syu
pacman -S --noconfirm curl
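# Selecting the kernel flavor to install.
#######################################
# Prompt until a valid kernel flavor is chosen and record its package name.
# Globals:   kernel (written) - pacman package name handed to pacstrap later
# Arguments: none; the choice is read from stdin
# Outputs:   the menu and a confirmation line on stdout
# Returns:   0 once a valid choice was made, 1 if stdin is exhausted
#######################################
kernel_selector() {
  local choice
  while true; do
    echo "List of kernels:"
    echo "1) Stable — Vanilla Linux kernel and modules, with a few patches applied."
    echo "2) Hardened — A security-focused Linux kernel."
    echo "3) Longterm — Long-term support (LTS) Linux kernel and modules."
    echo "4) Zen Kernel — Optimized for desktop usage."
    # On EOF an empty choice would otherwise re-prompt forever; bail out instead.
    read -r -p "Insert the number of the corresponding kernel: " choice || return 1
    case "$choice" in
      1) kernel=linux ;;
      2) kernel=linux-hardened ;;
      3) kernel=linux-lts ;;
      4) kernel=linux-zen ;;
      *)
        echo "You did not enter a valid selection."
        continue
        ;;
    esac
    # Announce only after the input mapped to a real package (the original
    # printed this line before validating the choice).
    echo "$choice will be installed"
    return 0
  done
}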
# Checking the microcode to install.
# The vendor string decides which microcode package pacstrap pulls in;
# anything that is not AMD is treated as Intel.
CPU=$(grep vendor_id /proc/cpuinfo)
case "$CPU" in
  *AuthenticAMD*) microcode=amd-ucode ;;
  *) microcode=intel-ucode ;;
esac
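# Selecting the target for the installation.
PS3="Select the disk where Arch Linux is going to be installed: "
# Whole devices only (-d), full path (-p), no header (-n), name column only.
mapfile -t disks < <(lsblk -dpnoNAME | grep -P "/dev/sd|nvme|vd")
if (( ${#disks[@]} == 0 )); then
  echo "No suitable disk found (expected /dev/sd*, /dev/nvme* or /dev/vd*)." >&2
  exit 1
fi
select ENTRY in "${disks[@]}"; do
  # An empty ENTRY means the reply was not one of the offered numbers;
  # the original accepted it and went on to wipe an empty device name.
  [[ -n "$ENTRY" ]] || continue
  DISK=$ENTRY
  echo "Installing Arch Linux on $DISK."
  break
done
# select also ends on EOF without a choice; never continue without a target.
[[ -n "${DISK:-}" ]] || { echo "No disk selected." >&2; exit 1; }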
# Deleting old partition scheme.
read -r -p "This will delete the current partition table on $DISK. Do you agree [y/N]? " response
response=${response,,}
# Only an explicit "y" or "yes" (case-insensitive) wipes the disk.
case "$response" in
  y|yes)
    wipefs -af "$DISK" &>/dev/null
    sgdisk -Zo "$DISK" &>/dev/null
    ;;
  *)
    echo "Quitting."
    exit
    ;;
esac
# Creating a new partition scheme.
echo "Creating new partition scheme on $DISK."
# GPT with a 100 MiB EFI System Partition and the rest for the LUKS container.
# The partition labels double as stable device paths below.
parted_cmds=(
  mklabel gpt
  mkpart ESP fat32 1MiB 101MiB
  set 1 esp on
  mkpart cryptroot 101MiB 100%
)
parted -s "$DISK" "${parted_cmds[@]}"
ESP="/dev/disk/by-partlabel/ESP"
cryptroot="/dev/disk/by-partlabel/cryptroot"
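# Informing the Kernel of the changes.
echo "Informing the Kernel about the disk changes."
partprobe "$DISK"
# The by-partlabel symlinks used below are created asynchronously by udev;
# wait for its queue so the next commands do not race the device nodes.
udevadm settle

# Formatting the ESP as FAT32.
echo "Formatting the EFI Partition as FAT32."
mkfs.fat -F 32 "$ESP" &>/dev/null

# Creating a LUKS Container for the root partition.
# LUKS1 is used because GRUB's cryptodisk unlocks the container at boot
# (GRUB_ENABLE_CRYPTODISK is switched on later); LUKS2 support in GRUB was
# limited at the time of writing — check your GRUB version before changing this.
echo "Creating LUKS Container for the root partition."
cryptsetup luksFormat --type luks1 "$cryptroot"
echo "Opening the newly created LUKS Container."
cryptsetup open "$cryptroot" cryptroot
BTRFS="/dev/mapper/cryptroot"

# Formatting the LUKS Container as BTRFS.
echo "Formatting the LUKS container as BTRFS."
mkfs.btrfs "$BTRFS" &>/dev/null
mount "$BTRFS" /mnt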
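# Creating BTRFS subvolumes.
echo "Creating BTRFS subvolumes."
# Layout: @ is the top level, @/.snapshots/1/snapshot is the first root snapshot
# that the system will boot from.
btrfs su cr /mnt/@ &>/dev/null
btrfs su cr /mnt/@/.snapshots &>/dev/null
mkdir -p /mnt/@/.snapshots/1 &>/dev/null
btrfs su cr /mnt/@/.snapshots/1/snapshot &>/dev/null

# Subvolumes kept out of the root snapshot; each one is mounted separately below.
subvols=(
  boot home root srv var_log var_log_journal var_crash var_cache var_tmp
  var_spool var_lib_libvirt_images var_lib_machines var_lib_gdm
  var_lib_AccountsService cryptkey
)
for subvol in "${subvols[@]}"; do
  btrfs su cr "/mnt/@/$subvol" &>/dev/null
done

# chattr +C disables copy-on-write for the directory (and files created in it).
# /home and /root intentionally keep CoW; the others hold logs, caches, VM
# images or the LUKS key file.
nocow=(
  boot srv var_log var_log_journal var_crash var_cache var_tmp var_spool
  var_lib_libvirt_images var_lib_machines var_lib_gdm var_lib_AccountsService
  cryptkey
)
for subvol in "${nocow[@]}"; do
  chattr +C "/mnt/@/$subvol"
done

# Set the default BTRFS subvolume to snapshot 1 before pacstrapping, so that
# mounting the filesystem without subvol= lands in the first root snapshot.
snapshot_id=$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')
[[ -n "$snapshot_id" ]] || { echo "Could not find the ID of @/.snapshots/1/snapshot." >&2; exit 1; }
btrfs subvolume set-default "$snapshot_id" /mnt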
# Snapper metadata for the first root snapshot; the delimiter is quoted because
# nothing in the document is meant to be expanded by the shell.
cat <<'EOF' >> /mnt/@/.snapshots/1/info.xml
<?xml version="1.0"?>
<snapshot>
<type>single</type>
<num>1</num>
<date>1999-03-31 0:00:00</date>
<description>First Root Filesystem</description>
<cleanup>number</cleanup>
</snapshot>
EOF
# Snapper metadata is root-only.
chmod 600 /mnt/@/.snapshots/1/info.xml
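# Mounting the newly created subvolumes.
umount /mnt
echo "Mounting the newly created subvolumes."
# Options shared by every BTRFS mount; subvolume-specific flags are appended per mount.
btrfs_opts="ssd,noatime,space_cache,compress=zstd:15"
mount -o "$btrfs_opts" "$BTRFS" /mnt
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/log/journal,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines,var/lib/gdm,var/lib/AccountsService,cryptkey}
subvol_opts="$btrfs_opts,autodefrag,discard=async"
# NOTE(review): btrfs applies options such as nodatacow/compress/discard
# filesystem-wide from the first mount; the per-mount copies below are most
# likely ignored and the chattr +C calls above are what really disable CoW —
# confirm against btrfs(5).
# nodev,nosuid go on every user-writable tree; noexec wherever nothing needs to run.
mount -o "$subvol_opts,nodev,nosuid,noexec,subvol=@/boot" "$BTRFS" /mnt/boot
mount -o "$subvol_opts,nodev,nosuid,subvol=@/root" "$BTRFS" /mnt/root
# The original spelled "space_cache.autodefrag" for /home and /srv, which mount rejects.
mount -o "$subvol_opts,nodev,nosuid,subvol=@/home" "$BTRFS" /mnt/home
mount -o "$subvol_opts,subvol=@/.snapshots" "$BTRFS" /mnt/.snapshots
mount -o "$subvol_opts,subvol=@/srv" "$BTRFS" /mnt/srv
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/var_log" "$BTRFS" /mnt/var/log
# Toolbox (https://github.com/containers/toolbox) needs /var/log/journal to have dev, suid, and exec. Thus I am splitting the subvolume.
mount -o "$subvol_opts,nodatacow,subvol=@/var_log_journal" "$BTRFS" /mnt/var/log/journal
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/var_crash" "$BTRFS" /mnt/var/crash
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/var_cache" "$BTRFS" /mnt/var/cache
# Pamac needs /var/tmp to have exec. Thus I am not adding that flag.
# I am considering including pacmac-flatpak-gnome AUR package by default, since I am its maintainer.
mount -o "$subvol_opts,nodatacow,nodev,nosuid,subvol=@/var_tmp" "$BTRFS" /mnt/var/tmp
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/var_spool" "$BTRFS" /mnt/var/spool
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_libvirt_images" "$BTRFS" /mnt/var/lib/libvirt/images
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_machines" "$BTRFS" /mnt/var/lib/machines
# GNOME requires /var/lib/gdm and /var/lib/AccountsService to be writeable when booting into a readonly snapshot. Thus we sadly have to split them.
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_gdm" "$BTRFS" /mnt/var/lib/gdm
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_AccountsService" "$BTRFS" /mnt/var/lib/AccountsService
# The key file lives in its own subvolume so that it is not included in the snap-pac backups.
mount -o "$subvol_opts,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey" "$BTRFS" /mnt/cryptkey

mkdir -p /mnt/boot/efi
mount -o nodev,nosuid,noexec "$ESP" /mnt/boot/efi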
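kernel_selector

# Pacstrap (setting up a base system onto the new root).
# As I said above, I am considering replacing gnome-software with pamac-flatpak-gnome as PackageKit seems very buggy on Arch Linux right now.
echo "Installing the base system (it may take a while)."
# $kernel and $microcode come from kernel_selector and the vendor check above;
# the list is an array so every name is passed as exactly one argument.
packages=(
  base "$kernel" "$microcode" linux-firmware grub grub-btrfs snapper snap-pac snap-sync
  efibootmgr sudo networkmanager apparmor python2-notify python-psutil nano gdm
  gnome-control-center gnome-terminal gnome-software gnome-software-packagekit-plugin
  gnome-tweaks nautilus pipewire-pulse pipewire-alsa pipewire-jack flatpak firewalld
  zram-generator adobe-source-han-sans-otc-fonts adobe-source-han-serif-otc-fonts
  gnu-free-fonts reflector mlocate man-db
)
pacstrap /mnt "${packages[@]}"

# Routing jack2 through PipeWire.
echo "/usr/lib/pipewire-0.3/jack" > /mnt/etc/ld.so.conf.d/pipewire-jack.conf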
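# Generating /etc/fstab.
echo "Generating a new fstab."
genfstab -U /mnt >> /mnt/etc/fstab
# genfstab pins the root mount to the snapshot subvolume (subvolid=<id>,subvol=...).
# Stripping that presumably makes the root entry follow the btrfs default
# subvolume set earlier, which is what a rollback changes. The id is matched
# generically instead of assuming it is always 258.
sed -i 's#,subvolid=[0-9]*,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot##g' /mnt/etc/fstab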
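# Setting hostname.
read -r -p "Please enter the hostname: " hostname
[[ -n "$hostname" ]] || { echo "The hostname must not be empty." >&2; exit 1; }
# printf rather than echo: a value such as "-n" would be swallowed by echo.
printf '%s\n' "$hostname" > /mnt/etc/hostname

# Setting up locales.
read -r -p "Please insert the locale you use in this format (xx_XX): " locale
printf '%s.UTF-8 UTF-8\n' "$locale" > /mnt/etc/locale.gen
printf 'LANG=%s.UTF-8\n' "$locale" > /mnt/etc/locale.conf

# Setting up keyboard layout.
read -r -p "Please insert the keyboard layout you use: " kblayout
printf 'KEYMAP=%s\n' "$kblayout" > /mnt/etc/vconsole.conf

# Setting hosts file.
echo "Setting hosts file."
cat > /mnt/etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
127.0.1.1 $hostname.localdomain $hostname
EOF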
# Configuring /etc/mkinitcpio.conf
echo "Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook."
mkinitcpio_conf=/mnt/etc/mkinitcpio.conf
# Uncomment the zstd compression setting.
sed -i 's,#COMPRESSION="zstd",COMPRESSION="zstd",g' "$mkinitcpio_conf"
# Move keyboard ahead of modconf and insert the encrypt hook before filesystems.
sed -i 's,modconf block filesystems keyboard,keyboard modconf block encrypt filesystems,g' "$mkinitcpio_conf"
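# Enabling LUKS in GRUB and setting the UUID of the LUKS container.
# Ask blkid for the UUID tag directly instead of cutting the second quoted
# field of its free-form output, which depends on tag ordering.
UUID=$(blkid -s UUID -o value "$cryptroot")
[[ -n "$UUID" ]] || { echo "Could not determine the UUID of $cryptroot." >&2; exit 1; }
sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub
printf '\n# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true\n' >> /mnt/etc/default/grub
# Drop the fixed rootflags=subvol=... so GRUB boots the btrfs default subvolume.
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen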
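# Enabling CPU Mitigations, Distrusting the CPU and Enabling IOMMU with GRUB
# snippets from Whonix's security-misc. They are fetched unpinned from the
# master branch, so review the upstream files before relying on them; -f makes
# an HTTP error abort the install instead of appending an error page to the config.
whonix_grub=https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/grub.d
curl -fsSL "$whonix_grub/40_cpu_mitigations.cfg" >> /mnt/etc/grub.d/40_cpu_mitigations
curl -fsSL "$whonix_grub/40_distrust_cpu.cfg" >> /mnt/etc/grub.d/40_distrust_cpu
curl -fsSL "$whonix_grub/40_enable_iommu.cfg" >> /mnt/etc/grub.d/40_enable_iommu

# Setting GRUB configuration file permissions (grub-mkconfig only runs executable scripts).
chmod 755 /mnt/etc/grub.d/*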
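# Adding keyfile to the initramfs to avoid double password.
# 2048 random bytes; iflag=fullblock ensures the full count is read from /dev/random.
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
# Same device the container was created on (the original repeated the literal path).
cryptsetup -v luksAddKey "$cryptroot" /mnt/cryptkey/.root.key
# Kernel command line: unlock the container with the key embedded in the
# initramfs (FILES= below) and stack the LSMs. "quiet" is replaced because it is
# present in Arch's default GRUB_CMDLINE_LINUX_DEFAULT; the initramfs containing
# the key must stay root-only (see the chmod 600 in the chroot section).
sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=landlock,lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf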
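# Configure AppArmor Parser caching on the installed system. The previous paths
# pointed at the live environment's /etc, where the file is absent unless
# apparmor happens to be installed there, so sed failed and the -e shell exited.
sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf
# The closing delimiter must be the same "," as the opening one; the original
# "...#g" left the s command unterminated.
sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf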
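# Blacklisting kernel modules
whonix_etc=https://raw.githubusercontent.com/Whonix/security-misc/master/etc
# -f: an HTTP error aborts the install instead of appending an error page to the config.
curl -fsSL "$whonix_etc/modprobe.d/30_security-misc.conf" >> /mnt/etc/modprobe.d/30_security-misc.conf
chmod 600 /mnt/etc/modprobe.d/*

# Security kernel settings.
curl -fsSL "$whonix_etc/sysctl.d/30_security-misc.conf" >> /mnt/etc/sysctl.d/30_security-misc.conf
# Tighten ptrace beyond upstream: scope 3 disables ptrace attach entirely and
# cannot be lowered again until reboot, which also breaks debuggers and strace.
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/30_security-misc.conf
curl -fsSL "$whonix_etc/sysctl.d/30_silent-kernel-printk.conf" >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
chmod 600 /mnt/etc/sysctl.d/*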
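# IO udev rules
garuda_udev=https://gitlab.com/garuda-linux/themes-and-settings/settings/garuda-common-settings/-/raw/master/etc/udev/rules.d
curl -fsSL "$garuda_udev/50-sata.rules" > /mnt/etc/udev/rules.d/50-sata.rules
# Both rules belong to the installed system; the second one previously landed
# in the live environment's /etc/udev/rules.d.
curl -fsSL "$garuda_udev/60-ioschedulers.rules" > /mnt/etc/udev/rules.d/60-ioschedulers.rules
chmod 600 /mnt/etc/udev/rules.d/*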
# Remove nullok from system-auth so empty passwords never authenticate.
sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth

# ZRAM configuration (quoted delimiter: the content is written literally).
cat > /mnt/etc/systemd/zram-generator.conf <<'EOF'
[zram0]
zram-fraction=1
max-zram-size=8192
EOF
# Randomize Mac Address.
# The delimiter stays quoted: ${CONNECTION}/${BOOT} is NetworkManager syntax,
# not a shell expansion.
cat > /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf <<'EOF'
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
connection.stable-id=${CONNECTION}/${BOOT}
EOF
chmod 600 /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf

# Disable Connectivity Check (interval=0 turns the periodic probe off).
cat > /mnt/etc/NetworkManager/conf.d/20-connectivity.conf <<'EOF'
[connectivity]
uri=http://www.archlinux.org/check_network_status.txt
interval=0
EOF
chmod 600 /mnt/etc/NetworkManager/conf.d/20-connectivity.conf
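# Configuring the system.
# Everything that needs input is gathered here, outside the chroot: a shell
# that reads its script from a heredoc hands that same heredoc to its children,
# so an interactive read/passwd inside it would consume the script text itself.
timezone=$(curl -fs "http://ip-api.com/line?fields=timezone" || true)
# The geolocation answer is untrusted network input that ends up in a path;
# accept only a plain zone name such as Area/City and fall back to UTC.
if [[ ! "$timezone" =~ ^[A-Za-z0-9_+-]+(/[A-Za-z0-9_+-]+)*$ ]]; then
  echo "Could not determine the timezone automatically, falling back to UTC." >&2
  timezone=UTC
fi
read -r -p "Please choose an admin user to create: " username
# The name is interpolated into the unquoted heredoc below and into paths, so
# restrict it to the conservative portable user-name set (relax if needed).
[[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || { echo "Invalid user name: $username" >&2; exit 1; }

# The delimiter is unquoted on purpose: $timezone and $username are expanded
# here, before the script is handed to the chroot; nothing else is meant to expand.
arch-chroot /mnt /bin/bash -e <<EOF
# Setting up timezone.
ln -sf "/usr/share/zoneinfo/$timezone" /etc/localtime &>/dev/null

# Setting up clock.
hwclock --systohc

# Generating locales.
echo "Generating locales."
locale-gen &>/dev/null

# Generating a new initramfs.
echo "Creating a new initramfs."
# The initramfs embeds the LUKS key file (FILES= in mkinitcpio.conf), so it must
# not be world-readable. NOTE(review): confirm the mode survives mkinitcpio -P,
# which rewrites these files.
chmod 600 /boot/initramfs-linux* &>/dev/null
mkinitcpio -P &>/dev/null

# Snapper configuration
umount /.snapshots
rm -r /.snapshots
snapper --no-dbus -c root create-config /
btrfs subvolume delete /.snapshots
mkdir /.snapshots
mount -a
chmod 750 /.snapshots

# Installing GRUB.
# part_gpt was misspelled "part_gtp" in the module list, which grub-install rejects.
echo "Installing GRUB on /boot."
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock &>/dev/null

# Creating grub config file.
echo "Creating GRUB config file."
grub-mkconfig -o /boot/grub/grub.cfg &>/dev/null

# Creating wheel user
echo "Creating user $username"
useradd -m -g wheel "$username"
# passwd is interactive: read from the terminal, not from this script.
# Assumes the installer itself runs on an interactive terminal.
passwd "$username" </dev/tty
groupadd -r audit
gpasswd -a "$username" audit
EOF

# Enable AppArmor notifications
# The autostart directory does not exist in a fresh home; create it (the
# original cat failed here) and give it back to the user afterwards.
autostart_dir="/mnt/home/$username/.config/autostart"
mkdir -p "$autostart_dir"
cat > "$autostart_dir/apparmor-notify.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=AppArmor Notify
Comment=Receive on screen notifications of AppArmor denials
TryExec=aa-notify
Exec=aa-notify -p -s 1 -w 60 -f /var/log/audit/audit.log
StartupNotify=false
NoDisplay=true
EOF
arch-chroot /mnt chown -R "$username:wheel" "/home/$username/.config"

# Giving wheel user sudo access.
sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/g' /mnt/etc/sudoers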
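# Change audit logging group on the installed system (the original appended to
# the live environment's /etc/audit/auditd.conf instead of /mnt's).
echo "log_group = audit" >> /mnt/etc/audit/auditd.conf
# Enabling audit service.
systemctl enable auditd --root=/mnt &>/dev/null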
#######################################
# Enable a systemd unit in the installed system, silencing systemctl's output.
# Arguments: $1 - unit name
#######################################
enable_unit() {
  systemctl enable "$1" --root=/mnt &>/dev/null
}

# Enabling auto-trimming service.
enable_unit fstrim.timer

# Enabling NetworkManager service.
echo "Enabling NetworkManager"
enable_unit NetworkManager

# Enabling GDM.
enable_unit gdm

# Enabling AppArmor.
echo "Enabling AppArmor."
enable_unit apparmor

# Enabling Firewalld.
echo "Enabling Firewalld."
enable_unit firewalld

# Enabling Bluetooth Service (This is only to fix the visual glitch with gnome where it gets stuck in the menu at the top right).
# IF YOU WANT TO USE BLUETOOTH, YOU MUST REMOVE IT FROM THE LIST OF BLACKLISTED KERNEL MODULES IN /mnt/etc/modprobe.d/30_security-misc.conf
enable_unit bluetooth

# Enabling Reflector timer.
echo "Enabling Reflector."
enable_unit reflector.timer

# Enabling systemd-oomd.
echo "Enabling systemd-oomd."
enable_unit systemd-oomd

# Enabling Snapper automatic snapshots.
echo "Enabling Snapper and automatic snapshots entries."
enable_unit snapper-timeline.timer
enable_unit snapper-cleanup.timer
enable_unit grub-btrfs.path
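# Setting umask to 077.
# Match the umask line itself rather than every "022" occurrence in /etc/profile.
sed -i 's/umask 022/umask 077/g' /mnt/etc/profile
# Same as the original two echo calls: a blank line followed by the umask line.
printf '\numask 077\n' >> /mnt/etc/bash.bashrc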
# Finishing up
printf '%s\n' "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
exit