1
0
mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2024-11-22 01:21:34 -05:00
Arch-Setup-Script/desktop.sh

464 lines
18 KiB
Bash
Raw Normal View History

2021-04-14 08:11:45 -04:00
#!/usr/bin/env -S bash -e
2021-01-31 08:36:10 -05:00
2021-02-01 03:37:35 -05:00
# Cleaning the TTY.
clear
2021-02-01 03:13:05 -05:00
2021-07-25 03:03:01 -04:00
2022-08-24 05:39:39 -04:00
# Selecting the kernel flavor to install.
2021-04-14 19:17:38 -04:00
kernel_selector () {
echo "List of kernels:"
echo "1) Stable — Vanilla Linux kernel and modules, with a few patches applied."
echo "2) Hardened — A security-focused Linux kernel."
echo "3) Longterm — Long-term support (LTS) Linux kernel and modules."
echo "4) Zen Kernel — Optimized for desktop usage."
read -r -p "Insert the number of the corresponding kernel: " choice
echo "$choice will be installed"
case $choice in
2021-04-14 19:17:38 -04:00
1 ) kernel=linux
;;
2021-04-14 19:17:38 -04:00
2 ) kernel=linux-hardened
;;
2021-04-14 19:17:38 -04:00
3 ) kernel=linux-lts
;;
2021-04-14 19:17:38 -04:00
4 ) kernel=linux-zen
;;
2021-04-11 21:33:19 -04:00
* ) echo "You did not enter a valid selection."
2021-04-14 19:17:38 -04:00
kernel_selector
esac
}
## user input ##
2021-04-11 21:33:19 -04:00
2021-01-31 08:36:10 -05:00
# Selecting the target for the installation.
2021-02-07 03:49:38 -05:00
PS3="Select the disk where Arch Linux is going to be installed: "
2021-05-22 02:06:57 -04:00
select ENTRY in $(lsblk -dpnoNAME|grep -P "/dev/sd|nvme|vd");
2021-01-31 08:36:10 -05:00
do
DISK=$ENTRY
echo "Installing Arch Linux on $DISK."
break
done
# Confirming the disk selection.
2021-01-31 08:36:10 -05:00
read -r -p "This will delete the current partition table on $DISK. Do you agree [y/N]? " response
response=${response,,}
if [[ ! ("$response" =~ ^(yes|y)$) ]]; then
2021-02-01 03:13:05 -05:00
echo "Quitting."
exit
2021-01-31 08:36:10 -05:00
fi
#select kernel
kernel_selector
# Setting username.
read -r -p "Please enter name for a user account (leave empty to skip): " username
# Setting password.
if [[ -n $username ]]; then
read -r -p "Please enter a password for the user account: " password
fi
# Choose locales.
read -r -p "Please insert the locale you use in this format (xx_XX): " locale
# Choose keyboard layout.
read -r -p "Please insert the keyboard layout you use: " kblayout
## installation ##
# Updating the live environment usually causes more problems than its worth, and quite often can't be done without remounting cowspace with more capacity, especially at the end of any given month.
pacman -Sy
# Installing curl
pacman -S --noconfirm curl
# formatting the disk
wipefs -af "$DISK" &>/dev/null
sgdisk -Zo "$DISK" &>/dev/null
# Checking the microcode to install.
CPU=$(grep vendor_id /proc/cpuinfo)
if [[ $CPU == *"AuthenticAMD"* ]]; then
microcode=amd-ucode
else
microcode=intel-ucode
fi
2021-01-31 08:36:10 -05:00
# Creating a new partition scheme.
echo "Creating new partition scheme on $DISK."
2021-04-23 02:36:39 -04:00
parted -s "$DISK" \
2021-01-31 08:50:43 -05:00
mklabel gpt \
mkpart ESP fat32 1MiB 128MiB \
2021-04-24 04:47:49 -04:00
set 1 esp on \
mkpart cryptroot 128MiB 100% \
2021-01-31 08:36:10 -05:00
2022-07-19 05:58:57 -04:00
sleep 0.1
ESP="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep ESP| cut -d " " -f1 | cut -c7-)"
cryptroot="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep cryptroot | cut -d " " -f1 | cut -c7-)"
2021-01-31 08:36:10 -05:00
2021-02-01 03:33:43 -05:00
# Informing the Kernel of the changes.
echo "Informing the Kernel about the disk changes."
2021-05-22 04:41:57 -04:00
partprobe "$DISK"
2021-01-31 08:36:10 -05:00
# Formatting the ESP as FAT32.
echo "Formatting the EFI Partition as FAT32."
mkfs.fat -F 32 -s 2 $ESP &>/dev/null
2021-01-31 08:36:10 -05:00
# Creating a LUKS Container for the root partition.
echo "Creating LUKS Container for the root partition."
cryptsetup luksFormat --type luks1 $cryptroot
2021-01-31 08:36:10 -05:00
echo "Opening the newly created LUKS Container."
2021-04-23 02:39:46 -04:00
cryptsetup open $cryptroot cryptroot
2021-02-07 03:45:21 -05:00
BTRFS="/dev/mapper/cryptroot"
2021-01-31 08:36:10 -05:00
# Formatting the LUKS Container as BTRFS.
echo "Formatting the LUKS container as BTRFS."
2021-02-01 03:16:23 -05:00
mkfs.btrfs $BTRFS &>/dev/null
2022-08-24 05:39:39 -04:00
mount -o clear_cache,nospace_cache $BTRFS /mnt
2021-01-31 08:36:10 -05:00
# Creating BTRFS subvolumes.
echo "Creating BTRFS subvolumes."
2021-07-25 04:23:01 -04:00
btrfs su cr /mnt/@ &>/dev/null
btrfs su cr /mnt/@/.snapshots &>/dev/null
2021-04-23 12:38:54 -04:00
mkdir -p /mnt/@/.snapshots/1 &>/dev/null
2021-07-25 04:23:01 -04:00
btrfs su cr /mnt/@/.snapshots/1/snapshot &>/dev/null
btrfs su cr /mnt/@/boot/ &>/dev/null
btrfs su cr /mnt/@/home &>/dev/null
btrfs su cr /mnt/@/root &>/dev/null
btrfs su cr /mnt/@/srv &>/dev/null
btrfs su cr /mnt/@/var_log &>/dev/null
2021-08-15 14:18:01 -04:00
btrfs su cr /mnt/@/var_log_journal &>/dev/null
2021-07-25 04:23:01 -04:00
btrfs su cr /mnt/@/var_crash &>/dev/null
btrfs su cr /mnt/@/var_cache &>/dev/null
btrfs su cr /mnt/@/var_tmp &>/dev/null
btrfs su cr /mnt/@/var_spool &>/dev/null
btrfs su cr /mnt/@/var_lib_libvirt_images &>/dev/null
btrfs su cr /mnt/@/var_lib_machines &>/dev/null
btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
btrfs su cr /mnt/@/cryptkey &>/dev/null
2021-05-11 05:55:07 -04:00
chattr +C /mnt/@/boot
2021-04-23 11:17:06 -04:00
chattr +C /mnt/@/srv
2021-04-23 10:36:09 -04:00
chattr +C /mnt/@/var_log
2021-08-15 14:18:01 -04:00
chattr +C /mnt/@/var_log_journal
2021-04-23 11:01:19 -04:00
chattr +C /mnt/@/var_crash
chattr +C /mnt/@/var_cache
chattr +C /mnt/@/var_tmp
2021-04-23 11:07:50 -04:00
chattr +C /mnt/@/var_spool
2021-04-23 12:38:54 -04:00
chattr +C /mnt/@/var_lib_libvirt_images
chattr +C /mnt/@/var_lib_machines
chattr +C /mnt/@/var_lib_gdm
chattr +C /mnt/@/var_lib_AccountsService
chattr +C /mnt/@/cryptkey
2021-07-25 04:23:01 -04:00
2021-08-21 02:56:20 -04:00
#Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
2021-05-22 04:46:16 -04:00
btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt
2021-01-31 08:36:10 -05:00
2021-04-23 12:38:54 -04:00
cat << EOF >> /mnt/@/.snapshots/1/info.xml
<?xml version="1.0"?>
<snapshot>
2021-04-23 17:43:25 -04:00
<type>single</type>
<num>1</num>
<date>1999-03-31 0:00:00</date>
<description>First Root Filesystem</description>
<cleanup>number</cleanup>
2021-04-23 12:38:54 -04:00
</snapshot>
EOF
chmod 600 /mnt/@/.snapshots/1/info.xml
2021-01-31 08:36:10 -05:00
# Mounting the newly created subvolumes.
umount /mnt
2021-01-31 09:07:17 -05:00
echo "Mounting the newly created subvolumes."
2021-04-23 10:17:41 -04:00
mount -o ssd,noatime,space_cache,compress=zstd:15 $BTRFS /mnt
2022-08-24 05:39:39 -04:00
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey}
2021-10-12 20:31:53 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,noexec,subvol=@/boot $BTRFS /mnt/boot
2022-08-24 05:39:39 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/root $BTRFS /mnt/root
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/home $BTRFS /mnt/home
2021-10-12 20:31:53 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/.snapshots $BTRFS /mnt/.snapshots
mount -o ssd,noatime,space_cache=v2.autodefrag,compress=zstd:15,discard=async,subvol=@/srv $BTRFS /mnt/srv
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_log $BTRFS /mnt/var/log
2021-08-22 03:26:49 -04:00
2022-08-24 05:39:39 -04:00
# Toolbox (https://github.com/containers/toolbox) needs /var/log/journal to have dev, suid, and exec, Thus I am splitting the subvolume. Need to make the directory after /mnt/var/log/ has been mounted.
mkdir -p /mnt/var/log/journal
2021-10-12 20:31:53 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,subvol=@/var_log_journal $BTRFS /mnt/var/log/journal
2021-08-22 03:26:49 -04:00
2021-10-12 20:31:53 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_crash $BTRFS /mnt/var/crash
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_cache $BTRFS /mnt/var/cache
2021-08-22 03:26:49 -04:00
# Pamac needs /var/tmp to have exec. Thus I am not adding that flag.
# I am considering including pacmac-flatpak-gnome AUR package by default, since I am its maintainer.
2021-10-12 20:31:53 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,subvol=@/var_tmp $BTRFS /mnt/var/tmp
2021-08-22 03:26:49 -04:00
2021-10-12 20:31:53 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_spool $BTRFS /mnt/var/spool
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_libvirt_images $BTRFS /mnt/var/lib/libvirt/images
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_machines $BTRFS /mnt/var/lib/machines
2021-08-22 03:26:49 -04:00
# GNOME requires /var/lib/gdm and /var/lib/AccountsService to be writeable when booting into a readonly snapshot. Thus we sadly have to split them.
2021-10-12 20:31:53 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_gdm $BTRFS /mnt/var/lib/gdm
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_AccountsService $BTRFS /mnt/var/lib/AccountsService
2021-08-22 03:26:49 -04:00
# The encryption is splitted as we do not want to include it in the backup with snap-pac.
2021-10-12 20:31:53 -04:00
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey $BTRFS /mnt/cryptkey
2021-08-22 03:26:49 -04:00
2021-04-23 10:17:41 -04:00
mkdir -p /mnt/boot/efi
2021-08-05 00:59:34 -04:00
mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi
2021-04-23 10:17:41 -04:00
2021-04-11 21:33:19 -04:00
2021-01-31 09:07:17 -05:00
# Pacstrap (setting up a base sytem onto the new root).
2021-02-01 05:20:58 -05:00
echo "Installing the base system (it may take a while)."
2023-10-31 12:34:49 -04:00
pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor python-psutil python-notify2 nano gdm gnome-control-center gnome-terminal gnome-tweaks nautilus pipewire-pulse pipewire-alsa pipewire-jack flatpak firewalld zram-generator adobe-source-han-sans-otc-fonts adobe-source-han-serif-otc-fonts gnu-free-fonts reflector mlocate man-db chrony sbctl
2021-08-22 03:26:49 -04:00
# Routing jack2 through PipeWire.
echo "/usr/lib/pipewire-0.3/jack" > /mnt/etc/ld.so.conf.d/pipewire-jack.conf
2021-01-31 09:07:17 -05:00
2021-02-07 03:45:21 -05:00
# Generating /etc/fstab.
2021-01-31 09:07:17 -05:00
echo "Generating a new fstab."
2021-01-31 09:29:22 -05:00
genfstab -U /mnt >> /mnt/etc/fstab
2021-04-24 04:49:49 -04:00
sed -i 's#,subvolid=258,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot##g' /mnt/etc/fstab
2021-01-31 09:29:22 -05:00
# Setting hostname.
2021-02-01 01:02:41 -05:00
read -r -p "Please enter the hostname: " hostname
2021-05-22 04:41:57 -04:00
echo "$hostname" > /mnt/etc/hostname
2021-01-31 09:29:22 -05:00
2021-10-12 20:31:53 -04:00
# Setting hosts file.
echo "Setting hosts file."
cat > /mnt/etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
127.0.1.1 $hostname.localdomain $hostname
EOF
# Setting up locales.
echo "$locale.UTF-8 UTF-8" > /mnt/etc/locale.gen
echo "LANG=$locale.UTF-8" > /mnt/etc/locale.conf
# Setting up keyboard layout.
read -r -p "Please insert the keyboard layout you use: " kblayout
echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
2021-01-31 12:20:13 -05:00
# Configuring /etc/mkinitcpio.conf
echo "Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook."
2021-05-11 02:37:33 -04:00
sed -i 's,#COMPRESSION="zstd",COMPRESSION="zstd",g' /mnt/etc/mkinitcpio.conf
sed -i 's,modconf block filesystems keyboard,keyboard modconf block encrypt filesystems,g' /mnt/etc/mkinitcpio.conf
2021-01-31 12:20:13 -05:00
# Enabling LUKS in GRUB and setting the UUID of the LUKS container.
2021-04-23 02:39:46 -04:00
UUID=$(blkid $cryptroot | cut -f2 -d'"')
2021-01-31 12:20:13 -05:00
sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub
echo "" >> /mnt/etc/default/grub
echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" -o /mnt/etc/default/grub
2021-07-08 06:55:13 -04:00
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen
2021-01-31 12:20:13 -05:00
2021-07-25 03:03:01 -04:00
# Enabling CPU Mitigations
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg -o /mnt/etc/grub.d/40_cpu_mitigations.cfg
2021-07-25 03:03:01 -04:00
# Distrusting the CPU
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg -o /mnt/etc/grub.d/40_distrust_cpu.cfg
2021-07-25 03:03:01 -04:00
# Enabling IOMMU
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg -o /mnt/etc/grub.d/40_enable_iommu.cfg
2021-07-25 03:03:01 -04:00
2022-07-13 09:40:34 -04:00
# Enabling NTS
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /mnt/etc/chrony.conf
2022-07-13 09:40:34 -04:00
2021-07-25 05:10:07 -04:00
# Setting GRUB configuration file permissions
chmod 755 /mnt/etc/grub.d/*
2021-04-14 19:31:15 -04:00
# Adding keyfile to the initramfs to avoid double password.
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key
2021-08-30 03:25:38 -04:00
sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=landlock,lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
2021-04-14 19:31:15 -04:00
2021-08-30 05:37:24 -04:00
# Configure AppArmor Parser caching
2022-08-24 05:39:39 -04:00
sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf
sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf
2021-08-30 05:37:24 -04:00
2021-07-25 03:11:44 -04:00
# Blacklisting kernel modules
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /mnt/etc/modprobe.d/30_security-misc.conf
2021-07-25 05:10:07 -04:00
chmod 600 /mnt/etc/modprobe.d/*
2021-07-25 03:11:44 -04:00
2021-04-23 02:36:39 -04:00
# Security kernel settings.
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /mnt/etc/sysctl.d/990-security-misc.conf
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
2021-07-25 05:10:07 -04:00
chmod 600 /mnt/etc/sysctl.d/*
2021-04-23 02:36:39 -04:00
2021-08-28 20:06:54 -04:00
# Remove nullok from system-auth
sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth
# Disable coredump
echo "* hard core 0" >> /mnt/etc/security/limits.conf
# Disable su for non-wheel users
bash -c 'cat > /mnt/etc/pam.d/su' <<-'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
EOF
2021-08-28 20:06:54 -04:00
# ZRAM configuration
bash -c 'cat > /mnt/etc/systemd/zram-generator.conf' <<-'EOF'
[zram0]
zram-fraction = 1
max-zram-size = 8192
EOF
2021-05-22 02:05:01 -04:00
# Randomize Mac Address.
2021-05-11 06:36:57 -04:00
bash -c 'cat > /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
connection.stable-id=${CONNECTION}/${BOOT}
EOF
2021-05-22 06:53:23 -04:00
chmod 600 /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf
2021-05-11 06:36:57 -04:00
# Enable IPv6 privacy extensions
bash -c 'cat > /mnt/etc/NetworkManager/conf.d/ip6-privacy.conf' <<-'EOF'
[connection]
ipv6.ip6-privacy=2
EOF
chmod 600 /mnt/etc/NetworkManager/conf.d/ip6-privacy.conf
2022-08-24 05:39:39 -04:00
# Configuring the system.
2021-02-07 03:45:21 -05:00
arch-chroot /mnt /bin/bash -e <<EOF
2022-08-24 05:39:39 -04:00
2021-04-14 19:31:15 -04:00
# Setting up timezone.
ln -sf /usr/share/zoneinfo/$(curl -s http://ip-api.com/line?fields=timezone) /etc/localtime &>/dev/null
2022-08-24 05:39:39 -04:00
2021-01-31 12:20:13 -05:00
# Setting up clock.
hwclock --systohc
2022-08-24 05:39:39 -04:00
# Generating locales.my keys aren't even on
2021-02-01 06:09:02 -05:00
echo "Generating locales."
locale-gen &>/dev/null
2022-08-24 05:39:39 -04:00
2021-01-31 12:20:13 -05:00
# Generating a new initramfs.
2021-02-01 06:09:02 -05:00
echo "Creating a new initramfs."
2021-04-14 19:31:15 -04:00
chmod 600 /boot/initramfs-linux* &>/dev/null
2021-02-01 06:09:02 -05:00
mkinitcpio -P &>/dev/null
2021-01-31 12:20:13 -05:00
2021-04-23 10:17:41 -04:00
# Snapper configuration
umount /.snapshots
rm -r /.snapshots
snapper --no-dbus -c root create-config /
btrfs subvolume delete /.snapshots
mkdir /.snapshots
mount -a
chmod 750 /.snapshots
2021-02-01 06:09:02 -05:00
# Installing GRUB.
echo "Installing GRUB on /boot."
2022-08-24 05:39:39 -04:00
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock &>/dev/null
2021-01-31 12:20:13 -05:00
# Creating grub config file.
2021-02-01 06:09:02 -05:00
echo "Creating GRUB config file."
grub-mkconfig -o /boot/grub/grub.cfg &>/dev/null
2021-06-14 21:39:50 -04:00
2021-10-12 20:31:53 -04:00
# Adding user with sudo privilege
if [ -n "$username" ]; then
echo "Adding $username with root privilege."
useradd -m $username
usermod -aG wheel $username
2022-08-24 05:39:39 -04:00
2021-10-12 20:31:53 -04:00
groupadd -r audit
2022-08-24 05:39:39 -04:00
gpasswd -a $username audit
2021-10-12 20:31:53 -04:00
fi
2021-08-30 05:37:24 -04:00
EOF
2022-08-24 05:39:39 -04:00
# Enable AppArmor notifications
# Must create ~/.config/autostart first
mkdir -p -m 700 /mnt/home/${username}/.config/autostart/
bash -c "cat > /mnt/home/${username}/.config/autostart/apparmor-notify.desktop" <<-'EOF'
2021-08-30 05:37:24 -04:00
[Desktop Entry]
Type=Application
Name=AppArmor Notify
Comment=Receive on screen notifications of AppArmor denials
TryExec=aa-notify
Exec=aa-notify -p -s 1 -w 60 -f /var/log/audit/audit.log
StartupNotify=false
NoDisplay=true
2021-01-31 12:26:22 -05:00
EOF
2022-08-24 05:39:39 -04:00
chmod 700 /mnt/home/${username}/.config/autostart/apparmor-notify.desktop
arch-chroot /mnt chown -R $username:$username /home/${username}/.config
# Setting user password.
[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${password}\n${password}" | arch-chroot /mnt passwd "$username" &>/dev/null
2021-10-12 20:31:53 -04:00
2021-08-30 05:37:24 -04:00
# Giving wheel user sudo access.
sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers
2021-01-31 12:26:22 -05:00
2021-08-30 05:37:24 -04:00
# Change audit logging group
echo "log_group = audit" >> /mnt/etc/audit/auditd.conf
2021-08-30 05:37:24 -04:00
# Enabling audit service.
systemctl enable auditd --root=/mnt &>/dev/null
2021-02-07 03:45:21 -05:00
# Enabling auto-trimming service.
2021-02-01 03:16:23 -05:00
systemctl enable fstrim.timer --root=/mnt &>/dev/null
2021-01-31 12:26:22 -05:00
2021-09-24 12:38:03 -04:00
# Enabling NetworkManager.
2021-02-01 03:16:23 -05:00
systemctl enable NetworkManager --root=/mnt &>/dev/null
2021-01-31 14:45:13 -05:00
2021-05-22 02:05:01 -04:00
# Enabling GDM.
2021-04-11 21:33:19 -04:00
systemctl enable gdm --root=/mnt &>/dev/null
2021-05-22 02:05:01 -04:00
# Enabling AppArmor.
2021-07-01 05:19:51 -04:00
echo "Enabling AppArmor."
2021-04-11 21:33:19 -04:00
systemctl enable apparmor --root=/mnt &>/dev/null
2021-05-22 02:05:01 -04:00
# Enabling Firewalld.
2021-07-01 05:19:51 -04:00
echo "Enabling Firewalld."
2021-04-11 21:33:19 -04:00
systemctl enable firewalld --root=/mnt &>/dev/null
2021-07-25 03:11:44 -04:00
# Enabling Bluetooth Service (This is only to fix the visual glitch with gnome where it gets stuck in the menu at the top right).
# IF YOU WANT TO USE BLUETOOTH, YOU MUST REMOVE IT FROM THE LIST OF BLACKLISTED KERNEL MODULES IN /mnt/etc/modprobe.d/30_security-misc.conf
systemctl enable bluetooth --root=/mnt &>/dev/null
2021-05-22 02:05:01 -04:00
# Enabling Reflector timer.
2021-07-01 05:19:51 -04:00
echo "Enabling Reflector."
2021-05-22 01:37:15 -04:00
systemctl enable reflector.timer --root=/mnt &>/dev/null
2021-07-25 03:34:32 -04:00
# Enabling systemd-oomd.
echo "Enabling systemd-oomd."
systemctl enable systemd-oomd --root=/mnt &>/dev/null
2021-07-15 07:42:54 -04:00
2022-07-13 09:40:34 -04:00
# Disabling systemd-timesyncd
systemctl disable systemd-timesyncd --root=/mnt &>/dev/null
# Enabling chronyd
systemctl enable chronyd --root=/mnt &>/dev/null
2021-07-01 05:19:51 -04:00
# Enabling Snapper automatic snapshots.
echo "Enabling Snapper and automatic snapshots entries."
systemctl enable snapper-timeline.timer --root=/mnt &>/dev/null
systemctl enable snapper-cleanup.timer --root=/mnt &>/dev/null
systemctl enable grub-btrfs.path --root=/mnt &>/dev/null
2021-05-22 02:05:01 -04:00
# Setting umask to 077.
2021-04-14 21:16:08 -04:00
sed -i 's/022/077/g' /mnt/etc/profile
echo "" >> /mnt/etc/bash.bashrc
echo "umask 077" >> /mnt/etc/bash.bashrc
2021-04-11 21:33:19 -04:00
2021-07-25 03:49:16 -04:00
# Finishing up
2021-02-07 03:45:21 -05:00
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
2021-04-09 03:39:46 -04:00
exit