Finish cleanup
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
325f80455f
commit
13b27b4ca9
269
install.sh
269
install.sh
@ -25,29 +25,30 @@ unpriv(){
|
|||||||
}
|
}
|
||||||
|
|
||||||
install_mode_selector() {
|
install_mode_selector() {
|
||||||
output "Is this a desktop or server installation?"
|
output 'Is this a desktop or server installation?'
|
||||||
output "1) Desktop"
|
output '1) Desktop'
|
||||||
output "2) Server"
|
output '2) Server'
|
||||||
read -r -p "Select the installation type: " choice
|
output 'Insert the number of your selection:'
|
||||||
|
read -r choice
|
||||||
case $choice in
|
case $choice in
|
||||||
1 ) install_mode=desktop
|
1 ) install_mode=desktop
|
||||||
;;
|
;;
|
||||||
2 ) install_mode=server
|
2 ) install_mode=server
|
||||||
;;
|
;;
|
||||||
* ) output "You did not enter a valid selection."
|
* ) output 'You did not enter a valid selection.'
|
||||||
install_mode_selector
|
install_mode_selector
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
# Selecting the kernel flavor to install.
|
# Selecting the kernel flavor to install.
|
||||||
kernel_selector () {
|
kernel_selector () {
|
||||||
output "List of kernels:"
|
output 'List of kernels:'
|
||||||
output "1) Stable — Vanilla Linux kernel and modules, with a few patches applied."
|
output '1) Stable — Vanilla Linux kernel and modules, with a few patches applied.'
|
||||||
output "2) Hardened — A security-focused Linux kernel."
|
output '2) Hardened — A security-focused Linux kernel.'
|
||||||
output "3) Longterm — Long-term support (LTS) Linux kernel and modules."
|
output '3) Longterm — Long-term support (LTS) Linux kernel and modules.'
|
||||||
output "4) Zen Kernel — Optimized for desktop usage."
|
output '4) Zen Kernel — Optimized for desktop usage.'
|
||||||
read -r -p "Insert the number of the corresponding kernel:" choice
|
output 'Insert the number of your selection:'
|
||||||
output "$choice will be installed"
|
read -r choice
|
||||||
case $choice in
|
case $choice in
|
||||||
1 ) kernel=linux
|
1 ) kernel=linux
|
||||||
;;
|
;;
|
||||||
@ -57,67 +58,76 @@ kernel_selector () {
|
|||||||
;;
|
;;
|
||||||
4 ) kernel=linux-zen
|
4 ) kernel=linux-zen
|
||||||
;;
|
;;
|
||||||
* ) output "You did not enter a valid selection."
|
* ) output 'You did not enter a valid selection.'
|
||||||
kernel_selector
|
kernel_selector
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
luks_password_prompt () {
|
luks_password_prompt () {
|
||||||
output "Enter your encryption password (the password will not be shown on the screen):"
|
output 'Enter your encryption password (the password will not be shown on the screen):'
|
||||||
read -r -s luks_password
|
read -r -s luks_password
|
||||||
|
|
||||||
if [ -z "${luks_password}" ]; then
|
if [ -z "${luks_password}" ]; then
|
||||||
output "You need to enter a password."
|
output 'You need to enter a password.'
|
||||||
luks_password_prompt
|
luks_password_prompt
|
||||||
fi
|
fi
|
||||||
|
|
||||||
output "Confirm your encryption password (the password will not be shown on the screen):"
|
output 'Confirm your encryption password (the password will not be shown on the screen):'
|
||||||
read -r -s luks_password2
|
read -r -s luks_password2
|
||||||
if [ "${luks_password}" != "${luks_password2}" ]; then
|
if [ "${luks_password}" != "${luks_password2}" ]; then
|
||||||
output "Passwords don't match, please try again."
|
output 'Passwords do not match, please try again.'
|
||||||
luks_password_prompt
|
luks_password_prompt
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
disk_prompt (){
|
disk_prompt (){
|
||||||
output "Please select the number of the corresponding disk (e.g. 1):"
|
output 'Please select the number of the corresponding disk (e.g. 1):'
|
||||||
select entry in $(lsblk -dpnoNAME|grep -P "/dev/sd|nvme|vd");
|
select entry in $(lsblk -dpnoNAME|grep -P "/dev/sd|nvme|vd");
|
||||||
do
|
do
|
||||||
disk="${entry}"
|
disk="${entry}"
|
||||||
output "Arch Linux will be installed on the following disk: ${disk}"
|
output 'Arch Linux will be installed on the following disk: ${disk}'
|
||||||
break
|
break
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
username_prompt (){
|
username_prompt (){
|
||||||
output "Enter your username:"
|
output 'Enter your username:'
|
||||||
read -r username
|
read -r username
|
||||||
|
|
||||||
if [ "${username}" = '' ]; then
|
if [ -z "${username}" ]; then
|
||||||
output "You need to enter a password."
|
output 'You need to enter a username.'
|
||||||
username_prompt
|
username_prompt
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
user_password_prompt () {
|
user_password_prompt () {
|
||||||
output "Enter your user password (the password will not be shown on the screen):"
|
output 'Enter your user password (the password will not be shown on the screen):'
|
||||||
read -r -s user_password
|
read -r -s user_password
|
||||||
|
|
||||||
if [ -z "${user_password}" ]; then
|
if [ -z "${user_password}" ]; then
|
||||||
output "You need to enter a password."
|
output 'You need to enter a password.'
|
||||||
user_password_prompt
|
user_password_prompt
|
||||||
fi
|
fi
|
||||||
|
|
||||||
output "Confirm your user password (the password will not be shown on the screen):"
|
output 'Confirm your user password (the password will not be shown on the screen):'
|
||||||
read -r -s user_password2
|
read -r -s user_password2
|
||||||
if [ "${user_password}" != "${user_password2}" ]; then
|
if [ "${user_password}" != "${user_password2}" ]; then
|
||||||
output "Passwords don't match, please try again."
|
output 'Passwords do not match, please try again.'
|
||||||
user_password_prompt
|
user_password_prompt
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
hostname_prompt (){
|
||||||
|
output 'Enter your username:'
|
||||||
|
read -r hostname
|
||||||
|
|
||||||
|
if [ -z "${hostname}" ]; then
|
||||||
|
output 'You need to enter a hostname.'
|
||||||
|
hostname_prompt
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Set hardcoded variables (temporary, these will be replaced by future prompts)
|
# Set hardcoded variables (temporary, these will be replaced by future prompts)
|
||||||
hostname=localhost
|
|
||||||
locale=en_US
|
locale=en_US
|
||||||
kblayout=us
|
kblayout=us
|
||||||
|
|
||||||
@ -131,6 +141,7 @@ luks_password_prompt
|
|||||||
disk_prompt
|
disk_prompt
|
||||||
username_prompt
|
username_prompt
|
||||||
user_password_prompt
|
user_password_prompt
|
||||||
|
hostname_prompt
|
||||||
|
|
||||||
# Check if this is a VM
|
# Check if this is a VM
|
||||||
virtualization=$(systemd-detect-virt)
|
virtualization=$(systemd-detect-virt)
|
||||||
@ -155,30 +166,30 @@ parted -s "${disk}" \
|
|||||||
set 1 esp on \
|
set 1 esp on \
|
||||||
mkpart CRYPTROOT 513MiB 100% \
|
mkpart CRYPTROOT 513MiB 100% \
|
||||||
|
|
||||||
ESP="/dev/disk/by-partlabel/ESP"
|
ESP='/dev/disk/by-partlabel/ESP'
|
||||||
cryptroot="/dev/disk/by-partlabel/cryptroot"
|
cryptroot='/dev/disk/by-partlabel/cryptroot'
|
||||||
|
|
||||||
## Informing the Kernel of the changes.
|
## Informing the Kernel of the changes.
|
||||||
output "Informing the Kernel about the disk changes."
|
output 'Informing the Kernel about the disk changes.'
|
||||||
partprobe "${disk}"
|
partprobe "${disk}"
|
||||||
|
|
||||||
## Formatting the ESP as FAT32.
|
## Formatting the ESP as FAT32.
|
||||||
output "Formatting the EFI Partition as FAT32."
|
output 'Formatting the EFI Partition as FAT32.'
|
||||||
mkfs.fat -F 32 -s 2 "${ESP}" &>/dev/null
|
mkfs.fat -F 32 -s 2 "${ESP}" &>/dev/null
|
||||||
|
|
||||||
## Creating a LUKS Container for the root partition.
|
## Creating a LUKS Container for the root partition.
|
||||||
output "Creating LUKS Container for the root partition."
|
output 'Creating LUKS Container for the root partition.'
|
||||||
echo -n "${luks_password}" | cryptsetup luksFormat --type luks1 ${cryptroot} -d - &>/dev/null
|
echo -n "${luks_password}" | cryptsetup luksFormat --type luks1 ${cryptroot} -d - &>/dev/null
|
||||||
echo -n "${luks_password}" | cryptsetup open ${cryptroot} cryptroot -d -
|
echo -n "${luks_password}" | cryptsetup open ${cryptroot} cryptroot -d -
|
||||||
BTRFS="/dev/mapper/cryptroot"
|
BTRFS='/dev/mapper/cryptroot'
|
||||||
|
|
||||||
## Formatting the LUKS Container as BTRFS.
|
## Formatting the LUKS Container as BTRFS.
|
||||||
output "Formatting the LUKS container as BTRFS."
|
output 'Formatting the LUKS container as BTRFS.'
|
||||||
mkfs.btrfs "${BTRFS}" &>/dev/null
|
mkfs.btrfs "${BTRFS}" &>/dev/null
|
||||||
mount "${BTRFS}" /mnt
|
mount "${BTRFS}" /mnt
|
||||||
|
|
||||||
## Creating BTRFS subvolumes.
|
## Creating BTRFS subvolumes.
|
||||||
output "Creating BTRFS subvolumes."
|
output 'Creating BTRFS subvolumes.'
|
||||||
|
|
||||||
btrfs su cr /mnt/@ &>/dev/null
|
btrfs su cr /mnt/@ &>/dev/null
|
||||||
btrfs su cr /mnt/@/.snapshots &>/dev/null
|
btrfs su cr /mnt/@/.snapshots &>/dev/null
|
||||||
@ -234,7 +245,7 @@ chmod 600 /mnt/@/.snapshots/1/info.xml
|
|||||||
|
|
||||||
## Mounting the newly created subvolumes.
|
## Mounting the newly created subvolumes.
|
||||||
umount /mnt
|
umount /mnt
|
||||||
echo "Mounting the newly created subvolumes."
|
output 'Mounting the newly created subvolumes.'
|
||||||
mount -o ssd,noatime,space_cache,compress=zstd:3 "${BTRFS}" /mnt
|
mount -o ssd,noatime,space_cache,compress=zstd:3 "${BTRFS}" /mnt
|
||||||
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey}
|
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey}
|
||||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,noexec,subvol=@/boot "${BTRFS}" /mnt/boot
|
mount -o ssd,noatime,compress=zstd,nodev,nosuid,noexec,subvol=@/boot "${BTRFS}" /mnt/boot
|
||||||
@ -262,7 +273,7 @@ mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptk
|
|||||||
mkdir -p /mnt/boot/efi
|
mkdir -p /mnt/boot/efi
|
||||||
mount -o nodev,nosuid,noexec "${ESP}" /mnt/boot/efi
|
mount -o nodev,nosuid,noexec "${ESP}" /mnt/boot/efi
|
||||||
|
|
||||||
## Checking the microcode to install.
|
## Check the microcode to install.
|
||||||
if [ "${virtualization}" = 'none' ]; then
|
if [ "${virtualization}" = 'none' ]; then
|
||||||
CPU=$(grep vendor_id /proc/cpuinfo)
|
CPU=$(grep vendor_id /proc/cpuinfo)
|
||||||
if [[ "${CPU}" == *"AuthenticAMD"* ]]; then
|
if [[ "${CPU}" == *"AuthenticAMD"* ]]; then
|
||||||
@ -272,42 +283,48 @@ if [ "${virtualization}" = 'none' ]; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## Pacstrap (setting up a base sytem onto the new root).
|
## Pacstrap
|
||||||
## As I said above, I am considering replacing gnome-software with pamac-flatpak-gnome as PackageKit seems very buggy on Arch Linux right now.
|
output 'Installing the base system (it may take a while).'
|
||||||
echo "Installing the base system (it may take a while)."
|
if [ "${install_mode}" = 'desktop' ]; then
|
||||||
pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor firewalld zram-generator reflector chrony sbctl openssh fwupd
|
pacstrap /mnt base ${kernel} ${microcode} apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper snap-pac sudo gdm gnome-control-center gnome-console nautilus pipewire-pulse pipewire-alsa pipewire-jack flatpak zram-generator
|
||||||
|
elif [ "${install_mode}" = 'server' ]; then
|
||||||
|
pacstrap /mnt base ${kernel} ${microcode} apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper snap-pac sudo zram-generator openssh
|
||||||
|
fi
|
||||||
|
|
||||||
# Generating /etc/fstab.
|
if [ "${virtualization}" = 'none' ]; then
|
||||||
echo "Generating a new fstab."
|
pacstrap /mnt sbctl fwupd
|
||||||
|
fi
|
||||||
|
|
||||||
|
## Generate /etc/fstab.
|
||||||
|
output 'Generating a new fstab.'
|
||||||
genfstab -U /mnt >> /mnt/etc/fstab
|
genfstab -U /mnt >> /mnt/etc/fstab
|
||||||
sed -i 's#,subvolid=258,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot##g' /mnt/etc/fstab
|
sed -i 's#,subvolid=258,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot##g' /mnt/etc/fstab
|
||||||
|
|
||||||
# Setting hostname.
|
output 'Setting up hostname, locale and keyboard layout'
|
||||||
read -r -p "Please enter the hostname: " hostname
|
|
||||||
|
## Set hostname.
|
||||||
echo "$hostname" > /mnt/etc/hostname
|
echo "$hostname" > /mnt/etc/hostname
|
||||||
|
|
||||||
# Setting hosts file.
|
## Setting hosts file.
|
||||||
echo "Setting hosts file."
|
echo 'Setting hosts file.'
|
||||||
cat > /mnt/etc/hosts <<EOF
|
echo "127.0.0.1 localhost
|
||||||
127.0.0.1 localhost
|
|
||||||
::1 localhost
|
::1 localhost
|
||||||
127.0.1.1 $hostname.localdomain $hostname
|
127.0.1.1 $hostname.localdomain $hostname" > /mnt/etc/hosts
|
||||||
EOF
|
|
||||||
|
|
||||||
# Setting up locales.
|
## Setup locales.
|
||||||
echo "$locale.UTF-8 UTF-8" > /mnt/etc/locale.gen
|
echo "$locale.UTF-8 UTF-8" > /mnt/etc/locale.gen
|
||||||
echo "LANG=$locale.UTF-8" > /mnt/etc/locale.conf
|
echo "LANG=$locale.UTF-8" > /mnt/etc/locale.conf
|
||||||
|
|
||||||
# Setting up keyboard layout.
|
## Setup keyboard layout.
|
||||||
read -r -p "Please insert the keyboard layout you use: " kblayout
|
read -r -p "Please insert the keyboard layout you use: " kblayout
|
||||||
echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
|
echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
|
||||||
|
|
||||||
# Configuring /etc/mkinitcpio.conf
|
## Configure /etc/mkinitcpio.conf
|
||||||
echo "Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook."
|
output 'Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook.'
|
||||||
sed -i 's,#COMPRESSION="zstd",COMPRESSION="zstd",g' /mnt/etc/mkinitcpio.conf
|
sed -i 's,#COMPRESSION="zstd",COMPRESSION="zstd",g' /mnt/etc/mkinitcpio.conf
|
||||||
sed -i 's,HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck),HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck),g' /mnt/etc/mkinitcpio.conf
|
sed -i 's,HOOKS=.*,HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck),g' /mnt/etc/mkinitcpio.conf
|
||||||
|
|
||||||
# Enabling LUKS in GRUB and setting the UUID of the LUKS container.
|
## Enable LUKS in GRUB and setting the UUID of the LUKS container.
|
||||||
UUID=$(blkid $cryptroot | cut -f2 -d'"')
|
UUID=$(blkid $cryptroot | cut -f2 -d'"')
|
||||||
sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub
|
sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub
|
||||||
echo "" >> /mnt/etc/default/grub
|
echo "" >> /mnt/etc/default/grub
|
||||||
@ -315,70 +332,37 @@ echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETE
|
|||||||
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux
|
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux
|
||||||
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen
|
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen
|
||||||
|
|
||||||
# Enabling CPU Mitigations
|
## Kernel hardening
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg -o /mnt/etc/grub.d/40_cpu_mitigations.cfg
|
sed -i 's/quiet/cryptdevice=UUID=$UUID:cryptroot root=$BTRFS mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1/g' /etc/default/grub
|
||||||
|
sudo update-grub
|
||||||
|
|
||||||
# Distrusting the CPU
|
## Add keyfile to the initramfs to avoid double password.
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg -o /mnt/etc/grub.d/40_distrust_cpu.cfg
|
|
||||||
|
|
||||||
# Enabling IOMMU
|
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg -o /mnt/etc/grub.d/40_enable_iommu.cfg
|
|
||||||
|
|
||||||
# Enabling NTS
|
|
||||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /mnt/etc/chrony.conf
|
|
||||||
|
|
||||||
# Setting GRUB configuration file permissions
|
|
||||||
chmod 755 /mnt/etc/grub.d/*
|
|
||||||
|
|
||||||
# Adding keyfile to the initramfs to avoid double password.
|
|
||||||
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
|
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
|
||||||
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
|
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
|
||||||
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key
|
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key
|
||||||
sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=landlock,lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
|
sed -i "s#debugfs=off#debugfs=off cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
|
||||||
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
||||||
|
|
||||||
# Configure AppArmor Parser caching
|
## Continue kernel hardening
|
||||||
sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
|
||||||
sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /mnt/etc/sysctl.d/990-security-misc.conf
|
||||||
|
|
||||||
# Blacklisting kernel modules
|
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /mnt/etc/modprobe.d/30_security-misc.conf
|
|
||||||
chmod 600 /mnt/etc/modprobe.d/*
|
|
||||||
|
|
||||||
# Security kernel settings.
|
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /mnt/etc/sysctl.d/990-security-misc.conf
|
|
||||||
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf | tee /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf | tee /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
chmod 600 /mnt/etc/sysctl.d/*
|
|
||||||
|
|
||||||
# Remove nullok from system-auth
|
## Setup NTS
|
||||||
|
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | tee /mnt/etc/chrony.conf
|
||||||
|
|
||||||
|
## Remove nullok from system-auth
|
||||||
sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth
|
sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth
|
||||||
|
|
||||||
# Disable coredump
|
## Disable coredump
|
||||||
echo "* hard core 0" >> /mnt/etc/security/limits.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | tee /mnt/etc/security/limits.d/30-disable-coredump.conf
|
||||||
|
|
||||||
# Disable su for non-wheel users
|
## ZRAM configuration
|
||||||
bash -c 'cat > /mnt/etc/pam.d/su' <<-'EOF'
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf | tee /mnt/etc/systemd/zram-generator.conf
|
||||||
#%PAM-1.0
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
# Uncomment the following line to implicitly trust users in the "wheel" group.
|
|
||||||
#auth sufficient pam_wheel.so trust use_uid
|
|
||||||
# Uncomment the following line to require a user to be in the "wheel" group.
|
|
||||||
auth required pam_wheel.so use_uid
|
|
||||||
auth required pam_unix.so
|
|
||||||
account required pam_unix.so
|
|
||||||
session required pam_unix.so
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# ZRAM configuration
|
## Configuring the system.
|
||||||
bash -c 'cat > /mnt/etc/systemd/zram-generator.conf' <<-'EOF'
|
|
||||||
[zram0]
|
|
||||||
zram-fraction = 1
|
|
||||||
max-zram-size = 8192
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Configuring the system.
|
|
||||||
arch-chroot /mnt /bin/bash -e <<EOF
|
arch-chroot /mnt /bin/bash -e <<EOF
|
||||||
|
|
||||||
# Setting up timezone.
|
# Setting up timezone.
|
||||||
@ -418,66 +402,39 @@ arch-chroot /mnt /bin/bash -e <<EOF
|
|||||||
echo "Adding $username with root privilege."
|
echo "Adding $username with root privilege."
|
||||||
useradd -m $username
|
useradd -m $username
|
||||||
usermod -aG wheel $username
|
usermod -aG wheel $username
|
||||||
|
|
||||||
groupadd -r audit
|
|
||||||
gpasswd -a $username audit
|
|
||||||
fi
|
fi
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Setting user password.
|
## Set user password.
|
||||||
[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${user_password}\n${user_password}" | arch-chroot /mnt passwd "$username" &>/dev/null
|
[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${user_password}\n${user_password}" | arch-chroot /mnt passwd "$username" &>/dev/null
|
||||||
|
|
||||||
# Giving wheel user sudo access.
|
## Give wheel user sudo access.
|
||||||
sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers
|
sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers
|
||||||
|
|
||||||
# Change audit logging group
|
## Enabling openssh server
|
||||||
echo "log_group = audit" >> /mnt/etc/audit/auditd.conf
|
if [ "${install_mode}" = 'server' ]; then
|
||||||
|
systemctl enable sshd --root=/mnt &>/dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
# Enabling audit service.
|
## Enable services
|
||||||
systemctl enable auditd --root=/mnt &>/dev/null
|
|
||||||
|
|
||||||
# Enabling openssh server
|
|
||||||
systemctl enable sshd --root=/mnt &>/dev/null
|
|
||||||
|
|
||||||
# Enabling auto-trimming service.
|
|
||||||
systemctl enable fstrim.timer --root=/mnt &>/dev/null
|
|
||||||
|
|
||||||
# Enabling NetworkManager.
|
|
||||||
systemctl enable NetworkManager --root=/mnt &>/dev/null
|
|
||||||
|
|
||||||
# Enabling AppArmor.
|
|
||||||
echo "Enabling AppArmor."
|
|
||||||
systemctl enable apparmor --root=/mnt &>/dev/null
|
systemctl enable apparmor --root=/mnt &>/dev/null
|
||||||
|
|
||||||
# Enabling Firewalld.
|
|
||||||
echo "Enabling Firewalld."
|
|
||||||
systemctl enable firewalld --root=/mnt &>/dev/null
|
|
||||||
|
|
||||||
# Enabling Reflector timer.
|
|
||||||
echo "Enabling Reflector."
|
|
||||||
systemctl enable reflector.timer --root=/mnt &>/dev/null
|
|
||||||
|
|
||||||
# Enabling systemd-oomd.
|
|
||||||
echo "Enabling systemd-oomd."
|
|
||||||
systemctl enable systemd-oomd --root=/mnt &>/dev/null
|
|
||||||
|
|
||||||
# Disabling systemd-timesyncd
|
|
||||||
systemctl disable systemd-timesyncd --root=/mnt &>/dev/null
|
|
||||||
|
|
||||||
# Enabling chronyd
|
|
||||||
systemctl enable chronyd --root=/mnt &>/dev/null
|
systemctl enable chronyd --root=/mnt &>/dev/null
|
||||||
|
systemctl enable firewalld --root=/mnt &>/dev/null
|
||||||
# Enabling Snapper automatic snapshots.
|
systemctl enable fstrim.timer --root=/mnt &>/dev/null
|
||||||
echo "Enabling Snapper and automatic snapshots entries."
|
systemctl enable grub-btrfs.path --root=/mnt &>/dev/null
|
||||||
|
systemctl enable NetworkManager --root=/mnt &>/dev/null
|
||||||
|
systemctl enable reflector.timer --root=/mnt &>/dev/null
|
||||||
systemctl enable snapper-timeline.timer --root=/mnt &>/dev/null
|
systemctl enable snapper-timeline.timer --root=/mnt &>/dev/null
|
||||||
systemctl enable snapper-cleanup.timer --root=/mnt &>/dev/null
|
systemctl enable snapper-cleanup.timer --root=/mnt &>/dev/null
|
||||||
systemctl enable grub-btrfs.path --root=/mnt &>/dev/null
|
systemctl enable systemd-oomd --root=/mnt &>/dev/null
|
||||||
|
systemctl disable systemd-timesyncd --root=/mnt &>/dev/null
|
||||||
|
|
||||||
# Setting umask to 077.
|
## Set umask to 077.
|
||||||
sed -i 's/022/077/g' /mnt/etc/profile
|
sudo sed -i 's/^UMASK.*/UMASK 077/g' /mnt/etc/login.defs
|
||||||
echo "" >> /mnt/etc/bash.bashrc
|
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /mnt/etc/login.defs
|
||||||
echo "umask 077" >> /mnt/etc/bash.bashrc
|
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /mnt/etc/login.defs
|
||||||
|
sudo sed -i 's/umask 022/umask 077/g' /mnt/etc/bash.bashrc
|
||||||
|
|
||||||
# Finishing up
|
# Finish up
|
||||||
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
|
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
|
||||||
exit
|
exit
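Review bot: The kernel-hardening sed in the `@ -315,70 +332,37 @@` hunk (`sed -i 's/quiet/cryptdevice=UUID=$UUID:cryptroot root=$BTRFS ... module.sig_enforce=1/g' /etc/default/grub`) never reaches the installed system: it is single-quoted, so `$UUID` and `$BTRFS` are written literally, it targets the live environment's `/etc/default/grub` instead of `/mnt/etc/default/grub`, and with `/` as the sed delimiter the slashes in `/dev/mapper/cryptroot` would break the expression even once expanded. The follow-up `sed -i "s#debugfs=off#debugfs=off cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub` then finds no `debugfs=off` anchor in the target file, so the installed GRUB config gets neither `cryptdevice=` nor `cryptkey=` and the LUKS root is not unlockable at boot; the removed line used double quotes, the `#` delimiter and the `/mnt` path, which is what the new line should keep. Change the opening to `sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS ...` and the closing to `...module.sig_enforce=1#g" /mnt/etc/default/grub`, and drop the added `sudo update-grub`, which is not an Arch command and would run against the live ISO rather than the chroot. The same quoting slip appears in `disk_prompt`, where `output 'Arch Linux will be installed on the following disk: ${disk}'` now prints the literal `${disk}`.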
|