mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2024-11-25 02:51:32 -05:00

Update install.sh

TommyTran732 2021-07-25 07:11:44 +00:00 committed by tommytran732
parent f439bf3ff7
commit e28effdd0d
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2


@ -216,7 +216,7 @@ curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/g
curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu
# Enabling IOMMU # Enabling IOMMU
curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> 40_enable_iommu curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> /mnt/etc/grub.d/40_enable_iommu
# Adding keyfile to the initramfs to avoid double password. # Adding keyfile to the initramfs to avoid double password.
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
@ -225,6 +225,9 @@ cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.ke
sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
# Blacklisting kernel modules
curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf >> /mnt/etc/modprobe.d/30_security-misc.conf
# Security kernel settings. # Security kernel settings.
echo "kernel.kptr_restrict = 2" > /mnt/etc/sysctl.d/51-kptr-restrict.conf echo "kernel.kptr_restrict = 2" > /mnt/etc/sysctl.d/51-kptr-restrict.conf
echo "kernel.kexec_load_disabled = 1" > /mnt/etc/sysctl.d/51-kexec-restrict.conf echo "kernel.kexec_load_disabled = 1" > /mnt/etc/sysctl.d/51-kexec-restrict.conf
@ -320,7 +323,8 @@ systemctl enable apparmor --root=/mnt &>/dev/null
echo "Enabling Firewalld." echo "Enabling Firewalld."
systemctl enable firewalld --root=/mnt &>/dev/null systemctl enable firewalld --root=/mnt &>/dev/null
# Enabling Bluetooth Service (If you don't want bluetooth, disable it with GNOME, don't disable the service). # Enabling Bluetooth Service (This is only to fix the visual glitch with gnome where it gets stuck in the menu at the top right).
# IF YOU WANT TO USE BLUETOOTH, YOU MUST REMOVE IT FROM THE LIST OF BLACKLISTED KERNEL MODULES IN /mnt/etc/modprobe.d/30_security-misc.conf
systemctl enable bluetooth --root=/mnt &>/dev/null systemctl enable bluetooth --root=/mnt &>/dev/null
# Enabling Reflector timer. # Enabling Reflector timer.
@ -342,8 +346,5 @@ sed -i 's/022/077/g' /mnt/etc/profile
echo "" >> /mnt/etc/bash.bashrc echo "" >> /mnt/etc/bash.bashrc
echo "umask 077" >> /mnt/etc/bash.bashrc echo "umask 077" >> /mnt/etc/bash.bashrc
#Blacklist Firewire SBP2.
echo "blacklist firewire-sbp2" | sudo tee /mnt/etc/modprobe.d/blacklist.conf
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)." echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
exit exit
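Review bot: The added download of `30_security-misc.conf` in the second hunk fetches from the mutable `master` branch with plain `curl`, with no `--fail` and no integrity check. An HTTP error body or an unreviewed upstream change is therefore appended into `/mnt/etc/modprobe.d/`, and unless the script enables `set -e` outside this view, a failed transfer goes unnoticed. This matters more because the last hunk removes the locally written `blacklist firewire-sbp2` line, leaving the fetched file as the only module blacklist; presumably it covers firewire-sbp2, but that is not visible here and should be confirmed. Consider pinning to a reviewed commit and failing closed, e.g. `curl -fsSL https://raw.githubusercontent.com/Whonix/security-misc/<pinned-commit>/etc/modprobe.d/30_security-misc.conf -o /mnt/etc/modprobe.d/30_security-misc.conf || exit 1`, then comparing the file against a recorded checksum. The `grub.d` downloads in the first hunk follow the same pattern.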