mirror of
https://github.com/tommytran732/Arch-Setup-Script
synced 2024-11-12 13:21:33 -05:00
Update install.sh
This commit is contained in:
parent
09020c7f17
commit
f134ddebd1
53
install.sh
53
install.sh
@ -58,10 +58,10 @@ fi
|
|||||||
|
|
||||||
# Creating a new partition scheme.
|
# Creating a new partition scheme.
|
||||||
echo "Creating new partition scheme on $DISK."
|
echo "Creating new partition scheme on $DISK."
|
||||||
parted -s $DISK \
|
parted -s "$DISK" \
|
||||||
mklabel gpt \
|
mklabel gpt \
|
||||||
mkpart ESP fat32 1MiB 301MiB \
|
mkpart ESP fat32 1MiB 101MiB \
|
||||||
mkpart cryptroot 301MiB 100% \
|
mkpart Cryptroot 101MiB 100% \
|
||||||
|
|
||||||
ESP="/dev/disk/by-partlabel/ESP"
|
ESP="/dev/disk/by-partlabel/ESP"
|
||||||
Cryptroot="/dev/disk/by-partlabel/cryptroot"
|
Cryptroot="/dev/disk/by-partlabel/cryptroot"
|
||||||
@ -91,21 +91,22 @@ echo "Creating BTRFS subvolumes."
|
|||||||
btrfs su cr /mnt/@ &>/dev/null
|
btrfs su cr /mnt/@ &>/dev/null
|
||||||
btrfs su cr /mnt/@boot &>/dev/null
|
btrfs su cr /mnt/@boot &>/dev/null
|
||||||
btrfs su cr /mnt/@home &>/dev/null
|
btrfs su cr /mnt/@home &>/dev/null
|
||||||
btrfs su cr /mnt/@var &>/dev/null
|
btrfs su cr /mnt/@snapshots &>/dev/null
|
||||||
|
btrfs su cr /mnt/@var_log &>/dev/null
|
||||||
|
|
||||||
# Mounting the newly created subvolumes.
|
# Mounting the newly created subvolumes.
|
||||||
umount /mnt
|
umount /mnt
|
||||||
echo "Mounting the newly created subvolumes."
|
echo "Mounting the newly created subvolumes."
|
||||||
mount -o ssd,noatime,space_cache,compress=zstd,subvol=@ $BTRFS /mnt
|
mount -o ssd,noatime,space_cache,compress=zstd,subvol=@ $BTRFS /mnt
|
||||||
mkdir -p /mnt/{home,var,boot}
|
mkdir -p /mnt/{home,.snapshots,/var/log,boot}
|
||||||
mount -o ssd,noatime,space_cache,compress=zstd,subvol=@boot $BTRFS /mnt/boot
|
mount -o ssd,noatime,space_cache,compress=zstd:15,subvol=@boot $BTRFS /mnt/boot
|
||||||
mount -o ssd,noatime,space_cache,compress=zstd,subvol=@home $BTRFS /mnt/home
|
mount -o ssd,noatime,space_cache.compress=zstd:15,subvol=@home $BTRFS /mnt/home
|
||||||
mount -o ssd,noatime,space_cache,nodatacow,subvol=@var $BTRFS /mnt/var/
|
mount -o ssd,noatime,space_cache,compress=zstd:15,subvol=@snapshots $BTRFS /mnt/.snapshots
|
||||||
mkdir -p /mnt/boot/efi
|
mount -o ssd,noatime,space_cache,nodatacow,subvol=@var_log $BTRFS /mnt/var/log
|
||||||
|
chattr +C /mnt/var/log
|
||||||
|
mkdir /mnt/boot/efi
|
||||||
mount $ESP /mnt/boot/efi
|
mount $ESP /mnt/boot/efi
|
||||||
|
|
||||||
chattr +C /mnt/var
|
|
||||||
|
|
||||||
kernel_selector
|
kernel_selector
|
||||||
|
|
||||||
# Pacstrap (setting up a base sytem onto the new root).
|
# Pacstrap (setting up a base sytem onto the new root).
|
||||||
@ -157,6 +158,16 @@ cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/.root.key
|
|||||||
sed -i -e "s,quiet,quiet cryptdevice=UUID=$UUID:cryptroot root=$BTRFS cryptkey=rootfs:/.root.key,g" /mnt/etc/default/grub
|
sed -i -e "s,quiet,quiet cryptdevice=UUID=$UUID:cryptroot root=$BTRFS cryptkey=rootfs:/.root.key,g" /mnt/etc/default/grub
|
||||||
sed -i 's#FILES=()#FILES=(/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
sed -i 's#FILES=()#FILES=(/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
||||||
|
|
||||||
|
# Security kernel settings.
|
||||||
|
echo "kernel.kptr_restrict = 2" > /mnt/etc/sysctl.d/51-kptr-restrict.conf
|
||||||
|
echo "kernel.kexec_load_disabled = 1" > /mnt/etc/sysctl.d/51-kexec-restrict.conf
|
||||||
|
cat << EOF >> /mnt/etc/sysctl.d/10-security.conf
|
||||||
|
fs.protected_hardlinks = 1
|
||||||
|
fs.protected_symlinks = 1
|
||||||
|
net.core.bpf_jit_harden = 2
|
||||||
|
kernel.yama.ptrace_scope = 3
|
||||||
|
EOF
|
||||||
|
|
||||||
# Configuring the system.
|
# Configuring the system.
|
||||||
arch-chroot /mnt /bin/bash -e <<EOF
|
arch-chroot /mnt /bin/bash -e <<EOF
|
||||||
|
|
||||||
@ -210,26 +221,6 @@ sed -i 's/022/077/g' /mnt/etc/profile
|
|||||||
echo "" >> /mnt/etc/bash.bashrc
|
echo "" >> /mnt/etc/bash.bashrc
|
||||||
echo "umask 077" >> /mnt/etc/bash.bashrc
|
echo "umask 077" >> /mnt/etc/bash.bashrc
|
||||||
|
|
||||||
#Security kernel settings
|
|
||||||
sudo bash -c 'cat > /mnt/etc/sysctl.d/51-dmesg-restrict.conf' <<-'EOF'
|
|
||||||
kernel.dmesg_restrict = 1
|
|
||||||
EOF
|
|
||||||
|
|
||||||
sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kptr-restrict.conf' <<-'EOF'
|
|
||||||
kernel.kptr_restrict = 2
|
|
||||||
EOF
|
|
||||||
|
|
||||||
sudo bash -c 'cat > /mnt/etc/sysctl.d/51-kexec-restrict.conf' <<-'EOF'
|
|
||||||
kernel.kexec_load_disabled = 1
|
|
||||||
EOF
|
|
||||||
|
|
||||||
sudo bash -c 'cat > /mnt/etc/sysctl.d/10-security.conf' <<-'EOF'
|
|
||||||
fs.protected_hardlinks = 1
|
|
||||||
fs.protected_symlinks = 1
|
|
||||||
net.core.bpf_jit_harden = 2
|
|
||||||
kernel.yama.ptrace_scope = 3
|
|
||||||
EOF
|
|
||||||
|
|
||||||
#Blacklist Firewire SBP2
|
#Blacklist Firewire SBP2
|
||||||
echo "blacklist firewire-sbp2" | sudo tee /mnt/etc/modprobe.d/blacklist.conf
|
echo "blacklist firewire-sbp2" | sudo tee /mnt/etc/modprobe.d/blacklist.conf
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user