mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2025-02-20 18:01:33 -05:00

Merge branch 'refs/heads/funk-on-code-correct-shellcheck'

# Conflicts:
#	README.md
#	desktop.sh
This commit is contained in:
Sebastian Yonekura 2024-05-11 02:10:19 -04:00
commit fb97449b09
2 changed files with 81 additions and 67 deletions

View File

@ -1,16 +1,25 @@
### Introduction
This is my fork of [easy-arch](https://github.com/classy-giraffe/easy-arch), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process (UEFI only).
Welcome to my fork of [Arch-Setup-Script](https://github.com/tommytran732/Arch-Setup-Script), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process (UEFI only).
This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.
Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org
### On a personal note:
I will admit, I prefer doing things [The Arch Way](https://wiki.archlinux.org/index.php/Arch_Linux#Principles), but when your average bootstrapping of Arch Linux involves hundreds of systems a month, ease-of-use **does** become a major factor -- and having tried numerous scripts out there, fixing the least broken one, seemed like the best use of limited time.
After all, if you:
- Do something once, do it from the command line.
- Do something **more** than once, script it.
I will submit some of the changes here back to upstream as well.
If you have any questions about this script as a whole (this is literally just my working fork), please visit the upstream projects Matrix group: https://matrix.to/#/#tommytran732:matrix.org
### How does it work?
1. Download an Arch Linux ISO from [here](https://archlinux.org/download/)
2. Flash the ISO onto an [USB Flash Drive](https://wiki.archlinux.org/index.php/USB_flash_installation_medium).
3. Boot the live environment.
4. Connect to the internet.
5. `git clone https://github.com/tommytran732/Arch-Setup-Script/`
5. `git clone https://github.com/funk-on-code/Arch-Setup-Script/`
6. `cd Arch-Setup-Script`
7. `./install.sh`
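Review bot: the typo "boostrap" from the upstream sentence is carried into the replacement line ("made in order to boostrap a basic Arch Linux environment"); fix it to "bootstrap" while the line is being rewritten, and "the upstream projects Matrix group" needs an apostrophe ("project's"). Step 5 now clones https://github.com/funk-on-code/Arch-Setup-Script/ while the intro still credits the tommytran732 upstream, which is consistent with the fork note, but steps 6 and 7 (`cd Arch-Setup-Script`, `./install.sh`) should be confirmed against the fork's actual directory and entry script, given that the second file touched by this commit is `desktop.sh`.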
@ -20,14 +29,10 @@ The Secure Boot script can be run after you have rebooted into the system to aut
Currently, there is an problem where GRUB requires tpm.mod to be included for signature verification, but if tpm.mod is included and the TPM is enabled it will also attempt to do Measured Boot, breaking the Arch Linux snapshots menu created by grub-btrfs. I have yet to find a solution for this issue.
### Changes to the original project
1. Encrypted /boot with LUKS1
2. SUSE - like partition layout and fully working snapper snapshots & rollback
3. Minimally setup GNOME with pipewire
4. AppArmor and Firewalld enabled by default
5. Defaulting umask to 077
6. Randomize Mac Address and disable Connectivity Check for privacy
7. Added some kernel/grub settings from https://github.com/Whonix/security-misc/tree/master/etc/default
8. Added Secure Boot script
1. Fixes the ESP sizing for encrypted boot.
2. Fixes the wiping disk to support spinning disk and nvme's alike.
3. Adds a user account suitable for both Desktop and Server use alike.
4. Installs a "full-stack(tm)" GNOME Desktop.
### Snapper behavior
The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎
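Review bot: the replacement "Changes to the original project" list no longer mentions the hardening defaults this fork still applies (the desktop.sh hunks in this same commit install apparmor, firewalld, nftables and usbguard and create a LUKS container for root), so a README reader can't tell they are enabled; keep a line on the security defaults next to the four functional fixes. Two typos remain in the unchanged context: "there is an problem" (should be "a problem") and "rallows" (should be "allows").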

View File

@ -3,6 +3,30 @@
# Cleaning the TTY.
clear
# Add some basic sanity checking, just in case.
if [[ ! "$(id -u)" == "0" ]]; then
echo "[!] You MUST this script as root. Aborting."
exit 255
fi
if [[ ! "$(ls /sys/firmware/efi/efivars)" ]]; then
echo "[!] Please enable booting via UEFI. Aborting."
exit 255
fi
# ... and trap Control-C correctly so we can bail out, when required.
trap '_confirm_sigint' SIGINT
_confirm_sigint() {
printf "\n"; read -rp "SIGINT caught: Are you sure you want to stop running this script? [y/N] " response
{ [ "$response" == "y" ] || [ "$response" == "Y" ]; } && exit 1 || return
}
# Updating the live environment usually causes more problems than its worth, and quite often can't be done without remounting cowspace with more capacity, especially at the end of any given month.
pacman -Sy
# Installing curl
pacman -S --noconfirm curl
# Selecting the kernel flavor to install.
kernel_selector () {
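Review bot: the UEFI check `if [[ ! "$(ls /sys/firmware/efi/efivars)" ]]` tests the text output of `ls`, which is exactly the pattern a shellcheck-correction branch should be removing; `[[ -d /sys/firmware/efi/efivars ]]` is the idiomatic test and also avoids the `ls: cannot access` error printed on a BIOS boot. The root-check message is missing a word ("You MUST run this script as root"). `pacman -Sy` followed by `pacman -S --noconfirm curl` is a partial upgrade of the live medium (database refreshed, installed packages not upgraded); if the refresh exists only to install curl, `pacman -Sy --noconfirm curl` in one call makes that explicit, and the comment should say why `-Syu` is avoided. Finally, `_confirm_sigint` returns into whatever command was interrupted, so a `read` prompt that caught Ctrl-C continues with an empty answer; either re-issue the prompt or exit.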
@ -27,9 +51,13 @@ kernel_selector () {
esac
}
## user input ##
# Checking the microcode to install.
CPU=$(grep vendor_id /proc/cpuinfo)
if [[ $CPU == *"AuthenticAMD"* ]]; then
microcode=amd-ucode
else
microcode=intel-ucode
fi
# Selecting the target for the installation.
PS3="Select the disk where Arch Linux is going to be installed: "
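Review bot: the vendor check silently selects `intel-ucode` for anything that is not `AuthenticAMD`; now that this block runs before any disk prompt it is a good place to print the chosen microcode package so it appears in the log, and to match `GenuineIntel` explicitly with a warning for unknown vendors. `grep vendor_id /proc/cpuinfo` also returns one line per CPU thread; `grep -m1 vendor_id /proc/cpuinfo` is enough.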
@ -40,54 +68,21 @@ do
break
done
# Confirming the disk selection.
# Deleting old partition scheme.
read -r -p "This will delete the current partition table on $DISK. Do you agree [y/N]? " response
response=${response,,}
if [[ ! ("$response" =~ ^(yes|y)$) ]]; then
if [[ "$response" =~ ^(yes|y)$ ]]; then
partprobe -s "$DISK" &>/dev/null
sgdisk --zap-all "$DISK" &>/dev/null
sgdisk --set-alignment=2048 --clear "$DISK" &>/dev/null
blkdiscard -z -f "$DISK"; sync &>/dev/null
wipefs -a -f "$DISK" &>/dev/null
partprobe -s "$DISK" &>/dev/null
else
echo "Quitting."
exit
fi
#select kernel
kernel_selector
# Setting username.
read -r -p "Please enter name for a user account (leave empty to skip): " username
# Setting password.
if [[ -n $username ]]; then
read -r -p "Please enter a password for the user account: " password
fi
# Choose locales.
read -r -p "Please insert the locale you use in this format (xx_XX): " locale
# Choose keyboard layout.
read -r -p "Please insert the keyboard layout you use: " kblayout
## installation ##
# Updating the live environment usually causes more problems than its worth, and quite often can't be done without remounting cowspace with more capacity, especially at the end of any given month.
pacman -Sy
# Installing curl
pacman -S --noconfirm curl
# formatting the disk
wipefs -af "$DISK" &>/dev/null
sgdisk -Zo "$DISK" &>/dev/null
# Checking the microcode to install.
CPU=$(grep vendor_id /proc/cpuinfo)
if [[ $CPU == *"AuthenticAMD"* ]]; then
microcode=amd-ucode
else
microcode=intel-ucode
fi
# Creating a new partition scheme.
echo "Creating new partition scheme on $DISK."
parted -s "$DISK" \
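Review bot: in `blkdiscard -z -f "$DISK"; sync &>/dev/null` the redirection applies only to `sync`, and `-z` (zero-out) on a spinning disk that does not support discard writes zeros across the whole device, which on a large HDD takes hours with no progress shown; since the commit message says the wipe now supports spinning disks, either document the duration or discard only where supported and rely on `wipefs`/`sgdisk --zap-all` (already run here) on rotational media. None of `sgdisk`, `blkdiscard` or `wipefs` has its exit status checked and all output goes to /dev/null, so a failed wipe proceeds straight to partitioning; at minimum add `|| exit 1` after each. The un-negated condition (`if [[ "$response" =~ ^(yes|y)$ ]]; then ... else echo "Quitting."; exit; fi`) reads better than the old form, but a bare `exit` returns 0 on a refusal; use `exit 1`.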
@ -97,8 +92,8 @@ parted -s "$DISK" \
mkpart cryptroot 128MiB 100% \
sleep 0.1
ESP="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep ESP| cut -d " " -f1 | cut -c7-)"
cryptroot="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep cryptroot | cut -d " " -f1 | cut -c7-)"
ESP="/dev/$(lsblk "$DISK" -o NAME,PARTLABEL | grep ESP | cut -d " " -f1 | cut -c7-)"
cryptroot="/dev/$(lsblk "$DISK" -o NAME,PARTLABEL | grep cryptroot | cut -d " " -f1 | cut -c7-)"
# Informing the Kernel of the changes.
echo "Informing the Kernel about the disk changes."
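Review bot: quoting `"$DISK"` is the right fix, but `grep ESP | cut -d " " -f1 | cut -c7-` still depends on lsblk's tree-drawing prefix having a fixed width and on no other partition label containing "ESP". Because the partitions were just created with the labels `ESP` and `cryptroot`, `/dev/disk/by-partlabel/ESP` and `/dev/disk/by-partlabel/cryptroot` (after `udevadm settle`) give the same result without any parsing; alternatively `lsblk -lno NAME,PARTLABEL "$DISK" | awk '$2 == "ESP" {print $1}'` avoids both the tree characters and the substring match.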
@ -106,7 +101,7 @@ partprobe "$DISK"
# Formatting the ESP as FAT32.
echo "Formatting the EFI Partition as FAT32."
mkfs.fat -F 32 -s 2 $ESP &>/dev/null
mkfs.fat -s 2 -F 32 "$ESP" &>/dev/null
# Creating a LUKS Container for the root partition.
echo "Creating LUKS Container for the root partition."
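Review bot: `mkfs.fat -s 2 -F 32 "$ESP" &>/dev/null` discards the error that would explain a failed ESP format (for example an empty `$ESP` from the lsblk parsing above, which would turn the command into `mkfs.fat -s 2 -F 32 ""`); keep stderr, or at least check the exit status before continuing to the LUKS step so the root container is never created on top of a broken layout.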
@ -181,7 +176,7 @@ mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,no
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/root $BTRFS /mnt/root
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/home $BTRFS /mnt/home
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/.snapshots $BTRFS /mnt/.snapshots
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/srv $BTRFS /mnt/srv
mount -o ssd,noatime,space_cache=v2.autodefrag,compress=zstd:15,discard=async,subvol=@/srv $BTRFS /mnt/srv
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_log $BTRFS /mnt/var/log
# Toolbox (https://github.com/containers/toolbox) needs /var/log/journal to have dev, suid, and exec, Thus I am splitting the subvolume. Need to make the directory after /mnt/var/log/ has been mounted.
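Review bot: the `/mnt/srv` mount line introduces a typo that changes behaviour: `space_cache=v2.autodefrag` (period instead of comma) passes `v2.autodefrag` as the space_cache value, so the mount either fails or `autodefrag` is silently lost for `@/srv`; restore `space_cache=v2,autodefrag`. Every mount here repeats the same option string, so a single `OPTS="ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async"` variable would have prevented this and keeps the per-subvolume `nodev,nosuid,noexec,nodatacow` additions readable. `$BTRFS` is also still unquoted on every line while `$DISK` and `$ESP` were quoted elsewhere in this merge.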
@ -207,12 +202,16 @@ mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,no
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey $BTRFS /mnt/cryptkey
mkdir -p /mnt/boot/efi
mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi
mount -o nodev,nosuid,noexec "$ESP" /mnt/boot/efi
kernel_selector
# Pacstrap (setting up a base sytem onto the new root).
echo "Installing the base system (it may take a while)."
pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor python-psutil python-notify2 nano gdm gnome-control-center gnome-terminal gnome-tweaks nautilus pipewire-pulse pipewire-alsa pipewire-jack flatpak firewalld zram-generator adobe-source-han-sans-otc-fonts adobe-source-han-serif-otc-fonts gnu-free-fonts reflector mlocate man-db chrony sbctl
pacstrap /mnt base ${kernel} ${microcode} linux-firmware
pacstrap /mnt grub grub-btrfs dosfstools efibootmgr mlocate chrony snapper snap-pac
pacstrap /mnt apparmor bash-completion htop iwd man-db man-pages mc nano nftables reflector sudo tmux usbguard wget vim zram-generator
pacstrap /mnt gnome gnome-extra networkmanager networkmanager-openvpn networkmanager-strongswan networkmanager-pptp networkmanager-l2tp pipewire-pulse piprewire-jack gdm celluloid firewalld rhythmbox transmission-gtk papirus-icon-theme
# Routing jack2 through PipeWire.
echo "/usr/lib/pipewire-0.3/jack" > /mnt/etc/ld.so.conf.d/pipewire-jack.conf
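Review bot: `piprewire-jack` in the last pacstrap line is a typo for `pipewire-jack`, and pacstrap will abort on it with "target not found". The new lists also drop `python-psutil` and `python-notify2`, which the old single pacstrap line installed and which `aa-notify` (still launched by the autostart entry later in this file) needs for desktop notifications; add them back or remove the autostart. `kernel_selector` is now called after the mounts but before `${kernel}` is used, which works, though `${kernel}` and `${microcode}` remain unquoted. From a hardening standpoint, `networkmanager-pptp` pulls in a VPN type whose authentication (MS-CHAPv2) is known to be broken and is rarely wanted on a security-focused build; consider leaving it out.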
@ -234,7 +233,16 @@ cat > /mnt/etc/hosts <<EOF
127.0.1.1 $hostname.localdomain $hostname
EOF
# Setting username.
read -r -p "Please enter name for a user account (leave empty to skip): " username
# If we have a username, ask for a full name too.
if [ ! -z "$username" ]; then
read -r -p "Please enter name the full name of the user account: " fullname
fi
# Setting up locales.
read -r -p "Please insert the locale you use in this format (xx_XX): " locale
echo "$locale.UTF-8 UTF-8" > /mnt/etc/locale.gen
echo "LANG=$locale.UTF-8" > /mnt/etc/locale.conf
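Review bot: the prompt reads "Please enter name the full name of the user account" (drop the first "name"), and shellcheck prefers `[ -n "$username" ]` over `[ ! -z "$username" ]`. More importantly, neither value is validated before being interpolated into the `useradd` heredoc later in the file: a quote or backtick in `$fullname` breaks that command line, and a colon is invalid in the GECOS field; restrict the username to `^[a-z_][a-z0-9_-]*$` and reject `:` in the full name. There is also no password prompt in this consolidated block, yet the final hunk still pipes `${password}` into `passwd`; add it here (`read -rsp`, entered twice and compared), otherwise `passwd` receives empty input and, with its output discarded, the failure goes unnoticed and the new account cannot log in.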
@ -374,11 +382,10 @@ arch-chroot /mnt /bin/bash -e <<EOF
grub-mkconfig -o /boot/grub/grub.cfg &>/dev/null
# Adding user with sudo privilege
# (now suitable for desktop use on i3, KDE & GNOME)
if [ -n "$username" ]; then
echo "Adding $username with root privilege."
useradd -m $username
usermod -aG wheel $username
useradd -g users -G wheel,sys,storage,scanner,power,optical,network,lp,audio,video,input -c "$fullname" -m "$username"
groupadd -r audit
gpasswd -a $username audit
fi
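Review bot: the supplementary group list `sys,storage,scanner,power,optical,network,lp,audio,video,input` goes well beyond what a logind-managed GNOME session needs (seat ACLs already grant audio, video, optical and scanner device access to the active session), and several entries are privilege grants in their own right: `sys` is the CUPS administration group on Arch, `storage` has historically granted direct access to removable block devices, and `input` lets the user read every `/dev/input/event*` device, i.e. keystrokes from other sessions. With `wheel` already present for sudo, trim the list to what the desktop actually needs. `groupadd -r audit` fails if the group already exists, and since this heredoc runs under `bash -e` that aborts the whole chroot step; `groupadd -rf audit` is idempotent. `$fullname` and `$username` are expanded by the outer shell into an unquoted heredoc, which is why validation belongs at the prompt rather than here.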
@ -397,8 +404,10 @@ Exec=aa-notify -p -s 1 -w 60 -f /var/log/audit/audit.log
StartupNotify=false
NoDisplay=true
EOF
# (we don't create a user group above any more, so this becomes 'users' rather than 'username'.)
chmod 700 /mnt/home/${username}/.config/autostart/apparmor-notify.desktop
arch-chroot /mnt chown -R $username:$username /home/${username}/.config
arch-chroot /mnt chown -R $username:users /home/${username}/.config
# Setting user password.
[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${password}\n${password}" | arch-chroot /mnt passwd "$username" &>/dev/null
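Review bot: switching the owner to `$username:users` matches the new `useradd -g users`, but `$username` is unquoted in the `chown` line and in `chmod 700 /mnt/home/${username}/...`, and the `chmod` runs outside the chroot while the `chown` runs inside it, which works but is inconsistent. On the last line, `echo -e "${password}\n${password}"` interprets backslash sequences inside the password itself, so a password containing `\n`, `\t` or `\\` is silently altered before it reaches `passwd`, and `&>/dev/null` hides a rejected password; `printf '%s:%s\n' "$username" "$password" | arch-chroot /mnt chpasswd` avoids both problems and its exit status should be checked. Also verify that `$password` is still collected somewhere now that the earlier prompt for it was removed.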