From a785f2b908af1a36f673d93aaaf25dd03420faae Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Mon, 19 Sep 2022 06:05:34 +0000 Subject: [PATCH 01/31] Update README to reflect this is a fork of upstream. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- README.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 7cddd1c..7d60554 100644 --- a/README.md +++ b/README.md 
@@ -1,16 +1,25 @@ ### Introduction -This is my fork of [easy-arch](https://github.com/classy-giraffe/easy-arch), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process (UEFI only). +Welcome to my fork of [Arch-Setup-Script](https://github.com/tommytran732/Arch-Setup-Script), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process (UEFI only). -This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well. -Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org +### On a personal note: +I will admit, I prefer doing things [The Arch Way](https://wiki.archlinux.org/index.php/Arch_Linux#Principles), but when your average bootstrapping of Arch Linux involves hundreds of systems a month, ease-of-use **does** become a major factor -- and having tried numerous scripts out there, fixing the least broken one, seemed like the best use of limited time. + +After all, if you: + +- Do something once, do it from the command line. +- Do something **more** than once, script it. + +I will submit some of the changes here back to upstream as well. + +If you have any questions about this script as a whole (this is literally just my working fork), please visit the upstream projects Matrix group: https://matrix.to/#/#tommytran732:matrix.org ### How does it work? 1. Download an Arch Linux ISO from [here](https://archlinux.org/download/) 2. Flash the ISO onto an [USB Flash Drive](https://wiki.archlinux.org/index.php/USB_flash_installation_medium). 3. Boot the live environment. 4. Connect to the internet. -5. `git clone https://github.com/tommytran732/Arch-Setup-Script/` +5. `git clone https://github.com/funk-on-code/Arch-Setup-Script/` 6. `cd Arch-Setup-Script` 7. `./install.sh` 
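Review bot: the new introduction line carries the "boostrap" typo over from the line it replaces (`a **script** made in order to boostrap a basic **Arch Linux** environment`); correct it to "bootstrap" while the line is being touched, and "the upstream projects Matrix group" wants an apostrophe ("project's"). The clone step now points at `https://github.com/funk-on-code/Arch-Setup-Script/`, so the `cd Arch-Setup-Script` step still matches; no change needed there.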
@@ -20,15 +29,8 @@ The Secure Boot script can be run after you have rebooted into the system to aut Currently, there is an problem where GRUB requires tpm.mod to be included for signature verification, but if tpm.mod is included and the TPM is enabled it will also attempt to do Measured Boot, breaking the Arch Linux snapshots menu created by grub-btrfs. I have yet to find a solution for this issue. ### Changes to the original project -1. Encrypted /boot with LUKS1 -2. SUSE - like partition layout and fully working snapper snapshots & rollback -3. Minimally setup GNOME 40 with pipewire -4. AppArmor and Firewalld enabled by default -5. Defaulting umask to 077 -6. Randomize Mac Address and disable Connectivity Check for privacy -7. Added some kernel/grub settings from https://github.com/Whonix/security-misc/tree/master/etc/default -8. Added udev rules from https://gitlab.com/garuda-linux/themes-and-settings/settings/garuda-common-settings/-/tree/master/etc/udev/rules.d -9. Added Secure Boot script +1. Fixes the ESP sizing for encrypted boot. +2. Adds a user account suitable for both Desktop and Server use alike. ### Snapper behavior The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎 From 0c35ecf54e64f072d26b78e41b8f167de8bc6ada Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Mon, 19 Sep 2022 06:10:51 +0000 Subject: [PATCH 02/31] Adding some basic sanity checking to the script - Allows Control-C to terminate the script at any time. - Confirms you have a UEFI/GPT capable system before operating. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/install.sh b/install.sh index d686e63..f506900 100755 --- a/install.sh +++ b/install.sh 
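Review bot: the rewritten "Changes to the original project" list now describes this fork's changes relative to tommytran732's fork, but the surrounding paragraphs kept as context (the Secure Boot script, the tpm.mod / Measured Boot problem) still describe tommytran732's changes relative to easy-arch, so "original project" is ambiguous; state which baseline the list refers to. The context lines also carry two typos worth fixing in the same edit: "there is an problem" and "The partition layout I use rallows us".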
@@ -3,6 +3,25 @@ # Cleaning the TTY. clear +# Add some basic sanity checking, just in case. +if [[ ! "$(id -u)" == "0" ]]; then +echo "[!] You MUST this script as root. Aborting." +exit 255 +fi + +if [[ ! "$(ls /sys/firmware/efi/efivars)" ]]; then +echo "[!] Please enable booting via UEFI. Aborting." +exit 255 +fi + +# ... and trap Control-C correctly so we can bail out, when required. +trap '_confirm_sigint' SIGINT + +_confirm_sigint() { + printf "\n"; read -rp "SIGINT caught: Are you sure you want to stop running this script? [y/N] " response + { [ "$response" == "y" ] || [ "$response" == "Y" ]; } && exit 1 || return +} + # Updating the live environment usually causes more problems than its worth, and quite often can't be done without remounting cowspace with more capacity, especially at the end of any given month. pacman -Sy From e2e9f90c0614b1eafa42f8e632e27a0e3b4ea625 Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Mon, 19 Sep 2022 06:17:39 +0000 Subject: [PATCH 03/31] Fix the ESP partition so it is actually created. On: - Live hardware. - a QEMU VM and a VMware ESX VM Upstream does not create a valid ESP bootable partition when a bootloader already exists. Adding the correct sector size (-s 2) for the partition size corrects this issue. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install.sh b/install.sh index f506900..5637d54 100755 --- a/install.sh +++ b/install.sh @@ -83,9 +83,9 @@ fi echo "Creating new partition scheme on $DISK." parted -s "$DISK" \ mklabel gpt \ - mkpart ESP fat32 1MiB 101MiB \ + mkpart ESP fat32 1MiB 128MiB \ set 1 esp on \ - mkpart cryptroot 101MiB 100% \ + mkpart cryptroot 128MiB 100% \ sleep 0.1 ESP="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep ESP| cut -d " " -f1 | cut -c7-)" 
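Review bot: the root-check message is missing a word (`echo "[!] You MUST this script as root. Aborting."` should read "You MUST run this script as root"). The UEFI check `if [[ ! "$(ls /sys/firmware/efi/efivars)" ]]` tests command output rather than the directory and lets `ls` print an error on BIOS systems; `[ -d /sys/firmware/efi/efivars ]` is the usual test and is silent. Note also that `_confirm_sigint` returns into the script when the answer is not "y", with the interrupted command's non-zero status, so a Ctrl-C during one of the later `read` prompts leaves that variable empty and execution continues; either re-run the interrupted prompt or make the decline path abort as well.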
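Review bot: the commit message attributes the fix to "the correct sector size (-s 2)", but this hunk only grows the ESP from 101MiB to 128MiB (`mkpart ESP fat32 1MiB 128MiB` / `mkpart cryptroot 128MiB 100%`); document why the partition size change is needed on its own, since the `-s 2` change lives in the following hunk. The partition lookup in the trailing context (`lsblk $DISK -o NAME,PARTLABEL | grep ESP| cut -d " " -f1 | cut -c7-`) is unchanged here and remains fragile; see the quoting patch later in the series for the same line.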
@@ -97,7 +97,7 @@ partprobe "$DISK" # Formatting the ESP as FAT32. echo "Formatting the EFI Partition as FAT32." -mkfs.fat -F 32 $ESP &>/dev/null +mkfs.fat -s 2 -F 32 $ESP &>/dev/null # Creating a LUKS Container for the root partition. echo "Creating LUKS Container for the root partition." From d7d32601628866cb5d3768c5c7d8ebb2dc0e8e8a Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Wed, 21 Sep 2022 08:38:55 +0000 Subject: [PATCH 04/31] Update user creation to support desktops & servers. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/install.sh b/install.sh index 5637d54..2d2863d 100755 --- a/install.sh +++ b/install.sh @@ -230,6 +230,11 @@ EOF # Setting username. read -r -p "Please enter name for a user account (leave empty to skip): " username +# If we have a username, ask for a full name too. +if [ ! -z "$username" ]; then +read -r -p "Please enter name the full name of the user account: " fullname +fi + # Setting up locales. read -r -p "Please insert the locale you use in this format (xx_XX): " locale echo "$locale.UTF-8 UTF-8" > /mnt/etc/locale.gen @@ -381,8 +386,7 @@ arch-chroot /mnt /bin/bash -e < Date: Thu, 22 Sep 2022 02:08:49 +0000 Subject: [PATCH 05/31] Add commentary for the user creation change. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/install.sh b/install.sh index 2d2863d..27e2066 100755 --- a/install.sh +++ b/install.sh @@ -384,6 +384,7 @@ arch-chroot /mnt /bin/bash -e </dev/null # Adding user with sudo privilege + # (now suitable for desktop use on i3, KDE & GNOME) if [ -n "$username" ]; then echo "Adding $username with root privilege." useradd -g users -G wheel,sys,storage,power,network,audio,video,input -c "$fullname" -m "$username" 
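Review bot: `mkfs.fat -s 2` sets sectors per cluster, not the sector size, so the commit message's wording ("correct sector size") is misleading; describe it as the cluster size. Because the command keeps `&>/dev/null`, the "Sector not allocated" style failure the message refers to would still be hidden if it recurs; drop the redirection or check `$?` and abort, since a silently unformatted ESP only surfaces at `grub-install`.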
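Review bot: the new prompt has a typo (`"Please enter name the full name of the user account: "` should be "Please enter the full name of the user account: "), and `if [ ! -z "$username" ]` reads more naturally as `if [ -n "$username" ]`, which is the form the script already uses further down. Since `$fullname` ends up in the passwd comment field via `useradd -c`, reject a value containing ":" at the prompt; useradd refuses such a comment and the account would not be created.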
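Review bot: the added comment says the account is "now suitable for desktop use on i3, KDE & GNOME", but the group list it annotates (`-G wheel,sys,storage,power,network,audio,video,input`) grants more than a desktop session needs: on a systemd/logind system the active seat already gets device access through udev ACLs, and static membership in `input` lets every process of that user read all input devices regardless of session, while `audio`/`video`/`storage` similarly bypass per-seat access control. For both desktop and server use, `wheel` alone is the safer default; add the device groups only where a concrete need exists. The echo above it ("Adding $username with root privilege") is also inaccurate: the user gets sudo via `wheel`, not root.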
@@ -406,6 +407,8 @@ Exec=aa-notify -p -s 1 -w 60 -f /var/log/audit/audit.log StartupNotify=false NoDisplay=true EOF + +# (we don't create a user group above any more, so this becomes 'users' rather than 'username'.) chmod 700 /mnt/home/${username}/.config/autostart/apparmor-notify.desktop arch-chroot /mnt chown -R $username:users /home/${username}/.config From 905df159f23024e370d032a65ae003149af855ea Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Mon, 26 Sep 2022 07:45:27 +0000 Subject: [PATCH 06/31] Actually wipe the disk & partitions. - Aligns sgdisk correctly. - Uses blkdiscard (in case we're wiping an nvme). - Moves partprobe. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/install.sh b/install.sh index 27e2066..e09808d 100755 --- a/install.sh +++ b/install.sh @@ -72,8 +72,12 @@ done read -r -p "This will delete the current partition table on $DISK. Do you agree [y/N]? " response response=${response,,} if [[ "$response" =~ ^(yes|y)$ ]]; then - wipefs -af "$DISK" &>/dev/null - sgdisk -Zo "$DISK" &>/dev/null + partprobe -s "$DISK" &>/dev/null + sgdisk --zap-all "$DISK" &>/dev/null + sgdisk --set-alignment=2048 --clear "$DISK" &>/dev/null + blkdiscard -z -f "$DISK"; sync &>/dev/null + wipefs -a -f "$DISK" &>/dev/null + partprobe -s "$DISK" &>/dev/null else echo "Quitting." exit From 0743890ae2b3cb025cc0a80cecff19e6d0beffc1 Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Mon, 26 Sep 2022 07:47:30 +0000 Subject: [PATCH 07/31] Update README.md Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7d60554..702be03 100644 --- a/README.md +++ b/README.md 
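Review bot: the `chmod 700 /mnt/home/${username}/.config/autostart/apparmor-notify.desktop` and `arch-chroot /mnt chown -R $username:users /home/${username}/.config` lines that this comment annotates run unconditionally, although `$username` may be empty (the prompt allows skipping); in that case the paths collapse to `/mnt/home//.config/...` and the chown target becomes `:users`. Wrap the heredoc, chmod and chown in the same `if [ -n "$username" ]` guard used for useradd, and quote `"$username"`.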
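Review bot: in `blkdiscard -z -f "$DISK"; sync &>/dev/null` the redirection applies only to `sync`, and more importantly `-z` means zero-fill rather than discard, so on a spinning disk this writes zeros to every sector (hours on a large drive) while on an NVMe a plain `blkdiscard -f "$DISK"` is what the commit message ("in case we're wiping an nvme") describes. Choose the mode from the device type, or make `-z` opt-in, and check the exit status rather than silencing it, since a failed wipe followed by `sgdisk --clear` still leaves old data recoverable. The `wipefs -a -f` after `sgdisk --zap-all` and `--clear` is redundant but harmless.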
@@ -30,7 +30,8 @@ Currently, there is an problem where GRUB requires tpm.mod to be included for si ### Changes to the original project 1. Fixes the ESP sizing for encrypted boot. -2. Adds a user account suitable for both Desktop and Server use alike. +2. Fixes the wiping disk to support spinning disk and nvme's alike. +3. Adds a user account suitable for both Desktop and Server use alike. ### Snapper behavior The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎 From 4a3468356ff2cd45ba8b988475cfb0d54159cb07 Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Tue, 27 Sep 2022 07:56:25 +0000 Subject: [PATCH 08/31] Re-order Kernel Choice I use -hardened pretty much everywhere, except SMB/Fileservers, which use -lts, so I re-order these. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/install.sh b/install.sh index e09808d..e67cbf1 100755 --- a/install.sh +++ b/install.sh 
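Review bot: the new list item reads awkwardly; "Fixes the wiping disk to support spinning disk and nvme's alike." would be clearer as "Fixes disk wiping so it works on spinning disks and NVMe drives alike." The context line "The partition layout I use rallows us" still carries the "rallows" typo and could be fixed in the same edit.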
@@ -31,20 +31,20 @@ pacman -S --noconfirm curl # Selecting the kernel flavor to install. kernel_selector () { echo "List of kernels:" - echo "1) Stable — Vanilla Linux kernel and modules, with a few patches applied." - echo "2) Hardened — A security-focused Linux kernel." - echo "3) Longterm — Long-term support (LTS) Linux kernel and modules." - echo "4) Zen Kernel — Optimized for desktop usage." + echo "1) Hardened — A security-focused Linux kernel." + echo "2) Longterm — Long-term support (LTS) Linux kernel and modules." + echo "3) Zen Kernel — Optimized for desktop usage." + echo "4) Stable — Vanilla Linux kernel and modules, with a few patches applied." read -r -p "Insert the number of the corresponding kernel: " choice echo "$choice will be installed" case $choice in - 1 ) kernel=linux + 1 ) kernel=linux-hardened ;; - 2 ) kernel=linux-hardened + 2 ) kernel=linux-lts ;; - 3 ) kernel=linux-lts + 3 ) kernel=linux-zen ;; - 4 ) kernel=linux-zen + 4 ) kernel=linux ;; * ) echo "You did not enter a valid selection." kernel_selector From ff9f458ef102598f6a47d5e237aaeebd46f4a7ae Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Thu, 13 Oct 2022 01:14:58 +0000 Subject: [PATCH 09/31] Updating my chosen package list, installs GNOME for Desktop Use. Update my own package list to install "full-stack(tm)" GNOME. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install.sh b/install.sh index e67cbf1..d56ec80 100755 --- a/install.sh +++ b/install.sh 
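Review bot: the menu text and the `case` arms were both reordered consistently, so the mapping is correct. One thing visible in the context that the reorder could have tidied: `echo "$choice will be installed"` runs before the `case` validates the input, so an invalid entry prints "7 will be installed" immediately followed by "You did not enter a valid selection."; move the echo into the valid arms or print the resolved `$kernel` after the `case`.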
@@ -207,9 +207,11 @@ mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi kernel_selector # Pacstrap (setting up a base sytem onto the new root). -# As I said above, I am considering replacing gnome-software with pamac-flatpak-gnome as PackageKit seems very buggy on Arch Linux right now. echo "Installing the base system (it may take a while)." -pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor python-psutil python-notify2 nano gdm gnome-control-center gnome-terminal gnome-software gnome-software-packagekit-plugin gnome-tweaks nautilus pipewire-pulse pipewire-alsa pipewire-jack flatpak firewalld zram-generator adobe-source-han-sans-otc-fonts adobe-source-han-serif-otc-fonts gnu-free-fonts reflector mlocate man-db chrony +pacstrap /mnt base ${kernel} ${microcode} linux-firmware +pacstrap /mnt grub grub-btrfs dosfstools efibootmgr mlocate chrony snapper snap-pac +pacstrap /mnt apparmor bash-completion htop iwd man-db man-pages mc nano nftables reflector sudo tmux usbguard wget vim zram-generator +pacstrap /mnt gnome gnome-extras networkmanager networkmanager-openvpn networkmanager-strongswan networkmanager-pptp networkmanager-l2tp pipewire-pulse piprewire-jack gdm firewalld transmission-gtk # Routing jack2 through PipeWire. echo "/usr/lib/pipewire-0.3/jack" > /mnt/etc/ld.so.conf.d/pipewire-jack.conf From 332abd589b21a940fb0a8b7185cb246b60b5f28c Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Thu, 13 Oct 2022 01:16:16 +0000 Subject: [PATCH 10/31] Update README.md Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 702be03..5e78986 100644 --- a/README.md +++ b/README.md 
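Review bot: two package names in the last `pacstrap` line do not exist in the repos: `piprewire-jack` (should be `pipewire-jack`) and `gnome-extras` (the group is `gnome-extra`), so that invocation fails after the earlier three have already populated the target. Splitting into four `pacstrap` runs with no exit-status check means such a failure leaves a half-installed system and the script carries on to configuration; either keep one invocation or abort on non-zero status. Also note that `python-psutil` and `python-notify2`, which the `aa-notify` autostart entry added later in the script needs, were removed along with `pipewire-alsa`.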
@@ -32,6 +32,7 @@ Currently, there is an problem where GRUB requires tpm.mod to be included for si 1. Fixes the ESP sizing for encrypted boot. 2. Fixes the wiping disk to support spinning disk and nvme's alike. 3. Adds a user account suitable for both Desktop and Server use alike. +4. Installs a "full-stack(tm)" GNOME Desktop. ### Snapper behavior The partition layout I use rallows us to replicate the behavior found in openSUSE 🦎 From 66c68f36998329b472168a26d946e86a2ab89091 Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Thu, 13 Oct 2022 02:57:04 +0000 Subject: [PATCH 11/31] Update groups list so CUPS/VPN support also works. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/install.sh b/install.sh index d56ec80..f1eaff7 100755 --- a/install.sh +++ b/install.sh @@ -393,8 +393,7 @@ arch-chroot /mnt /bin/bash -e < Date: Thu, 13 Oct 2022 03:11:29 +0000 Subject: [PATCH 12/31] Update GNOME setup Adds icon theme, rhythmbox, transmission & celluloid. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.sh b/install.sh index f1eaff7..5330b92 100755 --- a/install.sh +++ b/install.sh 
@@ -211,7 +211,7 @@ echo "Installing the base system (it may take a while)." pacstrap /mnt base ${kernel} ${microcode} linux-firmware pacstrap /mnt grub grub-btrfs dosfstools efibootmgr mlocate chrony snapper snap-pac pacstrap /mnt apparmor bash-completion htop iwd man-db man-pages mc nano nftables reflector sudo tmux usbguard wget vim zram-generator -pacstrap /mnt gnome gnome-extras networkmanager networkmanager-openvpn networkmanager-strongswan networkmanager-pptp networkmanager-l2tp pipewire-pulse piprewire-jack gdm firewalld transmission-gtk +pacstrap /mnt gnome gnome-extra networkmanager networkmanager-openvpn networkmanager-strongswan networkmanager-pptp networkmanager-l2tp pipewire-pulse piprewire-jack gdm celluloid firewalld rhythmbox transmission-gtk papirus-icon-theme # Routing jack2 through PipeWire. echo "/usr/lib/pipewire-0.3/jack" > /mnt/etc/ld.so.conf.d/pipewire-jack.conf From fee4fbb4215b6d67ec9924df1dfd13991134d067 Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Wed, 19 Oct 2022 03:30:41 +0000 Subject: [PATCH 13/31] Silence / Correct some Shellcheck Warnings. Quote variables correctly to silence shellcheck warnings. (run with shellcheck -f diff -s bash install.sh) Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/install.sh b/install.sh index 5330b92..4859299 100755 --- a/install.sh +++ b/install.sh 
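Review bot: `gnome-extras` is corrected to `gnome-extra` here, but `piprewire-jack` on the same line is still misspelled (`pipewire-pulse piprewire-jack gdm`), so this `pacstrap` call will still fail on an unknown package; fix it to `pipewire-jack` in the same commit.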
@@ -92,8 +92,8 @@ parted -s "$DISK" \ mkpart cryptroot 128MiB 100% \ sleep 0.1 -ESP="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep ESP| cut -d " " -f1 | cut -c7-)" -cryptroot="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep cryptroot | cut -d " " -f1 | cut -c7-)" +ESP="/dev/$(lsblk "$DISK" -o NAME,PARTLABEL | grep ESP | cut -d " " -f1 | cut -c7-)" +cryptroot="/dev/$(lsblk "$DISK" -o NAME,PARTLABEL | grep cryptroot | cut -d " " -f1 | cut -c7-)" # Informing the Kernel of the changes. echo "Informing the Kernel about the disk changes." @@ -101,7 +101,7 @@ partprobe "$DISK" # Formatting the ESP as FAT32. echo "Formatting the EFI Partition as FAT32." -mkfs.fat -s 2 -F 32 $ESP &>/dev/null +mkfs.fat -s 2 -F 32 "$ESP" &>/dev/null # Creating a LUKS Container for the root partition. echo "Creating LUKS Container for the root partition." @@ -202,7 +202,7 @@ mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,no mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey $BTRFS /mnt/cryptkey mkdir -p /mnt/boot/efi -mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi +mount -o nodev,nosuid,noexec "$ESP" /mnt/boot/efi kernel_selector From 6accad464bd3c784eb30f9f03916e589cf12ba34 Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Wed, 28 Sep 2022 16:23:11 +0000 Subject: [PATCH 14/31] Fixes ESP Generation from Archlinux 2022.07+ (#16) Fixes ESP filesystem generation on Live Archlinux ISOs from July 2022 to September (fixes both "Sector Not Allocated" error from mkfs.fat and the grub-install command since the changes to grub-install introduced in the latest update. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/install.sh b/install.sh index 4859299..39bae06 100755 --- a/install.sh +++ b/install.sh 
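Review bot: the quoting fixes are correct, but the partition lookup they touch, `lsblk "$DISK" -o NAME,PARTLABEL | grep ESP | cut -d " " -f1 | cut -c7-`, still depends on the width of lsblk's tree-drawing prefix and on `ESP` not matching anything else in the output; `lsblk -lno NAME,PARTLABEL "$DISK"` (list mode, no headings) or simply `/dev/disk/by-partlabel/ESP` and `/dev/disk/by-partlabel/cryptroot` removes both assumptions. The `$BTRFS` expansions in the mount context lines are still unquoted and will keep triggering the same warning.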
@@ -31,20 +31,20 @@ pacman -S --noconfirm curl # Selecting the kernel flavor to install. kernel_selector () { echo "List of kernels:" - echo "1) Hardened — A security-focused Linux kernel." - echo "2) Longterm — Long-term support (LTS) Linux kernel and modules." - echo "3) Zen Kernel — Optimized for desktop usage." - echo "4) Stable — Vanilla Linux kernel and modules, with a few patches applied." + echo "1) Stable — Vanilla Linux kernel and modules, with a few patches applied." + echo "2) Hardened — A security-focused Linux kernel." + echo "3) Longterm — Long-term support (LTS) Linux kernel and modules." + echo "4) Zen Kernel — Optimized for desktop usage." read -r -p "Insert the number of the corresponding kernel: " choice echo "$choice will be installed" case $choice in - 1 ) kernel=linux-hardened + 1 ) kernel=linux ;; - 2 ) kernel=linux-lts + 2 ) kernel=linux-hardened ;; - 3 ) kernel=linux-zen + 3 ) kernel=linux-lts ;; - 4 ) kernel=linux + 4 ) kernel=linux-zen ;; * ) echo "You did not enter a valid selection." kernel_selector From 000ed817c544b17426caab4662b3abc6dedd3b68 Mon Sep 17 00:00:00 2001 From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Sat, 22 Oct 2022 18:05:39 +0000 Subject: [PATCH 15/31] Auditd should point to chroot, not live install. (#18) Auditd fails to start on ArchLinux 2022.10 because the auditd.conf file does not exist in the chroot after install. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.sh b/install.sh index 39bae06..e2d04ea 100755 --- a/install.sh +++ b/install.sh 
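Review bot: the hunk does not match its description. The subject and body describe fixing ESP filesystem generation and `grub-install` on the 2022.07+ ISOs, but the only change here reverts the kernel menu to the upstream order (`1 ) kernel=linux` first, `4 ) kernel=linux-zen` last), undoing PATCH 08; nothing in the diff touches the ESP. Either the wrong hunk was committed or the message needs rewriting, and the commit also undoes the author's own stated preference for `-hardened` first.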
@@ -427,7 +427,7 @@ arch-chroot /mnt chown -R $username:users /home/${username}/.config sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/g' /mnt/etc/sudoers # Change audit logging group -echo "log_group = audit" >> /etc/audit/auditd.conf +echo "log_group = audit" >> /mnt/etc/audit/auditd.conf # Enabling audit service. systemctl enable auditd --root=/mnt &>/dev/null From a2ad2855acb39050302da78c6d02f8e940084904 Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 25 Oct 2022 16:49:44 -0400 Subject: [PATCH 16/31] Fix grub-install command Signed-off-by: Tommy --- secureboot.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secureboot.sh b/secureboot.sh index 74b6509..500727f 100755 --- a/secureboot.sh +++ b/secureboot.sh @@ -42,7 +42,7 @@ sbkeysync --verbose --pk chmod -R g-rwx /etc/secureboot chmod -R g-rwx /etc/secureboot -grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock +grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs tpm" --disable-shim-lock sbsign --key /etc/efi-keys/DB.key --cert /etc/efi-keys/DB.crt --output /boot/efi/EFI/GRUB/grubx64.efi /boot/efi/EFI/GRUB/grubx64.efi grub-mkconfig -o /boot/grub/grub.cfg 
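Review bot: pointing the append at `/mnt/etc/audit/auditd.conf` is the right fix. Because the line uses `>>`, re-running the script against the same target would add a second `log_group = audit` entry; a `sed` on the existing `log_group` key, or `grep -q` before appending, keeps the file idempotent.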
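Review bot: moving `tpm` to the end of the `--modules=` list does not by itself change which modules grub-install embeds, so the subject "Fix grub-install command" should say what actually changed behaviour (the tpm.mod / Measured Boot interaction described in the README is the obvious candidate). The context also shows `chmod -R g-rwx /etc/secureboot` twice in a row; drop the duplicate.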
@@ -58,7 +58,7 @@ Description=Update grubx64.efi Depends=grub When=PostTransaction NeedsTargets -Exec=/bin/bash -c 'grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock && /usr/bin/sbsign --key /etc/efi-keys/DB.key --cert /etc/efi-keys/DB.crt --output /boot/efi/EFI/GRUB/grubx64.efi /boot/efi/EFI/GRUB/grubx64.efi && /usr/bin/sed -i 's#rootflags=subvol=${rootsubvol} ##g' /etc/grub.d/10_linux && /usr/bin/sed -i 's#rootflags=subvol=${rootsubvol} ##g' /etc/grub.d/20_linux_xen && /usr/bin/grub-mkconfig -o /boot/grub/grub.cfg' +Exec=/bin/bash -c 'grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs tpm" --disable-shim-lock && /usr/bin/sbsign --key /etc/efi-keys/DB.key --cert /etc/efi-keys/DB.crt --output /boot/efi/EFI/GRUB/grubx64.efi /boot/efi/EFI/GRUB/grubx64.efi && /usr/bin/sed -i 's#rootflags=subvol=${rootsubvol} ##g' /etc/grub.d/10_linux && /usr/bin/sed -i 's#rootflags=subvol=${rootsubvol} ##g' /etc/grub.d/20_linux_xen && /usr/bin/grub-mkconfig -o /boot/grub/grub.cfg' EOF chmod 600 /etc/pacman.d/hooks/* From 1aefcb24cf0c45c691d7d3c6b9bf899eab280ef0 Mon Sep 17 00:00:00 2001 From: tommytran732 Date: Thu, 17 Nov 2022 18:21:44 -0500 Subject: [PATCH 17/31] Change links to Kicksecure Signed-off-by: tommytran732 --- install.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/install.sh b/install.sh index e2d04ea..889d003 100755 --- a/install.sh +++ b/install.sh 
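Review bot: this `Exec=` line repeats the entire `grub-install ... && sbsign ... && grub-mkconfig` sequence from the script body, and this commit shows the cost: the module list had to be edited in two places. Move the sequence into a small script under `/usr/local/bin` that both the installer and the hook call. Separately, the sed expressions inside the single-quoted `bash -c '...'` string use their own single quotes (`'s#rootflags=subvol=${rootsubvol} ##g'`), which splits the argument at the embedded space unless alpm's hook parser treats them differently from a shell; verify that the hook actually runs as intended after a grub upgrade.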
@@ -264,13 +264,13 @@ sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen # Enabling CPU Mitigations -curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg >> /mnt/etc/grub.d/40_cpu_mitigations +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg >> /mnt/etc/grub.d/40_cpu_mitigations # Distrusting the CPU -curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu # Enabling IOMMU -curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> /mnt/etc/grub.d/40_enable_iommu +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> /mnt/etc/grub.d/40_enable_iommu # Enabling NTS curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf >> /mnt/etc/chrony.conf 
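Review bot: the URL update is fine, but each of these `curl https://... >> /mnt/etc/grub.d/...` lines runs without `--fail`, so a 404 or redirect page would be appended into the boot configuration as if it were content, and with `>>` nothing guards against duplicates on a re-run. Use `curl -sSf --proto =https`, fetch from a pinned commit rather than `master` so the kernel command line does not depend on whatever the branch contains on install day, and ideally compare against a known checksum before installing the file.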
@@ -290,13 +290,13 @@ sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf # Blacklisting kernel modules -curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf >> /mnt/etc/modprobe.d/30_security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf >> /mnt/etc/modprobe.d/30_security-misc.conf chmod 600 /mnt/etc/modprobe.d/* # Security kernel settings. -curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/sysctl.d/30_security-misc.conf >> /mnt/etc/sysctl.d/30_security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf >> /mnt/etc/sysctl.d/30_security-misc.conf sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/30_security-misc.conf -curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf chmod 600 /mnt/etc/sysctl.d/* # Remove nullok from system-auth From d20b149e61d46ca72872e70001da453be13488df Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 3 Dec 2022 17:07:36 -0500 Subject: [PATCH 18/31] Fix file names Signed-off-by: Tommy --- install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install.sh b/install.sh index 889d003..b3e704e 100755 --- a/install.sh +++ b/install.sh 
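Review bot: the `sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g'` kept in this hunk deserves a README note rather than a silent default: scope 3 disables ptrace attach entirely, including `gdb -p`, `strace -p` and similar tooling for every user, and the kernel does not allow lowering it again without a reboot. That is a defensible hardening choice for servers; for the desktop profile this fork now installs it will surprise users. The same `curl` without `--fail` pattern as in the grub.d fetches applies to the modprobe.d and sysctl.d downloads here.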
@@ -264,13 +264,13 @@ sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen # Enabling CPU Mitigations -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg >> /mnt/etc/grub.d/40_cpu_mitigations +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg >> /mnt/etc/grub.d/40_cpu_mitigations.cfg # Distrusting the CPU -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu.cfg # Enabling IOMMU -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> /mnt/etc/grub.d/40_enable_iommu +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> /mnt/etc/grub.d/40_enable_iommu.cfg # Enabling NTS curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf >> /mnt/etc/chrony.conf From 85e29ef5fdcb10d67bc13382dc81958c1363c492 Mon Sep 17 00:00:00 2001 From: Welteam <8932313+Welteam@users.noreply.github.com> Date: Fri, 16 Dec 2022 20:12:18 +0000 Subject: [PATCH 19/31] Fix sed command for sudo access (#21) Adapt sed regexp to variations of sudoers file Signed-off-by: Welteam <8932313+Welteam@users.noreply.github.com> --- install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.sh b/install.sh index b3e704e..c502e3e 100755 --- a/install.sh +++ b/install.sh 
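Review bot: adding the `.cfg` suffix does not make these files effective where they are written. `/mnt/etc/grub.d/` is the directory grub-mkconfig scans for executable generator scripts; a non-executable `40_cpu_mitigations.cfg` there is skipped, and an executable one would merely set `GRUB_CMDLINE_LINUX` in a throwaway subshell. The Kicksecure files are written for Debian's `/etc/default/grub.d/` drop-in mechanism, which Arch's grub does not read unless `/etc/default/grub` sources them (not visible here). Append their `GRUB_CMDLINE_LINUX` additions to `/mnt/etc/default/grub` instead, and verify with `grep mitigations /mnt/boot/grub/grub.cfg` after `grub-mkconfig`, otherwise the CPU mitigation, distrust-CPU and IOMMU parameters never reach the kernel.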
@@ -424,7 +424,7 @@ arch-chroot /mnt chown -R $username:users /home/${username}/.config [ -n "$username" ] && echo "Setting user password for ${username}." && arch-chroot /mnt /bin/passwd "$username" # Giving wheel user sudo access. -sed -i 's/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/g' /mnt/etc/sudoers +sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers # Change audit logging group echo "log_group = audit" >> /mnt/etc/audit/auditd.conf From b042e5aaa296396c1e2ac451a77c8e3e2ce5b181 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 16 Dec 2022 15:16:43 -0500 Subject: [PATCH 20/31] Typo fix Signed-off-by: Tommy --- install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.sh b/install.sh index c502e3e..00a2d42 100755 --- a/install.sh +++ b/install.sh @@ -174,7 +174,7 @@ mount -o ssd,noatime,space_cache,compress=zstd:15 $BTRFS /mnt mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey} mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,noexec,subvol=@/boot $BTRFS /mnt/boot mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/root $BTRFS /mnt/root -mount -o ssd,noatime,space_cache=v2.autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/home $BTRFS /mnt/home +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/home $BTRFS /mnt/home mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/.snapshots $BTRFS /mnt/.snapshots mount -o ssd,noatime,space_cache=v2.autodefrag,compress=zstd:15,discard=async,subvol=@/srv $BTRFS /mnt/srv mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_log $BTRFS /mnt/var/log 
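Review bot: the new regex `s/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g` correctly handles both the `(ALL)` and `(ALL:ALL)` variants of the commented line, but editing `/etc/sudoers` with sed still leaves no validation step: a bad edit locks every wheel user out of sudo. Prefer writing a drop-in, e.g. `/mnt/etc/sudoers.d/wheel` containing `%wheel ALL=(ALL:ALL) ALL` with mode 0440, and run `visudo -cf` on the result (the drop-in is also immune to future changes in the packaged sudoers file).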
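Review bot: the `space_cache=v2.autodefrag` typo is fixed on the `@/home` mount, but the identical typo is still present two lines below in the context for `@/srv` (`mount -o ssd,noatime,space_cache=v2.autodefrag,compress=zstd:15,discard=async,subvol=@/srv $BTRFS /mnt/srv`); fix both in this commit, since the malformed option makes that mount fail.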
From 61ad3457eee2366bd807d3c6b28f6885be8be18b Mon Sep 17 00:00:00 2001 From: calvinreu <52322921+calvinreu@users.noreply.github.com> Date: Sun, 18 Dec 2022 02:05:23 +0100 Subject: [PATCH 21/31] input at start (#20) move input to start --- install.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/install.sh b/install.sh index 00a2d42..40308c1 100755 --- a/install.sh +++ b/install.sh @@ -417,11 +417,8 @@ EOF chmod 700 /mnt/home/${username}/.config/autostart/apparmor-notify.desktop arch-chroot /mnt chown -R $username:users /home/${username}/.config - # Setting user password. - - -[ -n "$username" ] && echo "Setting user password for ${username}." && arch-chroot /mnt /bin/passwd "$username" +[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${password}\n${password}" | arch-chroot /mnt passwd "$username" &>/dev/null # Giving wheel user sudo access. sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers From 05420f65a0e62ca29f4cc519a593bb72b2c86ae0 Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 4 Feb 2023 05:19:19 -0500 Subject: [PATCH 22/31] Update kicksecure sysctl Signed-off-by: Tommy --- install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/install.sh b/install.sh index 40308c1..322c40f 100755 --- a/install.sh +++ b/install.sh 
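Review bot: `$password` is not assigned anywhere in this patch (the diffstat is 1 insertion, 4 deletions and this is the only hunk), so `echo -e "${password}\n${password}" | arch-chroot /mnt passwd "$username"` feeds passwd two empty lines, passwd rejects them, and the trailing `&>/dev/null` hides the failure, leaving the account with its initial locked password. If the read really was moved to the start of the script it belongs in this commit. Beyond that, `echo -e` interprets backslashes in the password, and the error path needs to be visible; `echo "${username}:${password}" | arch-chroot /mnt chpasswd` with the exit status checked is the conventional way to set a password non-interactively.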
@@ -297,6 +297,7 @@ chmod 600 /mnt/etc/modprobe.d/* curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf >> /mnt/etc/sysctl.d/30_security-misc.conf sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/30_security-misc.conf curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf >> /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf chmod 600 /mnt/etc/sysctl.d/* # Remove nullok from system-auth From 72b5564f7e386a614cc99ec33d1a6f6627064d93 Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 5 Mar 2023 05:40:13 -0500 Subject: [PATCH 23/31] Remove disable connectivity checks Signed-off-by: Tommy --- install.sh | 9 --------- 1 file changed, 9 deletions(-) diff --git a/install.sh b/install.sh index 322c40f..aa4793c 100755 --- a/install.sh +++ b/install.sh @@ -338,15 +338,6 @@ EOF chmod 600 /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf -# Disable Connectivity Check. -bash -c 'cat > /mnt/etc/NetworkManager/conf.d/20-connectivity.conf' <<-'EOF' -[connectivity] -uri=http://www.archlinux.org/check_network_status.txt -interval=0 -EOF - -chmod 600 /mnt/etc/NetworkManager/conf.d/20-connectivity.conf - # Enable IPv6 privacy extensions bash -c 'cat > /mnt/etc/NetworkManager/conf.d/ip6-privacy.conf' <<-'EOF' [connection] From 02d4d45a475818105ca462c07eacbca2b0d94618 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 17 Mar 2023 08:26:13 -0400 Subject: [PATCH 24/31] Switch to Apache License Signed-off-by: Tommy --- LICENSE | 214 +++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 197 insertions(+), 17 deletions(-) diff --git a/LICENSE b/LICENSE index 65bf691..261eeb9 100644 --- a/LICENSE +++ b/LICENSE 
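Review bot: the added `curl ... 30_security-misc_kexec-disable.conf >> /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf` copies the pattern of the three lines above it and inherits the same weakness: `curl` without `-f`/`--fail` exits 0 on an HTTP 404, the `>>` append then writes an HTML error page (or nothing) into a sysctl drop-in, and the script's `bash -e` never notices. Because this file is the only thing disabling kexec, a silent download failure means that hardening is simply absent on the installed system. Suggest `curl -fsSL <url> -o <file>` (write rather than append, so a re-run does not duplicate the content) and pinning the upstream ref instead of `master`, so a later upstream change cannot quietly alter the sysctl set this installer applies.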
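Review bot: removing `20-connectivity.conf` (which set `interval=0`, i.e. connectivity checking off) re-enables whatever default connectivity check the NetworkManager package ships, so the installed system will again make periodic unauthenticated HTTP requests to a check URL, and nothing in the diff or the commit message says whether that is the intent or what replaces the file. A sentence in the commit message would help; if the goal was only to drop the plain `http://` URI rather than the check itself, keeping the file with `interval=0` (or an https `uri=`) preserves the previous behaviour.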
@@ -1,21 +1,201 @@ -MIT License + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ -Copyright (c) 2021 Tommaso Chiti, Thien Tran + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + 1. Definitions. -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. 
For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. 
For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. 
If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. 
You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. 
Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. From 654d2a273b04dfbdfaad69c9c4339e11f3ab8f3e Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 2 Jul 2023 06:24:21 -0700 Subject: [PATCH 25/31] Delete secureboot.sh Signed-off-by: Tommy --- secureboot.sh | 64 --------------------------------------------------- 1 file changed, 64 deletions(-) delete mode 100755 secureboot.sh diff --git a/secureboot.sh b/secureboot.sh deleted file mode 100755 index 500727f..0000000 --- a/secureboot.sh +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash - -pacman -S --noconfirm sbsigntools efitools openssl -mkdir -p /etc/efi-keys -cd /etc/efi-keys || exit -curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh -chmod +x mkkeys.sh -./mkkeys.sh - -chmod -R g-rwx /etc/efi-keys -chmod -R o-rwx /etc/efi-keys - -if [ -f /boot/vmlinuz-linux ]; then - sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux -fi - -if [ -f /boot/vmlinuz-linux-lts ]; then - sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux-lts /boot/vmlinuz-linux-lts -fi - -if [ -f /boot/vmlinuz-linux-hardened ]; then - sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux-hardened /boot/vmlinuz-linux-hardened -fi - -if [ -f /boot/vmlinuz-linux-zen ]; then - sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux-zen /boot/vmlinuz-linux-zen -fi - -cp /usr/share/libalpm/hooks/90-mkinitcpio-install.hook /etc/pacman.d/hooks/90-mkinitcpio-install.hook -sed -i 's#Exec = /usr/share/libalpm/scripts/mkinitcpio-install#Exec = /usr/local/share/libalpm/scripts/mkinitcpio-install#g' /etc/pacman.d/hooks/90-mkinitcpio-install.hook - -cp /usr/share/libalpm/scripts/mkinitcpio-install /usr/local/share/libalpm/scripts/mkinitcpio-install -sed -i 's#install -Dm644 "${line}" "/boot/vmlinuz-${pkgbase}"#sbsign --key /etc/efi-keys/DB.key --cert /etc/efi-keys/DB.crt --output "/boot/vmlinuz-${pkgbase}" "${line}"#g' /usr/local/share/libalpm/scripts/mkinitcpio-install - -mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK} -ln -s /etc/efi-keys/DB.auth /etc/secureboot/keys/db/DB.auth -ln -s /etc/efi-keys/KEK.auth /etc/secureboot/keys/KEK/KEK.auth -ln -s /etc/efi-keys/PK.auth /etc/secureboot/keys/PK/PK.auth - -sbkeysync --verbose --pk - -chmod -R g-rwx /etc/secureboot -chmod -R g-rwx /etc/secureboot - -grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv 
configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs tpm" --disable-shim-lock -sbsign --key /etc/efi-keys/DB.key --cert /etc/efi-keys/DB.crt --output /boot/efi/EFI/GRUB/grubx64.efi /boot/efi/EFI/GRUB/grubx64.efi -grub-mkconfig -o /boot/grub/grub.cfg - -cat << EOF >> /etc/pacman.d/hooks/grub.hook -[Trigger] -Operation=Install -Operation=Upgrade -Type=Package -Target=grub - -[Action] -Description=Update grubx64.efi -Depends=grub -When=PostTransaction -NeedsTargets -Exec=/bin/bash -c 'grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs tpm" --disable-shim-lock && /usr/bin/sbsign --key /etc/efi-keys/DB.key --cert /etc/efi-keys/DB.crt --output /boot/efi/EFI/GRUB/grubx64.efi /boot/efi/EFI/GRUB/grubx64.efi && /usr/bin/sed -i 's#rootflags=subvol=${rootsubvol} ##g' /etc/grub.d/10_linux && /usr/bin/sed -i 's#rootflags=subvol=${rootsubvol} ##g' /etc/grub.d/20_linux_xen && /usr/bin/grub-mkconfig -o /boot/grub/grub.cfg' -EOF - -chmod 600 /etc/pacman.d/hooks/* From 54a4ce6ffdf89db3380e8d2ec6163a245e9402cc Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 2 Jul 2023 06:27:08 -0700 Subject: [PATCH 26/31] Rename install.sh to desktop.sh Signed-off-by: Tommy --- install.sh => desktop.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename install.sh => desktop.sh (100%) diff --git a/install.sh b/desktop.sh similarity index 100% rename from install.sh rename to desktop.sh From f62fb72d1266f23fea19254d89fc46e256e0976c Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 2 Jul 2023 06:52:39 -0700 Subject: [PATCH 27/31] Create server.sh Signed-off-by: Tommy --- server.sh | 410 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 410 insertions(+) create mode 100644 server.sh 
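Review bot: deleting secureboot.sh removes the only documented path for getting the kernel and `grubx64.efi` signed for Secure Boot, and neither the commit message nor the diff says what replaces it (the pacstrap line later in this series does include `sbctl`, which suggests that is the intended successor); one line in the README or commit message would save users who relied on the script. For the record, the removed script carried two defects a replacement should not inherit: the kernel signing lines used `db.key`/`db.crt` while the pacman hook and GRUB signing used `/etc/efi-keys/DB.key`/`DB.crt`, and `chmod -R g-rwx /etc/secureboot` appears twice where the second copy was presumably meant to be `o-rwx`.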
diff --git a/server.sh b/server.sh new file mode 100644 index 0000000..842b81a --- /dev/null +++ b/server.sh 
@@ -0,0 +1,410 @@ +#!/usr/bin/env -S bash -e + +# Cleaning the TTY. +clear + + +# Selecting the kernel flavor to install. +kernel_selector () { + echo "List of kernels:" + echo "1) Stable — Vanilla Linux kernel and modules, with a few patches applied." + echo "2) Hardened — A security-focused Linux kernel." + echo "3) Longterm — Long-term support (LTS) Linux kernel and modules." + echo "4) Zen Kernel — Optimized for desktop usage." + read -r -p "Insert the number of the corresponding kernel: " choice + echo "$choice will be installed" + case $choice in + 1 ) kernel=linux + ;; + 2 ) kernel=linux-hardened + ;; + 3 ) kernel=linux-lts + ;; + 4 ) kernel=linux-zen + ;; + * ) echo "You did not enter a valid selection." + kernel_selector + esac +} + + + +## user input ## + +# Selecting the target for the installation. +PS3="Select the disk where Arch Linux is going to be installed: " +select ENTRY in $(lsblk -dpnoNAME|grep -P "/dev/sd|nvme|vd"); +do + DISK=$ENTRY + echo "Installing Arch Linux on $DISK." + break +done + +# Confirming the disk selection. +read -r -p "This will delete the current partition table on $DISK. Do you agree [y/N]? " response +response=${response,,} +if [[ ! ("$response" =~ ^(yes|y)$) ]]; then + echo "Quitting." + exit +fi + +#select kernel +kernel_selector + +# Setting username. +read -r -p "Please enter name for a user account (leave empty to skip): " username + +# Setting password. +if [[ -n $username ]]; then + read -r -p "Please enter a password for the user account: " password +fi + +# Choose locales. +read -r -p "Please insert the locale you use in this format (xx_XX): " locale + +# Choose keyboard layout. +read -r -p "Please insert the keyboard layout you use: " kblayout + + + + +## installation ## + +# Updating the live environment usually causes more problems than its worth, and quite often can't be done without remounting cowspace with more capacity, especially at the end of any given month. 
+pacman -Sy + +# Installing curl +pacman -S --noconfirm curl + +# formatting the disk +wipefs -af "$DISK" &>/dev/null +sgdisk -Zo "$DISK" &>/dev/null + +# Checking the microcode to install. +CPU=$(grep vendor_id /proc/cpuinfo) +if [[ $CPU == *"AuthenticAMD"* ]]; then + microcode=amd-ucode +else + microcode=intel-ucode +fi + +# Creating a new partition scheme. +echo "Creating new partition scheme on $DISK." +parted -s "$DISK" \ + mklabel gpt \ + mkpart ESP fat32 1MiB 128MiB \ + set 1 esp on \ + mkpart cryptroot 128MiB 100% \ + +sleep 0.1 +ESP="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep ESP| cut -d " " -f1 | cut -c7-)" +cryptroot="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep cryptroot | cut -d " " -f1 | cut -c7-)" + +# Informing the Kernel of the changes. +echo "Informing the Kernel about the disk changes." +partprobe "$DISK" + +# Formatting the ESP as FAT32. +echo "Formatting the EFI Partition as FAT32." +mkfs.fat -F 32 -s 2 $ESP &>/dev/null + +# Creating a LUKS Container for the root partition. +echo "Creating LUKS Container for the root partition." +cryptsetup luksFormat --type luks1 $cryptroot +echo "Opening the newly created LUKS Container." +cryptsetup open $cryptroot cryptroot +BTRFS="/dev/mapper/cryptroot" + +# Formatting the LUKS Container as BTRFS. +echo "Formatting the LUKS container as BTRFS." +mkfs.btrfs $BTRFS &>/dev/null +mount -o clear_cache,nospace_cache $BTRFS /mnt + +# Creating BTRFS subvolumes. +echo "Creating BTRFS subvolumes." 
+btrfs su cr /mnt/@ &>/dev/null +btrfs su cr /mnt/@/.snapshots &>/dev/null +mkdir -p /mnt/@/.snapshots/1 &>/dev/null +btrfs su cr /mnt/@/.snapshots/1/snapshot &>/dev/null +btrfs su cr /mnt/@/boot/ &>/dev/null +btrfs su cr /mnt/@/home &>/dev/null +btrfs su cr /mnt/@/root &>/dev/null +btrfs su cr /mnt/@/srv &>/dev/null +btrfs su cr /mnt/@/var_log &>/dev/null +btrfs su cr /mnt/@/var_log_journal &>/dev/null +btrfs su cr /mnt/@/var_crash &>/dev/null +btrfs su cr /mnt/@/var_cache &>/dev/null +btrfs su cr /mnt/@/var_tmp &>/dev/null +btrfs su cr /mnt/@/var_spool &>/dev/null +btrfs su cr /mnt/@/var_lib_libvirt_images &>/dev/null +btrfs su cr /mnt/@/var_lib_machines &>/dev/null +btrfs su cr /mnt/@/var_lib_gdm &>/dev/null +btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null +btrfs su cr /mnt/@/cryptkey &>/dev/null + +chattr +C /mnt/@/boot +chattr +C /mnt/@/srv +chattr +C /mnt/@/var_log +chattr +C /mnt/@/var_log_journal +chattr +C /mnt/@/var_crash +chattr +C /mnt/@/var_cache +chattr +C /mnt/@/var_tmp +chattr +C /mnt/@/var_spool +chattr +C /mnt/@/var_lib_libvirt_images +chattr +C /mnt/@/var_lib_machines +chattr +C /mnt/@/var_lib_gdm +chattr +C /mnt/@/var_lib_AccountsService +chattr +C /mnt/@/cryptkey + +#Set the default BTRFS Subvol to Snapshot 1 before pacstrapping +btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt + +cat << EOF >> /mnt/@/.snapshots/1/info.xml + + + single + 1 + 1999-03-31 0:00:00 + First Root Filesystem + number + +EOF + +chmod 600 /mnt/@/.snapshots/1/info.xml + +# Mounting the newly created subvolumes. +umount /mnt +echo "Mounting the newly created subvolumes." 
+mount -o ssd,noatime,space_cache,compress=zstd:15 $BTRFS /mnt +mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey} +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,noexec,subvol=@/boot $BTRFS /mnt/boot +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/root $BTRFS /mnt/root +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/home $BTRFS /mnt/home +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/.snapshots $BTRFS /mnt/.snapshots +mount -o ssd,noatime,space_cache=v2.autodefrag,compress=zstd:15,discard=async,subvol=@/srv $BTRFS /mnt/srv +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_log $BTRFS /mnt/var/log + +# Toolbox (https://github.com/containers/toolbox) needs /var/log/journal to have dev, suid, and exec, Thus I am splitting the subvolume. Need to make the directory after /mnt/var/log/ has been mounted. 
+mkdir -p /mnt/var/log/journal +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,subvol=@/var_log_journal $BTRFS /mnt/var/log/journal + +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_crash $BTRFS /mnt/var/crash +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_cache $BTRFS /mnt/var/cache +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_tmp $BTRFS /mnt/var/tmp + +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_spool $BTRFS /mnt/var/spool +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_libvirt_images $BTRFS /mnt/var/lib/libvirt/images +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_machines $BTRFS /mnt/var/lib/machines + +# The encryption is splitted as we do not want to include it in the backup with snap-pac. +mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey $BTRFS /mnt/cryptkey + +mkdir -p /mnt/boot/efi +mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi + +# Pacstrap (setting up a base sytem onto the new root). +# As I said above, I am considering replacing gnome-software with pamac-flatpak-gnome as PackageKit seems very buggy on Arch Linux right now. +echo "Installing the base system (it may take a while)." +pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor firewalld zram-generator reflector chrony sbctl + +# Generating /etc/fstab. +echo "Generating a new fstab." 
+genfstab -U /mnt >> /mnt/etc/fstab +sed -i 's#,subvolid=258,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot##g' /mnt/etc/fstab + +# Setting hostname. +read -r -p "Please enter the hostname: " hostname +echo "$hostname" > /mnt/etc/hostname + +# Setting hosts file. +echo "Setting hosts file." +cat > /mnt/etc/hosts < /mnt/etc/locale.gen +echo "LANG=$locale.UTF-8" > /mnt/etc/locale.conf + +# Setting up keyboard layout. +read -r -p "Please insert the keyboard layout you use: " kblayout +echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf + +# Configuring /etc/mkinitcpio.conf +echo "Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook." +sed -i 's,#COMPRESSION="zstd",COMPRESSION="zstd",g' /mnt/etc/mkinitcpio.conf +sed -i 's,modconf block filesystems keyboard,keyboard modconf block encrypt filesystems,g' /mnt/etc/mkinitcpio.conf + +# Enabling LUKS in GRUB and setting the UUID of the LUKS container. +UUID=$(blkid $cryptroot | cut -f2 -d'"') +sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub +echo "" >> /mnt/etc/default/grub +echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" >> /mnt/etc/default/grub +sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux +sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen + +# Enabling CPU Mitigations +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg >> /mnt/etc/grub.d/40_cpu_mitigations.cfg + +# Distrusting the CPU +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu.cfg + +# Enabling IOMMU +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> /mnt/etc/grub.d/40_enable_iommu.cfg + +# Enabling NTS +curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf >> /mnt/etc/chrony.conf + +# 
Setting GRUB configuration file permissions +chmod 755 /mnt/etc/grub.d/* + +# Adding keyfile to the initramfs to avoid double password. +dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null +chmod 000 /mnt/cryptkey/.root.key &>/dev/null +cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key +sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=landlock,lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub +sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf + +# Configure AppArmor Parser caching +sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf +sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf + +# Blacklisting kernel modules +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf >> /mnt/etc/modprobe.d/30_security-misc.conf +chmod 600 /mnt/etc/modprobe.d/* + +# Security kernel settings. 
+curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf >> /mnt/etc/sysctl.d/30_security-misc.conf +sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/30_security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf >> /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf +chmod 600 /mnt/etc/sysctl.d/* + +# Remove nullok from system-auth +sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth + +# Disable coredump +echo "* hard core 0" >> /mnt/etc/security/limits.conf + +# Disable su for non-wheel users +bash -c 'cat > /mnt/etc/pam.d/su' <<-'EOF' +#%PAM-1.0 +auth sufficient pam_rootok.so +# Uncomment the following line to implicitly trust users in the "wheel" group. +#auth sufficient pam_wheel.so trust use_uid +# Uncomment the following line to require a user to be in the "wheel" group. +auth required pam_wheel.so use_uid +auth required pam_unix.so +account required pam_unix.so +session required pam_unix.so +EOF + +# ZRAM configuration +bash -c 'cat > /mnt/etc/systemd/zram-generator.conf' <<-'EOF' +[zram0] +zram-fraction = 1 +max-zram-size = 8192 +EOF + +# Configuring the system. +arch-chroot /mnt /bin/bash -e </dev/null + + # Setting up clock. + hwclock --systohc + + # Generating locales.my keys aren't even on + echo "Generating locales." + locale-gen &>/dev/null + + # Generating a new initramfs. + echo "Creating a new initramfs." + chmod 600 /boot/initramfs-linux* &>/dev/null + mkinitcpio -P &>/dev/null + + # Snapper configuration + umount /.snapshots + rm -r /.snapshots + snapper --no-dbus -c root create-config / + btrfs subvolume delete /.snapshots + mkdir /.snapshots + mount -a + chmod 750 /.snapshots + + # Installing GRUB. 
+ echo "Installing GRUB on /boot." + grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock &>/dev/null + + # Creating grub config file. + echo "Creating GRUB config file." + grub-mkconfig -o /boot/grub/grub.cfg &>/dev/null + + # Adding user with sudo privilege + if [ -n "$username" ]; then + echo "Adding $username with root privilege." + useradd -m $username + usermod -aG wheel $username + + groupadd -r audit + gpasswd -a $username audit + fi +EOF + +# Setting user password. +[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${password}\n${password}" | arch-chroot /mnt passwd "$username" &>/dev/null + +# Giving wheel user sudo access. +sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers + +# Change audit logging group +echo "log_group = audit" >> /mnt/etc/audit/auditd.conf + +# Enabling audit service. +systemctl enable auditd --root=/mnt &>/dev/null + +# Enabling auto-trimming service. +systemctl enable fstrim.timer --root=/mnt &>/dev/null + +# Enabling NetworkManager. +systemctl enable NetworkManager --root=/mnt &>/dev/null + +# Enabling AppArmor. +echo "Enabling AppArmor." +systemctl enable apparmor --root=/mnt &>/dev/null + +# Enabling Firewalld. +echo "Enabling Firewalld." +systemctl enable firewalld --root=/mnt &>/dev/null + +# Enabling Reflector timer. +echo "Enabling Reflector." +systemctl enable reflector.timer --root=/mnt &>/dev/null + +# Enabling systemd-oomd. +echo "Enabling systemd-oomd." +systemctl enable systemd-oomd --root=/mnt &>/dev/null + +# Disabling systemd-timesyncd +systemctl disable systemd-timesyncd --root=/mnt &>/dev/null + +# Enabling chronyd +systemctl enable chronyd --root=/mnt &>/dev/null + +# Enabling Snapper automatic snapshots. 
+echo "Enabling Snapper and automatic snapshots entries." +systemctl enable snapper-timeline.timer --root=/mnt &>/dev/null +systemctl enable snapper-cleanup.timer --root=/mnt &>/dev/null +systemctl enable grub-btrfs.path --root=/mnt &>/dev/null + +# Setting umask to 077. +sed -i 's/022/077/g' /mnt/etc/profile +echo "" >> /mnt/etc/bash.bashrc +echo "umask 077" >> /mnt/etc/bash.bashrc + +# Finishing up +echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)." +exit From 439fa6b7a236e6dd551fb5000fe52c8ec27ab5b9 Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 2 Jul 2023 06:56:10 -0700 Subject: [PATCH 28/31] Add openssh and fwupd Signed-off-by: Tommy --- server.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/server.sh b/server.sh index 842b81a..04314a0 100644 --- a/server.sh +++ b/server.sh @@ -27,8 +27,6 @@ kernel_selector () { esac } - - ## user input ## # Selecting the target for the installation. @@ -205,7 +203,7 @@ mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi # Pacstrap (setting up a base sytem onto the new root). # As I said above, I am considering replacing gnome-software with pamac-flatpak-gnome as PackageKit seems very buggy on Arch Linux right now. echo "Installing the base system (it may take a while)." -pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor firewalld zram-generator reflector chrony sbctl +pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor firewalld zram-generator reflector chrony sbctl openssh tuned fwupd # Generating /etc/fstab. echo "Generating a new fstab." 
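Review bot: the password handling and the audit group setup in this script both have logic problems. `echo -e "${password}\n${password}" | arch-chroot /mnt passwd "$username"` runs `echo -e` over user input, so any backslash sequence in the chosen password is rewritten before `passwd` sees it; use `printf '%s:%s\n' "$username" "$password" | arch-chroot /mnt chpasswd` (or `printf '%s\n%s\n'` into `passwd`) instead. `groupadd -r audit` and `gpasswd -a $username audit` sit inside `if [ -n "$username" ]`, but `echo "log_group = audit" >> /mnt/etc/audit/auditd.conf` and `systemctl enable auditd` run unconditionally, so an install without a username hands auditd a `log_group` that does not exist and auditd will reject that config when it starts; create the group outside the `if`. `sed -i 's/022/077/g' /mnt/etc/profile` rewrites every `022` in the file rather than only the umask line; anchor it on `umask 022`. The `curl ... >> /mnt/etc/sysctl.d/...` fetches have no `-f`/`--fail`, so an HTTP error page is appended to a sysctl file and then `chmod 600`. `arch-chroot /mnt /bin/bash -e </dev/null` is followed by an indented block and a closing `EOF`; as shown this is not a heredoc, so those commands would run in the live environment and `EOF` would be an unknown command, confirm it reads `<<EOF`. The comment `# Generating locales.my keys aren't even on` is stray text, and `useradd -m $username` / `usermod -aG wheel $username` should quote `"$username"`.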
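Review bot: the commit message says openssh and fwupd, but the new pacstrap line also adds `tuned`, and nothing else in this patch enables or configures it, so it is installed dead weight on a hardened image; either drop it or mention it in the message and enable it the way the other services are (`systemctl enable tuned --root=/mnt`). fwupd is likewise installed without any accompanying unit or timer being enabled; if D-Bus activation on demand is the intent, a comment on the pacstrap line would save the next reader the question.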
@@ -366,6 +364,9 @@ echo "log_group = audit" >> /mnt/etc/audit/auditd.conf # Enabling audit service. systemctl enable auditd --root=/mnt &>/dev/null +# Enabling openssh server +systemctl enable sshd --root=/mnt &>/dev/null + # Enabling auto-trimming service. systemctl enable fstrim.timer --root=/mnt &>/dev/null From e40b76ec02786f860389f2954faf542524fdd6e8 Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 15 Nov 2023 14:24:58 -0700 Subject: [PATCH 29/31] Update 990-security-misc path Signed-off-by: Tommy --- desktop.sh | 4 ++-- server.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/desktop.sh b/desktop.sh index aa4793c..9f8fa91 100755 --- a/desktop.sh +++ b/desktop.sh @@ -294,8 +294,8 @@ curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modpr chmod 600 /mnt/etc/modprobe.d/* # Security kernel settings. -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf >> /mnt/etc/sysctl.d/30_security-misc.conf -sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/30_security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf >> /mnt/etc/sysctl.d/990-security-misc.conf +sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf >> /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf chmod 600 /mnt/etc/sysctl.d/* diff --git a/server.sh b/server.sh index 04314a0..d07dba0 100644 --- a/server.sh +++ b/server.sh 
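Review bot: enabling `sshd` at install time with no `sshd_config` changes in this patch exposes the password the script just set (the `echo -e "${password}\n${password}" | ... passwd` line) to online guessing from first boot, and firewalld, which this script also enables, permits the `ssh` service in its default `public` zone, so the port is reachable. Before `systemctl enable sshd --root=/mnt`, drop a hardening fragment into `/mnt/etc/ssh/sshd_config.d/10-hardening.conf` (the packaged `sshd_config` includes `sshd_config.d/*.conf`) with at least `PasswordAuthentication no`, `KbdInteractiveAuthentication no` and `PermitRootLogin no`, and provision an authorized key for `$username`; or leave sshd disabled and make enabling it an explicit option, since a desktop-style install with a keyboard-typed password does not need it listening.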
@@ -274,8 +274,8 @@ curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modpr chmod 600 /mnt/etc/modprobe.d/* # Security kernel settings. -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf >> /mnt/etc/sysctl.d/30_security-misc.conf -sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/30_security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf >> /mnt/etc/sysctl.d/990-security-misc.conf +sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf >> /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf chmod 600 /mnt/etc/sysctl.d/* From 446ec3e82df355bbe6d3dd3f8adc1bab5fbdc47f Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 15 Nov 2023 14:30:00 -0700 Subject: [PATCH 30/31] Update curl syntax Signed-off-by: Tommy --- desktop.sh | 18 +++++++++--------- server.sh | 16 ++++++++-------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/desktop.sh b/desktop.sh index 9f8fa91..a489fd2 100755 --- a/desktop.sh +++ b/desktop.sh 
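Review bot: in both desktop.sh and server.sh the main sysctl file now comes from `usr/lib/sysctl.d/990-security-misc.conf`, but the two companion files are still fetched from `etc/sysctl.d/30_silent-kernel-printk.conf` and `etc/sysctl.d/30_security-misc_kexec-disable.conf`; if the upstream reorganisation that moved the first file moved those too, these `curl` calls (still `>>` and still without `-f`) append a 404 body to the local config. Check all three URLs resolve, and make the `sed` that bumps `kernel.yama.ptrace_scope` from 2 to 3 prove it matched, e.g. `grep -q '^kernel.yama.ptrace_scope=3' /mnt/etc/sysctl.d/990-security-misc.conf || exit 1`, because an upstream change to that line (a space around `=`, a different default) turns the sed into a silent no-op and the system ships with a weaker ptrace policy than the script promises.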
@@ -259,21 +259,21 @@ sed -i 's,modconf block filesystems keyboard,keyboard modconf block encrypt file UUID=$(blkid $cryptroot | cut -f2 -d'"') sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub echo "" >> /mnt/etc/default/grub -echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" >> /mnt/etc/default/grub +echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" -o /mnt/etc/default/grub sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen # Enabling CPU Mitigations -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg >> /mnt/etc/grub.d/40_cpu_mitigations.cfg +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg -o /mnt/etc/grub.d/40_cpu_mitigations.cfg # Distrusting the CPU -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu.cfg +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg -o /mnt/etc/grub.d/40_distrust_cpu.cfg # Enabling IOMMU -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> /mnt/etc/grub.d/40_enable_iommu.cfg +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg -o /mnt/etc/grub.d/40_enable_iommu.cfg # Enabling NTS -curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf >> /mnt/etc/chrony.conf +curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /mnt/etc/chrony.conf # Setting GRUB configuration file permissions chmod 755 /mnt/etc/grub.d/* 
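Review bot: `echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" -o /mnt/etc/default/grub` is a regression: `echo` has no `-o` option, so this prints the text followed by the literal `-o /mnt/etc/default/grub` to stdout and the setting is never written to `/etc/default/grub`. The `>>` to `-o` rewrite is only valid for the `curl` lines; restore `>>` here, since the packaged `/etc/default/grub` must be appended to, not replaced. For the three `40_*.cfg` drop-ins: upstream keeps them under `etc/default/grub.d/`, where `grub-mkconfig` sources `*.cfg`, but this script writes them to `/mnt/etc/grub.d/` and marks them executable with `chmod 755 /mnt/etc/grub.d/*`, a directory whose entries grub-mkconfig runs as scripts and uses only for their stdout; a file of shell variable assignments produces no output there. Write them to `/mnt/etc/default/grub.d/` instead, and verify after `grub-mkconfig` that the expected mitigation and IOMMU parameters appear on the `linux` lines of `/mnt/boot/grub/grub.cfg`. Add `-fsSL` to the curl calls so a non-2xx response is not written into the target file.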
@@ -290,14 +290,14 @@ sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf # Blacklisting kernel modules -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf >> /mnt/etc/modprobe.d/30_security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /mnt/etc/modprobe.d/30_security-misc.conf chmod 600 /mnt/etc/modprobe.d/* # Security kernel settings. -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf >> /mnt/etc/sysctl.d/990-security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /mnt/etc/sysctl.d/990-security-misc.conf sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf >> /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /mnt/etc/sysctl.d/30_silent-kernel-printk.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf chmod 600 /mnt/etc/sysctl.d/* # Remove nullok from system-auth diff --git a/server.sh b/server.sh index d07dba0..dd29fe0 100644 --- a/server.sh +++ b/server.sh 
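Review bot: switching from `>>` to `curl -o` fixes the duplicate-append on a rerun, but `curl` without `--fail` still writes a non-2xx response body to the destination, and these destinations are `/etc/modprobe.d/30_security-misc.conf` and `/etc/sysctl.d/*.conf`, which then get `chmod 600`; a GitHub 404 page silently becomes a config file that `sysctl --system` and modprobe complain about at every boot while the intended blacklist and sysctl hardening are simply absent. Use `curl -fsSL --retry 3 -o ...` and abort on a non-zero exit (or run the whole section under `set -e`), so a failed fetch stops the install instead of producing an unhardened system that looks hardened.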
@@ -244,16 +244,16 @@ sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen # Enabling CPU Mitigations -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg >> /mnt/etc/grub.d/40_cpu_mitigations.cfg +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg -o /mnt/etc/grub.d/40_cpu_mitigations.cfg # Distrusting the CPU -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg >> /mnt/etc/grub.d/40_distrust_cpu.cfg +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg -o /mnt/etc/grub.d/40_distrust_cpu.cfg # Enabling IOMMU -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg >> /mnt/etc/grub.d/40_enable_iommu.cfg +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg -o /mnt/etc/grub.d/40_enable_iommu.cfg # Enabling NTS -curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf >> /mnt/etc/chrony.conf +curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /mnt/etc/chrony.conf # Setting GRUB configuration file permissions chmod 755 /mnt/etc/grub.d/* 
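Review bot: every file fetched in this hunk comes from a moving branch (`.../Kicksecure/security-misc/master/...`, `.../GrapheneOS/infrastructure/main/chrony.conf`) and is written straight into `/etc/grub.d/` (made executable by `chmod 755 /mnt/etc/grub.d/*`) and `/etc/chrony.conf` with no pinning and no integrity check, so anyone who can push to those repositories controls the kernel command line and the NTP sources of every machine installed with this script. Pin the URLs to a commit hash instead of `master`/`main` and compare a known digest before installing (`sha256sum -c`), or vendor the files into this repository where they are reviewed with the rest of the change. `curl -o` also writes an error page into the target on a non-2xx response; `-fsSL` is needed here as well.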
@@ -270,14 +270,14 @@ sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf # Blacklisting kernel modules -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf >> /mnt/etc/modprobe.d/30_security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /mnt/etc/modprobe.d/30_security-misc.conf chmod 600 /mnt/etc/modprobe.d/* # Security kernel settings. -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf >> /mnt/etc/sysctl.d/990-security-misc.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /mnt/etc/sysctl.d/990-security-misc.conf sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf >> /mnt/etc/sysctl.d/30_silent-kernel-printk.conf -curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf >> /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /mnt/etc/sysctl.d/30_silent-kernel-printk.conf +curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf chmod 600 /mnt/etc/sysctl.d/* # Remove nullok from system-auth From 2077ee482973ace02e26d0549986d645b36ff1de Mon Sep 17 00:00:00 2001 
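Review bot: this is the fourth copy of the same curl block in one patch (two hunks in desktop.sh, two in server.sh), and the desktop.sh copy already diverged in this very patch by picking up a bad `echo ... -o` edit that server.sh did not get. Factor the hardening fetches into one shared function or a sourced file that both scripts call, so a fix such as adding `--fail` lands once and the two images cannot quietly end up with different sysctl, modprobe or GRUB settings.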
From: funk-on-code <113871227+funk-on-code@users.noreply.github.com> Date: Sun, 5 May 2024 23:30:12 +1000 Subject: [PATCH 31/31] Update mkinitcpio hooks, enables systems to boot. (#29) Fixes #26 mkinitcpio has had several changes since 2023, after much trial-and-error, rewriting the entire line is a more robust way of fixing this problem. Signed-off-by: funk-on-code <113871227+funk-on-code@users.noreply.github.com> --- server.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server.sh b/server.sh index dd29fe0..8ebe9cf 100644 --- a/server.sh +++ b/server.sh @@ -233,7 +233,7 @@ echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf # Configuring /etc/mkinitcpio.conf echo "Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook." sed -i 's,#COMPRESSION="zstd",COMPRESSION="zstd",g' /mnt/etc/mkinitcpio.conf -sed -i 's,modconf block filesystems keyboard,keyboard modconf block encrypt filesystems,g' /mnt/etc/mkinitcpio.conf +sed -i 's,HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck),HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck),g' /mnt/etc/mkinitcpio.conf # Enabling LUKS in GRUB and setting the UUID of the LUKS container. UUID=$(blkid $cryptroot | cut -f2 -d'"')
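Review bot: the new `sed` only fires if `/mnt/etc/mkinitcpio.conf` contains exactly `HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)`; any drift in the packaged default (a hook added or reordered in a future mkinitcpio release, which is what broke the previous pattern) makes it a silent no-op, the initramfs is built without `encrypt`, and the LUKS root is never unlocked at boot. Match a smaller anchor, e.g. `sed -i 's/\bblock filesystems\b/block encrypt filesystems/' /mnt/etc/mkinitcpio.conf`, and fail loudly before `mkinitcpio -P` if the hook is still missing: `grep -Eq '^HOOKS=.*\bencrypt\b' /mnt/etc/mkinitcpio.conf || { echo 'encrypt hook not set' >&2; exit 1; }`. The fix is also applied to server.sh only; desktop.sh still carries the old `sed -i 's,modconf block filesystems keyboard,keyboard modconf block encrypt file...` pattern (visible in the context of its earlier hunk at line 259), so desktop installs remain unbootable for the same reason.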