Compare commits
No commits in common. "8a0504c4d8d823c5d94fc6b1d979675fc7d0e981" and "81bf0790f70656c134c53a2a1f72dd84399dc2b7" have entirely different histories.
@ -23,12 +23,12 @@ The partition layout I use allows us to replicate the behavior found in openSUSE
|
||||
1. Snapper rollback <number> works! You will no longer need to manually rollback from a live USB like you would with the @ and @home layout suggested in the Arch Wiki.
|
||||
2. You can boot into a readonly snapshot! GDM and other services will start normally so you can get in and verify that everything works before rolling back.
|
||||
3. Automatic snapshots on pacman install/update/remove operations
|
||||
4. Directories such as `/boot`, `/boot/efi`, `/var/log`, `/var/crash`, `/var/tmp`, `/var/spool`, /`var/lib/libvirt/images` are excluded from the snapshots as they either should be persistent or are just temporary files. `/cryptkey` is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.
|
||||
5. GRUB will boot into the default BTRFS snapshot set by snapper. Like on openSUSE, your running system will always be a read-write snapshot in `@/.snapshots/X/snapshot`.
|
||||
4. Directories such as /boot, /boot/efi, /var/log, /var/crash, /var/tmp, /var/spool, /var/lib/libvirt/images are excluded from the snapshots as they either should be persistent or are just temporary files. /cryptkey is excluded as we do not want the encryption key to be included in the snapshots, which could be sent to another device as a backup.
|
||||
5. GRUB will boot into the default BTRFS snapshot set by snapper. Like on openSUSE, your running system will always be a read-write snapshot in @/.snapshots/X/snapshot.
|
||||
|
||||
### Security considerations
|
||||
|
||||
Since this is an encrypted `/boot` setup, GRUB will prompt you for your encryption password and decrypt the drive so that it can access the kernel and initramfs. I am unaware of any way to make it use a TPM + PIN setup.
|
||||
Since this is an encrypted /boot setup, GRUB will prompt you for your encryption password and decrypt the drive so that it can access the kernel and initramfs. I am unaware of any way to make it use a TPM + PIN setup.
|
||||
|
||||
The implication of this is that an attacker can change your secure boot state with a programmer, replace your grubx64.efi and it will not be detected until its too late.
|
||||
|
||||
|
55
install.sh
55
install.sh
@ -186,10 +186,8 @@ btrfs su cr /mnt/@/var_tmp &>/dev/null
|
||||
btrfs su cr /mnt/@/var_spool &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_libvirt_images &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_machines &>/dev/null
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
|
||||
fi
|
||||
btrfs su cr /mnt/@/cryptkey &>/dev/null
|
||||
|
||||
## Disable CoW on subvols we are not taking snapshots of
|
||||
@ -205,10 +203,8 @@ chattr +C /mnt/@/var_tmp
|
||||
chattr +C /mnt/@/var_spool
|
||||
chattr +C /mnt/@/var_lib_libvirt_images
|
||||
chattr +C /mnt/@/var_lib_machines
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
chattr +C /mnt/@/var_lib_gdm
|
||||
chattr +C /mnt/@/var_lib_AccountsService
|
||||
fi
|
||||
chattr +C /mnt/@/cryptkey
|
||||
|
||||
## Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
|
||||
@ -230,10 +226,7 @@ chmod 600 /mnt/@/.snapshots/1/info.xml
|
||||
umount /mnt
|
||||
output 'Mounting the newly created subvolumes.'
|
||||
mount -o ssd,noatime,compress=zstd "${BTRFS}" /mnt
|
||||
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines,cryptkey}
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
mkdir -p /mnt/{var/lib/gdm,var/lib/AccountsService}
|
||||
fi
|
||||
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey}
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,noexec,subvol=@/boot "${BTRFS}" /mnt/boot
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/root "${BTRFS}" /mnt/root
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/home "${BTRFS}" /mnt/home
|
||||
@ -254,10 +247,8 @@ mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_li
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_machines "${BTRFS}" /mnt/var/lib/machines
|
||||
|
||||
# GNOME requires /var/lib/gdm and /var/lib/AccountsService to be writeable when booting into a readonly snapshot. Thus we sadly have to split them.
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_gdm $BTRFS /mnt/var/lib/gdm
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_AccountsService $BTRFS /mnt/var/lib/AccountsService
|
||||
fi
|
||||
|
||||
### The encryption is splitted as we do not want to include it in the backup with snap-pac.
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
|
||||
@ -328,8 +319,7 @@ echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
|
||||
## Configure /etc/mkinitcpio.conf
|
||||
output 'Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook.'
|
||||
sed -i 's/#COMPRESSION="zstd"/COMPRESSION="zstd"/g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i 's/^MODULES=.*/MODULES=(btrfs)/g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt)/g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems)/g' /mnt/etc/mkinitcpio.conf
|
||||
|
||||
## Enable LUKS in GRUB and setting the UUID of the LUKS container.
|
||||
sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
|
||||
@ -358,16 +348,12 @@ sed -i "s#module\.sig_enforce=1#module.sig_enforce=1 rd.luks.key=/cryptkey/.root
|
||||
## Continue kernel hardening
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install msr/install msr/g' /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
if [ "${install_mode}" = 'server' ]; then
|
||||
if [ "${install_mode}" != 'server' ]; then
|
||||
sudo sed -i 's/#[[:space:]]*install bluetooth/install bluetooth/g' /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#[[:space:]]*install btusb/install btusb/g' /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
fi
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
sed -i 's/kernel\.yama\.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
if [ "${install_mode}" = 'server' ]; then
|
||||
sudo sed -i 's/net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=.*/net.ipv4.icmp_echo_ignore_all=0/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/net\.ipv6\.icmp.echo_ignore_all[[:space:]]*=.*/net.ipv6.icmp.echo_ignore_all=0/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
fi
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf | tee /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf | tee /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
|
||||
@ -378,27 +364,14 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
|
||||
## Remove nullok from system-auth
|
||||
sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth
|
||||
|
||||
## Harden SSH
|
||||
## Arch annoyingly does not split openssh-server out so even desktop Arch will have the daemon.
|
||||
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /mnt/etc/ssh/ssh_config.d/10-custom.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee tee /mnt/etc/ssh/sshd_config.d/10-custom.conf
|
||||
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /mnt/etc/ssh/sshd_config.d/10-custom.conf
|
||||
mkdir -p /etc/systemd/system/sshd.service.d/
|
||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /mnt/etc/systemd/system/sshd.service.d/override.conf
|
||||
|
||||
## Disable coredump
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | tee /mnt/etc/security/limits.d/30-disable-coredump.conf
|
||||
|
||||
# Disable XWayland
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
mkdir -p /mnt/etc/systemd/user/org.gnome.Shell@wayland.service.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/user/org.gnome.Shell%40wayland.service.d/override.conf | tee /mnt/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf
|
||||
fi
|
||||
sudo mkdir -p /mnt/etc/systemd/user/org.gnome.Shell@wayland.service.d
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/user/org.gnome.Shell%40wayland.service.d/override.conf | sudo tee /mnt/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf
|
||||
|
||||
# Setup dconf
|
||||
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
mkdir -p /mnt/etc/dconf/db/local.d/locks
|
||||
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | tee /mnt/etc/dconf/db/local.d/locks/automount-disable
|
||||
@ -410,7 +383,6 @@ if [ "${install_mode}" = 'desktop' ]; then
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark | tee /mnt/etc/dconf/db/local.d/prefer-dark
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy | tee /mnt/etc/dconf/db/local.d/privacy
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/touchpad | tee /mnt/etc/dconf/db/local.d/touchpad
|
||||
fi
|
||||
|
||||
## ZRAM configuration
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf | tee /mnt/etc/systemd/zram-generator.conf
|
||||
@ -448,22 +420,22 @@ arch-chroot /mnt /bin/bash -e <<EOF
|
||||
|
||||
# Installing GRUB.
|
||||
output "Installing GRUB on /boot."
|
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --disable-shim-lock
|
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock
|
||||
|
||||
# Creating grub config file.
|
||||
output "Creating GRUB config file."
|
||||
grub-mkconfig -o /boot/grub/grub.cfg
|
||||
|
||||
# Adding user with sudo privilege
|
||||
if [ -n "$username" ]; then
|
||||
output "Adding $username with root privilege."
|
||||
useradd -m $username
|
||||
usermod -aG wheel $username
|
||||
fi
|
||||
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
# Setting up dconf
|
||||
output "Setting up dconf."
|
||||
dconf update
|
||||
fi
|
||||
|
||||
# Snapper configuration
|
||||
umount /.snapshots
|
||||
@ -479,13 +451,14 @@ EOF
|
||||
[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${user_password}\n${user_password}" | arch-chroot /mnt passwd "$username" &>/dev/null
|
||||
|
||||
## Give wheel user sudo access.
|
||||
sed -i 's/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g' /mnt/etc/sudoers
|
||||
sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers
|
||||
|
||||
## Enable services
|
||||
systemctl enable apparmor --root=/mnt
|
||||
systemctl enable chronyd --root=/mnt
|
||||
systemctl enable firewalld --root=/mnt
|
||||
systemctl enable fstrim.timer --root=/mnt
|
||||
systemctl enable gdm.service --root=/mnt
|
||||
systemctl enable grub-btrfsd.service --root=/mnt
|
||||
systemctl enable NetworkManager --root=/mnt
|
||||
systemctl enable reflector.timer --root=/mnt
|
||||
@ -503,10 +476,10 @@ if [ "${install_mode}" = 'server' ]; then
|
||||
fi
|
||||
|
||||
## Set umask to 077.
|
||||
sed -i 's/^UMASK.*/UMASK 077/g' /mnt/etc/login.defs
|
||||
sed -i 's/^HOME_MODE/#HOME_MODE/g' /mnt/etc/login.defs
|
||||
sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /mnt/etc/login.defs
|
||||
sed -i 's/umask 022/umask 077/g' /mnt/etc/bash.bashrc
|
||||
sudo sed -i 's/^UMASK.*/UMASK 077/g' /mnt/etc/login.defs
|
||||
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /mnt/etc/login.defs
|
||||
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /mnt/etc/login.defs
|
||||
sudo sed -i 's/umask 022/umask 077/g' /mnt/etc/bash.bashrc
|
||||
|
||||
# Finish up
|
||||
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
|
||||
|
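Review bot: The hardening files in the kernel-hardening hunk are fetched with `unpriv curl … | tee` and no `--fail`, so a 404/5xx error body or an empty response is written verbatim into `/mnt/etc/modprobe.d/30_security-misc.conf` and `/mnt/etc/sysctl.d/990-security-misc.conf`, after which the `sed -i` edits for `install msr`, `install bluetooth`/`install btusb` and `kernel.yama.ptrace_scope=3` match nothing and the install completes with that hardening silently absent. The pipeline's exit status is `tee`'s, so unless `unpriv` (defined outside this hunk) or a `set -o pipefail` at the top of the script surfaces curl's failure, `set -e` will not stop it either. I would change each fetch to `unpriv curl -f --proto '=https' --tlsv1.2 "$url" | tee /mnt/etc/modprobe.d/30_security-misc.conf` (with `pipefail` enabled so curl's exit 22 is fatal) and, because these files come from the moving `master`/`main` branch of a third-party repo with no checksum or commit pin, put a commit hash in the URL so the contents that land in the image are reproducible and reviewable. The same fetch pattern is used for the sysctl.d, limits.d, sshd_config.d, zram and dconf files in the other hunks of this file.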
@ -1,30 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2021-2024 Thien Tran
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
# Install new grub version
|
||||
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --disable-shim-lock
|
||||
|
||||
# Sign grub
|
||||
sudo sbctl sign-all
|
||||
|
||||
# Disable root subvol pinning.
|
||||
## This is **extremely** important, as snapper expects to be able to set the default btrfs subvol.
|
||||
# shellcheck disable=SC2016
|
||||
sudo sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
|
||||
# shellcheck disable=SC2016
|
||||
sudo sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
|
||||
|
||||
# Generate grub config
|
||||
sudo grub-mkconfig -o /boot/grub/grub.cfg
|