
daf2664d08
Add notes on dconf not working
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-02 02:00:23 -07:00
6d0c3594d9
Fix arch-chroot section
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-02 01:44:16 -07:00
ce3d59b072
Add missing directory
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-02 01:32:58 -07:00
38ed7b9cb2
Fix typo
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-02 01:07:30 -07:00
8351da101f
Add suport for VM installs without encryption
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-02 00:47:34 -07:00
e812fa7185
Typo fix
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-02 00:14:37 -07:00
0128fd93b6
Support networkd for server installs
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-02 00:02:15 -07:00


@ -22,6 +22,9 @@ unpriv(){
sudo -u nobody "$@"
}
# Check if this is a VM
virtualization=$(systemd-detect-virt)
install_mode_selector() {
output 'Is this a desktop or server installation?'
output '1) Desktop'
@ -38,20 +41,42 @@ install_mode_selector() {
esac
}
luks_password_prompt () {
output 'Enter your encryption password (the password will not be shown on the screen):'
read -r -s luks_password
if [ -z "${luks_password}" ]; then
output 'You need to enter a password.'
luks_password_prompt
luks_prompt(){
if [ "${virtualization}" != 'none' ]; then
output "Virtual machine detected. Do you want to set up LUKS?"
output '1) No'
output '2) Yes'
output 'Insert the number of your selection:'
read -r choice
case $choice in
1 ) use_luks='0'
;;
2 ) use_luks='1'
;;
* ) output 'You did not enter a valid selection.'
luks_prompt
esac
else
use_luks='1'
fi
}
output 'Confirm your encryption password (the password will not be shown on the screen):'
read -r -s luks_password2
if [ "${luks_password}" != "${luks_password2}" ]; then
output 'Passwords do not match, please try again.'
luks_password_prompt
luks_password_prompt () {
if [ "${use_luks}" = '1' ]; then
output 'Enter your encryption password (the password will not be shown on the screen):'
read -r -s luks_password
if [ -z "${luks_password}" ]; then
output 'You need to enter a password.'
luks_password_prompt
fi
output 'Confirm your encryption password (the password will not be shown on the screen):'
read -r -s luks_password2
if [ "${luks_password}" != "${luks_password2}" ]; then
output 'Passwords do not match, please try again.'
luks_password_prompt
fi
fi
}
@ -107,6 +132,26 @@ hostname_prompt (){
fi
}
network_daemon_prompt(){
if [ "${install_mode}" = 'server' ]; then
output 'Which network daemon do you want to use'
output '1) networkmanager'
output '2) systemd-networkd'
output 'Insert the number of your selection:'
read -r choice
case $choice in
1 ) network_daemon='networkmanager'
;;
2 ) network_daemon='systemd-networkd'
;;
* ) output 'You did not enter a valid selection.'
install_mode_selector
esac
else
network_daemon='networkmanager'
fi
}
# Set hardcoded variables (temporary, these will be replaced by future prompts)
locale=en_US
kblayout=us
@ -116,14 +161,13 @@ clear
# Initial prompts
install_mode_selector
luks_prompt
luks_password_prompt
disk_prompt
username_prompt
user_password_prompt
hostname_prompt
# Check if this is a VM
virtualization=$(systemd-detect-virt)
network_daemon_prompt
# Installation
@ -143,10 +187,13 @@ parted -s "${disk}" \
mklabel gpt \
mkpart ESP fat32 1MiB 513MiB \
set 1 esp on \
mkpart cryptroot 513MiB 100%
mkpart rootfs 513MiB 100%
ESP='/dev/disk/by-partlabel/ESP'
cryptroot='/dev/disk/by-partlabel/cryptroot'
if [ "${use_luks}" = '1' ]; then
cryptroot='/dev/disk/by-partlabel/rootfs'
fi
## Informing the Kernel of the changes.
output 'Informing the Kernel about the disk changes.'
@ -157,13 +204,17 @@ output 'Formatting the EFI Partition as FAT32.'
mkfs.fat -F 32 -s 2 "${ESP}" &>/dev/null
## Creating a LUKS Container for the root partition.
output 'Creating LUKS Container for the root partition.'
echo -n "${luks_password}" | cryptsetup luksFormat --pbkdf pbkdf2 ${cryptroot} -d - &>/dev/null
echo -n "${luks_password}" | cryptsetup open ${cryptroot} cryptroot -d -
BTRFS='/dev/mapper/cryptroot'
if [ "${use_luks}" = '1' ]; then
output 'Creating LUKS Container for the root partition.'
echo -n "${luks_password}" | cryptsetup luksFormat --pbkdf pbkdf2 "${cryptroot}" -d - &>/dev/null
echo -n "${luks_password}" | cryptsetup open "${cryptroot}" cryptroot -d -
BTRFS='/dev/mapper/cryptroot'
else
BTRFS='/dev/disk/by-partlabel/rootfs'
fi
## Formatting the LUKS Container as BTRFS.
output 'Formatting the LUKS container as BTRFS.'
## Formatting the partition as BTRFS.
output 'Formatting the rootfs as BTRFS.'
mkfs.btrfs "${BTRFS}" &>/dev/null
mount "${BTRFS}" /mnt
@ -190,7 +241,10 @@ if [ "${install_mode}" = 'desktop' ]; then
btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
fi
btrfs su cr /mnt/@/cryptkey &>/dev/null
if [ "${use_luks}" = '1' ]; then
btrfs su cr /mnt/@/cryptkey &>/dev/null
fi
## Disable CoW on subvols we are not taking snapshots of
chattr +C /mnt/@/boot
@ -209,7 +263,10 @@ if [ "${install_mode}" = 'desktop' ]; then
chattr +C /mnt/@/var_lib_gdm
chattr +C /mnt/@/var_lib_AccountsService
fi
chattr +C /mnt/@/cryptkey
if [ "${use_luks}" = '1' ]; then
chattr +C /mnt/@/cryptkey
fi
## Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt
@ -230,10 +287,15 @@ chmod 600 /mnt/@/.snapshots/1/info.xml
umount /mnt
output 'Mounting the newly created subvolumes.'
mount -o ssd,noatime,compress=zstd "${BTRFS}" /mnt
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines,cryptkey}
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines}
if [ "${install_mode}" = 'desktop' ]; then
mkdir -p /mnt/{var/lib/gdm,var/lib/AccountsService}
fi
if [ "${use_luks}" = '1' ]; then
mkdir -p /mnt/cryptkey
fi
mount -o ssd,noatime,compress=zstd,nodev,nosuid,noexec,subvol=@/boot "${BTRFS}" /mnt/boot
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/root "${BTRFS}" /mnt/root
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/home "${BTRFS}" /mnt/home
@ -260,7 +322,9 @@ if [ "${install_mode}" = 'desktop' ]; then
fi
### The encryption is splitted as we do not want to include it in the backup with snap-pac.
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
if [ "${use_luks}" = '1' ]; then
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
fi
mkdir -p /mnt/boot/efi
mount -o nodev,nosuid,noexec "${ESP}" /mnt/boot/efi
@ -281,7 +345,11 @@ output 'Installing the base system (it may take a while).'
output "You may see an error when mkinitcpio tries to generate a new initramfs."
output "It is okay. The script will regenerate the initramfs later in the installation process."
pacstrap /mnt apparmor base chrony efibootmgr firewalld grub grub-btrfs inotify-tools linux-firmware linux-hardened linux-lts "${microcode}" nano networkmanager reflector sbctl snapper sudo zram-generator
pacstrap /mnt apparmor base chrony efibootmgr firewalld grub grub-btrfs inotify-tools linux-firmware linux-hardened linux-lts "${microcode}" nano reflector sbctl snapper sudo zram-generator
if [ "${network_daemon}" = 'networkmanager' ]; then
pacstrap /mnt networkmanager
fi
if [ "${install_mode}" = 'desktop' ]; then
pacstrap /mnt nautilus gdm gnome-console gnome-control-center flatpak pipewire-alsa pipewire-pulse pipewire-jack
@ -329,10 +397,16 @@ echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
output 'Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook.'
sed -i 's/#COMPRESSION="zstd"/COMPRESSION="zstd"/g' /mnt/etc/mkinitcpio.conf
sed -i 's/^MODULES=.*/MODULES=(btrfs)/g' /mnt/etc/mkinitcpio.conf
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt)/g' /mnt/etc/mkinitcpio.conf
if [ "${use_luks}" = '1' ]; then
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt)/g' /mnt/etc/mkinitcpio.conf
else
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block)/g' /mnt/etc/mkinitcpio.conf
fi
## Enable LUKS in GRUB and setting the UUID of the LUKS container.
sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
if [ "${use_luks}" = '1' ]; then
sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
fi
echo '' >> /mnt/etc/default/grub
echo '# Booting with BTRFS subvolume
GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub
@ -345,15 +419,22 @@ sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
## Kernel hardening
UUID=$(blkid -s UUID -o value "${cryptroot}")
sed -i "s#quiet#rd.luks.name=${UUID}=cryptroot root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
if [ "${use_luks}" = '1' ]; then
UUID=$(blkid -s UUID -o value "${cryptroot}")
sed -i "s#quiet#rd.luks.name=${UUID}=cryptroot root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
else
sed -i "s#quiet#root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
fi
## Add keyfile to the initramfs to avoid double password.
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key -d -
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
sed -i "s#module\.sig_enforce=1#module.sig_enforce=1 rd.luks.key=/cryptkey/.root.key#g" /mnt/etc/default/grub
if [ "${use_luks}" = '1' ]; then
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/rootfs /mnt/cryptkey/.root.key -d -
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
sed -i "s#module\.sig_enforce=1#module.sig_enforce=1 rd.luks.key=/cryptkey/.root.key#g" /mnt/etc/default/grub
fi
## Continue kernel hardening
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
@ -399,6 +480,8 @@ fi
# Setup dconf
if [ "${install_mode}" = 'desktop' ]; then
# This doesn't actually take effect atm - need to investigate
mkdir -p /mnt/etc/dconf/db/local.d/locks
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | tee /mnt/etc/dconf/db/local.d/locks/automount-disable
@ -417,12 +500,15 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
## Setup Networking
if [ "${install_mode}" = "desktop" ]; then
if [ "${install_mode}" = 'desktop' ]; then
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | tee /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | tee /mnt/etc/NetworkManager/conf.d/01-transient-hostname.conf
fi
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf
if [ "${network_daemon}" = 'networkmanager' ]; then
mkdir -p /mnt/etc/systemd/system/NetworkManager.service.d/
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf
fi
## Configuring the system.
arch-chroot /mnt /bin/bash -e <<EOF
@ -435,33 +521,33 @@ arch-chroot /mnt /bin/bash -e <<EOF
hwclock --systohc
# Generating locales.my keys aren't even on
output "Generating locales."
echo "Generating locales."
locale-gen
# Create SecureBoot keys. This isn't strictly necessary, but certain things like linux-hardened preset expects it and mkinitcpio will fail without it, sooo...
sbctl create-keys
# Generating a new initramfs.
output "Creating a new initramfs."
echo "Creating a new initramfs."
chmod 600 /boot/initramfs-linux*
mkinitcpio -P
# Installing GRUB.
output "Installing GRUB on /boot."
echo "Installing GRUB on /boot."
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --disable-shim-lock
# Creating grub config file.
output "Creating GRUB config file."
echo "Creating GRUB config file."
grub-mkconfig -o /boot/grub/grub.cfg
# Adding user with sudo privilege
output "Adding $username with root privilege."
echo "Adding $username with root privilege."
useradd -m $username
usermod -aG wheel $username
if [ "${install_mode}" = 'desktop' ]; then
# Setting up dconf
output "Setting up dconf."
echo "Setting up dconf."
dconf update
fi
@ -487,13 +573,18 @@ systemctl enable chronyd --root=/mnt
systemctl enable firewalld --root=/mnt
systemctl enable fstrim.timer --root=/mnt
systemctl enable grub-btrfsd.service --root=/mnt
systemctl enable NetworkManager --root=/mnt
systemctl enable reflector.timer --root=/mnt
systemctl enable snapper-timeline.timer --root=/mnt
systemctl enable snapper-cleanup.timer --root=/mnt
systemctl enable systemd-oomd --root=/mnt
systemctl disable systemd-timesyncd --root=/mnt
if [ "${network_daemon}" = 'networkmanager' ]; then
systemctl enable NetworkManager --root=/mnt
else
systemctl enable systemd-networkd --root=/mnt
fi
if [ "${install_mode}" = 'desktop' ]; then
systemctl enable gdm --root=/mnt
fi
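Review bot: The invalid-selection arm of `network_daemon_prompt` (the `* )` case) calls `install_mode_selector` instead of re-running itself, so a mistyped answer re-asks the install-mode question and leaves `network_daemon` unset; every later `[ "${network_daemon}" = 'networkmanager' ]` test then evaluates false, which skips the `pacstrap /mnt networkmanager` step and enables `systemd-networkd` on a system that was meant to get NetworkManager. The fix is to replace the recursion target with `network_daemon_prompt` so the arm reads `* ) output 'You did not enter a valid selection.'` followed by `network_daemon_prompt`. Separately, the `luksAddKey` line hardcodes `/dev/disk/by-partlabel/rootfs` while the surrounding LUKS block already uses `"${cryptroot}"`; passing `"${cryptroot}"` there keeps the key-slot target defined in one place. The `systemd-networkd` branch enables the unit but, as far as this diff shows, installs no `.network` file and does not enable `systemd-resolved`, so a server install that picks option 2 may boot without configured networking — worth confirming against the parts of the script not in this diff.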