mirror of
https://github.com/tommytran732/Arch-Setup-Script
synced 2024-11-25 02:51:32 -05:00
Compare commits
7 Commits
8a0504c4d8
...
daf2664d08
Author | SHA1 | Date | |
---|---|---|---|
daf2664d08 | |||
6d0c3594d9 | |||
ce3d59b072 | |||
38ed7b9cb2 | |||
8351da101f | |||
e812fa7185 | |||
0128fd93b6 |
159
install.sh
159
install.sh
@ -22,6 +22,9 @@ unpriv(){
|
||||
sudo -u nobody "$@"
|
||||
}
|
||||
|
||||
# Check if this is a VM
|
||||
virtualization=$(systemd-detect-virt)
|
||||
|
||||
install_mode_selector() {
|
||||
output 'Is this a desktop or server installation?'
|
||||
output '1) Desktop'
|
||||
@ -38,7 +41,28 @@ install_mode_selector() {
|
||||
esac
|
||||
}
|
||||
|
||||
luks_prompt(){
|
||||
if [ "${virtualization}" != 'none' ]; then
|
||||
output "Virtual machine detected. Do you want to set up LUKS?"
|
||||
output '1) No'
|
||||
output '2) Yes'
|
||||
output 'Insert the number of your selection:'
|
||||
read -r choice
|
||||
case $choice in
|
||||
1 ) use_luks='0'
|
||||
;;
|
||||
2 ) use_luks='1'
|
||||
;;
|
||||
* ) output 'You did not enter a valid selection.'
|
||||
luks_prompt
|
||||
esac
|
||||
else
|
||||
use_luks='1'
|
||||
fi
|
||||
}
|
||||
|
||||
luks_password_prompt () {
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
output 'Enter your encryption password (the password will not be shown on the screen):'
|
||||
read -r -s luks_password
|
||||
|
||||
@ -53,6 +77,7 @@ luks_password_prompt () {
|
||||
output 'Passwords do not match, please try again.'
|
||||
luks_password_prompt
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
disk_prompt (){
|
||||
@ -107,6 +132,26 @@ hostname_prompt (){
|
||||
fi
|
||||
}
|
||||
|
||||
network_daemon_prompt(){
|
||||
if [ "${install_mode}" = 'server' ]; then
|
||||
output 'Which network daemon do you want to use'
|
||||
output '1) networkmanager'
|
||||
output '2) systemd-networkd'
|
||||
output 'Insert the number of your selection:'
|
||||
read -r choice
|
||||
case $choice in
|
||||
1 ) network_daemon='networkmanager'
|
||||
;;
|
||||
2 ) network_daemon='systemd-networkd'
|
||||
;;
|
||||
* ) output 'You did not enter a valid selection.'
|
||||
install_mode_selector
|
||||
esac
|
||||
else
|
||||
network_daemon='networkmanager'
|
||||
fi
|
||||
}
|
||||
|
||||
# Set hardcoded variables (temporary, these will be replaced by future prompts)
|
||||
locale=en_US
|
||||
kblayout=us
|
||||
@ -116,14 +161,13 @@ clear
|
||||
|
||||
# Initial prompts
|
||||
install_mode_selector
|
||||
luks_prompt
|
||||
luks_password_prompt
|
||||
disk_prompt
|
||||
username_prompt
|
||||
user_password_prompt
|
||||
hostname_prompt
|
||||
|
||||
# Check if this is a VM
|
||||
virtualization=$(systemd-detect-virt)
|
||||
network_daemon_prompt
|
||||
|
||||
# Installation
|
||||
|
||||
@ -143,10 +187,13 @@ parted -s "${disk}" \
|
||||
mklabel gpt \
|
||||
mkpart ESP fat32 1MiB 513MiB \
|
||||
set 1 esp on \
|
||||
mkpart cryptroot 513MiB 100%
|
||||
mkpart rootfs 513MiB 100%
|
||||
|
||||
ESP='/dev/disk/by-partlabel/ESP'
|
||||
cryptroot='/dev/disk/by-partlabel/cryptroot'
|
||||
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
cryptroot='/dev/disk/by-partlabel/rootfs'
|
||||
fi
|
||||
|
||||
## Informing the Kernel of the changes.
|
||||
output 'Informing the Kernel about the disk changes.'
|
||||
@ -157,13 +204,17 @@ output 'Formatting the EFI Partition as FAT32.'
|
||||
mkfs.fat -F 32 -s 2 "${ESP}" &>/dev/null
|
||||
|
||||
## Creating a LUKS Container for the root partition.
|
||||
output 'Creating LUKS Container for the root partition.'
|
||||
echo -n "${luks_password}" | cryptsetup luksFormat --pbkdf pbkdf2 ${cryptroot} -d - &>/dev/null
|
||||
echo -n "${luks_password}" | cryptsetup open ${cryptroot} cryptroot -d -
|
||||
BTRFS='/dev/mapper/cryptroot'
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
output 'Creating LUKS Container for the root partition.'
|
||||
echo -n "${luks_password}" | cryptsetup luksFormat --pbkdf pbkdf2 "${cryptroot}" -d - &>/dev/null
|
||||
echo -n "${luks_password}" | cryptsetup open "${cryptroot}" cryptroot -d -
|
||||
BTRFS='/dev/mapper/cryptroot'
|
||||
else
|
||||
BTRFS='/dev/disk/by-partlabel/rootfs'
|
||||
fi
|
||||
|
||||
## Formatting the LUKS Container as BTRFS.
|
||||
output 'Formatting the LUKS container as BTRFS.'
|
||||
## Formatting the partition as BTRFS.
|
||||
output 'Formatting the rootfs as BTRFS.'
|
||||
mkfs.btrfs "${BTRFS}" &>/dev/null
|
||||
mount "${BTRFS}" /mnt
|
||||
|
||||
@ -190,7 +241,10 @@ if [ "${install_mode}" = 'desktop' ]; then
|
||||
btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
|
||||
fi
|
||||
btrfs su cr /mnt/@/cryptkey &>/dev/null
|
||||
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
btrfs su cr /mnt/@/cryptkey &>/dev/null
|
||||
fi
|
||||
|
||||
## Disable CoW on subvols we are not taking snapshots of
|
||||
chattr +C /mnt/@/boot
|
||||
@ -209,7 +263,10 @@ if [ "${install_mode}" = 'desktop' ]; then
|
||||
chattr +C /mnt/@/var_lib_gdm
|
||||
chattr +C /mnt/@/var_lib_AccountsService
|
||||
fi
|
||||
chattr +C /mnt/@/cryptkey
|
||||
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
chattr +C /mnt/@/cryptkey
|
||||
fi
|
||||
|
||||
## Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
|
||||
btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt
|
||||
@ -230,10 +287,15 @@ chmod 600 /mnt/@/.snapshots/1/info.xml
|
||||
umount /mnt
|
||||
output 'Mounting the newly created subvolumes.'
|
||||
mount -o ssd,noatime,compress=zstd "${BTRFS}" /mnt
|
||||
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines,cryptkey}
|
||||
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines}
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
mkdir -p /mnt/{var/lib/gdm,var/lib/AccountsService}
|
||||
fi
|
||||
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
mkdir -p /mnt/cryptkey
|
||||
fi
|
||||
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,noexec,subvol=@/boot "${BTRFS}" /mnt/boot
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/root "${BTRFS}" /mnt/root
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/home "${BTRFS}" /mnt/home
|
||||
@ -260,7 +322,9 @@ if [ "${install_mode}" = 'desktop' ]; then
|
||||
fi
|
||||
|
||||
### The encryption is splitted as we do not want to include it in the backup with snap-pac.
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
|
||||
fi
|
||||
|
||||
mkdir -p /mnt/boot/efi
|
||||
mount -o nodev,nosuid,noexec "${ESP}" /mnt/boot/efi
|
||||
@ -281,7 +345,11 @@ output 'Installing the base system (it may take a while).'
|
||||
output "You may see an error when mkinitcpio tries to generate a new initramfs."
|
||||
output "It is okay. The script will regenerate the initramfs later in the installation process."
|
||||
|
||||
pacstrap /mnt apparmor base chrony efibootmgr firewalld grub grub-btrfs inotify-tools linux-firmware linux-hardened linux-lts "${microcode}" nano networkmanager reflector sbctl snapper sudo zram-generator
|
||||
pacstrap /mnt apparmor base chrony efibootmgr firewalld grub grub-btrfs inotify-tools linux-firmware linux-hardened linux-lts "${microcode}" nano reflector sbctl snapper sudo zram-generator
|
||||
|
||||
if [ "${network_daemon}" = 'networkmanager' ]; then
|
||||
pacstrap /mnt networkmanager
|
||||
fi
|
||||
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
pacstrap /mnt nautilus gdm gnome-console gnome-control-center flatpak pipewire-alsa pipewire-pulse pipewire-jack
|
||||
@ -329,10 +397,16 @@ echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
|
||||
output 'Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook.'
|
||||
sed -i 's/#COMPRESSION="zstd"/COMPRESSION="zstd"/g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i 's/^MODULES=.*/MODULES=(btrfs)/g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt)/g' /mnt/etc/mkinitcpio.conf
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt)/g' /mnt/etc/mkinitcpio.conf
|
||||
else
|
||||
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block)/g' /mnt/etc/mkinitcpio.conf
|
||||
fi
|
||||
|
||||
## Enable LUKS in GRUB and setting the UUID of the LUKS container.
|
||||
sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
|
||||
fi
|
||||
echo '' >> /mnt/etc/default/grub
|
||||
echo '# Booting with BTRFS subvolume
|
||||
GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub
|
||||
@ -345,15 +419,22 @@ sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
|
||||
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
|
||||
|
||||
## Kernel hardening
|
||||
UUID=$(blkid -s UUID -o value "${cryptroot}")
|
||||
sed -i "s#quiet#rd.luks.name=${UUID}=cryptroot root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
|
||||
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
UUID=$(blkid -s UUID -o value "${cryptroot}")
|
||||
sed -i "s#quiet#rd.luks.name=${UUID}=cryptroot root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
|
||||
else
|
||||
sed -i "s#quiet#root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
|
||||
fi
|
||||
|
||||
## Add keyfile to the initramfs to avoid double password.
|
||||
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
|
||||
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
|
||||
echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key -d -
|
||||
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i "s#module\.sig_enforce=1#module.sig_enforce=1 rd.luks.key=/cryptkey/.root.key#g" /mnt/etc/default/grub
|
||||
if [ "${use_luks}" = '1' ]; then
|
||||
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
|
||||
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
|
||||
echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/rootfs /mnt/cryptkey/.root.key -d -
|
||||
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i "s#module\.sig_enforce=1#module.sig_enforce=1 rd.luks.key=/cryptkey/.root.key#g" /mnt/etc/default/grub
|
||||
fi
|
||||
|
||||
## Continue kernel hardening
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
@ -399,6 +480,8 @@ fi
|
||||
# Setup dconf
|
||||
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
# This doesn't actually take effect atm - need to investigate
|
||||
|
||||
mkdir -p /mnt/etc/dconf/db/local.d/locks
|
||||
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | tee /mnt/etc/dconf/db/local.d/locks/automount-disable
|
||||
@ -417,12 +500,15 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
|
||||
|
||||
## Setup Networking
|
||||
|
||||
if [ "${install_mode}" = "desktop" ]; then
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | tee /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | tee /mnt/etc/NetworkManager/conf.d/01-transient-hostname.conf
|
||||
fi
|
||||
|
||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||
if [ "${network_daemon}" = 'networkmanager' ]; then
|
||||
mkdir -p /mnt/etc/systemd/system/NetworkManager.service.d/
|
||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||
fi
|
||||
|
||||
## Configuring the system.
|
||||
arch-chroot /mnt /bin/bash -e <<EOF
|
||||
@ -435,33 +521,33 @@ arch-chroot /mnt /bin/bash -e <<EOF
|
||||
hwclock --systohc
|
||||
|
||||
# Generating locales.my keys aren't even on
|
||||
output "Generating locales."
|
||||
echo "Generating locales."
|
||||
locale-gen
|
||||
|
||||
# Create SecureBoot keys. This isn't strictly necessary, but certain things like linux-hardened preset expects it and mkinitcpio will fail without it, sooo...
|
||||
sbctl create-keys
|
||||
|
||||
# Generating a new initramfs.
|
||||
output "Creating a new initramfs."
|
||||
echo "Creating a new initramfs."
|
||||
chmod 600 /boot/initramfs-linux*
|
||||
mkinitcpio -P
|
||||
|
||||
# Installing GRUB.
|
||||
output "Installing GRUB on /boot."
|
||||
echo "Installing GRUB on /boot."
|
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --disable-shim-lock
|
||||
|
||||
# Creating grub config file.
|
||||
output "Creating GRUB config file."
|
||||
echo "Creating GRUB config file."
|
||||
grub-mkconfig -o /boot/grub/grub.cfg
|
||||
|
||||
# Adding user with sudo privilege
|
||||
output "Adding $username with root privilege."
|
||||
echo "Adding $username with root privilege."
|
||||
useradd -m $username
|
||||
usermod -aG wheel $username
|
||||
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
# Setting up dconf
|
||||
output "Setting up dconf."
|
||||
echo "Setting up dconf."
|
||||
dconf update
|
||||
fi
|
||||
|
||||
@ -487,13 +573,18 @@ systemctl enable chronyd --root=/mnt
|
||||
systemctl enable firewalld --root=/mnt
|
||||
systemctl enable fstrim.timer --root=/mnt
|
||||
systemctl enable grub-btrfsd.service --root=/mnt
|
||||
systemctl enable NetworkManager --root=/mnt
|
||||
systemctl enable reflector.timer --root=/mnt
|
||||
systemctl enable snapper-timeline.timer --root=/mnt
|
||||
systemctl enable snapper-cleanup.timer --root=/mnt
|
||||
systemctl enable systemd-oomd --root=/mnt
|
||||
systemctl disable systemd-timesyncd --root=/mnt
|
||||
|
||||
if [ "${network_daemon}" = 'networkmanager' ]; then
|
||||
systemctl enable NetworkManager --root=/mnt
|
||||
else
|
||||
systemctl enable systemd-networkd --root=/mnt
|
||||
fi
|
||||
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
systemctl enable gdm --root=/mnt
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user