mirror of
https://github.com/tommytran732/Arch-Setup-Script
synced 2024-11-09 04:01:33 -05:00
Compare commits
18 Commits
91678b4f1e
...
eeeb6f0f03
Author | SHA1 | Date | |
---|---|---|---|
eeeb6f0f03 | |||
8f9bda05c0 | |||
541d48f9ea | |||
dcbae1fd2d | |||
c74b56a456 | |||
eefffc2d8b | |||
3e74eab90d | |||
8dac3b4346 | |||
33197000d4 | |||
ac1ba91ef2 | |||
3002feddd8 | |||
2ea12a051a | |||
cd0939fa64 | |||
13b27b4ca9 | |||
325f80455f | |||
8fb069f128 | |||
f72a957468 | |||
dcf1536d2a |
27
.github/ISSUE_TEMPLATE/bug_report.md
vendored
27
.github/ISSUE_TEMPLATE/bug_report.md
vendored
@ -1,27 +0,0 @@
|
||||
---
|
||||
name: Bug report
|
||||
about: Create a report to help us improve
|
||||
title: ''
|
||||
labels: ''
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Describe the bug**
|
||||
A clear and concise description of what the bug is.
|
||||
|
||||
**To Reproduce**
|
||||
Steps to reproduce the behavior:
|
||||
1. Go to '...'
|
||||
2. Click on '....'
|
||||
3. Scroll down to '....'
|
||||
4. See error
|
||||
|
||||
**Expected behavior**
|
||||
A clear and concise description of what you expected to happen.
|
||||
|
||||
**Screenshots**
|
||||
If applicable, add screenshots to help explain your problem.
|
||||
|
||||
**Additional context**
|
||||
Add any other context about the problem here.
|
463
desktop.sh
463
desktop.sh
@ -1,463 +0,0 @@
|
||||
#!/usr/bin/env -S bash -e
|
||||
|
||||
# Cleaning the TTY.
|
||||
clear
|
||||
|
||||
|
||||
# Selecting the kernel flavor to install.
|
||||
kernel_selector () {
|
||||
echo "List of kernels:"
|
||||
echo "1) Stable — Vanilla Linux kernel and modules, with a few patches applied."
|
||||
echo "2) Hardened — A security-focused Linux kernel."
|
||||
echo "3) Longterm — Long-term support (LTS) Linux kernel and modules."
|
||||
echo "4) Zen Kernel — Optimized for desktop usage."
|
||||
read -r -p "Insert the number of the corresponding kernel: " choice
|
||||
echo "$choice will be installed"
|
||||
case $choice in
|
||||
1 ) kernel=linux
|
||||
;;
|
||||
2 ) kernel=linux-hardened
|
||||
;;
|
||||
3 ) kernel=linux-lts
|
||||
;;
|
||||
4 ) kernel=linux-zen
|
||||
;;
|
||||
* ) echo "You did not enter a valid selection."
|
||||
kernel_selector
|
||||
esac
|
||||
}
|
||||
|
||||
|
||||
|
||||
## user input ##
|
||||
|
||||
# Selecting the target for the installation.
|
||||
PS3="Select the disk where Arch Linux is going to be installed: "
|
||||
select ENTRY in $(lsblk -dpnoNAME|grep -P "/dev/sd|nvme|vd");
|
||||
do
|
||||
DISK=$ENTRY
|
||||
echo "Installing Arch Linux on $DISK."
|
||||
break
|
||||
done
|
||||
|
||||
# Confirming the disk selection.
|
||||
read -r -p "This will delete the current partition table on $DISK. Do you agree [y/N]? " response
|
||||
response=${response,,}
|
||||
if [[ ! ("$response" =~ ^(yes|y)$) ]]; then
|
||||
echo "Quitting."
|
||||
exit
|
||||
fi
|
||||
|
||||
#select kernel
|
||||
kernel_selector
|
||||
|
||||
# Setting username.
|
||||
read -r -p "Please enter name for a user account (leave empty to skip): " username
|
||||
|
||||
# Setting password.
|
||||
if [[ -n $username ]]; then
|
||||
read -r -p "Please enter a password for the user account: " password
|
||||
fi
|
||||
|
||||
# Choose locales.
|
||||
read -r -p "Please insert the locale you use in this format (xx_XX): " locale
|
||||
|
||||
# Choose keyboard layout.
|
||||
read -r -p "Please insert the keyboard layout you use: " kblayout
|
||||
|
||||
|
||||
|
||||
|
||||
## installation ##
|
||||
|
||||
# Updating the live environment usually causes more problems than its worth, and quite often can't be done without remounting cowspace with more capacity, especially at the end of any given month.
|
||||
pacman -Sy
|
||||
|
||||
# Installing curl
|
||||
pacman -S --noconfirm curl
|
||||
|
||||
# formatting the disk
|
||||
wipefs -af "$DISK" &>/dev/null
|
||||
sgdisk -Zo "$DISK" &>/dev/null
|
||||
|
||||
# Checking the microcode to install.
|
||||
CPU=$(grep vendor_id /proc/cpuinfo)
|
||||
if [[ $CPU == *"AuthenticAMD"* ]]; then
|
||||
microcode=amd-ucode
|
||||
else
|
||||
microcode=intel-ucode
|
||||
fi
|
||||
|
||||
# Creating a new partition scheme.
|
||||
echo "Creating new partition scheme on $DISK."
|
||||
parted -s "$DISK" \
|
||||
mklabel gpt \
|
||||
mkpart ESP fat32 1MiB 128MiB \
|
||||
set 1 esp on \
|
||||
mkpart cryptroot 128MiB 100% \
|
||||
|
||||
sleep 0.1
|
||||
ESP="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep ESP| cut -d " " -f1 | cut -c7-)"
|
||||
cryptroot="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep cryptroot | cut -d " " -f1 | cut -c7-)"
|
||||
|
||||
# Informing the Kernel of the changes.
|
||||
echo "Informing the Kernel about the disk changes."
|
||||
partprobe "$DISK"
|
||||
|
||||
# Formatting the ESP as FAT32.
|
||||
echo "Formatting the EFI Partition as FAT32."
|
||||
mkfs.fat -F 32 -s 2 $ESP &>/dev/null
|
||||
|
||||
# Creating a LUKS Container for the root partition.
|
||||
echo "Creating LUKS Container for the root partition."
|
||||
cryptsetup luksFormat --type luks1 $cryptroot
|
||||
echo "Opening the newly created LUKS Container."
|
||||
cryptsetup open $cryptroot cryptroot
|
||||
BTRFS="/dev/mapper/cryptroot"
|
||||
|
||||
# Formatting the LUKS Container as BTRFS.
|
||||
echo "Formatting the LUKS container as BTRFS."
|
||||
mkfs.btrfs $BTRFS &>/dev/null
|
||||
mount -o clear_cache,nospace_cache $BTRFS /mnt
|
||||
|
||||
# Creating BTRFS subvolumes.
|
||||
echo "Creating BTRFS subvolumes."
|
||||
btrfs su cr /mnt/@ &>/dev/null
|
||||
btrfs su cr /mnt/@/.snapshots &>/dev/null
|
||||
mkdir -p /mnt/@/.snapshots/1 &>/dev/null
|
||||
btrfs su cr /mnt/@/.snapshots/1/snapshot &>/dev/null
|
||||
btrfs su cr /mnt/@/boot/ &>/dev/null
|
||||
btrfs su cr /mnt/@/home &>/dev/null
|
||||
btrfs su cr /mnt/@/root &>/dev/null
|
||||
btrfs su cr /mnt/@/srv &>/dev/null
|
||||
btrfs su cr /mnt/@/var_log &>/dev/null
|
||||
btrfs su cr /mnt/@/var_log_journal &>/dev/null
|
||||
btrfs su cr /mnt/@/var_crash &>/dev/null
|
||||
btrfs su cr /mnt/@/var_cache &>/dev/null
|
||||
btrfs su cr /mnt/@/var_tmp &>/dev/null
|
||||
btrfs su cr /mnt/@/var_spool &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_libvirt_images &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_machines &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
|
||||
btrfs su cr /mnt/@/cryptkey &>/dev/null
|
||||
|
||||
chattr +C /mnt/@/boot
|
||||
chattr +C /mnt/@/srv
|
||||
chattr +C /mnt/@/var_log
|
||||
chattr +C /mnt/@/var_log_journal
|
||||
chattr +C /mnt/@/var_crash
|
||||
chattr +C /mnt/@/var_cache
|
||||
chattr +C /mnt/@/var_tmp
|
||||
chattr +C /mnt/@/var_spool
|
||||
chattr +C /mnt/@/var_lib_libvirt_images
|
||||
chattr +C /mnt/@/var_lib_machines
|
||||
chattr +C /mnt/@/var_lib_gdm
|
||||
chattr +C /mnt/@/var_lib_AccountsService
|
||||
chattr +C /mnt/@/cryptkey
|
||||
|
||||
#Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
|
||||
btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt
|
||||
|
||||
cat << EOF >> /mnt/@/.snapshots/1/info.xml
|
||||
<?xml version="1.0"?>
|
||||
<snapshot>
|
||||
<type>single</type>
|
||||
<num>1</num>
|
||||
<date>1999-03-31 0:00:00</date>
|
||||
<description>First Root Filesystem</description>
|
||||
<cleanup>number</cleanup>
|
||||
</snapshot>
|
||||
EOF
|
||||
|
||||
chmod 600 /mnt/@/.snapshots/1/info.xml
|
||||
|
||||
# Mounting the newly created subvolumes.
|
||||
umount /mnt
|
||||
echo "Mounting the newly created subvolumes."
|
||||
mount -o ssd,noatime,space_cache,compress=zstd:15 $BTRFS /mnt
|
||||
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey}
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,noexec,subvol=@/boot $BTRFS /mnt/boot
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/root $BTRFS /mnt/root
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/home $BTRFS /mnt/home
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/.snapshots $BTRFS /mnt/.snapshots
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/srv $BTRFS /mnt/srv
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_log $BTRFS /mnt/var/log
|
||||
|
||||
# Toolbox (https://github.com/containers/toolbox) needs /var/log/journal to have dev, suid, and exec, Thus I am splitting the subvolume. Need to make the directory after /mnt/var/log/ has been mounted.
|
||||
mkdir -p /mnt/var/log/journal
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,subvol=@/var_log_journal $BTRFS /mnt/var/log/journal
|
||||
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_crash $BTRFS /mnt/var/crash
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_cache $BTRFS /mnt/var/cache
|
||||
|
||||
# Pamac needs /var/tmp to have exec. Thus I am not adding that flag.
|
||||
# I am considering including pacmac-flatpak-gnome AUR package by default, since I am its maintainer.
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,subvol=@/var_tmp $BTRFS /mnt/var/tmp
|
||||
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_spool $BTRFS /mnt/var/spool
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_libvirt_images $BTRFS /mnt/var/lib/libvirt/images
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_machines $BTRFS /mnt/var/lib/machines
|
||||
|
||||
# GNOME requires /var/lib/gdm and /var/lib/AccountsService to be writeable when booting into a readonly snapshot. Thus we sadly have to split them.
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_gdm $BTRFS /mnt/var/lib/gdm
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_AccountsService $BTRFS /mnt/var/lib/AccountsService
|
||||
|
||||
# The encryption is splitted as we do not want to include it in the backup with snap-pac.
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey $BTRFS /mnt/cryptkey
|
||||
|
||||
mkdir -p /mnt/boot/efi
|
||||
mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi
|
||||
|
||||
|
||||
# Pacstrap (setting up a base sytem onto the new root).
|
||||
echo "Installing the base system (it may take a while)."
|
||||
pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor python-psutil python-notify2 nano gdm gnome-control-center gnome-terminal gnome-tweaks nautilus pipewire-pulse pipewire-alsa pipewire-jack flatpak firewalld zram-generator adobe-source-han-sans-otc-fonts adobe-source-han-serif-otc-fonts gnu-free-fonts reflector mlocate man-db chrony sbctl
|
||||
|
||||
# Routing jack2 through PipeWire.
|
||||
echo "/usr/lib/pipewire-0.3/jack" > /mnt/etc/ld.so.conf.d/pipewire-jack.conf
|
||||
|
||||
# Generating /etc/fstab.
|
||||
echo "Generating a new fstab."
|
||||
genfstab -U /mnt >> /mnt/etc/fstab
|
||||
sed -i 's#,subvolid=258,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot##g' /mnt/etc/fstab
|
||||
|
||||
# Setting hostname.
|
||||
read -r -p "Please enter the hostname: " hostname
|
||||
echo "$hostname" > /mnt/etc/hostname
|
||||
|
||||
# Setting hosts file.
|
||||
echo "Setting hosts file."
|
||||
cat > /mnt/etc/hosts <<EOF
|
||||
127.0.0.1 localhost
|
||||
::1 localhost
|
||||
127.0.1.1 $hostname.localdomain $hostname
|
||||
EOF
|
||||
|
||||
# Setting up locales.
|
||||
echo "$locale.UTF-8 UTF-8" > /mnt/etc/locale.gen
|
||||
echo "LANG=$locale.UTF-8" > /mnt/etc/locale.conf
|
||||
|
||||
# Setting up keyboard layout.
|
||||
read -r -p "Please insert the keyboard layout you use: " kblayout
|
||||
echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
|
||||
|
||||
# Configuring /etc/mkinitcpio.conf
|
||||
echo "Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook."
|
||||
sed -i 's,#COMPRESSION="zstd",COMPRESSION="zstd",g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i 's,modconf block filesystems keyboard,keyboard modconf block encrypt filesystems,g' /mnt/etc/mkinitcpio.conf
|
||||
|
||||
# Enabling LUKS in GRUB and setting the UUID of the LUKS container.
|
||||
UUID=$(blkid $cryptroot | cut -f2 -d'"')
|
||||
sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub
|
||||
echo "" >> /mnt/etc/default/grub
|
||||
echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" -o /mnt/etc/default/grub
|
||||
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux
|
||||
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen
|
||||
|
||||
# Enabling CPU Mitigations
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg -o /mnt/etc/grub.d/40_cpu_mitigations.cfg
|
||||
|
||||
# Distrusting the CPU
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg -o /mnt/etc/grub.d/40_distrust_cpu.cfg
|
||||
|
||||
# Enabling IOMMU
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg -o /mnt/etc/grub.d/40_enable_iommu.cfg
|
||||
|
||||
# Enabling NTS
|
||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /mnt/etc/chrony.conf
|
||||
|
||||
# Setting GRUB configuration file permissions
|
||||
chmod 755 /mnt/etc/grub.d/*
|
||||
|
||||
# Adding keyfile to the initramfs to avoid double password.
|
||||
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
|
||||
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
|
||||
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key
|
||||
sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=landlock,lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
|
||||
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
||||
|
||||
# Configure AppArmor Parser caching
|
||||
sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf
|
||||
sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf
|
||||
|
||||
# Blacklisting kernel modules
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
chmod 600 /mnt/etc/modprobe.d/*
|
||||
|
||||
# Security kernel settings.
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
chmod 600 /mnt/etc/sysctl.d/*
|
||||
|
||||
# Remove nullok from system-auth
|
||||
sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth
|
||||
|
||||
# Disable coredump
|
||||
echo "* hard core 0" >> /mnt/etc/security/limits.conf
|
||||
|
||||
# Disable su for non-wheel users
|
||||
bash -c 'cat > /mnt/etc/pam.d/su' <<-'EOF'
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
# Uncomment the following line to implicitly trust users in the "wheel" group.
|
||||
#auth sufficient pam_wheel.so trust use_uid
|
||||
# Uncomment the following line to require a user to be in the "wheel" group.
|
||||
auth required pam_wheel.so use_uid
|
||||
auth required pam_unix.so
|
||||
account required pam_unix.so
|
||||
session required pam_unix.so
|
||||
EOF
|
||||
|
||||
# ZRAM configuration
|
||||
bash -c 'cat > /mnt/etc/systemd/zram-generator.conf' <<-'EOF'
|
||||
[zram0]
|
||||
zram-fraction = 1
|
||||
max-zram-size = 8192
|
||||
EOF
|
||||
|
||||
# Randomize Mac Address.
|
||||
bash -c 'cat > /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
|
||||
[device]
|
||||
wifi.scan-rand-mac-address=yes
|
||||
[connection]
|
||||
wifi.cloned-mac-address=random
|
||||
ethernet.cloned-mac-address=random
|
||||
connection.stable-id=${CONNECTION}/${BOOT}
|
||||
EOF
|
||||
|
||||
chmod 600 /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||
|
||||
# Enable IPv6 privacy extensions
|
||||
bash -c 'cat > /mnt/etc/NetworkManager/conf.d/ip6-privacy.conf' <<-'EOF'
|
||||
[connection]
|
||||
ipv6.ip6-privacy=2
|
||||
EOF
|
||||
|
||||
chmod 600 /mnt/etc/NetworkManager/conf.d/ip6-privacy.conf
|
||||
|
||||
# Configuring the system.
|
||||
arch-chroot /mnt /bin/bash -e <<EOF
|
||||
|
||||
# Setting up timezone.
|
||||
ln -sf /usr/share/zoneinfo/$(curl -s http://ip-api.com/line?fields=timezone) /etc/localtime &>/dev/null
|
||||
|
||||
# Setting up clock.
|
||||
hwclock --systohc
|
||||
|
||||
# Generating locales.my keys aren't even on
|
||||
echo "Generating locales."
|
||||
locale-gen &>/dev/null
|
||||
|
||||
# Generating a new initramfs.
|
||||
echo "Creating a new initramfs."
|
||||
chmod 600 /boot/initramfs-linux* &>/dev/null
|
||||
mkinitcpio -P &>/dev/null
|
||||
|
||||
# Snapper configuration
|
||||
umount /.snapshots
|
||||
rm -r /.snapshots
|
||||
snapper --no-dbus -c root create-config /
|
||||
btrfs subvolume delete /.snapshots
|
||||
mkdir /.snapshots
|
||||
mount -a
|
||||
chmod 750 /.snapshots
|
||||
|
||||
# Installing GRUB.
|
||||
echo "Installing GRUB on /boot."
|
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock &>/dev/null
|
||||
|
||||
# Creating grub config file.
|
||||
echo "Creating GRUB config file."
|
||||
grub-mkconfig -o /boot/grub/grub.cfg &>/dev/null
|
||||
|
||||
# Adding user with sudo privilege
|
||||
if [ -n "$username" ]; then
|
||||
echo "Adding $username with root privilege."
|
||||
useradd -m $username
|
||||
usermod -aG wheel $username
|
||||
|
||||
groupadd -r audit
|
||||
gpasswd -a $username audit
|
||||
fi
|
||||
EOF
|
||||
|
||||
# Enable AppArmor notifications
|
||||
# Must create ~/.config/autostart first
|
||||
mkdir -p -m 700 /mnt/home/${username}/.config/autostart/
|
||||
bash -c "cat > /mnt/home/${username}/.config/autostart/apparmor-notify.desktop" <<-'EOF'
|
||||
[Desktop Entry]
|
||||
Type=Application
|
||||
Name=AppArmor Notify
|
||||
Comment=Receive on screen notifications of AppArmor denials
|
||||
TryExec=aa-notify
|
||||
Exec=aa-notify -p -s 1 -w 60 -f /var/log/audit/audit.log
|
||||
StartupNotify=false
|
||||
NoDisplay=true
|
||||
EOF
|
||||
chmod 700 /mnt/home/${username}/.config/autostart/apparmor-notify.desktop
|
||||
arch-chroot /mnt chown -R $username:$username /home/${username}/.config
|
||||
|
||||
# Setting user password.
|
||||
[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${password}\n${password}" | arch-chroot /mnt passwd "$username" &>/dev/null
|
||||
|
||||
# Giving wheel user sudo access.
|
||||
sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers
|
||||
|
||||
# Change audit logging group
|
||||
echo "log_group = audit" >> /mnt/etc/audit/auditd.conf
|
||||
|
||||
# Enabling audit service.
|
||||
systemctl enable auditd --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling auto-trimming service.
|
||||
systemctl enable fstrim.timer --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling NetworkManager.
|
||||
systemctl enable NetworkManager --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling GDM.
|
||||
systemctl enable gdm --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling AppArmor.
|
||||
echo "Enabling AppArmor."
|
||||
systemctl enable apparmor --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling Firewalld.
|
||||
echo "Enabling Firewalld."
|
||||
systemctl enable firewalld --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling Bluetooth Service (This is only to fix the visual glitch with gnome where it gets stuck in the menu at the top right).
|
||||
# IF YOU WANT TO USE BLUETOOTH, YOU MUST REMOVE IT FROM THE LIST OF BLACKLISTED KERNEL MODULES IN /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
systemctl enable bluetooth --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling Reflector timer.
|
||||
echo "Enabling Reflector."
|
||||
systemctl enable reflector.timer --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling systemd-oomd.
|
||||
echo "Enabling systemd-oomd."
|
||||
systemctl enable systemd-oomd --root=/mnt &>/dev/null
|
||||
|
||||
# Disabling systemd-timesyncd
|
||||
systemctl disable systemd-timesyncd --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling chronyd
|
||||
systemctl enable chronyd --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling Snapper automatic snapshots.
|
||||
echo "Enabling Snapper and automatic snapshots entries."
|
||||
systemctl enable snapper-timeline.timer --root=/mnt &>/dev/null
|
||||
systemctl enable snapper-cleanup.timer --root=/mnt &>/dev/null
|
||||
systemctl enable grub-btrfs.path --root=/mnt &>/dev/null
|
||||
|
||||
# Setting umask to 077.
|
||||
sed -i 's/022/077/g' /mnt/etc/profile
|
||||
echo "" >> /mnt/etc/bash.bashrc
|
||||
echo "umask 077" >> /mnt/etc/bash.bashrc
|
||||
|
||||
# Finishing up
|
||||
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
|
||||
exit
|
454
install.sh
Normal file
454
install.sh
Normal file
@ -0,0 +1,454 @@
|
||||
#!/bin/bash
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2021-2024 Thien Tran, Tommaso Chiti
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
output(){
|
||||
echo -e '\e[36m'"$1"'\e[0m';
|
||||
}
|
||||
|
||||
unpriv(){
|
||||
sudo -u nobody "$@"
|
||||
}
|
||||
|
||||
install_mode_selector() {
|
||||
output 'Is this a desktop or server installation?'
|
||||
output '1) Desktop'
|
||||
output '2) Server'
|
||||
output 'Insert the number of your selection:'
|
||||
read -r choice
|
||||
case $choice in
|
||||
1 ) install_mode=desktop
|
||||
;;
|
||||
2 ) install_mode=server
|
||||
;;
|
||||
* ) output 'You did not enter a valid selection.'
|
||||
install_mode_selector
|
||||
esac
|
||||
}
|
||||
|
||||
# Selecting the kernel flavor to install.
|
||||
kernel_selector () {
|
||||
output 'List of kernels:'
|
||||
output '1) Stable — Vanilla Linux kernel and modules, with a few patches applied.'
|
||||
output '2) Hardened — A security-focused Linux kernel.'
|
||||
output '3) Longterm — Long-term support (LTS) Linux kernel and modules.'
|
||||
output '4) Zen Kernel — Optimized for desktop usage.'
|
||||
output 'Insert the number of your selection:'
|
||||
read -r choice
|
||||
case $choice in
|
||||
1 ) kernel=linux
|
||||
;;
|
||||
2 ) kernel=linux-hardened
|
||||
;;
|
||||
3 ) kernel=linux-lts
|
||||
;;
|
||||
4 ) kernel=linux-zen
|
||||
;;
|
||||
* ) output 'You did not enter a valid selection.'
|
||||
kernel_selector
|
||||
esac
|
||||
}
|
||||
|
||||
luks_password_prompt () {
|
||||
output 'Enter your encryption password (the password will not be shown on the screen):'
|
||||
read -r -s luks_password
|
||||
|
||||
if [ -z "${luks_password}" ]; then
|
||||
output 'You need to enter a password.'
|
||||
luks_password_prompt
|
||||
fi
|
||||
|
||||
output 'Confirm your encryption password (the password will not be shown on the screen):'
|
||||
read -r -s luks_password2
|
||||
if [ "${luks_password}" != "${luks_password2}" ]; then
|
||||
output 'Passwords do not match, please try again.'
|
||||
luks_password_prompt
|
||||
fi
|
||||
}
|
||||
|
||||
disk_prompt (){
|
||||
lsblk
|
||||
output 'Please select the number of the corresponding disk (e.g. 1):'
|
||||
select entry in $(lsblk -dpnoNAME|grep -P "/dev/sd|nvme|vd");
|
||||
do
|
||||
disk="${entry}"
|
||||
output "Arch Linux will be installed on the following disk: ${disk}"
|
||||
break
|
||||
done
|
||||
}
|
||||
|
||||
username_prompt (){
|
||||
output 'Enter your username:'
|
||||
read -r username
|
||||
|
||||
if [ -z "${username}" ]; then
|
||||
output 'You need to enter a username.'
|
||||
username_prompt
|
||||
fi
|
||||
}
|
||||
|
||||
user_password_prompt () {
|
||||
output 'Enter your user password (the password will not be shown on the screen):'
|
||||
read -r -s user_password
|
||||
|
||||
if [ -z "${user_password}" ]; then
|
||||
output 'You need to enter a password.'
|
||||
user_password_prompt
|
||||
fi
|
||||
|
||||
output 'Confirm your user password (the password will not be shown on the screen):'
|
||||
read -r -s user_password2
|
||||
if [ "${user_password}" != "${user_password2}" ]; then
|
||||
output 'Passwords do not match, please try again.'
|
||||
user_password_prompt
|
||||
fi
|
||||
}
|
||||
|
||||
hostname_prompt (){
|
||||
output 'Enter your hostname:'
|
||||
read -r hostname
|
||||
|
||||
if [ -z "${hostname}" ]; then
|
||||
output 'You need to enter a hostname.'
|
||||
hostname_prompt
|
||||
fi
|
||||
}
|
||||
|
||||
# Set hardcoded variables (temporary, these will be replaced by future prompts)
|
||||
locale=en_US
|
||||
kblayout=us
|
||||
|
||||
# Cleaning the TTY.
|
||||
clear
|
||||
|
||||
# Initial prompts
|
||||
install_mode_selector
|
||||
kernel_selector
|
||||
luks_password_prompt
|
||||
disk_prompt
|
||||
username_prompt
|
||||
user_password_prompt
|
||||
hostname_prompt
|
||||
|
||||
# Check if this is a VM
|
||||
virtualization=$(systemd-detect-virt)
|
||||
|
||||
# Installation
|
||||
|
||||
## Updating the live environment usually causes more problems than its worth, and quite often can't be done without remounting cowspace with more capacity, especially at the end of any given month.
|
||||
pacman -Sy
|
||||
|
||||
## Installing curl
|
||||
pacman -S --noconfirm curl
|
||||
|
||||
## Formatting the disk
|
||||
wipefs -af "${disk}" &>/dev/null
|
||||
sgdisk -Zo "${disk}" &>/dev/null
|
||||
|
||||
## Creating a new partition scheme.
|
||||
output "Creating new partition scheme on ${disk}."
|
||||
parted -s "${disk}" \
|
||||
mklabel gpt \
|
||||
mkpart ESP fat32 1MiB 513MiB \
|
||||
set 1 esp on \
|
||||
mkpart cryptroot 513MiB 100%
|
||||
|
||||
ESP='/dev/disk/by-partlabel/ESP'
|
||||
cryptroot='/dev/disk/by-partlabel/cryptroot'
|
||||
|
||||
## Informing the Kernel of the changes.
|
||||
output 'Informing the Kernel about the disk changes.'
|
||||
partprobe "${disk}"
|
||||
|
||||
## Formatting the ESP as FAT32.
|
||||
output 'Formatting the EFI Partition as FAT32.'
|
||||
mkfs.fat -F 32 -s 2 "${ESP}" &>/dev/null
|
||||
|
||||
## Creating a LUKS Container for the root partition.
|
||||
output 'Creating LUKS Container for the root partition.'
|
||||
echo -n "${luks_password}" | cryptsetup luksFormat --type luks1 ${cryptroot} -d - &>/dev/null
|
||||
echo -n "${luks_password}" | cryptsetup open ${cryptroot} cryptroot -d -
|
||||
BTRFS='/dev/mapper/cryptroot'
|
||||
|
||||
## Formatting the LUKS Container as BTRFS.
|
||||
output 'Formatting the LUKS container as BTRFS.'
|
||||
mkfs.btrfs "${BTRFS}" &>/dev/null
|
||||
mount "${BTRFS}" /mnt
|
||||
|
||||
## Creating BTRFS subvolumes.
|
||||
output 'Creating BTRFS subvolumes.'
|
||||
|
||||
btrfs su cr /mnt/@ &>/dev/null
|
||||
btrfs su cr /mnt/@/.snapshots &>/dev/null
|
||||
mkdir -p /mnt/@/.snapshots/1 &>/dev/null
|
||||
btrfs su cr /mnt/@/.snapshots/1/snapshot &>/dev/null
|
||||
btrfs su cr /mnt/@/boot/ &>/dev/null
|
||||
btrfs su cr /mnt/@/home &>/dev/null
|
||||
btrfs su cr /mnt/@/root &>/dev/null
|
||||
btrfs su cr /mnt/@/srv &>/dev/null
|
||||
btrfs su cr /mnt/@/var_log &>/dev/null
|
||||
btrfs su cr /mnt/@/var_log_journal &>/dev/null
|
||||
btrfs su cr /mnt/@/var_crash &>/dev/null
|
||||
btrfs su cr /mnt/@/var_cache &>/dev/null
|
||||
btrfs su cr /mnt/@/var_tmp &>/dev/null
|
||||
btrfs su cr /mnt/@/var_spool &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_libvirt_images &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_machines &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
|
||||
btrfs su cr /mnt/@/cryptkey &>/dev/null
|
||||
|
||||
## Disable CoW on subvols we are not taking snapshots of
|
||||
chattr +C /mnt/@/boot
|
||||
chattr +C /mnt/@/home
|
||||
chattr +C /mnt/@/root
|
||||
chattr +C /mnt/@/srv
|
||||
chattr +C /mnt/@/var_log
|
||||
chattr +C /mnt/@/var_log_journal
|
||||
chattr +C /mnt/@/var_crash
|
||||
chattr +C /mnt/@/var_cache
|
||||
chattr +C /mnt/@/var_tmp
|
||||
chattr +C /mnt/@/var_spool
|
||||
chattr +C /mnt/@/var_lib_libvirt_images
|
||||
chattr +C /mnt/@/var_lib_machines
|
||||
chattr +C /mnt/@/var_lib_gdm
|
||||
chattr +C /mnt/@/var_lib_AccountsService
|
||||
chattr +C /mnt/@/cryptkey
|
||||
|
||||
## Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
|
||||
btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt
|
||||
|
||||
## Temporarily hardcode the date here, will make it work with proper date later.
|
||||
echo '<?xml version="1.0"?>
|
||||
<snapshot>
|
||||
<type>single</type>
|
||||
<num>1</num>
|
||||
<date>1999-03-31 0:00:00</date>
|
||||
<description>First Root Filesystem</description>
|
||||
<cleanup>number</cleanup>
|
||||
</snapshot>' > /mnt/@/.snapshots/1/info.xml
|
||||
|
||||
chmod 600 /mnt/@/.snapshots/1/info.xml
|
||||
|
||||
## Mounting the newly created subvolumes.
|
||||
umount /mnt
|
||||
output 'Mounting the newly created subvolumes.'
|
||||
mount -o ssd,noatime,compress=zstd "${BTRFS}" /mnt
|
||||
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey}
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,noexec,subvol=@/boot "${BTRFS}" /mnt/boot
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/root "${BTRFS}" /mnt/root
|
||||
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/home "${BTRFS}" /mnt/home
|
||||
mount -o ssd,noatime,compress=zstd,subvol=@/.snapshots "${BTRFS}" /mnt/.snapshots
|
||||
mount -o ssd,noatime,compress=zstd,subvol=@/srv "${BTRFS}" /mnt/srv
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_log "${BTRFS}" /mnt/var/log
|
||||
|
||||
### Toolbox (https://github.com/containers/toolbox) needs /var/log/journal to have dev, suid, and exec, Thus I am splitting the subvolume. Need to make the directory after /mnt/var/log/ has been mounted.
|
||||
mkdir -p /mnt/var/log/journal
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,subvol=@/var_log_journal "${BTRFS}" /mnt/var/log/journal
|
||||
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_crash "${BTRFS}" /mnt/var/crash
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_cache "${BTRFS}" /mnt/var/cache
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_tmp "${BTRFS}" /mnt/var/tmp
|
||||
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_spool "${BTRFS}" /mnt/var/spool
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_libvirt_images "${BTRFS}" /mnt/var/lib/libvirt/images
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_machines "${BTRFS}" /mnt/var/lib/machines
|
||||
|
||||
### The encryption is splitted as we do not want to include it in the backup with snap-pac.
|
||||
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
|
||||
|
||||
mkdir -p /mnt/boot/efi
|
||||
mount -o nodev,nosuid,noexec "${ESP}" /mnt/boot/efi
|
||||
|
||||
## Check the microcode to install.
|
||||
if [ "${virtualization}" = 'none' ]; then
|
||||
CPU=$(grep vendor_id /proc/cpuinfo)
|
||||
if [[ "${CPU}" == *"AuthenticAMD"* ]]; then
|
||||
microcode=amd-ucode
|
||||
else
|
||||
microcode=intel-ucode
|
||||
fi
|
||||
fi
|
||||
|
||||
## Pacstrap
|
||||
output 'Installing the base system (it may take a while).'
|
||||
if [ "${install_mode}" = 'desktop' ]; then
|
||||
pacstrap /mnt base ${kernel} ${microcode} apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator nautilus gdm gnome-console gnome-control-center pipewire-alsa pipewire-pulse pipewire-jack
|
||||
elif [ "${install_mode}" = 'server' ]; then
|
||||
pacstrap /mnt base ${kernel} ${microcode} apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator openssh
|
||||
fi
|
||||
|
||||
if [ "${virtualization}" = 'none' ]; then
|
||||
pacstrap /mnt sbctl fwupd
|
||||
echo 'UriSchemes=file;https' | sudo tee -a /mnt/etc/fwupd/fwupd.conf
|
||||
fi
|
||||
|
||||
pacstrap /mnt snap-pac
|
||||
|
||||
## Generate /etc/fstab.
|
||||
output 'Generating a new fstab.'
|
||||
genfstab -U /mnt >> /mnt/etc/fstab
|
||||
sed -i 's#,subvolid=258,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot##g' /mnt/etc/fstab
|
||||
|
||||
output 'Setting up hostname, locale and keyboard layout'
|
||||
|
||||
## Set hostname.
|
||||
echo "$hostname" > /mnt/etc/hostname
|
||||
|
||||
## Setting hosts file.
|
||||
echo 'Setting hosts file.'
|
||||
echo "127.0.0.1 localhost
|
||||
::1 localhost
|
||||
127.0.1.1 $hostname.localdomain $hostname" > /mnt/etc/hosts
|
||||
|
||||
## Setup locales.
|
||||
echo "$locale.UTF-8 UTF-8" > /mnt/etc/locale.gen
|
||||
echo "LANG=$locale.UTF-8" > /mnt/etc/locale.conf
|
||||
|
||||
## Setup keyboard layout.
|
||||
echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
|
||||
|
||||
## Configure /etc/mkinitcpio.conf
|
||||
output 'Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook.'
|
||||
sed -i 's/#COMPRESSION="zstd"/COMPRESSION="zstd"/g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems)/g' /mnt/etc/mkinitcpio.conf
|
||||
|
||||
## Enable LUKS in GRUB and setting the UUID of the LUKS container.
|
||||
sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
|
||||
echo '' >> /mnt/etc/default/grub
|
||||
echo '# Booting with BTRFS subvolume
|
||||
GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub
|
||||
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
|
||||
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
|
||||
|
||||
## Kernel hardening
|
||||
UUID=$(blkid -s UUID -o value "${cryptroot}")
|
||||
sed -i "s#quiet#rd.luks.name=${UUID}=cryptroot root=${BTRFS} mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
|
||||
|
||||
## Add keyfile to the initramfs to avoid double password.
|
||||
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
|
||||
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
|
||||
echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key -d -
|
||||
sed -i "s#module.sig_enforce=1#module.sig_enforce=1 cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
|
||||
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
||||
|
||||
## Continue kernel hardening
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
sed -i 's/kernel.yama.ptrace_scope.*/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf | tee /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf | tee /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
|
||||
## Setup NTS
|
||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | tee /mnt/etc/chrony.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | tee /etc/sysconfig/chronyd
|
||||
|
||||
## Remove nullok from system-auth
|
||||
sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth
|
||||
|
||||
## Disable coredump
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | tee /mnt/etc/security/limits.d/30-disable-coredump.conf
|
||||
|
||||
## ZRAM configuration
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf | tee /mnt/etc/systemd/zram-generator.conf
|
||||
|
||||
## Setup Networking
|
||||
|
||||
if [ "${install_mode}" = "desktop" ]; then
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | tee /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | tee /mnt/etc/NetworkManager/conf.d/01-transient-hostname.conf
|
||||
fi
|
||||
|
||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||
|
||||
## Configuring the system.
|
||||
arch-chroot /mnt /bin/bash -e <<EOF
|
||||
|
||||
# Setting up timezone.
|
||||
# Temporarily hardcoding here
|
||||
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime &>/dev/null
|
||||
|
||||
# Setting up clock.
|
||||
hwclock --systohc
|
||||
|
||||
# Generating locales.my keys aren't even on
|
||||
echo "Generating locales."
|
||||
locale-gen &>/dev/null
|
||||
|
||||
# Generating a new initramfs.
|
||||
echo "Creating a new initramfs."
|
||||
chmod 600 /boot/initramfs-linux* &>/dev/null
|
||||
mkinitcpio -P &>/dev/null
|
||||
|
||||
# Installing GRUB.
|
||||
echo "Installing GRUB on /boot."
|
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock &>/dev/null
|
||||
|
||||
# Creating grub config file.
|
||||
echo "Creating GRUB config file."
|
||||
grub-mkconfig -o /boot/grub/grub.cfg &>/dev/null
|
||||
|
||||
# Adding user with sudo privilege
|
||||
if [ -n "$username" ]; then
|
||||
echo "Adding $username with root privilege."
|
||||
useradd -m $username
|
||||
usermod -aG wheel $username
|
||||
fi
|
||||
|
||||
# Snapper configuration
|
||||
umount /.snapshots
|
||||
rm -r /.snapshots
|
||||
snapper --no-dbus -c root create-config /
|
||||
btrfs subvolume delete /.snapshots
|
||||
mkdir /.snapshots
|
||||
mount -a
|
||||
chmod 750 /.snapshots
|
||||
EOF
|
||||
|
||||
## Set user password.
|
||||
[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${user_password}\n${user_password}" | arch-chroot /mnt passwd "$username" &>/dev/null
|
||||
|
||||
## Give wheel user sudo access.
|
||||
sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers
|
||||
|
||||
## Enabling openssh server
|
||||
if [ "${install_mode}" = 'server' ]; then
|
||||
systemctl enable sshd --root=/mnt &>/dev/null
|
||||
fi
|
||||
|
||||
## Enable services
|
||||
systemctl enable apparmor --root=/mnt &>/dev/null
|
||||
systemctl enable chronyd --root=/mnt &>/dev/null
|
||||
systemctl enable firewalld --root=/mnt &>/dev/null
|
||||
systemctl enable fstrim.timer --root=/mnt &>/dev/null
|
||||
systemctl enable grub-btrfs.path --root=/mnt &>/dev/null
|
||||
systemctl enable NetworkManager --root=/mnt &>/dev/null
|
||||
systemctl enable reflector.timer --root=/mnt &>/dev/null
|
||||
systemctl enable snapper-timeline.timer --root=/mnt &>/dev/null
|
||||
systemctl enable snapper-cleanup.timer --root=/mnt &>/dev/null
|
||||
systemctl enable systemd-oomd --root=/mnt &>/dev/null
|
||||
systemctl disable systemd-timesyncd --root=/mnt &>/dev/null
|
||||
|
||||
## Set umask to 077.
|
||||
sudo sed -i 's/^UMASK.*/UMASK 077/g' /mnt/etc/login.defs
|
||||
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /mnt/etc/login.defs
|
||||
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /mnt/etc/login.defs
|
||||
sudo sed -i 's/umask 022/umask 077/g' /mnt/etc/bash.bashrc
|
||||
|
||||
# Finish up
|
||||
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
|
||||
exit
|
411
server.sh
411
server.sh
@ -1,411 +0,0 @@
|
||||
#!/usr/bin/env -S bash -e
|
||||
|
||||
# Cleaning the TTY.
|
||||
clear
|
||||
|
||||
|
||||
# Selecting the kernel flavor to install.
|
||||
kernel_selector () {
|
||||
echo "List of kernels:"
|
||||
echo "1) Stable — Vanilla Linux kernel and modules, with a few patches applied."
|
||||
echo "2) Hardened — A security-focused Linux kernel."
|
||||
echo "3) Longterm — Long-term support (LTS) Linux kernel and modules."
|
||||
echo "4) Zen Kernel — Optimized for desktop usage."
|
||||
read -r -p "Insert the number of the corresponding kernel: " choice
|
||||
echo "$choice will be installed"
|
||||
case $choice in
|
||||
1 ) kernel=linux
|
||||
;;
|
||||
2 ) kernel=linux-hardened
|
||||
;;
|
||||
3 ) kernel=linux-lts
|
||||
;;
|
||||
4 ) kernel=linux-zen
|
||||
;;
|
||||
* ) echo "You did not enter a valid selection."
|
||||
kernel_selector
|
||||
esac
|
||||
}
|
||||
|
||||
## user input ##
|
||||
|
||||
# Selecting the target for the installation.
|
||||
PS3="Select the disk where Arch Linux is going to be installed: "
|
||||
select ENTRY in $(lsblk -dpnoNAME|grep -P "/dev/sd|nvme|vd");
|
||||
do
|
||||
DISK=$ENTRY
|
||||
echo "Installing Arch Linux on $DISK."
|
||||
break
|
||||
done
|
||||
|
||||
# Confirming the disk selection.
|
||||
read -r -p "This will delete the current partition table on $DISK. Do you agree [y/N]? " response
|
||||
response=${response,,}
|
||||
if [[ ! ("$response" =~ ^(yes|y)$) ]]; then
|
||||
echo "Quitting."
|
||||
exit
|
||||
fi
|
||||
|
||||
#select kernel
|
||||
kernel_selector
|
||||
|
||||
# Setting username.
|
||||
read -r -p "Please enter name for a user account (leave empty to skip): " username
|
||||
|
||||
# Setting password.
|
||||
if [[ -n $username ]]; then
|
||||
read -r -p "Please enter a password for the user account: " password
|
||||
fi
|
||||
|
||||
# Choose locales.
|
||||
read -r -p "Please insert the locale you use in this format (xx_XX): " locale
|
||||
|
||||
# Choose keyboard layout.
|
||||
read -r -p "Please insert the keyboard layout you use: " kblayout
|
||||
|
||||
|
||||
|
||||
|
||||
## installation ##
|
||||
|
||||
# Updating the live environment usually causes more problems than its worth, and quite often can't be done without remounting cowspace with more capacity, especially at the end of any given month.
|
||||
pacman -Sy
|
||||
|
||||
# Installing curl
|
||||
pacman -S --noconfirm curl
|
||||
|
||||
# formatting the disk
|
||||
wipefs -af "$DISK" &>/dev/null
|
||||
sgdisk -Zo "$DISK" &>/dev/null
|
||||
|
||||
# Checking the microcode to install.
|
||||
CPU=$(grep vendor_id /proc/cpuinfo)
|
||||
if [[ $CPU == *"AuthenticAMD"* ]]; then
|
||||
microcode=amd-ucode
|
||||
else
|
||||
microcode=intel-ucode
|
||||
fi
|
||||
|
||||
# Creating a new partition scheme.
|
||||
echo "Creating new partition scheme on $DISK."
|
||||
parted -s "$DISK" \
|
||||
mklabel gpt \
|
||||
mkpart ESP fat32 1MiB 128MiB \
|
||||
set 1 esp on \
|
||||
mkpart cryptroot 128MiB 100% \
|
||||
|
||||
sleep 0.1
|
||||
ESP="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep ESP| cut -d " " -f1 | cut -c7-)"
|
||||
cryptroot="/dev/$(lsblk $DISK -o NAME,PARTLABEL | grep cryptroot | cut -d " " -f1 | cut -c7-)"
|
||||
|
||||
# Informing the Kernel of the changes.
|
||||
echo "Informing the Kernel about the disk changes."
|
||||
partprobe "$DISK"
|
||||
|
||||
# Formatting the ESP as FAT32.
|
||||
echo "Formatting the EFI Partition as FAT32."
|
||||
mkfs.fat -F 32 -s 2 $ESP &>/dev/null
|
||||
|
||||
# Creating a LUKS Container for the root partition.
|
||||
echo "Creating LUKS Container for the root partition."
|
||||
cryptsetup luksFormat --type luks1 $cryptroot
|
||||
echo "Opening the newly created LUKS Container."
|
||||
cryptsetup open $cryptroot cryptroot
|
||||
BTRFS="/dev/mapper/cryptroot"
|
||||
|
||||
# Formatting the LUKS Container as BTRFS.
|
||||
echo "Formatting the LUKS container as BTRFS."
|
||||
mkfs.btrfs $BTRFS &>/dev/null
|
||||
mount -o clear_cache,nospace_cache $BTRFS /mnt
|
||||
|
||||
# Creating BTRFS subvolumes.
|
||||
echo "Creating BTRFS subvolumes."
|
||||
btrfs su cr /mnt/@ &>/dev/null
|
||||
btrfs su cr /mnt/@/.snapshots &>/dev/null
|
||||
mkdir -p /mnt/@/.snapshots/1 &>/dev/null
|
||||
btrfs su cr /mnt/@/.snapshots/1/snapshot &>/dev/null
|
||||
btrfs su cr /mnt/@/boot/ &>/dev/null
|
||||
btrfs su cr /mnt/@/home &>/dev/null
|
||||
btrfs su cr /mnt/@/root &>/dev/null
|
||||
btrfs su cr /mnt/@/srv &>/dev/null
|
||||
btrfs su cr /mnt/@/var_log &>/dev/null
|
||||
btrfs su cr /mnt/@/var_log_journal &>/dev/null
|
||||
btrfs su cr /mnt/@/var_crash &>/dev/null
|
||||
btrfs su cr /mnt/@/var_cache &>/dev/null
|
||||
btrfs su cr /mnt/@/var_tmp &>/dev/null
|
||||
btrfs su cr /mnt/@/var_spool &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_libvirt_images &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_machines &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
|
||||
btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
|
||||
btrfs su cr /mnt/@/cryptkey &>/dev/null
|
||||
|
||||
chattr +C /mnt/@/boot
|
||||
chattr +C /mnt/@/srv
|
||||
chattr +C /mnt/@/var_log
|
||||
chattr +C /mnt/@/var_log_journal
|
||||
chattr +C /mnt/@/var_crash
|
||||
chattr +C /mnt/@/var_cache
|
||||
chattr +C /mnt/@/var_tmp
|
||||
chattr +C /mnt/@/var_spool
|
||||
chattr +C /mnt/@/var_lib_libvirt_images
|
||||
chattr +C /mnt/@/var_lib_machines
|
||||
chattr +C /mnt/@/var_lib_gdm
|
||||
chattr +C /mnt/@/var_lib_AccountsService
|
||||
chattr +C /mnt/@/cryptkey
|
||||
|
||||
#Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
|
||||
btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt
|
||||
|
||||
cat << EOF >> /mnt/@/.snapshots/1/info.xml
|
||||
<?xml version="1.0"?>
|
||||
<snapshot>
|
||||
<type>single</type>
|
||||
<num>1</num>
|
||||
<date>1999-03-31 0:00:00</date>
|
||||
<description>First Root Filesystem</description>
|
||||
<cleanup>number</cleanup>
|
||||
</snapshot>
|
||||
EOF
|
||||
|
||||
chmod 600 /mnt/@/.snapshots/1/info.xml
|
||||
|
||||
# Mounting the newly created subvolumes.
|
||||
umount /mnt
|
||||
echo "Mounting the newly created subvolumes."
|
||||
mount -o ssd,noatime,space_cache,compress=zstd:15 $BTRFS /mnt
|
||||
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,/var/log,/var/crash,/var/cache,/var/tmp,/var/spool,/var/lib/libvirt/images,/var/lib/machines,/var/lib/gdm,/var/lib/AccountsService,/cryptkey}
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,noexec,subvol=@/boot $BTRFS /mnt/boot
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/root $BTRFS /mnt/root
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodev,nosuid,subvol=@/home $BTRFS /mnt/home
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/.snapshots $BTRFS /mnt/.snapshots
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,subvol=@/srv $BTRFS /mnt/srv
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_log $BTRFS /mnt/var/log
|
||||
|
||||
# Toolbox (https://github.com/containers/toolbox) needs /var/log/journal to have dev, suid, and exec, Thus I am splitting the subvolume. Need to make the directory after /mnt/var/log/ has been mounted.
|
||||
mkdir -p /mnt/var/log/journal
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,subvol=@/var_log_journal $BTRFS /mnt/var/log/journal
|
||||
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_crash $BTRFS /mnt/var/crash
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_cache $BTRFS /mnt/var/cache
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_tmp $BTRFS /mnt/var/tmp
|
||||
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_spool $BTRFS /mnt/var/spool
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_libvirt_images $BTRFS /mnt/var/lib/libvirt/images
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/var_lib_machines $BTRFS /mnt/var/lib/machines
|
||||
|
||||
# The encryption is splitted as we do not want to include it in the backup with snap-pac.
|
||||
mount -o ssd,noatime,space_cache=v2,autodefrag,compress=zstd:15,discard=async,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey $BTRFS /mnt/cryptkey
|
||||
|
||||
mkdir -p /mnt/boot/efi
|
||||
mount -o nodev,nosuid,noexec $ESP /mnt/boot/efi
|
||||
|
||||
# Pacstrap (setting up a base sytem onto the new root).
|
||||
# As I said above, I am considering replacing gnome-software with pamac-flatpak-gnome as PackageKit seems very buggy on Arch Linux right now.
|
||||
echo "Installing the base system (it may take a while)."
|
||||
pacstrap /mnt base ${kernel} ${microcode} linux-firmware grub grub-btrfs snapper snap-pac efibootmgr sudo networkmanager apparmor firewalld zram-generator reflector chrony sbctl openssh fwupd
|
||||
|
||||
# Generating /etc/fstab.
|
||||
echo "Generating a new fstab."
|
||||
genfstab -U /mnt >> /mnt/etc/fstab
|
||||
sed -i 's#,subvolid=258,subvol=/@/.snapshots/1/snapshot,subvol=@/.snapshots/1/snapshot##g' /mnt/etc/fstab
|
||||
|
||||
# Setting hostname.
|
||||
read -r -p "Please enter the hostname: " hostname
|
||||
echo "$hostname" > /mnt/etc/hostname
|
||||
|
||||
# Setting hosts file.
|
||||
echo "Setting hosts file."
|
||||
cat > /mnt/etc/hosts <<EOF
|
||||
127.0.0.1 localhost
|
||||
::1 localhost
|
||||
127.0.1.1 $hostname.localdomain $hostname
|
||||
EOF
|
||||
|
||||
# Setting up locales.
|
||||
echo "$locale.UTF-8 UTF-8" > /mnt/etc/locale.gen
|
||||
echo "LANG=$locale.UTF-8" > /mnt/etc/locale.conf
|
||||
|
||||
# Setting up keyboard layout.
|
||||
read -r -p "Please insert the keyboard layout you use: " kblayout
|
||||
echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
|
||||
|
||||
# Configuring /etc/mkinitcpio.conf
|
||||
echo "Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook."
|
||||
sed -i 's,#COMPRESSION="zstd",COMPRESSION="zstd",g' /mnt/etc/mkinitcpio.conf
|
||||
sed -i 's,HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck),HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck),g' /mnt/etc/mkinitcpio.conf
|
||||
|
||||
# Enabling LUKS in GRUB and setting the UUID of the LUKS container.
|
||||
UUID=$(blkid $cryptroot | cut -f2 -d'"')
|
||||
sed -i 's/#\(GRUB_ENABLE_CRYPTODISK=y\)/\1/' /mnt/etc/default/grub
|
||||
echo "" >> /mnt/etc/default/grub
|
||||
echo -e "# Booting with BTRFS subvolume\nGRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true" >> /mnt/etc/default/grub
|
||||
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/10_linux
|
||||
sed -i 's#rootflags=subvol=${rootsubvol}##g' /mnt/etc/grub.d/20_linux_xen
|
||||
|
||||
# Enabling CPU Mitigations
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_cpu_mitigations.cfg -o /mnt/etc/grub.d/40_cpu_mitigations.cfg
|
||||
|
||||
# Distrusting the CPU
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_distrust_cpu.cfg -o /mnt/etc/grub.d/40_distrust_cpu.cfg
|
||||
|
||||
# Enabling IOMMU
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/default/grub.d/40_enable_iommu.cfg -o /mnt/etc/grub.d/40_enable_iommu.cfg
|
||||
|
||||
# Enabling NTS
|
||||
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /mnt/etc/chrony.conf
|
||||
|
||||
# Setting GRUB configuration file permissions
|
||||
chmod 755 /mnt/etc/grub.d/*
|
||||
|
||||
# Adding keyfile to the initramfs to avoid double password.
|
||||
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
|
||||
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
|
||||
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key
|
||||
sed -i "s#quiet#cryptdevice=UUID=$UUID:cryptroot root=$BTRFS lsm=landlock,lockdown,yama,apparmor,bpf cryptkey=rootfs:/cryptkey/.root.key#g" /mnt/etc/default/grub
|
||||
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
||||
|
||||
# Configure AppArmor Parser caching
|
||||
sed -i 's/#write-cache/write-cache/g' /mnt/etc/apparmor/parser.conf
|
||||
sed -i 's,#Include /etc/apparmor.d/,Include /etc/apparmor.d/,g' /mnt/etc/apparmor/parser.conf
|
||||
|
||||
# Blacklisting kernel modules
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /mnt/etc/modprobe.d/30_security-misc.conf
|
||||
chmod 600 /mnt/etc/modprobe.d/*
|
||||
|
||||
# Security kernel settings.
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf -o /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
chmod 600 /mnt/etc/sysctl.d/*
|
||||
|
||||
# Remove nullok from system-auth
|
||||
sed -i 's/nullok//g' /mnt/etc/pam.d/system-auth
|
||||
|
||||
# Disable coredump
|
||||
echo "* hard core 0" >> /mnt/etc/security/limits.conf
|
||||
|
||||
# Disable su for non-wheel users
|
||||
bash -c 'cat > /mnt/etc/pam.d/su' <<-'EOF'
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
# Uncomment the following line to implicitly trust users in the "wheel" group.
|
||||
#auth sufficient pam_wheel.so trust use_uid
|
||||
# Uncomment the following line to require a user to be in the "wheel" group.
|
||||
auth required pam_wheel.so use_uid
|
||||
auth required pam_unix.so
|
||||
account required pam_unix.so
|
||||
session required pam_unix.so
|
||||
EOF
|
||||
|
||||
# ZRAM configuration
|
||||
bash -c 'cat > /mnt/etc/systemd/zram-generator.conf' <<-'EOF'
|
||||
[zram0]
|
||||
zram-fraction = 1
|
||||
max-zram-size = 8192
|
||||
EOF
|
||||
|
||||
# Configuring the system.
|
||||
arch-chroot /mnt /bin/bash -e <<EOF
|
||||
|
||||
# Setting up timezone.
|
||||
ln -sf /usr/share/zoneinfo/$(curl -s http://ip-api.com/line?fields=timezone) /etc/localtime &>/dev/null
|
||||
|
||||
# Setting up clock.
|
||||
hwclock --systohc
|
||||
|
||||
# Generating locales.my keys aren't even on
|
||||
echo "Generating locales."
|
||||
locale-gen &>/dev/null
|
||||
|
||||
# Generating a new initramfs.
|
||||
echo "Creating a new initramfs."
|
||||
chmod 600 /boot/initramfs-linux* &>/dev/null
|
||||
mkinitcpio -P &>/dev/null
|
||||
|
||||
# Snapper configuration
|
||||
umount /.snapshots
|
||||
rm -r /.snapshots
|
||||
snapper --no-dbus -c root create-config /
|
||||
btrfs subvolume delete /.snapshots
|
||||
mkdir /.snapshots
|
||||
mount -a
|
||||
chmod 750 /.snapshots
|
||||
|
||||
# Installing GRUB.
|
||||
echo "Installing GRUB on /boot."
|
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock &>/dev/null
|
||||
|
||||
# Creating grub config file.
|
||||
echo "Creating GRUB config file."
|
||||
grub-mkconfig -o /boot/grub/grub.cfg &>/dev/null
|
||||
|
||||
# Adding user with sudo privilege
|
||||
if [ -n "$username" ]; then
|
||||
echo "Adding $username with root privilege."
|
||||
useradd -m $username
|
||||
usermod -aG wheel $username
|
||||
|
||||
groupadd -r audit
|
||||
gpasswd -a $username audit
|
||||
fi
|
||||
EOF
|
||||
|
||||
# Setting user password.
|
||||
[ -n "$username" ] && echo "Setting user password for ${username}." && echo -e "${password}\n${password}" | arch-chroot /mnt passwd "$username" &>/dev/null
|
||||
|
||||
# Giving wheel user sudo access.
|
||||
sed -i 's/# \(%wheel ALL=(ALL\(:ALL\|\)) ALL\)/\1/g' /mnt/etc/sudoers
|
||||
|
||||
# Change audit logging group
|
||||
echo "log_group = audit" >> /mnt/etc/audit/auditd.conf
|
||||
|
||||
# Enabling audit service.
|
||||
systemctl enable auditd --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling openssh server
|
||||
systemctl enable sshd --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling auto-trimming service.
|
||||
systemctl enable fstrim.timer --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling NetworkManager.
|
||||
systemctl enable NetworkManager --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling AppArmor.
|
||||
echo "Enabling AppArmor."
|
||||
systemctl enable apparmor --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling Firewalld.
|
||||
echo "Enabling Firewalld."
|
||||
systemctl enable firewalld --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling Reflector timer.
|
||||
echo "Enabling Reflector."
|
||||
systemctl enable reflector.timer --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling systemd-oomd.
|
||||
echo "Enabling systemd-oomd."
|
||||
systemctl enable systemd-oomd --root=/mnt &>/dev/null
|
||||
|
||||
# Disabling systemd-timesyncd
|
||||
systemctl disable systemd-timesyncd --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling chronyd
|
||||
systemctl enable chronyd --root=/mnt &>/dev/null
|
||||
|
||||
# Enabling Snapper automatic snapshots.
|
||||
echo "Enabling Snapper and automatic snapshots entries."
|
||||
systemctl enable snapper-timeline.timer --root=/mnt &>/dev/null
|
||||
systemctl enable snapper-cleanup.timer --root=/mnt &>/dev/null
|
||||
systemctl enable grub-btrfs.path --root=/mnt &>/dev/null
|
||||
|
||||
# Setting umask to 077.
|
||||
sed -i 's/022/077/g' /mnt/etc/profile
|
||||
echo "" >> /mnt/etc/bash.bashrc
|
||||
echo "umask 077" >> /mnt/etc/bash.bashrc
|
||||
|
||||
# Finishing up
|
||||
echo "Done, you may now wish to reboot (further changes can be done by chrooting into /mnt)."
|
||||
exit
|
Loading…
Reference in New Issue
Block a user