Tomster/Arch-Setup-Script
1
0
Fork 0
mirror of https://github.com/tommytran732/Arch-Setup-Script synced 2024-11-22 17:41:33 -05:00
Code

Compare commits

base: Tomster:b8e23af72dd2f9ee67dfac1a3af02a310c09382d
Branches Tags
Tomster:main
..
compare: Tomster:eeeb6f0f033db909ae33fb5f8879067b58c6ea31
Branches Tags
Tomster:main

No commits in common. "b8e23af72dd2f9ee67dfac1a3af02a310c09382d" and "eeeb6f0f033db909ae33fb5f8879067b58c6ea31" have entirely different histories.
b8e23af72d ... eeeb6f0f03

3 changed files with 5 additions and 45 deletions
Show Stats Expand all files Collapse all files

37
.github/workflows/shellcheck.yml vendored
View File

@ -1,37 +0,0 @@
name: ShellCheck
on:
workflow_dispatch:
push:
branches:
- master
- main
paths-ignore:
- '**.gitignore'
- '**.md'
- 'LICENSE'
- '**.conf'
- '**.service'
- '**.timer'
- '**.path'
- '**.list'
pull_request:
paths-ignore:
- '**.gitignore'
- '**.md'
- 'LICENSE'
- '**.conf'
- '**.service'
- '**.timer'
- '**.path'
- '**.list'
jobs:
shellcheck:
name: Bash syntax checker
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master

3
README.md
View File

@ -1,7 +1,4 @@
### Introduction ### Introduction
[![ShellCheck](https://github.com/TommyTran732/Arch-Setup-Script/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/TommyTran732/Arch-Setup-Script/actions/workflows/shellcheck.yml)
This is my fork of [easy-arch](https://github.com/classy-giraffe/easy-arch), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process (UEFI only). This is my fork of [easy-arch](https://github.com/classy-giraffe/easy-arch), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process (UEFI only).
This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well. This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.

10
install.sh
View File

@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
#!/bin/bash
# Copyright (C) 2021-2024 Thien Tran, Tommaso Chiti # Copyright (C) 2021-2024 Thien Tran, Tommaso Chiti
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may not # Licensed under the Apache License, Version 2.0 (the "License"); you may not
@ -285,9 +287,9 @@ fi
## Pacstrap ## Pacstrap
output 'Installing the base system (it may take a while).' output 'Installing the base system (it may take a while).'
if [ "${install_mode}" = 'desktop' ]; then if [ "${install_mode}" = 'desktop' ]; then
pacstrap /mnt base "${kernel}" "${microcode}" apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator nautilus gdm gnome-console gnome-control-center pipewire-alsa pipewire-pulse pipewire-jack pacstrap /mnt base ${kernel} ${microcode} apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator nautilus gdm gnome-console gnome-control-center pipewire-alsa pipewire-pulse pipewire-jack
elif [ "${install_mode}" = 'server' ]; then elif [ "${install_mode}" = 'server' ]; then
pacstrap /mnt base "${kernel}" "${microcode}" apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator openssh pacstrap /mnt base ${kernel} ${microcode} apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator openssh
fi fi
if [ "${virtualization}" = 'none' ]; then if [ "${virtualization}" = 'none' ]; then
@ -330,9 +332,7 @@ sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/defaul
echo '' >> /mnt/etc/default/grub echo '' >> /mnt/etc/default/grub
echo '# Booting with BTRFS subvolume echo '# Booting with BTRFS subvolume
GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub
# shellcheck disable=SC2016
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
# shellcheck disable=SC2016
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
## Kernel hardening ## Kernel hardening
@ -349,7 +349,7 @@ sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
## Continue kernel hardening ## Continue kernel hardening
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /mnt/etc/sysctl.d/990-security-misc.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /mnt/etc/sysctl.d/990-security-misc.conf
sed -i 's/kernel\.yama\.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf sed -i 's/kernel.yama.ptrace_scope.*/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf | tee /mnt/etc/sysctl.d/30_silent-kernel-printk.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf | tee /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf | tee /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf | tee /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf