

No commits in common. "daf2664d08282547f1bb42066a29469eb41efd76" and "8a0504c4d8d823c5d94fc6b1d979675fc7d0e981" have entirely different histories.


@ -22,9 +22,6 @@ unpriv(){
sudo -u nobody "$@"
}
# Check if this is a VM
virtualization=$(systemd-detect-virt)
install_mode_selector() {
output 'Is this a desktop or server installation?'
output '1) Desktop'
@ -41,42 +38,20 @@ install_mode_selector() {
esac
}
luks_prompt(){
if [ "${virtualization}" != 'none' ]; then
output "Virtual machine detected. Do you want to set up LUKS?"
output '1) No'
output '2) Yes'
output 'Insert the number of your selection:'
read -r choice
case $choice in
1 ) use_luks='0'
;;
2 ) use_luks='1'
;;
* ) output 'You did not enter a valid selection.'
luks_prompt
esac
else
use_luks='1'
fi
}
luks_password_prompt () {
if [ "${use_luks}" = '1' ]; then
output 'Enter your encryption password (the password will not be shown on the screen):'
read -r -s luks_password
output 'Enter your encryption password (the password will not be shown on the screen):'
read -r -s luks_password
if [ -z "${luks_password}" ]; then
output 'You need to enter a password.'
luks_password_prompt
fi
if [ -z "${luks_password}" ]; then
output 'You need to enter a password.'
luks_password_prompt
fi
output 'Confirm your encryption password (the password will not be shown on the screen):'
read -r -s luks_password2
if [ "${luks_password}" != "${luks_password2}" ]; then
output 'Passwords do not match, please try again.'
luks_password_prompt
fi
output 'Confirm your encryption password (the password will not be shown on the screen):'
read -r -s luks_password2
if [ "${luks_password}" != "${luks_password2}" ]; then
output 'Passwords do not match, please try again.'
luks_password_prompt
fi
}
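Review bot: In the new luks_password_prompt the empty-password branch re-enters the function (`luks_password_prompt` under `if [ -z "${luks_password}" ]`) but does not return afterwards, so once the nested call has produced a confirmed passphrase the outer call continues into its own confirmation prompt and asks the user to confirm a second time. Adding a return after the recursive call, `luks_password_prompt; return`, lets each invocation stop as soon as the nested prompt has finished; the mismatch branch is the function's last statement and already falls through to the closing brace. This was present on the old side too, so the commit does not address it.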
@ -132,26 +107,6 @@ hostname_prompt (){
fi
}
network_daemon_prompt(){
if [ "${install_mode}" = 'server' ]; then
output 'Which network daemon do you want to use'
output '1) networkmanager'
output '2) systemd-networkd'
output 'Insert the number of your selection:'
read -r choice
case $choice in
1 ) network_daemon='networkmanager'
;;
2 ) network_daemon='systemd-networkd'
;;
* ) output 'You did not enter a valid selection.'
install_mode_selector
esac
else
network_daemon='networkmanager'
fi
}
# Set hardcoded variables (temporary, these will be replaced by future prompts)
locale=en_US
kblayout=us
@ -161,13 +116,14 @@ clear
# Initial prompts
install_mode_selector
luks_prompt
luks_password_prompt
disk_prompt
username_prompt
user_password_prompt
hostname_prompt
network_daemon_prompt
# Check if this is a VM
virtualization=$(systemd-detect-virt)
# Installation
@ -187,13 +143,10 @@ parted -s "${disk}" \
mklabel gpt \
mkpart ESP fat32 1MiB 513MiB \
set 1 esp on \
mkpart rootfs 513MiB 100%
mkpart cryptroot 513MiB 100%
ESP='/dev/disk/by-partlabel/ESP'
if [ "${use_luks}" = '1' ]; then
cryptroot='/dev/disk/by-partlabel/rootfs'
fi
cryptroot='/dev/disk/by-partlabel/cryptroot'
## Informing the Kernel of the changes.
output 'Informing the Kernel about the disk changes.'
@ -204,17 +157,13 @@ output 'Formatting the EFI Partition as FAT32.'
mkfs.fat -F 32 -s 2 "${ESP}" &>/dev/null
## Creating a LUKS Container for the root partition.
if [ "${use_luks}" = '1' ]; then
output 'Creating LUKS Container for the root partition.'
echo -n "${luks_password}" | cryptsetup luksFormat --pbkdf pbkdf2 "${cryptroot}" -d - &>/dev/null
echo -n "${luks_password}" | cryptsetup open "${cryptroot}" cryptroot -d -
BTRFS='/dev/mapper/cryptroot'
else
BTRFS='/dev/disk/by-partlabel/rootfs'
fi
output 'Creating LUKS Container for the root partition.'
echo -n "${luks_password}" | cryptsetup luksFormat --pbkdf pbkdf2 ${cryptroot} -d - &>/dev/null
echo -n "${luks_password}" | cryptsetup open ${cryptroot} cryptroot -d -
BTRFS='/dev/mapper/cryptroot'
## Formatting the partition as BTRFS.
output 'Formatting the rootfs as BTRFS.'
## Formatting the LUKS Container as BTRFS.
output 'Formatting the LUKS container as BTRFS.'
mkfs.btrfs "${BTRFS}" &>/dev/null
mount "${BTRFS}" /mnt
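Review bot: The new `cryptsetup luksFormat` and `cryptsetup open` lines drop the quotes around `${cryptroot}` that the removed block had; the value is a fixed by-partlabel path here, so this is a style regression rather than a live bug, but `cryptsetup luksFormat --pbkdf pbkdf2 "${cryptroot}" -d - &>/dev/null` keeps the script consistent and ShellCheck-clean. Feeding the passphrase with `echo -n "${luks_password}"` also has an edge case: a passphrase made only of echo option letters (for example `-n` or `-e`) is consumed as options by bash's builtin echo and an empty key reaches cryptsetup, so `printf '%s' "${luks_password}" | cryptsetup …` is the safer form; the same applies to the luksAddKey line in the keyfile hunk further down. Finally, `--pbkdf pbkdf2` deserves a why-comment, since the argon2id default is the stronger choice and a reader may be tempted to remove the flag: `# pbkdf2 instead of the argon2id default: GRUB (GRUB_ENABLE_CRYPTODISK=y below) cannot unlock argon2 keyslots`.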
@ -241,10 +190,7 @@ if [ "${install_mode}" = 'desktop' ]; then
btrfs su cr /mnt/@/var_lib_gdm &>/dev/null
btrfs su cr /mnt/@/var_lib_AccountsService &>/dev/null
fi
if [ "${use_luks}" = '1' ]; then
btrfs su cr /mnt/@/cryptkey &>/dev/null
fi
btrfs su cr /mnt/@/cryptkey &>/dev/null
## Disable CoW on subvols we are not taking snapshots of
chattr +C /mnt/@/boot
@ -263,10 +209,7 @@ if [ "${install_mode}" = 'desktop' ]; then
chattr +C /mnt/@/var_lib_gdm
chattr +C /mnt/@/var_lib_AccountsService
fi
if [ "${use_luks}" = '1' ]; then
chattr +C /mnt/@/cryptkey
fi
chattr +C /mnt/@/cryptkey
## Set the default BTRFS Subvol to Snapshot 1 before pacstrapping
btrfs subvolume set-default "$(btrfs subvolume list /mnt | grep "@/.snapshots/1/snapshot" | grep -oP '(?<=ID )[0-9]+')" /mnt
@ -287,15 +230,10 @@ chmod 600 /mnt/@/.snapshots/1/info.xml
umount /mnt
output 'Mounting the newly created subvolumes.'
mount -o ssd,noatime,compress=zstd "${BTRFS}" /mnt
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines}
mkdir -p /mnt/{boot,root,home,.snapshots,srv,tmp,var/log,var/crash,var/cache,var/tmp,var/spool,var/lib/libvirt/images,var/lib/machines,cryptkey}
if [ "${install_mode}" = 'desktop' ]; then
mkdir -p /mnt/{var/lib/gdm,var/lib/AccountsService}
fi
if [ "${use_luks}" = '1' ]; then
mkdir -p /mnt/cryptkey
fi
mount -o ssd,noatime,compress=zstd,nodev,nosuid,noexec,subvol=@/boot "${BTRFS}" /mnt/boot
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/root "${BTRFS}" /mnt/root
mount -o ssd,noatime,compress=zstd,nodev,nosuid,subvol=@/home "${BTRFS}" /mnt/home
@ -322,9 +260,7 @@ if [ "${install_mode}" = 'desktop' ]; then
fi
### The encryption is splitted as we do not want to include it in the backup with snap-pac.
if [ "${use_luks}" = '1' ]; then
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
fi
mount -o ssd,noatime,compress=zstd,nodatacow,nodev,nosuid,noexec,subvol=@/cryptkey "${BTRFS}" /mnt/cryptkey
mkdir -p /mnt/boot/efi
mount -o nodev,nosuid,noexec "${ESP}" /mnt/boot/efi
@ -345,11 +281,7 @@ output 'Installing the base system (it may take a while).'
output "You may see an error when mkinitcpio tries to generate a new initramfs."
output "It is okay. The script will regenerate the initramfs later in the installation process."
pacstrap /mnt apparmor base chrony efibootmgr firewalld grub grub-btrfs inotify-tools linux-firmware linux-hardened linux-lts "${microcode}" nano reflector sbctl snapper sudo zram-generator
if [ "${network_daemon}" = 'networkmanager' ]; then
pacstrap /mnt networkmanager
fi
pacstrap /mnt apparmor base chrony efibootmgr firewalld grub grub-btrfs inotify-tools linux-firmware linux-hardened linux-lts "${microcode}" nano networkmanager reflector sbctl snapper sudo zram-generator
if [ "${install_mode}" = 'desktop' ]; then
pacstrap /mnt nautilus gdm gnome-console gnome-control-center flatpak pipewire-alsa pipewire-pulse pipewire-jack
@ -397,16 +329,10 @@ echo "KEYMAP=$kblayout" > /mnt/etc/vconsole.conf
output 'Configuring /etc/mkinitcpio for ZSTD compression and LUKS hook.'
sed -i 's/#COMPRESSION="zstd"/COMPRESSION="zstd"/g' /mnt/etc/mkinitcpio.conf
sed -i 's/^MODULES=.*/MODULES=(btrfs)/g' /mnt/etc/mkinitcpio.conf
if [ "${use_luks}" = '1' ]; then
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt)/g' /mnt/etc/mkinitcpio.conf
else
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block)/g' /mnt/etc/mkinitcpio.conf
fi
sed -i 's/^HOOKS=.*/HOOKS=(systemd autodetect microcode modconf keyboard sd-vconsole block sd-encrypt)/g' /mnt/etc/mkinitcpio.conf
## Enable LUKS in GRUB and setting the UUID of the LUKS container.
if [ "${use_luks}" = '1' ]; then
sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
fi
sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/default/grub
echo '' >> /mnt/etc/default/grub
echo '# Booting with BTRFS subvolume
GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub
@ -419,22 +345,15 @@ sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
## Kernel hardening
if [ "${use_luks}" = '1' ]; then
UUID=$(blkid -s UUID -o value "${cryptroot}")
sed -i "s#quiet#rd.luks.name=${UUID}=cryptroot root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
else
sed -i "s#quiet#root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
fi
UUID=$(blkid -s UUID -o value "${cryptroot}")
sed -i "s#quiet#rd.luks.name=${UUID}=cryptroot root=${BTRFS} lsm=landlock,lockdown,yama,integrity,apparmor,bpf mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1#g" /mnt/etc/default/grub
## Add keyfile to the initramfs to avoid double password.
if [ "${use_luks}" = '1' ]; then
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/rootfs /mnt/cryptkey/.root.key -d -
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
sed -i "s#module\.sig_enforce=1#module.sig_enforce=1 rd.luks.key=/cryptkey/.root.key#g" /mnt/etc/default/grub
fi
dd bs=512 count=4 if=/dev/random of=/mnt/cryptkey/.root.key iflag=fullblock &>/dev/null
chmod 000 /mnt/cryptkey/.root.key &>/dev/null
echo -n "${luks_password}" | cryptsetup luksAddKey /dev/disk/by-partlabel/cryptroot /mnt/cryptkey/.root.key -d -
sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
sed -i "s#module\.sig_enforce=1#module.sig_enforce=1 rd.luks.key=/cryptkey/.root.key#g" /mnt/etc/default/grub
## Continue kernel hardening
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
@ -480,8 +399,6 @@ fi
# Setup dconf
if [ "${install_mode}" = 'desktop' ]; then
# This doesn't actually take effect atm - need to investigate
mkdir -p /mnt/etc/dconf/db/local.d/locks
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | tee /mnt/etc/dconf/db/local.d/locks/automount-disable
@ -500,15 +417,12 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
## Setup Networking
if [ "${install_mode}" = 'desktop' ]; then
if [ "${install_mode}" = "desktop" ]; then
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | tee /mnt/etc/NetworkManager/conf.d/00-macrandomize.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | tee /mnt/etc/NetworkManager/conf.d/01-transient-hostname.conf
fi
if [ "${network_daemon}" = 'networkmanager' ]; then
mkdir -p /mnt/etc/systemd/system/NetworkManager.service.d/
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf
fi
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf
## Configuring the system.
arch-chroot /mnt /bin/bash -e <<EOF
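Review bot: The new side writes `/mnt/etc/systemd/system/NetworkManager.service.d/99-brace.conf` through `tee` but no longer creates that drop-in directory; the removed block ran `mkdir -p /mnt/etc/systemd/system/NetworkManager.service.d/` first, and unless the directory is created elsewhere on the new side (not visible here) `tee` fails with a missing directory and the hardening drop-in is silently absent. Restoring `mkdir -p /mnt/etc/systemd/system/NetworkManager.service.d/` before the `unpriv curl … | tee …` line fixes it. The pipeline also never checks curl's status, so a failed download leaves an empty or error-page config in place; `unpriv curl -fsS …` makes HTTP errors fail the command so they can be noticed.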
@ -521,33 +435,33 @@ arch-chroot /mnt /bin/bash -e <<EOF
hwclock --systohc
# Generating locales.my keys aren't even on
echo "Generating locales."
output "Generating locales."
locale-gen
# Create SecureBoot keys. This isn't strictly necessary, but certain things like linux-hardened preset expects it and mkinitcpio will fail without it, sooo...
sbctl create-keys
# Generating a new initramfs.
echo "Creating a new initramfs."
output "Creating a new initramfs."
chmod 600 /boot/initramfs-linux*
mkinitcpio -P
# Installing GRUB.
echo "Installing GRUB on /boot."
output "Installing GRUB on /boot."
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --disable-shim-lock
# Creating grub config file.
echo "Creating GRUB config file."
output "Creating GRUB config file."
grub-mkconfig -o /boot/grub/grub.cfg
# Adding user with sudo privilege
echo "Adding $username with root privilege."
output "Adding $username with root privilege."
useradd -m $username
usermod -aG wheel $username
if [ "${install_mode}" = 'desktop' ]; then
# Setting up dconf
echo "Setting up dconf."
output "Setting up dconf."
dconf update
fi
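Review bot: Inside the `arch-chroot /mnt /bin/bash -e <<EOF` heredoc the new side replaces `echo` with `output`, but `output` is a shell function of the outer script and is not visible to the bash started inside the chroot unless it is exported with `export -f output` before the heredoc; if no such export exists (none is visible here), `bash -e` aborts at the first `output` call after `hwclock --systohc`, leaving locale-gen, sbctl, mkinitcpio, grub-install and useradd unrun. Either keep `echo` inside the heredoc or add `export -f output` ahead of the `arch-chroot` line. While here, `useradd -m $username` and `usermod -aG wheel $username` expand unquoted in the heredoc text; `useradd -m "$username"` keeps the inner shell from word-splitting the value. The heredoc starts in the previous hunk and ends outside this one.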
@ -573,18 +487,13 @@ systemctl enable chronyd --root=/mnt
systemctl enable firewalld --root=/mnt
systemctl enable fstrim.timer --root=/mnt
systemctl enable grub-btrfsd.service --root=/mnt
systemctl enable NetworkManager --root=/mnt
systemctl enable reflector.timer --root=/mnt
systemctl enable snapper-timeline.timer --root=/mnt
systemctl enable snapper-cleanup.timer --root=/mnt
systemctl enable systemd-oomd --root=/mnt
systemctl disable systemd-timesyncd --root=/mnt
if [ "${network_daemon}" = 'networkmanager' ]; then
systemctl enable NetworkManager --root=/mnt
else
systemctl enable systemd-networkd --root=/mnt
fi
if [ "${install_mode}" = 'desktop' ]; then
systemctl enable gdm --root=/mnt
fi