Compare commits
7 Commits
eeeb6f0f03
...
b8e23af72d
Author | SHA1 | Date | |
---|---|---|---|
b8e23af72d | |||
577ebc5fb4 | |||
d9a451b28f | |||
16a442b76d | |||
c75de37394 | |||
8cf9d0370b | |||
ef4f92cb7b |
37
.github/workflows/shellcheck.yml
@ -0,0 +1,37 @@
|
|||||||
|
name: ShellCheck
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- master
|
||||||
|
- main
|
||||||
|
paths-ignore:
|
||||||
|
- '**.gitignore'
|
||||||
|
- '**.md'
|
||||||
|
- 'LICENSE'
|
||||||
|
- '**.conf'
|
||||||
|
- '**.service'
|
||||||
|
- '**.timer'
|
||||||
|
- '**.path'
|
||||||
|
- '**.list'
|
||||||
|
pull_request:
|
||||||
|
paths-ignore:
|
||||||
|
- '**.gitignore'
|
||||||
|
- '**.md'
|
||||||
|
- 'LICENSE'
|
||||||
|
- '**.conf'
|
||||||
|
- '**.service'
|
||||||
|
- '**.timer'
|
||||||
|
- '**.path'
|
||||||
|
- '**.list'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
shellcheck:
|
||||||
|
name: Bash syntax checker
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
- name: Run ShellCheck
|
||||||
|
uses: ludeeus/action-shellcheck@master
|
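Review bot: The third-party action on the last line of the hunk is referenced by a mutable branch, `uses: ludeeus/action-shellcheck@master`, so whatever is pushed to that branch is what executes against the checked-out repository; pin it to a full commit SHA and record the version in a trailing comment, e.g. `uses: ludeeus/action-shellcheck@<full-commit-sha>  # vX.Y.Z` (placeholder values). The workflow also declares no `permissions:` block, so the job token receives the repository's default scope although checkout plus a linter only need read access; adding `permissions:` with `contents: read` at the top level keeps it least-privilege. The whole 37-line file is inside this hunk, so both additions fit without touching other hunks.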
@ -1,4 +1,7 @@
|
|||||||
### Introduction
|
### Introduction
|
||||||
|
|
||||||
|
[![ShellCheck](https://github.com/TommyTran732/Arch-Setup-Script/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/TommyTran732/Arch-Setup-Script/actions/workflows/shellcheck.yml)
|
||||||
|
|
||||||
This is my fork of [easy-arch](https://github.com/classy-giraffe/easy-arch), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process (UEFI only).
|
This is my fork of [easy-arch](https://github.com/classy-giraffe/easy-arch), a **script** made in order to boostrap a basic **Arch Linux** environment with **snapshots** and **encryption** by using a fully automated process (UEFI only).
|
||||||
|
|
||||||
This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.
|
This fork comes with various security improvements and fully working rollbacks with snapper. I do submit some of the changes here back to upstream as well.
|
||||||
|
10
install.sh
@ -1,7 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Copyright (C) 2021-2024 Thien Tran, Tommaso Chiti
|
# Copyright (C) 2021-2024 Thien Tran, Tommaso Chiti
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
@ -287,9 +285,9 @@ fi
|
|||||||
## Pacstrap
|
## Pacstrap
|
||||||
output 'Installing the base system (it may take a while).'
|
output 'Installing the base system (it may take a while).'
|
||||||
if [ "${install_mode}" = 'desktop' ]; then
|
if [ "${install_mode}" = 'desktop' ]; then
|
||||||
pacstrap /mnt base ${kernel} ${microcode} apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator nautilus gdm gnome-console gnome-control-center pipewire-alsa pipewire-pulse pipewire-jack
|
pacstrap /mnt base "${kernel}" "${microcode}" apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator nautilus gdm gnome-console gnome-control-center pipewire-alsa pipewire-pulse pipewire-jack
|
||||||
elif [ "${install_mode}" = 'server' ]; then
|
elif [ "${install_mode}" = 'server' ]; then
|
||||||
pacstrap /mnt base ${kernel} ${microcode} apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator openssh
|
pacstrap /mnt base "${kernel}" "${microcode}" apparmor chrony firewalld grub grub-btrfs linux-firmware nano networkmanager reflector snapper sudo zram-generator openssh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${virtualization}" = 'none' ]; then
|
if [ "${virtualization}" = 'none' ]; then
|
||||||
@ -332,7 +330,9 @@ sed -i 's/#GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/g' /mnt/etc/defaul
|
|||||||
echo '' >> /mnt/etc/default/grub
|
echo '' >> /mnt/etc/default/grub
|
||||||
echo '# Booting with BTRFS subvolume
|
echo '# Booting with BTRFS subvolume
|
||||||
GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub
|
GRUB_BTRFS_OVERRIDE_BOOT_PARTITION_DETECTION=true' >> /mnt/etc/default/grub
|
||||||
|
# shellcheck disable=SC2016
|
||||||
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
|
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/10_linux
|
||||||
|
# shellcheck disable=SC2016
|
||||||
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
|
sed -i 's/rootflags=subvol=${rootsubvol}//g' /mnt/etc/grub.d/20_linux_xen
|
||||||
|
|
||||||
## Kernel hardening
|
## Kernel hardening
|
||||||
@ -349,7 +349,7 @@ sed -i 's#FILES=()#FILES=(/cryptkey/.root.key)#g' /mnt/etc/mkinitcpio.conf
|
|||||||
## Continue kernel hardening
|
## Continue kernel hardening
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /mnt/etc/modprobe.d/30_security-misc.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /mnt/etc/sysctl.d/990-security-misc.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /mnt/etc/sysctl.d/990-security-misc.conf
|
||||||
sed -i 's/kernel.yama.ptrace_scope.*/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
sed -i 's/kernel\.yama\.ptrace_scope[[:space:]]*=.*/kernel.yama.ptrace_scope=3/g' /mnt/etc/sysctl.d/990-security-misc.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf | tee /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf | tee /mnt/etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf | tee /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf | tee /mnt/etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
|
|
||||||
|
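Review bot: The tightened sed on the `kernel.yama.ptrace_scope` line (hunk at -349) still runs unconditionally and never confirms the setting landed, so if the preceding `unpriv curl … | tee` pair (unchanged context) fetches nothing, or the upstream file ever carries the key commented out, the hardening silently ends up absent while the install continues; whether `pipefail` is set earlier in the script is not visible here. A post-condition such as `grep -q '^kernel.yama.ptrace_scope=3$' /mnt/etc/sysctl.d/990-security-misc.conf || { output 'ptrace_scope hardening was not applied.'; exit 1; }` would surface that. Anchoring the pattern with `^` would also stop it from rewriting a commented-out `#kernel.yama.ptrace_scope=…` line into a form that still does nothing. Separately, in the pacstrap hunk at -287 the now-quoted `"${microcode}"` passes an empty argument if that variable can ever be empty, which the previous unquoted form dropped; `${microcode:+"${microcode}"}` preserves both behaviours should that case exist.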