Linux-Setup-Scripts/Fedora-Workstation-38.sh

#!/bin/bash

#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
#Customize it to your liking
#Run this script as your admin user, NOT root

#Variables
USER=$(whoami)
PARTITIONID=$(sudo cat /etc/crypttab | awk '{print $1}')
PARTITIONUUID=$(sudo blkid -s UUID -o value /dev/mapper/"${PARTITIONID}")

output(){
    echo -e '\e[36m'$1'\e[0m';
}

#Moving to the home directory
#Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.)
cd /home/"${USER}" || exit

#Setting umask to 077
umask 077
sudo sed -i 's/umask 002/umask 077/g' /etc/bashrc
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc

#Make home directory private
chmod 700 /home/*

#Security kernel settings
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf

#Systemd Hardening
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf

echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf

#Setup NTS
rm -rf /etc/chrony/chrony.conf
curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf

#Setup Firewalld
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
sudo firewall-cmd --permanent --remove-service=mdns
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --remove-service=samba-client
sudo firewall-cmd --reload

#Speed up DNF
sudo echo 'fastestmirror=1' | sudo tee -a /etc/dnf/dnf.conf
sudo echo 'deltarpm=true' | sudo tee -a /etc/dnf/dnf.conf
sudo echo 'countme=false' | sudo tee -a /etc/dnf/dnf.conf

#Update packages and firmware
sudo dnf upgrade -y
sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates -y
sudo fwupdmgr update -y

#Remove unneeded packages
sudo dnf -y remove abrt nm-connection-editor mozilla-filesystem chrome-gnome-shell quota* nmap-ncat virtualbox-guest-additions spice-vdagent nfs-utils teamd tcpdump sgpio ImageMagick* adcli libreoffice* lvm2 qemu-guest-agent hyperv* gnome-classic* baobab *kkc* *zhuyin* *pinyin* *evince* *yelp* ModemManager fedora-bookmarks fedora-chromium-config gnome-tour gnome-themes-extra gnome-shell-extension-background-logo gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome podman*  *libvirt* open-vm* *speech* sos totem gnome-characters firefox eog openssh-server dmidecode xorg-x11-drv-vmware xorg-x11-drv-amdgpu yajl words ibus-hangui vino openh264 realmd rsync net-snmp-libs net-tools traceroute mtr geolite2* gnome-boxes gnome-disk-utility gedit gnome-calendar cheese gnome-contacts rhythmbox gnome-screenshot gnome-maps gnome-weather gnome-logs ibus-typing-booster *m17n* gnome-clocks gnome-color-manager mlocate cyrus-sasl-plain cyrus-sasl-gssapi sssd* gnome-user* dos2unix kpartx rng-tools ppp* thermald *perl* gnome-shell-extension-apps-menu gnome-shell-extension-horizontal-workspaces gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list file-roller* sane* simple-scan *hangul* mediawriter *anthy*

#Disable openh264 repo
sudo dnf config-manager --set-disabled fedora-cisco-openh264 -y

#Install packages that I use
sudo dnf -y install gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo setroubleshoot

#Enable auto TRIM
sudo systemctl enable fstrim.timer

#Enable Titlebar buttons
gsettings set org.gnome.desktop.wm.preferences button-layout 'appmenu:minimize,maximize,close'

#Setup BTRFS layout and Timeshift
sudo mkdir /btrfs_pool
sudo mount -o subvolid=5 /dev/mapper/${PARTITIONID} /btrfs_pool
sudo mv /btrfs_pool/root /btrfs_pool/@
sudo mv /btrfs_pool/home /btrfs_pool/@home
sudo btrfs subvolume list /btrfs_pool
sudo sed -i 's/subvol=root/subvol=@,ssd,noatime,space_cache,commit=120,compress=zstd:1,discard=async/' /etc/fstab
sudo sed -i 's/subvol=home/subvol=@home,ssd,noatime,space_cache,commit=120,compress=zstd:1,discard=async/' /etc/fstab
sudo echo "UUID=${PARTITIONUUID} /btrfs_pool             btrfs   subvolid=5,ssd,noatime,space_cache,commit=120,compress=zstd:1,discard=async,x-systemd.device-timeout=0   0 0" | sudo tee -a /etc/fstab
sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
sudo dnf -y install timeshift

#Randomize MAC address
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
EOF

#Disable transient hostname
sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'
[main]
hostname-mode=none
EOF

sudo systemctl restart NetworkManager
sudo hostnamectl hostname "localhost"

## The script is done. You can also remove gnome-terminal since gnome-console will replace it.
Add files via upload 2021-03-12 23:47:43 -05:00			`#!/bin/bash`

			`#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead`
			`#Customize it to your liking`
Remove flatpak repo and packages Signed-off-by: Tommy <contact@tommytran.io> 2023-06-03 01:46:52 -04:00			`#Run this script as your admin user, NOT root`
Add files via upload 2021-03-12 23:47:43 -05:00
			`#Variables`
			`USER=$(whoami)`
			`PARTITIONID=$(sudo cat /etc/crypttab \| awk '{print $1}')`
Change Mojave-CT repo 2021-08-13 08:36:26 -04:00			`PARTITIONUUID=$(sudo blkid -s UUID -o value /dev/mapper/"${PARTITIONID}")`
Add files via upload 2021-03-12 23:47:43 -05:00
Added Anbox Support 2021-03-13 08:41:20 -05:00			`output(){`
			`echo -e '\e[36m'$1'\e[0m';`
			`}`

Add files via upload 2021-03-12 23:47:43 -05:00			`#Moving to the home directory`
			`#Note that I always use /home/${USER} because gnome-terminal is wacky and sometimes doesn't load the environment variables in correctly (Right click somewhere in nautilus, click on open in terminal, then hit create new tab and you will see.)`
Change Mojave-CT repo 2021-08-13 08:36:26 -04:00			`cd /home/"${USER}" \|\| exit`
Add files via upload 2021-03-12 23:47:43 -05:00
			`#Setting umask to 077`
			`umask 077`
			`sudo sed -i 's/umask 002/umask 077/g' /etc/bashrc`
			`sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc`

Update Fedora-WorkStation-33.sh 2021-04-04 05:13:24 -04:00			`#Make home directory private`
Update Fedora-WorkStation-33.sh 2021-04-04 08:48:15 -04:00			`chmod 700 /home/*`
Update Fedora-WorkStation-33.sh 2021-04-04 05:13:24 -04:00
Update Fedora-WorkStation-33.sh 2021-04-14 21:15:11 -04:00			`#Security kernel settings`
Update to Fedora 38 Signed-off-by: Tommy <contact@tommytran.io> 2023-06-03 00:32:37 -04:00			`sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf`
			`sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf`
			`sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf`
			`sudo curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc_kexec-disable.conf -o /etc/sysctl.d/30_security-misc_kexec-disable.conf`
Update Fedora-WorkStation-33.sh 2021-04-04 05:59:54 -04:00
Additional hardening Signed-off-by: Tommy <contact@tommytran.io> 2022-12-01 14:59:49 -05:00			`#Systemd Hardening`
Update to Fedora 38 Signed-off-by: Tommy <contact@tommytran.io> 2023-06-03 00:32:37 -04:00			`sudo mkdir -p /etc/systemd/system/NetworkManager.service.d`
			`sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf -o /etc/systemd/system/NetworkManager.service.d/99-brace.conf`
			`sudo mkdir -p /etc/systemd/system/irqbalance.service.d`
			`sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf -o /etc/systemd/system/irqbalance.service.d/99-brace.conf`
			`sudo mkdir -p /etc/systemd/system/sshd.service.d`
			`sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf`
Additional hardening Signed-off-by: Tommy <contact@tommytran.io> 2022-12-01 14:59:49 -05:00
Add ssh_config configurations Signed-off-by: Tommy <contact@tommytran.io> 2023-01-18 07:11:30 -05:00			`echo "GSSAPIAuthentication no" \| sudo tee /etc/ssh/ssh_config.d/10-custom.conf`
			`echo "VerifyHostKeyDNS yes" \| sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf`

Add NTS Signed-off-by: Tommy <contact@tommytran.io> 2022-11-20 16:55:46 -05:00			`#Setup NTS`
			`rm -rf /etc/chrony/chrony.conf`
			`curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf`

Add files via upload 2021-03-12 23:47:43 -05:00			`#Setup Firewalld`
			`sudo firewall-cmd --permanent --remove-port=1025-65535/udp`
			`sudo firewall-cmd --permanent --remove-port=1025-65535/tcp`
			`sudo firewall-cmd --permanent --remove-service=mdns`
			`sudo firewall-cmd --permanent --remove-service=ssh`
			`sudo firewall-cmd --permanent --remove-service=samba-client`
			`sudo firewall-cmd --reload`

			`#Speed up DNF`
			`sudo echo 'fastestmirror=1' \| sudo tee -a /etc/dnf/dnf.conf`
			`sudo echo 'deltarpm=true' \| sudo tee -a /etc/dnf/dnf.conf`
Update Fedora-Workstation-36.sh Signed-off-by: Tommy <contact@tommytran.io> 2022-11-18 22:07:53 -05:00			`sudo echo 'countme=false' \| sudo tee -a /etc/dnf/dnf.conf`
Add files via upload 2021-03-12 23:47:43 -05:00
			`#Update packages and firmware`
			`sudo dnf upgrade -y`
			`sudo fwupdmgr get-devices`
			`sudo fwupdmgr refresh --force`
Update Fedora-WorkStation-33.sh 2021-04-04 10:22:57 -04:00			`sudo fwupdmgr get-updates -y`
Minor Fixes 2021-03-14 06:43:41 -04:00			`sudo fwupdmgr update -y`
Add files via upload 2021-03-12 23:47:43 -05:00
			`#Remove unneeded packages`
Remove anthy 2023-06-03 03:34:33 -04:00			sudo dnf -y remove abrt nm-connection-editor mozilla-filesystem chrome-gnome-shell quota* nmap-ncat virtualbox-guest-additions spice-vdagent nfs-utils teamd tcpdump sgpio ImageMagick* adcli libreoffice* lvm2 qemu-guest-agent hyperv* gnome-classic* baobab kkc zhuyin pinyin evince yelp ModemManager fedora-bookmarks fedora-chromium-config gnome-tour gnome-themes-extra gnome-shell-extension-background-logo gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome podman* libvirt open-vm* speech sos totem gnome-characters firefox eog openssh-server dmidecode xorg-x11-drv-vmware xorg-x11-drv-amdgpu yajl words ibus-hangui vino openh264 realmd rsync net-snmp-libs net-tools traceroute mtr geolite2* gnome-boxes gnome-disk-utility gedit gnome-calendar cheese gnome-contacts rhythmbox gnome-screenshot gnome-maps gnome-weather gnome-logs ibus-typing-booster m17n gnome-clocks gnome-color-manager mlocate cyrus-sasl-plain cyrus-sasl-gssapi sssd* gnome-user* dos2unix kpartx rng-tools ppp* thermald perl gnome-shell-extension-apps-menu gnome-shell-extension-horizontal-workspaces gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list file-roller* sane* simple-scan hangul mediawriter anthy
Update Fedora-WorkStation-33.sh 2021-04-06 06:02:35 -04:00
Add files via upload 2021-03-12 23:47:43 -05:00			`#Disable openh264 repo`
			`sudo dnf config-manager --set-disabled fedora-cisco-openh264 -y`

			`#Install packages that I use`
Remove unnecessary customizations 2023-06-03 03:34:06 -04:00			`sudo dnf -y install gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo setroubleshoot`
Add files via upload 2021-03-12 23:47:43 -05:00
			`#Enable auto TRIM`
			`sudo systemctl enable fstrim.timer`

			`#Enable Titlebar buttons`
			`gsettings set org.gnome.desktop.wm.preferences button-layout 'appmenu:minimize,maximize,close'`

			`#Setup BTRFS layout and Timeshift`
			`sudo mkdir /btrfs_pool`
			`sudo mount -o subvolid=5 /dev/mapper/${PARTITIONID} /btrfs_pool`
			`sudo mv /btrfs_pool/root /btrfs_pool/@`
			`sudo mv /btrfs_pool/home /btrfs_pool/@home`
			`sudo btrfs subvolume list /btrfs_pool`
Update Fedora-WorkStation-33.sh Comment out Anbox's installation 2021-04-04 00:57:55 -04:00			`sudo sed -i 's/subvol=root/subvol=@,ssd,noatime,space_cache,commit=120,compress=zstd:1,discard=async/' /etc/fstab`
			`sudo sed -i 's/subvol=home/subvol=@home,ssd,noatime,space_cache,commit=120,compress=zstd:1,discard=async/' /etc/fstab`
			`sudo echo "UUID=${PARTITIONUUID} /btrfs_pool btrfs subvolid=5,ssd,noatime,space_cache,commit=120,compress=zstd:1,discard=async,x-systemd.device-timeout=0 0 0" \| sudo tee -a /etc/fstab`
Add files via upload 2021-03-12 23:47:43 -05:00			`sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg`
			`sudo dnf -y install timeshift`

			`#Randomize MAC address`
			`sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'`
			`[device]`
			`wifi.scan-rand-mac-address=yes`

			`[connection]`
			`wifi.cloned-mac-address=random`
			`ethernet.cloned-mac-address=random`
Clean up Signed-off-by: Tommy <contact@tommytran.io> 2022-09-11 04:16:03 -04:00			`EOF`

			`#Disable transient hostname`
			`sudo bash -c 'cat > /etc/NetworkManager/conf.d/00-macrandomize.conf' <<-'EOF'`
			`[main]`
			`hostname-mode=none`
Add files via upload 2021-03-12 23:47:43 -05:00			`EOF`

			`sudo systemctl restart NetworkManager`
Clean up Signed-off-by: Tommy <contact@tommytran.io> 2022-09-11 04:16:03 -04:00			`sudo hostnamectl hostname "localhost"`
Remove unnecessary customizations 2023-06-03 03:34:06 -04:00
			`## The script is done. You can also remove gnome-terminal since gnome-console will replace it.`