#!/bin/bash
#Please note that this is how I PERSONALLY set up my computer - for example, I don't use anything that downloads GNOME extensions from extensions.gnome.org; I install the extensions as packages instead
#Customize it to your liking
#Run this script as your admin user, NOT root
#Variables
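USER=$(whoami)
# Name of the LUKS mapping: first field of the first real (non-comment,
# non-blank) /etc/crypttab entry. The old `sudo cat | awk '{print $1}'`
# printed the first field of EVERY line, so a comment line or a second
# entry produced a multi-line value and broke every /dev/mapper/... path below.
PARTITIONID=$(sudo awk '!/^[[:space:]]*#/ && NF { print $1; exit }' /etc/crypttab)
# Filesystem UUID inside the opened container; used for the /btrfs_pool fstab entry.
PARTITIONUUID=$(sudo blkid -s UUID -o value "/dev/mapper/${PARTITIONID}")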
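#######################################
# Print a message in cyan on stdout. (Defined as a helper; nothing in this
# script calls it yet.)
# Arguments: the message words, joined with single spaces
# Outputs:   ESC[36m <message> ESC[0m followed by a newline
#######################################
output() {
  # printf instead of `echo -e` with an unquoted $1: echo's -e handling is not
  # portable, and the unquoted expansion word-split and globbed the message.
  printf '\e[36m %s \e[0m\n' "$*"
}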
# Moving to the home directory
#Note that I always use /home/${USER} because gnome-terminal is flaky and sometimes doesn't load the environment variables correctly (right-click somewhere in Nautilus, click "Open in Terminal", then create a new tab and you will see).
# Work from the home directory; abort if it is not reachable (see the comment above
# on why the path is spelled out rather than taken from the environment).
cd "/home/${USER}" || exit
# Setting umask to 077
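# Private-by-default files for the rest of this script (note: every file the
# script creates via sudo from here on is also created 0600 unless a mode is set).
umask 077
# Make 077 the default for every bash session: rewrite the 022 entries that are
# there, and append an explicit top-level setting once so a re-run of the script
# does not keep adding duplicate lines.
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
if ! grep -q '^umask 077' /etc/bashrc; then
  echo "umask 077" | sudo tee -a /etc/bashrc
fi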
# Make home directory private
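# The script runs as the admin user, not root, so only entries this user owns
# can be changed anyway; skip the others instead of printing
# "Operation not permitted" for every other user's home.
for home_entry in /home/*; do
  [[ -O "$home_entry" ]] || continue
  chmod 700 -- "$home_entry"
done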
# Setup NTS
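# Replace chrony's config with the GrapheneOS one (NTS-authenticated servers).
# Download to a temp file first: the old `rm -rf` + `curl -o` left the system
# without any chrony.conf when the download failed, and without -f curl saved an
# HTTP error page as the config. TLS is the only integrity check on this file
# (unpinned 'main' branch), so review it after the first run.
chrony_conf_url='https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf'
chrony_tmp=$(mktemp) || exit 1
if curl -fsSL --proto '=https' -o "$chrony_tmp" "$chrony_conf_url"; then
  # Explicit mode: umask 077 is in force, so a plain copy would be 0600 root.
  sudo install -m 644 -o root -g root "$chrony_tmp" /etc/chrony/chrony.conf
else
  printf 'warning: could not download chrony.conf, keeping the existing one\n' >&2
fi
rm -f -- "$chrony_tmp"
# -F 1 turns on chronyd's seccomp system-call filter.
printf '# Command-line options for chronyd\nOPTIONS="-F 1"\n' | sudo tee /etc/sysconfig/chronyd
sudo systemctl restart chronyd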
# Setup Networking
# Hide the machine name: static hostname "localhost" and no transient hostname.
sudo hostnamectl hostname localhost
sudo hostnamectl --transient hostname ''
# Default zone "block" drops unsolicited inbound connections; the DHCPv6 client
# service is re-opened so IPv6 address assignment keeps working.
fw_zone=block
sudo firewall-cmd --set-default-zone="$fw_zone"
sudo firewall-cmd --permanent --add-service=dhcpv6-client
sudo firewall-cmd --reload
# Lockdown is meant to stop local applications from changing the firewall.
sudo firewall-cmd --lockdown-on
# Harden SSH
# Client-side ssh defaults: no GSSAPI auth, and consult SSHFP DNS records when
# checking host keys.
sudo tee /etc/ssh/ssh_config.d/10-custom.conf <<'EOF'
GSSAPIAuthentication no
VerifyHostKeyDNS yes
EOF
# umask 077 is in force, so the file was created 0600; ssh config must be
# readable by every user.
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
# Security kernel settings
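# Pull Kicksecure's security-misc modprobe/sysctl snippets. Unpinned 'master':
# what gets installed is whatever the branch holds on the day this runs, and
# TLS is the only integrity check, so review the fetched files before rebooting.
security_misc_base='https://raw.githubusercontent.com/Kicksecure/security-misc/master'
security_misc_tmp=$(mktemp) || exit 1
for conf_rel in \
  etc/modprobe.d/30_security-misc.conf \
  etc/sysctl.d/30_security-misc.conf \
  etc/sysctl.d/30_silent-kernel-printk.conf \
  etc/sysctl.d/30_security-misc_kexec-disable.conf; do
  # -f: never save an HTTP error page as a sysctl file; --proto '=https': no
  # downgrade to plain http via redirect. install -m 644 overrides the umask 077
  # set earlier so the files stay world-readable like distro-shipped ones.
  if curl -fsSL --proto '=https' -o "$security_misc_tmp" "${security_misc_base}/${conf_rel}"; then
    sudo install -m 644 "$security_misc_tmp" "/${conf_rel}"
  else
    printf 'warning: failed to download %s\n' "$conf_rel" >&2
  fi
done
rm -f -- "$security_misc_tmp"
# Relax Yama from 2 (only CAP_SYS_PTRACE may attach) to 1 (a process may only
# ptrace its own descendants) so ordinary debugging keeps working.
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=1/g' /etc/sysctl.d/30_security-misc.conf
# sysctl.d is read at boot; `sudo sysctl --system` would apply it right away.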
# Systemd Hardening
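# Install the "brace" drop-ins (presumably hardening directives - see the brace
# project) for the NetworkManager and irqbalance units.
brace_base='https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system'
brace_tmp=$(mktemp) || exit 1
for unit in NetworkManager irqbalance; do
  dropin_dir="/etc/systemd/system/${unit}.service.d"
  sudo mkdir -p "$dropin_dir"
  # -f: do not save an HTTP error page as a unit drop-in; --proto '=https': no
  # downgrade to plain http via redirect. Unpinned 'master' branch, TLS is the
  # only integrity check. install -m 644 overrides the umask 077 set earlier.
  if curl -fsSL --proto '=https' -o "$brace_tmp" "${brace_base}/${unit}.service.d/99-brace.conf"; then
    sudo install -m 644 "$brace_tmp" "${dropin_dir}/99-brace.conf"
  else
    printf 'warning: failed to download brace drop-in for %s\n' "$unit" >&2
  fi
done
rm -f -- "$brace_tmp"
# New drop-ins are only seen after a daemon-reload; without it the restarts
# below would bring the units back up with their old configuration.
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
sudo systemctl restart irqbalance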
# Disable automount
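# System-wide dconf default: no automount of removable media, and lock both
# keys so a user session cannot flip them back. The locks directory is not
# guaranteed to exist, hence the mkdir -p. Takes effect only if the user dconf
# profile includes system-db:local - verify /etc/dconf/profile/user.
sudo mkdir -p /etc/dconf/db/local.d/locks
printf '[org/gnome/desktop/media-handling]\nautomount=false\nautomount-open=false\n' \
  | sudo tee /etc/dconf/db/local.d/automount-disable
printf 'org/gnome/desktop/media-handling/automount\norg/gnome/desktop/media-handling/automount-open\n' \
  | sudo tee /etc/dconf/db/local.d/locks/automount-disable
sudo dconf update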
# Speed up DNF
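# fastestmirror=1 picks mirrors by latency; countme=false opts out of Fedora's
# countme user-count beacon. Each option is appended once so a re-run does not
# duplicate it. Assumes [main] is the last section in dnf.conf, as shipped.
for dnf_opt in 'fastestmirror=1' 'countme=false'; do
  grep -qxF -- "$dnf_opt" /etc/dnf/dnf.conf || printf '%s\n' "$dnf_opt" | sudo tee -a /etc/dnf/dnf.conf
done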
# Update packages and firmware
# Full package upgrade, then firmware: list devices, refresh metadata, list and
# apply updates. fwupdmgr exits non-zero when there is nothing to do; the script
# does not run under set -e, so that is harmless here.
sudo dnf -y upgrade
fwupd=(sudo fwupdmgr)
"${fwupd[@]}" get-devices
"${fwupd[@]}" refresh --force
"${fwupd[@]}" get-updates -y
"${fwupd[@]}" update -y
# Remove unneeded packages
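# Package list as an array. The old form put `#comment` lines inside a
# backslash-continued command: after line joining the first `#` ended the
# command, so only the first line of packages was ever removed and every later
# line ran as a command of its own; `ModemManager\` with no space before the
# next line also fused into `ModemManager#Remove`. Globs are quoted so dnf
# matches them against package names instead of the shell matching them
# against files in the current directory. With -y there is no confirmation
# prompt, and patterns such as '*perl*' and 'sssd*' are wide - check the
# transaction output. lvm2 removal assumes no LVM volumes are in use.
remove_pkgs=(
  fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
  # Network + hardware tools
  cups nmap-ncat nfs-utils openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd 'geolite2*' mtr dmidecode sgpio
  # Support for some languages and spelling
  ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*kkc*' '*m17n*' '*hangul*' '*anthy*' words
  # Codec + image + printers
  openh264 'ImageMagick*' 'sane*' simple-scan
  # Active Directory + sysadmin + reporting tools
  'sssd*' realmd adcli cyrus-sasl-plain cyrus-sasl-gssapi mlocate 'quota*' dos2unix kpartx sos abrt
  # VM and virtual stuff
  'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
  # NetworkManager
  NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome 'ppp*' ModemManager
  # Gnome apps
  gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts
  gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem
  gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-horizontal-workspaces gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list
  'gnome-classic*' 'gnome-user*' chrome-gnome-shell
  # Apps
  rhythmbox '*yelp*' '*evince*' 'libreoffice*' cheese gedit 'file-roller*' mediawriter
  # Other
  lvm2 rng-tools thermald '*perl*' yajl
)
sudo dnf -y remove "${remove_pkgs[@]}"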
# Disable openh264 repo
# The openh264 package was removed above; disable its repo as well.
sudo dnf -y config-manager --set-disabled fedora-cisco-openh264
# Install packages that I use
# Terminal, git, theme and the GNOME shell extensions installed as packages
# (rather than fetched from extensions.gnome.org).
install_pkgs=(
  gnome-console
  git-core
  flat-remix-theme
  gnome-shell-extension-appindicator
  gnome-shell-extension-blur-my-shell
  gnome-shell-extension-background-logo
  gnome-shell-extension-dash-to-dock
  gnome-shell-extension-no-overview
)
sudo dnf -y install "${install_pkgs[@]}"
# Enable auto TRIM
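# --now starts the timer immediately as well as at boot; plain `enable` left it
# stopped until the next reboot.
sudo systemctl enable --now fstrim.timer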
# Setup BTRFS layout and Timeshift
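# Rename the root/home subvolumes to the @/@home layout that Timeshift's BTRFS
# mode looks for, and mount the top-level subvolume (id 5) at /btrfs_pool.
# Both variables come from the crypttab/blkid lookups at the top of the script;
# an empty value would otherwise edit fstab against a filesystem that was never
# mounted and leave the system unbootable, so abort early instead.
: "${PARTITIONID:?no LUKS mapping found in /etc/crypttab}"
: "${PARTITIONUUID:?blkid returned no filesystem UUID for /dev/mapper/${PARTITIONID}}"
btrfs_opts='ssd,noatime,space_cache,commit=120,compress=zstd:1,discard=async'
sudo mkdir -p /btrfs_pool
# Stop here if the mount fails: the mv/sed/fstab steps below must not run
# against an empty /btrfs_pool.
sudo mount -o subvolid=5 "/dev/mapper/${PARTITIONID}" /btrfs_pool || exit 1
sudo mv /btrfs_pool/root /btrfs_pool/@
sudo mv /btrfs_pool/home /btrfs_pool/@home
sudo btrfs subvolume list /btrfs_pool
sudo sed -i "s/subvol=root/subvol=@,${btrfs_opts}/" /etc/fstab
sudo sed -i "s/subvol=home/subvol=@home,${btrfs_opts}/" /etc/fstab
# Append the pool mount once; a re-run must not add a second entry.
if ! grep -q ' /btrfs_pool ' /etc/fstab; then
  printf 'UUID=%s /btrfs_pool btrfs subvolid=5,%s,x-systemd.device-timeout=0 0 0\n' \
    "$PARTITIONUUID" "$btrfs_opts" | sudo tee -a /etc/fstab
fi
sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
sudo dnf -y install timeshift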
# Randomize MAC address
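# NetworkManager: random MAC while scanning for Wi-Fi, and a fresh random MAC
# on every Wi-Fi and Ethernet connection.
sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf >/dev/null <<'EOF'
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
EOF
# conf.d is read when NetworkManager starts; the restart earlier in this script
# ran before this file existed, so restart once more to apply it.
sudo systemctl restart NetworkManager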
## The script is done. You can also remove gnome-terminal since gnome-console will replace it.