diff --git a/GCP-Debian-11.sh b/GCP-Debian-11.sh
index 21f5f6e..da27d63 100644
--- a/GCP-Debian-11.sh
+++ b/GCP-Debian-11.sh
@@ -10,7 +10,7 @@ sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {
 sudo apt update
 sudo apt upgrade -y
-sudo apt install -y --no-install-recommends tuned unbound ufw
+sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
 sudo ufw enable
 sudo ufw allow 22/tcp
@@ -20,6 +20,7 @@ sudo tuned-adm profile virtual-guest
 echo 'server:
 trust-anchor-signaling: yes
 root-key-sentinel: yes
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 hide-identity: yes
 hide-trustanchor: yes
@@ -86,6 +87,7 @@ BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
 BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
 sudo systemctl restart unbound
+sudo systemctl disable --now systemd-resolved
 sudo mkdir -p /etc/systemd/system/sshd.service.d
 sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/limits.conf -o /etc/systemd/system/sshd.service.d/limits.conf
@@ -107,4 +109,4 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
 echo "* hard core 0" | tee -a /etc/security/limits.conf
 # Enable fstrim.timer
-sudo ystemctl enable --now fstrim.timer
\ No newline at end of file
+sudo ystemctl enable --now fstrim.timer
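Review bot: In the `@@ -20,6 +20,7 @@` hunk, the added `tls-cert-bundle` only matters for upstreams that are actually forwarded over TLS, and nothing visible here shows a `forward-zone` with `forward-tls-upstream: yes`. The rest of the `echo 'server: …'` config lies outside the hunk, so that may already be present. If it is, each `forward-addr` should use the `@853#hostname` form, because Unbound accepts any certificate name when the `#name` part is left out. A comment line inside the config such as `# CA bundle used to authenticate DNS-over-TLS upstreams` would record why the option is set.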
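Review bot: In the `@@ -86,6 +87,7 @@` hunk, `systemd-resolved` is disabled unconditionally right after `sudo systemctl restart unbound`, with no check that Unbound came up with the new config and override. If the restart failed, the host is left without a working resolver and the `curl` downloads that follow cannot resolve their hosts; whether the script aborts at that point depends on shell options set outside this hunk. Gating the line, e.g. `sudo systemctl is-active --quiet unbound && sudo systemctl disable --now systemd-resolved`, keeps the old resolver until the replacement is confirmed running. A comment such as `# Unbound is the local resolver from here on; stop systemd-resolved` would explain the ordering.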
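Review bot: In the `@@ -107,4 +109,4 @@` hunk, the re-added last line still reads `sudo ystemctl enable --now fstrim.timer`; the change only adds the trailing newline, so the command is not found and `fstrim.timer` is never enabled. It should be `sudo systemctl enable --now fstrim.timer`. The context line `echo "* hard core 0" | tee -a /etc/security/limits.conf` also runs `tee` without `sudo`, unlike the `sudo tee` used for `override.conf`, so the core-dump limit is presumably not written when the script runs as a regular user; `| sudo tee -a /etc/security/limits.conf` would match the rest of the script.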