diff --git a/GCP-Debian-11.sh b/GCP-Debian-11.sh
index bc7a0c9..53404aa 100644
--- a/GCP-Debian-11.sh
+++ b/GCP-Debian-11.sh
@@ -22,9 +22,17 @@ unpriv(){
 sudo -u nobody "$@"
 }
-# Compliance
+# Compliance and updates
 sudo systemctl mask debug-shell.service
+## Avoid phased updates
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+
+sudo apt update
+sudo apt full-upgrade -y
+sudo apt autoremove -y
+
 # Make home directory private
 sudo chmod 700 /home/*
@@ -36,10 +44,6 @@ sudo systemctl restart chronyd
 # Setup repositories
 sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {} \;
-# Update and install packages
-sudo apt update
-sudo apt upgrade -y
-
 # Setup ufw
 sudo apt install ufw -y
 sudo ufw enable
diff --git a/Proxmox-8.sh b/Proxmox-8.sh
index f89f655..071a2ab 100644
--- a/Proxmox-8.sh
+++ b/Proxmox-8.sh
@@ -20,9 +20,17 @@ output(){
 echo -e '\e[36m'"$1"'\e[0m';
 }
-# Compliance
+# Compliance and updates
 systemctl mask debug-shell.service
+## Avoid phased updates
+curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+
+apt update
+apt full-upgrade -y
+apt autoremove -y
+
 # Setup NTS
 rm -rf /etc/chrony/chrony.conf
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | tee /etc/chrony/chrony.conf
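Review bot: The `unpriv curl … | sudo tee /etc/apt/apt.conf.d/99sane-upgrades` line writes whatever curl returns into apt's configuration directory without checking that the fetch succeeded: a 404 body or a truncated response lands in the file, and the `sudo apt update` / `sudo apt full-upgrade -y` a few lines later will either run without the intended options or fail on a config-parse error, with nothing in the hunk (and no `set -o pipefail` visible) to stop the script. Use `unpriv curl -fsSL …` so a non-2xx response produces no output, and check the result before continuing, e.g. `[ -s /etc/apt/apt.conf.d/99sane-upgrades ] || exit 1`. The same unchecked fetch appears in the Proxmox-8.sh, Ubuntu-22.04-Server.sh and Ubuntu-23.10-Desktop.sh hunks. Because the file is pulled from the moving `main` branch at run time, pinning the URL to a commit (or shipping the file alongside the scripts) would make the resulting apt configuration reproducible rather than whatever the branch holds when the script happens to run.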
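Review bot: The new fetch in Proxmox-8.sh uses `sudo tee` although every other command in this hunk (`systemctl mask`, `chmod`, `apt update`) and the neighbouring `curl … | tee /etc/chrony/chrony.conf` run directly as root; as far as I know a stock Proxmox VE host does not ship `sudo`, so this line would presumably fail with "command not found" and leave the config file absent while the later `apt` steps carry on. Drop the `sudo` to match the rest of the script: `curl -fsSL https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | tee /etc/apt/apt.conf.d/99sane-upgrades`. Unlike the GCP and Ubuntu scripts this one also runs curl as root rather than through an unprivileged helper; if an `unpriv`-style helper exists elsewhere in the file, using it here would keep the download parser out of the root process.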
@@ -56,10 +64,8 @@ deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /
 echo 'deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription' | tee /etc/apt/sources.list.d/ceph.list
-# Update and install packages
-apt update
-apt upgrade -y
-apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs
+# Install packages
+apt install -y intel-microcode tuned fwupd dropbear-initramfs
 ### This part assumes that you are using systemd-boot
 echo -e "spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on extra_latent_entropy debugfs=off $(cat /etc/kernel/cmdline)" > /etc/kernel/cmdline
diff --git a/Ubuntu-22.04-Server.sh b/Ubuntu-22.04-Server.sh
index 1bc9302..48dbd5e 100644
--- a/Ubuntu-22.04-Server.sh
+++ b/Ubuntu-22.04-Server.sh
@@ -29,9 +29,14 @@ sudo systemctl mask debug-shell.service
 echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue
 echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net
+## Avoid phased updates
+sudo apt install -y curl
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+
 sudo apt update -y
 sudo apt full-upgrade -y
-sudo apt install -y curl
+sudo apt autoremove -y
 # Default to gcc-12 instead of gcc-11
 sudo rm /usr/bin/gcc
diff --git a/Ubuntu-23.10-Desktop.sh b/Ubuntu-23.10-Desktop.sh
index 4e87492..ff33883 100644
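Review bot: With `apt update` removed here, `apt install -y intel-microcode tuned fwupd dropbear-initramfs` now runs against package lists that were last refreshed by the `apt update` near the top of Proxmox-8.sh, i.e. before the `pve` and `ceph` sources files in the lines just above this change were written, so anything that must come from those repositories is not visible to it; unless a later `apt update` exists outside this hunk, keep a refresh immediately before the install. Dropping `--no-install-recommends` also makes the install depend on `APT::Get::Install-Recommends "false"` from the downloaded 99sane-upgrades file; if that download failed earlier in the script, recommends are pulled in silently, so keeping the flag costs nothing and states the intent explicitly. Suggested lines: `apt update` followed by `apt install -y --no-install-recommends intel-microcode tuned fwupd dropbear-initramfs`.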
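Review bot: In Ubuntu-22.04-Server.sh, `sudo apt install -y curl` has moved ahead of the script's first `sudo apt update -y`, so on an image whose package lists are stale or absent the install can fail to find a candidate, and the `unpriv curl` line that depends on it would then write nothing useful into /etc/apt/apt.conf.d; the same ordering appears in the Ubuntu-23.10-Desktop.sh hunk (`sudo apt install curl -y`). The phased-update option in 99sane-upgrades affects which upgrade candidates apt picks, not the index fetch itself, so I would expect moving `sudo apt update -y` above the `## Avoid phased updates` block to be harmless; alternatively make the install conditional, `command -v curl >/dev/null || sudo apt install -y curl`. Whether this matters in practice depends on curl already being part of the base image, which I can't confirm from the diff.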
--- a/Ubuntu-23.10-Desktop.sh
+++ b/Ubuntu-23.10-Desktop.sh
@@ -27,6 +27,11 @@ unpriv(){
 # Compliance and updates
 sudo systemctl mask debug-shell.service
+## Avoid phased updates
+sudo apt install curl -y
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
+
 sudo apt update -y
 sudo apt full-upgrade -y
 sudo apt autoremove -y
@@ -43,7 +48,7 @@ echo 'umask 077' | sudo tee --append /etc/profile
 # Setup NTS
 sudo systemctl disable systemd-timesyncd
-sudo apt install -y curl chrony
+sudo apt install -y chrony
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
 sudo systemctl restart chronyd
diff --git a/etc/apt/apt.conf.d/99sane-upgrades b/etc/apt/apt.conf.d/99sane-upgrades
new file mode 100644
index 0000000..8421378
--- /dev/null
+++ b/etc/apt/apt.conf.d/99sane-upgrades
@@ -0,0 +1,5 @@
+Update-Manager::Always-Include-Phased-Updates;
+APT::Get::Always-Include-Phased-Updates;
+APT::Get::Upgrade-Allow-New;
+APT::Get::Install-Recommends "false";
+APT::Get::Install-Suggests "false";
\ No newline at end of file
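Review bot: `Update-Manager::Always-Include-Phased-Updates;`, `APT::Get::Always-Include-Phased-Updates;` and `APT::Get::Upgrade-Allow-New;` in the new 99sane-upgrades file are written without a value, whereas apt.conf(5) documents these boolean options as `Name "true";` and the two `Install-*` lines in the same file use that form; as far as I recall apt's boolean lookup returns the option's default (false here) when the stored value is empty, so the phased-update behaviour this commit exists to enable may not take effect at all. Write them as `APT::Get::Always-Include-Phased-Updates "true";` (and likewise for the other two) and verify on a host with `apt-config dump | grep -i phased`. Adding the missing trailing newline would also avoid the `\ No newline at end of file` marker on every future change to this file.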