mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-22 01:21:33 -05:00


No commits in common. "1ab3c4de47a6fe7bbd8970810fdfe35e554748dc" and "5cc40052cc24838715001e2f93ea690f7495de7c" have entirely different histories.

5 changed files with 28 additions and 48 deletions


@ -11,11 +11,11 @@ sudo find /etc/apt/sources.list.d -type f -exec sudo sed -i 's/http:/https:/g' {
# Update and install packages
sudo apt update
sudo apt upgrade -y
sudo apt install -y --no-install-recommends tuned unbound resolvconf ufw
# Setup ufw
sudo apt install ufw -y
sudo ufw enable
sudo ufw allow OpenSSH
sudo ufw allow 22/tcp
# Harden SSH
echo 'GSSAPIAuthentication no
@ -42,9 +42,6 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
echo "* hard core 0" | tee -a /etc/security/limits.conf
# Setup unbound
sudo apt instal unbound resolvconf -y
echo 'server:
trust-anchor-signaling: yes
root-key-sentinel: yes
@ -115,7 +112,6 @@ sudo systemctl restart unbound
sudo systemctl disable --now systemd-resolved
# Setup tuned
sudo dnf install tuned -y
sudo tuned-adm profile virtual-guest
# Enable fstrim.timer
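Review bot: The `echo "* hard core 0" | tee -a /etc/security/limits.conf` line at the top of the `# Setup unbound` hunk has no `sudo` on `tee`, so if the script is run as a non-root user (as the `sudo` on every other command suggests) the write is refused and the core-dump limit is never applied. It should read `echo "* hard core 0" | sudo tee -a /etc/security/limits.conf`. The Ubuntu Pro Minimal script further down this page has the same gap on `rm -rf /etc/chrony/chrony.conf`, on `mkdir -p /etc/systemd/system/fwupd-refresh.service.d` and on the `tee` that writes the fwupd `override.conf`. The `+`/`-` markers are lost on this page, so these look like unchanged context lines rather than lines this comparison adds.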


@ -21,13 +21,12 @@ systemctl restart sshd
# Setup repositories
sed -i '1 {s/^/#/}' /etc/apt/sources.list.d/pve-enterprise.list
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
echo 'deb https://deb.debian.org/debian/ bookworm main contrib non-free
deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
# security updates
deb https://security.debian.org bookworm-security main contrib non-free
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription' | tee /etc/apt/sources.list
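Review bot: Two of the `deb` entries written to /etc/apt/sources.list use plain `http://` (the `debian-security` line and the `download.proxmox.com` line) while every other entry is `https://`. APT's signature verification still protects package integrity, but cleartext fetches expose which packages and versions the host pulls to anyone on the path, and the Debian script on this page already rewrites `http:` to `https:` in its sources. Suggest `deb https://download.proxmox.com/debian/pve bookworm pve-no-subscription` once it is confirmed that the host serves HTTPS, and the same scheme for whichever security-repository line is kept. The markers are lost here, so it is unclear which of the duplicated `deb` lines belong to the new side.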


@ -49,10 +49,10 @@ sudo curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/s
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Install packages
sudo dnf install tuned unbound yara -y
# Setup unbound
sudo dnf install unbound -y
echo 'server:
chroot: ""
@ -113,8 +113,6 @@ LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.c
sudo systemctl enable --now unbound
# Setup yara
sudo dnf install -y yara
sudo insights-client --collector malware-detection
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
@ -123,16 +121,7 @@ sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-d
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
#Setup fwupd
sudo dnf install fwupd -y
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
echo '[Service]
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
# Setup tuned
sudo dnf install tuned -y
sudo tuned-adm profile virtual-guest
# Enable fstrim.timer
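Review bot: Nothing confirms that the `sed` switching `test_scan: true` to `test_scan: false` in /etc/insights-client/malware-detection-config.yml actually changed the file. If `sudo insights-client --collector malware-detection` fails (for example on a host that is not registered) or the key is written differently in a later release, the script carries on and the collector stays in test mode, so no real scan runs. A check straight after the `sed`, such as `sudo grep -q 'test_scan: false' /etc/insights-client/malware-detection-config.yml || exit 1`, would surface that. The `sed` sits in the `# Setup yara` hunk and is repeated in the next hunk header; whether a later, non-test collector run follows is outside the visible lines.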


@ -1,15 +1,13 @@
#!/bin/bash
#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
##The script assumes you already have Ubuntu Pro activated
#Customize it to your liking
#Run this script as your admin user, NOT root
#Compliance and updates
# Compliance
sudo ua enable usg
sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y usg
sudo apt autoremove -y
sudo usg fix cis_level2_server
sudo usg fix cis_level2_workstation
# Remove AIDE
sudo apt purge -y aide*
@ -24,6 +22,9 @@ sudo sed -ie '/^UMASK\s\+/ s/022/077/' /etc/login.defs
sudo sed -i 's/USERGROUPS_ENAB yes/USERGROUPS_ENAB no/g' /etc/login.defs
echo "umask 077" | sudo tee --append /etc/profile
# Make sure the system has curl (minimal installs do not include it)
sudo apt install -y curl
# Setup NTS
sudo systemctl disable systemd-timesyncd
sudo apt install -y chrony
@ -113,5 +114,4 @@ EOF
sudo systemctl restart NetworkManager
# Enable fstrim.timer
sudo apt install tuned -y
sudo systemctl enable --now fstrim.timer
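Review bot: `sudo apt purge -y aide*` in the first hunk passes an unquoted glob, so the shell expands it against the current directory before apt sees it. If the script is started from a directory that holds a matching file name (say a constructed `aide.log`), apt receives that name instead of the pattern and the purge does not do what the comment says. Quote it so apt does the matching: `sudo apt purge -y 'aide*'`; the same line appears in the Ubuntu Pro Minimal script below. A one-line comment on why AIDE is removed right after `usg fix` would also help, since the CIS profile presumably installs file-integrity monitoring on purpose.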


@ -1,22 +1,24 @@
#!/bin/bash
#Meant to be run on Ubuntu Pro Minimal
#The script assumes you already have Ubuntu Pro activated
#Compliance and updates
#Compliance
sudo ua enable usg
sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y usg curl libpam-pwquality
sudo apt autoremove -y
sudo apt install -y usg
sudo usg fix cis_level2_server
# Remove AIDE
sudo apt purge -y aide*
# Update and install packages
sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y curl fwupd libpam-pwquality tuned unbound
# Setup NTS
sudo systemctl disable --now systemd-timesyncd
sudo systemctl disable systemd-timesyncd
sudo apt install -y chrony
rm -rf /etc/chrony/chrony.conf
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony/chrony.conf
sudo systemctl restart chronyd
@ -25,11 +27,11 @@ sudo systemctl restart chronyd
sudo apt purge -y ufw
sudo snap install ufw
sudo ufw enable
sudo ufw allow OpenSSH
sudo ufw allow 22
# Harden SSH
echo "GSSAPIAuthentication no
echo "VerifyHostKeyDNS yes" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d
sudo curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf -o /etc/systemd/system/sshd.service.d/local.conf
@ -37,9 +39,6 @@ sudo systemctl daemon-reload
sudo systemctl restart sshd
# Setup unbound
sudp apt install -y unbound
echo 'server:
trust-anchor-signaling: yes
root-key-sentinel: yes
@ -122,8 +121,6 @@ sudo systemctl stop whoopsie.service
sudo systemctl disable whoopsie.service
sudo systemctl mask whoopsie.service
#Setup fwupd
sudo apt install fwupd -y
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
echo '[Service]
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
@ -131,7 +128,6 @@ sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
# Setup tuned
sudo apt install tuned -y
sudo tuned-adm profile virtual-guest
# Enable fstrim.timer
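Review bot: Both `sudo curl ... -o` lines write a file fetched from the moving `main` branch of GrapheneOS/infrastructure straight into /etc (chrony.conf and the sshd `local.conf` drop-in), and the services are restarted right after, with no pinned revision, no checksum and no `--fail`. Any later change on that branch, or an HTTP error body saved as the config, ends up in root-owned time-sync and SSH service configuration without review. Pin the URL to a reviewed commit and fail on HTTP errors, e.g. `sudo curl -fsS https://raw.githubusercontent.com/GrapheneOS/infrastructure/PINNED_COMMIT_SHA/chrony.conf -o /etc/chrony/chrony.conf` (PINNED_COMMIT_SHA is a placeholder), and ideally download to a temporary file and compare it against a known `sha256sum` before moving it into place. These look like unchanged context lines in the `# Setup NTS` and `# Harden SSH` hunks; the markers are lost on this page.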