1
0
mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-09 11:41:33 -05:00

Compare commits

...

16 Commits

Author SHA1 Message Date
3e97fd298c
Add notes on DNS handling
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 18:16:17 -07:00
520bb847e6
Disable systemd-resolved
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 18:06:18 -07:00
f99929f796
Fix unbound config URL
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 18:00:53 -07:00
236e1ae23a
Add irqbalance hardening for Fedora Server
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 17:49:12 -07:00
0c892f019b
Consistency fix
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 17:48:45 -07:00
b32330c79d
Re-add irqbalance hardening on RHEL 9
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 17:23:29 -07:00
3cd2cf7215
Add notes for unbound on RHEL
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 17:11:34 -07:00
09cd7639ad
Add unbound to Fedora server
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 16:45:12 -07:00
5956eb9095
Install dnf-automatic
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 16:05:07 -07:00
b0cb3d2788
Keep RHEL 9 and F40 scripts in sync
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 16:00:50 -07:00
441c4e068a
Remove abrt
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 15:33:25 -07:00
e3a44ffbd4
Fix indentation
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 15:21:11 -07:00
9610e72d95
Fix tuned handling
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 14:59:14 -07:00
1aecfcd3a5
Add missing -y
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 14:53:50 -07:00
7c8394ea12
Better virtualization handling
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 14:52:09 -07:00
24e7e6bd88
Minor reorganization
Signed-off-by: Tommy <contact@tommytran.io>
2024-05-29 12:43:53 -07:00
6 changed files with 215 additions and 248 deletions

View File

@ -24,6 +24,8 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
virtualization=$(systemd-detect-virt)
# Increase compression level # Increase compression level
sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
@ -95,69 +97,78 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/* sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
# Setup automatic updates
sudo dnf install -y dnf-automatic
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
# Remove unnecessary packages # Remove unnecessary packages
sudo dnf remove -y cockpit* sudo dnf remove -y cockpit*
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent
fi
# Setup unbound
sudo dnf install unbound -y
unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/unbound/unbound.conf | sudo tee /etc/unbound/unbound.conf
sudo mkdir /etc/systemd/system/unbound.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf
sudo systemctl enable --now unbound
sudo systemctl disable systemd-resolved
# Setup fwupd # Setup fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf if [ "$virtualization" = 'none' ]; then
sudo systemctl restart fwupd sudo dnf install -y fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
fi
# Enable auto TRIM # Enable auto TRIM
sudo systemctl enable fstrim.timer sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Installing tuned first here because virt-what is 1 of its dependencies anyways # Setup tuned
sudo dnf install tuned -y sudo dnf install -y tuned
sudo systemctl enable --now tuned sudo systemctl enable --now tuned
virt_type=$(virt-what) if [ "$virtualization" = 'none' ]; then
if [ "$virt_type" = '' ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned
if [ "$virt_type" = '' ]; then
sudo tuned-adm profile latency-performance sudo tuned-adm profile latency-performance
else else
if [ "$virt_type" = 'kvm' ]; then
sudo dnf install qemu-guest-agent -y
fi
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode and hardened_malloc # Setup real-ucode and hardened_malloc
MACHINE_TYPE=$(uname -m) MACHINE_TYPE=$(uname -m)
if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install real-ucode -y sudo dnf install -y real-ucode
sudo dracut -f sudo dracut -f
elif [ "$virt_type" != '' ]; then elif [ "$virtualization" != 'none' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
sudo dnf install hardened_malloc -y sudo dnf install -y hardened_malloc
else else
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
sudo dnf install real-ucode hardened_malloc -y sudo dnf install -y real-ucode hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo dracut -f sudo dracut -f
fi fi
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
sudo dnf copr enable secureblue/hardened_malloc -y sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install hardened_malloc -y sudo dnf install -y hardened_malloc
fi fi
# Setup Networking # Setup networking
sudo firewall-cmd --permanent --remove-service=cockpit sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on sudo firewall-cmd --lockdown-on
@ -167,6 +178,15 @@ unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart NetworkManager sudo systemctl restart NetworkManager
# irqbalance hardening
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Setup notices # Setup notices
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
# Final notes to the user
output 'Server setup complete. To use unbound for DNS, you need to reboot.'

View File

@ -24,22 +24,7 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
install_options(){ virtualization=$(systemd-detect-virt)
output "Are you using a Parallels Virtual Machine?"
output "[1] Yes"
output "[2] No"
read -r choice
case $choice in
1 ) parallels=1
;;
2 ) parallels=0
;;
* ) output "You did not enter a valid selection."
install_options
esac
}
install_options
# Increase compression level # Increase compression level
sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
@ -59,7 +44,7 @@ sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
sudo chmod 700 /home/* sudo chmod 700 /home/*
# Setup NTS # Setup NTS
if [ "${parallels}" = '1' ]; then if [ "${virtualization}" = 'parallels' ]; then
sudo dnf -y remove chrony sudo dnf -y remove chrony
else else
sudo rm -rf /etc/chrony.conf sudo rm -rf /etc/chrony.conf
@ -91,14 +76,14 @@ sudo dracut -f
sudo sysctl -p sudo sysctl -p
if sudo bootctl status | grep -q systemd-boot; then if sudo bootctl status | grep -q systemd-boot; then
if [ "${parallels}" = '1' ]; then if [ "${virtualization}" = 'parallels' ]; then
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline
else else
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline
fi fi
sudo dnf reinstall -y kernel-core sudo dnf reinstall -y kernel-core
else else
if [ "${parallels}" = '1' ]; then if [ "${virtualization}" = 'parallels' ]; then
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off' sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off'
else else
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1' sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
@ -166,7 +151,7 @@ sudo dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gn
gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem
# Remove apps # Remove apps
sudo dnf remove -y cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp sudo dnf remove -y abrt cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp
# Remove other packages # Remove other packages
sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
@ -180,6 +165,11 @@ sudo dnf -y upgrade
# Install packages that I use # Install packages that I use
sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent spice-vdagent
fi
# Setup Flatpak # Setup Flatpak
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
@ -218,58 +208,39 @@ sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Installing tuned first here because virt-what is 1 of its dependencies anyways
sudo dnf install tuned -y
sudo systemctl enable --now tuned
virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned # Setup tuned
if [ "$virt_type" = '' ]; then if [ "$virtualization" = 'none' ]; then
# Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO. output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
sudo systemctl disable --now tuned
sudo dnf remove tuned -y
else else
if [ "$virt_type" = 'kvm' ]; then sudo dnf remove -y power-profiles-daemon
sudo dnf install qemu-guest-agent -y sudo dnf install -y tuned
fi sudo systemctl enable --now tuned
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode and hardened_malloc # Setup real-ucode and hardened_malloc
if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install real-ucode -y sudo dnf install -y real-ucode
sudo dracut -f sudo dracut -f
elif [ "$virt_type" != '' ]; then elif [ "$virtualization" != 'none' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
sudo dnf install hardened_malloc -y sudo dnf install -y hardened_malloc
else else
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
sudo dnf install real-ucode hardened_malloc -y sudo dnf install -y real-ucode hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo dracut -f sudo dracut -f
fi fi
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
sudo dnf copr enable secureblue/hardened_malloc -y sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install hardened_malloc -y sudo dnf install -y hardened_malloc
fi fi
# Setup Networking # Setup networking
sudo firewall-cmd --set-default-zone=block sudo firewall-cmd --set-default-zone=block
sudo firewall-cmd --permanent --add-service=dhcpv6-client sudo firewall-cmd --permanent --add-service=dhcpv6-client
sudo firewall-cmd --reload sudo firewall-cmd --reload

View File

@ -2,10 +2,20 @@
My setup scripts for my workstations. You should edit the scripts to your liking before running it. My setup scripts for my workstations. You should edit the scripts to your liking before running it.
Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide. <br /> Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide. <br />
The printing stack (cups) is removed as I do not use it. Bluetooth is disabled by KickSecure's kernel module blacklist. The printing stack (cups) is removed as I do not use it.
Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org
## Notes on DNS handling
For desktop installations, the assumption here is that you will use a VPN of some sort for your privacy. No custom DNS server will be configured, as websites [can detect](https://www.dnsleaktest.com/) that you are using a different DNS server from your VPN provider's server.
For server installations (except Proxmox), Unbound will be configured to handle local DNSSEC validation. The difference in the scripts on how this is set up are because of the following reasons:
- Each distribution needs its own Unbound configuration due to version differences and how each distro package it.
- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
# Arch Linux # Arch Linux
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br /> Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
@ -16,3 +26,4 @@ Checkout this repository: https://github.com/tommytran732/QubesOS-Scripts <br />
# Fedora CoreOS # Fedora CoreOS
Checkout this repository: https://github.com/tommytran732/Fedora-CoreOS-Ignition Checkout this repository: https://github.com/tommytran732/Fedora-CoreOS-Ignition

155
RHEL-9.sh
View File

@ -22,25 +22,28 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
virtualization=$(systemd-detect-virt)
# Compliance # Compliance
sudo systemctl mask debug-shell.service sudo systemctl mask debug-shell.service
sudo systemctl mask kdump.service sudo systemctl mask kdump.service
# Setting umask to 077
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS # Setup NTS
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
sudo systemctl restart chronyd sudo systemctl restart chronyd
# Make home directory private
sudo chmod 700 /home/*
# Setup Firewalld
sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on
# Remove nullok # Remove nullok
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
@ -53,47 +56,47 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart sshd sudo systemctl restart sshd
# Kernel hardening # Security kernel settings
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
sudo sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf sudo sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
sudo sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf sudo sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/10-security-misc.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/10-security-misc.conf sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/10-security-misc.conf sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/10-security-misc.conf sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo dracut -f sudo dracut -f
sudo sysctl -p sudo sysctl -p
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
# Disable coredump # Disable coredump
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
# Systemd Hardening # Setup DNF
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Remove packages
sudo dnf remove baobab chrome-gnome-shell evince firefox gedit gnome-calculator gnome-characters gnome-font-viewer gnome-screenshot gnome-tour qemu-guest-agent 'sssd*' 'yelp*'
# Setup dnf
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/* sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
# Setup unbound # Setup automatic updates
sudo dnf install -y dnf-automatic
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
# Remove unnecessary packages
sudo dnf remove -y cockpit*
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent
fi
# Setup unbound
sudo dnf install unbound -y sudo dnf install unbound -y
echo 'server: echo 'server:
@ -154,51 +157,41 @@ sudo dnf install -y yara
sudo insights-client --collector malware-detection sudo insights-client --collector malware-detection
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
# Setup automatic updates # Setup fwupd
if [ "$virtualization" = 'none' ]; then
sudo dnf install -y fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
fi
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf # Enable auto TRIM
sudo systemctl enable --now dnf-automatic.timer sudo systemctl enable fstrim.timer
# Enable fstrim.timer
sudo systemctl enable --now fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Installing tuned first here because virt-what is 1 of its dependencies anyways
sudo dnf install tuned -y
virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned # Setup tuned
if [ "$virt_type" = '' ]; then sudo dnf install -y tuned
sudo tuned-adm profile latency-performance sudo systemctl enable --now tuned
if [ "$virt_type" = 'kvm' ]; then
sudo dnf install qemu-guest-agent -y if [ "$virtualization" = 'none' ]; then
fi sudo tuned-adm profile latency-performance
else else
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode and hardened_malloc # Setup real-ucode and hardened_malloc
if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install real-ucode -y sudo dnf install real-ucode -y
sudo dracut -f sudo dracut -f
elif [ "$virt_type" != '' ]; then elif [ "$virtualization" != 'none' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
sudo dnf install hardened_malloc -y sudo dnf install hardened_malloc -y
else else
@ -212,13 +205,27 @@ elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
sudo dnf install hardened_malloc -y sudo dnf install hardened_malloc -y
fi fi
# Setup fwupd # Setup networking
if [ "$virt_type" = '' ]; then sudo firewall-cmd --permanent --remove-service=cockpit
sudo dnf install fwupd -y sudo firewall-cmd --reload
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf sudo firewall-cmd --lockdown-on
sudo systemctl restart fwupd
mkdir -p /etc/systemd/system/fwupd-refresh.service.d sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer sudo systemctl restart NetworkManager
fi
# irqbalance hardening
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Setup notices
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
# Final notes to the user
output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'
output 'nmcli con mod <interface name> ipv4.dns 127.0.0.1'
output 'nmcli con mod <interface name> ipv6.dns ::1'

View File

@ -24,40 +24,25 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
install_options(){ virtualization=$(systemd-detect-virt)
output "Are you using a Parallels Virtual Machine?"
output "[1] Yes"
output "[2] No"
read -r choice
case $choice in
1 ) parallels=1
;;
2 ) parallels=0
;;
* ) output "You did not enter a valid selection."
install_options
esac
}
install_options
# Compliance and updates # Compliance and updates
sudo systemctl mask debug-shell.service sudo systemctl mask debug-shell.service
# Make home directory private
sudo chmod 700 /home/*
# Setting umask to 077 # Setting umask to 077
umask 077 umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS # Setup NTS
sudo systemctl disable --now systemd-timesyncd sudo systemctl disable --now systemd-timesyncd
sudo systemctl mask systemd-timesyncd sudo systemctl mask systemd-timesyncd
if [ "${parallels}" = "0" ]; then if [ "${virtualization}" = "parallels" ]; then
sudo apt install -y chrony sudo apt install -y chrony
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
sudo systemctl restart chronyd sudo systemctl restart chronyd
@ -126,16 +111,12 @@ sudo systemctl mask whoopsie.service
sudo systemctl disable --now whoopsie.path sudo systemctl disable --now whoopsie.path
sudo systemctl mask whoopsie.path sudo systemctl mask whoopsie.path
# Update packages and firmware # Update packages
sudo apt update -y sudo apt update -y
sudo apt full-upgrade -y sudo apt full-upgrade -y
sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates -y
sudo fwupdmgr update -y
## Avoid phased updates ## Avoid phased updates
sudo apt install curl -y sudo apt install -y curl
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
@ -155,6 +136,11 @@ sudo rm -rf /usr/share/hplip
sudo apt install -y gnome-console gnome-software-plugin-flatpak sudo apt install -y gnome-console gnome-software-plugin-flatpak
sudo snap install gnome-text-editor sudo snap install gnome-text-editor
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo apt install -y qemu-guest-agent spice-vdagent
fi
# Setup Flatpak # Setup Flatpak
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
@ -202,34 +188,23 @@ fi
# Enable fstrim.timer # Enable fstrim.timer
sudo systemctl enable --now fstrim.timer sudo systemctl enable --now fstrim.timer
# Installing tuned first here because virt-what is 1 of its dependencies anyways ### Differentiating bare metal and virtual installs
sudo apt install tuned -y
virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned # Setup tuned
if [ "$virt_type" = '' ]; then if [ "$virtualization" = 'none' ]; then
# Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO. output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
sudo apt remove tuned -y
sudo apt autoremove -y
else else
if [ "$virt_type" = 'kvm' ]; then sudo apt purge -y power-profiles-daemon
sudo apt install qemu-guest-agent -y sudo apt install -y tuned
fi systemctl enable --now tuned
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup Networking # Setup fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
# Setup networking
# UFW Snap is strictly confined, unlike its .deb counterpart # UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw sudo apt purge -y ufw

View File

@ -24,20 +24,22 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
virtualization=$(systemd-detect-virt)
# Compliance and updates # Compliance and updates
sudo systemctl mask debug-shell.service sudo systemctl mask debug-shell.service
echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue
echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net
# Make home directory private
sudo chmod 700 /home/*
# Setting umask to 077 # Setting umask to 077
umask 077 umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS # Setup NTS
sudo systemctl disable --now systemd-timesyncd sudo systemctl disable --now systemd-timesyncd
sudo systemctl mask systemd-timesyncd sudo systemctl mask systemd-timesyncd
@ -95,56 +97,37 @@ sudo apt full-upgrade -y
sudo apt autoremove -y sudo apt autoremove -y
## Install basic sysadmin tools ## Install basic sysadmin tools
sudo apt install nano iputils-ping sudo apt install -y nano iputils-ping
#Setup fwupd # Install appropriate virtualization drivers
sudo apt install fwupd -y if [ "$virtualization" = 'kvm' ]; then
mkdir -p /etc/systemd/system/fwupd-refresh.service.d sudo apt install -y qemu-guest-agent
echo '[Service] fi
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
# Enable fstrim.timer # Enable fstrim.timer
sudo systemctl enable --now fstrim.timer sudo systemctl enable --now fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Installing tuned first here because virt-what is 1 of its dependencies anyways
sudo apt install tuned -y
virt_type=$(virt-what)
if [ "$virt_type" = "" ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned # Setup tuned
if [ "$virt_type" = "" ]; then sudo apt install -y tuned
sudo tuned-adm profile latency-performance sudo systemctl enable --now tuned
if [ "$virtualization" = 'none' ]; then
sudo tuned-adm profile latency-performance
else else
if [ "$virt_type" = 'kvm' ]; then sudo tuned-adm profile virtual-guest
sudo apt install qemu-guest-agent -y
fi
sudo tuned-adm profile virtual-guest
fi fi
# Setup fwupd # Setup fwupd
if [ "$virt_type" = '' ]; then if [ "$virtualization" = 'none' ]; then
sudo apt install fwupd -y sudo apt install -y fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd sudo systemctl restart fwupd
mkdir -p /etc/systemd/system/fwupd-refresh.service.d mkdir -p /etc/systemd/system/fwupd-refresh.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer sudo systemctl enable --now fwupd-refresh.timer
fi fi
# Setup unbound # Setup unbound
@ -220,7 +203,7 @@ sudo systemctl daemon-reload
sudo systemctl restart unbound sudo systemctl restart unbound
sudo systemctl disable systemd-resolved sudo systemctl disable systemd-resolved
# Setup Networking # Setup networking
# UFW Snap is strictly confined, unlike its .deb counterpart # UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw sudo apt purge -y ufw