Add notes on DNS handling

Signed-off-by: Tommy <contact@tommytran.io>

Fedora-Server-40.sh

@@ -24,6 +24,8 @@ unpriv(){
     sudo -u nobody "$@"
 }
 
+virtualization=$(systemd-detect-virt)
+
 # Increase compression level
 sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
 
@@ -95,69 +97,78 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
 sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
 
+# Setup automatic updates
+sudo dnf install -y dnf-automatic
+sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
+sudo systemctl enable --now dnf-automatic.timer
+
 # Remove unnecessary packages
 sudo dnf remove -y cockpit*
 
+# Install appropriate virtualization drivers
+if [ "$virtualization" = 'kvm' ]; then
+    sudo dnf install -y qemu-guest-agent
+fi
+
+# Setup unbound
+sudo dnf install unbound -y
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/unbound/unbound.conf | sudo tee /etc/unbound/unbound.conf
+sudo mkdir /etc/systemd/system/unbound.service.d
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf
+sudo systemctl enable --now unbound
+sudo systemctl disable systemd-resolved
+
 # Setup fwupd
-echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+if [ "$virtualization" = 'none' ]; then
-sudo systemctl restart fwupd
+    sudo dnf install -y fwupd
+    echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+    sudo systemctl restart fwupd
+    mkdir -p /etc/systemd/system/fwupd-refresh.service.d
+    unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
+    sudo systemctl daemon-reload
+    sudo systemctl enable --now fwupd-refresh.timer
+fi
 
 # Enable auto TRIM
 sudo systemctl enable fstrim.timer
 
 ### Differentiating bare metal and virtual installs
 
-# Installing tuned first here because virt-what is 1 of its dependencies anyways
+# Setup tuned
-sudo dnf install tuned -y
+sudo dnf install -y tuned
 sudo systemctl enable --now tuned
 
-virt_type=$(virt-what)
+if [ "$virtualization" = 'none' ]; then
-if [ "$virt_type" = '' ]; then
-    output 'Virtualization: Bare Metal.'
-elif [ "$virt_type" = 'openvz lxc' ]; then
-    output 'Virtualization: OpenVZ 7.'
-elif [ "$virt_type" = 'xen xen-hvm' ]; then
-    output 'Virtualization: Xen-HVM.'
-elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
-    output 'Virtualization: Xen-HVM on AWS.'
-else
-    output "Virtualization: $virt_type."
-fi
-
-# Setup tuned
-if [ "$virt_type" = '' ]; then
     sudo tuned-adm profile latency-performance
 else
-    if [ "$virt_type" = 'kvm' ]; then
-        sudo dnf install qemu-guest-agent -y
-    fi
     sudo tuned-adm profile virtual-guest
 fi
 
+
 # Setup real-ucode and hardened_malloc
 MACHINE_TYPE=$(uname -m)
-if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
+if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
-    sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
+    sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
     sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
     if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
         sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
-        sudo dnf install real-ucode -y
+        sudo dnf install -y real-ucode
         sudo dracut -f
-    elif [ "$virt_type" != '' ]; then
+    elif [ "$virtualization" != 'none' ]; then
         sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
-        sudo dnf install hardened_malloc -y
+        sudo dnf install -y hardened_malloc
     else
         sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
-        sudo dnf install real-ucode hardened_malloc -y
+        sudo dnf install -y real-ucode hardened_malloc
         echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
         sudo dracut -f
     fi
 elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
     sudo dnf copr enable secureblue/hardened_malloc -y
-    sudo dnf install hardened_malloc -y
+    sudo dnf install -y hardened_malloc
 fi
 
-# Setup Networking
+# Setup networking
 sudo firewall-cmd --permanent --remove-service=cockpit
 sudo firewall-cmd --reload
 sudo firewall-cmd --lockdown-on
@@ -167,6 +178,15 @@ unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd
 sudo systemctl daemon-reload
 sudo systemctl restart NetworkManager
 
+# irqbalance hardening
+sudo mkdir -p /etc/systemd/system/irqbalance.service.d
+unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart irqbalance
+
 # Setup notices
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
+
+# Final notes to the user
+output 'Server setup complete. To use unbound for DNS, you need to reboot.'

Fedora-Workstation-40.sh

@@ -24,22 +24,7 @@ unpriv(){
     sudo -u nobody "$@"
 }
 
-install_options(){
+virtualization=$(systemd-detect-virt)
-    output "Are you using a Parallels Virtual Machine?"
-    output "[1] Yes"
-    output "[2] No"
-    read -r choice
-    case $choice in
-        1 ) parallels=1
-            ;;
-        2 ) parallels=0
-            ;;
-        * ) output "You did not enter a valid selection."
-            install_options
-    esac
-}
-
-install_options
 
 # Increase compression level
 sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
@@ -59,7 +44,7 @@ sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
 sudo chmod 700 /home/*
 
 # Setup NTS
-if [ "${parallels}" = '1' ]; then
+if [ "${virtualization}" = 'parallels' ]; then
     sudo dnf -y remove chrony
 else
     sudo rm -rf /etc/chrony.conf
@@ -91,14 +76,14 @@ sudo dracut -f
 sudo sysctl -p
 
 if sudo bootctl status | grep -q systemd-boot; then
-    if [ "${parallels}" = '1' ]; then
+    if [ "${virtualization}" = 'parallels' ]; then
         sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline
     else 
         sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline
     fi
     sudo dnf reinstall -y kernel-core
 else
-    if [ "${parallels}" = '1' ]; then
+    if [ "${virtualization}" = 'parallels' ]; then
         sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off'
     else
         sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
@@ -166,7 +151,7 @@ sudo dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gn
     gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem
 
 # Remove apps
-sudo dnf remove -y cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp
+sudo dnf remove -y abrt cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp
 
 # Remove other packages
  sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
@@ -180,6 +165,11 @@ sudo dnf -y upgrade
 # Install packages that I use
 sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo
 
+# Install appropriate virtualization drivers
+if [ "$virtualization" = 'kvm' ]; then
+    sudo dnf install -y qemu-guest-agent spice-vdagent
+fi
+
 # Setup Flatpak
 sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
 flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
@@ -218,58 +208,39 @@ sudo systemctl enable fstrim.timer
 
 ### Differentiating bare metal and virtual installs
 
-# Installing tuned first here because virt-what is 1 of its dependencies anyways
-sudo dnf install tuned -y
-sudo systemctl enable --now tuned
-
-virt_type=$(virt-what)
-if [ "$virt_type" = '' ]; then
-    output 'Virtualization: Bare Metal.'
-elif [ "$virt_type" = 'openvz lxc' ]; then
-    output 'Virtualization: OpenVZ 7.'
-elif [ "$virt_type" = 'xen xen-hvm' ]; then
-    output 'Virtualization: Xen-HVM.'
-elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
-    output 'Virtualization: Xen-HVM on AWS.'
-else
-    output "Virtualization: $virt_type."
-fi
-
 # Setup tuned
-if [ "$virt_type" = '' ]; then
+if [ "$virtualization" = 'none' ]; then
-    # Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO.
+    output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
-    sudo systemctl disable --now tuned
-    sudo dnf remove tuned -y
 else
-    if [ "$virt_type" = 'kvm' ]; then
+    sudo dnf remove -y power-profiles-daemon
-        sudo dnf install qemu-guest-agent -y
+    sudo dnf install -y tuned
-    fi
+    sudo systemctl enable --now tuned
     sudo tuned-adm profile virtual-guest
 fi
 
 # Setup real-ucode and hardened_malloc
-if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
+if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
-    sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
+    sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
     sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
     if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
         sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
-        sudo dnf install real-ucode -y
+        sudo dnf install -y real-ucode
         sudo dracut -f
-    elif [ "$virt_type" != '' ]; then
+    elif [ "$virtualization" != 'none' ]; then
         sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
-        sudo dnf install hardened_malloc -y
+        sudo dnf install -y hardened_malloc
     else
         sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
-        sudo dnf install real-ucode hardened_malloc -y
+        sudo dnf install -y real-ucode hardened_malloc
         echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
         sudo dracut -f
     fi
 elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
     sudo dnf copr enable secureblue/hardened_malloc -y
-    sudo dnf install hardened_malloc -y
+    sudo dnf install -y hardened_malloc
 fi
 
-# Setup Networking
+# Setup networking
 sudo firewall-cmd --set-default-zone=block
 sudo firewall-cmd --permanent --add-service=dhcpv6-client
 sudo firewall-cmd --reload

README.md

@@ -2,10 +2,20 @@
 My setup scripts for my workstations. You should edit the scripts to your liking before running it.
 Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide. <br />
 
-The printing stack (cups) is removed as I do not use it. Bluetooth is disabled by KickSecure's kernel module blacklist.
+The printing stack (cups) is removed as I do not use it.
 
 Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org
 
+## Notes on DNS handling
+
+For desktop installations, the assumption here is that you will use a VPN of some sort for your privacy. No custom DNS server will be configured, as websites [can detect](https://www.dnsleaktest.com/) that you are using a different DNS server from your VPN provider's server.
+
+For server installations (except Proxmox), Unbound will be configured to handle local DNSSEC validation. The difference in the scripts on how this is set up are because of the following reasons:
+
+- Each distribution needs its own Unbound configuration due to version differences and how each distro package it.
+- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
+- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
+
 # Arch Linux
 Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
 
@@ -16,3 +26,4 @@ Checkout this repository: https://github.com/tommytran732/QubesOS-Scripts <br />
 # Fedora CoreOS
 
 Checkout this repository: https://github.com/tommytran732/Fedora-CoreOS-Ignition
+

RHEL-9.sh

@@ -22,25 +22,28 @@ unpriv(){
   sudo -u nobody "$@"
 }
 
+virtualization=$(systemd-detect-virt)
+
 # Compliance
 sudo systemctl mask debug-shell.service
 sudo systemctl mask kdump.service
 
+# Setting umask to 077
+umask 077
+sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
+sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
+sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
+
+# Make home directory private
+sudo chmod 700 /home/*
+
 # Setup NTS
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
 
 sudo systemctl restart chronyd
 
-# Make home directory private
-sudo chmod 700 /home/*
-
-# Setup Firewalld
-
-sudo firewall-cmd --permanent --remove-service=cockpit
-sudo firewall-cmd --reload
-sudo firewall-cmd --lockdown-on
-
 # Remove nullok
 sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
 
@@ -53,47 +56,47 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
 sudo systemctl daemon-reload
 sudo systemctl restart sshd
 
-# Kernel hardening
+# Security kernel settings
-
 unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
+sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
 sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
 sudo sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
 sudo sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
-unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/10-security-misc.conf
+unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
-sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/10-security-misc.conf
+sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
-sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/10-security-misc.conf
+sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
-sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/10-security-misc.conf
+sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
+sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
 unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
+sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
 unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
+sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
 sudo dracut -f
 sudo sysctl -p
-sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
+
+sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
 
 # Disable coredump
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
 
-# Systemd Hardening
+# Setup DNF
-
-sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-sudo systemctl daemon-reload
-sudo systemctl restart NetworkManager
-
-sudo mkdir -p /etc/systemd/system/irqbalance.service.d
-unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
-sudo systemctl daemon-reload
-sudo systemctl restart irqbalance
-
-# Remove packages
-
-sudo dnf remove baobab chrome-gnome-shell evince firefox gedit gnome-calculator gnome-characters gnome-font-viewer gnome-screenshot gnome-tour qemu-guest-agent 'sssd*' 'yelp*'
-
-# Setup dnf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
 sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
 
-# Setup unbound
+# Setup automatic updates
+sudo dnf install -y dnf-automatic
+sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
+sudo systemctl enable --now dnf-automatic.timer
 
+# Remove unnecessary packages
+sudo dnf remove -y cockpit*
+
+# Install appropriate virtualization drivers
+if [ "$virtualization" = 'kvm' ]; then
+    sudo dnf install -y qemu-guest-agent
+fi
+
+# Setup unbound
 sudo dnf install unbound -y
 
 echo 'server:
@@ -154,51 +157,41 @@ sudo dnf install -y yara
 sudo insights-client --collector malware-detection
 sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
 
-# Setup automatic updates
+# Setup fwupd
+if [ "$virtualization" = 'none' ]; then
+    sudo dnf install -y fwupd
+    echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+    sudo systemctl restart fwupd
+    mkdir -p /etc/systemd/system/fwupd-refresh.service.d
+    unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
+    sudo systemctl daemon-reload
+    sudo systemctl enable --now fwupd-refresh.timer
+fi
 
-sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
+# Enable auto TRIM
-sudo systemctl enable --now dnf-automatic.timer
+sudo systemctl enable fstrim.timer
-
-# Enable fstrim.timer
-sudo systemctl enable --now fstrim.timer
 
 ### Differentiating bare metal and virtual installs
 
-# Installing tuned first here because virt-what is 1 of its dependencies anyways
-sudo dnf install tuned -y
-
-virt_type=$(virt-what)
-if [ "$virt_type" = '' ]; then
-  output 'Virtualization: Bare Metal.'
-elif [ "$virt_type" = 'openvz lxc' ]; then
-  output 'Virtualization: OpenVZ 7.'
-elif [ "$virt_type" = 'xen xen-hvm' ]; then
-  output 'Virtualization: Xen-HVM.'
-elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
-  output 'Virtualization: Xen-HVM on AWS.'
-else
-  output "Virtualization: $virt_type."
-fi
-
 # Setup tuned
-if [ "$virt_type" = '' ]; then
+sudo dnf install -y tuned
-  sudo tuned-adm profile latency-performance
+sudo systemctl enable --now tuned
-  if [ "$virt_type" = 'kvm' ]; then
+
-    sudo dnf install qemu-guest-agent -y
+if [ "$virtualization" = 'none' ]; then
-  fi
+    sudo tuned-adm profile latency-performance
 else
-  sudo tuned-adm profile virtual-guest
+    sudo tuned-adm profile virtual-guest
 fi
 
 # Setup real-ucode and hardened_malloc
-if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
+if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
   sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
   sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
   if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
     sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
     sudo dnf install real-ucode -y
     sudo dracut -f
-  elif [ "$virt_type" != '' ]; then
+  elif [ "$virtualization" != 'none' ]; then
     sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
     sudo dnf install hardened_malloc -y
   else
@@ -212,13 +205,27 @@ elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
   sudo dnf install hardened_malloc -y
 fi
 
-# Setup fwupd
+# Setup networking
-if [ "$virt_type" = '' ]; then
+sudo firewall-cmd --permanent --remove-service=cockpit
-  sudo dnf install fwupd -y
+sudo firewall-cmd --reload
-  echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+sudo firewall-cmd --lockdown-on
-  sudo systemctl restart fwupd
+
-  mkdir -p /etc/systemd/system/fwupd-refresh.service.d
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-  unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
+unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
-  sudo systemctl daemon-reload
+sudo systemctl daemon-reload
-  sudo systemctl enable --now fwupd-refresh.timer
+sudo systemctl restart NetworkManager
-fi
+
+# irqbalance hardening
+sudo mkdir -p /etc/systemd/system/irqbalance.service.d
+unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart irqbalance
+
+# Setup notices
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
+unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
+
+# Final notes to the user
+output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'
+output 'nmcli con mod <interface name> ipv4.dns 127.0.0.1'
+output 'nmcli con mod <interface name> ipv6.dns ::1'

Ubuntu-23.10-Desktop.sh

@@ -24,40 +24,25 @@ unpriv(){
     sudo -u nobody "$@"
 }
 
-install_options(){
+virtualization=$(systemd-detect-virt)
-    output "Are you using a Parallels Virtual Machine?"
-    output "[1] Yes"
-    output "[2] No"
-    read -r choice
-    case $choice in
-        1 ) parallels=1
-            ;;
-        2 ) parallels=0
-            ;;
-        * ) output "You did not enter a valid selection."
-            install_options
-    esac
-}
-
-install_options
 
 # Compliance and updates
 sudo systemctl mask debug-shell.service
 
-# Make home directory private
-sudo chmod 700 /home/*
-
 # Setting umask to 077
 umask 077
 sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
 sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
 sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
 
+# Make home directory private
+sudo chmod 700 /home/*
+
 # Setup NTS
 sudo systemctl disable --now systemd-timesyncd
 sudo systemctl mask systemd-timesyncd
 
-if [ "${parallels}" = "0" ]; then
+if [ "${virtualization}" = "parallels" ]; then
     sudo apt install -y chrony
     unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
     sudo systemctl restart chronyd
@@ -126,16 +111,12 @@ sudo systemctl mask whoopsie.service
 sudo systemctl disable --now whoopsie.path
 sudo systemctl mask whoopsie.path
 
-# Update packages and firmware
+# Update packages
 sudo apt update -y
 sudo apt full-upgrade -y
-sudo fwupdmgr get-devices
-sudo fwupdmgr refresh --force
-sudo fwupdmgr get-updates -y
-sudo fwupdmgr update -y
 
 ## Avoid phased updates
-sudo apt install curl -y
+sudo apt install -y curl 
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
@@ -155,6 +136,11 @@ sudo rm -rf /usr/share/hplip
 sudo apt install -y gnome-console gnome-software-plugin-flatpak
 sudo snap install gnome-text-editor
 
+# Install appropriate virtualization drivers
+if [ "$virtualization" = 'kvm' ]; then
+    sudo apt install -y qemu-guest-agent spice-vdagent
+fi
+
 # Setup Flatpak
 sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
 flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
@@ -202,34 +188,23 @@ fi
 # Enable fstrim.timer
 sudo systemctl enable --now fstrim.timer
 
-# Installing tuned first here because virt-what is 1 of its dependencies anyways
+### Differentiating bare metal and virtual installs
-sudo apt install tuned -y
-virt_type=$(virt-what)
-if [ "$virt_type" = '' ]; then
-    output 'Virtualization: Bare Metal.'
-elif [ "$virt_type" = 'openvz lxc' ]; then
-    output 'Virtualization: OpenVZ 7.'
-elif [ "$virt_type" = 'xen xen-hvm' ]; then
-    output 'Virtualization: Xen-HVM.'
-elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
-    output 'Virtualization: Xen-HVM on AWS.'
-else
-    output "Virtualization: $virt_type."
-fi
 
 # Setup tuned
-if [ "$virt_type" = '' ]; then
+if [ "$virtualization" = 'none' ]; then
-    # Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO.
+    output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
-        sudo apt remove tuned -y
-        sudo apt autoremove -y
 else
-    if [ "$virt_type" = 'kvm' ]; then
+    sudo apt purge -y power-profiles-daemon
-        sudo apt install qemu-guest-agent -y
+    sudo apt install -y tuned
-    fi
+    systemctl enable --now tuned
     sudo tuned-adm profile virtual-guest
 fi
 
-# Setup Networking
+# Setup fwupd
+echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+sudo systemctl restart fwupd
+
+# Setup networking
 
 # UFW Snap is strictly confined, unlike its .deb counterpart
 sudo apt purge -y ufw

Ubuntu-24.04-Server.sh

@@ -24,20 +24,22 @@ unpriv(){
   sudo -u nobody "$@"
 }
 
+virtualization=$(systemd-detect-virt)
+
 # Compliance and updates
 sudo systemctl mask debug-shell.service
 echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue
 echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net
 
-# Make home directory private
-sudo chmod 700 /home/*
-
 # Setting umask to 077
 umask 077
 sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
 sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
 sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
 
+# Make home directory private
+sudo chmod 700 /home/*
+
 # Setup NTS
 sudo systemctl disable --now systemd-timesyncd
 sudo systemctl mask systemd-timesyncd
@@ -95,56 +97,37 @@ sudo apt full-upgrade -y
 sudo apt autoremove -y
 
 ## Install basic sysadmin tools
-sudo apt install nano iputils-ping
+sudo apt install -y nano iputils-ping
 
-#Setup fwupd
+# Install appropriate virtualization drivers
-sudo apt install fwupd -y
+if [ "$virtualization" = 'kvm' ]; then
-mkdir -p /etc/systemd/system/fwupd-refresh.service.d
+    sudo apt install -y qemu-guest-agent
-echo '[Service]
+fi
-ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
-sudo systemctl daemon-reload
-sudo systemctl enable --now fwupd-refresh.timer
 
 # Enable fstrim.timer
 sudo systemctl enable --now fstrim.timer
 
 ### Differentiating bare metal and virtual installs
 
-# Installing tuned first here because virt-what is 1 of its dependencies anyways
-sudo apt install tuned -y
-
-virt_type=$(virt-what)
-if [ "$virt_type" = "" ]; then
-  output 'Virtualization: Bare Metal.'
-elif [ "$virt_type" = 'openvz lxc' ]; then
-  output 'Virtualization: OpenVZ 7.'
-elif [ "$virt_type" = 'xen xen-hvm' ]; then
-  output 'Virtualization: Xen-HVM.'
-elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
-  output 'Virtualization: Xen-HVM on AWS.'
-else
-  output "Virtualization: $virt_type."
-fi
-
 # Setup tuned
-if [ "$virt_type" = "" ]; then
+sudo apt install -y tuned
-  sudo tuned-adm profile latency-performance
+sudo systemctl enable --now tuned
+
+if [ "$virtualization" = 'none' ]; then
+    sudo tuned-adm profile latency-performance
 else
-  if [ "$virt_type" = 'kvm' ]; then
+    sudo tuned-adm profile virtual-guest
-    sudo apt install qemu-guest-agent -y
-  fi
-  sudo tuned-adm profile virtual-guest
 fi
 
 # Setup fwupd
-if [ "$virt_type" = '' ]; then
+if [ "$virtualization" = 'none' ]; then
-  sudo apt install fwupd -y
+    sudo apt install -y fwupd
-  echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
+    echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
-  sudo systemctl restart fwupd
+    sudo systemctl restart fwupd
-  mkdir -p /etc/systemd/system/fwupd-refresh.service.d
+    mkdir -p /etc/systemd/system/fwupd-refresh.service.d
-  unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
+    unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
-  sudo systemctl daemon-reload
+    sudo systemctl daemon-reload
-  sudo systemctl enable --now fwupd-refresh.timer
+    sudo systemctl enable --now fwupd-refresh.timer
 fi
 
 # Setup unbound
@@ -220,7 +203,7 @@ sudo systemctl daemon-reload
 sudo systemctl restart unbound
 sudo systemctl disable systemd-resolved
 
-# Setup Networking
+# Setup networking
 
 # UFW Snap is strictly confined, unlike its .deb counterpart
 sudo apt purge -y ufw