16 Commits
1cca00f237
...
3e97fd298c
Author | SHA1 | Date | |
---|---|---|---|
3e97fd298c | |||
520bb847e6 | |||
f99929f796 | |||
236e1ae23a | |||
0c892f019b | |||
b32330c79d | |||
3cd2cf7215 | |||
09cd7639ad | |||
5956eb9095 | |||
b0cb3d2788 | |||
441c4e068a | |||
e3a44ffbd4 | |||
9610e72d95 | |||
1aecfcd3a5 | |||
7c8394ea12 | |||
24e7e6bd88 |
@ -24,6 +24,8 @@ unpriv(){
|
|||||||
sudo -u nobody "$@"
|
sudo -u nobody "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
virtualization=$(systemd-detect-virt)
|
||||||
|
|
||||||
# Increase compression level
|
# Increase compression level
|
||||||
sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
|
sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
|
||||||
|
|
||||||
@ -95,69 +97,78 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
|
|||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
||||||
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
||||||
|
|
||||||
|
# Setup automatic updates
|
||||||
|
sudo dnf install -y dnf-automatic
|
||||||
|
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
|
||||||
|
sudo systemctl enable --now dnf-automatic.timer
|
||||||
|
|
||||||
# Remove unnecessary packages
|
# Remove unnecessary packages
|
||||||
sudo dnf remove -y cockpit*
|
sudo dnf remove -y cockpit*
|
||||||
|
|
||||||
|
# Install appropriate virtualization drivers
|
||||||
|
if [ "$virtualization" = 'kvm' ]; then
|
||||||
|
sudo dnf install -y qemu-guest-agent
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Setup unbound
|
||||||
|
sudo dnf install unbound -y
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/unbound/unbound.conf | sudo tee /etc/unbound/unbound.conf
|
||||||
|
sudo mkdir /etc/systemd/system/unbound.service.d
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf
|
||||||
|
sudo systemctl enable --now unbound
|
||||||
|
sudo systemctl disable systemd-resolved
|
||||||
|
|
||||||
# Setup fwupd
|
# Setup fwupd
|
||||||
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
if [ "$virtualization" = 'none' ]; then
|
||||||
sudo systemctl restart fwupd
|
sudo dnf install -y fwupd
|
||||||
|
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
||||||
|
sudo systemctl restart fwupd
|
||||||
|
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl enable --now fwupd-refresh.timer
|
||||||
|
fi
|
||||||
|
|
||||||
# Enable auto TRIM
|
# Enable auto TRIM
|
||||||
sudo systemctl enable fstrim.timer
|
sudo systemctl enable fstrim.timer
|
||||||
|
|
||||||
### Differentiating bare metal and virtual installs
|
### Differentiating bare metal and virtual installs
|
||||||
|
|
||||||
# Installing tuned first here because virt-what is 1 of its dependencies anyways
|
# Setup tuned
|
||||||
sudo dnf install tuned -y
|
sudo dnf install -y tuned
|
||||||
sudo systemctl enable --now tuned
|
sudo systemctl enable --now tuned
|
||||||
|
|
||||||
virt_type=$(virt-what)
|
if [ "$virtualization" = 'none' ]; then
|
||||||
if [ "$virt_type" = '' ]; then
|
|
||||||
output 'Virtualization: Bare Metal.'
|
|
||||||
elif [ "$virt_type" = 'openvz lxc' ]; then
|
|
||||||
output 'Virtualization: OpenVZ 7.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM on AWS.'
|
|
||||||
else
|
|
||||||
output "Virtualization: $virt_type."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Setup tuned
|
|
||||||
if [ "$virt_type" = '' ]; then
|
|
||||||
sudo tuned-adm profile latency-performance
|
sudo tuned-adm profile latency-performance
|
||||||
else
|
else
|
||||||
if [ "$virt_type" = 'kvm' ]; then
|
|
||||||
sudo dnf install qemu-guest-agent -y
|
|
||||||
fi
|
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Setup real-ucode and hardened_malloc
|
# Setup real-ucode and hardened_malloc
|
||||||
MACHINE_TYPE=$(uname -m)
|
MACHINE_TYPE=$(uname -m)
|
||||||
if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
||||||
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
|
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
|
||||||
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
||||||
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
|
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
||||||
sudo dnf install real-ucode -y
|
sudo dnf install -y real-ucode
|
||||||
sudo dracut -f
|
sudo dracut -f
|
||||||
elif [ "$virt_type" != '' ]; then
|
elif [ "$virtualization" != 'none' ]; then
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
|
||||||
sudo dnf install hardened_malloc -y
|
sudo dnf install -y hardened_malloc
|
||||||
else
|
else
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
||||||
sudo dnf install real-ucode hardened_malloc -y
|
sudo dnf install -y real-ucode hardened_malloc
|
||||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||||
sudo dracut -f
|
sudo dracut -f
|
||||||
fi
|
fi
|
||||||
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
||||||
sudo dnf copr enable secureblue/hardened_malloc -y
|
sudo dnf copr enable secureblue/hardened_malloc -y
|
||||||
sudo dnf install hardened_malloc -y
|
sudo dnf install -y hardened_malloc
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup Networking
|
# Setup networking
|
||||||
sudo firewall-cmd --permanent --remove-service=cockpit
|
sudo firewall-cmd --permanent --remove-service=cockpit
|
||||||
sudo firewall-cmd --reload
|
sudo firewall-cmd --reload
|
||||||
sudo firewall-cmd --lockdown-on
|
sudo firewall-cmd --lockdown-on
|
||||||
@ -167,6 +178,15 @@ unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd
|
|||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl restart NetworkManager
|
sudo systemctl restart NetworkManager
|
||||||
|
|
||||||
|
# irqbalance hardening
|
||||||
|
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
||||||
|
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart irqbalance
|
||||||
|
|
||||||
# Setup notices
|
# Setup notices
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
|
||||||
|
|
||||||
|
# Final notes to the user
|
||||||
|
output 'Server setup complete. To use unbound for DNS, you need to reboot.'
|
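Review bot: `mkdir -p /etc/systemd/system/fwupd-refresh.service.d` in the new fwupd block is the one privileged command in this section run without `sudo`; since the README says to run these scripts as a normal user, it fails with a permission error, the `tee` into that directory fails after it, and `fwupd-refresh.timer` is then enabled without its override. It should read `sudo mkdir -p /etc/systemd/system/fwupd-refresh.service.d`, and the unbound counterpart `sudo mkdir /etc/systemd/system/unbound.service.d` should take `-p` as well so a rerun does not error out. The new `unpriv curl … | sudo tee` lines also copy whatever the server answers straight into `/etc/unbound/unbound.conf` and the two override files; `curl -fsSL --proto '=https'` would at least refuse HTTP error pages and non-HTTPS redirects instead of installing them as configuration. Whether any of these failures stops the script depends on a `set -e` at the top of the file, which is outside the hunks shown.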
@ -24,22 +24,7 @@ unpriv(){
|
|||||||
sudo -u nobody "$@"
|
sudo -u nobody "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
install_options(){
|
virtualization=$(systemd-detect-virt)
|
||||||
output "Are you using a Parallels Virtual Machine?"
|
|
||||||
output "[1] Yes"
|
|
||||||
output "[2] No"
|
|
||||||
read -r choice
|
|
||||||
case $choice in
|
|
||||||
1 ) parallels=1
|
|
||||||
;;
|
|
||||||
2 ) parallels=0
|
|
||||||
;;
|
|
||||||
* ) output "You did not enter a valid selection."
|
|
||||||
install_options
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
install_options
|
|
||||||
|
|
||||||
# Increase compression level
|
# Increase compression level
|
||||||
sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
|
sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
|
||||||
@ -59,7 +44,7 @@ sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
|||||||
sudo chmod 700 /home/*
|
sudo chmod 700 /home/*
|
||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
if [ "${parallels}" = '1' ]; then
|
if [ "${virtualization}" = 'parallels' ]; then
|
||||||
sudo dnf -y remove chrony
|
sudo dnf -y remove chrony
|
||||||
else
|
else
|
||||||
sudo rm -rf /etc/chrony.conf
|
sudo rm -rf /etc/chrony.conf
|
||||||
@ -91,14 +76,14 @@ sudo dracut -f
|
|||||||
sudo sysctl -p
|
sudo sysctl -p
|
||||||
|
|
||||||
if sudo bootctl status | grep -q systemd-boot; then
|
if sudo bootctl status | grep -q systemd-boot; then
|
||||||
if [ "${parallels}" = '1' ]; then
|
if [ "${virtualization}" = 'parallels' ]; then
|
||||||
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline
|
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline
|
||||||
else
|
else
|
||||||
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline
|
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline
|
||||||
fi
|
fi
|
||||||
sudo dnf reinstall -y kernel-core
|
sudo dnf reinstall -y kernel-core
|
||||||
else
|
else
|
||||||
if [ "${parallels}" = '1' ]; then
|
if [ "${virtualization}" = 'parallels' ]; then
|
||||||
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off'
|
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off'
|
||||||
else
|
else
|
||||||
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
|
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
|
||||||
@ -166,7 +151,7 @@ sudo dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gn
|
|||||||
gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem
|
gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem
|
||||||
|
|
||||||
# Remove apps
|
# Remove apps
|
||||||
sudo dnf remove -y cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp
|
sudo dnf remove -y abrt cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp
|
||||||
|
|
||||||
# Remove other packages
|
# Remove other packages
|
||||||
sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
|
sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
|
||||||
@ -180,6 +165,11 @@ sudo dnf -y upgrade
|
|||||||
# Install packages that I use
|
# Install packages that I use
|
||||||
sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo
|
sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo
|
||||||
|
|
||||||
|
# Install appropriate virtualization drivers
|
||||||
|
if [ "$virtualization" = 'kvm' ]; then
|
||||||
|
sudo dnf install -y qemu-guest-agent spice-vdagent
|
||||||
|
fi
|
||||||
|
|
||||||
# Setup Flatpak
|
# Setup Flatpak
|
||||||
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
|
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
|
||||||
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
|
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
|
||||||
@ -218,58 +208,39 @@ sudo systemctl enable fstrim.timer
|
|||||||
|
|
||||||
### Differentiating bare metal and virtual installs
|
### Differentiating bare metal and virtual installs
|
||||||
|
|
||||||
# Installing tuned first here because virt-what is 1 of its dependencies anyways
|
|
||||||
sudo dnf install tuned -y
|
|
||||||
sudo systemctl enable --now tuned
|
|
||||||
|
|
||||||
virt_type=$(virt-what)
|
|
||||||
if [ "$virt_type" = '' ]; then
|
|
||||||
output 'Virtualization: Bare Metal.'
|
|
||||||
elif [ "$virt_type" = 'openvz lxc' ]; then
|
|
||||||
output 'Virtualization: OpenVZ 7.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM on AWS.'
|
|
||||||
else
|
|
||||||
output "Virtualization: $virt_type."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Setup tuned
|
# Setup tuned
|
||||||
if [ "$virt_type" = '' ]; then
|
if [ "$virtualization" = 'none' ]; then
|
||||||
# Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO.
|
output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
|
||||||
sudo systemctl disable --now tuned
|
|
||||||
sudo dnf remove tuned -y
|
|
||||||
else
|
else
|
||||||
if [ "$virt_type" = 'kvm' ]; then
|
sudo dnf remove -y power-profiles-daemon
|
||||||
sudo dnf install qemu-guest-agent -y
|
sudo dnf install -y tuned
|
||||||
fi
|
sudo systemctl enable --now tuned
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup real-ucode and hardened_malloc
|
# Setup real-ucode and hardened_malloc
|
||||||
if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
||||||
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
|
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
|
||||||
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
||||||
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
|
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
||||||
sudo dnf install real-ucode -y
|
sudo dnf install -y real-ucode
|
||||||
sudo dracut -f
|
sudo dracut -f
|
||||||
elif [ "$virt_type" != '' ]; then
|
elif [ "$virtualization" != 'none' ]; then
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
|
||||||
sudo dnf install hardened_malloc -y
|
sudo dnf install -y hardened_malloc
|
||||||
else
|
else
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
||||||
sudo dnf install real-ucode hardened_malloc -y
|
sudo dnf install -y real-ucode hardened_malloc
|
||||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||||
sudo dracut -f
|
sudo dracut -f
|
||||||
fi
|
fi
|
||||||
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
||||||
sudo dnf copr enable secureblue/hardened_malloc -y
|
sudo dnf copr enable secureblue/hardened_malloc -y
|
||||||
sudo dnf install hardened_malloc -y
|
sudo dnf install -y hardened_malloc
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup Networking
|
# Setup networking
|
||||||
sudo firewall-cmd --set-default-zone=block
|
sudo firewall-cmd --set-default-zone=block
|
||||||
sudo firewall-cmd --permanent --add-service=dhcpv6-client
|
sudo firewall-cmd --permanent --add-service=dhcpv6-client
|
||||||
sudo firewall-cmd --reload
|
sudo firewall-cmd --reload
|
||||||
|
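Review bot: `virtualization=$(systemd-detect-virt)` in the first hunk replaces the Parallels prompt, but `systemd-detect-virt` exits with a non-zero status when it reports `none`, so on bare metal the assignment itself fails; if the script runs under `set -e` (its header is outside the hunks) that ends the run before any of the `'none'` branches this commit introduces are reached. `virtualization=$(systemd-detect-virt || true)` keeps the value while making the exit status irrelevant. It is also worth a comment above the tuned block that `[ "$virtualization" != 'none' ]` matches container results such as `lxc` or `docker` too, where `tuned-adm profile virtual-guest` and the divested repo setup are presumably not intended; the old `virt-what` test had the same shape, so this is documentation rather than a regression.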
13
README.md
13
README.md
@ -2,10 +2,20 @@
|
|||||||
My setup scripts for my workstations. You should edit the scripts to your liking before running it.
|
My setup scripts for my workstations. You should edit the scripts to your liking before running it.
|
||||||
Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide. <br />
|
Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide. <br />
|
||||||
|
|
||||||
The printing stack (cups) is removed as I do not use it. Bluetooth is disabled by KickSecure's kernel module blacklist.
|
The printing stack (cups) is removed as I do not use it.
|
||||||
|
|
||||||
Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org
|
Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org
|
||||||
|
|
||||||
|
## Notes on DNS handling
|
||||||
|
|
||||||
|
For desktop installations, the assumption here is that you will use a VPN of some sort for your privacy. No custom DNS server will be configured, as websites [can detect](https://www.dnsleaktest.com/) that you are using a different DNS server from your VPN provider's server.
|
||||||
|
|
||||||
|
For server installations (except Proxmox), Unbound will be configured to handle local DNSSEC validation. The difference in the scripts on how this is set up are because of the following reasons:
|
||||||
|
|
||||||
|
- Each distribution needs its own Unbound configuration due to version differences and how each distro package it.
|
||||||
|
- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
|
||||||
|
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
|
||||||
|
|
||||||
# Arch Linux
|
# Arch Linux
|
||||||
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
|
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
|
||||||
|
|
||||||
@ -16,3 +26,4 @@ Checkout this repository: https://github.com/tommytran732/QubesOS-Scripts <br />
|
|||||||
# Fedora CoreOS
|
# Fedora CoreOS
|
||||||
|
|
||||||
Checkout this repository: https://github.com/tommytran732/Fedora-CoreOS-Ignition
|
Checkout this repository: https://github.com/tommytran732/Fedora-CoreOS-Ignition
|
||||||
|
|
||||||
|
155
RHEL-9.sh
155
RHEL-9.sh
@ -22,25 +22,28 @@ unpriv(){
|
|||||||
sudo -u nobody "$@"
|
sudo -u nobody "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
virtualization=$(systemd-detect-virt)
|
||||||
|
|
||||||
# Compliance
|
# Compliance
|
||||||
sudo systemctl mask debug-shell.service
|
sudo systemctl mask debug-shell.service
|
||||||
sudo systemctl mask kdump.service
|
sudo systemctl mask kdump.service
|
||||||
|
|
||||||
|
# Setting umask to 077
|
||||||
|
umask 077
|
||||||
|
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
|
||||||
|
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
|
||||||
|
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
|
||||||
|
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||||
|
|
||||||
|
# Make home directory private
|
||||||
|
sudo chmod 700 /home/*
|
||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
|
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
|
||||||
|
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
|
|
||||||
# Make home directory private
|
|
||||||
sudo chmod 700 /home/*
|
|
||||||
|
|
||||||
# Setup Firewalld
|
|
||||||
|
|
||||||
sudo firewall-cmd --permanent --remove-service=cockpit
|
|
||||||
sudo firewall-cmd --reload
|
|
||||||
sudo firewall-cmd --lockdown-on
|
|
||||||
|
|
||||||
# Remove nullok
|
# Remove nullok
|
||||||
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
|
||||||
|
|
||||||
@ -53,47 +56,47 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
|
|||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl restart sshd
|
sudo systemctl restart sshd
|
||||||
|
|
||||||
# Kernel hardening
|
# Security kernel settings
|
||||||
|
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||||
|
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
|
||||||
sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||||
sudo sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
sudo sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
|
||||||
sudo sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
sudo sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/10-security-misc.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||||
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/10-security-misc.conf
|
sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
|
||||||
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/10-security-misc.conf
|
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||||
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/10-security-misc.conf
|
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||||
|
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
|
sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||||
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
|
sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||||
sudo dracut -f
|
sudo dracut -f
|
||||||
sudo sysctl -p
|
sudo sysctl -p
|
||||||
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
|
|
||||||
|
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
|
||||||
|
|
||||||
# Disable coredump
|
# Disable coredump
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||||
|
|
||||||
# Systemd Hardening
|
# Setup DNF
|
||||||
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
|
||||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl restart NetworkManager
|
|
||||||
|
|
||||||
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
|
||||||
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl restart irqbalance
|
|
||||||
|
|
||||||
# Remove packages
|
|
||||||
|
|
||||||
sudo dnf remove baobab chrome-gnome-shell evince firefox gedit gnome-calculator gnome-characters gnome-font-viewer gnome-screenshot gnome-tour qemu-guest-agent 'sssd*' 'yelp*'
|
|
||||||
|
|
||||||
# Setup dnf
|
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
||||||
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
||||||
|
|
||||||
# Setup unbound
|
# Setup automatic updates
|
||||||
|
sudo dnf install -y dnf-automatic
|
||||||
|
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
|
||||||
|
sudo systemctl enable --now dnf-automatic.timer
|
||||||
|
|
||||||
|
# Remove unnecessary packages
|
||||||
|
sudo dnf remove -y cockpit*
|
||||||
|
|
||||||
|
# Install appropriate virtualization drivers
|
||||||
|
if [ "$virtualization" = 'kvm' ]; then
|
||||||
|
sudo dnf install -y qemu-guest-agent
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Setup unbound
|
||||||
sudo dnf install unbound -y
|
sudo dnf install unbound -y
|
||||||
|
|
||||||
echo 'server:
|
echo 'server:
|
||||||
@ -154,51 +157,41 @@ sudo dnf install -y yara
|
|||||||
sudo insights-client --collector malware-detection
|
sudo insights-client --collector malware-detection
|
||||||
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
|
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
|
||||||
|
|
||||||
# Setup automatic updates
|
# Setup fwupd
|
||||||
|
if [ "$virtualization" = 'none' ]; then
|
||||||
|
sudo dnf install -y fwupd
|
||||||
|
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
||||||
|
sudo systemctl restart fwupd
|
||||||
|
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl enable --now fwupd-refresh.timer
|
||||||
|
fi
|
||||||
|
|
||||||
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
|
# Enable auto TRIM
|
||||||
sudo systemctl enable --now dnf-automatic.timer
|
sudo systemctl enable fstrim.timer
|
||||||
|
|
||||||
# Enable fstrim.timer
|
|
||||||
sudo systemctl enable --now fstrim.timer
|
|
||||||
|
|
||||||
### Differentiating bare metal and virtual installs
|
### Differentiating bare metal and virtual installs
|
||||||
|
|
||||||
# Installing tuned first here because virt-what is 1 of its dependencies anyways
|
|
||||||
sudo dnf install tuned -y
|
|
||||||
|
|
||||||
virt_type=$(virt-what)
|
|
||||||
if [ "$virt_type" = '' ]; then
|
|
||||||
output 'Virtualization: Bare Metal.'
|
|
||||||
elif [ "$virt_type" = 'openvz lxc' ]; then
|
|
||||||
output 'Virtualization: OpenVZ 7.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM on AWS.'
|
|
||||||
else
|
|
||||||
output "Virtualization: $virt_type."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Setup tuned
|
# Setup tuned
|
||||||
if [ "$virt_type" = '' ]; then
|
sudo dnf install -y tuned
|
||||||
sudo tuned-adm profile latency-performance
|
sudo systemctl enable --now tuned
|
||||||
if [ "$virt_type" = 'kvm' ]; then
|
|
||||||
sudo dnf install qemu-guest-agent -y
|
if [ "$virtualization" = 'none' ]; then
|
||||||
fi
|
sudo tuned-adm profile latency-performance
|
||||||
else
|
else
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup real-ucode and hardened_malloc
|
# Setup real-ucode and hardened_malloc
|
||||||
if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
|
||||||
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
|
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
|
||||||
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
||||||
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
|
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
|
||||||
sudo dnf install real-ucode -y
|
sudo dnf install real-ucode -y
|
||||||
sudo dracut -f
|
sudo dracut -f
|
||||||
elif [ "$virt_type" != '' ]; then
|
elif [ "$virtualization" != 'none' ]; then
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
|
||||||
sudo dnf install hardened_malloc -y
|
sudo dnf install hardened_malloc -y
|
||||||
else
|
else
|
||||||
@ -212,13 +205,27 @@ elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
|
|||||||
sudo dnf install hardened_malloc -y
|
sudo dnf install hardened_malloc -y
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup fwupd
|
# Setup networking
|
||||||
if [ "$virt_type" = '' ]; then
|
sudo firewall-cmd --permanent --remove-service=cockpit
|
||||||
sudo dnf install fwupd -y
|
sudo firewall-cmd --reload
|
||||||
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
sudo firewall-cmd --lockdown-on
|
||||||
sudo systemctl restart fwupd
|
|
||||||
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl enable --now fwupd-refresh.timer
|
sudo systemctl restart NetworkManager
|
||||||
fi
|
|
||||||
|
# irqbalance hardening
|
||||||
|
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
|
||||||
|
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl restart irqbalance
|
||||||
|
|
||||||
|
# Setup notices
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
|
||||||
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
|
||||||
|
|
||||||
|
# Final notes to the user
|
||||||
|
output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'
|
||||||
|
output 'nmcli con mod <interface name> ipv4.dns 127.0.0.1'
|
||||||
|
output 'nmcli con mod <interface name> ipv6.dns ::1'
|
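Review bot: `mkdir -p /etc/systemd/system/fwupd-refresh.service.d` in the moved fwupd block runs without `sudo`, unlike `sudo mkdir -p /etc/systemd/system/NetworkManager.service.d` later in the same file; since every other privileged step is wrapped in sudo the script appears to run as an unprivileged user, so on a bare-metal host this mkdir fails and the following `sudo tee .../fwupd-refresh.service.d/override.conf` has no directory to write into. The identical line is in the third file's fwupd block. Separately, `virtualization=$(systemd-detect-virt)` at the top of all three files: systemd-detect-virt exits non-zero when it prints `none`, so if these scripts run under `set -e` (not visible in the hunk) the assignment aborts on exactly the bare-metal hosts the fwupd branch targets; `virtualization=$(systemd-detect-virt || true)` keeps the output and survives the status.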
@ -24,40 +24,25 @@ unpriv(){
|
|||||||
sudo -u nobody "$@"
|
sudo -u nobody "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
install_options(){
|
virtualization=$(systemd-detect-virt)
|
||||||
output "Are you using a Parallels Virtual Machine?"
|
|
||||||
output "[1] Yes"
|
|
||||||
output "[2] No"
|
|
||||||
read -r choice
|
|
||||||
case $choice in
|
|
||||||
1 ) parallels=1
|
|
||||||
;;
|
|
||||||
2 ) parallels=0
|
|
||||||
;;
|
|
||||||
* ) output "You did not enter a valid selection."
|
|
||||||
install_options
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
install_options
|
|
||||||
|
|
||||||
# Compliance and updates
|
# Compliance and updates
|
||||||
sudo systemctl mask debug-shell.service
|
sudo systemctl mask debug-shell.service
|
||||||
|
|
||||||
# Make home directory private
|
|
||||||
sudo chmod 700 /home/*
|
|
||||||
|
|
||||||
# Setting umask to 077
|
# Setting umask to 077
|
||||||
umask 077
|
umask 077
|
||||||
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
|
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
|
||||||
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
|
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
|
||||||
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
|
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
|
||||||
|
|
||||||
|
# Make home directory private
|
||||||
|
sudo chmod 700 /home/*
|
||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
sudo systemctl disable --now systemd-timesyncd
|
sudo systemctl disable --now systemd-timesyncd
|
||||||
sudo systemctl mask systemd-timesyncd
|
sudo systemctl mask systemd-timesyncd
|
||||||
|
|
||||||
if [ "${parallels}" = "0" ]; then
|
if [ "${virtualization}" = "parallels" ]; then
|
||||||
sudo apt install -y chrony
|
sudo apt install -y chrony
|
||||||
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
|
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
|
||||||
sudo systemctl restart chronyd
|
sudo systemctl restart chronyd
|
||||||
@ -126,16 +111,12 @@ sudo systemctl mask whoopsie.service
|
|||||||
sudo systemctl disable --now whoopsie.path
|
sudo systemctl disable --now whoopsie.path
|
||||||
sudo systemctl mask whoopsie.path
|
sudo systemctl mask whoopsie.path
|
||||||
|
|
||||||
# Update packages and firmware
|
# Update packages
|
||||||
sudo apt update -y
|
sudo apt update -y
|
||||||
sudo apt full-upgrade -y
|
sudo apt full-upgrade -y
|
||||||
sudo fwupdmgr get-devices
|
|
||||||
sudo fwupdmgr refresh --force
|
|
||||||
sudo fwupdmgr get-updates -y
|
|
||||||
sudo fwupdmgr update -y
|
|
||||||
|
|
||||||
## Avoid phased updates
|
## Avoid phased updates
|
||||||
sudo apt install curl -y
|
sudo apt install -y curl
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
|
||||||
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
||||||
|
|
||||||
@ -155,6 +136,11 @@ sudo rm -rf /usr/share/hplip
|
|||||||
sudo apt install -y gnome-console gnome-software-plugin-flatpak
|
sudo apt install -y gnome-console gnome-software-plugin-flatpak
|
||||||
sudo snap install gnome-text-editor
|
sudo snap install gnome-text-editor
|
||||||
|
|
||||||
|
# Install appropriate virtualization drivers
|
||||||
|
if [ "$virtualization" = 'kvm' ]; then
|
||||||
|
sudo apt install -y qemu-guest-agent spice-vdagent
|
||||||
|
fi
|
||||||
|
|
||||||
# Setup Flatpak
|
# Setup Flatpak
|
||||||
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
|
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
|
||||||
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
|
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
|
||||||
@ -202,34 +188,23 @@ fi
|
|||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
sudo systemctl enable --now fstrim.timer
|
sudo systemctl enable --now fstrim.timer
|
||||||
|
|
||||||
# Installing tuned first here because virt-what is 1 of its dependencies anyways
|
### Differentiating bare metal and virtual installs
|
||||||
sudo apt install tuned -y
|
|
||||||
virt_type=$(virt-what)
|
|
||||||
if [ "$virt_type" = '' ]; then
|
|
||||||
output 'Virtualization: Bare Metal.'
|
|
||||||
elif [ "$virt_type" = 'openvz lxc' ]; then
|
|
||||||
output 'Virtualization: OpenVZ 7.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM on AWS.'
|
|
||||||
else
|
|
||||||
output "Virtualization: $virt_type."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Setup tuned
|
# Setup tuned
|
||||||
if [ "$virt_type" = '' ]; then
|
if [ "$virtualization" = 'none' ]; then
|
||||||
# Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO.
|
output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
|
||||||
sudo apt remove tuned -y
|
|
||||||
sudo apt autoremove -y
|
|
||||||
else
|
else
|
||||||
if [ "$virt_type" = 'kvm' ]; then
|
sudo apt purge -y power-profiles-daemon
|
||||||
sudo apt install qemu-guest-agent -y
|
sudo apt install -y tuned
|
||||||
fi
|
systemctl enable --now tuned
|
||||||
sudo tuned-adm profile virtual-guest
|
sudo tuned-adm profile virtual-guest
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup Networking
|
# Setup fwupd
|
||||||
|
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
||||||
|
sudo systemctl restart fwupd
|
||||||
|
|
||||||
|
# Setup networking
|
||||||
|
|
||||||
# UFW Snap is strictly confined, unlike its .deb counterpart
|
# UFW Snap is strictly confined, unlike its .deb counterpart
|
||||||
sudo apt purge -y ufw
|
sudo apt purge -y ufw
|
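Review bot: The NTS condition `if [ "${virtualization}" = "parallels" ]; then` looks inverted relative to the prompt it replaces: the old `parallels=0` branch ran when the user answered "No", i.e. chrony was installed everywhere except on Parallels, whereas the new test installs chrony only on Parallels guests. Unless the intent changed with this commit, it should read `if [ "${virtualization}" != "parallels" ]; then`; the else branch of this block lies outside the hunk. In the tuned hunk, `systemctl enable --now tuned` is the one privileged command without `sudo` (the server script's equivalent line has it), so enabling the unit will fail for a non-root user.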
||||||
|
@ -24,20 +24,22 @@ unpriv(){
|
|||||||
sudo -u nobody "$@"
|
sudo -u nobody "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
virtualization=$(systemd-detect-virt)
|
||||||
|
|
||||||
# Compliance and updates
|
# Compliance and updates
|
||||||
sudo systemctl mask debug-shell.service
|
sudo systemctl mask debug-shell.service
|
||||||
echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue
|
echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue
|
||||||
echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net
|
echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net
|
||||||
|
|
||||||
# Make home directory private
|
|
||||||
sudo chmod 700 /home/*
|
|
||||||
|
|
||||||
# Setting umask to 077
|
# Setting umask to 077
|
||||||
umask 077
|
umask 077
|
||||||
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
|
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
|
||||||
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
|
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
|
||||||
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
|
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
|
||||||
|
|
||||||
|
# Make home directory private
|
||||||
|
sudo chmod 700 /home/*
|
||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
sudo systemctl disable --now systemd-timesyncd
|
sudo systemctl disable --now systemd-timesyncd
|
||||||
sudo systemctl mask systemd-timesyncd
|
sudo systemctl mask systemd-timesyncd
|
||||||
@ -95,56 +97,37 @@ sudo apt full-upgrade -y
|
|||||||
sudo apt autoremove -y
|
sudo apt autoremove -y
|
||||||
|
|
||||||
## Install basic sysadmin tools
|
## Install basic sysadmin tools
|
||||||
sudo apt install nano iputils-ping
|
sudo apt install -y nano iputils-ping
|
||||||
|
|
||||||
#Setup fwupd
|
# Install appropriate virtualization drivers
|
||||||
sudo apt install fwupd -y
|
if [ "$virtualization" = 'kvm' ]; then
|
||||||
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
sudo apt install -y qemu-guest-agent
|
||||||
echo '[Service]
|
fi
|
||||||
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
|
||||||
sudo systemctl daemon-reload
|
|
||||||
sudo systemctl enable --now fwupd-refresh.timer
|
|
||||||
|
|
||||||
# Enable fstrim.timer
|
# Enable fstrim.timer
|
||||||
sudo systemctl enable --now fstrim.timer
|
sudo systemctl enable --now fstrim.timer
|
||||||
|
|
||||||
### Differentiating bare metal and virtual installs
|
### Differentiating bare metal and virtual installs
|
||||||
|
|
||||||
# Installing tuned first here because virt-what is 1 of its dependencies anyways
|
|
||||||
sudo apt install tuned -y
|
|
||||||
|
|
||||||
virt_type=$(virt-what)
|
|
||||||
if [ "$virt_type" = "" ]; then
|
|
||||||
output 'Virtualization: Bare Metal.'
|
|
||||||
elif [ "$virt_type" = 'openvz lxc' ]; then
|
|
||||||
output 'Virtualization: OpenVZ 7.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM.'
|
|
||||||
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
|
|
||||||
output 'Virtualization: Xen-HVM on AWS.'
|
|
||||||
else
|
|
||||||
output "Virtualization: $virt_type."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Setup tuned
|
# Setup tuned
|
||||||
if [ "$virt_type" = "" ]; then
|
sudo apt install -y tuned
|
||||||
sudo tuned-adm profile latency-performance
|
sudo systemctl enable --now tuned
|
||||||
|
|
||||||
|
if [ "$virtualization" = 'none' ]; then
|
||||||
|
sudo tuned-adm profile latency-performance
|
||||||
else
|
else
|
||||||
if [ "$virt_type" = 'kvm' ]; then
|
sudo tuned-adm profile virtual-guest
|
||||||
sudo apt install qemu-guest-agent -y
|
|
||||||
fi
|
|
||||||
sudo tuned-adm profile virtual-guest
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup fwupd
|
# Setup fwupd
|
||||||
if [ "$virt_type" = '' ]; then
|
if [ "$virtualization" = 'none' ]; then
|
||||||
sudo apt install fwupd -y
|
sudo apt install -y fwupd
|
||||||
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
|
||||||
sudo systemctl restart fwupd
|
sudo systemctl restart fwupd
|
||||||
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
|
||||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
sudo systemctl enable --now fwupd-refresh.timer
|
sudo systemctl enable --now fwupd-refresh.timer
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup unbound
|
# Setup unbound
|
||||||
@ -220,7 +203,7 @@ sudo systemctl daemon-reload
|
|||||||
sudo systemctl restart unbound
|
sudo systemctl restart unbound
|
||||||
sudo systemctl disable systemd-resolved
|
sudo systemctl disable systemd-resolved
|
||||||
|
|
||||||
# Setup Networking
|
# Setup networking
|
||||||
|
|
||||||
# UFW Snap is strictly confined, unlike its .deb counterpart
|
# UFW Snap is strictly confined, unlike its .deb counterpart
|
||||||
sudo apt purge -y ufw
|
sudo apt purge -y ufw
|
||||||
|