1
0
mirror of https://github.com/tommytran732/Linux-Setup-Scripts synced 2024-11-09 19:51:34 -05:00

Compare commits

..

No commits in common. "3e97fd298cc03bb43791a1a7f76f41247d8ee6d3" and "1cca00f2377df8783445a31251d04393e7e6f070" have entirely different histories.

6 changed files with 249 additions and 216 deletions

View File

@ -24,8 +24,6 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
virtualization=$(systemd-detect-virt)
# Increase compression level # Increase compression level
sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
@ -97,78 +95,69 @@ unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/m
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/* sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
# Setup automatic updates
sudo dnf install -y dnf-automatic
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
# Remove unnecessary packages # Remove unnecessary packages
sudo dnf remove -y cockpit* sudo dnf remove -y cockpit*
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent
fi
# Setup unbound
sudo dnf install unbound -y
unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/unbound/unbound.conf | sudo tee /etc/unbound/unbound.conf
sudo mkdir /etc/systemd/system/unbound.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/Fedora-CoreOS-Ignition/main/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf
sudo systemctl enable --now unbound
sudo systemctl disable systemd-resolved
# Setup fwupd # Setup fwupd
if [ "$virtualization" = 'none' ]; then echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo dnf install -y fwupd sudo systemctl restart fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
fi
# Enable auto TRIM # Enable auto TRIM
sudo systemctl enable fstrim.timer sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Setup tuned # Installing tuned first here because virt-what is 1 of its dependencies anyways
sudo dnf install -y tuned sudo dnf install tuned -y
sudo systemctl enable --now tuned sudo systemctl enable --now tuned
if [ "$virtualization" = 'none' ]; then virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned
if [ "$virt_type" = '' ]; then
sudo tuned-adm profile latency-performance sudo tuned-adm profile latency-performance
else else
if [ "$virt_type" = 'kvm' ]; then
sudo dnf install qemu-guest-agent -y
fi
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode and hardened_malloc # Setup real-ucode and hardened_malloc
MACHINE_TYPE=$(uname -m) MACHINE_TYPE=$(uname -m)
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install -y real-ucode sudo dnf install real-ucode -y
sudo dracut -f sudo dracut -f
elif [ "$virtualization" != 'none' ]; then elif [ "$virt_type" != '' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
sudo dnf install -y hardened_malloc sudo dnf install hardened_malloc -y
else else
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
sudo dnf install -y real-ucode hardened_malloc sudo dnf install real-ucode hardened_malloc -y
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo dracut -f sudo dracut -f
fi fi
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
sudo dnf copr enable secureblue/hardened_malloc -y sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install -y hardened_malloc sudo dnf install hardened_malloc -y
fi fi
# Setup networking # Setup Networking
sudo firewall-cmd --permanent --remove-service=cockpit sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on sudo firewall-cmd --lockdown-on
@ -178,15 +167,6 @@ unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart NetworkManager sudo systemctl restart NetworkManager
# irqbalance hardening
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Setup notices # Setup notices
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
# Final notes to the user
output 'Server setup complete. To use unbound for DNS, you need to reboot.'

View File

@ -24,7 +24,22 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
virtualization=$(systemd-detect-virt) install_options(){
output "Are you using a Parallels Virtual Machine?"
output "[1] Yes"
output "[2] No"
read -r choice
case $choice in
1 ) parallels=1
;;
2 ) parallels=0
;;
* ) output "You did not enter a valid selection."
install_options
esac
}
install_options
# Increase compression level # Increase compression level
sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab sudo sed -i 's/zstd:1/zstd:3/g' /etc/fstab
@ -44,7 +59,7 @@ sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
sudo chmod 700 /home/* sudo chmod 700 /home/*
# Setup NTS # Setup NTS
if [ "${virtualization}" = 'parallels' ]; then if [ "${parallels}" = '1' ]; then
sudo dnf -y remove chrony sudo dnf -y remove chrony
else else
sudo rm -rf /etc/chrony.conf sudo rm -rf /etc/chrony.conf
@ -76,14 +91,14 @@ sudo dracut -f
sudo sysctl -p sudo sysctl -p
if sudo bootctl status | grep -q systemd-boot; then if sudo bootctl status | grep -q systemd-boot; then
if [ "${virtualization}" = 'parallels' ]; then if [ "${parallels}" = '1' ]; then
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline
else else
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline
fi fi
sudo dnf reinstall -y kernel-core sudo dnf reinstall -y kernel-core
else else
if [ "${virtualization}" = 'parallels' ]; then if [ "${parallels}" = '1' ]; then
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off' sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off'
else else
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1' sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
@ -151,7 +166,7 @@ sudo dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gn
gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem
# Remove apps # Remove apps
sudo dnf remove -y abrt cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp sudo dnf remove -y cheese evince file-roller* libreoffice* mediawriter rhythmbox yelp
# Remove other packages # Remove other packages
sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
@ -165,11 +180,6 @@ sudo dnf -y upgrade
# Install packages that I use # Install packages that I use
sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo sudo dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-background-logo
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent spice-vdagent
fi
# Setup Flatpak # Setup Flatpak
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
@ -208,39 +218,58 @@ sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Setup tuned # Installing tuned first here because virt-what is 1 of its dependencies anyways
if [ "$virtualization" = 'none' ]; then sudo dnf install tuned -y
output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it." sudo systemctl enable --now tuned
virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else else
sudo dnf remove -y power-profiles-daemon output "Virtualization: $virt_type."
sudo dnf install -y tuned fi
sudo systemctl enable --now tuned
# Setup tuned
if [ "$virt_type" = '' ]; then
# Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO.
sudo systemctl disable --now tuned
sudo dnf remove tuned -y
else
if [ "$virt_type" = 'kvm' ]; then
sudo dnf install qemu-guest-agent -y
fi
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode and hardened_malloc # Setup real-ucode and hardened_malloc
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install -y 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install -y real-ucode sudo dnf install real-ucode -y
sudo dracut -f sudo dracut -f
elif [ "$virtualization" != 'none' ]; then elif [ "$virt_type" != '' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
sudo dnf install -y hardened_malloc sudo dnf install hardened_malloc -y
else else
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
sudo dnf install -y real-ucode hardened_malloc sudo dnf install real-ucode hardened_malloc -y
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo dracut -f sudo dracut -f
fi fi
elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
sudo dnf copr enable secureblue/hardened_malloc -y sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install -y hardened_malloc sudo dnf install hardened_malloc -y
fi fi
# Setup networking # Setup Networking
sudo firewall-cmd --set-default-zone=block sudo firewall-cmd --set-default-zone=block
sudo firewall-cmd --permanent --add-service=dhcpv6-client sudo firewall-cmd --permanent --add-service=dhcpv6-client
sudo firewall-cmd --reload sudo firewall-cmd --reload

View File

@ -2,20 +2,10 @@
My setup scripts for my workstations. You should edit the scripts to your liking before running it. My setup scripts for my workstations. You should edit the scripts to your liking before running it.
Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide. <br /> Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide. <br />
The printing stack (cups) is removed as I do not use it. The printing stack (cups) is removed as I do not use it. Bluetooth is disabled by KickSecure's kernel module blacklist.
Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org
## Notes on DNS handling
For desktop installations, the assumption here is that you will use a VPN of some sort for your privacy. No custom DNS server will be configured, as websites [can detect](https://www.dnsleaktest.com/) that you are using a different DNS server from your VPN provider's server.
For server installations (except Proxmox), Unbound will be configured to handle local DNSSEC validation. The difference in the scripts on how this is set up are because of the following reasons:
- Each distribution needs its own Unbound configuration due to version differences and how each distro package it.
- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
# Arch Linux # Arch Linux
Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br /> Check out this repository: https://github.com/tommytran732/Arch-Setup-Script <br />
@ -26,4 +16,3 @@ Checkout this repository: https://github.com/tommytran732/QubesOS-Scripts <br />
# Fedora CoreOS # Fedora CoreOS
Checkout this repository: https://github.com/tommytran732/Fedora-CoreOS-Ignition Checkout this repository: https://github.com/tommytran732/Fedora-CoreOS-Ignition

151
RHEL-9.sh
View File

@ -22,28 +22,25 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
virtualization=$(systemd-detect-virt)
# Compliance # Compliance
sudo systemctl mask debug-shell.service sudo systemctl mask debug-shell.service
sudo systemctl mask kdump.service sudo systemctl mask kdump.service
# Setting umask to 077
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS # Setup NTS
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
sudo systemctl restart chronyd sudo systemctl restart chronyd
# Make home directory private
sudo chmod 700 /home/*
# Setup Firewalld
sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on
# Remove nullok # Remove nullok
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
@ -56,47 +53,47 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart sshd sudo systemctl restart sshd
# Security kernel settings # Kernel hardening
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
sudo sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf sudo sed -i 's/# install bluetooth/install bluetooth/g' /etc/modprobe.d/30_security-misc.conf
sudo sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf sudo sed -i 's/# install btusb/install btusb/g' /etc/modprobe.d/30_security-misc.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/10-security-misc.conf
sudo chmod 644 /etc/sysctl.d/990-security-misc.conf sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/10-security-misc.conf
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/10-security-misc.conf
sudo sed -i 's/net.ipv4.icmp_echo_ignore_all=1/net.ipv4.icmp_echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/10-security-misc.conf
sudo sed -i 's/net.ipv6.icmp.echo_ignore_all=1/net.ipv6.icmp.echo_ignore_all=0/g' /etc/sysctl.d/990-security-misc.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf unpriv curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
sudo dracut -f sudo dracut -f
sudo sysctl -p sudo sysctl -p
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
# Disable coredump # Disable coredump
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
# Setup DNF # Systemd Hardening
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Remove packages
sudo dnf remove baobab chrome-gnome-shell evince firefox gedit gnome-calculator gnome-characters gnome-font-viewer gnome-screenshot gnome-tour qemu-guest-agent 'sssd*' 'yelp*'
# Setup dnf
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/* sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
# Setup automatic updates
sudo dnf install -y dnf-automatic
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
# Remove unnecessary packages
sudo dnf remove -y cockpit*
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent
fi
# Setup unbound # Setup unbound
sudo dnf install unbound -y sudo dnf install unbound -y
echo 'server: echo 'server:
@ -157,41 +154,51 @@ sudo dnf install -y yara
sudo insights-client --collector malware-detection sudo insights-client --collector malware-detection
sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
# Setup fwupd # Setup automatic updates
if [ "$virtualization" = 'none' ]; then
sudo dnf install -y fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
fi
# Enable auto TRIM sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable fstrim.timer sudo systemctl enable --now dnf-automatic.timer
# Enable fstrim.timer
sudo systemctl enable --now fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Setup tuned # Installing tuned first here because virt-what is 1 of its dependencies anyways
sudo dnf install -y tuned sudo dnf install tuned -y
sudo systemctl enable --now tuned
if [ "$virtualization" = 'none' ]; then virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned
if [ "$virt_type" = '' ]; then
sudo tuned-adm profile latency-performance sudo tuned-adm profile latency-performance
if [ "$virt_type" = 'kvm' ]; then
sudo dnf install qemu-guest-agent -y
fi
else else
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup real-ucode and hardened_malloc # Setup real-ucode and hardened_malloc
if [ "$virtualization" = 'none' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then if [ "$virt_type" = '' ] || [ "${MACHINE_TYPE}" == 'x86_64' ]; then
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
if [ "${MACHINE_TYPE}" != 'x86_64' ]; then if [ "${MACHINE_TYPE}" != 'x86_64' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware
sudo dnf install real-ucode -y sudo dnf install real-ucode -y
sudo dracut -f sudo dracut -f
elif [ "$virtualization" != 'none' ]; then elif [ "$virt_type" != '' ]; then
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,hardened_malloc
sudo dnf install hardened_malloc -y sudo dnf install hardened_malloc -y
else else
@ -205,27 +212,13 @@ elif [ "${MACHINE_TYPE}" == 'aarch64' ]; then
sudo dnf install hardened_malloc -y sudo dnf install hardened_malloc -y
fi fi
# Setup networking # Setup fwupd
sudo firewall-cmd --permanent --remove-service=cockpit if [ "$virt_type" = '' ]; then
sudo firewall-cmd --reload sudo dnf install fwupd -y
sudo firewall-cmd --lockdown-on echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d mkdir -p /etc/systemd/system/fwupd-refresh.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl restart NetworkManager sudo systemctl enable --now fwupd-refresh.timer
fi
# irqbalance hardening
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Setup notices
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
# Final notes to the user
output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'
output 'nmcli con mod <interface name> ipv4.dns 127.0.0.1'
output 'nmcli con mod <interface name> ipv6.dns ::1'

View File

@ -24,25 +24,40 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
virtualization=$(systemd-detect-virt) install_options(){
output "Are you using a Parallels Virtual Machine?"
output "[1] Yes"
output "[2] No"
read -r choice
case $choice in
1 ) parallels=1
;;
2 ) parallels=0
;;
* ) output "You did not enter a valid selection."
install_options
esac
}
install_options
# Compliance and updates # Compliance and updates
sudo systemctl mask debug-shell.service sudo systemctl mask debug-shell.service
# Make home directory private
sudo chmod 700 /home/*
# Setting umask to 077 # Setting umask to 077
umask 077 umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS # Setup NTS
sudo systemctl disable --now systemd-timesyncd sudo systemctl disable --now systemd-timesyncd
sudo systemctl mask systemd-timesyncd sudo systemctl mask systemd-timesyncd
if [ "${virtualization}" = "parallels" ]; then if [ "${parallels}" = "0" ]; then
sudo apt install -y chrony sudo apt install -y chrony
unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony/chrony.conf
sudo systemctl restart chronyd sudo systemctl restart chronyd
@ -111,12 +126,16 @@ sudo systemctl mask whoopsie.service
sudo systemctl disable --now whoopsie.path sudo systemctl disable --now whoopsie.path
sudo systemctl mask whoopsie.path sudo systemctl mask whoopsie.path
# Update packages # Update packages and firmware
sudo apt update -y sudo apt update -y
sudo apt full-upgrade -y sudo apt full-upgrade -y
sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates -y
sudo fwupdmgr update -y
## Avoid phased updates ## Avoid phased updates
sudo apt install -y curl sudo apt install curl -y
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
@ -136,11 +155,6 @@ sudo rm -rf /usr/share/hplip
sudo apt install -y gnome-console gnome-software-plugin-flatpak sudo apt install -y gnome-console gnome-software-plugin-flatpak
sudo snap install gnome-text-editor sudo snap install gnome-text-editor
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo apt install -y qemu-guest-agent spice-vdagent
fi
# Setup Flatpak # Setup Flatpak
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
@ -188,23 +202,34 @@ fi
# Enable fstrim.timer # Enable fstrim.timer
sudo systemctl enable --now fstrim.timer sudo systemctl enable --now fstrim.timer
### Differentiating bare metal and virtual installs # Installing tuned first here because virt-what is 1 of its dependencies anyways
sudo apt install tuned -y
virt_type=$(virt-what)
if [ "$virt_type" = '' ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned # Setup tuned
if [ "$virtualization" = 'none' ]; then if [ "$virt_type" = '' ]; then
output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it." # Don't know whether using tuned would be a good idea on a laptop, power-profiles-daemon should be handling performance tuning IMO.
sudo apt remove tuned -y
sudo apt autoremove -y
else else
sudo apt purge -y power-profiles-daemon if [ "$virt_type" = 'kvm' ]; then
sudo apt install -y tuned sudo apt install qemu-guest-agent -y
systemctl enable --now tuned fi
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup fwupd # Setup Networking
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
# Setup networking
# UFW Snap is strictly confined, unlike its .deb counterpart # UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw sudo apt purge -y ufw

View File

@ -24,22 +24,20 @@ unpriv(){
sudo -u nobody "$@" sudo -u nobody "$@"
} }
virtualization=$(systemd-detect-virt)
# Compliance and updates # Compliance and updates
sudo systemctl mask debug-shell.service sudo systemctl mask debug-shell.service
echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue
echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net echo 'Authorized uses only. All activity may be monitored and reported.' | sudo tee /etc/issue.net
# Make home directory private
sudo chmod 700 /home/*
# Setting umask to 077 # Setting umask to 077
umask 077 umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs sudo sed -i 's/^USERGROUPS_ENAB.*/USERGROUPS_ENAB no/g' /etc/login.defs
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS # Setup NTS
sudo systemctl disable --now systemd-timesyncd sudo systemctl disable --now systemd-timesyncd
sudo systemctl mask systemd-timesyncd sudo systemctl mask systemd-timesyncd
@ -97,31 +95,50 @@ sudo apt full-upgrade -y
sudo apt autoremove -y sudo apt autoremove -y
## Install basic sysadmin tools ## Install basic sysadmin tools
sudo apt install -y nano iputils-ping sudo apt install nano iputils-ping
# Install appropriate virtualization drivers #Setup fwupd
if [ "$virtualization" = 'kvm' ]; then sudo apt install fwupd -y
sudo apt install -y qemu-guest-agent mkdir -p /etc/systemd/system/fwupd-refresh.service.d
fi echo '[Service]
ExecStart=/usr/bin/fwupdmgr update' | tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
# Enable fstrim.timer # Enable fstrim.timer
sudo systemctl enable --now fstrim.timer sudo systemctl enable --now fstrim.timer
### Differentiating bare metal and virtual installs ### Differentiating bare metal and virtual installs
# Setup tuned # Installing tuned first here because virt-what is 1 of its dependencies anyways
sudo apt install -y tuned sudo apt install tuned -y
sudo systemctl enable --now tuned
if [ "$virtualization" = 'none' ]; then virt_type=$(virt-what)
if [ "$virt_type" = "" ]; then
output 'Virtualization: Bare Metal.'
elif [ "$virt_type" = 'openvz lxc' ]; then
output 'Virtualization: OpenVZ 7.'
elif [ "$virt_type" = 'xen xen-hvm' ]; then
output 'Virtualization: Xen-HVM.'
elif [ "$virt_type" = 'xen xen-hvm aws' ]; then
output 'Virtualization: Xen-HVM on AWS.'
else
output "Virtualization: $virt_type."
fi
# Setup tuned
if [ "$virt_type" = "" ]; then
sudo tuned-adm profile latency-performance sudo tuned-adm profile latency-performance
else else
if [ "$virt_type" = 'kvm' ]; then
sudo apt install qemu-guest-agent -y
fi
sudo tuned-adm profile virtual-guest sudo tuned-adm profile virtual-guest
fi fi
# Setup fwupd # Setup fwupd
if [ "$virtualization" = 'none' ]; then if [ "$virt_type" = '' ]; then
sudo apt install -y fwupd sudo apt install fwupd -y
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd sudo systemctl restart fwupd
mkdir -p /etc/systemd/system/fwupd-refresh.service.d mkdir -p /etc/systemd/system/fwupd-refresh.service.d
@ -203,7 +220,7 @@ sudo systemctl daemon-reload
sudo systemctl restart unbound sudo systemctl restart unbound
sudo systemctl disable systemd-resolved sudo systemctl disable systemd-resolved
# Setup networking # Setup Networking
# UFW Snap is strictly confined, unlike its .deb counterpart # UFW Snap is strictly confined, unlike its .deb counterpart
sudo apt purge -y ufw sudo apt purge -y ufw