first commit

This commit is contained in:
titanz 2025-01-27 23:04:14 +01:00
commit 938b3e730e
Signed by: titanz
GPG Key ID: EABC72179C71D4F5
42 changed files with 1454 additions and 0 deletions


@ -0,0 +1,39 @@
name: ShellCheck
on:
workflow_dispatch:
push:
branches:
- master
- main
paths-ignore:
- '**.gitignore'
- '**.md'
- 'LICENSE'
- '**.conf'
- '**.service'
- '**.timer'
- '**.path'
- '**.list'
pull_request:
paths-ignore:
- '**.gitignore'
- '**.md'
- 'LICENSE'
- '**.conf'
- '**.service'
- '**.timer'
- '**.path'
- '**.list'
jobs:
shellcheck:
name: Shell syntax checker
runs-on: ubuntu-24.04
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
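Review bot: `uses: ludeeus/action-shellcheck@master` pulls a third-party action from a moving branch, so whatever is pushed to that branch next runs in this workflow with the repository checkout available to it; `actions/checkout@v4` is likewise a mutable tag. Pin both to a full commit SHA with the version as a trailing comment, e.g. `uses: ludeeus/action-shellcheck@<commit-sha>  # <release tag>`, and let Dependabot/Renovate bump the SHA. The `permissions: contents: read` block is the right minimal grant and should stay as the job-level default when further steps are added.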

Fedora-Server-40.sh Normal file

@ -0,0 +1,193 @@
#!/bin/sh
# Copyright (C) 2021-2025 Lukas Raub
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
set -eu
output(){
printf '\e[1;34m%-6s\e[m\n' "${@}"
}
unpriv(){
sudo -u nobody "$@"
}
virtualization=$(systemd-detect-virt)
# Increase compression level
sudo sed -i 's/zstd:1/zstd/g' /etc/fstab
# Compliance
sudo systemctl mask debug-shell.service
sudo systemctl mask kdump.service
# Setting umask to 077
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS
sudo rm -rf /etc/chrony.conf
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf > /dev/null
sudo chmod 644 /etc/chrony.conf
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd > /dev/null
sudo chmod 544 /etc/sysconfig/chronyd
sudo systemctl restart chronyd
# Remove nullok
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
# Harden SSH
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/sshd_config.d/10-custom.conf | sudo tee /etc/ssh/sshd_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d/
sudo chmod 755 /etc/systemd/system/sshd.service.d/
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/override.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/sshd.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl restart sshd
# Security kernel settings
unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
sudo chmod 644 /etc/sysctl.d/99-server.conf
sudo dracut -f
sudo sysctl -p
if [ -d /usr/lib/systemd/boot/efi ]; then
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200 root/g' /etc/kernel/cmdline
sudo dnf reinstall -y kernel-core
else
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
fi
# Disable coredump
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
sudo chmod 644 /etc/security/limits.d/30-disable-coredump.conf
sudo mkdir -p /etc/systemd/coredump.conf.d
sudo chmod 755 /etc/systemd/coredump.conf.d
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf > /dev/null
sudo chmod 644 /etc/systemd/coredump.conf.d/disable.conf
# Setup ZRAM
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/zram-generator.conf | sudo tee /etc/systemd/zram-generator.conf > /dev/null
sudo chmod 644 /etc/systemd/zram-generator.conf
# Setup DNF
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf > /dev/null
sudo chmod 644 /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
# Setup automatic updates
sudo dnf install -y dnf-automatic
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
# Remove unnecessary packages
sudo dnf remove -y cockpit*
# Install hardened_malloc
sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install -y hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo chmod 644 /etc/ld.so.preload
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent
fi
# Setup unbound
sudo dnf install unbound -y
unpriv curl -s https://git.conorz.at/titanz/Fedora-CoreOS-Ignition/raw/branch/development/etc/unbound/unbound.conf | sudo tee /etc/unbound/unbound.conf > /dev/null
sudo sed -i 's; ip-transparent: yes;# ip-transparent: yes;g' /etc/unbound/unbound.conf
sudo sed -i 's; interface: 127.0.0.1;# interface: 127.0.0.1;g' /etc/unbound/unbound.conf
sudo sed -i 's; interface: ::1;# interface: ::1;g' /etc/unbound/unbound.conf
sudo sed -i 's; interface: 242.242.0.1;# interface: 242.242.0.1;g' /etc/unbound/unbound.conf
sudo sed -i 's; access-control: 242.242.0.0/16 allow;# access-control: 242.242.0.0/16 allow;g' /etc/unbound/unbound.conf
sudo chmod 644 /etc/unbound/unbound.conf
sudo mkdir /etc/systemd/system/unbound.service.d
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
sudo systemctl enable --now unbound
sudo systemctl disable systemd-resolved
### Differentiating bare metal and virtual installs
# Enable auto TRIM
sudo systemctl enable fstrim.timer
# Setup fwupd
if [ "$virtualization" = 'none' ]; then
sudo dnf install -y fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
mkdir -p /etc/systemd/system/fwupd-refresh.service.d
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
else
sudo dnf remove -y fwupd
fi
# Setup tuned
sudo dnf install -y tuned
sudo systemctl enable --now tuned
if [ "$virtualization" = 'none' ]; then
sudo tuned-adm profile latency-performance
else
sudo tuned-adm profile virtual-guest
fi
# Setup networking
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf > /dev/null
sudo chmod 644 /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
# irqbalance hardening
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf > /dev/null
sudo chmod 644 /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Setup notices
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/issue | sudo tee /etc/issue > /dev/null
sudo chmod 644 /etc/issue
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/issue | sudo tee /etc/issue.net > /dev/null
sudo chmod 644 /etc/issue.net
# Final notes to the user
output 'Server setup complete. To use unbound for DNS, you need to reboot.'
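Review bot: Every `unpriv curl -s URL | sudo tee /etc/... > /dev/null` line in this file (chrony.conf, sshd_config.d/10-custom.conf, modprobe.d/server-blacklist.conf, sysctl.d/99-server.conf, the coredump, zram, dnf, unbound, NetworkManager and irqbalance drop-ins, /etc/issue) writes whatever curl returned: `-s` without `-f` turns an HTTP 404/5xx body into configuration content, and under `#!/bin/sh` with `set -eu` the pipeline's status is `tee`'s, so a failed or truncated download replaces a security-relevant file and the script carries on; the same pattern is in Fedora-Workstation-40.sh. The helper below fetches to a temporary file, fails closed on any curl error, and only then installs the file with its mode, replacing each `curl | tee` + `chmod 644` pair with one `fetch_conf URL DEST` call. Two smaller defects in the same hunk: `sed -i 's/\s+nullok//g'` uses `+` in a GNU sed basic regex, where it is a literal character, so the expression never matches ` nullok` — use `'s/[[:space:]]\{1,\}nullok//g'`; and `mkdir -p /etc/systemd/system/fwupd-refresh.service.d` in the fwupd branch runs without `sudo`, so for a non-root invoker it fails and aborts the script under `set -e`. Also `chmod 544 /etc/sysconfig/chronyd` sets the execute bit on a config file that the workstation script installs as 644; 644 looks intended.
```shell
# Fetch $1 over https as an unprivileged user into a temp file and install it
# as $2 with mode ${3:-644}. curl -f makes HTTP errors fatal, and checking the
# status here works under #!/bin/sh, where a `curl | sudo tee` pipeline only
# reports tee's status (no pipefail). Nothing under /etc is touched on failure.
fetch_conf(){
  tmp=$(mktemp) || exit 1
  if ! unpriv curl -sSf --proto '=https' --tlsv1.2 "$1" > "$tmp"; then
    rm -f -- "$tmp"
    exit 1
  fi
  sudo install -m "${3:-644}" -- "$tmp" "$2"
  rm -f -- "$tmp"
}
# … unchanged: rest of the script; each
#   unpriv curl -s URL | sudo tee DEST > /dev/null
#   sudo chmod 644 DEST
# pair becomes:  fetch_conf URL DEST
```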

Fedora-Workstation-40.sh Normal file

@ -0,0 +1,253 @@
#!/bin/sh
# Copyright (C) 2021-2025 Lukas Raub
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
#Please note that this is how I PERSONALLY setup my computer - I do some stuff such as not using anything to download GNOME extensions from extensions.gnome.org and installing the extensions as a package instead
set -eu
output(){
printf '\e[1;34m%-6s\e[m\n' "${@}"
}
unpriv(){
sudo -u nobody "$@"
}
virtualization=$(systemd-detect-virt)
# Increase compression level
sudo sed -i 's/zstd:1/zstd/g' /etc/fstab
# Compliance
sudo systemctl mask debug-shell.service
sudo systemctl mask kdump.service
# Setting umask to 077
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS
if [ "${virtualization}" = 'parallels' ]; then
sudo dnf -y remove chrony
else
sudo rm -rf /etc/chrony.conf
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf > /dev/null
sudo chmod 644 /etc/chrony.conf
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd > /dev/null
sudo chmod 644 /etc/sysconfig/chronyd
sudo systemctl restart chronyd
fi
# Remove nullok
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
# Harden SSH
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
# Security kernel settings
if [ "${virtualization}" = 'parallels' ]; then
unpriv curl -s https://git.conorz.at/titanz/Kernel-Module-Blacklist/raw/branch/development/etc/modprobe.d/workstation-blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
else
unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/workstation-blacklist.conf > /dev/null
fi
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/sysctl.d/99-workstation.conf | sudo tee /etc/sysctl.d/99-workstation.conf > /dev/null
sudo chmod 644 /etc/sysctl.d/99-workstation.conf
sudo dracut -f
sudo sysctl -p
if sudo bootctl status | grep -q systemd-boot; then
if [ "${virtualization}" = 'parallels' ]; then
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off root/g' /etc/kernel/cmdline
else
sudo sed -i 's/quiet root/quiet mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 root/g' /etc/kernel/cmdline
fi
sudo dnf reinstall -y kernel-core
else
if [ "${virtualization}" = 'parallels' ]; then
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off'
else
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1'
fi
fi
# Disable coredump
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
sudo chmod 644 /etc/security/limits.d/30-disable-coredump.conf
sudo mkdir -p /etc/systemd/coredump.conf.d
sudo chmod 755 /etc/systemd/coredump.conf.d
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf > /dev/null
sudo chmod 644 /etc/systemd/coredump.conf.d/disable.conf
# Disable XWayland
sudo mkdir -p /etc/systemd/user/org.gnome.Shell@wayland.service.d
sudo chmod 755 /etc/systemd/user/org.gnome.Shell@wayland.service.d
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/user/org.gnome.Shell%40wayland.service.d/override.conf | sudo tee /etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf
# Disable GJS and WebkitGTK JIT
unpriv curl https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/environment | sudo tee -a /etc/environment
# Setup dconf
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark > /dev/null
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable > /dev/null
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/button-layout | sudo tee /etc/dconf/db/local.d/button-layout > /dev/null
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark > /dev/null
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy > /dev/null
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/touchpad | sudo tee /etc/dconf/db/local.d/touchpad > /dev/null
sudo chmod 644 /etc/dconf/db/local.d/*
mkdir -p /etc/dconf/db/local.d/locks
sudo chmod 755 /etc/dconf/db/local.d/locks
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable > /dev/null
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy > /dev/null
sudo chmod 644 /etc/dconf/db/local.d/locks/*
umask 022
sudo dconf update
umask 077
# Setup ZRAM
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/systemd/zram-generator.conf | sudo tee /etc/systemd/zram-generator.conf > /dev/null
sudo chmod 644 /etc/systemd/zram-generator.conf
# Setup DNF
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/developmentn/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.coraw/branch/development /dev/null
sudo chmod 644 /etc/dnf/dnf.coraw/branch/developmentudo sed -i 's/^metalink=.*/&\&protocol=htraw/branch/developmentaw/branch/development/etc/yum.repos.d/*
raw/branch/developmentmove unwanted groraw/branch/developmentsuraw/branch/developmentnf -y group remove 'Container Managemenraraw/branch/developmentanch/developmentDesktop accessibility' 'Fraw/branch/developmentox Web Browsraw/branch/developmentGuest Desktop Agents' 'LibreOffice' 'Prinraw/branch/development Support'
raw/branch/development/move firefox packagesrraw/branch/development/aw/branch/development -y remove fedora-bookmarks fedora-chromiraw/branch/developmentonfig firmraw/branch/developraw/branch/development/ozilla-filesystemeraw/branch/development/movraw/branch/developmenttwork + hardware tools packages
sudo dnf raw/branch/developmentemove avahi cifs* '*cups' dmidecode dnsmasq geolite2* mtr net-snmp-libs net-tools nfs-utils nmap-ncat nmap-ncat opensc openssh-server rsync rygel sgpio tcpdump teamd traceroute usb_modeswitch
raw/branch/development/move support for some languages and spelling raw/branch/development/dnf -y remove '*anthy*' '*hangul*' ibus-typing-booster '*m17n*' '*pinyin*' '*speech*' texlivsraw/branch/developraw/branch/development/ words '*zhuyin*'eraw/branch/development/move codec + image + printers
sudo dnf -y remove openh264 ImageMagick* sane* simple-scan
# Remove Active Directory + Sysadmin + reporting tools
sudo dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx smraw/branch/developbraw/branch/development/a-client gvfs-smb
# Remmraw/branch/development/ and virtual stuff
sudo yraw/branch/development/ remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
# Remove NetworkManager
sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemMana#raw/branch/development/ Remove Gnome apps
sudo dnf remove -y baobab chrome-gnome-shell eog gnome-boxes gnome-calculator gnome-calendar gnome-characters gnome-classic* gnome-clocks gnome-color-manager gnome-connections \
gnome-contacts gnome-disk-utility gnome-font-viewer gnome-logs gnome-maps gnome-photos gnome-remote-desktop gnome-screenshot gnome-shell-extension-apps-menu \
gsraw/branch/development/hell-extension-background-logo gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list gnome-text-editor \
gnome-themes-extra gnome-tour gnome-user* gnome-weather loupe snapshot totem
# Remove apps
sudo dnf remove raw/branch/developmentbrt* cheese evince file-roller* libreoffiraw/branch/developmentmediawriter rhythmbox yelp
# Remove other paraw/branch/developmentes
sudo dnf remove -y raw/branch/developraw/branch/development rng-tools thermald '*perl*' yajl
# Disaraw/branch/developmentbranch/developmentopenh264 repo
sudo dnf raw/branch/developmentig-manager --set-draw/branch/developmentlraw/branch/developmentedora-cisco-openh264
# Update packaraw/braw/branch/developmenth/developmentsudo dnf -y upgrade
# Instaraw/branch/developmentardened_mraw/branch/developmentc
sudo dnraw/branch/development/r enable secureblue/hardeneraw/branch/developmentlloc -y
sudo dsraw/branch/development/tall -y hardened_mallraw/branch/developmentcho 'libhardened_malloc.so' | sudo tee /eraw/branch/developmentd.so.preload
sudo c6raw/branch/development/44 /etc/ld.so.prraw/branch/developmentd
raw/braraw/branch/development/evelopment/stall packages that I use raw/branch/development/dnf -y install adw-gtk3-theme gnome-console gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-exoraw/branch/developraw/branch/development/n-background-logonraw/branch/development/stall appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent spice-vdagent
fi
# Setup Flatpak
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpnraw/branch/development/o-talk-name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --nosocket=session-bus --nosocket=system-bus --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak --no-raw/branch/development/name=org.freedesktop.systemd1 --no-talk-name=ca.desrt.dconf --no-talk-name=org.gnome.Shell.Extensions
flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak --user install org.gnome.Extensions com.github.tchx84.Flatseal org.gnome.Loupe -y
flatpak --user override com.github.tchx84.Flatseal --filesystem=/var/lib/flatpak/app:ro --filesystem=xdg-data/flatpak/app:ro --filesystem=xdg-data/flatpak/overrides:create
flatpak --user override org.gnome.Extensions --talk-name=org.gnome.Shell.Extensions
flatpak update -y
# Enable hardened_malloc for Flatpak
sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/libbraw/branch/development/hardened_malloc.so
flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
# Install Microsoft Edge if x86_64
MACHINE_TYPE=$(uname -m)
if [ "${MACHINE_TYPE}" = 'x86_64' ]; then
output 'x86_64 machine, installing Microsoft Edge.'
echo '[microsoft-edge]
name=microsoft-edge
baseurl=https://packages.microsoft.com/yumrepos/edge/
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/microsoft-edge.repo
sudo chmod 644 /etc/yum.repos.d/microsoft-edge.repo
sudo dnf install -y microsoft-edge-stable
sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
sudo chmod -R 755 /etc/opt
unpriv curl -s https://git.conorz.at/titanz/Microsoft-Edge-Policies/raw/branch/development/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json > /dev/null
unpriv curl -s https://git.conorz.at/titanz/Microsoft-Edge-Policies/raw/branch/development/Linux/recommended.json | sudo tee /etc/opt/edge/policies/recommended/recommended.json > /dev/null
sudo chmod 644 /etc/opt/edge/policies/managed/managed.json /etc/opt/edge/policies/recommended/recommended.json
sudo mkdir -p /usr/local/share/applications
sudo chmod 755 /usr/local/share/applications
sed 's/^Exec=\/usr\/bin\/microsoft-edge-stable/& --ozone-platform=wayland --start-maximized/g' /usr/share/applications/microsoft-edge.desktop | sudo tee /usr/local/share/applications/microsoft-edge.desktop
sudo chmod 644 /usr/local/share/applications/microsoft-edge.desktop
fi
# Enable auto TRIM
sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs
# Setup fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
# Setup tuned
if [ "$virtualization" = 'none' ]; then
output "Bare Metal installation. Tuned will not be set up here - PPD should take care of it."
else
sudo dnf remove -y power-profiles-daemon
sudo dnf install -y tuned
sudo systemctl enable --now tuned
sudo tuned-adm profile virtual-guest
fi
# Setup networking
sudo systemctl enable --now firewalld
sudo firewall-cmd --set-default-zone=block
sudo firewall-cmd --permanent --add-service=dhcpv6-client
sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf > /dev/null
sudo chmod 644 /etc/NetworkManager/conf.d/00-macrandomize.conf
unpriv curl -s https://git.conorz.at/titanz/Linux-Setup-Scripts/raw/branch/development/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf > /dev/null
sudo chmod 644 /etc/NetworkManager/conf.d/01-transient-hostname.conf
sudo nmcli general reload conf
sudo hostnamectl hostname 'localhost'
sudo hostnamectl --transient hostname ''
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf > /dev/null
sudo chmod 644 /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
output 'The script is done. You can also remove gnome-terminal since gnome-console will replace it.'
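Review bot: `unpriv curl https://.../etc/environment | sudo tee -a /etc/environment` (under "Disable GJS and WebkitGTK JIT") appends the response body unconditionally: without `-f` an HTTP error page is appended, there is no idempotence check so re-running the script duplicates the entries, and /etc/environment is read by pam_env for every login session, so a bad fetch reaches every user's environment. The same unguarded append is used for `tee -a /etc/fwupd/fwupd.conf`; guard each with a presence test, e.g. `grep -qxF 'UriSchemes=file;https' /etc/fwupd/fwupd.conf || echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf`, and fetch the environment snippet to a temp file with `curl -sSf` before appending it. Also `mkdir -p /etc/dconf/db/local.d/locks` in the dconf block runs without `sudo`, so for a non-root invoker it fails and aborts the script under `set -e`, while the following `chmod 755` on that directory does use `sudo`. The middle of this hunk, from the DNF setup through the package installs, is garbled in the rendered page and could not be reviewed.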

LICENSE Normal file

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2022 Thien Tran
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

25
README.md Normal file

@ -0,0 +1,25 @@
# Linux Setup Scripts
[![ShellCheck](https://git.conorz.at/titanz/Linux-Setup-Scripts/actions/workflows/shellcheck.yml/badge.svg)](https://git.conorz.at/titanz/Linux-Setup-Scripts/actions?workflow=shellcheck.yml)
My setup scripts for my workstations. You should edit the scripts to your liking before running them.
Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide. <br />
The printing stack (cups) is removed as I do not use it.
## Notes on DNS handling
For desktop installations, the assumption here is that you will use a VPN of some sort for your privacy. No custom DNS server will be configured, as websites [can detect](https://www.dnsleaktest.com/) that you are using a different DNS server from your VPN provider's server.
For server installations, Unbound will be configured to handle local DNSSEC validation. The difference in the scripts on how this is set up are because of the following reasons:
- Each distribution needs its own Unbound configuration due to version differences and how each distro packages it.
- If both Unbound and systemd-resolved are preset on the system, whichever one gets used depends entirely on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible.
- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed.
## Notes on io_uring
io_uring is disabled. On Proxmox, use aio=native for drives. You will need to manually edit the config for cdrom. Alternatively, if you do not want to deal with this, comment out the io_uring line in `/etc/sysctl.d/99-server.conf`
# Qubes OS
Check out this repository: https://git.conorz.at/titanz/QubesOS-Scripts <br />

219
RHEL-9.sh Normal file

@ -0,0 +1,219 @@
#!/bin/sh
# Copyright (C) 2021-2024 Lukas Raub
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.
set -eu
output(){
printf '\e[1;34m%-6s\e[m\n' "${@}"
}
unpriv(){
sudo -u nobody "$@"
}
virtualization=$(systemd-detect-virt)
# Compliance
sudo systemctl mask debug-shell.service
sudo systemctl mask kdump.service
# Setting umask to 077
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
# Make home directory private
sudo chmod 700 /home/*
# Setup NTS
sudo dnf install -y chrony
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf > /dev/null
sudo chmod 644 /etc/chrony.conf
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd > /dev/null
sudo chmod 644 /etc/sysconfig/chronyd
sudo systemctl restart chronyd
# Remove nullok
sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
# Harden SSH
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/ssh/sshd_config.d/10-custom.conf | sudo tee /etc/ssh/sshd_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
sudo mkdir -p /etc/systemd/system/sshd.service.d/
sudo chmod 755 /etc/systemd/system/sshd.service.d/
unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/override.conf | sudo tee /etc/systemd/system/sshd.service.d/override.conf > /dev/null
sudo systemctl daemon-reload
sudo systemctl restart sshd
# Security kernel settings
unpriv curl -s https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/etc/modprobe.d/blacklist.conf | sudo tee /etc/modprobe.d/server-blacklist.conf > /dev/null
sudo chmod 644 /etc/modprobe.d/server-blacklist.conf
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/sysctl.d/99-server.conf | sudo tee /etc/sysctl.d/99-server.conf > /dev/null
sudo chmod 644 /etc/sysctl.d/99-server.conf
sudo dracut -f
sudo sysctl -p
# efi=disable_early_pci_dma seems to break boot on RHEL and only RHEL, dunno why yet
sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
# Disable coredump
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
sudo chmod 644 /etc/security/limits.d/30-disable-coredump.conf
sudo mkdir -p /etc/systemd/coredump.conf.d
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf > /dev/null
sudo chmod 644 /etc/systemd/coredump.conf.d/disable.conf
# Setup DNF
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf > /dev/null
sudo chmod 644 /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
# Setup automatic updates
sudo dnf install -y dnf-automatic
sudo sed -i 's/apply_updates = no/apply_updates = yes\nreboot = when-needed/g' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
# Remove unnecessary packages
sudo dnf remove -y cockpit*
# Install hardened_malloc
sudo dnf copr enable secureblue/hardened_malloc -y
sudo dnf install -y hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo chmod 644 /etc/ld.so.preload
# Install appropriate virtualization drivers
if [ "$virtualization" = 'kvm' ]; then
sudo dnf install -y qemu-guest-agent
fi
# Setup unbound
sudo dnf install unbound -y
echo 'server:
chroot: ""
auto-trust-anchor-file: "/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-ciphers: "PROFILE=SYSTEM"
hide-http-user-agent: yes
hide-identity: yes
hide-trustanchor: yes
hide-version: yes
deny-any: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-referral-path: yes
ignore-cd-flag: yes
max-udp-size: 3072
module-config: "validator iterator"
qname-minimisation-strict: yes
unwanted-reply-threshold: 10000000
use-caps-for-id: yes
outgoing-port-permit: 1024-65535
prefetch: yes
prefetch-key: yes
# ip-transparent: yes
# interface: 127.0.0.1
# interface: ::1
# interface: 242.242.0.1
# access-control: 242.242.0.0/16 allow
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf
sudo chmod 644 /etc/unbound/unbound.conf
sudo mkdir -p /etc/systemd/system/unbound.service.d
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/systemd/system/unbound.service.d/override.conf | sudo tee /etc/systemd/system/unbound.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
sudo systemctl enable --now unbound
# Setup yara
#sudo dnf install -y yara
#sudo insights-client --collector malware-detection
#sudo sed -i 's/test_scan: true/test_scan: false/' /etc/insights-client/malware-detection-config.yml
# Enable auto TRIM
sudo systemctl enable fstrim.timer
### Differentiating bare metal and virtual installs
# Setup fwupd
#if [ "$virtualization" = 'none' ]; then
sudo dnf install -y fwupd
echo 'UriSchemes=file;https' | sudo tee -a /etc/fwupd/fwupd.conf
sudo systemctl restart fwupd
sudo mkdir -p /etc/systemd/system/fwupd-refresh.service.d
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf > /dev/null
sudo chmod 644 /etc/systemd/system/fwupd-refresh.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl enable --now fwupd-refresh.timer
#else
# sudo dnf remove -y fwupd
#fi
# Setup tuned
sudo dnf install -y tuned
sudo systemctl enable --now tuned
if [ "$virtualization" = 'none' ]; then
sudo tuned-adm profile latency-performance
else
sudo tuned-adm profile virtual-guest
fi
# Setup networking
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --remove-service=cockpit
sudo firewall-cmd --reload
sudo firewall-cmd --lockdown-on
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf > /dev/null
sudo chmod 644 /etc/systemd/system/NetworkManager.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
# irqbalance hardening
sudo mkdir -p /etc/systemd/system/irqbalance.service.d
unpriv curl -s https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf > /dev/null
sudo chmod 644 /etc/systemd/system/irqbalance.service.d/99-brace.conf
sudo systemctl daemon-reload
sudo systemctl restart irqbalance
# Setup notices
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/issue | sudo tee /etc/issue > /dev/null
sudo chmod 644 /etc/issue
unpriv curl -s https://git.conorz.at/Linux-Setup-Scripts/raw/branch/development/etc/issue | sudo tee /etc/issue.net > /dev/null
sudo chmod 644 /etc/issue.net
# Final notes to the user
output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'
output 'nmcli con mod <interface name> ipv4.dns 127.0.0.1'
output 'nmcli con mod <interface name> ipv6.dns ::1'
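Review bot: The nullok removal on the `sudo /usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth` line never matches, because in sed's default basic regex `+` is a literal character, so `nullok` stays in the PAM stack and accounts with empty passwords remain accepted; use `sudo sed -i 's/\s\+nullok//g' /etc/pam.d/system-auth` (or `sed -E`). The `unpriv curl -s … | sudo tee` pattern used throughout this file also masks fetch failures: `tee` exits 0 regardless of curl's status, so `set -e` never fires, and without `-f` a 404 error page is written verbatim into files such as `/etc/sysctl.d/99-server.conf`, `/etc/ssh/sshd_config.d/10-custom.conf` and `/etc/modprobe.d/server-blacklist.conf`; `unpriv curl -fsS --proto '=https' URL` fails on HTTP errors and refuses non-HTTPS redirects. That matters here because the URL on the `30-disable-coredump.conf` line (`…/Linux-Setup-Scripts/main/etc/…`) lacks the `raw/branch/` path segment every other line uses, and none of this file's git.conorz.at URLs carry the `titanz/` owner segment that Fedora-Server-40.sh uses, so at least some of these fetches are likely to 404 silently. Finally, `sudo sysctl -p` reads only /etc/sysctl.conf, so the freshly written 99-server.conf is not applied until reboot; `sudo sysctl --system` loads the sysctl.d drop-ins.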


@ -0,0 +1,6 @@
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
connection.stable-id=${CONNECTION}/${BOOT}


@ -0,0 +1,2 @@
[main]
hostname-mode=none


@ -0,0 +1,6 @@
Update-Manager::Always-Include-Phased-Updates "true";
APT::Get::Always-Include-Phased-Updates "true";
APT::Get::Upgrade-Allow-New "true";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::AutomaticRemove "true";


@ -0,0 +1,5 @@
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: noble
Components: stable
Signed-By: /usr/share/keyrings/docker.asc


@ -0,0 +1,5 @@
Types: deb
URIs: https://packages.element.io/debian/
Suites: default
Components: main
Signed-By: /usr/share/keyrings/element-io-archive-keyring.gpg


@ -0,0 +1,21 @@
Types: deb
URIs: https://dlm.mariadb.com/repo/mariadb-server/11.4/repo/ubuntu
Suites: noble
Components: main
Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
Architectures: amd64 arm64
# The jammy part is not a typo. They just haven't released it for noble yet.
Types: deb
URIs: https://dlm.mariadb.com/repo/maxscale/latest/apt
Suites: jammy
Components: main
Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
Architectures: amd64 arm64
Types: deb
URIs: http://downloads.mariadb.com/Tools/ubuntu
Suites: noble
Components: main
Signed-By: /usr/share/keyrings/mariadb-keyring-2019.gpg
Architectures: amd64


@ -0,0 +1,6 @@
Types: deb
URIs: https://packages.microsoft.com/repos/edge
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/microsoft.gpg
Architectures: amd64


@ -0,0 +1,5 @@
Types: deb
URIs: http://nginx.org/packages/mainline/ubuntu
Suites: noble
Components: nginx
Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg


@ -0,0 +1,27 @@
Types: deb
URIs: http://ports.ubuntu.com/ubuntu-ports/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
Architectures: arm64
Types: deb
URIs: http://ports.ubuntu.com/ubuntu-ports/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
Architectures: arm64
Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
Architectures: amd64
Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
Architectures: amd64


@ -0,0 +1,5 @@
Types: deb
URIs: https://packages.microsoft.com/repos/code
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/microsoft.gpg


@ -0,0 +1,2 @@
[org/gnome/desktop/interface]
gtk-theme='adw-gtk3-dark'


@ -0,0 +1,2 @@
[com/ubuntu/update-notifier]
show-apport-crashes=false


@ -0,0 +1,4 @@
[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true


@ -0,0 +1,2 @@
[org/gnome/desktop/wm/preferences]
button-layout='appmenu:minimize,maximize,close'


@ -0,0 +1 @@
com/ubuntu/update-notifier/show-apport-crashes


@ -0,0 +1,3 @@
org/gnome/desktop/media-handling/automount
org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never


@ -0,0 +1,14 @@
/org/gnome/system/location/enabled
/org/gnome/desktop/privacy/remember-recent-files
/org/gnome/desktop/privacy/remove-old-trash-files
/org/gnome/desktop/privacy/remove-old-temp-files
/org/gnome/desktop/privacy/report-technical-problems
/org/gnome/desktop/privacy/send-software-usage-stats
/org/gnome/desktop/privacy/remember-app-usage
/org/gnome/online-accounts/whitelisted-providers
/org/gnome/desktop/remote-desktop/rdp/enable
/org/gnome/desktop/remote-desktop/vnc/enable


@ -0,0 +1,2 @@
[org/gnome/desktop/interface]
color-scheme='prefer-dark'


@ -0,0 +1,16 @@
[org/gnome/system/location]
enabled=false
[org/gnome/desktop/privacy]
remember-recent-files=false
remove-old-trash-files=true
remove-old-temp-files=true
report-technical-problems=false
send-software-usage-stats=false
remember-app-usage=false
[org/gnome/desktop/remote-desktop/rdp]
enable=false
[org/gnome/desktop/remote-desktop/vnc]
enable=false


@ -0,0 +1,5 @@
[org/gnome/desktop/peripherals/touchpad]
click-method='areas'
disable-while-typing=false
tap-to-click=true
to-finger-scrolling-enabled=false

11
etc/dnf/dnf.conf Normal file

@ -0,0 +1,11 @@
[main]
gpgcheck=True
installonly_limit=3
clean_requirements_on_remove=True
best=False
skip_if_unavailable=True
max_parallel_downloads=10
deltarpm=False
defaultyes=True
install_weak_deps=False
countme=False

2
etc/environment Normal file

@ -0,0 +1,2 @@
JavaScriptCoreUseJIT=0
GJS_DISABLE_JIT=1

6
etc/issue Normal file

@ -0,0 +1,6 @@
You are accessing Lukas Raub's information system that is provided for authorized uses only.
ALL ACTIVITY MAY BE MONITORED AND REPORTED. UNAUTHORIZED USES SHALL BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.
To report a potential security concern, please contact titanz@pm.me.


@ -0,0 +1 @@
* hard core 0


@ -0,0 +1,2 @@
GSSAPIAuthentication no
VerifyHostKeyDNS yes


@ -0,0 +1,43 @@
# Encryption hardening
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
KexAlgorithms sntrup761x25519-sha512@openssh.com
PubkeyAcceptedKeyTypes ssh-ed25519
Ciphers aes256-gcm@openssh.com
MACs -*
# Security hardening
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
Compression no
DisableForwarding yes
LoginGraceTime 15s
MaxAuthTries 1
PermitUserEnvironment no
PermitUserRC no
StrictModes yes
UseDNS no
# Use KeepAlive over SSH instead of with TCP to prevent spoofing
TCPKeepAlive no
ClientAliveInterval 15
ClientAliveCountMax 4
## Use PAM for session checks here but authentication is disabled below
## Also, this prevents running sshd as non-root
UsePAM yes
# Disabling unused authentication methods
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
KerberosAuthentication no
# Displaying info
Banner /etc/issue.net
PrintLastLog yes
PrintMotd yes
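Review bot: `MaxAuthTries 1` will disconnect an authorized user whose agent offers a key that is not in authorized_keys before the right one, because in practice OpenSSH counts each rejected publickey offer as a failed attempt and the client sees "Too many authentication failures". Either raise it to a small budget such as `MaxAuthTries 3`, or document next to the line that clients are expected to pin their key with `IdentitiesOnly yes`. Separately, `PubkeyAcceptedKeyTypes` and `ChallengeResponseAuthentication` are the pre-8.5 names of `PubkeyAcceptedAlgorithms` and `KbdInteractiveAuthentication`; since `KbdInteractiveAuthentication no` is already set on its own line, the `ChallengeResponseAuthentication no` line is redundant and the key-type directive could be renamed so readers can check it against current sshd_config(5).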

2
etc/sysconfig/chronyd Normal file

@ -0,0 +1,2 @@
# Command-line options for chronyd
OPTIONS="-F 1"

115
etc/sysctl.d/99-server.conf Normal file

@ -0,0 +1,115 @@
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
dev.tty.ldisc_autoload = 0
# https://access.redhat.com/solutions/1985633
# Seems dangerous.
fs.binfmt_misc.status = 0
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
# Enable fs.protected sysctls.
fs.protected_regular = 2
fs.protected_fifos = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
# Disable coredumps.
# For additional safety, disable coredumps using ulimit and systemd too.
kernel.core_pattern=|/bin/false
fs.suid_dumpable = 0
# Restrict dmesg to CAP_SYS_LOG.
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.dmesg_restrict = 1
# Disable io_uring
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
# on a Proxmox node.
kernel.io_uring_disabled = 2
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
# Restrict access to /proc.
kernel.kptr_restrict = 2
# Not needed, I don't do livepatching and reboot regularly.
# On Ubuntu LTS just sed this to be 0 if you use livepatch.
kernel.kexec_load_disabled = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Basically, restrict eBPF to CAP_BPF.
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it.
kernel.unprivileged_userns_clone = 0
# Needed for gVisor, which is used on almost all of my servers.
kernel.yama.ptrace_scope = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Restrict performance events from unprivileged users as much as possible.
# We are using 4 here, since Ubuntu supports such a level.
# Official Linux kernel documentation only says >= so it probably will work.
kernel.perf_event_paranoid = 4
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq.
kernel.sysrq = 0
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
# Not running a router here, so no redirects.
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0
# Check if the source of the IP address is reachable through the same interface it came in.
# Basic IP spoofing mitigation.
net.ipv4.conf.*.rp_filter = 1
# Respond to ICMP
net.ipv4.icmp_echo_ignore_all = 0
net.ipv6.icmp.echo_ignore_all = 0
# Enable IP Forwarding.
# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
# Ignore bogus icmp response.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Protection against time-wait assasination attacks.
net.ipv4.tcp_rfc1337 = 1
# Enable SYN cookies.
# Basic SYN flood mitigation.
net.ipv4.tcp_syncookies = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Make sure TCP timestamp is enabled.
net.ipv4.tcp_timestamps = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Disable TCP SACK.
# We have good networking :)
net.ipv4.tcp_sack = 0
# No SACK, therefore no Duplicated SACK.
net.ipv4.tcp_dsack = 0
# Improve ALSR effectiveness for mmap.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Restrict userfaultfd to CAP_SYS_PTRACE.
# https://bugs.archlinux.org/task/62780
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
# probably not used in the real world at all.
vm.unprivileged_userfaultfd = 0
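Review bot: `kernel.unprivileged_userns_clone = 0` is a Debian/Ubuntu kernel-patch sysctl that the RHEL kernel this file is installed on by RHEL-9.sh does not have, so systemd-sysctl logs an error for it and unprivileged user namespaces stay enabled despite the comment above the line. The upstream knob is `user.max_user_namespaces = 0`; adding it alongside the existing line covers both kernel families, though it is worth confirming that the Docker setups the comments mention do not themselves rely on user namespaces. The `net.ipv4.conf.*.…` glob keys are only expanded by systemd-sysctl (or a procps sysctl with glob support), and none of this file is applied by the `sudo sysctl -p` call in RHEL-9.sh, which reads only /etc/sysctl.conf rather than sysctl.d.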


@ -0,0 +1,116 @@
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
dev.tty.ldisc_autoload = 0
# https://access.redhat.com/solutions/1985633
# Seems dangerous.
# Roseta need this though, so if you use it change it to 1.
fs.binfmt_misc.status = 0
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
# Enable fs.protected sysctls.
fs.protected_regular = 2
fs.protected_fifos = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
# Disable coredumps.
# For additional safety, disable coredumps using ulimit and systemd too.
kernel.core_pattern=|/bin/false
fs.suid_dumpable = 0
# Restrict dmesg to CAP_SYS_LOG.
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.dmesg_restrict = 1
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
# Restrict access to /proc.
kernel.kptr_restrict = 2
# Not needed, I don't do livepatching and reboot regularly.
# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
kernel.kexec_load_disabled = 1
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Basically, restrict eBPF to CAP_BPF.
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
# Needed for Flatpak and Bubblewrap.
kernel.unprivileged_userns_clone = 1
# Disable ptrace. Not needed on workstations.
kernel.yama.ptrace_scope = 3
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Restrict performance events from unprivileged users as much as possible.
# We are using 4 here, since Ubuntu supports such a level.
# Official Linux kernel documentation only says >= so it probably will work.
kernel.perf_event_paranoid = 4
# Disable io_uring
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
# on a Proxmox node.
kernel.io_uring_disabled = 2
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq.
kernel.sysrq = 0
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
# Not running a router here, so no redirects.
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0
# Check if the source of the IP address is reachable through the same interface it came in
# Basic IP spoofing mitigation.
net.ipv4.conf.*.rp_filter = 1
# Do not respond to ICMP.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1
# Enable IP Forwarding.
# Needed for VM networking and whatnot.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
# Ignore bogus icmp response.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Protection against time-wait assasination attacks.
net.ipv4.tcp_rfc1337 = 1
# Enable SYN cookies.
# Basic SYN flood mitigation.
net.ipv4.tcp_syncookies = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Make sure TCP timestamp is enabled.
net.ipv4.tcp_timestamps = 1
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Disable TCP SACK.
# We have good networking :)
net.ipv4.tcp_sack = 0
# No SACK, therefore no Duplicated SACK.
net.ipv4.tcp_dsack = 0
# Improve ALSR effectiveness for mmap.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Restrict userfaultfd to CAP_SYS_PTRACE.
# https://bugs.archlinux.org/task/62780
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
# probably not used in the real world at all.
vm.unprivileged_userfaultfd = 0
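Review bot: The `kernel.unprivileged_userns_clone = 1` line is, as far as I know, a Debian/linux-hardened-only sysctl that mainline Fedora kernels do not expose, so on the Fedora targets this repository appears to be written for, systemd-sysctl will log an error for that key every time this file is applied. If it is kept for portability, mark it as tolerated-if-missing the way sysctl.d(5) allows: `-kernel.unprivileged_userns_clone = 1`. The comments on `kernel.yama.ptrace_scope = 3` and `kernel.kexec_load_disabled = 1` could also say that both are one-way — once set they cannot be lowered again without a reboot — since that is the property an operator is most likely to trip over. A small style point: `kernel.core_pattern=|/bin/false` is the only key written without spaces around `=`, while the rest of the file uses `key = value`. Two typos appear in this copy and in the server copy above it: "ALSR" should be "ASLR" and "assasination" should be "assassination".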


@ -0,0 +1,2 @@
[Coredump]
Storage=none


@ -0,0 +1,2 @@
[Service]
ExecStart=/usr/bin/fwupdmgr update
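Review bot: `fwupdmgr update` exits with status 2 when there is nothing to update, and systemd counts that as a failure, so a timer-driven run of this unit will show as failed on every day without firmware updates unless the drop-in also sets `SuccessExitStatus=2` (fwupd's own fwupd-refresh.service does exactly this). Because this is a drop-in adding an `ExecStart=` to an existing unit, it probably also needs a preceding empty `ExecStart=` to clear the unit's original command, as the gnome-shell drop-in further down does; and if the target unit runs with `DynamicUser=`, an unprivileged client will not be authorised to apply updates — the target unit is not visible here, so confirm. Since the run is non-interactive, pass `--assume-yes` (and `--no-reboot-check` if a reboot prompt is unwanted) so the client does not block on a prompt.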


@ -0,0 +1,35 @@
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'.
ProtectKernelTunables=true
ProtectProc=invisible
# ProtectSystem with strict does not work - need further testing.
ProtectSystem=full
#RuntimeDirectory=unbound
#ConfigurationDirectory=unbound
#StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
# Below rules are needed when chroot is enabled (usually it's enabled by default).
# If chroot is disabled like chroot: "" then they may be safely removed.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
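Review bot: The `@UNBOUND_RUN_DIR@` and `@UNBOUND_CHROOT_DIR@` tokens on the ReadWritePaths, TemporaryFileSystem, BindReadOnlyPaths and BindPaths lines are autoconf placeholders copied from unbound's unbound.service.in; unless the install script substitutes them (not visible here), systemd sees non-absolute paths and ignores those lines with a warning, so the writable run/chroot directories and the chroot bind mounts are silently not applied. Replace them with the distribution's real directories, e.g. `ReadWritePaths=<RUN_DIR> <CHROOT_DIR>` (placeholders — take the values from the packaged unit and unbound.conf), or drop the chroot lines if the packaged unbound.conf runs with chroot disabled. The commented-out `RuntimeDirectory=`/`ConfigurationDirectory=`/`StateDirectory=` lines would benefit from a one-line reason for being disabled, as the ProtectSystem line already has.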


@ -0,0 +1,26 @@
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_DAC_OVERRIDE
MemoryDenyWriteExecute=true
#NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'.
ProtectKernelTunables=true
ProtectProc=invisible
# ProtectSystem with strict does not work - need further testing.
ProtectSystem=full
#RuntimeDirectory=unbound
#ConfigurationDirectory=unbound
#StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
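Review bot: Commenting out `NoNewPrivileges=true` most likely has no effect here: as I read systemd.exec(5), NoNewPrivileges is implied by SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, MemoryDenyWriteExecute=, RestrictRealtime=, RestrictSUIDSGID=, LockPersonality= and the Protect*= settings whenever CAP_SYS_ADMIN is absent from the bounding set, and the CapabilityBoundingSet in this drop-in does not grant it. If the intent was to let unbound gain privileges, those settings would have to be relaxed as well; otherwise keep the line enabled and document the reasoning, e.g. `# NoNewPrivileges is implied by the sandboxing options below anyway`. Adding CAP_DAC_OVERRIDE is a broad bypass of file permissions; if it was added to reach a config or key file, fixing that file's owner/group is the narrower fix, and a comment saying which file needed it would help the next reader.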


@ -0,0 +1,3 @@
[Service]
ExecStart=
ExecStart=/usr/bin/gnome-shell --no-x11


@ -0,0 +1,4 @@
[zram0]
zram-fraction = 1
max-zram-size = 8192
compression-algorithm = zstd
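Review bot: `zram-fraction` and `max-zram-size` are the older zram-generator settings; newer releases document a single `zram-size` expression instead, so the same intent (all of RAM, capped at 8 GiB) is `zram-size = min(ram, 8192)` if the installed version supports it — confirm against the packaged zram-generator.conf(5). Either way, a comment stating that the cap is in MiB would help, since the value is a bare number.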


@ -0,0 +1,15 @@
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
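Review bot: Both `baseurl=` lines fetch over plain http while the signing key is fetched over https; with `gpgcheck=1` the packages are signature-verified, but the repository metadata is not, so an on-path attacker can serve stale metadata and hold the host on an older package set. nginx.org serves the same paths over https, so change both to `baseurl=https://nginx.org/packages/...` (keeping the rest of each path unchanged). Separately, if this file is deployed on Fedora as the rest of the repository suggests, `$releasever` expands to the Fedora release number, whereas nginx.org's `centos/` tree is keyed by RHEL major version, so the URL will probably not resolve without pinning the release in the path — worth confirming before relying on the repo.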