From 2ea64706cbe348716b0d8061689685f972b07532 Mon Sep 17 00:00:00 2001
From: buckn
Date: Wed, 15 Oct 2025 20:36:12 -0400
Subject: [PATCH] hardened some stuff
---
setup | 292 ++++++++++++++++++++--------------------------------------
1 file changed, 102 insertions(+), 190 deletions(-)
diff --git a/setup b/setup
index d6e005c..7d1578b 100755
--- a/setup
+++ b/setup
@@ -1,193 +1,105 @@ -# Rust -curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh +#!/usr/bin/env bash +set -euo pipefail -# -# install cargo apps -# - -# terminal emulator -cargo install alacritty - -# fancy ls command -cargo install lsd - -# cargo doc in terminal -cargo install rusty-man - -# fancy cat -cargo install bat - - - -if [[ $(uname -r) == *"arch"* ]]; then - # update repos - pacman -Sy - - # install basic dev tools - pacman -S git cmake gcc - - # install window manager - pacman -S openbox - - # - # Languages Stuff - # - - # pip - - pacman -S python3-pip - - # - # Music - # - - # player - pacman -S cmus - - # streamrip - pip3 install streamrip --upgrade - - # volume control - pacman -S pavucontrol - - # - # Web - # - - # email client - pacman -S thunderbird - - # browser - pacman -S chromium-browser - - # keybase - pacman -S keybase-bin - run_keybase - - # install nvim - pacman -S neovim - - # install file manager - pacman -S nnn - - # install neofetch - pacmnan -S neofetch - - # install steam - pacman -S steam - - # install fonts - cd ~/bin/setup - git clone https://github.com/ryanoasis/nerd-fonts - cd nerd-fonts - ./install.sh Hack - - # chinese fonts - - sudo pacman -S ttf-arphic-uming ttf-arphic-ukai - - # bluetooth management - pacman -S bluez bluez-tools - pacman -S blueman - - # screenshot - pacman -S flameshot - - # kpcli - pacman -S kpcli - - # upgrade everything - pacman -Syu +# Detect distro +if [[ $(uname -a) == *"arch"* ]]; then + IS_ARCH=true else - # update repos - sudo apt update - - # install basic dev tools - sudo apt install git cmake gcc -y - - # install window manager - sudo apt install openbox -y - - # - # Languages Stuff - # - - # pip - - sudo apt install python3-pip -y - - # - # install cargo apps - # - - # terminal emulator - cargo install alacritty - - # fancy ls command - cargo install lsd - - # cargo doc in terminal - cargo install rusty-man - - # fancy cat - cargo install bat - - # - # Music - # - - # player - sudo 
apt install cmus -y - - # streamrip - pip3 install streamrip --upgrade - - # volume control - sudo apt install pavucontrol -y - - # - # Web - # - - # email client - sudo apt install thunderbird -y - - # browser - sudo apt install chromium-browser -y - - # keybase - curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb - sudo apt install ./keybase_amd64.deb - run_keybase - - # install nvim - sudo apt install neovim -y - - # install file manager - sudo apt install nnn -y - - # install neofetch - sudo apt install neofetch -y - - # install steam - sudo apt install steam-installer -y - - # install fonts - cd ~/bin/setup - git clone https://github.com/ryanoasis/nerd-fonts - cd nerd-fonts - ./install.sh Hack - - # bluetooth management - sudo apt install bluez bluez-tools -y - sudo apt install blueman -y - - # screenshot - sudo apt install flameshot - - # kpcli - sudo apt install kpcli - - # upgrade everything - sudo apt upgrade + IS_ARCH=false fi + +# --- Helper Functions --- +install_packages_arch() { + sudo pacman -Sy --noconfirm + sudo pacman -S --noconfirm base base-devel linux-hardened linux-hardened-headers \ + git cmake gcc neovim vim python3-pip \ + openbox obconf xorg-server xorg-xinit xorg-xinput xorg-xrandr \ + alacritty cmus flameshot pavucontrol \ + chromium thunderbird steam keepassxc \ + bluez bluez-tools blueman \ + dmenu htop rsync unzip whois xclip xdotool xbindkeys \ + efibootmgr grub nmap lynis rkhunter sbctl + # Yay for AUR packages + if ! 
command -v yay >/dev/null; then + git clone https://aur.archlinux.org/yay-bin.git /tmp/yay + cd /tmp/yay + makepkg -si --noconfirm + fi + # Additional yay apps + yay -S --noconfirm keybase-bin ckb-next minecraft-launcher nvidia-dkms nvidia-settings +} + +install_packages_ubuntu() { + sudo apt update && sudo apt upgrade -y + sudo apt install -y build-essential git cmake gcc neovim vim python3-pip \ + openbox obconf xorg xinit x11-xserver-utils \ + alacritty cmus flameshot pavucontrol \ + chromium-browser thunderbird steam-installer keepassxc \ + bluez bluez-tools blueman \ + dmenu htop rsync unzip whois xclip xdotool xbindkeys \ + efibootmgr grub nmap lynis rkhunter sudo +} + +# --- Rust Setup --- +setup_rust() { + if ! command -v rustc >/dev/null; then + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + source $HOME/.cargo/env + fi + + # Cargo apps + cargo install --locked alacritty bat lsd rusty-man cargo-expand viu +} + +# --- Fonts --- +install_fonts() { + mkdir -p ~/bin/setup + cd ~/bin/setup + if [[ ! 
-d nerd-fonts ]]; then + git clone https://github.com/ryanoasis/nerd-fonts + fi + cd nerd-fonts + ./install.sh Hack + cd ~ +} + +# --- Security Setup --- +setup_security() { + # Firewall + if command -v ufw >/dev/null; then + sudo ufw default deny incoming + sudo ufw default allow outgoing + sudo ufw allow ssh + sudo ufw enable + fi + + # SSH hardening + sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config + sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config + sudo systemctl restart sshd + + # Enable fail2ban if available + if command -v fail2ban >/dev/null; then + sudo systemctl enable --now fail2ban + fi + + # Run rkhunter check + if command -v rkhunter >/dev/null; then + sudo rkhunter --update + sudo rkhunter --propupd + fi +} + +# --- Main --- +if $IS_ARCH; then + install_packages_arch +else + install_packages_ubuntu +fi + +setup_rust +install_fonts +setup_security + +echo "Setup complete! You may need to reboot for kernel or grub changes." +
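Review bot: In `setup_security`, the two `sed -i` edits followed by `sudo systemctl restart sshd` turn off password logins without first checking that a key login exists or that the edited config still parses, so on a machine administered over SSH this step can lock the operator out. The `sed` expressions only rewrite lines already present in `/etc/ssh/sshd_config`; sshd keeps the first value it reads for each keyword, so a drop-in pulled in by an `Include` near the top of the file (as Debian/Ubuntu ship it) can leave `PasswordAuthentication yes` in force, and because neither package list installs an SSH server, a missing config file makes `sed` fail and `set -e` abort the run unless one was already present. I would guard the block on the file and on a non-empty `authorized_keys`, run `sshd -t` before the restart, and print the effective values with `sshd -T` afterwards, as sketched below. Separately, `command -v fail2ban` tests for a command the fail2ban package does not provide (it installs `fail2ban-client` and `fail2ban-server`), and fail2ban is not in either install list, so that branch presumably never runs.

```shell
setup_security() {
    # … unchanged: ufw rules …

    # SSH hardening: only when sshd is installed and a key login exists
    local sshd_cfg=/etc/ssh/sshd_config
    if [[ -f "$sshd_cfg" ]]; then
        if [[ ! -s "$HOME/.ssh/authorized_keys" ]]; then
            echo "no authorized_keys in $HOME/.ssh; leaving sshd_config unchanged" >&2
        else
            sudo cp -p -- "$sshd_cfg" "$sshd_cfg.bak"
            sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' "$sshd_cfg"
            sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$sshd_cfg"
            # refuse to restart on a config sshd cannot parse
            sudo sshd -t
            sudo systemctl restart sshd
            # show what sshd actually applies; drop-in files can override the main file
            sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '
        fi
    fi

    # … unchanged: fail2ban, rkhunter …
}
```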