hardened some stuff

2025-10-15 20:36:12 -04:00
parent 95e2e01771
commit 2ea64706cb
1 changed files with 102 additions and 190 deletions
--- a/266
+++ b/266
@ -1,193 +1,105 @@
-# Rust
-curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+#!/usr/bin/env bash
+set -euo pipefail

-#
-# install cargo apps
-#
-
-# terminal emulator
-cargo install alacritty
-
-# fancy ls command
-cargo install lsd
-
-# cargo doc in terminal
-cargo install rusty-man
-
-# fancy cat
-cargo install bat
-
-
-
-if [[ $(uname -r) == *"arch"* ]]; then
-	# update repos
-	pacman -Sy
-
-	# install basic dev tools
-	pacman -S git cmake gcc
-
-	# install window manager
-	pacman -S openbox
-
-	#
-	# Languages Stuff
-	#
-
-	# pip
-
-	pacman -S python3-pip
-
-	#
-	# Music
-	#
-
-	# player
-	pacman -S cmus
-
-	# streamrip
-	pip3 install streamrip --upgrade
-
-	# volume control
-	pacman -S pavucontrol
-
-	#
-	# Web
-	#
-
-	# email client
-	pacman -S thunderbird
-
-	# browser
-	pacman -S chromium-browser
-
-	# keybase
-	pacman -S keybase-bin
-	run_keybase
-
-	# install nvim
-	pacman -S neovim
-
-	# install file manager
-	pacman -S nnn
-
-	# install neofetch
-	pacmnan -S neofetch
-
-	# install steam
-	pacman -S steam
-
-	# install fonts
-	cd ~/bin/setup
-	git clone https://github.com/ryanoasis/nerd-fonts
-	cd nerd-fonts
-	./install.sh Hack
-
-	# chinese fonts
-	
-	sudo pacman -S ttf-arphic-uming ttf-arphic-ukai
-
-	# bluetooth management
-	pacman -S bluez bluez-tools
-	pacman -S blueman
-
-	# screenshot
-	pacman -S flameshot
-
-	# kpcli
-	pacman -S kpcli
-
-	# upgrade everything
-	pacman -Syu
+# Detect distro
+if [[ $(uname -a) == *"arch"* ]]; then
+    IS_ARCH=true
 else
-	# update repos
-	sudo apt update
+    IS_ARCH=false
+fi

-	# install basic dev tools
-	sudo apt install git cmake gcc -y
+# --- Helper Functions ---
+install_packages_arch() {
+    sudo pacman -Sy --noconfirm
+    sudo pacman -S --noconfirm base base-devel linux-hardened linux-hardened-headers \
+        git cmake gcc neovim vim python3-pip \
+        openbox obconf xorg-server xorg-xinit xorg-xinput xorg-xrandr \
+        alacritty cmus flameshot pavucontrol \
+        chromium thunderbird steam keepassxc \
+        bluez bluez-tools blueman \
+        dmenu htop rsync unzip whois xclip xdotool xbindkeys \
+        efibootmgr grub nmap lynis rkhunter sbctl
+    # Yay for AUR packages
+    if ! command -v yay >/dev/null; then
+        git clone https://aur.archlinux.org/yay-bin.git /tmp/yay
+        cd /tmp/yay
+        makepkg -si --noconfirm
+    fi
+    # Additional yay apps
+    yay -S --noconfirm keybase-bin ckb-next minecraft-launcher nvidia-dkms nvidia-settings
+}

-	# install window manager
-	sudo apt install openbox -y
+install_packages_ubuntu() {
+    sudo apt update && sudo apt upgrade -y
+    sudo apt install -y build-essential git cmake gcc neovim vim python3-pip \
+        openbox obconf xorg xinit x11-xserver-utils \
+        alacritty cmus flameshot pavucontrol \
+        chromium-browser thunderbird steam-installer keepassxc \
+        bluez bluez-tools blueman \
+        dmenu htop rsync unzip whois xclip xdotool xbindkeys \
+        efibootmgr grub nmap lynis rkhunter sudo
+}

-	#
-	# Languages Stuff
-	#
+# --- Rust Setup ---
+setup_rust() {
+    if ! command -v rustc >/dev/null; then
+        curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+        source $HOME/.cargo/env
+    fi

-	# pip
+    # Cargo apps
+    cargo install --locked alacritty bat lsd rusty-man cargo-expand viu
+}

-	sudo apt install python3-pip -y
-
-	#
-	# install cargo apps
-	#
-
-	# terminal emulator
-	cargo install alacritty
-
-	# fancy ls command
-	cargo install lsd
-
-	# cargo doc in terminal
-	cargo install rusty-man
-
-	# fancy cat
-	cargo install bat
-
-	#
-	# Music
-	#
-
-	# player
-	sudo apt install cmus -y
-
-	# streamrip
-	pip3 install streamrip --upgrade
-
-	# volume control
-	sudo apt install pavucontrol -y
-
-	#
-	# Web
-	#
-
-	# email client
-	sudo apt install thunderbird -y
-
-	# browser
-	sudo apt install chromium-browser -y
-
-	# keybase
-	curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb
-	sudo apt install ./keybase_amd64.deb
-	run_keybase
-
-	# install nvim
-	sudo apt install neovim -y
-
-	# install file manager
-	sudo apt install nnn -y
-
-	# install neofetch
-	sudo apt install neofetch -y
-
-	# install steam
-	sudo apt install steam-installer -y
-
-	# install fonts
+# --- Fonts ---
+install_fonts() {
+    mkdir -p ~/bin/setup
    cd ~/bin/setup
+    if [[ ! -d nerd-fonts ]]; then
        git clone https://github.com/ryanoasis/nerd-fonts
+    fi
    cd nerd-fonts
    ./install.sh Hack
+    cd ~
+}

-	# bluetooth management
-	sudo apt install bluez bluez-tools -y
-	sudo apt install blueman -y
+# --- Security Setup ---
+setup_security() {
+    # Firewall
+    if command -v ufw >/dev/null; then
+        sudo ufw default deny incoming
+        sudo ufw default allow outgoing
+        sudo ufw allow ssh
+        sudo ufw enable
+    fi

-	# screenshot
-	sudo apt install flameshot
+    # SSH hardening
+    sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+    sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+    sudo systemctl restart sshd

-	# kpcli
-	sudo apt install kpcli
+    # Enable fail2ban if available
+    if command -v fail2ban >/dev/null; then
+        sudo systemctl enable --now fail2ban
+    fi

-	# upgrade everything
-	sudo apt upgrade
+    # Run rkhunter check
+    if command -v rkhunter >/dev/null; then
+        sudo rkhunter --update
+        sudo rkhunter --propupd
+    fi
+}
+
+# --- Main ---
+if $IS_ARCH; then
+    install_packages_arch
+else
+    install_packages_ubuntu
 fi
+
+setup_rust
+install_fonts
+setup_security
+
+echo "Setup complete! You may need to reboot for kernel or grub changes."
+