new iptables, extra packages
parent
d1deaacfc1
commit
c1446a8d3c
1 changed files with 41 additions and 5 deletions
46
archmate.sh
46
archmate.sh
|
|
@ -83,6 +83,9 @@ PKG_DWIN="accountsservice mate mate-applets mate-extra lightdm-gtk-greeter gnome
|
|||
# GUI stuff
|
||||
PKG_XAPP="asunder brasero chromium firefox geeqie gimp gkrellm gucharmap gvfs-afc gvfs-mtp gvfs-smb gvim hexchat hunspell-en_US hyphen-en libreoffice-fresh pragha pidgin pidgin-otr seahorse vlc x11-ssh-askpass wireshark-qt"
|
||||
|
||||
# Non-essential goodies
|
||||
PKG_EXTRA="android-tools argyllcms aspell audacious audacious-plugins axel blueman bluez cadaver clang cmake cmus colord colord-gtk cups cups-filters cups-pdf cups-pk-helper datamash dconf-editor dialog dos2unix doxygen duplicity duplicity easytag elinks expac expect extra-cmake-modules feh figlet foomatic-db foomatic-db-engine foomatic-db-gutenprint-ppds foomatic-db-ppds freerdp galculator-gtk2 gdb gnome-icon-theme gnome-icon-theme-symbolic gnome-themes-extra go graphicsmagick gspell gtk-engine-murrine gtk-engines gtkspell3 gutenprint handbrake hspell hwinfo i7z id3v2 inetutils inkscape iotop jhead jq links llvm logrotate lua lynx man-pages meld mercurial mesa-vdpau mp3splt namcap nano netctl nethogs noto-fonts noto-fonts-cjk numactl p7zip pacman-contrib pacutils pan perf picard pipewire pipewire-alsa pipewire-pulse python2 quodlibet ruby rust sg3_utils smem sqlitebrowser subversion syslinux sysstat system-config-printer thunderbird tigervnc time tk transmission-gtk ttf-hack ttf-hannom ttf-opensans usbutils vi weechat words xdg-user-dirs xorg-xfontsel"
|
||||
|
||||
# Where we'll log all actions (in the chroot)
|
||||
ACTLOG="/root/archmate.log"
|
||||
|
||||
|
|
@ -361,6 +364,9 @@ if [[ ! -f /root/.archmate/stage-5.done ]]; then
|
|||
logact pacman -S --noconfirm --noprogressbar ${PKG_CLI} ${PKG_DWIN} ${PKG_XAPP}
|
||||
[[ $? -ne 0 ]] && myexit "pacman error - exiting."
|
||||
|
||||
logact pacman -S --noconfirm --noprogressbar ${PKG_EXTRA}
|
||||
[[ $? -ne 0 ]] && myexit "pacman error - exiting."
|
||||
|
||||
logact pacman -Rnu --noconfirm ${PKG_XDEL}
|
||||
[[ $? -ne 0 ]] && myexit "pacman error - exiting."
|
||||
|
||||
|
|
@ -433,13 +439,38 @@ logact echo -e "\n${_BAR}\n## Stage 7: Enabling system services\n${_BAR}"
|
|||
|
||||
if [[ ! -f /root/.archmate/stage-7.done ]]; then
|
||||
|
||||
if [[ ! -f /etc/iptables/iptables.rules ]] && \
|
||||
[[ -f /etc/iptables/simple_firewall.rules ]]; then
|
||||
logact cp /etc/iptables/simple_firewall.rules /etc/iptables/iptables.rules
|
||||
fi
|
||||
# firewall rules, port 22 open by default
|
||||
rm -f /etc/iptables/*.rules
|
||||
cat << 'EOF' > /etc/iptables/iptables.rules
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -p icmp -j ACCEPT
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
COMMIT
|
||||
EOF
|
||||
cat << 'EOF' > /etc/iptables/ip6tables.rules
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
||||
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
|
||||
COMMIT
|
||||
EOF
|
||||
|
||||
# systemd tweaks
|
||||
sed -i.bak 's/^#SystemMaxUse=.*/SystemMaxUse=50M/g' /etc/systemd/journald.conf
|
||||
sed -i.bak 's/^#KillUserProcesses=.*/KillUserProcesses=yes/g' /etc/systemd/logind.conf
|
||||
sed -i.bak 's/^#Storage=.*/Storage=none/g' /etc/systemd/coredump.conf
|
||||
echo 'kernel.core_pattern=' > /etc/sysctl.d/50-coredump.conf
|
||||
|
||||
|
|
@ -448,6 +479,7 @@ if [[ ! -f /root/.archmate/stage-7.done ]]; then
|
|||
|
||||
logact systemctl enable lightdm.service
|
||||
logact systemctl enable NetworkManager.service
|
||||
logact systemctl enable bluetooth.service
|
||||
logact systemctl enable cronie.service
|
||||
logact systemctl enable iptables.service
|
||||
logact systemctl enable ip6tables.service
|
||||
|
|
@ -468,8 +500,12 @@ _DTS=$(date)
|
|||
logact echo -e "\n${_BAR}\n${_BAR}\n## Finished: ${_DTS}\n${_BAR}\n${_BAR}"
|
||||
|
||||
logact echo -e "Typical next steps:\n"
|
||||
logact echo "# configure /etc/chrony.conf to set offline mode (laptop)"
|
||||
logact echo "# alsamixer (change base levels to ~50%)"
|
||||
logact echo "# vim /etc/chrony.conf to set offline mode (laptop)"
|
||||
logact echo "# vim /etc/mkinitcpio.conf (add resume hook for laptop)"
|
||||
logact echo "# vim /etc/fstab (add discard for SSD)"
|
||||
logact echo "# systemctl enable fstrim.timer (SSD)"
|
||||
logact echo "# systemctl enable cpupower.service (laptop)"
|
||||
logact echo -e "\n# exit (the chroot)\n# umount -R /mnt\n# reboot\n"
|
||||
|
||||
exit 0
|
||||
|
|
|
|||
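Review bot: In the stage-7 hunk (`@ -433,13 +439,38`), `rm -f /etc/iptables/*.rules` followed by the two heredoc writes unconditionally discards whatever rule set is already in /etc/iptables, whereas the code it replaces only seeded iptables.rules when none existed; a re-run that reaches this stage (the `stage-7.done` marker is only checked, not visible being written here) would silently overwrite locally edited rules. The journald/logind/coredump edits a few lines below keep a copy via `sed -i.bak`, so the same convention fits here, e.g. `[[ -f /etc/iptables/iptables.rules ]] && cp -a /etc/iptables/iptables.rules /etc/iptables/iptables.rules.bak` before the `rm -f`. Separately, the `rm -f` and both `cat << 'EOF' >` writes bypass `logact`, so ${ACTLOG} will not record that the rules were replaced even though every other action in this stage is logged; wrapping at least the removal (`logact rm -f /etc/iptables/*.rules`) keeps the audit trail consistent. The comment `# firewall rules, port 22 open by default` could also state that the final `-j REJECT` entries are what make the `ACCEPT` chain policies safe, since a reader may otherwise read the policy lines as a permissive default. The enclosing `if [[ ! -f /root/.archmate/stage-7.done ]]` block ends outside the hunk.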