new iptables, extra packages

tengel 2024-03-20 11:32:49 -05:00
parent d1deaacfc1
commit c1446a8d3c


@ -83,6 +83,9 @@ PKG_DWIN="accountsservice mate mate-applets mate-extra lightdm-gtk-greeter gnome
# GUI stuff # GUI stuff
PKG_XAPP="asunder brasero chromium firefox geeqie gimp gkrellm gucharmap gvfs-afc gvfs-mtp gvfs-smb gvim hexchat hunspell-en_US hyphen-en libreoffice-fresh pragha pidgin pidgin-otr seahorse vlc x11-ssh-askpass wireshark-qt" PKG_XAPP="asunder brasero chromium firefox geeqie gimp gkrellm gucharmap gvfs-afc gvfs-mtp gvfs-smb gvim hexchat hunspell-en_US hyphen-en libreoffice-fresh pragha pidgin pidgin-otr seahorse vlc x11-ssh-askpass wireshark-qt"
# Non-essential goodies
PKG_EXTRA="android-tools argyllcms aspell audacious audacious-plugins axel blueman bluez cadaver clang cmake cmus colord colord-gtk cups cups-filters cups-pdf cups-pk-helper datamash dconf-editor dialog dos2unix doxygen duplicity duplicity easytag elinks expac expect extra-cmake-modules feh figlet foomatic-db foomatic-db-engine foomatic-db-gutenprint-ppds foomatic-db-ppds freerdp galculator-gtk2 gdb gnome-icon-theme gnome-icon-theme-symbolic gnome-themes-extra go graphicsmagick gspell gtk-engine-murrine gtk-engines gtkspell3 gutenprint handbrake hspell hwinfo i7z id3v2 inetutils inkscape iotop jhead jq links llvm logrotate lua lynx man-pages meld mercurial mesa-vdpau mp3splt namcap nano netctl nethogs noto-fonts noto-fonts-cjk numactl p7zip pacman-contrib pacutils pan perf picard pipewire pipewire-alsa pipewire-pulse python2 quodlibet ruby rust sg3_utils smem sqlitebrowser subversion syslinux sysstat system-config-printer thunderbird tigervnc time tk transmission-gtk ttf-hack ttf-hannom ttf-opensans usbutils vi weechat words xdg-user-dirs xorg-xfontsel"
# Where we'll log all actions (in the chroot) # Where we'll log all actions (in the chroot)
ACTLOG="/root/archmate.log" ACTLOG="/root/archmate.log"
@ -361,6 +364,9 @@ if [[ ! -f /root/.archmate/stage-5.done ]]; then
logact pacman -S --noconfirm --noprogressbar ${PKG_CLI} ${PKG_DWIN} ${PKG_XAPP} logact pacman -S --noconfirm --noprogressbar ${PKG_CLI} ${PKG_DWIN} ${PKG_XAPP}
[[ $? -ne 0 ]] && myexit "pacman error - exiting." [[ $? -ne 0 ]] && myexit "pacman error - exiting."
logact pacman -S --noconfirm --noprogressbar ${PKG_EXTRA}
[[ $? -ne 0 ]] && myexit "pacman error - exiting."
logact pacman -Rnu --noconfirm ${PKG_XDEL} logact pacman -Rnu --noconfirm ${PKG_XDEL}
[[ $? -ne 0 ]] && myexit "pacman error - exiting." [[ $? -ne 0 ]] && myexit "pacman error - exiting."
@ -433,13 +439,38 @@ logact echo -e "\n${_BAR}\n## Stage 7: Enabling system services\n${_BAR}"
if [[ ! -f /root/.archmate/stage-7.done ]]; then if [[ ! -f /root/.archmate/stage-7.done ]]; then
if [[ ! -f /etc/iptables/iptables.rules ]] && \ # firewall rules, port 22 open by default
[[ -f /etc/iptables/simple_firewall.rules ]]; then rm -f /etc/iptables/*.rules
logact cp /etc/iptables/simple_firewall.rules /etc/iptables/iptables.rules cat << 'EOF' > /etc/iptables/iptables.rules
fi *filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat << 'EOF' > /etc/iptables/ip6tables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
# systemd tweaks # systemd tweaks
sed -i.bak 's/^#SystemMaxUse=.*/SystemMaxUse=50M/g' /etc/systemd/journald.conf sed -i.bak 's/^#SystemMaxUse=.*/SystemMaxUse=50M/g' /etc/systemd/journald.conf
sed -i.bak 's/^#KillUserProcesses=.*/KillUserProcesses=yes/g' /etc/systemd/logind.conf
sed -i.bak 's/^#Storage=.*/Storage=none/g' /etc/systemd/coredump.conf sed -i.bak 's/^#Storage=.*/Storage=none/g' /etc/systemd/coredump.conf
echo 'kernel.core_pattern=' > /etc/sysctl.d/50-coredump.conf echo 'kernel.core_pattern=' > /etc/sysctl.d/50-coredump.conf
@ -448,6 +479,7 @@ if [[ ! -f /root/.archmate/stage-7.done ]]; then
logact systemctl enable lightdm.service logact systemctl enable lightdm.service
logact systemctl enable NetworkManager.service logact systemctl enable NetworkManager.service
logact systemctl enable bluetooth.service
logact systemctl enable cronie.service logact systemctl enable cronie.service
logact systemctl enable iptables.service logact systemctl enable iptables.service
logact systemctl enable ip6tables.service logact systemctl enable ip6tables.service
@ -468,8 +500,12 @@ _DTS=$(date)
logact echo -e "\n${_BAR}\n${_BAR}\n## Finished: ${_DTS}\n${_BAR}\n${_BAR}" logact echo -e "\n${_BAR}\n${_BAR}\n## Finished: ${_DTS}\n${_BAR}\n${_BAR}"
logact echo -e "Typical next steps:\n" logact echo -e "Typical next steps:\n"
logact echo "# configure /etc/chrony.conf to set offline mode (laptop)"
logact echo "# alsamixer (change base levels to ~50%)" logact echo "# alsamixer (change base levels to ~50%)"
logact echo "# vim /etc/chrony.conf to set offline mode (laptop)"
logact echo "# vim /etc/mkinitcpio.conf (add resume hook for laptop)"
logact echo "# vim /etc/fstab (add discard for SSD)"
logact echo "# systemctl enable fstrim.timer (SSD)"
logact echo "# systemctl enable cpupower.service (laptop)"
logact echo -e "\n# exit (the chroot)\n# umount -R /mnt\n# reboot\n" logact echo -e "\n# exit (the chroot)\n# umount -R /mnt\n# reboot\n"
exit 0 exit 0
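Review bot: The unconditional `rm -f /etc/iptables/*.rules` in the stage-7 hunk discards any rules already present (the package-shipped simple_firewall.rules and anything an operator placed there) before the heredocs overwrite iptables.rules and ip6tables.rules, whereas the removed code only seeded iptables.rules when it was absent. If the intent is to always install this baseline, the existing files should at least be preserved, e.g. `for f in /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules; do [[ -f "$f" ]] && cp -a -- "$f" "$f.bak"; done` before the heredocs, and the rm dropped. These writes are also the only stage-7 actions not routed through `logact` and not followed by the `[[ $? -ne 0 ]] && myexit` check the neighbouring steps use, so a failed write leaves the firewall service enabled with no ruleset and no trace in ACTLOG. A short comment above the heredocs stating that the baseline rejects all inbound traffic except established/related, ICMP, loopback and TCP/22 on both address families would help the next reader; the enclosing `if [[ ! -f /root/.archmate/stage-7.done ]]` block closes outside this hunk.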