Arch-Linux-Installer/lib/system/security.sh

#!/bin/bash

# Copyright 2026 Logan Fick
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# security.sh - Security hardening functions
#
# Applies security hardening to the installed system:
# - Configures mkinitcpio with sd-encrypt hook for LUKS
# - Enables sudo access for wheel group
# - Disables root account login
# - Enables nftables firewall, smartd, and fstrim timer
# - Configures OpenSSH with restricted settings
# - Installs custom CA certificate to system trust store
# - Sets up USBGuard to whitelist connected devices

# Configure mkinitcpio hooks for encrypted root
configure_initramfs() {
    print "Configuring initramfs..."

    local default_line="HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap sd-vconsole block filesystems fsck)"
    local new_line="HOOKS=(systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)"

    chroot_run sed -i "s|^${default_line}|${new_line}|" /etc/mkinitcpio.conf
    run_visible_cmd chroot_run mkinitcpio -P
}

# Enable BTRFS scrub timer if using BTRFS filesystem
# Arguments:
#   $1 - filesystem type
enable_btrfs_scrub() {
    local filesystem="$1"

    if [ "$filesystem" = "btrfs" ] || [ "$filesystem" = "btrfs-dup" ]; then
        chroot_systemd_enable btrfs-scrub@-.timer
    fi
}

# Configure sudo access for wheel group
configure_sudo() {
    print "Enabling sudo access for wheel group..."
    chroot_run sed -i "s|^# %wheel ALL=(ALL:ALL) ALL|%wheel ALL=(ALL:ALL) ALL|" /etc/sudoers
}

# Disable root account login
disable_root() {
    print "Disabling root account..."
    chroot_run passwd -l root
}

# Configure SSH server
# Arguments:
#   $1 - username to allow SSH access
configure_ssh() {
    local username="$1"

    print "Setting up and enabling OpenSSH server..."

    chroot_run sed -i "s|PLACEHOLDER|${username}|" /etc/ssh/sshd_config
    run_visible_cmd chroot_run ssh-keygen -t ed25519 -C "" -N "" -f /etc/ssh/ssh_host_ed25519_key
    chroot_systemd_enable sshd.service
}

# Display SSH host key fingerprint
show_ssh_fingerprint() {
    print "Public SSH key fingerprint of this host:"
    run_visible_cmd chroot_run ssh-keygen -lvf /etc/ssh/ssh_host_ed25519_key.pub
}

# Install custom CA certificate
install_ca_certificate() {
    print "Adding LogalNet Internal Certification Authority to system CA store..."

    cp "${CA_CERT_PATH}" "${MOUNT_POINT}"
    chroot_run trust anchor --store /logalnet-internal-ca.crt
    chroot_run rm /logalnet-internal-ca.crt
}

# Configure USBGuard
configure_usbguard() {
    print "Please add or remove any USB devices, including the installer drive, to form the standard configuration for this system. USBGuard will be configured to only allow the USB devices connected at the time you press enter to be used; everything else will be blocked."
    print "When ready to proceed, press enter."
    read -r

    chroot_run sh -c "usbguard generate-policy > /etc/usbguard/rules.conf"
    chroot_systemd_enable usbguard.service
}

# Full security setup
# Arguments:
#   $1 - filesystem type
setup_security() {
    local filesystem="$1"

    configure_sudo
    disable_root
    chroot_systemd_enable nftables.service
    chroot_systemd_enable smartd.service
    chroot_systemd_enable fstrim.timer
    enable_btrfs_scrub "$filesystem"
}