hardened malloc. networking + firewall. json based config.

config/filesystem_chroot_install.sh

@@ -1,51 +1,54 @@
-
-#add sources list for noble.
+#add sources list for questing.
 set -e
+set -x
 echo "deb https://archive.ubuntu.com/ubuntu questing main restricted universe multiverse" > /etc/apt/sources.list
 echo "deb https://archive.ubuntu.com/ubuntu questing-updates main restricted universe multiverse" >> /etc/apt/sources.list
 echo "deb https://archive.ubuntu.com/ubuntu questing-backports main restricted universe multiverse" >> /etc/apt/sources.list
 echo "deb https://security.ubuntu.com/ubuntu questing-security main restricted universe multiverse" >> /etc/apt/sources.list
 apt update
 apt upgrade -y
-
-#set locale
-locale-gen "en_US.UTF-8"
-echo "LANG=en_US.UTF-8" > /etc/default/locale
+apt install -y jq bubblewrap curl make build-essential git libselinux1 iptables nftables libnetfilter-queue-dev
 
 #install base system packages
-apt install -y --install-recommends --install-suggests --reinstall systemd
-apt install -y --no-install-recommends gnome-core
-apt install -y git curl flatpak systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping fish python3-bpfcc python3-pip bpfcc-tools gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant ffmpeg vlc pciutils usbutils
+apt install -y --install-recommends --install-suggests systemd   
+apt install -y vanilla-gnome-desktop vanilla-gnome-default-settings gdm3 gnome-shell-extension-appindicator gnome-shell-extension-ubuntu-dock gnome-shell-extension-ubuntu-tiling-assistant
+apt install -y rlwrap dnsutils systemd-resolved ufw nano htop ipset lm-sensors net-tools iputils-ping python3-pip keepassxc ufw opensnitch
 
-#install python systemwide
-pip install --break-system-packages dnslib psutil
+#install packages from config
+jq -r '.packages | .[]' config.json | while read -r item; do
+  apt install -y "$item"
+done
+
+#set locale
+locale=$(jq -r '.locale' config.json)
+echo "$locale"
+locale-gen "$locale"
+echo "LANG=$locale" > /etc/default/locale
 
 #add setuid for some applications
 chmod u+s /usr/bin/bwrap
 chmod u+s /usr/bin/ping
 
+#disable setup screen config
+mkdir -p ~/.config
+touch ~/.config/gnome-initial-setup-done
+
 #enable services
 systemctl enable systemd-resolved
 systemctl enable systemd-networkd
+systemctl enable mem-alloc
 
-#ui changes
-gsettings set org.gnome.desktop.interface color-scheme 'prefer-dark'
-
-
-#run echo "permit persist :sudo as root" >> /etc/doas.conf
-
-
-#create the default user
-useradd -m -s /bin/bash ubuntu
-usermod -a -G sudo ubuntu
-yes defaultpass | passwd ubuntu
-
-#install flatpak apps
-flatpak remote-add flathub https://dl.flathub.org/repo/flathub.flatpakrepo
-flatpak install --system --noninteractive flathub org.keepassxc.KeePassXC
+#firewall enable (inbound block)
+ufw enable
 
 #install brave browser
 curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
 curl -fsSLo /etc/apt/sources.list.d/brave-browser-release.sources https://brave-browser-apt-release.s3.brave.com/brave-browser.sources
 apt update
 apt install -y brave-browser
+
+#configure permissions for opensnitch firewall
+rsync -a /usr/src/opensnitchd/ /etc/opensnitchd/
+chown -R root:root /etc/opensnitchd/
+chmod 777 /etc/opensnitchd/settings.conf
+