#!/usr/bin/env bash
# |----------------------------------------------------------|
# | Copyright (c) 2024-2026 Vili <https://vili.dev>. GPL-3.0 |
# |----------------------------------------------------------|
# Made in Finland.
set -euo pipefail

# whiptail (shipped in the "newt" package) drives every dialog further down.
if ! command -v whiptail >/dev/null 2>&1; then
  echo "Whiptail is required for the TUI. Installing..."
  sudo dnf install newt -y >/dev/null
fi

# Ask for the sudo password once, before any dialog is shown.
sudo -v

# Background loop: refresh the cached sudo timestamp every 60 seconds and stop
# once this script's PID is gone.
# NOTE(review): while the timestamp is kept fresh, anything launched from this
# session can presumably call sudo without a prompt -- that would include the
# third-party installer scripts this file downloads and runs later. Confirm
# that this is acceptable for the threat model.
while true; do
  sudo -n true
  sleep 60
  kill -0 "$$" || exit
done 2>/dev/null &
# Core
# Succeeds when "$1" resolves to something the shell can run
# (as reported by `command -v`); prints nothing.
command_exists() {
  command -v "$1" >/dev/null 2>&1
}
# Refreshes repository metadata and upgrades every installed package.
sys_update() {
  echo -e "\n=> Performing system upgrade..."
  local -a upgrade_cmd=(dnf upgrade --refresh -y)
  sudo "${upgrade_cmd[@]}"
}
# Enables the RPM Fusion free/nonfree repositories for the running Fedora
# release and registers the Flathub remote.
# Globals: none. Calls command_exists (defined in this file).
#
# NOTE(review): the two release RPMs are installed straight from a URL. Whether
# their signatures are checked depends on dnf's localpkg_gpgcheck setting, which
# is off by default as far as I know -- so trust here rests on TLS to
# download1.rpmfusion.org. Confirm, or verify the packages against RPM Fusion's
# published keys before installing.
add_rpm_repos() {
  echo -e "\n=> Adding RPM Fusion and Flathub..."
  local fedora_ver
  fedora_ver="$(rpm -E %fedora)"
  local -a release_rpms=(
    "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-${fedora_ver}.noarch.rpm"
    "https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-${fedora_ver}.noarch.rpm"
  )
  sudo dnf install -y "${release_rpms[@]}"
  sudo dnf install -y dnf-plugins-core
  sudo dnf group upgrade core -y
  # Only pull in flatpak when it is not already available.
  command_exists flatpak || sudo dnf install flatpak -y
  flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
}
# Appends a fixed set of options to /etc/dnf/dnf.conf, unless the file already
# mentions max_parallel_downloads.
#
# NOTE(review): the guard keys on max_parallel_downloads only. If that one key
# is already present, none of the other lines (including gpgcheck=1) are added.
# NOTE(review): the lines are appended to the end of the file, so they land in
# whatever section comes last -- presumably [main]; confirm.
# NOTE(review): skip_if_unavailable=True lets dnf carry on when a repository is
# unreachable, which can hide a missing updates repo; defaultyes=True makes
# "yes" the default answer at prompts. Both trade safety for convenience.
append_dnf_configs() {
  echo -e "\n=> Optimizing DNF..."
  local conf_file="/etc/dnf/dnf.conf"
  if grep -q "max_parallel_downloads" "$conf_file"; then
    return 0
  fi
  sudo tee -a "$conf_file" >/dev/null <<'EOF'
gpgcheck=1
clean_requirements_on_remove=True
skip_if_unavailable=True
deltarpm=False
best=False
keepcache=True
installonly_limit=3
max_parallel_downloads=10
defaultyes=True
EOF
}
# Installs dnf-automatic, writes /etc/dnf/automatic.conf when that file does
# not exist yet, and enables the timer.
#
# NOTE(review): the configuration (security-only upgrades, applied
# automatically) is written only if the file is absent. If the package ships
# its own /etc/dnf/automatic.conf, this block is skipped and the packaged
# defaults stay in force -- confirm which case applies on the target release.
setup_auto_updates() {
  echo -e "\n=> Setting up DNF Automatic Updates..."
  sudo dnf install -y dnf-automatic
  local conf_file="/etc/dnf/automatic.conf"
  if [[ ! -f "$conf_file" ]]; then
    sudo touch "$conf_file"
    sudo tee -a "$conf_file" >/dev/null <<'EOF'
[commands]
upgrade_type = security
random_sleep = 0
download_updates = yes
apply_updates = yes
[emitters]
emit_via = stdio
EOF
  fi
  sudo systemctl enable --now dnf-automatic.timer
}
# Installs Fail2Ban and starts it now and at boot.
#
# NOTE(review): no jail configuration is written here. Unless the packaged
# defaults enable a jail (for example for sshd), the running service may not
# be banning anything -- confirm and add a jail.local if needed.
install_fail2ban() {
  echo -e "\n=> Installing and enabling Fail2Ban..."
  local -r svc="fail2ban"
  sudo dnf install -y "$svc"
  sudo systemctl enable --now "$svc"
}
# Drops a NetworkManager config that randomizes the MAC address used for Wi-Fi
# scans and for Wi-Fi and Ethernet connections, then restarts NetworkManager.
# The file is only written when it does not exist yet.
#
# NOTE(review): a random MAC on every connection presumably interferes with
# DHCP reservations, MAC-based allow lists and captive-portal sessions;
# confirm this is wanted for wired links too.
mac_randomization() {
  echo -e "\n=> Enabling MAC Randomization..."
  local macrandomize_rule="/etc/NetworkManager/conf.d/00-macrandomize.conf"
  if [[ ! -f "$macrandomize_rule" ]]; then
    sudo tee -a "$macrandomize_rule" >/dev/null <<'EOF'
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
EOF
  fi
  # The restart briefly drops every active connection.
  sudo systemctl restart NetworkManager
}
# Drops a NetworkManager config that sets ipv6.ip6-privacy=2 for connections,
# then restarts NetworkManager. The file is only written when it does not
# exist yet.
#
# NOTE(review): hardcore_kernel_args in this file passes ipv6.disable=1 on the
# kernel command line; with both options selected this setting has nothing to
# act on.
ipv6_privacy() {
  echo -e "\n=> Enabling IPv6 Privacy Extensions..."
  local ipv6_privacy_rule="/etc/NetworkManager/conf.d/00-ipv6-privacy.conf"
  if [[ ! -f "$ipv6_privacy_rule" ]]; then
    sudo tee -a "$ipv6_privacy_rule" >/dev/null <<'EOF'
[connection]
ipv6.ip6-privacy=2
EOF
  fi
  sudo systemctl restart NetworkManager
}
# Writes /etc/sysctl.d/55-hardening.conf (overwriting any previous copy) and
# reloads all sysctl configuration with `sysctl --system`.
#
# NOTE(review): several keys trade compatibility or throughput for hardening:
#   - net.ipv4.tcp_sack / tcp_dsack / tcp_timestamps = 0 presumably cost
#     performance on lossy or high-latency links.
#   - kernel.io_uring_disabled = 2, kernel.unprivileged_bpf_disabled = 1 and
#     fs.binfmt_misc.status = 0 switch features off that some software expects.
#   - kernel.kexec_load_disabled = 1 is, per the kernel documentation as I
#     recall it, not revertible without a reboot -- confirm.
#   - kernel.perf_event_paranoid = 3: as far as I know only distro-patched
#     kernels give 3 a meaning beyond 2 -- confirm on Fedora.
#   - vm.mmap_rnd_bits = 32 / vm.mmap_rnd_compat_bits = 16 look like x86_64
#     maxima; other architectures may reject them -- confirm.
#   - vm.max_map_count is a capacity setting rather than a hardening one.
# NOTE(review): with `set -e` active in this script, a non-zero exit from
# `sysctl --system` (for example a key this kernel does not have) would stop
# the whole run at this point -- confirm how sysctl reports such keys.
sysctl_hardening() {
echo -e "\n=> Applying sysctl hardening..."
local sysctl_file="/etc/sysctl.d/55-hardening.conf"
# Quoted delimiter: the file content below is written literally, no expansion.
sudo tee "$sysctl_file" >/dev/null <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.shared_media = 0
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.arp_ignore = 2
net.ipv4.conf.all.drop_gratuitous_arp = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.core.bpf_jit_harden = 2
kernel.unprivileged_bpf_disabled = 1
kernel.sysrq = 0
kernel.perf_event_paranoid = 3
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.oops_limit = 100
kernel.warn_limit = 100
kernel.panic = -1
fs.binfmt_misc.status = 0
fs.suid_dumpable = 0
fs.protected_regular = 2
fs.protected_fifos = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
dev.tty.ldisc_autoload = 0
vm.unprivileged_userfaultfd = 0
kernel.printk = 3 3 3 3
kernel.kexec_load_disabled = 1
kernel.core_pattern = |/bin/false
kernel.io_uring_disabled = 2
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
kernel.randomize_va_space = 2
vm.mmap_min_addr = 65536
vm.max_map_count = 1048576
EOF
# Apply the new file (and every other sysctl.d drop-in) immediately.
sudo sysctl --system
}
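# Stops and disables printing (CUPS) and mDNS discovery (Avahi).
#
# The socket and path units are disabled together with the services:
# leaving cups.socket, cups.path or avahi-daemon.socket enabled lets systemd
# start the daemon again on demand, which would undo the change.
# A unit that cannot be disabled (for example because the package is not
# installed) produces a warning instead of aborting the whole script.
# Returns: 0 always.
disable_cups_avahi() {
  echo -e "\n=> Disabling CUPS and Avahi-daemon..."
  local unit
  local -a units=(
    cups.service
    cups.socket
    cups.path
    avahi-daemon.service
    avahi-daemon.socket
  )
  for unit in "${units[@]}"; do
    sudo systemctl disable --now "$unit" \
      || echo "Warning: could not disable $unit (not installed?)." >&2
  done
}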
# Turns the Wi-Fi radio off, disables wpa_supplicant and writes a modprobe
# drop-in that maps four Wi-Fi driver modules to /bin/true.
#
# NOTE(review): only iwlwifi, iwlmvm, rt2800pci and ath9k are covered. Hardware
# using any other driver is not affected by the modprobe file, so "completely"
# holds only for those four.
# NOTE(review): `systemctl disable --now wpa_supplicant` is not guarded; with
# `set -e` active in this script a missing unit would presumably end the run.
disable_wifi() {
  echo -e "\n=> Completely disabling Wi-Fi capability..."
  sudo nmcli radio wifi off || true
  sudo rfkill block wifi || true
  sudo systemctl disable --now wpa_supplicant
  local -r modprobe_conf="/etc/modprobe.d/disable-wifi.conf"
  local -a drivers=(iwlwifi iwlmvm rt2800pci ath9k)
  # One "install <module> /bin/true" line per driver; the file is overwritten.
  printf 'install %s /bin/true\n' "${drivers[@]}" | sudo tee "$modprobe_conf" >/dev/null
}
# Disables the bluetooth service, soft-blocks the radio and writes a modprobe
# drop-in that maps the btusb and bluetooth modules to /bin/true.
#
# NOTE(review): add_dracut_flags in this file adds the bluetooth dracut module
# for LUKS unlock; selecting both options is contradictory.
disable_bluetooth() {
  echo -e "\n=> Completely disabling Bluetooth capability..."
  sudo systemctl disable --now bluetooth
  sudo rfkill block bluetooth || true
  local -r modprobe_conf="/etc/modprobe.d/disable-bluetooth.conf"
  local -a modules=(btusb bluetooth)
  # The drop-in is overwritten on every run.
  printf 'install %s /bin/true\n' "${modules[@]}" | sudo tee "$modprobe_conf" >/dev/null
}
# Writes a modprobe drop-in that maps the uvcvideo module to /bin/true.
# NOTE(review): a module that is already loaded presumably stays loaded until
# the next boot; nothing here unloads it.
disable_webcam() {
  echo -e "\n=> Completely disabling Webcam capability..."
  local -r modprobe_conf="/etc/modprobe.d/disable-webcam.conf"
  printf '%s\n' "install uvcvideo /bin/true" | sudo tee "$modprobe_conf" >/dev/null
}
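# Writes /etc/modprobe.d/disable-fs.conf so that a fixed list of rarely used
# filesystem modules resolves to /bin/true instead of loading.
#
# Changes from the previous version:
#   - the file is written once and overwritten, so re-running the script no
#     longer appends duplicate lines;
#   - the list is an array and the loop variable no longer leaks into the
#     global scope.
#
# NOTE(review): squashfs and udf are on the list. Software that mounts
# squashfs images, and optical/UDF media, would presumably stop working --
# confirm that is intended.
disable_obscure_fs() {
  echo -e "\n=> Disabling obscure filesystems..."
  local -a fs_list=(cramfs freevxfs jffs2 hfs hfsplus squashfs udf)
  printf 'install %s /bin/true\n' "${fs_list[@]}" \
    | sudo tee /etc/modprobe.d/disable-fs.conf >/dev/null
}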
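# Configures systemd-resolved for DNS-over-TLS with the given servers.
# Arguments: $1 - space-separated list of DNS server addresses.
# Returns:   0 on success; 1 (nothing written) when the list is empty or
#            contains characters outside the set used by addresses and the
#            optional port / interface / server-name suffixes.
#
# The value can come from a free-text dialog, and it is written into a config
# file as root. Rejecting an empty list avoids a drop-in with "DNS=" and
# strict DoT; rejecting other characters (including newlines) keeps the input
# from adding extra lines to the [Resolve] section.
#
# NOTE(review): the built-in provider lists carry bare IPs without a
# "#server-name" suffix, so certificate validation presumably relies on the
# provider's certificate naming the IP -- confirm per provider.
enable_secure_dns() {
  local dns_ips="$1"
  local -r allowed_chars='^[0-9A-Za-z.:%#_ -]+$'
  if [[ -z "${dns_ips// /}" || ! "$dns_ips" =~ $allowed_chars ]]; then
    echo "Error: refusing to configure DNS-over-TLS with an empty or malformed server list." >&2
    return 1
  fi
  echo -e "\n=> Enabling System-wide DNS-over-TLS (DoT) with IPs: $dns_ips"
  sudo mkdir -p /etc/systemd/resolved.conf.d
  # Unquoted delimiter on purpose: $dns_ips must expand into the file.
  sudo tee /etc/systemd/resolved.conf.d/dns_over_tls.conf >/dev/null <<EOF
[Resolve]
DNS=$dns_ips
DNSOverTLS=yes
EOF
  sudo systemctl restart systemd-resolved
}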
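# Applies system-wide Flatpak overrides that remove host/home filesystem
# access and all device access, then installs Flatseal from Flathub.
#
# Change from the previous version: flatpak is installed (when missing)
# before the overrides run. Previously the overrides came first, so on a
# system without flatpak the function failed before reaching the install.
#
# NOTE(review): --nodevice=all presumably also removes GPU device access from
# every app until it is re-granted per application.
# NOTE(review): the Flatseal install needs the "flathub" remote, which this
# function does not add; a failure there only prints a warning.
strict_flatpak_overrides() {
  echo -e "\n=> Applying Strict Flatpak Overrides & Installing Flatseal..."
  if ! command -v flatpak >/dev/null 2>&1; then
    sudo dnf install flatpak -y >/dev/null
  fi
  sudo flatpak override --nofilesystem=host
  sudo flatpak override --nofilesystem=home
  sudo flatpak override --nodevice=all
  flatpak install -y flathub com.github.tchx84.Flatseal || echo "Warning: Flatseal failed to install."
}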
# Adds a fixed set of hardening parameters to the command line of every
# installed kernel via grubby. Takes effect at the next boot.
#
# NOTE(review): side effects worth confirming before enabling:
#   - module.sig_enforce=1 with lockdown=confidentiality presumably blocks
#     unsigned out-of-tree modules (this script also offers akmod-nvidia) and
#     features such as hibernation.
#   - mds=full,nosmt and l1tf=full,force presumably disable SMT on affected
#     CPUs.
#   - ipv6.disable=1 turns IPv6 off entirely, which conflicts with the IPv6
#     privacy option and the IPv6 DNS servers offered elsewhere in this script.
#   - kptr_restrict=2 does not look like a recognised boot parameter (it is a
#     sysctl, which sysctl_hardening already sets) -- confirm.
hardcore_kernel_args() {
  echo -e "\n=> Applying hardcore kernel hardening arguments..."
  local -a boot_args=(
    module.sig_enforce=1
    lockdown=confidentiality
    kptr_restrict=2
    spec_store_bypass_disable=on
    pti=on
    l1tf=full,force
    mds=full,nosmt
    tsx=off
    spectre_v2=on
    ipv6.disable=1
  )
  # "${boot_args[*]}" joins the list with single spaces into one --args value.
  sudo grubby --update-kernel=ALL --args="${boot_args[*]}"
}
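# Installs USBGuard, generates an allow-list from the devices attached right
# now, installs it as /etc/usbguard/rules.conf and enables the service.
# Returns: 0 on success; non-zero when policy generation or installation
#          fails (the service is then left disabled).
#
# Changes from the previous version:
#   - the policy is generated into a private temporary file and checked for
#     content first. Piping straight into `tee` truncated rules.conf even when
#     generation failed, leaving an empty rule set behind.
#   - the file is put in place with mode 0600 in one step instead of being
#     created with default permissions and restricted afterwards.
#
# NOTE(review): the generated policy allows every device that is plugged in at
# this moment. Unplug anything that should not be trusted permanently before
# running this, and review rules.conf afterwards.
# NOTE(review): generate-policy runs without sudo, as before -- confirm it
# sees all devices when unprivileged.
setup_usbguard() {
  echo -e "\n=> Setting up USBGuard..."
  sudo dnf install -y usbguard usbguard-notifier
  local staged rc=0
  staged="$(mktemp)" || return 1
  if ! usbguard generate-policy >"$staged" || [[ ! -s "$staged" ]]; then
    rm -f -- "$staged"
    echo "Error: usbguard generate-policy produced no rules; USBGuard was not enabled." >&2
    return 1
  fi
  sudo install -m 0600 -o root -g root -- "$staged" /etc/usbguard/rules.conf || rc=$?
  rm -f -- "$staged"
  if (( rc != 0 )); then
    echo "Error: could not install /etc/usbguard/rules.conf; USBGuard was not enabled." >&2
    return "$rc"
  fi
  sudo systemctl enable --now usbguard
}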
# Makes "drop" the default firewalld zone and saves the runtime configuration
# as the permanent one.
#
# NOTE(review): the drop zone presumably discards unsolicited inbound traffic,
# SSH included; running this over a remote session can lock the operator out.
# NOTE(review): --runtime-to-permanent persists the whole runtime state, so
# any temporary runtime rule that happens to be active is made permanent too.
setup_firewall_drop() {
  echo -e "\n=> Configuring Firewalld (Setting default zone to DROP)..."
  local -a fw=(sudo firewall-cmd)
  "${fw[@]}" --set-default-zone=drop
  "${fw[@]}" --runtime-to-permanent
}
# Installs sbctl from a COPR repository, creates Secure Boot keys and enrolls
# them with the -m flag.
#
# NOTE(review): sbctl comes from a third-party COPR (chenxiaolong/sbctl); the
# tool that manages the platform's boot trust anchors is then only as
# trustworthy as that repository.
# NOTE(review): enrollment presumably requires the firmware to be in Setup
# Mode, and nothing here signs the boot chain with the new keys -- confirm
# the machine still boots with Secure Boot enforced before relying on it.
enroll_secureboot() {
  echo -e "\n=> Setting up Secure Boot..."
  local -r copr_project="chenxiaolong/sbctl"
  sudo dnf copr enable "$copr_project" -y
  sudo dnf install sbctl -y
  sudo sbctl create-keys
  sudo sbctl enroll-keys -m
}
# Adds the vendor repository for the chosen VPN client and installs it.
# Arguments: $1 - "IVPN" or "Mullvad"; any other value installs nothing.
#
# NOTE(review): each .repo file is fetched over HTTPS and then trusted as a
# package source (including whatever signing key it points to); trust is
# established on first use.
install_vpn_app() {
  echo -e "\n=> Installing VPN ($1)..."
  case "$1" in
    "IVPN")
      sudo dnf config-manager addrepo --from-repofile=https://repo.ivpn.net/stable/fedora/generic/ivpn.repo
      sudo dnf install -y iptables-legacy ivpn-ui
      ;;
    "Mullvad")
      sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
      sudo dnf install -y mullvad-vpn
      ;;
  esac
}
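# Installs the selected code editor.
# Arguments: $1 - "Zed", "VSCodium" or "NeoVim"; other values do nothing.
# Returns:   0 on success, non-zero when a download or installer fails.
#
# Changes from the previous version:
#   - Zed: the installer is downloaded completely into a temporary file and
#     only then executed. With `curl | sh` the shell starts running the script
#     while it is still arriving, so an interrupted download could execute a
#     truncated script.
#   - NeoVim: an existing ~/.config/nvim is left alone instead of making
#     `git clone` fail on a non-empty target.
#
# NOTE(review): the Zed installer is still unauthenticated code from the
# network, run while this script keeps sudo credentials cached; review it or
# verify it out of band where that matters.
# NOTE(review): the VSCodium signing key is taken from the master branch of a
# GitLab repository, so the trust anchor can change without notice.
install_code_editor() {
  echo -e "\n=> Installing Editor ($1)..."
  local installer rc=0
  case "$1" in
    "Zed")
      installer="$(mktemp)" || return 1
      if ! curl -f --proto '=https' --tlsv1.2 -o "$installer" https://zed.dev/install.sh; then
        rm -f -- "$installer"
        echo "Error: could not download the Zed installer." >&2
        return 1
      fi
      sh "$installer" || rc=$?
      rm -f -- "$installer"
      return "$rc"
      ;;
    "VSCodium")
      sudo rpmkeys --import https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg
      printf "[gitlab.com_paulcarroty_vscodium_repo]\nname=VSCodium Repository\nbaseurl=https://download.vscodium.com/rpms/\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/raw/master/pub.gpg\nmetadata_expire=1h\n" | sudo tee /etc/yum.repos.d/vscodium.repo
      sudo dnf install codium -y
      ;;
    "NeoVim")
      sudo dnf install neovim -y
      if [[ -e "$HOME/.config/nvim" ]]; then
        echo "$HOME/.config/nvim already exists; leaving the existing configuration untouched."
      else
        git clone https://github.com/NvChad/starter "$HOME/.config/nvim"
      fi
      ;;
  esac
}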
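# Installs Steam and unpacks the latest Proton-GE release into
# ~/.steam/root/compatibilitytools.d.
# Returns: 0 on success, 1 when the release cannot be resolved or downloaded.
#
# Changes from the previous version:
#   - the release lookup uses `curl -f`, so an API error response is treated
#     as a failure instead of being parsed;
#   - the resolved URL must be a .tar.gz asset under this project's GitHub
#     release path; an empty or unexpected result stops here rather than
#     reaching curl/tar;
#   - the archive is downloaded completely to a temporary file before it is
#     extracted, instead of streaming a partial download into tar.
#
# NOTE(review): the archive is still not checked against a published checksum
# or signature before extraction; add that if the upstream release provides
# one.
setup_protonge() {
  echo -e "\n=> Installing Steam and Proton-GE..."
  sudo dnf install steam -y
  local -r tools_dir="$HOME/.steam/root/compatibilitytools.d"
  local -r api_url="https://api.github.com/repos/GloriousEggroll/proton-ge-custom/releases/latest"
  local release_json="" url="" archive rc=0
  mkdir -p "$tools_dir"
  release_json="$(curl -fsS "$api_url")" || release_json=""
  url="$(printf '%s\n' "$release_json" \
    | grep "browser_download_url.*tar.gz" | cut -d\" -f4 | head -n 1)" || true
  if [[ "$url" != https://github.com/GloriousEggroll/proton-ge-custom/releases/download/*.tar.gz ]]; then
    echo "Error: could not resolve a Proton-GE release archive." >&2
    return 1
  fi
  archive="$(mktemp)" || return 1
  if curl -fL -o "$archive" "$url"; then
    tar -xzf "$archive" -C "$tools_dir" || rc=$?
  else
    echo "Error: Proton-GE download failed." >&2
    rc=1
  fi
  rm -f -- "$archive"
  return "$rc"
}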
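# Installs the selected web browser.
# Arguments: $1 - "Helium", "Trivalent", "Brave", "Chromium" or "Librewolf";
#                 other values do nothing.
# Returns:   0 on success, non-zero when a download or installer fails.
#
# Change from the previous version (Brave): the installer script is downloaded
# completely into a temporary file and only then executed. With `curl | sh`
# the shell starts running the script while it is still arriving, so an
# interrupted download could execute a truncated script.
#
# NOTE(review): the Brave installer remains unauthenticated code from the
# network, and Helium/Trivalent/Librewolf add third-party repositories whose
# .repo files are trusted on first use.
install_browser() {
  echo -e "\n=> Installing Browser ($1)..."
  local installer rc=0
  case "$1" in
    "Helium")
      sudo dnf copr enable imput/helium -y
      sudo dnf install helium-bin -y
      ;;
    "Trivalent")
      sudo dnf config-manager addrepo --from-repofile=https://repo.secureblue.dev/secureblue.repo
      sudo dnf install trivalent -y
      ;;
    "Brave")
      installer="$(mktemp)" || return 1
      if ! curl -fsS --proto '=https' --tlsv1.2 -o "$installer" https://dl.brave.com/install.sh; then
        rm -f -- "$installer"
        echo "Error: could not download the Brave installer." >&2
        return 1
      fi
      sh "$installer" || rc=$?
      rm -f -- "$installer"
      if (( rc != 0 )); then
        return "$rc"
      fi
      # Brave debloat policies (managed policy file, written literally).
      sudo mkdir -p /etc/brave/policies/managed/
      sudo tee /etc/brave/policies/managed/debloat.json >/dev/null <<'EOF'
{ "BraveRewardsDisabled": true, "BraveWalletDisabled": true, "BraveVPNDisabled": true, "BraveAIChatEnabled": false, "BraveNewsDisabled": true, "BraveTalkDisabled": true, "SyncDisabled": true, "TorDisabled": true, "DnsOverHttpsMode": "automatic" }
EOF
      ;;
    "Chromium")
      sudo dnf install chromium -y
      ;;
    "Librewolf")
      curl -fsSL https://rpm.librewolf.net/librewolf-repo.repo | sudo tee /etc/yum.repos.d/librewolf.repo >/dev/null
      sudo dnf install librewolf -y
      ;;
  esac
}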
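# Installs WinBoat's dependencies, registers two iptables modules for loading
# at boot, then downloads and installs the latest WinBoat RPM.
# Returns: 0 on success, non-zero when the RPM cannot be resolved, downloaded
#          or installed.
#
# Changes from the previous version:
#   - the RPM is downloaded into a private `mktemp -d` directory instead of
#     the fixed path /tmp/winboat.rpm. A predictable name in a world-writable
#     directory can be pre-created or swapped by another local user before
#     root installs it.
#   - the resolved URL must point at this project's GitHub release path; an
#     empty or unexpected lookup result stops here.
#   - downloads use `curl -f`, so an HTTP error page is not saved as the RPM.
#
# NOTE(review): the RPM is installed from a local file; whether dnf verifies a
# signature on it depends on localpkg_gpgcheck (off by default as far as I
# know). Verify the package out of band where that matters.
install_winboat() {
  echo -e "\n=> Installing WinBoat..."
  sudo dnf install podman podman-compose freerdp.x86_64 -y
  echo -e "ip_tables\niptable_nat" | sudo tee /etc/modules-load.d/iptables.conf
  local rpm_url="" workdir rc=0
  rpm_url="$(curl -fsS https://api.github.com/repos/TibixDev/winboat/releases/latest \
    | grep -oP '"browser_download_url": "\K[^"]*\.rpm' | head -1)" || true
  if [[ "$rpm_url" != https://github.com/TibixDev/winboat/releases/download/* ]]; then
    echo "Error: could not resolve a WinBoat RPM download URL." >&2
    return 1
  fi
  workdir="$(mktemp -d)" || return 1
  if curl -fL -o "$workdir/winboat.rpm" "$rpm_url"; then
    sudo dnf install "$workdir/winboat.rpm" -y || rc=$?
  else
    echo "Error: WinBoat download failed." >&2
    rc=1
  fi
  rm -rf -- "${workdir:?}"
  return "$rc"
}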
# Installs a fixed set of development packages with dnf.
add_dev_tools() {
  echo -e "\n=> Installing Developer Tools..."
  local -a dev_pkgs=(
    kernel-devel
    android-tools
    python3-pip
    python3-devel
    git
    nodejs
    nodejs-npm
    golang
  )
  sudo dnf install "${dev_pkgs[@]}" -y
}
# Installs the akmod-nvidia package.
# NOTE(review): presumably needs the RPM Fusion nonfree repository that
# add_rpm_repos enables. With module.sig_enforce=1 (see hardcore_kernel_args)
# or Secure Boot enforcing, the locally built module must be signed with an
# enrolled key to load -- confirm.
install_nvidia() {
  echo -e "\n=> Installing Nvidia Drivers..."
  local -r driver_pkg="akmod-nvidia"
  sudo dnf install "$driver_pkg" -y
}
# Appends "options hid_apple fnmode=0" to the hid_apple modprobe drop-in and
# reloads the module so the option applies immediately.
# NOTE(review): the line is appended on every run, so repeated runs leave
# duplicate entries in the file.
hid_apple_patch() {
  echo -e "\n=> Patching Apple Keyboard (hid_apple)..."
  local -r modprobe_conf="/etc/modprobe.d/hid_apple.conf"
  printf '%s\n' "options hid_apple fnmode=0" | sudo tee -a "$modprobe_conf"
  # Unloading may fail when the module is not loaded; that is fine.
  sudo modprobe -r hid_apple || true
  sudo modprobe hid_apple
}
# Appends two settings to /etc/dracut.conf.d/flags.conf (host-only mode and
# the bluetooth dracut module) and regenerates every initramfs.
#
# NOTE(review): putting Bluetooth into the initramfs makes the radio stack
# available before the disk is unlocked, which enlarges the pre-boot attack
# surface; weigh that against the convenience.
# NOTE(review): both lines are appended on every run, so repeated runs leave
# duplicates in the file.
add_dracut_flags() {
  echo -e "\n=> Adding Dracut Flags (Bluetooth Decryption)..."
  local -r flags_conf="/etc/dracut.conf.d/flags.conf"
  printf '%s\n' 'hostonly="yes"' 'add_dracutmodules+=" bluetooth "' | sudo tee -a "$flags_conf"
  sudo dracut --regenerate-all --force --verbose
}
# Installs Tor and the Tor Browser launcher, then starts the tor service now
# and at boot.
install_tor() {
  echo -e "\n=> Installing Tor..."
  local -a tor_pkgs=(tor torbrowser-launcher)
  sudo dnf install "${tor_pkgs[@]}" -y
  sudo systemctl enable --now tor
}
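# Installs user-requested extra packages, trying dnf first and Flathub second.
# Arguments: $1 - space-separated package names or Flatpak application IDs.
# Returns:   0; individual failures are reported and skipped.
#
# Changes from the previous version:
#   - the list is split with `read -a` instead of an unquoted expansion, so a
#     "*" or "?" in the input is no longer expanded against the current
#     directory;
#   - every entry must look like a package name. Entries starting with "-"
#     would otherwise be read by `sudo dnf install` as options, and glob
#     characters would be matched by dnf against package names;
#   - the loop variable is local.
install_selection() {
  echo -e "\n=> Installing extra packages: $1"
  local -r valid_name='^[A-Za-z0-9][A-Za-z0-9._+:@-]*$'
  local -a requested=()
  local pkg
  read -r -a requested <<<"$1"
  if (( ${#requested[@]} == 0 )); then
    return 0
  fi
  for pkg in "${requested[@]}"; do
    if [[ ! "$pkg" =~ $valid_name ]]; then
      echo "Skipping invalid package name: $pkg" >&2
      continue
    fi
    # Already installed as an RPM: nothing to do.
    if rpm -q "$pkg" &>/dev/null; then continue; fi
    sudo dnf install -y "$pkg" || flatpak install -y flathub "$pkg" || echo "Failed to install $pkg"
  done
}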
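# Appends a custom prompt definition to ~/.bashrc.
# Returns: 0; does nothing when the marker line is already present.
#
# Change from the previous version: the block is appended only once. The old
# code appended it on every run, so repeated runs stacked duplicate
# definitions in ~/.bashrc.
#
# NOTE(review): the snippet assigns PROMPT_COMMAND outright, which replaces
# any value set earlier in the shell's start-up files.
setup_bash_prompt() {
  echo -e "\n=> Setting up Bash Prompt..."
  local -r bashrc="$HOME/.bashrc"
  local -r marker="# Vili's Bash prompt"
  if [[ -f "$bashrc" ]] && grep -qxF -- "$marker" "$bashrc"; then
    echo "Bash prompt already present in $bashrc; skipping."
    return 0
  fi
  # Quoted delimiter: the prompt code is written literally, nothing expands here.
  tee -a "$bashrc" >/dev/null <<'EOF'
# Vili's Bash prompt
PROMPT_COMMAND='PS1_CMD1=$(git branch --show-current 2>/dev/null)'
PS1='\[\e[2m\]\t\[\e[0m\] \w ${PS1_CMD1} \$ '
EOF
}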
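# Ensures git is installed, creates an ed25519 SSH key when none exists and
# sets the global Git identity.
# Arguments: $1 - Git user.name, $2 - Git user.email.
# Globals:   calls command_exists (defined in this file).
#
# Change from the previous version: an existing ~/.ssh/id_ed25519 is kept.
# Previously ssh-keygen was always run against that path, which stops at an
# interactive overwrite prompt and can replace a key that is already in use.
#
# NOTE(review): the key is generated with an empty passphrase (-N ""), so the
# private key file alone is enough to use it. Consider prompting for a
# passphrase or adding one afterwards with `ssh-keygen -p`.
setup_config() {
  echo -e "\n=> Setting up SSH and Git..."
  if ! command_exists git; then sudo dnf install git -y; fi
  local -r key_path="$HOME/.ssh/id_ed25519"
  if [[ -e "$key_path" ]]; then
    echo "SSH key $key_path already exists; leaving it untouched."
  else
    ssh-keygen -t ed25519 -f "$key_path" -N ""
  fi
  git config --global user.name "$1"
  git config --global user.email "$2"
}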
# TUI
# All dialogs run first; nothing is changed on the system until the "Execute"
# section further down.
whiptail --title "FQS (Fedora Quick Start)" --msgbox "Welcome to the Fedora Quick Start script by Vili.\n\nThis wizard will guide you through post-installation setup. You will select all your preferences first, and then the script will run uninterrupted." 12 70
# 1. Base Configuration Checklist
# whiptail draws on stdout and reports the selection on stderr, so the
# "3>&1 1>&2 2>&3" swap lets $(...) capture the selection while the dialog
# still reaches the terminal. A non-zero exit from whiptail (Cancel/Esc) ends
# the script with status 0.
# NOTE(review): the selected tags are later tested by pattern matching on this
# string. "AUTO_UPDATES" contains "UPDATE", so any such test has to match
# whole tags to keep the two options apart.
BASE_OPTS=$(whiptail --title "System Base Configuration" --checklist \
"Select system tweaks to apply (Space to select, Enter to confirm):" 29 80 20 \
"UPDATE" "Perform Full System Upgrade" ON \
"REPOS" "Enable RPM Fusion & Flathub" ON \
"DNF" "Optimize DNF Configuration" ON \
"FAIL2BAN" "Install and enable Fail2Ban" ON \
"MAC_RAND" "Enable MAC Address Randomization" ON \
"IPV6_PRIV" "Enable IPv6 Privacy Extensions" ON \
"SYSCTL" "Apply Sysctl Kernel Hardening" ON \
"FLATPAK_STRICT" "Strict Flatpak Overrides & Install Flatseal" OFF \
"SECURE_DNS" "Enable System-wide DNS-over-TLS (DoT)" OFF \
"DIS_FS" "Disable obscure filesystems (cramfs, hfs, udf, etc.)" OFF \
"DIS_PRINTERS" "Disable CUPS & Avahi (Printers/Discovery)" ON \
"FIREWALL" "Set Firewalld default zone to DROP" ON \
"USBGUARD" "Set up USBGuard to block unauthorized devices" OFF \
"KERNEL" "Apply Hardcore Kernel Hardening" OFF \
"BASH" "Install custom Bash prompt" ON \
"AUTO_UPDATES" "Enable DNF-Automatic" OFF \
"SECUREBOOT" "Enroll Secure Boot Keys (sbctl)" OFF \
"TOR" "Install and enable Tor service" OFF \
"NVIDIA" "Install Nvidia Drivers (akmod-nvidia)" OFF \
"APPLE_KBD" "Patch Apple Keyboard FN key (hid_apple)" OFF \
"DRACUT" "Allow BT keyboard during LUKS decryption" OFF \
"DIS_WIFI" "Completely Disable Wi-Fi (Modprobe & NM)" OFF \
"DIS_BT" "Completely Disable Bluetooth (Modprobe & RFKill)" OFF \
"DIS_WEBCAM" "Completely Disable Webcam (uvcvideo)" OFF \
3>&1 1>&2 2>&3) || exit 0
# Strip the double quotes whiptail puts around each selected tag, leaving a
# space-separated list.
BASE_OPTS=$(echo "$BASE_OPTS" | tr -d '"')
# 1.5 Secure DNS Provider (If selected)
# DNS_IPS ends up as a space-separated server list: one of three built-in
# sets, or free text typed by the user.
# NOTE(review): the "Custom" value is taken as typed; no format check happens
# at this point, and the string is later written into a systemd-resolved
# configuration file as root. An empty entry is also accepted here.
DNS_IPS=""
if [[ "$BASE_OPTS" == *"SECURE_DNS"* ]]; then
DNS_CHOICE=$(whiptail --title "Secure DNS Provider" --radiolist \
"Choose a DNS-over-TLS provider:" 15 70 4 \
"Cloudflare" "1.1.1.1 (Fast, Privacy-focused)" ON \
"Quad9" "9.9.9.9 (Malware blocking)" OFF \
"AdGuard" "94.140.14.14 (Ad & Tracker blocking)" OFF \
"Custom" "Enter your own IPs (Space separated)" OFF \
3>&1 1>&2 2>&3) || exit 0
# Each built-in set lists two IPv4 and two IPv6 addresses.
case "$DNS_CHOICE" in
"Cloudflare") DNS_IPS="1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001" ;;
"Quad9") DNS_IPS="9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9" ;;
"AdGuard") DNS_IPS="94.140.14.14 94.140.15.15 2a10:50c0::ad1:ff 2a10:50c0::ad2:ff" ;;
"Custom")
DNS_IPS=$(whiptail --title "Custom DNS" --inputbox "Enter DNS IPs (IPv4 and/or IPv6, space-separated):" 10 70 3>&1 1>&2 2>&3) || exit 0
;;
esac
fi
# 2. Browser Selection
# BROWSER holds the chosen tag ("None" keeps the default Firefox).
# Cancel/Esc ends the script with status 0.
BROWSER=$(whiptail --title "Web Browser" --radiolist \
"Choose your preferred browser:" 15 60 6 \
"None" "Stick with default Firefox" ON \
"Helium" "helium.computer (Recommended)" OFF \
"Trivalent" "secureblue.dev (Recommended)" OFF \
"Brave" "Brave (Will be auto-debloated)" OFF \
"Chromium" "Open-source Chrome" OFF \
"Librewolf" "Privacy-focused Firefox fork" OFF \
3>&1 1>&2 2>&3) || exit 0
# RM_FIREFOX becomes "YES" only when another browser was picked and the user
# confirms the removal.
RM_FIREFOX="NO"
if [ "$BROWSER" != "None" ]; then
if whiptail --title "Remove Firefox" --yesno "You selected $BROWSER. Do you want to remove Firefox entirely?" 10 60; then
RM_FIREFOX="YES"
fi
fi
# 3. Code Editor
# NOTE(review): EDITOR is also the conventional environment variable naming
# the user's text editor. If it is exported in the calling environment, this
# assignment changes what child processes started later by this script see
# (the value becomes "None", "Zed", ...). A script-specific name would avoid
# that; the later use of the variable would need the same rename.
EDITOR=$(whiptail --title "Code Editor" --radiolist \
"Choose your preferred code editor:" 15 60 4 \
"None" "Skip code editor" ON \
"Zed" "High-performance code editor made using Rust" OFF \
"VSCodium" "Telemetry-free VS Code" OFF \
"NeoVim" "NeoVim + NvChad starter" OFF \
3>&1 1>&2 2>&3) || exit 0
# 4. VPN Selection
# VPN holds "None", "IVPN" or "Mullvad".
VPN=$(whiptail --title "VPN Provider" --radiolist \
"Choose a VPN provider to install:" 15 60 3 \
"None" "Skip VPN installation" ON \
"IVPN" "ivpn.net" OFF \
"Mullvad" "mullvad.net" OFF \
3>&1 1>&2 2>&3) || exit 0
# 5. Application Checklist
# NOTE(review): the WINBOAT label mentions Docker, while install_winboat in
# this file installs podman and podman-compose -- confirm which is meant.
APP_OPTS=$(whiptail --title "Additional Applications" --checklist \
"Select other applications to install:" 15 70 5 \
"STEAM" "Steam + Latest Proton-GE" OFF \
"DEV_TOOLS" "Developer Tools (Node, Git, Go, Python)" OFF \
"WINBOAT" "WinBoat (Seamless Windows Apps via Docker)" OFF \
"GIT_SSH" "Generate SSH Keys and setup Git Config" OFF \
3>&1 1>&2 2>&3) || exit 0
# Strip the double quotes around each selected tag.
APP_OPTS=$(echo "$APP_OPTS" | tr -d '"')
# 6. Git Config (If selected)
# Name and e-mail are taken as typed; empty values are accepted here.
GIT_NAME=""
GIT_EMAIL=""
if [[ "$APP_OPTS" == *"GIT_SSH"* ]]; then
GIT_NAME=$(whiptail --title "Git Configuration" --inputbox "Enter your Name for Git commits:" 10 60 3>&1 1>&2 2>&3) || exit 0
GIT_EMAIL=$(whiptail --title "Git Configuration" --inputbox "Enter your Email for Git commits:" 10 60 3>&1 1>&2 2>&3) || exit 0
fi
# 7. Extra Packages
# Free text: a space-separated list that is later handed to the package
# installer. No format check happens at this point.
EXTRA_PKGS=$(whiptail --title "Extra Packages" --inputbox \
"Enter any additional packages to install via DNF or Flatpak (space-separated, leave blank to skip):" 10 70 3>&1 1>&2 2>&3) || exit 0
# Last dialog; after this the script starts changing the system.
whiptail --title "Ready to Go" --msgbox "Configuration complete! The system will now execute your choices. Please sit back and wait for it to finish." 10 60
clear
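# Execute
# Runs the selected steps in a fixed order. `set -e` is active, so a failing
# step ends the run at that point and later steps are not applied.

# Succeeds when tag "$2" is one of the space-separated tags in "$1".
# The comparison is on whole tags. The previous substring test
# (*"UPDATE"*) also matched "AUTO_UPDATES", so choosing only DNF-Automatic
# triggered a full system upgrade as well.
has_opt() {
  [[ " $1 " == *" $2 "* ]]
}

has_opt "$BASE_OPTS" "DNF" && append_dnf_configs
has_opt "$BASE_OPTS" "UPDATE" && sys_update
has_opt "$BASE_OPTS" "REPOS" && add_rpm_repos
has_opt "$BASE_OPTS" "AUTO_UPDATES" && setup_auto_updates
has_opt "$BASE_OPTS" "FAIL2BAN" && install_fail2ban
has_opt "$BASE_OPTS" "MAC_RAND" && mac_randomization
has_opt "$BASE_OPTS" "IPV6_PRIV" && ipv6_privacy
has_opt "$BASE_OPTS" "SYSCTL" && sysctl_hardening
has_opt "$BASE_OPTS" "FLATPAK_STRICT" && strict_flatpak_overrides
has_opt "$BASE_OPTS" "SECURE_DNS" && enable_secure_dns "$DNS_IPS"
has_opt "$BASE_OPTS" "DIS_FS" && disable_obscure_fs
has_opt "$BASE_OPTS" "DIS_PRINTERS" && disable_cups_avahi
has_opt "$BASE_OPTS" "DIS_WIFI" && disable_wifi
has_opt "$BASE_OPTS" "DIS_BT" && disable_bluetooth
has_opt "$BASE_OPTS" "DIS_WEBCAM" && disable_webcam
has_opt "$BASE_OPTS" "FIREWALL" && setup_firewall_drop
has_opt "$BASE_OPTS" "USBGUARD" && setup_usbguard
has_opt "$BASE_OPTS" "KERNEL" && hardcore_kernel_args
has_opt "$BASE_OPTS" "NVIDIA" && install_nvidia
has_opt "$BASE_OPTS" "APPLE_KBD" && hid_apple_patch
has_opt "$BASE_OPTS" "DRACUT" && add_dracut_flags
has_opt "$BASE_OPTS" "TOR" && install_tor
has_opt "$BASE_OPTS" "BASH" && setup_bash_prompt
has_opt "$BASE_OPTS" "SECUREBOOT" && enroll_secureboot

[ "$BROWSER" != "None" ] && install_browser "$BROWSER"
if [ "$RM_FIREFOX" == "YES" ]; then
  echo -e "\n=> Removing Firefox..."
  sudo dnf remove firefox -y
fi
[ "$EDITOR" != "None" ] && install_code_editor "$EDITOR"
[ "$VPN" != "None" ] && install_vpn_app "$VPN"

has_opt "$APP_OPTS" "STEAM" && setup_protonge
has_opt "$APP_OPTS" "DEV_TOOLS" && add_dev_tools
has_opt "$APP_OPTS" "WINBOAT" && install_winboat
has_opt "$APP_OPTS" "GIT_SSH" && setup_config "$GIT_NAME" "$GIT_EMAIL"
[ -n "$EXTRA_PKGS" ] && install_selection "$EXTRA_PKGS"

echo -e "\n\e[32m[+] All steps complete! Your system is now set up and rock solid.\e[0m"
# NOTE(review): kernel command-line, modprobe and dracut changes made by other
# steps presumably also need a reboot to take effect; the hint below only
# covers two of the options.
if has_opt "$BASE_OPTS" "SECUREBOOT" || has_opt "$APP_OPTS" "WINBOAT"; then
  echo -e "\e[33m[!] Note: A reboot is highly recommended to apply Secure Boot/WinBoat changes.\e[0m"
fi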