diff --git a/fedora-minimal/fedora-minimal.sh b/fedora-minimal/fedora-minimal.sh
index 2c85b1f..a1bccbe 100644
--- a/fedora-minimal/fedora-minimal.sh
+++ b/fedora-minimal/fedora-minimal.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2023 Thien Tran
+# Copyright (C) 2022-2024 Thien Tran
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -14,15 +14,34 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 
-# Blacklisting kernel modules
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
+# Compliance
+systemctl mask debug-shell.service
+systemctl mask kdump.service
 
-# Security kernel settings.
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
-sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
-curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
-curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
+# Setting umask to 077
+umask 077
+sed -i 's/umask 022/umask 077/g' /etc/bashrc
+echo 'umask 077' | tee -a /etc/bashrc
 
-# Setup SSH client
-echo "GSSAPIAuthentication no" > /etc/ssh/ssh_config.d/10-custom.conf
-echo "VerifyHostKeyDNS yes" >> /etc/ssh/ssh_config.d/10-custom.conf
\ No newline at end of file
+# Disable timesyncd
+systemctl disable --now systemd-timesyncd
+systemctl mask systemd-timesyncd
+
+# Security kernel settings
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /etc/modprobe.d/30_security-misc.conf
+chmod 644 /etc/modprobe.d/30_security-misc.conf
+sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /etc/sysctl.d/990-security-misc.conf
+chmod 644 /etc/sysctl.d/990-security-misc.conf
+sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | tee /etc/sysctl.d/30_silent-kernel-printk.conf
+chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
+chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
+# Dracut doesn't seem to work - need to investigate
+# dracut -f
+sysctl -p
+
+# Harden SSH
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
+chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
\ No newline at end of file
diff --git a/fedora-minimal/sys-net.sh b/fedora-minimal/sys-net.sh
index 1dc0f5f..17d5628 100644
--- a/fedora-minimal/sys-net.sh
+++ b/fedora-minimal/sys-net.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2023 Thien Tran
+# Copyright (C) 2022-2024 Thien Tran
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
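Review bot: `sysctl -p` near the end of the new block loads only /etc/sysctl.conf, so the three files this hunk writes into /etc/sysctl.d/ are not applied until the next boot; it should be `sysctl --system`. The `curl ... | tee` lines also run without `--fail`, and nothing visible in the file sets `set -euo pipefail`, so a proxy or HTTP error writes an empty file or the error body into /etc/modprobe.d and /etc/sysctl.d while the following `sed`/`chmod` still succeed; `curl --fail --proxy ...` would at least keep an error page out of those directories. The URLs track the `master`/`main` branches rather than a pinned commit, so the hardening that lands on the system is whatever those branches hold at run time — worth pinning if reproducibility matters.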
@@ -14,36 +14,29 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 
+# Install necessary packages
 dnf install -y qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet notification-daemon gnome-keyring @hardware-support chrony arc-theme
 
-systemctl disable --now systemd-timesyncd
-rm -rf /etc/chrony.conf
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
-systemctl enable --now chronyd
-
-# Switch DNSSEC to default / allow-downgrade, as there is no guaranteee that the DNS server obtained via DHCP supports DNSSEC.
-sed -i 's/DNSSEC=yes/#DNSSEC=false/g' /etc/systemd/resolved.conf
-systemctl restart systemd-resolved
+# Setup NTS
+sudo rm -rf /etc/chrony.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | tee /etc/chrony.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | tee /etc/sysconfig/chronyd
 
 # Theming
-
 sudo mkdir -p /etc/gtk-3.0
-echo '[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1
-' | sudo tee /etc/gtk-3.0/settings.ini
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | tee /etc/gtk-3.0/settings.ini
 sudo mkdir -p /etc/gtk-4.0
-echo '[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1
-' | sudo tee /etc/gtk-4.0/settings.ini
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | tee /etc/gtk-4.0/settings.ini
 
-echo '[device]
-wifi.scan-rand-mac-address=yes
+# Networking
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
+sudo nmcli general reload conf
+sudo hostnamectl hostname 'localhost'
+sudo hostnamectl --transient hostname ''
 
-[connection]
-wifi.cloned-mac-address=random
-ethernet.cloned-mac-address=random
-connection.stable-id=${CONNECTION}/${BOOT}
-' | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
diff --git a/fedora/edge.sh b/fedora/edge.sh
index 1f7d4bd..c2c1736 100644
--- a/fedora/edge.sh
+++ b/fedora/edge.sh
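Review bot: Under `# Setup NTS` the existing config is deleted with `sudo rm -rf /etc/chrony.conf` before an unchecked `curl | tee /etc/chrony.conf` recreates it, so a failed fetch (no `--fail`, and no `set -e` visible in the file) leaves chrony with an empty or HTML config and no time sync at all; fetching with `curl --fail` into a temporary file and replacing /etc/chrony.conf only on success closes that window. The `rm` uses sudo while both `tee` calls do not, which only works if the whole script already runs as root (the unprefixed `dnf install` at the top suggests it does) — worth making consistent. The old `systemctl enable --now chronyd` line is removed and not replaced, so unless the chrony package preset enables the unit, the NTS configuration written here is never used — confirm.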
@@ -1,10 +1,28 @@
 #!/bin/bash
 
-curl --proxy http://127.0.0.1:8082 -O https://packages.microsoft.com/keys/microsoft.asc
-sudo rpm --import microsoft.asc
-rm microsoft.asc
-sudo dnf config-manager --add-repo https://packages.microsoft.com/yumrepos/edge
+# Copyright (C) 2022-2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+echo '[microsoft-edge]
+name=microsoft-edge
+baseurl=https://packages.microsoft.com/yumrepos/edge/
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/microsoft-edge.repo
+
 sudo dnf install -y microsoft-edge-stable
+
 sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
 curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json
\ No newline at end of file
diff --git a/fedora/fedora-gnome.sh b/fedora/fedora-gnome.sh
new file mode 100644
index 0000000..cc03532
--- /dev/null
+++ b/fedora/fedora-gnome.sh
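Review bot: The last line of the hunk still writes recommended.json into `/etc/opt/edge/policies/managed/`, while the `mkdir -p` two lines above creates a `recommended/` directory that then stays empty; Edge treats every JSON file under `managed/` as enforced policy, so the recommended set is applied as mandatory. If that is not intended, the target should be `sudo tee /etc/opt/edge/policies/recommended/recommended.json`. Both policy downloads also run without `--fail`, so a proxy or HTTP error leaves an error body instead of JSON in the policy directory and nothing in the script notices.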
@@ -0,0 +1,139 @@
+#!/bin/bash
+
+# Copyright (C) 2022-2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+unpriv(){
+    sudo -u nobody "$@"
+}
+
+# Compliance
+sudo systemctl mask debug-shell.service
+sudo systemctl mask kdump.service
+
+# Setting umask to 077
+umask 077
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
+echo 'umask 077' | sudo tee -a /etc/bashrc
+
+# Make home directory private
+sudo chmod 700 /home/*
+
+# Harden SSH
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
+sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
+
+# Security kernel settings
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
+sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
+sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
+sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
+sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
+sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
+sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
+# Dracut doesn't seem to work - need to investigate
+# dracut -f
+sudo sysctl -p
+
+# Disable coredump
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+
+# Setup dconf
+umask 022
+mkdir -p /etc/dconf/db/local.d/locks
+
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy
+
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/button-layout | sudo tee /etc/dconf/db/local.d/button-layout
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/touchpad | sudo tee /etc/dconf/db/local.d/touchpad
+
+sudo dconf update
+umask 077
+
+# Setup DNF
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
+sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
+
+# Remove unnecessary stuff from the Qubes template
+sudo dnf -y thunderbird httpd keepassxc rygel
+
+# Remove firefox packages
+sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
+
+# Remove Network + hardware tools packages
+sudo dnf -y remove '*cups' nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio
+
+#Remove support for some languages and spelling
+sudo dnf -y remove ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*m17n*' '*hangul*' '*anthy*' words
+
+#Remove codec + image + printers
+sudo dnf -y remove openh264 ImageMagick* sane* simple-scan
+
+#Remove Active Directory + Sysadmin + reporting tools
+sudo dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx sos samba-client gvfs-smb
+
+#Remove vm and virtual stuff
+sudo dnf -y remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
+
+#Remove NetworkManager
+sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager
+
+#Remove Gnome apps
+sudo dnf remove -y chrome-gnome-shell eog gnome-photos gnome-connections gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts \
+    gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem \
+    gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list \
+    gnome-classic* gnome-user* gnome-text-editor loupe snapshot
+
+#Remove apps
+sudo dnf remove -y rhythmbox yelp evince libreoffice* cheese file-roller* mediawriter
+
+#Remove other packages
+ sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
+
+# Disable openh264 repo
+sudo dnf config-manager --set-disabled fedora-cisco-openh264
+
+# Update packages
+sudo dnf -y upgrade
+
+# Install custom packages
+sudo dnf install qubes-u2f qubes-gpg-split adw-gtk3-theme gnome-console -y
+
+# Flatpak update service
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer
+
+# Systemd hardening
+sudo mkdir -p /etc/systemd/system/ModemManager.service.d
+curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/divestedcg/Brace/master/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/ModemManager.service.d/99-brace.conf
+
+# Setup networking
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
+sudo nmcli general reload conf
+sudo hostnamectl hostname 'localhost'
+sudo hostnamectl --transient hostname ''
+
+sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
+unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo systemctl daemon-reload
+sudo systemctl restart NetworkManager
\ No newline at end of file
diff --git a/fedora/fedora.sh b/fedora/fedora.sh
deleted file mode 100644
index 50af602..0000000
--- a/fedora/fedora.sh
+++ /dev/null
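Review bot: `sudo dnf -y thunderbird httpd keepassxc rygel` under `# Remove unnecessary stuff from the Qubes template` is missing the `remove` subcommand, so dnf exits with an unknown-command error and those packages stay installed; it should read `sudo dnf -y remove thunderbird httpd keepassxc rygel`. Under `# Setup dconf`, `mkdir -p /etc/dconf/db/local.d/locks` is the only privileged write in the file without `sudo`, so for the unprivileged user the rest of the script assumes it fails, and the following `sudo tee` into `locks/` fails too unless that directory already exists. `sudo sysctl -p` loads only /etc/sysctl.conf, not the files just written to /etc/sysctl.d/; `sudo sysctl --system` applies them. Because nothing sets `set -e` and the curl calls have no `--fail`, none of these failures stop the script, so the template ends up partially hardened without any error surfacing.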
@@ -1,99 +0,0 @@
-#!/bin/bash
-
-# Remove unnecessary stuff from the Qubes template
-sudo dnf -y thunderbird httpd keepassxc rygel
-
-# Remove firefox packages
-sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
-
-# Remove Network + hardware tools packages
-sudo dnf -y remove '*cups' nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio
-
-# Remove support for some languages and spelling
-sudo dnf -y remove ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*kkc*' '*m17n*' '*hangul*' '*anthy*' words
-
-# Remove codec + image + printers
-sudo dnf -y remove openh264 ImageMagick* sane* simple-scan
-
-# Remove Active Directory + Sysadmin + reporting tools
-sudo dnf -y remove 'sssd*' realmd adcli cyrus-sasl-plain cyrus-sasl-gssapi mlocate quota* dos2unix kpartx sos abrt samba-client gvfs-smb
-
-# Remove vm and virtual stuff
-sudo dnf -y remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
-sudo dnf autoremove -y
-
-# Remove NetworkManager
-sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager
-
-# Remove Gnome apps
-sudo dnf remove -y gnome-photos gnome-connections gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts \
-    gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem \
-    gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list \
-    gnome-classic* gnome-user* gnome-text-editor chrome-gnome-shell eog
-
-# Remove apps
-sudo dnf remove -y rhythmbox yelp evince libreoffice* cheese file-roller* mediawriter
-
-# Remove other packages
- sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
-
-# Disable openh264 repo
-sudo dnf config-manager --set-disabled fedora-cisco-openh264
-
-# Install custom packages
-sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins -y
-echo "countme=False" | sudo tee -a /etc/dnf/dnf.conf
-
-# Blacklisting kernel modules
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
-sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
-
-# Security kernel settings.
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
-sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
-curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
-curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
-
-# Systemd hardening
-sudo mkdir -p /etc/systemd/system/ModemManager.service.d
-curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/divestedcg/Brace/master/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/ModemManager.service.d/99-brace.conf
-
-# Setup SSH client
-echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
-echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
-
-# Force DNSSEC
-sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf
-sudo systemctl restart systemd-resolved
-
-# Theming
-
-echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
-
-echo "[org/gnome/desktop/interface]
-gtk-theme='Arc-Dark'
-
-[org/gnome/desktop/media-handling]
-automount=false
-automount-open=false" | sudo tee /etc/dconf/db/local.d/custom
-
-sudo dconf update
-
-# Flatpak update service
-
-echo "[Unit]
-Description=Update user Flatpaks
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/flatpak --user update -y" | sudo tee /etc/systemd/user/update-user-flatpaks.service
-
-echo "[Unit]
-Description=Update user Flatpaks daily
-
-[Timer]
-OnCalendar=daily
-Persistent=true
-
-[Install]
-WantedBy=timers.target" | sudo tee /etc/systemd/user/update-user-flatpaks.timer
diff --git a/fedora/mullvad.sh b/fedora/mullvad.sh
index 92d696e..b3c1c30 100644
--- a/fedora/mullvad.sh
+++ b/fedora/mullvad.sh
@@ -1,19 +1,23 @@
 #!/bin/bash
 
-sudo dnf install -y https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm
+# Copyright (C) 2022-2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
+sudo dnf install mullvad-vpn
 sudo systemctl enable mullvad-daemon
 
-echo "[org/gnome/desktop/interface]
-gtk-theme='Arc-Dark'
-
-[org/gnome/desktop/media-handling]
-automount=false
-automount-open=false" | sudo tee /etc/dconf/db/local.d/custom
-
-sudo dconf update
-
-sudo rm -rf /usr/share/icons/Arc
-
 sudo mkdir -p /etc/qubes-bind-dirs.d
 sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null
 binds+=( '/etc/mullvad-vpn' )
diff --git a/fedora/sys-usb.sh b/fedora/sys-usb.sh
index e30a88b..88a5a52 100644
--- a/fedora/sys-usb.sh
+++ b/fedora/sys-usb.sh
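Review bot: `sudo dnf install mullvad-vpn` is the only package install in this diff without `-y`, so an unattended template build stops at the confirmation prompt and again at the GPG key import prompt for the newly added repository; `sudo dnf install -y mullvad-vpn` matches the rest of the scripts. Because the repository is added from the remote mullvad.repo file, its `gpgcheck`/`gpgkey` settings are whatever that file contains at run time; checking the imported key fingerprint against the one Mullvad publishes, or shipping a pinned `.repo` file the way edge.sh now does, would make the trust explicit. The `config-manager --add-repo` fetch also carries no `--proxy`, unlike every curl in this diff — presumably dnf's own proxy setting covers it in a Qubes template, but worth confirming. The heredoc that starts on the last context line continues outside the hunk.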
@@ -1,3 +1,17 @@
 #!/bin/bash
 
+# Copyright (C) 2022-2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
 sudo dnf install -y gnome-disk-utility yubioath android-tools
diff --git a/whonix/whonix-gw.sh b/whonix/whonix-gw.sh
index 4cd6de8..c82c559 100644
--- a/whonix/whonix-gw.sh
+++ b/whonix/whonix-gw.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2023 Thien Tran
+# Copyright (C) 2022-2024 Thien Tran
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -19,7 +19,7 @@ unpriv(){
 }
 
 # Avoid phased updates
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
 # Install packages
@@ -35,14 +35,11 @@ sudo systemctl enable --now proc-hidepid.service
 # Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
 sudo systemctl enable --now hide-hardware-info.service
 
-echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
+# Theming
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment | sudo tee /etc/environment
 
 sudo mkdir -p /etc/gtk-3.0
-echo "[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | sudo tee /etc/gtk-3.0/settings.ini
 
 sudo mkdir -p /etc/gtk-4.0
-echo "[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | sudo tee /etc/gtk-4.0/settings.ini
diff --git a/whonix/whonix-ws.sh b/whonix/whonix-ws.sh
index a6e7849..cceace6 100644
--- a/whonix/whonix-ws.sh
+++ b/whonix/whonix-ws.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (C) 2023 Thien Tran
+# Copyright (C) 2022-2024 Thien Tran
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of
@@ -19,7 +19,7 @@ unpriv(){
 }
 
 # Avoid phased updates
-unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
 # Install packages
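Review bot: The new `# Theming` line replaces a fixed one-line /etc/environment with a file fetched over the proxy and written by `sudo tee /etc/environment`, with no `--fail` on curl and no `set -e` visible in the script, so a failed fetch truncates /etc/environment to empty or fills it with an error page. /etc/environment is read by pam_env at every login, so fetching with `curl --fail` into a temporary file and installing it only on success is the safer shape; the two gtk settings.ini fetches have the same gap with lower stakes. The source is also the `main` branch of a personal repository rather than a pinned commit, so the contents of a system-wide environment file are not fixed at review time.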
@@ -36,15 +36,10 @@ sudo systemctl enable --now proc-hidepid.service
 sudo systemctl enable --now hide-hardware-info.service
 
 # Theming
-
-echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment | sudo tee /etc/environment
 
 sudo mkdir -p /etc/gtk-3.0
-echo "[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | sudo tee /etc/gtk-3.0/settings.ini
 
 sudo mkdir -p /etc/gtk-4.0
-echo "[Settings]
-gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
+unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | sudo tee /etc/gtk-4.0/settings.ini