From aba433f6ec3cce1270927d2d8b59de889322652a Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sat, 28 May 2022 07:24:27 -0400
Subject: [PATCH] Fix

---
 README.md | 11 +++-----
 dom0.sh | 2 +-
 fedora-minimal/sys-firewall.sh | 3 +++
 .../net.sh => fedora-minimal/sys-net.sh | 2 +-
 fedora-minimal/sys-usb.sh | 3 +++
 fedora/bitwarden.sh | 4 +++
 fedora/emails.sh | 2 +-
 fedora/fedora.sh | 2 +-
 {kicksecure => fedora}/nextcloud.sh | 2 +-
 fedora/protonvpn.sh | 4 +++
 fedora/spotify,sh | 4 +++
 .../vault-gpg.sh => fedora/vault.sh | 2 +-
 kicksecure-minimal/firewall.sh | 3 ---
 kicksecure-minimal/kicksecure.sh | 25 -------------------
 kicksecure-minimal/usb.sh | 3 ---
 kicksecure/brave.sh | 6 -----
 kicksecure/protonvpn.sh | 6 -----
 kicksecure/vlc.sh | 3 +++
 18 files changed, 30 insertions(+), 57 deletions(-)
 create mode 100644 fedora-minimal/sys-firewall.sh
 rename kicksecure-minimal/net.sh => fedora-minimal/sys-net.sh (59%)
 create mode 100644 fedora-minimal/sys-usb.sh
 create mode 100644 fedora/bitwarden.sh
 rename {kicksecure => fedora}/nextcloud.sh (78%)
 create mode 100644 fedora/protonvpn.sh
 create mode 100644 fedora/spotify,sh
 rename kicksecure-minimal/vault-gpg.sh => fedora/vault.sh (73%)
 delete mode 100644 kicksecure-minimal/firewall.sh
 delete mode 100644 kicksecure-minimal/kicksecure.sh
 delete mode 100644 kicksecure-minimal/usb.sh
 delete mode 100644 kicksecure/brave.sh
 delete mode 100644 kicksecure/protonvpn.sh
 create mode 100644 kicksecure/vlc.sh

diff --git a/README.md b/README.md
index 5e975a4..3f56684 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,12 @@ # QubesOS-Scripts My scripts for setting up QubesOS. -Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For Debian templates, run kicksecure.sh to trim them down and convert them to KickSecure. Note that there are 2 different kicksecure.sh, one for the minimal template, and one for the normal one. +Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For the Debian template, run kicksecure.sh to trim them down and convert them to KickSecure. After you are done running those scripts, any other script can be used in a different template based on those trimmed down templates to create their respective virtual machines. -I have a script to create a Brave VM based on the normal KickSecure and Fedora templates. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead. +I have a script to create a Brave VM based on the normal Fedora template. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead. If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates. 
-It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests. - -# Notes -1. Kicksecure, while having more security mitigation, takes significantly longer than Fedora to launch and generally runs slower. -2. Currently, launching Flatpak apps from the appmenu does not work on KickSecure. I have not been able to find the culprit, so any help would be greatly appreciated. -3. My personal recommendation is use KickSecure for system VMs like sys-net and sys-usb. For normal apps, especially Flatpaks, just use Fedora instead. Of course, the exception to this rule would be when you can only get official binaries for Debian, like with Signal and Element for example. +It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests. \ No newline at end of file diff --git a/dom0.sh b/dom0.sh index cdc81cf..053c3d4 100644 --- a/dom0.sh +++ b/dom0.sh @@ -17,7 +17,7 @@ qvm-service --enable work qubes-u2f-proxy echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment #Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/ -echo "emails vault-gpg allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg +echo "emails vault allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg echo "@anyvm @anyvm ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg #Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho diff --git a/fedora-minimal/sys-firewall.sh b/fedora-minimal/sys-firewall.sh new file mode 100644 index 0000000..ed5393d --- /dev/null 
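Review bot: The renamed policy line `echo "emails vault allow"` is immediately followed by the untouched context line `@anyvm @anyvm ask,default_target=vault-gpg`, so the ask prompt still offers the old `vault-gpg` qube as its default even though this commit renames the vault script to fedora/vault.sh; change it to `echo "@anyvm @anyvm ask,default_target=vault" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg` (or drop the default_target so no stale name is presented). The comment above both lines, `#Obviously replace vault-gpg with ...`, and the same comment in the fedora/emails.sh hunk still say vault-gpg and should be updated to match. The first `sudo tee` (without `-a`) also truncates any existing qubes.Gpg policy, which is presumably intended for a fresh dom0 but deserves a one-line comment saying so.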
+++ b/fedora-minimal/sys-firewall.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +sudo dnf install -y qubes-core-agent-networking qubes-core-agent-dom0-updates diff --git a/kicksecure-minimal/net.sh b/fedora-minimal/sys-net.sh similarity index 59% rename from kicksecure-minimal/net.sh rename to fedora-minimal/sys-net.sh index c41a705..a5810b0 100644 --- a/kicksecure-minimal/net.sh +++ b/fedora-minimal/sys-net.sh @@ -1,6 +1,6 @@ #!/bin/bash -sudo apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager wireless-tools notification-daemon gnome-keyring firmware-iwlwifi arc-theme -y +sudo dnf install -y qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet wireless-tools notification-daemon gnome-keyring @hardware-support arc-theme sudo mkdir -p /etc/gtk-3.0 echo '[Settings] diff --git a/fedora-minimal/sys-usb.sh b/fedora-minimal/sys-usb.sh new file mode 100644 index 0000000..dfbfafe --- /dev/null +++ b/fedora-minimal/sys-usb.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +sudo dnf install -y qubes-usb-proxy qubes-input-proxy-sender qubes-u2f ykpers diff --git a/fedora/bitwarden.sh b/fedora/bitwarden.sh new file mode 100644 index 0000000..2bbb31e --- /dev/null +++ b/fedora/bitwarden.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +sudo dnf install -y snapd qubes-snapd-helper +sudo snap install bitwarden \ No newline at end of file diff --git a/fedora/emails.sh b/fedora/emails.sh index 5700e96..5aa5b62 100644 --- a/fedora/emails.sh +++ b/fedora/emails.sh @@ -4,4 +4,4 @@ sudo dnf install thunderbird -y #Do this in the AppVM after you have set it up #Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/ -#echo "vault-gpg" | sudo tee /rw/config/gpg-split-domain +#echo "vault" | sudo tee /rw/config/gpg-split-domain diff --git a/fedora/fedora.sh b/fedora/fedora.sh index 93e6040..ba19895 100644 --- a/fedora/fedora.sh +++ b/fedora/fedora.sh 
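Review bot: The new `sudo dnf install -y ... @hardware-support ...` line in fedora-minimal/sys-net.sh pulls in the entire hardware-support group, whereas the removed Debian line installed only `firmware-iwlwifi`; on the network-facing qube that noticeably widens the set of installed drivers and firmware in a template that is otherwise kept minimal. If wireless firmware is the only thing needed, naming that firmware package explicitly, as the old line did, keeps the sys-net template small and its exposed surface narrower. The script continues past the hunk with the gtk settings block, so this applies to the install line only.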
@@ -1,6 +1,6 @@ #!/bin/bash -sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculators gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-character gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* gedit httpd mozilla* cups -y +sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculator gnome-connections gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-character gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* gedit httpd mozilla* cups -y sudo dnf autoremove -y sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins -y echo "countme=false" | sudo tee -a /etc/dnf/dnf.conf diff --git a/kicksecure/nextcloud.sh b/fedora/nextcloud.sh similarity index 78% rename from kicksecure/nextcloud.sh rename to fedora/nextcloud.sh index 22d89ec..2267629 100644 --- a/kicksecure/nextcloud.sh +++ b/fedora/nextcloud.sh @@ -1,6 +1,6 @@ #!/bin/bash -sudo apt install --no-install-recommends nextcloud-client +sudo dnf install -y nextcloud-client #Adding a DNS entry for my Nextcloud server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server. echo "5.226.143.92 cloud.tommytran.io" | sudo tee -a /etc/hosts diff --git a/fedora/protonvpn.sh b/fedora/protonvpn.sh new file mode 100644 index 0000000..15ed03d --- /dev/null +++ b/fedora/protonvpn.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +curl --proxy http://127.0.0.1:8082/ -O https://protonvpn.com/download/protonvpn-stable-release-1.0.1-1.noarch.rpm +sudo dnf install protonvpn -y \ No newline at end of file diff --git a/fedora/spotify,sh b/fedora/spotify,sh new file mode 100644 index 0000000..bbd00e0 --- /dev/null +++ b/fedora/spotify,sh 
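Review bot: The rewritten `sudo dnf remove ... evince* ... mozilla* cups -y` line leaves `evince*` and `mozilla*` unquoted, so bash expands them against the current directory before dnf sees them; it only works because an unmatched glob is passed through literally, and a stray file such as `mozilla-notes.txt` in the cwd would silently replace the pattern. Quote them as `'evince*'` and `'mozilla*'` so dnf always receives the glob itself. The script continues outside the hunk.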
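Review bot: `sudo dnf install -y nextcloud-client` fits the new fedora/ location, but the context line below it, `echo "5.226.143.92 cloud.tommytran.io" | sudo tee -a /etc/hosts`, appends on every run, so re-running the script stacks duplicate (or, if the server moves, conflicting) entries in the template's /etc/hosts. Guarding it with `grep -qF cloud.tommytran.io /etc/hosts || echo "5.226.143.92 cloud.tommytran.io" | sudo tee -a /etc/hosts` makes the script idempotent. A comment noting that this hosts entry and the Qubes firewall rule it exists for must be updated together when the server IP changes would help the next reader.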
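Review bot: The new fedora/protonvpn.sh downloads `protonvpn-stable-release-1.0.1-1.noarch.rpm` with `curl -O` but never installs it, so the ProtonVPN repository is not configured when `sudo dnf install protonvpn -y` runs and that command fails unless the package is already reachable from another repo; the deleted kicksecure/protonvpn.sh did install the downloaded release package first. Add `sudo dnf install -y ./protonvpn-stable-release-1.0.1-1.noarch.rpm` between the two lines. The curl call also drops the transport hardening the deleted kicksecure.sh used (`--tlsv1.3 --proto =https`) and lacks `-f`, so an HTTP error page would be saved under the rpm's name and handed to dnf; `curl -f --proto =https --tlsv1.3 --proxy http://127.0.0.1:8082/ -O https://protonvpn.com/download/protonvpn-stable-release-1.0.1-1.noarch.rpm` keeps the download strictly HTTPS and fails loudly instead.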
@@ -0,0 +1,4 @@ +#!/bin/bash + +sudo dnf install -y snapd qubes-snapd-helper +sudo snap install spotify \ No newline at end of file diff --git a/kicksecure-minimal/vault-gpg.sh b/fedora/vault.sh similarity index 73% rename from kicksecure-minimal/vault-gpg.sh rename to fedora/vault.sh index 97b0c4e..749eea2 100644 --- a/kicksecure-minimal/vault-gpg.sh +++ b/fedora/vault.sh @@ -1,6 +1,6 @@ #!/bin/bash -sudo apt install --no-install-recommends qubes-gpg-split arc-theme -y +sudo apt install --no-install-recommends qubes-gpg-split yubikey-manager-qt yubioath nitrokey-app arc-theme -y sudo mkdir -p /etc/gtk-3.0 echo '[Settings] diff --git a/kicksecure-minimal/firewall.sh b/kicksecure-minimal/firewall.sh deleted file mode 100644 index 9bb0bb3..0000000 --- a/kicksecure-minimal/firewall.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -sudo apt install --no-install-recommends qubes-core-agent-networking iproute qubes-core-agent-dom0-updates -y diff --git a/kicksecure-minimal/kicksecure.sh b/kicksecure-minimal/kicksecure.sh deleted file mode 100644 index 9288067..0000000 --- a/kicksecure-minimal/kicksecure.sh +++ /dev/null 
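Review bot: The new file is created as `fedora/spotify,sh` (comma), not `fedora/spotify.sh`, which breaks the `*.sh` naming every other script in this diff follows and any tooling or completion that keys on the extension; rename it to `fedora/spotify.sh`. Its last line also lacks a trailing newline (`\ No newline at end of file`), as do fedora/bitwarden.sh and fedora/protonvpn.sh in this commit; adding one keeps future diffs clean.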
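Review bot: fedora/vault.sh is moved under fedora/ and its package line is extended, but the rewritten line still runs `sudo apt install --no-install-recommends ...`, which is not available on the Fedora template this directory targets; every other fedora/ script in the commit was converted to `sudo dnf install -y ...` (compare sys-net.sh and nextcloud.sh). Change it to `sudo dnf install -y qubes-gpg-split yubikey-manager-qt yubioath nitrokey-app arc-theme` and confirm that those package names resolve in the Fedora repositories, since the original list was written for Debian. The script continues past the hunk with the gtk settings block.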
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-#Adding KickSecure's signing key
-sudo apt install --no-install-recommends curl -y
-curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
-sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
-echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
-
-#Distribution morphing
-sudo apt install --no-install-recommends kicksecure-qubes-cli -y
-sudo mv /etc/apt/sources.list ~/
-sudo touch /etc/apt/sources.list
-
-#Enabling SUID Disabler and Permission Hardener
-sudo systemctl enable --now permission-hardening
-
-#Install LKRG
-sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64 -y
-
-#Enable hardened malloc
-echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
-
-#Reduce kernel information leaks
-#Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it.
-sudo systemctl enable --now hide-hardware-info.service
\ No newline at end of file
diff --git a/kicksecure-minimal/usb.sh b/kicksecure-minimal/usb.sh
deleted file mode 100644
index 4a8dc11..0000000
--- a/kicksecure-minimal/usb.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-sudo apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-u2f yubikey-personalization -y
diff --git a/kicksecure/brave.sh b/kicksecure/brave.sh
deleted file mode 100644
index 0ebaf65..0000000
--- a/kicksecure/brave.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-sudo curl --proxy http://127.0.0.1:8082 -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
-echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main"|sudo tee /etc/apt/sources.list.d/brave-browser-release.list
-sudo apt update
-sudo apt install --no-install-recommends brave-browser
diff --git a/kicksecure/protonvpn.sh b/kicksecure/protonvpn.sh
deleted file mode 100644
index 71c4fa7..0000000
--- a/kicksecure/protonvpn.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-curl --proxy http://127.0.0.1:8082/ -O https://protonvpn.com/download/protonvpn-stable-release_1.0.1-1_all.deb
-sudo apt install --no-install-recommends ./protonvpn-stable-release_1.0.1-1_all.deb -y
-sudo apt update
-sudo apt install --no-install-recommends protonvpn -y
\ No newline at end of file
diff --git a/kicksecure/vlc.sh b/kicksecure/vlc.sh
new file mode 100644
index 0000000..9e4ae25
--- /dev/null
+++ b/kicksecure/vlc.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sudo apt install --no-install-recommends vlc -y
\ No newline at end of file