mirror of
https://github.com/tommytran732/QubesOS-Scripts
synced 2024-11-22 01:41:34 -05:00
Fix
This commit is contained in:
parent
1fbe8d8431
commit
aba433f6ec
11
README.md
@ -1,17 +1,12 @@
# QubesOS-Scripts
# QubesOS-Scripts
My scripts for setting up QubesOS.
My scripts for setting up QubesOS.
Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For Debian templates, run kicksecure.sh to trim them down and convert them to KickSecure. Note that there are 2 different kicksecure.sh, one for the minimal template, and one for the normal one.
Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For the Debian template, run kicksecure.sh to trim them down and convert them to KickSecure.
After you are done running those scripts, any other script can be used in a different template based on those trimmed down templates to create their respective virtual machines.
After you are done running those scripts, any other script can be used in a different template based on those trimmed down templates to create their respective virtual machines.
I have a script to create a Brave VM based on the normal KickSecure and Fedora templates. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead.
I have a script to create a Brave VM based on the normal Fedora template. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead.
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
# Notes
1. Kicksecure, while having more security mitigation, takes significantly longer than Fedora to launch and generally runs slower.
2. Currently, launching Flatpak apps from the appmenu does not work on KickSecure. I have not been able to find the culprit, so any help would be greatly appreciated.
3. My personal recommendation is use KickSecure for system VMs like sys-net and sys-usb. For normal apps, especially Flatpaks, just use Fedora instead. Of course, the exception to this rule would be when you can only get official binaries for Debian, like with Signal and Element for example.
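Review bot: the rewritten paragraphs still carry the typos "seperated" and "takes care dom dom0" (should read "separated" and "takes care of dom0"), so a commit titled "Fix" leaves them in place. More importantly, the opening paragraph still tells readers to run kicksecure.sh for the Debian template and the unchanged Notes section still recommends KickSecure for sys-net and sys-usb, yet the apt-based scripts deleted further down in this same commit include the distribution-morphing script (the one installing kicksecure-qubes-cli), the KickSecure networking and sys-usb scripts, and the KickSecure Brave and ProtonVPN installers. Either restore those files or update the README so it no longer points at scripts that no longer exist.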
2
dom0.sh
@ -17,7 +17,7 @@ qvm-service --enable work qubes-u2f-proxy
echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
echo "emails vault-gpg allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg
echo "emails vault allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg
echo "@anyvm @anyvm ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg
echo "@anyvm @anyvm ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg
#Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho
#Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho
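Review bot: the allow rule now names `vault` as the Split GPG backend while the ask rule on the next line still says `default_target=vault-gpg` and the comment above still tells the reader to replace `vault-gpg`; pick one backend name for both lines, otherwise the prompt shown to every other qube defaults to a different qube than the one `emails` is pre-authorised for. Also, in the context line above, `tee /etc/environment` without `-a` replaces the whole file with the single `QT_QPA_PLATFORMTHEME` export rather than appending to it.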
3
fedora-minimal/sys-firewall.sh
Normal file
@ -0,0 +1,3 @@
#!/bin/bash
sudo dnf install -y qubes-core-agent-networking qubes-core-agent-dom0-updates
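Review bot: none of the scripts added in this commit start with `set -euo pipefail`, so a failed `dnf install` does not stop execution; harmless for this one-liner, but the multi-step scripts below keep going after a failed download. Also, `qubes-core-agent-dom0-updates` is only required when this qube is the UpdateVM that fetches dom0 updates; if sys-firewall is not going to play that role, drop it to keep the minimal template minimal.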
@ -1,6 +1,6 @@
#!/bin/bash
#!/bin/bash
sudo apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager wireless-tools notification-daemon gnome-keyring firmware-iwlwifi arc-theme -y
sudo dnf install -y qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet wireless-tools notification-daemon gnome-keyring @hardware-support arc-theme
sudo mkdir -p /etc/gtk-3.0
sudo mkdir -p /etc/gtk-3.0
echo '[Settings]
echo '[Settings]
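Review bot: the replaced apt line used `--no-install-recommends`, but the new dnf line has no equivalent, so weak dependencies are pulled in by default; add `--setopt=install_weak_deps=False` to preserve the minimisation intent. `wireless-tools` is the legacy iwconfig tool set and is not needed once NetworkManager manages Wi-Fi (`NetworkManager-wifi` already covers that). `@hardware-support` brings in a broad set of firmware packages, which is a defensible choice for a sys-net template, but a comment saying it replaces the single `firmware-iwlwifi` of the Debian version would make the size increase deliberate rather than surprising.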
3
fedora-minimal/sys-usb.sh
Normal file
@ -0,0 +1,3 @@
#!/bin/bash
sudo dnf install -y qubes-usb-proxy qubes-input-proxy-sender qubes-u2f ykpers
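Review bot: `ykpers` is the YubiKey Personalization Tool, which upstream has marked as no longer maintained in favour of `yubikey-manager` (ykman); if the only need is programming slots, ykman covers it and is the package that still receives updates. The remaining three packages match what the Qubes minimal-template documentation lists for a sys-usb qube.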
4
fedora/bitwarden.sh
Normal file
@ -0,0 +1,4 @@
#!/bin/bash
sudo dnf install -y snapd qubes-snapd-helper
sudo snap install bitwarden
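Review bot: the README in this commit tells readers to install user Flatpaks inside the AppVM, but this script runs `sudo snap install bitwarden` straight after installing snapd, so when it is run in a template as the README describes for the other scripts, the snap ends up in the template. `qubes-snapd-helper` exists precisely so the `snap install` step can be done in the AppVM and persist there; consider splitting the script accordingly (snapd and the helper in the template, the `snap install` in the AppVM), and the same applies to the Spotify script below.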
@ -4,4 +4,4 @@ sudo dnf install thunderbird -y
#Do this in the AppVM after you have set it up
#Do this in the AppVM after you have set it up
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
#echo "vault-gpg" | sudo tee /rw/config/gpg-split-domain
#echo "vault" | sudo tee /rw/config/gpg-split-domain
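Review bot: the comment directly above still says to replace `vault-gpg`, but the value on this line is now `vault`; update the comment to match. Because the line is commented out and only documents the step to run in the AppVM, the stale comment is exactly what a reader copying it will follow, and it must also agree with the backend name used in the dom0.sh policy changed in this commit.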
@ -1,6 +1,6 @@
#!/bin/bash
#!/bin/bash
sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculators gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-character gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* gedit httpd mozilla* cups -y
sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculator gnome-connections gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-character gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* gedit httpd mozilla* cups -y
sudo dnf autoremove -y
sudo dnf autoremove -y
sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins -y
sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins -y
echo "countme=false" | sudo tee -a /etc/dnf/dnf.conf
echo "countme=false" | sudo tee -a /etc/dnf/dnf.conf
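Review bot: `evince*` and `mozilla*` are unquoted, so the shell expands them against the current directory before dnf sees them; quote them as `'evince*' 'mozilla*'` so the glob reaches dnf intact. `gnome-character` also looks like the same class of typo this hunk fixes for `gnome-calculator`: the Fedora package is `gnome-characters`.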
@ -1,6 +1,6 @@
#!/bin/bash
#!/bin/bash
sudo apt install --no-install-recommends nextcloud-client
sudo dnf install -y nextcloud-client
#Adding a DNS entry for my Nextcloud server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server.
#Adding a DNS entry for my Nextcloud server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server.
echo "5.226.143.92 cloud.tommytran.io" | sudo tee -a /etc/hosts
echo "5.226.143.92 cloud.tommytran.io" | sudo tee -a /etc/hosts
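Review bot: `tee -a` appends the hosts entry unconditionally, so every re-run of the script in the template adds a duplicate line; guard it with `grep -q 'cloud.tommytran.io' /etc/hosts ||` before the echo. Pinning the hostname to a hard-coded address also means a server move breaks the client until the template is edited, and the Qubes firewall rule the comment mentions has to be kept in step with the same address; a comment stating that dependency would help whoever maintains the rule.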
4
fedora/protonvpn.sh
Normal file
@ -0,0 +1,4 @@
#!/bin/bash
curl --proxy http://127.0.0.1:8082/ -O https://protonvpn.com/download/protonvpn-stable-release-1.0.1-1.noarch.rpm
sudo dnf install protonvpn -y
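Review bot: the downloaded `protonvpn-stable-release-1.0.1-1.noarch.rpm` is never installed, so the ProtonVPN repository is never configured and `sudo dnf install protonvpn -y` has nothing to resolve against; the deleted Debian version of this script further down performs that step (`sudo apt install --no-install-recommends ./protonvpn-stable-release_1.0.1-1_all.deb -y`) before installing the client. Add `sudo dnf install -y ./protonvpn-stable-release-1.0.1-1.noarch.rpm` after the curl line. The download is also unverified: this curl has none of the `--tlsv1.3 --proto =https --max-time 180` flags used in the kicksecure.sh deleted in this commit, and nothing checks the package signature or the published checksum before the release RPM is installed with root rights.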
4
fedora/spotify,sh
Normal file
@ -0,0 +1,4 @@
#!/bin/bash
sudo dnf install -y snapd qubes-snapd-helper
sudo snap install spotify
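Review bot: the file is named `fedora/spotify,sh` with a comma instead of a dot; rename it to `spotify.sh` so it sits beside the other scripts and is picked up by anything that globs `*.sh`. The template-versus-AppVM split raised for bitwarden.sh applies here too, since the script is otherwise identical.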
@ -1,6 +1,6 @@
#!/bin/bash
#!/bin/bash
sudo apt install --no-install-recommends qubes-gpg-split arc-theme -y
sudo apt install --no-install-recommends qubes-gpg-split yubikey-manager-qt yubioath nitrokey-app arc-theme -y
sudo mkdir -p /etc/gtk-3.0
sudo mkdir -p /etc/gtk-3.0
echo '[Settings]
echo '[Settings]
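Review bot: confirm the three added package names resolve in the Debian suite this template tracks (`apt-cache policy yubikey-manager-qt yubioath nitrokey-app`) before relying on the line, because a single unknown name makes the whole `apt install` fail and the script has no `set -e` to surface that; in Debian the Yubico Authenticator has been shipped under the name `yubioath-desktop`, not `yubioath`.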
@ -1,3 +0,0 @@
#!/bin/bash
sudo apt install --no-install-recommends qubes-core-agent-networking iproute qubes-core-agent-dom0-updates -y
@ -1,25 +0,0 @@
#!/bin/bash
#Adding KickSecure's signing key
sudo apt install --no-install-recommends curl -y
curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
#Distribution morphing
sudo apt install --no-install-recommends kicksecure-qubes-cli -y
sudo mv /etc/apt/sources.list ~/
sudo touch /etc/apt/sources.list
#Enabling SUID Disabler and Permission Hardener
sudo systemctl enable --now permission-hardening
#Install LKRG
sudo apt install --no-install-recommends lkrg-dkms linux-headers-amd64 -y
#Enable hardened malloc
echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
#Reduce kernel information leaks
#Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it.
sudo systemctl enable --now hide-hardware-info.service
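Review bot: this removes the only script that performs the KickSecure distribution morphing (fetching derivative.asc, installing kicksecure-qubes-cli, enabling permission-hardening, LKRG, hardened malloc and hide-hardware-info), while the README in this same commit still instructs readers to run kicksecure.sh for the Debian template and `kicksecure/vlc.sh` is added alongside. If the removal is intended, the README has to follow; if it is not, note that this was also the one place in the repository with a hardened download (`--tlsv1.3 --proto =https --max-time 180`) that the surviving fedora/protonvpn.sh does not reproduce.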
@ -1,3 +0,0 @@
#!/bin/bash
sudo apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-u2f yubikey-personalization -y
@ -1,6 +0,0 @@
#!/bin/bash
sudo curl --proxy http://127.0.0.1:8082 -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg arch=amd64] https://brave-browser-apt-release.s3.brave.com/ stable main"|sudo tee /etc/apt/sources.list.d/brave-browser-release.list
sudo apt update
sudo apt install --no-install-recommends brave-browser
@ -1,6 +0,0 @@
#!/bin/bash
curl --proxy http://127.0.0.1:8082/ -O https://protonvpn.com/download/protonvpn-stable-release_1.0.1-1_all.deb
sudo apt install --no-install-recommends ./protonvpn-stable-release_1.0.1-1_all.deb -y
sudo apt update
sudo apt install --no-install-recommends protonvpn -y
3
kicksecure/vlc.sh
Normal file
@ -0,0 +1,3 @@
#!/bin/bash
sudo apt install --no-install-recommends vlc -y