diff --git a/README.md b/README.md
index cf3efcf..02e2735 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,10 @@
 # QubesOS-Scripts
-My scripts for setting up QubesOS. Read the scripts and adjust them to your needs, don't just blindly run them. Note that the scripts do not disable passwordless sudo. If you want to do it, follow https://www.qubes-os.org/doc/vm-sudo/ and set it up on the Fedora and Debian templates before using my scripts. The purpose of this is to **hopefully** get a bit better protection against VM escapes (as an attacker would need to both get root privilege in the VM and exploit a bug in the Qubes agents or Xen hypervisor).
+My scripts for setting up QubesOS.
+
+Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For Debian templates, run kicksecure.sh to trim them down and convert them to KickSecure. Note that there are 2 different kicksecure.sh, one for the minimal template, and one for the normal one.
+
+After you are done running those scripts, any other script can be used in a different template based on those trimmed down templates to create their respective virtual machines.
+
+I have a script to create a Brave VM based on the normal KickSecure and Fedora templates. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead.
+
+If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
\ No newline at end of file
diff --git a/dom0.sh b/dom0.sh
index 72de443..5c44c37 100644
--- a/dom0.sh
+++ b/dom0.sh
@@ -18,8 +18,4 @@ echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
 #Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
 echo "emails vault-gpg allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg
-echo "@anyvm @anyvm ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg
-
-#Support for disabling passwordless sudo
-echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
-echo "@anyvm dom0 ask,default_target=dom0" > /etc/qubes-rpc/policy/qubes.VMAuth
+echo "@anyvm @anyvm ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg
\ No newline at end of file
diff --git a/fedora-brave/brave.sh b/fedora/brave.sh
similarity index 100%
rename from fedora-brave/brave.sh
rename to fedora/brave.sh
diff --git a/kicksecure/emails.sh b/fedora/emails.sh
similarity index 80%
rename from kicksecure/emails.sh
rename to fedora/emails.sh
index 1de273a..5700e96 100644
--- a/kicksecure/emails.sh
+++ b/fedora/emails.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-sudo apt install --no-install-recommends thunderbird -y
+sudo dnf install thunderbird -y
 #Do this in the AppVM after you have set it up
 #Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
diff --git a/fedora/fedora.sh b/fedora/fedora.sh
index 595a4ec..93e6040 100644
--- a/fedora/fedora.sh
+++ b/fedora/fedora.sh
@@ -18,6 +18,8 @@ icon-theme='Arc'" | sudo tee /etc/dconf/db/local.d/custom
 sudo dconf update
+#Flatpak update service
+
 echo "[Unit]
 Description=Update user Flatpaks
diff --git a/kicksecure/kicksecure.sh b/kicksecure/kicksecure.sh
index 690f67a..fa27f20 100644
--- a/kicksecure/kicksecure.sh
+++ b/kicksecure/kicksecure.sh
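Review bot: The new `sudo dnf install thunderbird -y` in fedora/emails.sh has no failure check, so if the install fails the script simply continues, presumably into the split-GPG configuration that the two following comments introduce. Since the `#!/bin/bash` line is part of this hunk, add `set -euo pipefail` directly after it, or at minimum guard the line with `sudo dnf install -y thunderbird || exit 1`. Putting `-y` before the package name also matches the conventional dnf invocation and reads more clearly.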
@@ -5,7 +5,7 @@ sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
 echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
 #Debloat
-sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common firefox* keepassxc cups* vim* system-config-printer* xsettingsd xterm* yelp*
+sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common firefox* keepassxc cups* system-config-printer* xsettingsd xterm* yelp*
 sudo apt autoremove -y
 sudo apt autoclean
@@ -31,12 +31,12 @@ echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.s
 sudo systemctl enable --now hide-hardware-info.service
 #Install packages
-sudo apt install --no-install-recommend qubes-gpg-split qubes-u2f-proxy eog qt5ct qt5-style-plugins arc-theme -y
+sudo apt install --no-install-recommends qubes-gpg-split qubes-u2f eog qt5ct qt5-style-plugins arc-theme -y
 #Theming
 git config --global http.proxy http://127.0.0.1:8082
 git clone https://github.com/horst3180/arc-icon-theme
-mv arc-icon-theme/Arc /usr/share/icons
+sudo mv arc-icon-theme/Arc /usr/share/icons
 rm -rf arc-icon-theme
 echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
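Review bot: The rewritten `sudo apt purge` line still leaves `firefox*`, `cups*`, `system-config-printer*`, `xterm*` and `yelp*` unquoted, so bash expands them against the current working directory before apt ever sees them; a file or directory there that happens to match silently replaces the pattern with a filename, and with `nullglob` set the argument disappears entirely. Quote each pattern so apt receives it unchanged: `sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common 'firefox*' keepassxc 'cups*' 'system-config-printer*' xsettingsd 'xterm*' 'yelp*'`. The same unquoted-glob issue existed on the removed line, so this is a good moment to fix it while the line is being touched.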
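Review bot: The new `sudo mv arc-icon-theme/Arc /usr/share/icons` installs, as root and system-wide, whatever the preceding unpinned `git clone https://github.com/horst3180/arc-icon-theme` happened to fetch, with no tag, commit or checksum check between the clone and the move. Pin the checkout before moving it, e.g. `git -C arc-icon-theme checkout <REVIEWED_COMMIT>` (placeholder: the commit you actually inspected), so a later change to that repository cannot silently alter what lands in the template. The move is also not re-runnable: if `/usr/share/icons/Arc` already exists from an earlier run, `mv` will most likely fail or misplace the directory, so consider skipping or removing the existing directory before the move.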
@@ -44,18 +44,16 @@ echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
 sudo mkdir /etc/gtk-3.0
 echo "[Settings]
 gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
+gtk-application-prefer-dark-theme=1
+gtk-icon-theme-name=Arc-Dark" | sudo tee /etc/gtk-3.0/settings.ini
 sudo mkdir /etc/gtk-4.0
 echo "[Settings]
 gtk-theme-name=Arc-Dark
-gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
+gtk-application-prefer-dark-theme=1
+gtk-icon-theme-name=Arc" | sudo tee /etc/gtk-4.0/settings.ini
-echo "[org/gnome/desktop/interface]
-gtk-theme='Arc-Dark'
-icon-theme='Arc'" | sudo tee /etc/dconf/db/local.d/custom
-
-sudo dconf update
+#Flatpak update service
 echo "[Unit]
 Description=Update user Flatpaks
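Review bot: The new gtk-3.0 settings request `gtk-icon-theme-name=Arc-Dark`, while the gtk-4.0 block in the same hunk requests `gtk-icon-theme-name=Arc`, the earlier hunk in this file only installs `arc-icon-theme/Arc` into `/usr/share/icons`, and the removed dconf line likewise used `icon-theme='Arc'`. Unless an `Arc-Dark` icon theme is provided elsewhere, GTK3 applications will likely fall back to a default icon set and look different from GTK4 ones. Change the gtk-3.0 line to `gtk-icon-theme-name=Arc" | sudo tee /etc/gtk-3.0/settings.ini` so both toolkits point at the theme the script actually installs.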