1
0
mirror of https://github.com/tommytran732/QubesOS-Scripts synced 2024-11-04 18:11:34 -05:00
This commit is contained in:
Tommy 2022-05-26 19:43:44 -04:00 committed by GitHub
parent d7ef6c238c
commit bf3dc038ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 21 additions and 17 deletions

View File

@ -1,2 +1,10 @@
# QubesOS-Scripts
My scripts for setting up QubesOS. Read the scripts and adjust them to your needs, don't just blindly run them. Note that the scripts do not disable passwordless sudo. If you want to do it, follow https://www.qubes-os.org/doc/vm-sudo/ and set it up on the Fedora and Debian templates before using my scripts. The purpose of this is to **hopefully** get a bit better protection against VM escapes (as an attacker would need to both get root privilege in the VM and exploit a bug in the Qubes agents or Xen hypervisor).
My scripts for setting up QubesOS.
Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For Debian templates, run kicksecure.sh to trim them down and convert them to KickSecure. Note that there are 2 different kicksecure.sh, one for the minimal template, and one for the normal one.
After you are done running those scripts, any other script can be used in a different template based on those trimmed down templates to create their respective virtual machines.
I have a script to create a Brave VM based on the normal KickSecure and Fedora templates. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead.
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.

View File

@ -19,7 +19,3 @@ echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/
echo "emails vault-gpg allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg
echo "@anyvm @anyvm ask,default_target=vault-gpg" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg
#Support for disabling passwordless sudo
echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
echo "@anyvm dom0 ask,default_target=dom0" > /etc/qubes-rpc/policy/qubes.VMAuth

View File

@ -1,6 +1,6 @@
#!/bin/bash
sudo apt install --no-install-recommends thunderbird -y
sudo dnf install thunderbird -y
#Do this in the AppVM after you have set it up
#Obviously replace vault-gpg with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/

View File

@ -18,6 +18,8 @@ icon-theme='Arc'" | sudo tee /etc/dconf/db/local.d/custom
sudo dconf update
#Flatpak update service
echo "[Unit]
Description=Update user Flatpaks

View File

@ -5,7 +5,7 @@ sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
#Debloat
sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common firefox* keepassxc cups* vim* system-config-printer* xsettingsd xterm* yelp*
sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common firefox* keepassxc cups* system-config-printer* xsettingsd xterm* yelp*
sudo apt autoremove -y
sudo apt autoclean
@ -31,12 +31,12 @@ echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.s
sudo systemctl enable --now hide-hardware-info.service
#Install packages
sudo apt install --no-install-recommend qubes-gpg-split qubes-u2f-proxy eog qt5ct qt5-style-plugins arc-theme -y
sudo apt install --no-install-recommends qubes-gpg-split qubes-u2f eog qt5ct qt5-style-plugins arc-theme -y
#Theming
git config --global http.proxy http://127.0.0.1:8082
git clone https://github.com/horst3180/arc-icon-theme
mv arc-icon-theme/Arc /usr/share/icons
sudo mv arc-icon-theme/Arc /usr/share/icons
rm -rf arc-icon-theme
echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
@ -44,18 +44,16 @@ echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
sudo mkdir /etc/gtk-3.0
echo "[Settings]
gtk-theme-name=Arc-Dark
gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
gtk-application-prefer-dark-theme=1
gtk-icon-theme-name=Arc-Dark" | sudo tee /etc/gtk-3.0/settings.ini
sudo mkdir /etc/gtk-4.0
echo "[Settings]
gtk-theme-name=Arc-Dark
gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
gtk-application-prefer-dark-theme=1
gtk-icon-theme-name=Arc" | sudo tee /etc/gtk-4.0/settings.ini
echo "[org/gnome/desktop/interface]
gtk-theme='Arc-Dark'
icon-theme='Arc'" | sudo tee /etc/dconf/db/local.d/custom
sudo dconf update
#Flatpak update service
echo "[Unit]
Description=Update user Flatpaks