diff --git a/dom0.sh b/dom0.sh index d355e7e..1b7c636 100644 --- a/dom0.sh +++ b/dom0.sh @@ -30,18 +30,18 @@ qvm-service --enable work qubes-u2f-proxy echo "QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment -#Obviously replace vault with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/ +#O bviously replace vault with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/ echo "emails vault allow" | sudo tee /etc/qubes-rpc/policy/qubes.Gpg echo "@anyvm @anyvm ask,default_target=vault" | sudo tee -a /etc/qubes-rpc/policy/qubes.Gpg -#Same thing, but for split SSH. No default allow here because here though because there will not be a timeout or anything like that. +# Same thing, but for split SSH. No default allow here because here though because there will not be a timeout or anything like that. echo "@anyvm @anyvm ask,default_target=vault" | sudo tee /etc/qubes-rpc/policy/qubes.SshAgent -#Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho +# Enabling VMAuth - if you want to get the prompt you will still need to configure the guest VMs tho echo "/usr/bin/echo 1" | sudo tee /etc/qubes-rpc/qubes.VMAuth sudo chmod u+x /etc/qubes-rpc/qubes.VMAuth echo "@anyvm dom0 ask,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.VMAuth -#Enabling discard and fstrim +# Enabling discard and fstrim sudo sed -i 's/issue_discards = 0/issue_discards = 1/g' /etc/lvm/lvm.conf sudo systemctl enable fstrim.timer diff --git a/fedora-minimal/sys-net.sh b/fedora-minimal/sys-net.sh index cdce6d2..1dc0f5f 100644 --- a/fedora-minimal/sys-net.sh +++ b/fedora-minimal/sys-net.sh 
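Review bot: The rewritten first comment now reads `#O bviously replace vault ...`: the space landed after the `O` instead of after the `#`, so the line should be `# Obviously replace vault with the actual GPG backend that you are using https://www.qubes-os.org/doc/split-gpg/`. The split-SSH comment further down still says "No default allow here because here though because", which obscures the reasoning; `# Same thing, but for split SSH. No default allow here, because there will not be a timeout or anything like that.` reads cleanly. It would also help to note next to `emails vault allow` that this rule skips the dom0 confirmation, so the only remaining gate for the emails qube is whatever prompt or timeout the GPG backend itself enforces.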
@@ -21,11 +21,11 @@ rm -rf /etc/chrony.conf curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf systemctl enable --now chronyd -#Switch DNSSEC to default / allow-downgrade, as there is no guaranteee that the DNS server obtained via DHCP supports DNSSEC. +# Switch DNSSEC to default / allow-downgrade, as there is no guaranteee that the DNS server obtained via DHCP supports DNSSEC. sed -i 's/DNSSEC=yes/#DNSSEC=false/g' /etc/systemd/resolved.conf systemctl restart systemd-resolved -#Theming +# Theming sudo mkdir -p /etc/gtk-3.0 echo '[Settings] diff --git a/fedora/fedora.sh b/fedora/fedora.sh index c8f6a42..b11756c 100644 --- a/fedora/fedora.sh +++ b/fedora/fedora.sh 
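Review bot: The comment promises "default / allow-downgrade", but the `sed` below it rewrites `DNSSEC=yes` to the commented-out `#DNSSEC=false`, which leaves the setting to whatever default systemd-resolved was built with; depending on the build that may be no validation at all rather than allow-downgrade. If allow-downgrade is the intent, set it explicitly with `sed -i 's/^DNSSEC=yes/DNSSEC=allow-downgrade/' /etc/systemd/resolved.conf`. The new comment line also carries over the typo "guaranteee". The script continues past the end of this hunk.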
@@ -9,32 +9,32 @@ sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-files # Remove Network + hardware tools packages sudo dnf -y remove '*cups' nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio -#Remove support for some languages and spelling +# Remove support for some languages and spelling sudo dnf -y remove ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*kkc*' '*m17n*' '*hangul*' '*anthy*' words -#Remove codec + image + printers +# Remove codec + image + printers sudo dnf -y remove openh264 ImageMagick* sane* simple-scan -#Remove Active Directory + Sysadmin + reporting tools +# Remove Active Directory + Sysadmin + reporting tools sudo dnf -y remove 'sssd*' realmd adcli cyrus-sasl-plain cyrus-sasl-gssapi mlocate quota* dos2unix kpartx sos abrt samba-client gvfs-smb -#Remove vm and virtual stuff +# Remove vm and virtual stuff sudo dnf -y remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu sudo dnf autoremove -y -#Remove NetworkManager +# Remove NetworkManager sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager -#Remove Gnome apps +# Remove Gnome apps sudo dnf remove -y gnome-photos gnome-connections gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts \ gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem \ gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list \ gnome-classic* gnome-user* gnome-text-editor chrome-gnome-shell eog -#Remove apps +# 
Remove apps sudo dnf remove -y rhythmbox yelp evince libreoffice* cheese file-roller* mediawriter -#Remove other packages +# Remove other packages sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl # Disable openh264 repo @@ -57,11 +57,11 @@ curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/s sudo mkdir -p /etc/systemd/system/ModemManager.service.d curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/divestedcg/Brace/master/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/ModemManager.service.d/99-brace.conf -#Setup SSH client +# Setup SSH client echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf -#Force DNSSEC +# Force DNSSEC sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf sudo systemctl restart systemd-resolved @@ -78,7 +78,7 @@ automount-open=false" | sudo tee /etc/dconf/db/local.d/custom sudo dconf update -#Flatpak update service +# Flatpak update service echo "[Unit] Description=Update user Flatpaks diff --git a/fedora/mullvad.sh b/fedora/mullvad.sh index f3c9d0d..92d696e 100644 --- a/fedora/mullvad.sh +++ b/fedora/mullvad.sh @@ -19,6 +19,6 @@ sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null binds+=( '/etc/mullvad-vpn' ) EOF -#Run these in the AppVM: -#echo "sleep 10 # Waiting a bit so that Mullvad can establish connection -#/usr/lib/qubes/qubes-setup-dnat-to-ns" | sudo tee -a /rw/config/rc.local +# Run these in the AppVM: +# echo "sleep 10 # Waiting a bit so that Mullvad can establish connection +# /usr/lib/qubes/qubes-setup-dnat-to-ns" | sudo tee -a /rw/config/rc.local diff --git a/kicksecure/element.sh b/kicksecure/element.sh index b173320..9e34534 100644 --- a/kicksecure/element.sh +++ b/kicksecure/element.sh 
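Review bot: Several package globs in these `dnf remove` lines are unquoted (`geolite2*`, `ImageMagick*`, `sane*`, `quota*`, `ppp*`, `gnome-classic*`, `gnome-user*`, `libreoffice*`, `file-roller*`) while others on the same lines are quoted. An unquoted pattern is expanded by the shell first if a matching file name exists in the working directory, and dnf then receives that file name instead of the pattern; quote them all, e.g. `'geolite2*'`. `nmap-ncat` is also listed twice in the network-tools line. Since every call passes `-y`, a short comment that wildcard removals such as `'*perl*'` may take dependent packages with them without a prompt would help the next reader.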
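Review bot: The `sed` under `# Force DNSSEC` only has an effect when resolved.conf contains the literal `#DNSSEC=no`; with any other content it changes nothing, the service is still restarted, and the script gives no sign that validation is not enforced, although `VerifyHostKeyDNS yes` just above relies on validated answers. Add a check after it, e.g. `grep -q '^DNSSEC=yes' /etc/systemd/resolved.conf || { echo 'DNSSEC not enforced' >&2; exit 1; }`. The `curl ... | sudo tee` line for the ModemManager drop-in writes whatever the request returns, including an error body, into a systemd unit directory; `--fail` and a URL pinned to a commit rather than `master` would narrow that. The hunk header context also shows `--proxy http://127.00.1:8082`, which looks like a typo for `127.0.0.1`; that line lies outside this hunk.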
@@ -19,5 +19,5 @@ echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https:/ sudo apt update sudo apt install --no-install-recommends element-desktop -y -#Adding a DNS entry for my Matrix server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server. +# Adding a DNS entry for my Matrix server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server. echo "5.226.143.168 matrix.arcticfoxes.net" | sudo tee -a /etc/hosts diff --git a/kicksecure/lokinet.sh b/kicksecure/lokinet.sh index c71cc86..7f36222 100644 --- a/kicksecure/lokinet.sh +++ b/kicksecure/lokinet.sh @@ -18,7 +18,7 @@ #The AppVM needs to be granted the network-manager service #There is a risk of leaks because I dont see any killswitch being implemented -#Disabling the Arc icon theme here because it looks bad on the systray +# Disabling the Arc icon theme here because it looks bad on the systray sudo rm -rf /usr/share/icons/Arc echo "[Settings] @@ -30,7 +30,7 @@ gtk-theme-name=Arc-Dark gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini -#Actual Installtion +# Actual Installtion curl --proxy http://127.0.0.1:8082 | sudo tee /etc/apt/trusted.gpg.d/oxen.gpg https://deb.oxen.io/pub.gpg echo "deb https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list curl --proxy http://127.0.0.1:8082 | sudo tee /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
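Review bot: The `tee -a /etc/hosts` line appends the pinned address on every run, so re-running the script stacks duplicate entries, and the hard-coded IP goes stale without any error if the server moves. Guard the append, e.g. `grep -q 'matrix.arcticfoxes.net' /etc/hosts || echo "5.226.143.168 matrix.arcticfoxes.net" | sudo tee -a /etc/hosts`. The comment could also say that the firewall rule and this entry have to be updated together when the address changes.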
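Review bot: Both key downloads under `# Actual Installtion` are miswired: `curl --proxy http://127.0.0.1:8082` is given no URL, and the URL is instead passed to `tee` as a second output file, so no key is fetched and the keyring file ends up empty. The URL belongs on the curl side, `curl --proxy http://127.0.0.1:8082 https://deb.oxen.io/pub.gpg | sudo tee /etc/apt/trusted.gpg.d/oxen.gpg`, and the Brave keyring line needs the same reordering. A key placed in `/etc/apt/trusted.gpg.d` is trusted for every configured source; a dedicated keyring referenced with `signed-by=` in the `deb` line, as kicksecure/element.sh does, would limit it to this repository. The typo "Installtion" is carried over into the new comment line.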