mirror of
https://github.com/tommytran732/QubesOS-Scripts
synced 2024-11-22 17:51:34 -05:00
Compare commits
11 Commits
1fbe586041
...
ca3835cb68
Author | SHA1 | Date | |
---|---|---|---|
ca3835cb68 | |||
3f4df9dc25 | |||
c828eaea34 | |||
9c109e8a42 | |||
0f9f4b482c | |||
13cc033885 | |||
ee3879d4e8 | |||
eede76a365 | |||
|
bede9ebffe | ||
2b4f9b929b | |||
f284ad8103 |
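--- /dev/null
+++ b/etc/systemd/system/dnat-to-ns.path
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns when /etc/resolv.conf changes
+
+[Path]
+PathChanged=/etc/resolv.conf
+Unit=dnat-to-ns.service
+
+[Install]
+WantedBy=multi-user.target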
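Review bot: `dnat-to-ns.path` has no guard against the triggered service hitting systemd's start rate limit. If `/etc/resolv.conf` is rewritten several times in quick succession (plausible while a VPN client reconnects), `dnat-to-ns.service` can exceed the default start limit, and the path unit then typically fails with `unit-start-limit-hit` and stops watching the file until it is restarted. In a VPN qube that would leave the DNS DNAT rules pointing at stale resolvers. Consider adding `StartLimitIntervalSec=0` to the `[Unit]` section of `dnat-to-ns.service`, and confirm the behaviour on the systemd version shipped in the template.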
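--- /dev/null
+++ b/etc/systemd/system/dnat-to-ns.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/qubes/qubes-setup-dnat-to-ns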
@ -14,6 +14,10 @@
|
|||||||
# License for the specific language governing permissions and limitations under
|
# License for the specific language governing permissions and limitations under
|
||||||
# the License.
|
# the License.
|
||||||
|
|
||||||
|
# Note: Qubes does something that makes the umask for root stay at 022. Need to debug. The umask commands are unnecessary for now.
|
||||||
|
umask 022
|
||||||
|
|
||||||
|
# Install Edge
|
||||||
echo '[microsoft-edge]
|
echo '[microsoft-edge]
|
||||||
name=microsoft-edge
|
name=microsoft-edge
|
||||||
baseurl=https://packages.microsoft.com/yumrepos/edge/
|
baseurl=https://packages.microsoft.com/yumrepos/edge/
|
||||||
@ -25,4 +29,26 @@ sudo dnf install -y microsoft-edge-stable
|
|||||||
|
|
||||||
sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
|
sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
|
||||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json
|
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json
|
||||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json
|
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json
|
||||||
|
|
||||||
|
# Work around for Edge audio bug
|
||||||
|
sudo dnf install -y pulseaudio-utils
|
||||||
|
|
||||||
|
echo '[Unit]
|
||||||
|
Description=Run pactl to work around edge audio bug
|
||||||
|
After=pipewire-pulse.socket
|
||||||
|
Requires=pipewire-pulse.socket
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/bin/pactl info
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=default.target' | sudo tee /etc/systemd/user/pactl.service
|
||||||
|
|
||||||
|
umask 077
|
||||||
|
|
||||||
|
# Run `systemctl --user enable --now pactl.service` in your appVM.
|
||||||
|
# For some uncomprehensible reason, manually enabling pipewire-pulse.service will not work for Edge audio.
|
||||||
|
# /rw/home/user is broken: https://forum.qubes-os.org/t/how-does-rw-home-user-directory-work/15602
|
||||||
|
# Using preset doesn't actually work either
|
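Review bot: The `recommended.json` download shown as context in the second hunk is written to `/etc/opt/edge/policies/managed/recommended.json`, although the `mkdir -p` just above it creates a separate `/etc/opt/edge/policies/recommended/` directory that nothing in the visible lines populates. If those policies are meant to be user-overridable defaults, placing them under `managed/` makes them mandatory instead; the target would then be `sudo tee /etc/opt/edge/policies/recommended/recommended.json`. The lines are unchanged by this commit and the rest of the script lies outside the hunks, so this may be deliberate, in which case a comment saying so would help.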
@ -23,6 +23,7 @@ sudo systemctl mask debug-shell.service
|
|||||||
sudo systemctl mask kdump.service
|
sudo systemctl mask kdump.service
|
||||||
|
|
||||||
# Setting umask to 077
|
# Setting umask to 077
|
||||||
|
# Note: Qubes does something here that makes the umask for root stay at 022. Need to debug.
|
||||||
umask 077
|
umask 077
|
||||||
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||||
echo 'umask 077' | sudo tee -a /etc/bashrc
|
echo 'umask 077' | sudo tee -a /etc/bashrc
|
||||||
@ -67,20 +68,10 @@ unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Tomm
|
|||||||
sudo dconf update
|
sudo dconf update
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
# Flatpak update service
|
# Setup DNF
|
||||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
||||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer
|
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
||||||
|
|
||||||
# Setup networking
|
|
||||||
# We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net
|
|
||||||
|
|
||||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
|
||||||
unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
|
||||||
|
|
||||||
# Fix GNOME environment variable
|
|
||||||
echo 'XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
|
|
||||||
|
|
||||||
# We do the dnf tasks last, because dnf will break after we configure https repos and we need a reboot to fix it.
|
|
||||||
# Mark packages as manualy installed to avoid removal
|
# Mark packages as manualy installed to avoid removal
|
||||||
sudo dnf mark install flatpak gnome-menus qubes-menus
|
sudo dnf mark install flatpak gnome-menus qubes-menus
|
||||||
|
|
||||||
@ -125,9 +116,13 @@ sudo dnf remove -y lvm2 rng-tools thermald '*perl*'
|
|||||||
sudo dnf config-manager --set-disabled fedora-cisco-openh264
|
sudo dnf config-manager --set-disabled fedora-cisco-openh264
|
||||||
|
|
||||||
# Install custom packages
|
# Install custom packages
|
||||||
# gnome-session is needed for theming to work
|
# gnome-shell is needed for theming to work
|
||||||
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-console gnome-shell
|
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-console gnome-shell
|
||||||
|
|
||||||
|
# Flatpak update service
|
||||||
|
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
||||||
|
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer
|
||||||
|
|
||||||
# Setup hardened_malloc
|
# Setup hardened_malloc
|
||||||
sudo dnf -y install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
|
sudo dnf -y install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
|
||||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
||||||
@ -135,7 +130,12 @@ sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-releas
|
|||||||
sudo dnf -y install hardened_malloc
|
sudo dnf -y install hardened_malloc
|
||||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||||
|
|
||||||
# Setup DNF
|
# Setup networking
|
||||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
# We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net
|
||||||
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
|
||||||
sudo sed -i 's/&protocol=https//g' /etc/yum.repos.d/divested-release.repo
|
# This breaks saving network settings with the Fedora 40 template rn, so I am commenting it out.
|
||||||
|
#sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||||
|
#unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||||
|
|
||||||
|
# Fix GNOME environment variable
|
||||||
|
echo 'XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
|
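Review bot: Moving the `dnf.conf` download ahead of the package steps (second hunk, `unpriv curl … | sudo tee /etc/dnf/dnf.conf`) means a failed or unexpected download now shapes the later `dnf` calls visible in this section. curl runs without `--fail` and no `pipefail` is visible, so an HTTP error body or an empty stream is still written as root by `tee`, which truncates the target before any data arrives; the URL also tracks the mutable `main` branch with no checksum. Suggest fetching with `--fail` into a `mktemp` file and only copying it into place (`sudo install -m 0644 "$tmp" /etc/dnf/dnf.conf`) when curl exits 0, and pinning the URL to a commit (`…/<commit-sha>/etc/dnf/dnf.conf`). The same pattern applies to the `update-user-flatpaks.*` downloads in the third hunk and to the `dnat-to-ns.service`/`dnat-to-ns.path` downloads in the last file's hunk, where the fetched content becomes a root-run systemd unit.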
@ -14,15 +14,17 @@
|
|||||||
# License for the specific language governing permissions and limitations under
|
# License for the specific language governing permissions and limitations under
|
||||||
# the License.
|
# the License.
|
||||||
|
|
||||||
|
unpriv(){
|
||||||
|
sudo -u nobody "$@"
|
||||||
|
}
|
||||||
|
|
||||||
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
|
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
|
||||||
sudo dnf install mullvad-vpn
|
sudo dnf install -y mullvad-vpn
|
||||||
sudo systemctl enable mullvad-daemon
|
|
||||||
|
|
||||||
sudo mkdir -p /etc/qubes-bind-dirs.d
|
sudo mkdir -p /etc/qubes-bind-dirs.d
|
||||||
sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null
|
echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
|
||||||
binds+=( '/etc/mullvad-vpn' )
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Run these in the AppVM:
|
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service | sudo tee /etc/systemd/system/dnat-to-ns.service
|
||||||
# echo "sleep 10 # Waiting a bit so that Mullvad can establish connection
|
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.path | sudo tee /etc/systemd/system/dnat-to-ns.path
|
||||||
# /usr/lib/qubes/qubes-setup-dnat-to-ns" | sudo tee -a /rw/config/rc.local
|
|
||||||
|
sudo systemctl enable dnat-to-ns.path
|
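Review bot: The quoting in `echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )'` is hard to verify by eye; it does expand to `binds+=( '/etc/mullvad-vpn' )`, but the empty `''` pairs and escaped quotes invite mistakes on the next edit. Double quotes give the same output: `echo "binds+=( '/etc/mullvad-vpn' )" | sudo tee /etc/qubes-bind-dirs.d/50_user.conf`. If the path unit is meant to replace the removed rc.local instructions, a one-line comment above the two `dnat-to-ns` downloads, such as `# Re-run qubes-setup-dnat-to-ns whenever /etc/resolv.conf is rewritten`, would record that.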