mirror of
https://github.com/tommytran732/QubesOS-Scripts
synced 2024-12-26 09:01:34 -05:00
Compare commits
14 Commits
481700d2cc
...
7cbadc9835
Author | SHA1 | Date | |
---|---|---|---|
7cbadc9835 | |||
77f9bcf704 | |||
260fdf35a0 | |||
a6b1cec030 | |||
b5113b3b93 | |||
08cbe37868 | |||
7de671277b | |||
ca107c1868 | |||
a405ac8617 | |||
3afee9f2cb | |||
b99636a3d7 | |||
6a664c1ab3 | |||
772e9b230c | |||
c562fba48a |
15
README.md
15
README.md
@ -10,4 +10,17 @@ After you are done running those scripts, any other script can be used in a diff
|
||||
|
||||
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
|
||||
|
||||
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
|
||||
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
|
||||
|
||||
## Laptop Recommendations
|
||||
|
||||
Qubes AEM currently still requires legacy boot. Officially, the last generation of Intel CPUs with VBIOS to support legacy boot Coffee Lake. However, I have found that certain Comet Lake Thinkpads still have legacy support.
|
||||
|
||||
I recommend that you look though [Lenovo's BIOS simulator](https://download.lenovo.com/bsco/index.html#/) to find a suitable Comet Lake Thinkpad. These will have the longest remaining support lifecycle. Personally, I use a Thinkpad T14 gen 1.
|
||||
|
||||
## Lenovo ePrivacy
|
||||
|
||||
Lenovo ePrivacy can be controlled through `/proc/acpi/ibm/lcdshadow`. I use the following shortcuts:
|
||||
|
||||
- F5: `sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'`
|
||||
- F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'`
|
@ -1,4 +0,0 @@
|
||||
# Shortcuts
|
||||
|
||||
- F5: sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'
|
||||
- F6: sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'
|
@ -17,46 +17,51 @@
|
||||
set -eu
|
||||
|
||||
unpriv(){
|
||||
sudo -u nobody "$@"
|
||||
sudo -u nobody "${@}"
|
||||
}
|
||||
|
||||
download() {
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
|
||||
}
|
||||
|
||||
|
||||
# Compliance
|
||||
sudo systemctl mask debug-shell.service
|
||||
|
||||
# Setting umask to 077
|
||||
# Does not actually work for some reason - need to check
|
||||
# Kicksecure defaults to zsh - I need to set it for zsh later.
|
||||
umask 077
|
||||
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
|
||||
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
|
||||
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
|
||||
|
||||
# Make home directory private
|
||||
sudo chmod 700 /home/*
|
||||
|
||||
# Harden SSH
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
|
||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Disable coredump
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
|
||||
|
||||
# Setup dconf
|
||||
umask 022
|
||||
mkdir -p /etc/dconf/db/local.d/locks
|
||||
sudo mkdir -p /etc/dconf/db/local.d/locks
|
||||
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable > /dev/null
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy > /dev/null
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
|
||||
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark > /dev/null
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable > /dev/null
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark > /dev/null
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy > /dev/null
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark /etc/dconf/db/local.d/adw-gtk3-dark
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable /etc/dconf/db/local.d/automount-disable
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
|
||||
|
||||
sudo dconf update
|
||||
umask 077
|
||||
|
||||
# Avoid phased updates
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades > /dev/null
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades
|
||||
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
||||
|
||||
|
||||
@ -118,8 +123,14 @@ sudo extrepo disable kicksecure
|
||||
sudo mv /etc/apt/sources.list ~/
|
||||
sudo touch /etc/apt/sources.list
|
||||
|
||||
#Enabling SUID Disabler and Permission Hardener
|
||||
sudo systemctl enable --now permission-hardening
|
||||
# adw-gtk3 theme repo
|
||||
curl -s --proxy http://127.0.0.1:8082 https://julianfairfax.codeberg.page/package-repo/pub.gpg | gpg --dearmor | sudo dd of=/usr/share/keyrings/julians-package-repo.gpg
|
||||
echo 'Types: deb
|
||||
URIs: https://julianfairfax.codeberg.page/package-repo/debs
|
||||
Suites: packages
|
||||
Components: main
|
||||
Signed-By: /usr/share/keyrings/julians-package-repo.gpg' | sudo tee /etc/apt/sources.list.d/julians-package-repo.sources
|
||||
|
||||
|
||||
# Restrict /proc and access
|
||||
sudo systemctl enable --now proc-hidepid.service
|
||||
@ -129,8 +140,9 @@ sudo systemctl enable --now proc-hidepid.service
|
||||
sudo systemctl enable --now hide-hardware-info.service
|
||||
|
||||
# Install packages
|
||||
sudo apt install --no-install-recommends adw-gtk3-theme gnome-console loupe qubes-ctap qubes-gpg-split -y
|
||||
sudo apt update
|
||||
sudo apt install --no-install-recommends adw-gtk3 gnome-console qubes-ctap qubes-gpg-split -y
|
||||
|
||||
# Flatpak update service
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service > /dev/null
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer > /dev/null
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service /etc/systemd/user/update-user-flatpaks.service
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer
|
@ -3,7 +3,11 @@
|
||||
set -eu
|
||||
|
||||
unpriv(){
|
||||
sudo -u nobody "$@"
|
||||
sudo -u nobody "${@}"
|
||||
}
|
||||
|
||||
download() {
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
|
||||
}
|
||||
|
||||
umask 022
|
||||
@ -11,11 +15,11 @@ umask 022
|
||||
sudo mkdir -p /etc/qubes-bind-dirs.d
|
||||
echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
|
||||
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://deb.oxen.io/pub.gpg | sudo tee /usr/share/keyrings/oxen.gpg > /dev/null
|
||||
download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg
|
||||
echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
|
||||
|
||||
sudo apt update
|
||||
sudo apt install lokinet resolvconf
|
||||
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service | sudo tee /etc/systemd/system/lokinet-dns-fix.service > /dev/null
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service
|
||||
sudo systemctl enable --now lokinet-dns-fix
|
2
dom0.sh
2
dom0.sh
@ -24,7 +24,7 @@ sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qt5ct qt5-qtstyleplugins
|
||||
|
||||
# Configure PCRs
|
||||
sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
|
||||
sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 5 /' /etc/anti-evil-maid.conf
|
||||
sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 10 /' /etc/anti-evil-maid.conf
|
||||
|
||||
# Theming
|
||||
|
||||
|
@ -87,8 +87,12 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
|
||||
#sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||
#unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||
|
||||
# Disable GJS and WebkitGTK JIT
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/environment /etc/environment
|
||||
|
||||
# Fix GNOME environment variable
|
||||
echo 'XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
|
||||
echo '
|
||||
XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
|
||||
|
||||
# Moving DNF handownloading to the bottom as the Qubes template just breaks when repos are changed and needs a reboot to fix
|
||||
|
||||
@ -137,7 +141,7 @@ sudo dnf config-manager --set-disabled fedora-cisco-openh264
|
||||
|
||||
# Install custom packages
|
||||
# gnome-shell is needed for theming to work
|
||||
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-console gnome-shell
|
||||
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-shell ptyxis
|
||||
|
||||
# Setup hardened_malloc
|
||||
sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
|
||||
@ -145,7 +149,10 @@ sudo dnf install -y hardened_malloc
|
||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||
sudo chmod 644 /etc/ld.so.preload
|
||||
|
||||
# Enable hardened_malloc for Flatpak
|
||||
sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
|
||||
flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
|
||||
|
||||
# Setup DNF
|
||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf /etc/dnf/dnf.conf
|
||||
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
||||
sudo sed -i 's/&protocol=https//g' /etc/yum.repos.d/divested-release.repo
|
||||
|
@ -24,7 +24,6 @@ download() {
|
||||
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
|
||||
}
|
||||
|
||||
sudo dnf install -y https://github.com/manga-download/hakuneko/releases/download/nightly-20200705.1/hakuneko-desktop_8.3.4_linux_amd64.rpm
|
||||
sudo dnf config-manager --enable fedora-cisco-openh264 rpmfusion-free rpmfusion-free-updates rpmfusion-nonfree rpmfusion-nonfree-updates
|
||||
sudo dnf upgrade -y
|
||||
sudo dnf install -y ffmpeg yt-dlp
|
@ -32,7 +32,7 @@ umask 022
|
||||
sudo mkdir -p /etc/qubes-bind-dirs.d
|
||||
echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
|
||||
|
||||
sudo mkdir /-p etc/systemd/system/systemd-resolved.service.d
|
||||
sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf
|
||||
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service
|
||||
|
@ -14,7 +14,7 @@
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
set -eu -o pipefail
|
||||
set -eu
|
||||
|
||||
unpriv(){
|
||||
sudo -u nobody "${@}"
|
||||
@ -25,11 +25,11 @@ download() {
|
||||
}
|
||||
|
||||
# Setting umask to 077
|
||||
# Does not actually work for some reason - need to check
|
||||
# Whonix defaults to zsh - I need to set it for zsh later.
|
||||
umask 077
|
||||
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
|
||||
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
|
||||
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
|
||||
|
||||
# Make home directory private
|
||||
sudo chmod 700 /home/*
|
||||
@ -59,3 +59,5 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
|
||||
|
||||
sudo mkdir -p /etc/gtk-4.0
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
|
||||
|
||||
# Run qt5ct and set the theme to gtk-2
|
@ -14,7 +14,7 @@
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
set -eu -o pipefail
|
||||
set -eu
|
||||
|
||||
unpriv(){
|
||||
sudo -u nobody "${@}"
|
||||
@ -25,11 +25,11 @@ download() {
|
||||
}
|
||||
|
||||
# Setting umask to 077
|
||||
# Does not actually work for some reason - need to check
|
||||
# Whonix defaults to zsh - I need to set it for zsh later.
|
||||
umask 077
|
||||
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
|
||||
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
|
||||
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
|
||||
|
||||
# Make home directory private
|
||||
sudo chmod 700 /home/*
|
||||
@ -39,7 +39,7 @@ download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main
|
||||
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
||||
|
||||
# Install packages
|
||||
sudo apt install --no-install-recommends arc-theme pipewire-pulse -y
|
||||
sudo apt install --no-install-recommends arc-theme pipewire-pulse qt5ct qt5-style-plugins -y
|
||||
|
||||
# Restrict /proc and access
|
||||
sudo systemctl enable --now proc-hidepid.service
|
||||
@ -59,4 +59,6 @@ sudo mkdir -p /etc/gtk-3.0
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini /etc/gtk-3.0/settings.ini
|
||||
|
||||
sudo mkdir -p /etc/gtk-4.0
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
|
||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
|
||||
|
||||
# Run qt5ct and set the theme to gtk-2
|
Loading…
Reference in New Issue
Block a user