1
0
mirror of https://github.com/tommytran732/QubesOS-Scripts synced 2024-11-23 02:01:32 -05:00

Compare commits

..

14 Commits

Author SHA1 Message Date
7cbadc9835
Remove Hakuneko 2024-11-12 03:11:06 -07:00
77f9bcf704
Add laptop recommendation 2024-11-12 02:24:45 -07:00
260fdf35a0
Change PCR 5 to 10 2024-11-12 01:49:20 -07:00
a6b1cec030
Fix Debian adw-gtk3 2024-11-12 01:49:00 -07:00
b5113b3b93
Fix Debian scripts 2024-11-12 01:36:55 -07:00
08cbe37868
Add missing new line 2024-11-12 00:53:59 -07:00
7de671277b
Disable GJS and WebkitGTK JIT on Fedora 2024-11-12 00:42:06 -07:00
ca107c1868
Enable hardened_malloc for Flatpak on Fedora 2024-11-11 23:11:26 -07:00
a405ac8617
Add notes about qt5ct in Whonix scripts 2024-11-11 22:55:41 -07:00
3afee9f2cb
Fix whonix scripts 2024-11-11 22:45:24 -07:00
b99636a3d7
Switch to ptyxis on Fedora 2024-11-11 22:40:29 -07:00
6a664c1ab3
Typo Fix 2024-11-11 22:27:08 -07:00
772e9b230c
Remove unnecessary command 2024-11-11 22:18:17 -07:00
c562fba48a
Use download in debian scripts 2024-11-11 22:07:11 -07:00
10 changed files with 75 additions and 40 deletions

View File

@ -11,3 +11,16 @@ After you are done running those scripts, any other script can be used in a diff
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
## Laptop Recommendations
Qubes AEM currently still requires legacy boot. Officially, the last generation of Intel CPUs with VBIOS to support legacy boot Coffee Lake. However, I have found that certain Comet Lake Thinkpads still have legacy support.
I recommend that you look though [Lenovo's BIOS simulator](https://download.lenovo.com/bsco/index.html#/) to find a suitable Comet Lake Thinkpad. These will have the longest remaining support lifecycle. Personally, I use a Thinkpad T14 gen 1.
## Lenovo ePrivacy
Lenovo ePrivacy can be controlled through `/proc/acpi/ibm/lcdshadow`. I use the following shortcuts:
- F5: `sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'`
- F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'`

View File

@ -1,4 +0,0 @@
# Shortcuts
- F5: sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'
- F6: sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'

View File

@ -17,46 +17,51 @@
set -eu
unpriv(){
sudo -u nobody "$@"
sudo -u nobody "${@}"
}
download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
}
# Compliance
sudo systemctl mask debug-shell.service
# Setting umask to 077
# Does not actually work for some reason - need to check
# Kicksecure defaults to zsh - I need to set it for zsh later.
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
# Make home directory private
sudo chmod 700 /home/*
# Harden SSH
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
# Disable coredump
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
# Setup dconf
umask 022
mkdir -p /etc/dconf/db/local.d/locks
sudo mkdir -p /etc/dconf/db/local.d/locks
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy > /dev/null
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy > /dev/null
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark /etc/dconf/db/local.d/adw-gtk3-dark
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable /etc/dconf/db/local.d/automount-disable
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
sudo dconf update
umask 077
# Avoid phased updates
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades > /dev/null
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
@ -118,8 +123,14 @@ sudo extrepo disable kicksecure
sudo mv /etc/apt/sources.list ~/
sudo touch /etc/apt/sources.list
#Enabling SUID Disabler and Permission Hardener
sudo systemctl enable --now permission-hardening
# adw-gtk3 theme repo
curl -s --proxy http://127.0.0.1:8082 https://julianfairfax.codeberg.page/package-repo/pub.gpg | gpg --dearmor | sudo dd of=/usr/share/keyrings/julians-package-repo.gpg
echo 'Types: deb
URIs: https://julianfairfax.codeberg.page/package-repo/debs
Suites: packages
Components: main
Signed-By: /usr/share/keyrings/julians-package-repo.gpg' | sudo tee /etc/apt/sources.list.d/julians-package-repo.sources
# Restrict /proc and access
sudo systemctl enable --now proc-hidepid.service
@ -129,8 +140,9 @@ sudo systemctl enable --now proc-hidepid.service
sudo systemctl enable --now hide-hardware-info.service
# Install packages
sudo apt install --no-install-recommends adw-gtk3-theme gnome-console loupe qubes-ctap qubes-gpg-split -y
sudo apt update
sudo apt install --no-install-recommends adw-gtk3 gnome-console qubes-ctap qubes-gpg-split -y
# Flatpak update service
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer > /dev/null
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service /etc/systemd/user/update-user-flatpaks.service
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer

View File

@ -3,7 +3,11 @@
set -eu
unpriv(){
sudo -u nobody "$@"
sudo -u nobody "${@}"
}
download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
}
umask 022
@ -11,11 +15,11 @@ umask 022
sudo mkdir -p /etc/qubes-bind-dirs.d
echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
unpriv curl -s --proxy http://127.0.0.1:8082 https://deb.oxen.io/pub.gpg | sudo tee /usr/share/keyrings/oxen.gpg > /dev/null
download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg
echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
sudo apt update
sudo apt install lokinet resolvconf
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service | sudo tee /etc/systemd/system/lokinet-dns-fix.service > /dev/null
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service
sudo systemctl enable --now lokinet-dns-fix

View File

@ -24,7 +24,7 @@ sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qt5ct qt5-qtstyleplugins
# Configure PCRs
sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 5 /' /etc/anti-evil-maid.conf
sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 10 /' /etc/anti-evil-maid.conf
# Theming

View File

@ -87,8 +87,12 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
#sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
#unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
# Disable GJS and WebkitGTK JIT
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/environment /etc/environment
# Fix GNOME environment variable
echo 'XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
echo '
XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
# Moving DNF handownloading to the bottom as the Qubes template just breaks when repos are changed and needs a reboot to fix
@ -137,7 +141,7 @@ sudo dnf config-manager --set-disabled fedora-cisco-openh264
# Install custom packages
# gnome-shell is needed for theming to work
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-console gnome-shell
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-shell ptyxis
# Setup hardened_malloc
sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
@ -145,7 +149,10 @@ sudo dnf install -y hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo chmod 644 /etc/ld.so.preload
# Enable hardened_malloc for Flatpak
sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
# Setup DNF
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
sudo sed -i 's/&protocol=https//g' /etc/yum.repos.d/divested-release.repo

View File

@ -24,7 +24,6 @@ download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
}
sudo dnf install -y https://github.com/manga-download/hakuneko/releases/download/nightly-20200705.1/hakuneko-desktop_8.3.4_linux_amd64.rpm
sudo dnf config-manager --enable fedora-cisco-openh264 rpmfusion-free rpmfusion-free-updates rpmfusion-nonfree rpmfusion-nonfree-updates
sudo dnf upgrade -y
sudo dnf install -y ffmpeg yt-dlp

View File

@ -32,7 +32,7 @@ umask 022
sudo mkdir -p /etc/qubes-bind-dirs.d
echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
sudo mkdir /-p etc/systemd/system/systemd-resolved.service.d
sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service

View File

@ -14,7 +14,7 @@
# License for the specific language governing permissions and limitations under
# the License.
set -eu -o pipefail
set -eu
unpriv(){
sudo -u nobody "${@}"
@ -25,11 +25,11 @@ download() {
}
# Setting umask to 077
# Does not actually work for some reason - need to check
# Whonix defaults to zsh - I need to set it for zsh later.
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
# Make home directory private
sudo chmod 700 /home/*
@ -59,3 +59,5 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
sudo mkdir -p /etc/gtk-4.0
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
# Run qt5ct and set the theme to gtk-2

View File

@ -14,7 +14,7 @@
# License for the specific language governing permissions and limitations under
# the License.
set -eu -o pipefail
set -eu
unpriv(){
sudo -u nobody "${@}"
@ -25,11 +25,11 @@ download() {
}
# Setting umask to 077
# Does not actually work for some reason - need to check
# Whonix defaults to zsh - I need to set it for zsh later.
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
# Make home directory private
sudo chmod 700 /home/*
@ -39,7 +39,7 @@ download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
# Install packages
sudo apt install --no-install-recommends arc-theme pipewire-pulse -y
sudo apt install --no-install-recommends arc-theme pipewire-pulse qt5ct qt5-style-plugins -y
# Restrict /proc and access
sudo systemctl enable --now proc-hidepid.service
@ -60,3 +60,5 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
sudo mkdir -p /etc/gtk-4.0
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
# Run qt5ct and set the theme to gtk-2