mirror of
https://github.com/tommytran732/QubesOS-Scripts
No commits in common. "6589b673647f70c15c470d90184d25ecdf62aba5" and "a39e0ceb38265058042ca0be5ffff8c39f7c8390" have entirely different histories.
6589b67364
...
a39e0ceb38
@ -1,10 +1,12 @@
|
||||
# QubesOS-Scripts
|
||||
My scripts for setting up QubesOS.
|
||||
|
||||
Running these scripts should be very straight forward. For the default Fedora template, run fedora-gnome.sh to trim it down first.
|
||||
Running these scripts should be very straight forward. For the default Fedora template, run fedora.sh to trim it down first. For the Debian template, run kicksecure.sh to trim them down and convert them to KickSecure.
|
||||
|
||||
After you are done running those scripts, any other script can be used in a different template based on those trimmed down templates to create their respective virtual machines.
|
||||
|
||||
I have a script to create a Brave VM based on the normal Fedora template. The idea behind this is that you would want to use a disposable Brave VM for web browsing most of the time, and have it seperated from your AppVM. If you try to visit a link inside of an AppVM without a browser, qubes will launch a browser inside of a disposable VM for you. Of course, for VMs where you want the browser to stay persistent, you can just base it on the Brave template instead.
|
||||
|
||||
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
|
||||
|
||||
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
|
@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2022-2024 Thien Tran
|
||||
# Copyright (C) 2023 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
@ -14,41 +14,15 @@
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
# Compliance
|
||||
systemctl mask debug-shell.service
|
||||
systemctl mask kdump.service
|
||||
# Blacklisting kernel modules
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
|
||||
# Setting umask to 077
|
||||
umask 077
|
||||
sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||
echo 'umask 077' | tee -a /etc/bashrc
|
||||
# Security kernel settings.
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
|
||||
# Disable timesyncd
|
||||
systemctl disable --now systemd-timesyncd
|
||||
systemctl mask systemd-timesyncd
|
||||
|
||||
# Security kernel settings
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | tee /etc/modprobe.d/30_security-misc.conf
|
||||
chmod 644 /etc/modprobe.d/30_security-misc.conf
|
||||
sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | tee /etc/sysctl.d/990-security-misc.conf
|
||||
chmod 644 /etc/sysctl.d/990-security-misc.conf
|
||||
sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
# Dracut doesn't seem to work - need to investigate
|
||||
# dracut -f
|
||||
sysctl -p
|
||||
|
||||
# Harden SSH
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Setup hardened_malloc
|
||||
dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
|
||||
sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
||||
dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
||||
dnf install hardened_malloc -y
|
||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||
# Setup SSH client
|
||||
echo "GSSAPIAuthentication no" > /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo "VerifyHostKeyDNS yes" >> /etc/ssh/ssh_config.d/10-custom.conf
|
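Review bot: The two sysctl fetches that use `--proxy http://127.00.1:8082` (the 30_silent-kernel-printk.conf and 30_security-misc_kexec-disable.conf lines) point at a malformed proxy address rather than the `127.0.0.1:8082` Qubes proxy every other curl line in this hunk uses; the rendering does not make the side of those lines fully certain, but the same typo is present in the newly added fedora/fedora.sh. Because each curl here is piped straight into `sudo tee` with no `--fail`, a proxy failure or HTTP error truncates the target under /etc/sysctl.d to an empty or error-page file and the script keeps going. Suggest `curl --fail --proto =https --proxy http://127.0.0.1:8082 <URL> | sudo tee <path>` for every fetch, or checking curl's status before anything is written. The hunk starts at line 14, so the file's header is outside it.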
@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2022-2024 Thien Tran
|
||||
# Copyright (C) 2023 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
@ -14,29 +14,36 @@
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
# Install necessary packages
|
||||
dnf install -y qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet notification-daemon gnome-keyring @hardware-support chrony arc-theme
|
||||
|
||||
# Setup NTS
|
||||
sudo rm -rf /etc/chrony.conf
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | tee /etc/chrony.conf
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | tee /etc/sysconfig/chronyd
|
||||
systemctl disable --now systemd-timesyncd
|
||||
rm -rf /etc/chrony.conf
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
|
||||
systemctl enable --now chronyd
|
||||
|
||||
# Switch DNSSEC to default / allow-downgrade, as there is no guaranteee that the DNS server obtained via DHCP supports DNSSEC.
|
||||
sed -i 's/DNSSEC=yes/#DNSSEC=false/g' /etc/systemd/resolved.conf
|
||||
systemctl restart systemd-resolved
|
||||
|
||||
# Theming
|
||||
|
||||
sudo mkdir -p /etc/gtk-3.0
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | tee /etc/gtk-3.0/settings.ini
|
||||
echo '[Settings]
|
||||
gtk-theme-name=Arc-Dark
|
||||
gtk-application-prefer-dark-theme=1
|
||||
' | sudo tee /etc/gtk-3.0/settings.ini
|
||||
|
||||
sudo mkdir -p /etc/gtk-4.0
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | tee /etc/gtk-4.0/settings.ini
|
||||
echo '[Settings]
|
||||
gtk-theme-name=Arc-Dark
|
||||
gtk-application-prefer-dark-theme=1
|
||||
' | sudo tee /etc/gtk-4.0/settings.ini
|
||||
|
||||
# Networking
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
|
||||
sudo nmcli general reload conf
|
||||
sudo hostnamectl hostname 'localhost'
|
||||
sudo hostnamectl --transient hostname ''
|
||||
echo '[device]
|
||||
wifi.scan-rand-mac-address=yes
|
||||
|
||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||
curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart NetworkManager
|
||||
[connection]
|
||||
wifi.cloned-mac-address=random
|
||||
ethernet.cloned-mac-address=random
|
||||
connection.stable-id=${CONNECTION}/${BOOT}
|
||||
' | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||
|
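Review bot: The DNSSEC line `sed -i 's/DNSSEC=yes/#DNSSEC=false/g' /etc/systemd/resolved.conf` does not do what its comment says: it comments the option out instead of selecting allow-downgrade, so the effective mode is whatever the distribution default is, and the substitution only fires if the file literally contains `DNSSEC=yes`. If allow-downgrade is the intent, `sed -i 's/^#\?DNSSEC=.*/DNSSEC=allow-downgrade/' /etc/systemd/resolved.conf` states it explicitly. Separately, the chrony fetch `curl --proxy http://127.0.0.1:8082 ... -o /etc/chrony.conf` is the only write in this hunk that drops `sudo`/`tee`, so it fails unless the script already runs as root; which side of the diff these lines sit on is not fully certain from the rendering.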
@ -1,28 +1,10 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2022-2024 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
echo '[microsoft-edge]
|
||||
name=microsoft-edge
|
||||
baseurl=https://packages.microsoft.com/yumrepos/edge/
|
||||
enabled=1
|
||||
gpgcheck=1
|
||||
gpgkey=https://packages.microsoft.com/keys/microsoft.asc' | sudo tee /etc/yum.repos.d/microsoft-edge.repo
|
||||
|
||||
curl --proxy http://127.0.0.1:8082 -O https://packages.microsoft.com/keys/microsoft.asc
|
||||
sudo rpm --import microsoft.asc
|
||||
rm microsoft.asc
|
||||
sudo dnf config-manager --add-repo https://packages.microsoft.com/yumrepos/edge
|
||||
sudo dnf install -y microsoft-edge-stable
|
||||
|
||||
sudo mkdir -p /etc/opt/edge/policies/managed/ /etc/opt/edge/policies/recommended/
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/managed.json | sudo tee /etc/opt/edge/policies/managed/managed.json
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Microsoft-Edge-Policies/main/Linux/recommended.json | sudo tee /etc/opt/edge/policies/managed/recommended.json
|
||||
|
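Review bot: Both recommended-policy fetches write to `/etc/opt/edge/policies/managed/recommended.json`, so the recommended policy set is installed as a managed (enforced) policy and the `/etc/opt/edge/policies/recommended/` directory created by the mkdir line stays empty; the second fetch is also a verbatim duplicate of the first. That line's target should be `/etc/opt/edge/policies/recommended/recommended.json`. As in the other scripts, the curls carry no `--fail`, so a failed fetch through the proxy leaves an empty or error-page policy file via `sudo tee`; which of these lines are on the new side is not fully certain from the rendering.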
@ -1,150 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2022-2024 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
unpriv(){
|
||||
sudo -u nobody "$@"
|
||||
}
|
||||
|
||||
# Compliance
|
||||
sudo systemctl mask debug-shell.service
|
||||
sudo systemctl mask kdump.service
|
||||
|
||||
# Setting umask to 077
|
||||
umask 077
|
||||
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
|
||||
echo 'umask 077' | sudo tee -a /etc/bashrc
|
||||
|
||||
# Make home directory private
|
||||
sudo chmod 700 /home/*
|
||||
|
||||
# Harden SSH
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Security kernel settings
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
sudo chmod 644 /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
sudo chmod 644 /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
# Dracut doesn't seem to work - need to investigate
|
||||
# dracut -f
|
||||
sudo sysctl -p
|
||||
|
||||
# Disable coredump
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
|
||||
|
||||
# Setup dconf
|
||||
umask 022
|
||||
mkdir -p /etc/dconf/db/local.d/locks
|
||||
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy
|
||||
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/button-layout | sudo tee /etc/dconf/db/local.d/button-layout
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/touchpad | sudo tee /etc/dconf/db/local.d/touchpad
|
||||
|
||||
sudo dconf update
|
||||
umask 077
|
||||
|
||||
# Setup DNF
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
|
||||
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
|
||||
|
||||
# Remove unnecessary stuff from the Qubes template
|
||||
sudo dnf -y remove thunderbird httpd keepassxc rygel
|
||||
|
||||
# Remove firefox packages
|
||||
sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
|
||||
|
||||
# Remove Network + hardware tools packages
|
||||
sudo dnf -y remove '*cups' nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio
|
||||
|
||||
# Remove support for some languages and spelling
|
||||
sudo dnf -y remove ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*m17n*' '*hangul*' '*anthy*' words
|
||||
|
||||
# Remove codec + image + printers
|
||||
sudo dnf -y remove openh264 ImageMagick* sane* simple-scan
|
||||
|
||||
# Remove Active Directory + Sysadmin + reporting tools
|
||||
sudo dnf -y remove 'sssd*' realmd cyrus-sasl-gssapi quota* dos2unix kpartx sos samba-client gvfs-smb
|
||||
|
||||
# Remove vm and virtual stuff
|
||||
sudo dnf -y remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
|
||||
|
||||
# Remove NetworkManager
|
||||
sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager
|
||||
|
||||
# Remove Gnome apps
|
||||
sudo dnf remove -y chrome-gnome-shell eog gnome-photos gnome-connections gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts \
|
||||
gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem \
|
||||
gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list \
|
||||
gnome-classic* gnome-user* gnome-text-editor loupe snapshot
|
||||
|
||||
# Remove apps
|
||||
sudo dnf remove -y rhythmbox yelp evince libreoffice* cheese file-roller* mediawriter
|
||||
|
||||
# Remove other packages
|
||||
# We deviate from the script in TommyTran732/Linux-Setup-Scripts here, as removing yajl will break qubes integration.
|
||||
sudo dnf remove -y lvm2 rng-tools thermald '*perl*'
|
||||
|
||||
# Disable openh264 repo
|
||||
sudo dnf config-manager --set-disabled fedora-cisco-openh264
|
||||
|
||||
# Update packages
|
||||
sudo dnf -y upgrade
|
||||
|
||||
# Install custom packages
|
||||
sudo dnf install qubes-ctap qubes-gpg-split adw-gtk3-theme gnome-console -y
|
||||
|
||||
# Flatpak update service
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer
|
||||
|
||||
# Systemd hardening
|
||||
sudo mkdir -p /etc/systemd/system/ModemManager.service.d
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/divestedcg/Brace/master/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/ModemManager.service.d/99-brace.conf
|
||||
|
||||
# Setup hardened_malloc
|
||||
sudo dnf install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm' -y
|
||||
sudo sed -i 's/^metalink=.*/&?protocol=https/g' /etc/yum.repos.d/divested-release.repo
|
||||
sudo dnf config-manager --save --setopt=divested.includepkgs=divested-release,real-ucode,microcode_ctl,amd-ucode-firmware,hardened_malloc
|
||||
sudo dnf install hardened_malloc -y
|
||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||
|
||||
# Setup networking
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/00-macrandomize.conf | sudo tee /etc/NetworkManager/conf.d/00-macrandomize.conf
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/NetworkManager/conf.d/01-transient-hostname.conf | sudo tee /etc/NetworkManager/conf.d/01-transient-hostname.conf
|
||||
|
||||
# Can't do nmcli reload here because NetworkManager is not running in a TemplateVM
|
||||
# sudo nmcli general reload conf
|
||||
|
||||
sudo hostnamectl hostname 'localhost'
|
||||
sudo hostnamectl --transient hostname ''
|
||||
|
||||
sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl restart NetworkManager
|
99
fedora/fedora.sh
Normal file
@ -0,0 +1,99 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Remove unnecessary stuff from the Qubes template
|
||||
sudo dnf -y thunderbird httpd keepassxc rygel
|
||||
|
||||
# Remove firefox packages
|
||||
sudo dnf -y remove fedora-bookmarks fedora-chromium-config firefox mozilla-filesystem
|
||||
|
||||
# Remove Network + hardware tools packages
|
||||
sudo dnf -y remove '*cups' nmap-ncat nfs-utils nmap-ncat openssh-server net-snmp-libs net-tools opensc traceroute rsync tcpdump teamd geolite2* mtr dmidecode sgpio
|
||||
|
||||
# Remove support for some languages and spelling
|
||||
sudo dnf -y remove ibus-typing-booster '*speech*' '*zhuyin*' '*pinyin*' '*kkc*' '*m17n*' '*hangul*' '*anthy*' words
|
||||
|
||||
# Remove codec + image + printers
|
||||
sudo dnf -y remove openh264 ImageMagick* sane* simple-scan
|
||||
|
||||
# Remove Active Directory + Sysadmin + reporting tools
|
||||
sudo dnf -y remove 'sssd*' realmd adcli cyrus-sasl-plain cyrus-sasl-gssapi mlocate quota* dos2unix kpartx sos abrt samba-client gvfs-smb
|
||||
|
||||
# Remove vm and virtual stuff
|
||||
sudo dnf -y remove 'podman*' '*libvirt*' 'open-vm*' qemu-guest-agent 'hyperv*' spice-vdagent virtualbox-guest-additions vino xorg-x11-drv-vmware xorg-x11-drv-amdgpu
|
||||
sudo dnf autoremove -y
|
||||
|
||||
# Remove NetworkManager
|
||||
sudo dnf -y remove NetworkManager-pptp-gnome NetworkManager-ssh-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-vpnc-gnome ppp* ModemManager
|
||||
|
||||
# Remove Gnome apps
|
||||
sudo dnf remove -y gnome-photos gnome-connections gnome-tour gnome-themes-extra gnome-screenshot gnome-remote-desktop gnome-font-viewer gnome-calculator gnome-calendar gnome-contacts \
|
||||
gnome-maps gnome-weather gnome-logs gnome-boxes gnome-disk-utility gnome-clocks gnome-color-manager gnome-characters baobab totem \
|
||||
gnome-shell-extension-background-logo gnome-shell-extension-apps-menu gnome-shell-extension-launch-new-instance gnome-shell-extension-places-menu gnome-shell-extension-window-list \
|
||||
gnome-classic* gnome-user* gnome-text-editor chrome-gnome-shell eog
|
||||
|
||||
# Remove apps
|
||||
sudo dnf remove -y rhythmbox yelp evince libreoffice* cheese file-roller* mediawriter
|
||||
|
||||
# Remove other packages
|
||||
sudo dnf remove -y lvm2 rng-tools thermald '*perl*' yajl
|
||||
|
||||
# Disable openh264 repo
|
||||
sudo dnf config-manager --set-disabled fedora-cisco-openh264
|
||||
|
||||
# Install custom packages
|
||||
sudo dnf install qubes-u2f qubes-gpg-split arc-theme qt5ct qt5-qtstyleplugins -y
|
||||
echo "countme=False" | sudo tee -a /etc/dnf/dnf.conf
|
||||
|
||||
# Blacklisting kernel modules
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
|
||||
# Security kernel settings.
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
sudo sed -i 's/kernel.yama.ptrace_scope=2/kernel.yama.ptrace_scope=3/g' /etc/sysctl.d/990-security-misc.conf
|
||||
curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_silent-kernel-printk.conf | sudo tee /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
curl --proxy http://127.00.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | sudo tee /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
||||
|
||||
# Systemd hardening
|
||||
sudo mkdir -p /etc/systemd/system/ModemManager.service.d
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/divestedcg/Brace/master/brace/usr/lib/systemd/system/ModemManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/ModemManager.service.d/99-brace.conf
|
||||
|
||||
# Setup SSH client
|
||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Force DNSSEC
|
||||
sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf
|
||||
sudo systemctl restart systemd-resolved
|
||||
|
||||
# Theming
|
||||
|
||||
echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
|
||||
|
||||
echo "[org/gnome/desktop/interface]
|
||||
gtk-theme='Arc-Dark'
|
||||
|
||||
[org/gnome/desktop/media-handling]
|
||||
automount=false
|
||||
automount-open=false" | sudo tee /etc/dconf/db/local.d/custom
|
||||
|
||||
sudo dconf update
|
||||
|
||||
# Flatpak update service
|
||||
|
||||
echo "[Unit]
|
||||
Description=Update user Flatpaks
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/flatpak --user update -y" | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
||||
|
||||
echo "[Unit]
|
||||
Description=Update user Flatpaks daily
|
||||
|
||||
[Timer]
|
||||
OnCalendar=daily
|
||||
Persistent=true
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target" | sudo tee /etc/systemd/user/update-user-flatpaks.timer
|
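Review bot: `sudo dnf -y thunderbird httpd keepassxc rygel` under "Remove unnecessary stuff" is missing the `remove` subcommand, so dnf exits with an unknown-command error and those packages stay installed; it should read `sudo dnf -y remove thunderbird httpd keepassxc rygel` like the lines that follow it. The two sysctl fetches use `--proxy http://127.00.1:8082`, a malformed address that the `127.0.0.1:8082` proxy on the other curl lines does not answer, and none of the four curls pass `--fail`, so an error response or empty body is written straight into /etc/modprobe.d and /etc/sysctl.d by `sudo tee`. Suggest `curl --fail --proto =https --proxy http://127.0.0.1:8082 <URL> | sudo tee <path>` for all four fetches. The theming line `echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment` also overwrites the whole file rather than appending, and since pam_env reads /etc/environment as plain KEY=VALUE lines the `export` prefix is unlikely to be honoured — worth confirming before relying on it.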
@ -1,23 +1,19 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2022-2024 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
|
||||
sudo dnf install mullvad-vpn
|
||||
sudo dnf install -y https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm
|
||||
sudo systemctl enable mullvad-daemon
|
||||
|
||||
echo "[org/gnome/desktop/interface]
|
||||
gtk-theme='Arc-Dark'
|
||||
|
||||
[org/gnome/desktop/media-handling]
|
||||
automount=false
|
||||
automount-open=false" | sudo tee /etc/dconf/db/local.d/custom
|
||||
|
||||
sudo dconf update
|
||||
|
||||
sudo rm -rf /usr/share/icons/Arc
|
||||
|
||||
sudo mkdir -p /etc/qubes-bind-dirs.d
|
||||
sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null
|
||||
binds+=( '/etc/mullvad-vpn' )
|
||||
|
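Review bot: `sudo dnf install -y https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm` installs a hard-coded RPM fetched by URL, and dnf only GPG-checks packages given as URLs or local files when `localpkg_gpgcheck=1` is set, which is off by default, so that package's signature is never verified. If this line is the new side (the rendering does not make the side certain), importing Mullvad's signing key and enabling that option, or using the repository definition with `gpgcheck=1` instead, closes the gap. The `sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null` heredoc that begins at the end of this hunk closes outside it.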
@ -1,17 +1,3 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2022-2024 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
sudo dnf install -y gnome-disk-utility yubioath android-tools
|
||||
|
20
kicksecure/element.sh
Normal file
@ -0,0 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2023 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
curl --proxy http://127.0.0.1:8082/ https://packages.element.io/debian/element-io-archive-keyring.gpg | sudo tee /usr/share/keyrings/element-io-archive-keyring.gpg
|
||||
echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
|
||||
sudo apt update
|
||||
sudo apt install --no-install-recommends element-desktop -y
|
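Review bot: The keyring fetch `curl --proxy http://127.0.0.1:8082/ https://packages.element.io/debian/element-io-archive-keyring.gpg | sudo tee /usr/share/keyrings/element-io-archive-keyring.gpg` has no `--fail`, so an HTTP error body from the proxy becomes the file that the `signed-by=` entry on the next line then trusts for every package from that repository. Suggest `curl --fail --proto =https --tlsv1.3 --max-time 180 --proxy http://127.0.0.1:8082/ <URL> | sudo tee <path>`, the flag set kicksecure.sh already uses for its key, followed by `sudo chmod 644 /usr/share/keyrings/element-io-archive-keyring.gpg` to pin the mode regardless of the caller's umask. Nothing here compares the downloaded key with a known fingerprint, so the repository's trust root rests entirely on the TLS session through the proxy.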
93
kicksecure/kicksecure.sh
Normal file
@ -0,0 +1,93 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2023 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
unpriv(){
|
||||
sudo -u nobody "$@"
|
||||
}
|
||||
|
||||
# Avoid phased updates
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
|
||||
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
||||
|
||||
# Adding KickSecure's signing key
|
||||
curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
|
||||
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
|
||||
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
|
||||
sudo apt update
|
||||
|
||||
# Debloat
|
||||
sudo apt purge -y thunderbird emacs emacs-gtk emacs-bin-common emacs-common firefox* keepassxc cups* system-config-printer* xsettingsd yelp*
|
||||
sudo apt autoremove -y
|
||||
sudo apt autoclean
|
||||
|
||||
# Distribution morphing
|
||||
sudo apt install --no-install-recommends kicksecure-qubes-cli gnome-settings-daemon -y
|
||||
sudo apt autoremove -y
|
||||
sudo mv /etc/apt/sources.list ~/
|
||||
sudo touch /etc/apt/sources.list
|
||||
|
||||
#E nabling SUID Disabler and Permission Hardener
|
||||
sudo systemctl enable --now permission-hardening
|
||||
|
||||
# Restrict /proc and access
|
||||
sudo systemctl enable --now proc-hidepid.service
|
||||
|
||||
# educe kernel information leaks
|
||||
# Will break a lot of applications. The apps I use on KickSecure work fine with it so I am enabling it.
|
||||
sudo systemctl enable --now hide-hardware-info.service
|
||||
|
||||
# Install packages
|
||||
sudo apt install --no-install-recommends tirdad qubes-gpg-split qubes-u2f eog qt5ct qt5-style-plugins arc-theme -y
|
||||
|
||||
# Setup SSH client
|
||||
echo "GSSAPIAuthentication no" | sudo tee /etc/ssh/ssh_config.d/10-custom.conf
|
||||
echo "VerifyHostKeyDNS yes" | sudo tee -a /etc/ssh/ssh_config.d/10-custom.conf
|
||||
|
||||
# Force DNSSEC
|
||||
sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf
|
||||
sudo systemctl restart systemd-resolved
|
||||
|
||||
# Theming
|
||||
|
||||
echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
|
||||
|
||||
echo "[org/gnome/desktop/interface]
|
||||
gtk-theme='Arc-Dark'
|
||||
|
||||
[org/gnome/desktop/media-handling]
|
||||
automount=false
|
||||
automount-open=false" | sudo tee /etc/dconf/db/local.d/custom
|
||||
|
||||
sudo dconf update
|
||||
|
||||
# Flatpak update service
|
||||
|
||||
echo "[Unit]
|
||||
Description=Update user Flatpaks
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/flatpak --user update -y" | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
||||
|
||||
echo "[Unit]
|
||||
Description=Update user Flatpaks daily
|
||||
|
||||
[Timer]
|
||||
OnCalendar=daily
|
||||
Persistent=true
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target" | sudo tee /etc/systemd/user/update-user-flatpaks.timer
|
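Review bot: The `unpriv curl` that fetches 99sane-upgrades has no `--proxy http://127.0.0.1:8082` even though the derivative.asc fetch a few lines below goes through the updates proxy, so in a TemplateVM with no direct network it fails, and because the script sets neither `set -o pipefail` nor `--fail`, `sudo tee` still truncates `/etc/apt/apt.conf.d/99sane-upgrades` to an empty file and execution carries on. I would add `set -euo pipefail` after the shebang and make the fetch `unpriv curl --proxy http://127.0.0.1:8082 --fail --tlsv1.3 --proto =https --max-time 180 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades`, matching the hardening flags already used on the derivative.asc line. The derivative.asc key is copied straight into the `signed-by` keyring with no fingerprint check, so trust in the KickSecure repository rests entirely on that one TLS fetch; comparing `gpg --show-keys --with-fingerprint ~/derivative.asc` against the fingerprint KickSecure publishes, before the `cp`, would make the key pinning explicit. The sources line also hard-codes `bullseye`, whereas lokinet.sh in the same commit derives the suite from `$(lsb_release -sc)`; the two should agree.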
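--- /dev/null
+++ b/kicksecure/lokinet.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Copyright (C) 2023 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+#DNS doesn't work on an AppVM if Lokinet is used in a ProxyVM so Lokinet has to be installed on the AppVM
+#The AppVM needs to be granted the network-manager service
+#There is a risk of leaks because I dont see any killswitch being implemented
+
+# Disabling the Arc icon theme here because it looks bad on the systray
+sudo rm -rf /usr/share/icons/Arc
+
+echo "[Settings]
+gtk-theme-name=Arc-Dark
+gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
+
+echo "[Settings]
+gtk-theme-name=Arc-Dark
+gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
+
+
+# Actual Installtion
+curl --proxy http://127.0.0.1:8082 | sudo tee /etc/apt/trusted.gpg.d/oxen.gpg https://deb.oxen.io/pub.gpg
+echo "deb https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
+curl --proxy http://127.0.0.1:8082 | sudo tee /usr/share/keyrings/brave-browser-archive-keyring.gpg https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main" | sudo tee /etc/apt/sources.list.d/brave-browser-release.list
+sudo apt update
+sudo apt install --no-install-recommends brave-browser lokinet-gui resolvconf
+sudo sed -i 's/#exit-node=/exit-node=exit.loki/' /var/lib/lokinet/lokinet.ini
+sudo systemctl enable --now lokinet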
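Review bot: Both key-import lines hand the URL to `tee` instead of `curl`: in `curl --proxy http://127.0.0.1:8082 | sudo tee /etc/apt/trusted.gpg.d/oxen.gpg https://deb.oxen.io/pub.gpg` curl has no URL and exits with "no URL specified", `tee` creates an empty `oxen.gpg` plus a stray file literally named `https://deb.oxen.io/pub.gpg` in the working directory, and the brave-browser line two lines down has the same shape, so `apt update` runs against repositories whose keys were never fetched. The oxen key is also written to `/etc/apt/trusted.gpg.d/`, which makes it a trust root for every configured repository rather than just deb.oxen.io; it should live under `/usr/share/keyrings/` and be bound to its repo with `signed-by=`, as the brave line already does. If `pub.gpg` is served ASCII-armored rather than as a binary keyring it will additionally need `gpg --dearmor` before apt accepts it via `signed-by` — worth confirming against what the server returns. The `apt install` line has no `-y`, so an otherwise unattended script stops at an interactive prompt.
```shell
curl --proxy http://127.0.0.1:8082 --fail --tlsv1.3 --proto =https --max-time 180 https://deb.oxen.io/pub.gpg | sudo tee /usr/share/keyrings/oxen-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/oxen-archive-keyring.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
curl --proxy http://127.0.0.1:8082 --fail --tlsv1.3 --proto =https --max-time 180 https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg | sudo tee /usr/share/keyrings/brave-browser-archive-keyring.gpg
# … unchanged: brave sources line, apt update …
sudo apt install --no-install-recommends -y brave-browser lokinet-gui resolvconf
```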
@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2022-2024 Thien Tran
|
||||
# Copyright (C) 2023 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
@ -19,15 +19,14 @@ unpriv(){
|
||||
}
|
||||
|
||||
# Avoid phased updates
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
|
||||
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
||||
|
||||
# Install packages
|
||||
sudo apt install --no-install-recommends qt5ct qt5-style-plugins arc-theme -y
|
||||
sudo apt install --no-install-recommends tirdad qt5ct qt5-style-plugins arc-theme -y
|
||||
|
||||
# Enabling SUID Disabler and Permission Hardener
|
||||
sudo permission-hardener enable
|
||||
sudo systemctl enable --now permission-hardener
|
||||
sudo systemctl enable --now permission-hardening
|
||||
|
||||
# Restrict /proc and access
|
||||
sudo systemctl enable --now proc-hidepid.service
|
||||
@ -36,11 +35,14 @@ sudo systemctl enable --now proc-hidepid.service
|
||||
# Will break a lot of applications. The apps I use on Whonix work fine with it so I am enabling it.
|
||||
sudo systemctl enable --now hide-hardware-info.service
|
||||
|
||||
# Theming
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment | sudo tee /etc/environment
|
||||
echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
|
||||
|
||||
sudo mkdir -p /etc/gtk-3.0
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | sudo tee /etc/gtk-3.0/settings.ini
|
||||
echo "[Settings]
|
||||
gtk-theme-name=Arc-Dark
|
||||
gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
|
||||
|
||||
sudo mkdir -p /etc/gtk-4.0
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | sudo tee /etc/gtk-4.0/settings.ini
|
||||
echo "[Settings]
|
||||
gtk-theme-name=Arc-Dark
|
||||
gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2022-2024 Thien Tran
|
||||
# Copyright (C) 2023 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
@ -19,15 +19,14 @@ unpriv(){
|
||||
}
|
||||
|
||||
# Avoid phased updates
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
|
||||
unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades
|
||||
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
||||
|
||||
# Install packages
|
||||
sudo apt install --no-install-recommends qt5ct qt5-style-plugins arc-theme git -y
|
||||
sudo apt install --no-install-recommends tirdad qt5ct qt5-style-plugins arc-theme git -y
|
||||
|
||||
# Enabling SUID Disabler and Permission Hardener
|
||||
sudo permission-hardener enable
|
||||
sudo systemctl enable --now permission-hardener
|
||||
sudo systemctl enable --now permission-hardening
|
||||
|
||||
# Restrict /proc and access
|
||||
sudo systemctl enable --now proc-hidepid.service
|
||||
@ -37,10 +36,15 @@ sudo systemctl enable --now proc-hidepid.service
|
||||
sudo systemctl enable --now hide-hardware-info.service
|
||||
|
||||
# Theming
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/environment | sudo tee /etc/environment
|
||||
|
||||
echo "export QT_QPA_PLATFORMTHEME=gtk2" | sudo tee /etc/environment
|
||||
|
||||
sudo mkdir -p /etc/gtk-3.0
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini | sudo tee /etc/gtk-3.0/settings.ini
|
||||
echo "[Settings]
|
||||
gtk-theme-name=Arc-Dark
|
||||
gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
|
||||
|
||||
sudo mkdir -p /etc/gtk-4.0
|
||||
unpriv curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini | sudo tee /etc/gtk-4.0/settings.ini
|
||||
echo "[Settings]
|
||||
gtk-theme-name=Arc-Dark
|
||||
gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-4.0/settings.ini
|
||||
|