mirror of
https://github.com/tommytran732/QubesOS-Scripts
synced 2024-11-23 02:01:32 -05:00
Compare commits
No commits in common. "6b7dacda7caf04aaa47f88c106438aba55c70546" and "7ca046d5091627f841a60de6e5137b5655a2130b" have entirely different histories.
6b7dacda7c
...
7ca046d509
20
dom0.sh
20
dom0.sh
@ -20,20 +20,16 @@ sudo systemctl enable fstrim.timer
|
||||
|
||||
# Theming
|
||||
|
||||
# After a reboot, run qt5ct and set the theme to gtk-2
|
||||
|
||||
sudo qubes-dom0-update qubes-ctap-dom0 qt5ct qt5-qtstyleplugins
|
||||
|
||||
echo 'QT_QPA_PLATFORMTHEME=qt5ct' | sudo tee -a /etc/environment
|
||||
|
||||
# Add extra gtk theming - this is probably not necessary, but why not
|
||||
|
||||
sudo mkdir -p /etc/gtk-3.0
|
||||
echo '[Settings]
|
||||
echo "[Settings]
|
||||
gtk-theme-name=Arc-Dark
|
||||
gtk-application-prefer-dark-theme=1' | sudo tee /etc/gtk-3.0/settings.ini
|
||||
gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
|
||||
|
||||
sudo mkdir -p /etc/gtk-4.0
|
||||
echo '[Settings]
|
||||
echo "[Settings]
|
||||
gtk-theme-name=Arc-Dark
|
||||
gtk-application-prefer-dark-theme=1' | sudo tee /etc/gtk-4.0/settings.ini
|
||||
gtk-application-prefer-dark-theme=1" | sudo tee /etc/gtk-3.0/settings.ini
|
||||
|
||||
sudo qubes-dom0-update qubes-u2f-dom0 qt5ct qt5-qtstyleplugins
|
||||
|
||||
echo "QT_QPA_PLATFORMTHEME=qt5ct" | sudo tee /etc/environment
|
||||
|
||||
@ -46,7 +46,6 @@ echo "countme=False" | sudo tee -a /etc/dnf/dnf.conf
|
||||
|
||||
# Blacklisting kernel modules
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/modprobe.d/30_security-misc.conf | sudo tee /etc/modprobe.d/30_security-misc.conf
|
||||
sudo sed -i 's/#install msr/install msr/g' /etc/modprobe.d/30_security-misc.conf
|
||||
|
||||
# Security kernel settings.
|
||||
curl --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/Kicksecure/security-misc/master/usr/lib/sysctl.d/990-security-misc.conf | sudo tee /etc/sysctl.d/990-security-misc.conf
|
||||
@ -86,7 +85,10 @@ Description=Update user Flatpaks
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/flatpak --user update -y" | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
||||
ExecStart=/usr/bin/flatpak --user update -y
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target" | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
||||
|
||||
echo "[Unit]
|
||||
Description=Update user Flatpaks daily
|
||||
|
||||
23
fedora/sysadmin-AppVM.sh
Normal file
23
fedora/sysadmin-AppVM.sh
Normal file
@ -0,0 +1,23 @@
|
||||
#!/bin/bash
|
||||
|
||||
#Run this in an AppVM, not a TemplateVM
|
||||
|
||||
echo '# SPLIT SSH CONFIGURATION >>>
|
||||
# replace "vault" with your AppVM name which stores the ssh private key(s)
|
||||
SSH_VAULT_VM="vault"
|
||||
|
||||
if [ "$SSH_VAULT_VM" != "" ]; then
|
||||
export SSH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
|
||||
rm -f "$SSH_SOCK"
|
||||
sudo -u user /bin/sh -c "umask 177 && exec socat 'UNIX-LISTEN:$SSH_SOCK,fork' 'EXEC:qrexec-client-vm $SSH_VAULT_VM qubes.SshAgent'" &
|
||||
fi
|
||||
# <<< SPLIT SSH CONFIGURATION' | sudo tee -a /rw/config/rc.local
|
||||
|
||||
echo '# SPLIT SSH CONFIGURATION >>>
|
||||
# replace "vault" with your AppVM name which stores the ssh private key(s)
|
||||
SSH_VAULT_VM="vault"
|
||||
|
||||
if [ "$SSH_VAULT_VM" != "" ]; then
|
||||
export SSH_AUTH_SOCK="/home/user/.SSH_AGENT_$SSH_VAULT_VM"
|
||||
fi
|
||||
# <<< SPLIT SSH CONFIGURATION' | tee -a ~/.bashrc
|
||||
@ -18,3 +18,6 @@ curl --proxy http://127.0.0.1:8082/ https://packages.element.io/debian/element-i
|
||||
echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
|
||||
sudo apt update
|
||||
sudo apt install --no-install-recommends element-desktop -y
|
||||
|
||||
# Adding a DNS entry for my Matrix server here so I can add a Firewall rule locking the AppVM to only being able to connect to my server.
|
||||
echo "5.226.143.168 matrix.arcticfoxes.net" | sudo tee -a /etc/hosts
|
||||
|
||||
@ -42,6 +42,9 @@ sudo touch /etc/apt/sources.list
|
||||
#E nabling SUID Disabler and Permission Hardener
|
||||
sudo systemctl enable --now permission-hardening
|
||||
|
||||
# Enable hardened malloc
|
||||
echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
|
||||
|
||||
# Restrict /proc and access
|
||||
sudo systemctl enable --now proc-hidepid.service
|
||||
|
||||
@ -80,7 +83,10 @@ Description=Update user Flatpaks
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/flatpak --user update -y" | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
||||
ExecStart=/usr/bin/flatpak --user update -y
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target" | sudo tee /etc/systemd/user/update-user-flatpaks.service
|
||||
|
||||
echo "[Unit]
|
||||
Description=Update user Flatpaks daily
|
||||
|
||||
21
kicksecure/signal.sh
Normal file
21
kicksecure/signal.sh
Normal file
@ -0,0 +1,21 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright (C) 2023 Thien Tran
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy of
|
||||
# the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations under
|
||||
# the License.
|
||||
|
||||
curl --proxy http://127.0.0.1:8082/ https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
|
||||
cat signal-desktop-keyring.gpg | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
|
||||
|
||||
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
|
||||
sudo apt update && sudo apt install --no-install-recommends signal-desktop -y
|
||||
@ -28,6 +28,9 @@ sudo apt install --no-install-recommends tirdad qt5ct qt5-style-plugins arc-them
|
||||
# Enabling SUID Disabler and Permission Hardener
|
||||
sudo systemctl enable --now permission-hardening
|
||||
|
||||
# Enable hardened malloc
|
||||
echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
|
||||
|
||||
# Restrict /proc and access
|
||||
sudo systemctl enable --now proc-hidepid.service
|
||||
|
||||
|
||||
@ -28,6 +28,9 @@ sudo apt install --no-install-recommends tirdad qt5ct qt5-style-plugins arc-them
|
||||
# Enabling SUID Disabler and Permission Hardener
|
||||
sudo systemctl enable --now permission-hardening
|
||||
|
||||
# Enable hardened malloc
|
||||
echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
|
||||
|
||||
# Restrict /proc and access
|
||||
sudo systemctl enable --now proc-hidepid.service
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user