Compare commits
17 Commits
7cbadc9835
...
a20b69f516
Author | SHA1 | Date | |
---|---|---|---|
a20b69f516 | |||
03b5249c63 | |||
bf4a426aa8 | |||
5e3cf1f979 | |||
3775461e28 | |||
2ca3b492d2 | |||
e7ef3a8194 | |||
7b8f77e399 | |||
857fbd5f14 | |||
babf17970a | |||
25f99d79cd | |||
629109324f | |||
feea47d5df | |||
cae56433cd | |||
a734aa26a0 | |||
ab1dbd9b3a | |||
b3476a5ef8 |
@ -10,7 +10,7 @@ After you are done running those scripts, any other script can be used in a diff
|
|||||||
|
|
||||||
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
|
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
|
||||||
|
|
||||||
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
|
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care of dom0 so you only need to worry about the guests. Skip whonix-gateway as it will create an annoying prompt every time a VM attached to it boots.
|
||||||
|
|
||||||
## Laptop Recommendations
|
## Laptop Recommendations
|
||||||
|
|
||||||
|
@ -15,11 +15,16 @@ umask 022
|
|||||||
sudo mkdir -p /etc/qubes-bind-dirs.d
|
sudo mkdir -p /etc/qubes-bind-dirs.d
|
||||||
echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
|
echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
|
||||||
|
|
||||||
|
# Add repositories
|
||||||
download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg
|
download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg
|
||||||
echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
|
echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
|
||||||
|
|
||||||
|
download https://repository.mullvad.net/deb/mullvad-keyring.asc /usr/share/keyrings/mullvad-keyring.asc
|
||||||
|
echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list
|
||||||
|
|
||||||
|
# Install packages
|
||||||
sudo apt update
|
sudo apt update
|
||||||
sudo apt install lokinet resolvconf
|
sudo apt install -y lokinet mullvad-browser resolvconf
|
||||||
|
|
||||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service
|
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service
|
||||||
sudo systemctl enable --now lokinet-dns-fix
|
sudo systemctl enable --now lokinet-dns-fix
|
||||||
|
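Review bot: The new `sudo apt install -y lokinet mullvad-browser resolvconf` line installs recommended packages, while the other Debian script further down this page installs with `--no-install-recommends`; if that is the intended baseline for these templates, use `sudo apt install -y --no-install-recommends lokinet mullvad-browser resolvconf`. The added Mullvad sources line uses `lsb_release -cs` where the Oxen line above it uses `lsb_release -sc`; both yield the codename, but one spelling should be chosen. The Mullvad keyring fetched by `download` is trusted on first download with no fingerprint check; comparing the output of `gpg --show-keys /usr/share/keyrings/mullvad-keyring.asc` against a pinned fingerprint (`<MULLVAD_KEY_FPR_PLACEHOLDER>`, to be filled in from the vendor's published value) before writing the sources entry would catch a tampered or mis-served key. The `download` helper is defined above this hunk, outside the view.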
21
dom0.sh
21
dom0.sh
@ -1,6 +1,6 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Copyright (C) 2023 Thien Tran
|
# Copyright (C) 2023-2024 Thien Tran
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||||
# use this file except in compliance with the License. You may obtain a copy of
|
# use this file except in compliance with the License. You may obtain a copy of
|
||||||
@ -14,7 +14,7 @@
|
|||||||
# License for the specific language governing permissions and limitations under
|
# License for the specific language governing permissions and limitations under
|
||||||
# the License.
|
# the License.
|
||||||
|
|
||||||
set -eu
|
set -eu -o pipefail
|
||||||
|
|
||||||
# Enabling discard and fstrim
|
# Enabling discard and fstrim
|
||||||
sudo sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
|
sudo sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
|
||||||
@ -26,9 +26,20 @@ sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qt5ct qt5-qtstyleplugins
|
|||||||
sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
|
sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
|
||||||
sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 10 /' /etc/anti-evil-maid.conf
|
sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 10 /' /etc/anti-evil-maid.conf
|
||||||
|
|
||||||
# Theming
|
# Configure sudo prompt for domUs
|
||||||
|
echo "/usr/bin/echo 1" | sudo tee /etc/qubes-rpc/qubes.VMAuth
|
||||||
|
echo "@anyvm dom0 ask,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.VMAuth
|
||||||
|
sudo chmod +x /etc/qubes-rpc/qubes.VMAuth
|
||||||
|
|
||||||
# After a reboot, run qt5ct and set the theme to gtk-2
|
# Set qvm-features
|
||||||
|
|
||||||
|
sudo qvm-features fedora-40 default-menu-items 'org.gnome.Nautilus.desktop org.gnome.Ptyxis.desktop'
|
||||||
|
sudo qvm-features fedora-40 netvm-menu-items 'org.gnome.Ptyxis.desktop'
|
||||||
|
|
||||||
|
sudo qvm-features debian-12 default-menu-items 'org.gnome.Console.desktop org.gnome.Nautilus.desktop'
|
||||||
|
sudo qvm-features debian-12 netvm-menu-items 'org.gnome.Console.desktop'
|
||||||
|
|
||||||
|
# Theming
|
||||||
|
|
||||||
echo 'QT_QPA_PLATFORMTHEME=gtk2' | sudo tee -a /etc/environment
|
echo 'QT_QPA_PLATFORMTHEME=gtk2' | sudo tee -a /etc/environment
|
||||||
|
|
||||||
@ -43,3 +54,5 @@ sudo mkdir -p /etc/gtk-4.0
|
|||||||
echo '[Settings]
|
echo '[Settings]
|
||||||
gtk-theme-name = Arc-Dark
|
gtk-theme-name = Arc-Dark
|
||||||
gtk-application-prefer-dark-theme = true' | sudo tee /etc/gtk-4.0/settings.ini
|
gtk-application-prefer-dark-theme = true' | sudo tee /etc/gtk-4.0/settings.ini
|
||||||
|
|
||||||
|
# After a reboot, run qt5ct and set the theme to gtk-2
|
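--- /dev/null
+++ b/fedora-gnome/hardened-chromium.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (C) 2024 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+set -eu -o pipefail
+
+unpriv(){
+sudo -u nobody "${@}"
+}
+
+download() {
+unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+}
+
+sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened-chromium -y
+sudo dnf install -y hardened-chromium
+
+umask 022
+
+# Workaround for this problem: https://forum.qubes-os.org/t/upgraded-to-4-2-and-audio-no-longer-works/23130/60
+sudo dnf install -y pulseaudio-utils
+
+echo '[Unit]
+Description=Run pactl to work around edge audio bug
+After=pipewire-pulse.socket
+Requires=pipewire-pulse.socket
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/pactl info
+
+[Install]
+WantedBy=default.target' | sudo tee /etc/systemd/user/pactl.service
+
+umask 077
+
+# Run `systemctl --user enable --now pactl.service` in your appVM.
+# For some uncomprehensible reason, manually enabling pipewire-pulse.service will not work for Edge audio.
+# Using preset doesn't actually work :/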
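Review bot: `set -eu -o pipefail` is run under `#!/bin/sh`; on Fedora `/bin/sh` is bash so it happens to work, but under dash `-o pipefail` is a fatal option error, and every other script on this page uses `#!/bin/bash`, so change the shebang to `#!/bin/bash`. The `download` helper runs `curl -s` without `-f`, so an HTTP 4xx/5xx error page is written to the destination with exit status 0 and `pipefail` never fires; `unpriv curl -fsS --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null` makes a failed fetch fail the script. In this file `download` is defined but never called, so either drop it or keep it identical to the copy in the other scripts. The copr proxy is written as `https_proxy=127.0.0.1:8082` here but `https_proxy=https://127.0.0.1:8082` in the fedora-minimal hunk further down; if both work, pick one form, and the closing comment's "uncomprehensible" should read "incomprehensible".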
@ -32,7 +32,7 @@ umask 022
|
|||||||
sudo mkdir -p /etc/qubes-bind-dirs.d
|
sudo mkdir -p /etc/qubes-bind-dirs.d
|
||||||
echo 'binds+=( '\'''/etc/opt/ivpn/mutable''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
|
echo 'binds+=( '\'''/etc/opt/ivpn/mutable''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
|
||||||
|
|
||||||
sudo mkdir /-p etc/systemd/system/systemd-resolved.service.d
|
sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d
|
||||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf
|
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf
|
||||||
|
|
||||||
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service
|
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service
|
||||||
@ -40,4 +40,4 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
|
|||||||
|
|
||||||
sudo systemctl enable dnat-to-ns.path
|
sudo systemctl enable dnat-to-ns.path
|
||||||
|
|
||||||
# Follow these instructions on how to set up the ProxyVM: https://privsec.dev/posts/qubes/using-ivpn-on-qubes-os/#creating-the-proxyvm
|
# Follow these instructions on how to set up the ProxyVM: https://privsec.dev/posts/qubes/using-ivpn-on-qubes-os/#creating-the-proxyvm
|
||||||
|
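--- /dev/null
+++ b/fedora-minimal/README.md
@@ -0,0 +1,8 @@
+# Enable SELinux
+
+To enable SELinux, do the following after you have run fedora-minimal.sh:
+- Shutdown the VM.
+- Run `qvm-features fedora-40-minimal selinux 1`.
+- Start the minimal VM.
+- Edit /etc/sysconfig/selinux and change SELINUX mode to enforcing.
+- Restart the VM.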
@ -49,8 +49,6 @@ chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
|
|||||||
download https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf /etc/modprobe.d/workstation-blacklist.conf
|
download https://raw.githubusercontent.com/secureblue/secureblue/live/files/system/usr/etc/modprobe.d/blacklist.conf /etc/modprobe.d/workstation-blacklist.conf
|
||||||
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
|
sudo chmod 644 /etc/modprobe.d/workstation-blacklist.conf
|
||||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf /etc/sysctl.d/99-workstation.conf
|
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-workstation.conf /etc/sysctl.d/99-workstation.conf
|
||||||
# This doesn't exist (jackwagon)
|
|
||||||
# sudo chmod 644 /etc/sysctl.d/30_security-misc_kexec-disable.conf
|
|
||||||
# Dracut doesn't seem to work - need to investigate
|
# Dracut doesn't seem to work - need to investigate
|
||||||
# dracut -f
|
# dracut -f
|
||||||
sudo sysctl -p
|
sudo sysctl -p
|
||||||
@ -58,8 +56,14 @@ sudo sysctl -p
|
|||||||
# Setup ZRAM
|
# Setup ZRAM
|
||||||
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf /etc/systemd/zram-generator.conf
|
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/zram-generator.conf /etc/systemd/zram-generator.conf
|
||||||
|
|
||||||
|
# Install necessary packages
|
||||||
|
sudo dnf install -y qubes-core-agent-selinux
|
||||||
|
|
||||||
# Setup hardened_malloc
|
# Setup hardened_malloc
|
||||||
sudo https_proxy=https://127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
|
sudo https_proxy=https://127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
|
||||||
sudo dnf install -y hardened_malloc
|
sudo dnf install -y hardened_malloc
|
||||||
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
|
||||||
sudo chmod 644 /etc/ld.so.preload
|
sudo chmod 644 /etc/ld.so.preload
|
||||||
|
|
||||||
|
# Prepare for SELinux
|
||||||
|
sudo touch /.autorelabel
|
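Review bot: `sudo touch /.autorelabel` is added with only `# Prepare for SELinux` above it, which does not say what the marker depends on; as far as I can tell the relabel runs only once SELinux is actually enabled in the VM, which per the fedora-minimal/README.md added in this commit requires `qvm-features fedora-40-minimal selinux 1` on the stopped VM. Replace the comment with `# Relabel the filesystem on next boot; only takes effect once the template's selinux qvm-feature is set (see fedora-minimal/README.md)`. The new `# Install necessary packages` block installs only qubes-core-agent-selinux, so a more specific header such as `# SELinux support for the Qubes agent` reads better and avoids a second generic "Install necessary packages" section in the file.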
@ -25,7 +25,7 @@ download() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Install necessary packages
|
# Install necessary packages
|
||||||
dnf install -y @hardware-support arc-theme chrony gnome-keyring NetworkManager-wifi network-manager-applet qubes-core-agent-networking qubes-core-agent-network-manager xfce4-notifyd
|
sudo dnf install -y @hardware-support arc-theme chrony gnome-keyring fwupd-qubes-vm NetworkManager-wifi network-manager-applet qubes-core-agent-dom0-updates qubes-core-agent-networking qubes-core-agent-network-manager xfce4-notifyd
|
||||||
|
|
||||||
# Setup NTS
|
# Setup NTS
|
||||||
sudo rm -rf /etc/chrony.conf
|
sudo rm -rf /etc/chrony.conf
|
||||||
|
@ -39,7 +39,7 @@ download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main
|
|||||||
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
|
||||||
|
|
||||||
# Install packages
|
# Install packages
|
||||||
sudo apt install --no-install-recommends qt5ct qt5-style-plugins arc-theme -y
|
sudo apt install --no-install-recommends fwupd-qubes-vm qt5ct qt5-style-plugins arc-theme -y
|
||||||
|
|
||||||
# Restrict /proc and access
|
# Restrict /proc and access
|
||||||
sudo systemctl enable --now proc-hidepid.service
|
sudo systemctl enable --now proc-hidepid.service
|