1
0
mirror of https://github.com/tommytran732/QubesOS-Scripts synced 2024-12-27 17:31:33 -05:00

Compare commits

..

No commits in common. "7cbadc9835570e1c7cb4e02d5c306eb5f895074c" and "481700d2cc5fed38b932d14f04709c0bb07af7f3" have entirely different histories.

10 changed files with 40 additions and 75 deletions

View File

@ -10,17 +10,4 @@ After you are done running those scripts, any other script can be used in a diff
If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
## Laptop Recommendations
Qubes AEM currently still requires legacy boot. Officially, the last generation of Intel CPUs with VBIOS to support legacy boot Coffee Lake. However, I have found that certain Comet Lake Thinkpads still have legacy support.
I recommend that you look though [Lenovo's BIOS simulator](https://download.lenovo.com/bsco/index.html#/) to find a suitable Comet Lake Thinkpad. These will have the longest remaining support lifecycle. Personally, I use a Thinkpad T14 gen 1.
## Lenovo ePrivacy
Lenovo ePrivacy can be controlled through `/proc/acpi/ibm/lcdshadow`. I use the following shortcuts:
- F5: `sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'`
- F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'`
It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.

4
Shortcuts.md Normal file
View File

@ -0,0 +1,4 @@
# Shortcuts
- F5: sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'
- F6: sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'

View File

@ -17,51 +17,46 @@
set -eu
unpriv(){
sudo -u nobody "${@}"
sudo -u nobody "$@"
}
download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
}
# Compliance
sudo systemctl mask debug-shell.service
# Setting umask to 077
# Kicksecure defaults to zsh - I need to set it for zsh later.
# Does not actually work for some reason - need to check
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
# Make home directory private
sudo chmod 700 /home/*
# Harden SSH
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
# Disable coredump
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null
# Setup dconf
umask 022
sudo mkdir -p /etc/dconf/db/local.d/locks
mkdir -p /etc/dconf/db/local.d/locks
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy > /dev/null
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark /etc/dconf/db/local.d/adw-gtk3-dark
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable /etc/dconf/db/local.d/automount-disable
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy > /dev/null
sudo dconf update
umask 077
# Avoid phased updates
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades > /dev/null
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
@ -123,14 +118,8 @@ sudo extrepo disable kicksecure
sudo mv /etc/apt/sources.list ~/
sudo touch /etc/apt/sources.list
# adw-gtk3 theme repo
curl -s --proxy http://127.0.0.1:8082 https://julianfairfax.codeberg.page/package-repo/pub.gpg | gpg --dearmor | sudo dd of=/usr/share/keyrings/julians-package-repo.gpg
echo 'Types: deb
URIs: https://julianfairfax.codeberg.page/package-repo/debs
Suites: packages
Components: main
Signed-By: /usr/share/keyrings/julians-package-repo.gpg' | sudo tee /etc/apt/sources.list.d/julians-package-repo.sources
#Enabling SUID Disabler and Permission Hardener
sudo systemctl enable --now permission-hardening
# Restrict /proc and access
sudo systemctl enable --now proc-hidepid.service
@ -140,9 +129,8 @@ sudo systemctl enable --now proc-hidepid.service
sudo systemctl enable --now hide-hardware-info.service
# Install packages
sudo apt update
sudo apt install --no-install-recommends adw-gtk3 gnome-console qubes-ctap qubes-gpg-split -y
sudo apt install --no-install-recommends adw-gtk3-theme gnome-console loupe qubes-ctap qubes-gpg-split -y
# Flatpak update service
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service /etc/systemd/user/update-user-flatpaks.service
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service > /dev/null
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer > /dev/null

View File

@ -3,11 +3,7 @@
set -eu
unpriv(){
sudo -u nobody "${@}"
}
download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
sudo -u nobody "$@"
}
umask 022
@ -15,11 +11,11 @@ umask 022
sudo mkdir -p /etc/qubes-bind-dirs.d
echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg
unpriv curl -s --proxy http://127.0.0.1:8082 https://deb.oxen.io/pub.gpg | sudo tee /usr/share/keyrings/oxen.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
sudo apt update
sudo apt install lokinet resolvconf
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service
unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service | sudo tee /etc/systemd/system/lokinet-dns-fix.service > /dev/null
sudo systemctl enable --now lokinet-dns-fix

View File

@ -24,7 +24,7 @@ sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qt5ct qt5-qtstyleplugins
# Configure PCRs
sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 10 /' /etc/anti-evil-maid.conf
sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 5 /' /etc/anti-evil-maid.conf
# Theming

View File

@ -87,12 +87,8 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
#sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
#unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
# Disable GJS and WebkitGTK JIT
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/environment /etc/environment
# Fix GNOME environment variable
echo '
XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
echo 'XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
# Moving DNF handownloading to the bottom as the Qubes template just breaks when repos are changed and needs a reboot to fix
@ -141,7 +137,7 @@ sudo dnf config-manager --set-disabled fedora-cisco-openh264
# Install custom packages
# gnome-shell is needed for theming to work
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-shell ptyxis
sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-console gnome-shell
# Setup hardened_malloc
sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
@ -149,10 +145,7 @@ sudo dnf install -y hardened_malloc
echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
sudo chmod 644 /etc/ld.so.preload
# Enable hardened_malloc for Flatpak
sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
# Setup DNF
download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf /etc/dnf/dnf.conf
sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
sudo sed -i 's/&protocol=https//g' /etc/yum.repos.d/divested-release.repo

View File

@ -24,6 +24,7 @@ download() {
unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
}
sudo dnf install -y https://github.com/manga-download/hakuneko/releases/download/nightly-20200705.1/hakuneko-desktop_8.3.4_linux_amd64.rpm
sudo dnf config-manager --enable fedora-cisco-openh264 rpmfusion-free rpmfusion-free-updates rpmfusion-nonfree rpmfusion-nonfree-updates
sudo dnf upgrade -y
sudo dnf install -y ffmpeg yt-dlp

View File

@ -32,7 +32,7 @@ umask 022
sudo mkdir -p /etc/qubes-bind-dirs.d
echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d
sudo mkdir /-p etc/systemd/system/systemd-resolved.service.d
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service

View File

@ -14,7 +14,7 @@
# License for the specific language governing permissions and limitations under
# the License.
set -eu
set -eu -o pipefail
unpriv(){
sudo -u nobody "${@}"
@ -25,11 +25,11 @@ download() {
}
# Setting umask to 077
# Whonix defaults to zsh - I need to set it for zsh later.
# Does not actually work for some reason - need to check
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
# Make home directory private
sudo chmod 700 /home/*
@ -59,5 +59,3 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
sudo mkdir -p /etc/gtk-4.0
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
# Run qt5ct and set the theme to gtk-2

View File

@ -14,7 +14,7 @@
# License for the specific language governing permissions and limitations under
# the License.
set -eu
set -eu -o pipefail
unpriv(){
sudo -u nobody "${@}"
@ -25,11 +25,11 @@ download() {
}
# Setting umask to 077
# Whonix defaults to zsh - I need to set it for zsh later.
# Does not actually work for some reason - need to check
umask 077
sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
echo 'umask 077' | sudo tee -a /etc/bash.bashrc
sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc
# Make home directory private
sudo chmod 700 /home/*
@ -39,7 +39,7 @@ download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main
sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
# Install packages
sudo apt install --no-install-recommends arc-theme pipewire-pulse qt5ct qt5-style-plugins -y
sudo apt install --no-install-recommends arc-theme pipewire-pulse -y
# Restrict /proc and access
sudo systemctl enable --now proc-hidepid.service
@ -59,6 +59,4 @@ sudo mkdir -p /etc/gtk-3.0
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini /etc/gtk-3.0/settings.ini
sudo mkdir -p /etc/gtk-4.0
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
# Run qt5ct and set the theme to gtk-2
download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini