2024-11-23 02:01:32 -05:00
10 changed files with 40 additions and 75 deletions
--- a/README.md
+++ b/README.md
@ -10,17 +10,4 @@ After you are done running those scripts, any other script can be used in a diff

 If you want to install Flatpak packages, install them inside of an AppVM as a **user Flatpak** and enable the update-user-flatpaks.service as a **user** systemd service for automatic updates.

-It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
-
-## Laptop Recommendations
-
-Qubes AEM currently still requires legacy boot. Officially, the last generation of Intel CPUs with VBIOS to support legacy boot Coffee Lake. However, I have found that certain Comet Lake Thinkpads still have legacy support.
-
-I recommend that you look though [Lenovo's BIOS simulator](https://download.lenovo.com/bsco/index.html#/) to find a suitable Comet Lake Thinkpad. These will have the longest remaining support lifecycle. Personally, I use a Thinkpad T14 gen 1.
-
-## Lenovo ePrivacy
-
-Lenovo ePrivacy can be controlled through `/proc/acpi/ibm/lcdshadow`. I use the following shortcuts:
-
- F5: `sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'`
- F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'`
+It is recommended that you follow the docs [here](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) to make a prompt for root access on non-minimal VMs. dom0.sh already takes care dom dom0 so you only need to worry about the guests.
--- a/Shortcuts.md
+++ b/Shortcuts.md
@ -0,0 +1,4 @@
+# Shortcuts
+
+- F5: sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'
+- F6: sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'
--- a/debian-gnome/debian-gnome.sh
+++ b/debian-gnome/debian-gnome.sh
@ -17,51 +17,46 @@
 set -eu

 unpriv(){
-  sudo -u nobody "${@}"
+  sudo -u nobody "$@"
 }

-download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
-}
-
-
 # Compliance
 sudo systemctl mask debug-shell.service

 # Setting umask to 077
-# Kicksecure defaults to zsh - I need to set it for zsh later.
+# Does not actually work for some reason - need to check
 umask 077
 sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
 sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc

 # Make home directory private
 sudo chmod 700 /home/*

 # Harden SSH
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf /etc/ssh/ssh_config.d/10-custom.conf
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | sudo tee /etc/ssh/ssh_config.d/10-custom.conf > /dev/null
 sudo chmod 644 /etc/ssh/ssh_config.d/10-custom.conf

 # Disable coredump
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf /etc/security/limits.d/30-disable-coredump.conf
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf > /dev/null

 # Setup dconf
 umask 022
-sudo mkdir -p /etc/dconf/db/local.d/locks
+mkdir -p /etc/dconf/db/local.d/locks

-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable /etc/dconf/db/local.d/locks/automount-disable
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy /etc/dconf/db/local.d/locks/privacy
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/automount-disable | sudo tee /etc/dconf/db/local.d/locks/automount-disable > /dev/null
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/locks/privacy | sudo tee /etc/dconf/db/local.d/locks/privacy > /dev/null

-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark /etc/dconf/db/local.d/adw-gtk3-dark
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable /etc/dconf/db/local.d/automount-disable
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark /etc/dconf/db/local.d/prefer-dark
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy /etc/dconf/db/local.d/privacy
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/adw-gtk3-dark | sudo tee /etc/dconf/db/local.d/adw-gtk3-dark > /dev/null
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/automount-disable | sudo tee /etc/dconf/db/local.d/automount-disable > /dev/null
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/prefer-dark | sudo tee /etc/dconf/db/local.d/prefer-dark > /dev/null
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dconf/db/local.d/privacy | sudo tee /etc/dconf/db/local.d/privacy > /dev/null

 sudo dconf update
 umask 077

 # Avoid phased updates
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades /etc/apt/apt.conf.d/99sane-upgrades
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | sudo tee /etc/apt/apt.conf.d/99sane-upgrades > /dev/null
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades


@ -123,14 +118,8 @@ sudo extrepo disable kicksecure
 sudo mv /etc/apt/sources.list ~/
 sudo touch /etc/apt/sources.list

-# adw-gtk3 theme repo
-curl -s --proxy http://127.0.0.1:8082 https://julianfairfax.codeberg.page/package-repo/pub.gpg | gpg --dearmor | sudo dd of=/usr/share/keyrings/julians-package-repo.gpg
-echo 'Types: deb
-URIs: https://julianfairfax.codeberg.page/package-repo/debs
-Suites: packages
-Components: main
-Signed-By: /usr/share/keyrings/julians-package-repo.gpg' | sudo tee /etc/apt/sources.list.d/julians-package-repo.sources
-
+#Enabling SUID Disabler and Permission Hardener
+sudo systemctl enable --now permission-hardening

 # Restrict /proc and access
 sudo systemctl enable --now proc-hidepid.service
@ -140,9 +129,8 @@ sudo systemctl enable --now proc-hidepid.service
 sudo systemctl enable --now hide-hardware-info.service

 # Install packages
-sudo apt update
-sudo apt install --no-install-recommends adw-gtk3 gnome-console qubes-ctap qubes-gpg-split -y
+sudo apt install --no-install-recommends adw-gtk3-theme gnome-console loupe qubes-ctap qubes-gpg-split -y

 # Flatpak update service
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service /etc/systemd/user/update-user-flatpaks.service
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer /etc/systemd/user/update-user-flatpaks.timer
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.service | sudo tee /etc/systemd/user/update-user-flatpaks.service > /dev/null
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/user/update-user-flatpaks.timer | sudo tee /etc/systemd/user/update-user-flatpaks.timer > /dev/null
--- a/debian-gnome/lokinet.sh
+++ b/debian-gnome/lokinet.sh
@ -3,11 +3,7 @@
 set -eu

 unpriv(){
-  sudo -u nobody "${@}"
-}
-
-download() {
-  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+  sudo -u nobody "$@"
 }

 umask 022
@ -15,11 +11,11 @@ umask 022
 sudo mkdir -p /etc/qubes-bind-dirs.d
 echo 'binds+=( '\'''/etc/loki''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 

-download https://deb.oxen.io/pub.gpg /usr/share/keyrings/oxen.gpg
+unpriv curl -s --proxy http://127.0.0.1:8082 https://deb.oxen.io/pub.gpg | sudo tee /usr/share/keyrings/oxen.gpg > /dev/null
 echo "deb [signed-by=/usr/share/keyrings/oxen.gpg] https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list

 sudo apt update
 sudo apt install lokinet resolvconf

-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service /etc/systemd/system/lokinet-dns-fix.service
+unpriv curl -s --proxy http://127.0.0.1:8082 https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/lokinet-dns-fix.service | sudo tee /etc/systemd/system/lokinet-dns-fix.service > /dev/null
 sudo systemctl enable --now lokinet-dns-fix
--- a/dom0.sh
+++ b/dom0.sh
@ -24,7 +24,7 @@ sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qt5ct qt5-qtstyleplugins

 # Configure PCRs
 sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf
-sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 10 /' /etc/anti-evil-maid.conf
+sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 5 /' /etc/anti-evil-maid.conf

 # Theming

--- a/fedora-gnome/fedora-gnome.sh
+++ b/fedora-gnome/fedora-gnome.sh
@ -87,12 +87,8 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
 #sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 #unpriv curl --proxy http://127.0.0.1:8082 https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf

-# Disable GJS and WebkitGTK JIT
-download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/environment /etc/environment
-
 # Fix GNOME environment variable
-echo '
-XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment
+echo 'XDG_CURRENT_DESKTOP=GNOME' | sudo tee -a /etc/environment

 # Moving DNF handownloading to the bottom as the Qubes template just breaks when repos are changed and needs a reboot to fix

@ -141,7 +137,7 @@ sudo dnf config-manager --set-disabled fedora-cisco-openh264

 # Install custom packages
 # gnome-shell is needed for theming to work
-sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-shell ptyxis
+sudo dnf -y install qubes-ctap qubes-gpg-split adw-gtk3-theme ncurses gnome-console gnome-shell

 # Setup hardened_malloc
 sudo https_proxy=127.0.0.1:8082 dnf copr enable secureblue/hardened_malloc -y
@ -149,10 +145,7 @@ sudo dnf install -y hardened_malloc
 echo 'libhardened_malloc.so' | sudo tee /etc/ld.so.preload
 sudo chmod 644 /etc/ld.so.preload

-# Enable hardened_malloc for Flatpak
-sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
-flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
-
 # Setup DNF
 download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf /etc/dnf/dnf.conf
 sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
+sudo sed -i 's/&protocol=https//g' /etc/yum.repos.d/divested-release.repo
--- a/fedora-gnome/media.sh
+++ b/fedora-gnome/media.sh
@ -24,6 +24,7 @@ download() {
  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
 }

+sudo dnf install -y https://github.com/manga-download/hakuneko/releases/download/nightly-20200705.1/hakuneko-desktop_8.3.4_linux_amd64.rpm
 sudo dnf config-manager --enable fedora-cisco-openh264 rpmfusion-free rpmfusion-free-updates rpmfusion-nonfree rpmfusion-nonfree-updates
 sudo dnf upgrade -y
 sudo dnf install -y ffmpeg yt-dlp
--- a/fedora-gnome/mullvad.sh
+++ b/fedora-gnome/mullvad.sh
@ -32,7 +32,7 @@ umask 022
 sudo mkdir -p /etc/qubes-bind-dirs.d
 echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf 

-sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d
+sudo mkdir /-p etc/systemd/system/systemd-resolved.service.d
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/systemd-resolved.service.d/override.conf /etc/systemd/system/systemd-resolved.service.d/override.conf

 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/systemd/system/dnat-to-ns.service /etc/systemd/system/dnat-to-ns.service
--- a/whonix/whonix-gw.sh
+++ b/whonix/whonix-gw.sh
@ -14,7 +14,7 @@
 # License for the specific language governing permissions and limitations under
 # the License.

-set -eu
+set -eu -o pipefail

 unpriv(){
  sudo -u nobody "${@}"
@ -25,11 +25,11 @@ download() {
 }

 # Setting umask to 077
-# Whonix defaults to zsh - I need to set it for zsh later.
+# Does not actually work for some reason - need to check
 umask 077
 sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
 sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc

 # Make home directory private
 sudo chmod 700 /home/*
@ -59,5 +59,3 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc

 sudo mkdir -p /etc/gtk-4.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
-
-# Run qt5ct and set the theme to gtk-2
--- a/whonix/whonix-ws.sh
+++ b/whonix/whonix-ws.sh
@ -14,7 +14,7 @@
 # License for the specific language governing permissions and limitations under
 # the License.

-set -eu
+set -eu -o pipefail

 unpriv(){
  sudo -u nobody "${@}"
@ -25,11 +25,11 @@ download() {
 }

 # Setting umask to 077
-# Whonix defaults to zsh - I need to set it for zsh later.
+# Does not actually work for some reason - need to check
 umask 077
 sudo sed -i 's/^UMASK.*/UMASK 077/g' /etc/login.defs
 sudo sed -i 's/^HOME_MODE/#HOME_MODE/g' /etc/login.defs
-echo 'umask 077' | sudo tee -a /etc/bash.bashrc
+sudo sed -i 's/umask 022/umask 077/g' /etc/bashrc

 # Make home directory private
 sudo chmod 700 /home/*
@ -39,7 +39,7 @@ download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main
 sudo chmod 644 /etc/apt/apt.conf.d/99sane-upgrades

 # Install packages
-sudo apt install --no-install-recommends arc-theme pipewire-pulse qt5ct qt5-style-plugins -y
+sudo apt install --no-install-recommends arc-theme pipewire-pulse -y

 # Restrict /proc and access
 sudo systemctl enable --now proc-hidepid.service
@ -59,6 +59,4 @@ sudo mkdir -p /etc/gtk-3.0
 download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-3.0/settings.ini /etc/gtk-3.0/settings.ini

 sudo mkdir -p /etc/gtk-4.0
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini
-
-# Run qt5ct and set the theme to gtk-2
+download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/gtk-4.0/settings.ini /etc/gtk-4.0/settings.ini